What is our primary use case?
We use a Check Point Endpoint Remote Access VPN client along with Check Point SSL VPN, which allows users to connect to our firewall who don't have the client, e.g., if they have a MacBook, then we don't have a client for them. We allow them to connect to the firewall over the browser. That had a bunch of problems, but they have resolved those this year.
The use case is to allow people to connect to our firewall on-premise. We also have Check Point firewalls in the cloud, which people can connect to as well. Then they can access resources either in our on-premise environment that they need to access, such as their computers, the Intranet, Salesforce, or our production applications. Also, in AWS, they can access other types of applications, like WorkSpaces, or our production applications there, which allows them to work. It lets them have access to their email, because they're not able to access their email unless they are VPN'd in, etc.
We keep everything locked down to the VPN. If that's not working, then our company will not be able to work. It was very finicky last year, and it's working now. It has been perfect this year.
We don't use the Endpoint Remote Access VPN client for too much. We use its local firewall, which is valuable, but we don't really use SandBlast. I know you can add the SandBlast module along with all these other modules. We literally just use it so our users can connect on-prem.
How has it helped my organization?
Before we used the Check Point Endpoint Remote Access VPN solution, we were using a difficult VPN solution. It made us install a certificate on the user's laptop. That was very difficult to maintain for the IT department. When we gave out a new laptop, we would have to go and manually put the certificate on the laptop so they could then connect back to the on-prem. Now, Check Point allows us to use an RSA token and PIN. It integrates with RSA, which is another solution that we use. RSA is a randomly generated key done every minute and another factor of authentication. With Check Point having that feature, it helped us a lot when we initially set it up.
What is most valuable?
The most valuable part would be allowing users to have a seamless connection to the Check Point firewall, which is what we use for controlling access to our on-premise area. Otherwise, we would have to get some other type of VPN solution that I don't know how well would work with the Check Point firewalls. Keeping it in the same ecosystem is good.
What needs improvement?
Currently, we're using Check Point Endpoint Remote Access VPN R70.30.03. That's the latest version of R70.30. We haven't upgraded to R80 yet, but all of our firewalls are R80. We've been through many iterations of the Endpoint VPN client. I remember a while ago, it was very difficult to deploy and not have problems, but they've come a long way. Now, it's a lot better.
I have worked so much on this in the past with Check Point that they actually had their vice president of product development call me. I remember one of the things that I told him needed room for improvement, which I still haven't seen: When you want to deploy a new Check Point agent, it is really a pain in the butt. For example, Windows 10 now has updates almost every couple of months. It changes the versioning and things under the hood. These are things that I don't understand, because I'm not a Windows person. However, I know that the Check Point client is installed on the Windows machine, and if the Check Point client's not kept up-to-date, then its functionality breaks. It has to be up-to-date with the Windows versions. Check Point has to update the client more often. Now, the problem is that the Check Point client is not easy to update on remote computers and it's not easy to deploy a new client.
They need to improve deploying a new Endpoint Remote Access VPN client and updating existing Endpoint Remote Access VPN clients. Especially if you want to deploy a new one, it's not an easy process. Their software doesn't really support creating a new Endpoint Remote Access VPN client. There is a lot of manual activity. They need to automate it better. You have to create a generic client, download it to a computer, and install it on the computer. Then, you have to find a file deep inside the directory that it creates. It's like a text file; then you take that text file out and edit the settings in it. For example, I have to tell it to connect to a site which contains our firewalls, or else it's like a phone with no phone numbers and I have to put in the phone numbers. This should be done when I download the client the first time from their GUI, but it is not. Instead, I have to install a generic blank version on a computer, find a text file, and edit the text file with the sites of firewalls that the users have to connect to, specific to my company. I have to make other setting changes in that version, save it, reboot the computer, find the file again, take that file out of the computer, upload it to the GUI, and deploy a new version. Then, I install it after I uninstall the old one. Of course, all the uninstalls require reboots. So, I am rebooting it like five times now. After that, I have to install it and check the settings. Half the time they don't save the way you want them to save. It is very tedious and terrible.
Even learning that process was a nightmare, because it's not like they have a nice article that explains it to you. They don't. I was bumping my head up against the wall with support for almost six or seven months trying to figure that out. Half of them didn't even know how to do it. That was miserable. But now that I'm an expert on it, I can probably do it within half a day to three days, depending on whether it gives me problems or not. That's still miserable, and it should be as easy as: I upload the new version of the client, put in the information that I want it to have in the settings, click download, and install, then it works. It should be that easy. There's really no reason why it's not, except that they didn't improve that process, nor have they developed that area. It makes me think that their interest isn't in VPN solutions, even though it should be because it's something that they offer. Otherwise, their support is great.
For how long have I used the solution?
About seven or eight years.
What do I think about the stability of the solution?
Since it was fixed in November, it's been 100 percent solid and stable. It's been solid as far as Endpoint Remote Access VPN is concerned. I would say their SSL VPN isn't always solid, but I don't think it's necessarily their fault. I think it's because companies, like Apple and Google, change their browsers and operating systems. This messes up Check Point's ability to allow the connection as far as Java updates or other types of security features that they enable. They also don't let you run the application without administrative rights or in a sandbox. I have seen a lot of things break because of other companies' involvement in their products.
As far as the connection is concerned, recently it's been stable. If you had asked me that a couple years ago, it was miserable. It was like the bane of my existence. Now, it's working great.
I manage the solution, though technically it's my team. They don't work on it if they don't have to. If they have to, then they ask me questions.
What do I think about the scalability of the solution?
It is pretty scalable as far as adding more users. I don't see that as being an issue. All we have to do is buy more licenses and it's easy to add the license headcount, then more users can be added just as simply.
We have 200 to 250 users in our company.
We will definitely be increasing to have more users since our company was just purchased by a very large company. This will make us grow.
How are customer service and technical support?
Their Endpoint Remote Access VPN support team tries to fix whatever problems are there and incorporate those issues into the next Endpoint Remote Access VPN client that they release for everyone, which is great. I know that last year specifically, I worked with the Endpoint Remote Access VPN support for nine months. We were having disconnects. Some users would get disconnected from their VPN five times in a day. Throughout nine months of working with them, providing logs, providing TCP dumps from the firewall, and all the information they needed, they were able to give us a new client where our users didn't have any more disconnects. They did something where they made it more resilient. So, if there's a problem, the client has more time to talk back to the endpoint or firewall. That is huge since this entire year our whole company has been working from home.
Last year, we had a few people working from home every week, or maybe a tenth of the company worked from home permanently. However, if we hadn't fixed that issue by November of last year, then having everyone work from home and getting disconnected five times a day would have been an utter nightmare. It probably would (100 percent) have been the end of Check Point at our company, because I know our CIO already doesn't really like Check Point. We keep it around because my team believes in it. But if no one could work, because no one could VPN, that definitely would have been the end of Check Point.
This wasn't something they could just fix or something that I could fix or configure. It literally took nine months of troubleshooting and ongoing fixing with their development team in Israel, where they were making new code for the input client, which we got. It worked and we're still running that client today. That was huge. If I had to say something really good, it would be that their support helped us and fixed that issue.
Which solution did I use previously and why did I switch?
We did use something else previously. I want to say it was some kind of VNC Viewer thing with a certificate. It was very basic and crappy.
We switched because we needed more features, like the RSA token involvement. We also liked that we were using another Check Point solution and could integrate with that.
How was the initial setup?
The initial setup wasn't too complex. I think their documentation is pretty good for the initial setup. It took a little while, but it wasn't difficult. We did the deployment successfully in probably two months on our own, without them doing anything, by just reading the documentation and having other stuff going on too. We didn't just focus on this deployment.
I just wish the upgrade process was easy and the initial configuration process was easier. In the past six months, they did a fix where, if I push out a new install to users, it doesn't reboot their computer. Now, it will install their client and not reboot.
They need to keep up with Windows updates faster. There have been a couple of times where Windows was updated and they didn't have a new version ready for when Windows was ready, which means the clients that are running on the newer version of Windows won't be able to VPN. If they can keep up to speed with that, then it would be good.
What about the implementation team?
I've done this twice already because I know that we didn't upgrade it. I built out two new servers for it. I have a primary and a policy server. We have a primary endpoint server. Then, we have a secondary, which is called a policy server. This is operational because our clients will connect round robin to one, then the other. It's just that one of them has more precedence over the other as far as enforcing policy. We have those in two different environments, and they're virtual. All the standard things that go along with setting up a virtual environment.
We had to create the policy on the new endpoint server, which isn't too complicated. It includes a list of ports that we needed for our users to be able to use certain applications, like their chat and VoIP, because it has a local firewall. That took some time, like a week building that policy out and testing it. It's really about making sure that it can connect to the endpoint server through the main firewall. Then, it gets its policy from the endpoint server that it downloads and enforces on the local firewall, allowing for the connection to the main firewall. I wouldn't say it was too complicated as far as deployment strategy goes.
What was our ROI?
We have seen ROI. It allows everyone to work from home. If no one could work from home, then we wouldn't have a company, especially now during COVID-19. It's mission-critical, especially since it's currently being used. If there is a problem with it, we would really be screwed. We would be hard-pressed because we would have to figure out what solution we're going to go with, how to deploy it, how long it would take to deploy it, and how we'd even get it on people's computers if we couldn't VPN to them. It would be near impossible to just change to a new VPN solution right now. Without physical access to the machines, it makes things much more difficult.
What's my experience with pricing, setup cost, and licensing?
My understanding is that the pricing and licensing are very competitive, and it's not one of their more expensive products. We buy licenses for the solution and have licenses for the endpoint servers.
Which other solutions did I evaluate?
I believe we did evaluate other options, but I know that we were leaning strongly towards Check Point.
What other advice do I have?
My advice would be to have patience. Make sure you get a Tier 3 support person. Setting up the servers and everything is easy, but deploying the Endpoint VPN client is not easy. They need to have someone walk them through the process of creating the Trac file that contains the settings for the client. That is hard.
There is the endpoint server, which is on-prem and easy to set up like any other appliance that any network engineer or systems administrator should know how to do. That is easy. But if you want to deploy the client, which most people want to do, and have any type of configured settings on it, then know that it is not just a generic client. That's the hard part. My advice would be to reach out to support and have them help you with it.
I remember not knowing how to deploy the Trac file and struggling immensely. I was unable to deploy the client and get people working, which is my job and what I'm supposed to do. Learning how to do that, being familiar with the process, and actually doing what I'm expected to do at work, which is let people be connected to the firewall, that was my biggest lesson.
I would rate it a seven and a half out of 10.