https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31781#M97656 <HTML><HEAD></HEAD><BODY><P>The front end of the Internal CA is called SmartConsole <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>Granted, it's&nbsp;not meant as a full CA but for specific functionality, which could potentially be expanded.</P></BODY></HTML> Thu, 22 Feb 2018 23:53:29 GMT PhoneBoy 2018-02-22T23:53:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31777#M97652 <HTML><HEAD></HEAD><BODY><P>For the gateway configured to perform HTTPS inspection, with certificate created and distributed to clients, normal traffic behaves as expected:</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/63286_pastedImage_2.png" style="width: auto; height: auto;" /></P><P></P><P>But when UserCheck is encountered in the rulebase, the gateway serving its VPN certificate:</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/63287_pastedImage_3.png" style="width: 620px; height: 439px;" /></P><P></P><P>Which, as it happens, was not distributed to internal hosts.</P><P></P><P>Is there a way to address it properly?</P></BODY></HTML> Thu, 22 Feb 2018 20:32:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31777#M97652 Vladimir 2018-02-22T20:32:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31778#M97653 <HTML><HEAD></HEAD><BODY><P class="">Yes, on the cluster/gateway properties under UserCheck you can enter the FQDN for UserCheck Portal and import a proper certificate matching it.</P><P class="">For sure FQDN must be resolvable to Cluster/Gateway IP.</P></BODY></HTML> Thu, 22 Feb 2018 20:49:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31778#M97653 Norbert_Bohusch 2018-02-22T20:49:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31779#M97654 <HTML><HEAD></HEAD><BODY><P>Just to clarify, the UserCheck portal serves it's own certificate that is not subject to HTTPS Inspection (if I recall correctly).</P><P>Thus that certificate needs to be correct/something the client is configured to accept.</P><P>It would definitely be better if we could leverage the HTTPS Inspection CA in this case <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Thu, 22 Feb 2018 22:50:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31779#M97654 PhoneBoy 2018-02-22T22:50:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31780#M97655 <HTML><HEAD></HEAD><BODY><P>Agree with you on idea of using same cert for multiple purposes. It would actually be nice if the CA on SMS would've been a bit more functional with good front end. Some environments do not have PKI in place and could've used Check Point for this purpose.</P></BODY></HTML> Thu, 22 Feb 2018 23:51:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31780#M97655 Vladimir 2018-02-22T23:51:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31781#M97656 <HTML><HEAD></HEAD><BODY><P>The front end of the Internal CA is called SmartConsole <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>Granted, it's&nbsp;not meant as a full CA but for specific functionality, which could potentially be expanded.</P></BODY></HTML> Thu, 22 Feb 2018 23:53:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31781#M97656 PhoneBoy 2018-02-22T23:53:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31782#M97657 <HTML><HEAD></HEAD><BODY><P><img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp;good one</P></BODY></HTML> Thu, 22 Feb 2018 23:57:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/UserCheck-portal-using-Certificate-not-created-for-HTTPS/m-p/31782#M97657 Vladimir 2018-02-22T23:57:10Z