Checkpoint Considered Shitware (With Updates)

I am still trying to find a decent VPN client for my MacBook. One which actually works. And one which is not messing up your whole machine.

Today I tried the SecureClient from CheckPoint only to find out how retarded that piece of shit is. Although probably my real point is

Intentionally retarded.

As if it was ported from Windows. Which it obviously is, given the hideous icons and menus.

Not only does it make you reboot the machine after the install (we are writing anno 2009, btw, and I am not one of these Windows ... people), it messes with your firewall rules. And blocks incoming SSH.

I then figured that it is a security feature that SSH is blocked while the client is involved in an active connection.

  • But it blocks even if it is NOT active.
  • And it never tells you.
  • And also no trace of this in any network preferences.

To make it completely absurd, it allows you (connected or not) to open SSH outgoing. As if there is no such thing as forward or reverse SSH tunneling.

The only way to get SSH working again is to uninstall the crapware. And reboot again. And lose all your settings.

The biggest joy is then to delete it from disk. Thank God the MacBook makes this noise...


Update: When you do the install/uninstall cycle a number of times, then sometimes the uninstallation will simply hang. It will remove the application's files, but the client will still start itself. Effectively, you cannot stop it, and you cannot get rid of it. That so reminds me of the operating system with the blue background.

Needless to say, when you try to reinstall it, it will notify you that the software is already installed.

Recovery Method:

  • download the software again
  • then unpack the crap manually (.pkg files are directories, but Finder will not show them as such)

cd SecureClient_XXXXX
cpio -id < Archive.pax
tar zxvf desktop_XXXXXX.tgz

  • go into bin and uninstall manually:

cd bin
sudo bash
sh scuninstall

  • Finally, go onto a killing spree.

Update: Beating the Beast into Submission.

I was not giving up, especially since the only way to connect to a CheckPoint VPN is with ... a CheckPoint client. Welcome to the world of open protocols.

I had the following problems:

  • When SecureClient is installed (even when it is not running), no incoming SSH is possible. Obviously, the thing messes around with the firewall.
  • Whenever you log in, the client starts. That is annoying, intrusive, obtrusive, inappropriate, rude, unprofessional and childish.

Googling, I came across the SecureClient FAQ for Mac OSX. Question 3 there gives a first hint:

MAC OS-X comes packaged with two policy files in the $SRDIR/conf folder: sc_boot_acceptall.bin (accept all) sc_boot_blockinbound.bin (block inbound connections). The link $SRDIR/default.bin points to one of them, and is used as the effective boot Policy file. To change the boot Policy, change the link to point to sc_boot_blockinbound.bin after the client is already installed.

Well, there was no link, but I made one to the version which I wanted to be used:

default.bin -> conf/sc_boot_acceptall.i386.bin

That by itself does not solve problem 1, as the client is always started and uses a restrictive security setting. But now at least the client offers a menu entry to turn that off:

Tools -> Disable Security Policy
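As an added example (not from the original post and not Check Point's own tooling), this shell function reports which boot policy the default.bin link from Question 3 currently selects, including the missing-link case I ran into. The default path /opt/CPsrsc-50 comes from the commands further down this page; the function name boot_policy and the pattern match for the .i386 file-name variant are assumptions.

```sh
# Added example: report which boot policy $SRDIR/default.bin selects.
# Assumption: SRDIR defaults to /opt/CPsrsc-50 (install path seen on this page).
boot_policy() {
    srdir="${1:-${SRDIR:-/opt/CPsrsc-50}}"
    link="$srdir/default.bin"

    # Neither a file nor a (possibly dangling) link: no boot policy link exists.
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "missing"; return 0
    fi
    # A regular file instead of a link: the policy cannot be identified by name.
    if [ ! -L "$link" ]; then
        echo "not-a-link"; return 0
    fi

    target=$(readlink "$link")
    # Relative link targets are resolved against $SRDIR.
    case "$target" in
        /*) resolved="$target" ;;
        *)  resolved="$srdir/$target" ;;
    esac
    if [ ! -e "$resolved" ]; then
        echo "dangling"; return 0
    fi

    # Classify by file name; the pattern also covers names like
    # sc_boot_acceptall.i386.bin.
    case "$(basename "$target")" in
        sc_boot_acceptall*.bin)    echo "acceptall" ;;
        sc_boot_blockinbound*.bin) echo "blockinbound" ;;
        *)                         echo "unknown" ;;
    esac
}

# Stand-alone use: optional first argument overrides the install directory.
boot_policy "$@"
```

Run it before and after changing the link to confirm that the policy you intended is the one that will be loaded at boot.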

Question 4 of the FAQ tells you how to prevent the client from being started in the first place:

tcsh
source /opt/CPsrsc-50/.cshrc
StartupItemsMgr remove /opt/CPsrsc-50/bin/SecureClient.app

Make sure to use the absolute path here. And execute this a number of times until it tells you it is empty. I suspect that this piece of ... software had the client registered in there several times. And there is no way to list the registered things. Great.

100 reboots later: no client and SSH working. The remaining problem is that I want the client to NOT have these security policies enabled. The MacOS firewall is just fine the way I have it.

Shimo

Have you tried Shimo? It's a €12,95 offer from http://www.shimoapp.com/

I installed it but never really used it. At least it seems to be unobtrusive.

Benjamin Bock (not verified) | Fri, 02/27/2009 - 15:07

Tunnelblick is great for

Tunnelblick is great for OpenVPN connections - it's not for the novice, but once set up it Just Works.

Of course, that's not much consolation if you're not connecting to an OpenVPN server. :-/

Andrew Gallagher (not verified) | Wed, 03/11/2009 - 13:34

Re: Tunnelblick

That one I found pretty quickly. But as you write, this is only good if you're docking onto OpenVPN. It seems that for my scenario (checkpoint firewall on the corporate side) NOTHING(!) except the corresponding client would work.

This is all pretty borken....

rho | Wed, 03/11/2009 - 13:42