READ-ME File Check Point FireWall-1 SecuRemote version 3.0 for Windows NT
=========================================================================

Content
=======
1. Unpacking SecuRemote.
2. Limitations on installation on the PC.
3. Known Bugs.
4. What's new since last release.

Unpacking SecuRemote
====================
If you have downloaded SecuRemote from the network as a single file,
you should first unpack it:
1. Create a temporary directory for installation: for example C:\TEMP
2. Copy SR30_NT.EXE to your temporary directory and run it. 
   This is a self extracting file.

   You should now run SETUP.EXE located in your temporary directory.
3. After completing the installation you should define at least one
   site, see the program help for more information.

Limitations on installation on the PC
=====================================
1. The following data items are never encrypted:
   * The connection between the PC and the Manager when doing an
     "Add New Site" or "Update" operations. However the information
     is signed.
   * The connection between the PC and a FireWall in which a key is exchanged.
     However the information is signed and the password and the session key
     are encrypted.
   * DNS information.
   * In FTP, RealAudio, and VDOLive connections, some packets
     are not encrypted. These packets only contain information needed to
     open a back connection from the FireWall to the PC (e.g., data connection
     in FTP.)
   * Local connections are not encrypted. A connection is "local" if
     both the IP of the PC (i.e., the client) and the IP of the destination
     (i.e. the server) are both inside the same encryption domain of
     the same firewalled gateway.

2. SecuRemote can only work with FireWall-1 version 2.1 (or latter versions.)
   See the FireWall manual for instructions on how to configure it to work
   with SecuRemote.

3. This version of SecuRemote can work only on Windows NT (3.51 or 4.0). 
   For Windows 95, download the 95 version.

4. The following TCP/IP stacks are supported:
   * MSTCP - from MicroSoft
   * FTPTCP96 - from Ftp Software

5. Working with a Firewall-1 server version 3.0 or earlier, the user password 
   is limited to 8 characters (only the first 8 characters will be read). As of 
   servers version 3.0a, this restriction has been removed.

Known Bugs
==========
1. If you have a service on a server which can be accessed from any
   client, even without SecuRemote, then it should be possible to contact
   it even with SecuRemote. If for some reason you fail to access
   with SecuRemote you can temporarily disable SecuRemote by selecting
   "Kill" in the "File" menu. After establishing the connection you can
   re-run the SecuRemote daemon from the "FireWall-1" group in the
   Start menu.

2. If you discover that you are unable to authenticate yourself to a firewall, 
   when asked for a user name and password you may press Cancel.  In very rare 
   instances, you may find that the popup repeatedly reappears, immediately after 
   canceling.  This is a temporary state, and waiting about one minute before 
   re-canceling will restore normal behavior.

What's new since last release
=============================
1. Encapsulation: It is now possible to work in "encapsulation" mode. In this mode, 
   configured on the Firewall-1 server (version 3.0a and up, see Firewall-1 
   user manual), packets leaving the SecuRemote PC are addressed to the decrypting
   gateway, and not to the host behind it. The true destination is indicated in the 
   packet, and the gateway redirects it. Similarly, packets coming from hosts behind 
   the gateway seem to be coming from the gateway. The PC retrieves the true source
   from the packet. In this mode, there need not be valid routing to the destination. 
   It does not even need to have a valid IP address.

2. Authentication schemes: SecurID and S/KEY authentication are now supported, in 
   addition to firewall-1 and OS passwords. These authentication schemes can only 
   be used with servers version 3.0a and up.

   Backwards compatibility: Both these enhancements are fully backwards compatible. 
   This version of SecuRemote will work exactly as previous versions, if the server
   is of a version lower than 3.0a.
