topic Re: SSL VPN Certificates in SASE and Remote Access

SSL VPN Certificates

biskit — Fri, 29 Mar 2019 10:40:09 GMT

I have a question re SSL VPN certificates - using 3rd party certificates.

My understanding is that if you use SNX you generate the CSR via the IPSec VPN page, get the valid cert, then "complete" the cert via the IPsec VPN page. This certificate has no bearing on Mobile Access.

If you enable Mobile Access, you generate the CSR via the command line, get the cert, then import it via the Platform Portal page. So this is a different cert to what SNX would use.

My customer currently uses SNX (not MAB) and has a certificate for that, with 200 clients connecting using the VPN client. That's working well. But now they're interested in Mobile Access which would require purchasing another certificate.

Will enabling MAB and installing a new certificate cause the existing VPN clients to moan?

Will the new MAB certificate override what the existing VPN clients see when connecting (and cause a certificate mis-match type error message to pop up for the users)?

Is there a way to use the same certificate for both the IPSec and Platform Portal tabs?

Re: SSL VPN Certificates

Wolfgang — Fri, 29 Mar 2019 10:57:51 GMT

You can use the same certificate. Import your existing certificate to the MOB-configuration via SmartConsole.

If the SNs in the certificate will match again the MOB-Portal DNS-name everything should fine.

And yes you're right, if you enable MOB you get the certificate from the MOB-Portal.

What did you mean with VPN-clients ? SNX is clientless SSL VPN, only the small ssl-extender agent is installed, not a real VPN client.

Wolfgang

Re: SSL VPN Certificates

Jerry — Fri, 29 Mar 2019 11:03:52 GMT

IPSec does not use SSL Certificate
MAB uses either SSL Cert or IPSec host-based-cert.
I think you need to learn a little about the MAB and Remote Access security from CP ...

seach support site for sk's about MAB.

Re: SSL VPN Certificates

Jerry — Fri, 29 Mar 2019 11:04:51 GMT

https://community.checkpoint.com/t5/Remote-Access-Solutions/Create-CSR-and-Importing-third-party-certificate-in-Mobile/td-p/39942

Re: SSL VPN Certificates

Wolfgang — Fri, 29 Mar 2019 12:16:12 GMT

Hello Jerry,

you're right with your answer,

But as I understand Matt, he is already using SNX (SSL extender) and for this an SSL certificate is in use.

And this same certificate can be used to import in the MAB. You can use there the one created from SmrtCenters CA or from a Third Party.

Wolfgang

Re: SSL VPN Certificates

Maxim_Medvedev — Thu, 04 Jun 2020 09:51:50 GMT

Hello, Wolfgang

I installed new ssl certificate for Mobile Access in gateway properties Mobile Access --> Portal Settings --> Certificate --> Replace

As I understand this shouldn't have affected setting for vpn clients. Certificate for vpn clients is specified in gateway properties VPN clients --> the gateway authenticates with this certificate

But Endpoint Security vpn client get this error: The site's security certificate is not trusted

Therefore gateway use Mobile Access certificate for vpn clients and don't use certificate for vpn clients

Could you please explain is it normal behavior or bug?

Re: SSL VPN Certificates

Wolfgang — Thu, 04 Jun 2020 11:26:59 GMT

@Maxim_Medvedev

yes, this is normal behaviour.

The first connection from the endpoint-client is a SSL handshake with the gateway. If MOB-blade is activated, this will be done with the MOB certificate.

Same behaviour is described here:

Mobile Access certificate fingerprint presented on Remote Access client

Wolfgang

Re: SSL VPN Certificates

Maxim_Medvedev — Fri, 05 Jun 2020 08:27:58 GMT

Thank you, now it's clear, this sk is very helpfull
Another question on the topic:
Would gateway work correctly with wildcard certificate like *.mydomain.com?
Whether full DNS name matching is required?
For Example mobile access portal has DNS name sslvpn.mydomain.com and vpn site has vpn.mydomain.com

Re: SSL VPN Certificates

Wolfgang — Fri, 05 Jun 2020 08:49:17 GMT

@Maxim_Medvedev

yes, that works.

Wolfgang