Endpoint Security
January 9, 2008
Client Management Guide
Version 7.0 GA
© 2008 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their
use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by
any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book,
Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check
Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing,
ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa,
DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX,
FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity
Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC,
OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage,
PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge,
SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security
Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter
UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand,
SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1,
UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1
Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1
SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm
Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs,
and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm
is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered
trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668,
Endpoint Security Client Management Guide 3

User Password ..........................................................................27
Client Parameters ................................................................... 29
Command Line Switches ......................................................... 30
Chapter 5 Uninstalling Clients
Silently Removing a Client ...................................................... 32
Uninstalling Endpoint Security Clients ...................................... 33
Uninstalling MSI files ................................................................ 33
Uninstalling using the product code ............................................ 33
Uninstalling using a script .........................................................33
Endpoint Security Client Management Guide 5
Preface
In This Preface
About This Guide
This document is the
Endpoint Security Client Management Guide.

Use this docum
ent to
understand the Endpoint Security clients and how to install and configure them on your endpoint
computers.
About the Endpoint Security Documentation Set
A comprehensive set of documentation is available for Endpoint Security, including the
documentation for the Endpoint Security clients. This includes:

“Documentation for Administrators,” on page 5

“Documentation for Endpoint Users,” on page 6
Documentation for Administrators
The following documentation is intended for use by Endpoint Security administrators.
About This Guide page 5

Contains information on client and server
requirements and supported third party devices
and applications.
Endpoint Security Gateway
Integration Guide
Contains information on integrating your
gateway device with Endpoint Security.
Endpoint Security Client
Management Guide
Contains detailed information on the use of
third party distribution methods and command
line parameters.
Endpoint Security Agent for Linux
Installation and Configuration
Guide
Contains information on how to install and
configure Endpoint Security Agent for Linux.
Table 1-1: Server Documentation for Administrators
Title Description
Table 1-2: Client documentation for endpoint users
Title Description
User Guide for Endpoint Security
Client Software
Provides task-oriented information about the
Endpoint Security client (Agent and Flex) as
well as information about the user interface.
Introduction to Flex Provides basic information to familiarize new
users with Flex. This document is intended to
be customized by an Administrator before
distribution. See the Endpoint Security


Endpoint Security server

Endpoint Security clients installed on your endpoint computers
For more detailed information about Endpoint Security system architecture, including
integration with other Check Point products and communications between the
Endpoint Security server and the Endpoint Security clients, see the Endpoint Security
Administrator Guide and the Endpoint Security Implementation Guide.
Endpoint Security Server
The Endpoint Security Server allows you to centrally configure and deploy your
enterprise policies through the Endpoint Security Administrator Console. You can also
use the Administrator Console to pre-package Endpoint Security client executables
with configuration settings and policies before you deliver them to your users.
Endpoint Security Clients
The following Endpoint Security clients are available from Check Point:

Agent - See “Agent,” on page 10.

Flex - See “Flex,” on page 10.
Figure 1-1: Basic Endpoint Security Architecture
Endpoint Security Client Management Guide 10

VPN Agent and VPN Flex - See “VPN Agent and VPN Flex,” on page 10.
Depending on your security needs and the components you have purchased, you may
be working with more than one of these client types. Although Endpoint Security
clients have a lot of features in common, some administration steps and options are
quite different. Be sure to use the information that pertains to the Endpoint Security
client you are using.
Agent
Use Agent when you want to centrally manage security at all times. It has a limited

with the Check Point VPN-1 gateway. By using it in combination with Enforcement
rules, you have the option of controlling client network access at the VPN gateway. VPN
Endpoint Security Client Management Guide 11
Agent and Flex also provide your endpoint users with a convenient unified interface for
managing both the Endpoint Security client and their VPN access.
If you previously integrated Endpoint Security client and SecureClient by configuring SCV, be
aware that the local.scv file is eliminated during endpoint installation of VPN packages. For
this reason, refer to the Migrating from Check Point SecureClient section of the Endpoint
Security Administrator Guide for details on recreating your prior SCV settings and Desktop
Security rules with Endpoint Security.
Endpoint Security Client Management Guide 12
Concepts
You will need to understand the following basic Endpoint Security system concepts in
order to successfully configure and deploy your Endpoint Security clients:

“Policies,” on page 12

“Configuration Files,” on page 13

“Client Packages,” on page 13

“Gateways,” on page 14
This chapter provides an overview of these concepts. For more detailed information,
see the following documents:

Endpoint Security Implementation Guide

Endpoint Security Administrator Guide
Policies
Policies are how you deliver security rules to your endpoint users.

from the worst threats while allowing the user more freedom.
For example, a disconnected policy might require that the endpoint have antivirus
protection, but not be as strict about which brand or version. It might also allow users
to run entertainment programs that they are not allowed to run while connected.
If you do not want to control an endpoint computer’s security when it is disconnected,
you can omit the disconnected policy from the policy package assigned to a user or
group of users. In the case of Flex users, their personal policy is enforced in the
absence of a disconnected policy.
Personal Policies
Flex users can create their own security policies. How these policies are arbitrated with
conflicting enterprise policies depends on what settings you choose in the enterprise
policy. Generally the more restrictive policy rule is the one that is enforced.
Configuration Files
Agent and Flex also use configuration files. These files contain important information
for the Endpoint Security clients, such as the location of the Endpoint Security.
Client Packages
You can use client packages to pre-configure your Endpoint Security clients and pre-
populate them with security policies. Client packages not only let your endpoint users
get policies and connect to Endpoint Security as soon as possible, but also lets you do
things like prevent the user from uninstalling the Endpoint Security client. You can
also use the packager to create a package that includes both an Endpoint Security
client and VPN functionality.
Client packages contain the following files, in zipped format:

client msi - This file installs the Endpoint Security client on your endpoint
computer. The executable that is included is determined by the choice you make
on the Client Package page.

config.xml - This file provides connection information that the Endpoint Security
client will use to communicate with the Endpoint Security. It also configures some

For more information about creating client packages, see the Endpoint Security
Administrator Guide.
Gateways
You can integrate Endpoint Security with supported gateways to enhance your security.
Gateway integration will not be covered in this guide. The Endpoint Security Systems
Requirements Document lists all the supported gateways. See the Endpoint Security
Gateway Integration Guide for information about configuring your gateway to work with
Endpoint Security.