topic Mobile Access Client Certificate auto choice in Firewall and Security Management

Mobile Access Client Certificate auto choice

Henrik_J — Tue, 01 Feb 2022 21:36:43 GMT

Hello!

We ran into a rather strange issue where we our mobile access clients suddently chooses the other certificate of the two, resulting in authentication issues when connecting to our site.

No changes have been made to either the client package, Check Point gateway or anything.

Before diving in too deeply, I just want to ask.

How does the Mobile Access client decide on which certificate in its list to present when connecting to its site?

It has worked without any client intervention before with auto-connect, but suddenly they get an authentication error and have to choose the correct certificate manually.

Any input here would be appreciated, so I know where to start looking.

Re: Mobile Access Client Certificate auto choice

PhoneBoy — Wed, 02 Feb 2022 06:48:52 GMT

What precise client and version on what precise gateway version?

Re: Mobile Access Client Certificate auto choice

Henrik_J — Wed, 02 Feb 2022 07:50:38 GMT

In add-remove programs it is mentioned as Check Point VPN with version 98.61.2331, checked sk102150 but can't really find the exact version number there.
The client is Check Point Mobile.

We will start the process to upgrade to a newer version, but to my knowledge, no changes have been made to the firewall nor the client and its configuration during the holidays.

Only thing worth mentioning is that they may have had issues with the certificate enrollment, as the client started telling users that their certificate was expiring within x amount of days.

Check Point is not the Certificate enroller here.

So I was hoping to see if their certificate enrollment perhaps made any changes, which then changed the order of the certificate in some way or another.

Hence why I want to know how mobile access selects a certificate in its list if more are available.

Re: Mobile Access Client Certificate auto choice

PhoneBoy — Wed, 02 Feb 2022 09:29:40 GMT

My guess is it's E84.30.
Also, it's possible older certificates may need to be removed as the client is picking the "first" one (not necessarily the most recent one), at least based on my recent experience.

Re: Mobile Access Client Certificate auto choice

Henrik_J — Fri, 04 Feb 2022 07:33:32 GMT

thanks for the input.

The current problem though is that another PKI's certificate is being selected as first.
Not that the old certificate in the valid PKI is being chosen.

So what decision-making process does it use to have a cert being considered first and what not?

Thanks again.

Re: Mobile Access Client Certificate auto choice

Henrik_J — Fri, 04 Feb 2022 09:58:57 GMT

Just had time to troubleshoot this further.

So the problem isn't really it just automagically choosing another certificate in the list, it is due to certificate renewal in combination with auto-connect.

In the list, most if not all clients have at least two certificates to choose from, but the client has since long cached the certificate to use when auto-connecting.

What we saw, was when I renewed the certificate, and immediately rebooted my computer, we received the error that it was unable to find a valid certificate during auto connect.

I'm just assuming here, but I suppose it is looking for the old certificate prior to the renewal, and doesn't find the new one properly.

Is there a workaround to this? Working as intended? Newer version has a fix?

Thanks again.