https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Client-Client-Hello-with-SNI/m-p/227720#M3139 <P>Hello Community,</P><P>One of my customers are using a third party cloud proxy provider where they define exceptions based on the SNI not the IP address.</P><P>They've created the VPN site with the URL rather than the IP address. Now they've now noticed that the Check Point Endpoint client not always sends the SNI but sometimes uses the IP only in the Client Hello.</P><P>This results in the proxy client on the endpoint sending these packages to the cloud proxy rather than directly to the Check Point gateway and subsequently traffic being inspected or not forwarded to the gateway.</P><P>I haven't found a setting in trac_client_1.ttm to always include the SNI in the Client Hello, has anybody else come across the issue and solved it with any other method but defining the exceptions based on IP?</P><P>Is this even considered and/or supported from Check Point side?</P><P>Thanks,<BR />Soenke</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TCPdump_Screenshot.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27758i15F89FB932349CB1/image-size/large?v=v2&amp;px=999" role="button" title="TCPdump_Screenshot.png" alt="TCPdump_Screenshot.png" /></span></P> Tue, 24 Sep 2024 09:38:48 GMT Soenke_Weiss1 2024-09-24T09:38:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Client-Client-Hello-with-SNI/m-p/227720#M3139 <P>Hello Community,</P><P>One of my customers are using a third party cloud proxy provider where they define exceptions based on the SNI not the IP address.</P><P>They've created the VPN site with the URL rather than the IP address. Now they've now noticed that the Check Point Endpoint client not always sends the SNI but sometimes uses the IP only in the Client Hello.</P><P>This results in the proxy client on the endpoint sending these packages to the cloud proxy rather than directly to the Check Point gateway and subsequently traffic being inspected or not forwarded to the gateway.</P><P>I haven't found a setting in trac_client_1.ttm to always include the SNI in the Client Hello, has anybody else come across the issue and solved it with any other method but defining the exceptions based on IP?</P><P>Is this even considered and/or supported from Check Point side?</P><P>Thanks,<BR />Soenke</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TCPdump_Screenshot.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27758i15F89FB932349CB1/image-size/large?v=v2&amp;px=999" role="button" title="TCPdump_Screenshot.png" alt="TCPdump_Screenshot.png" /></span></P> Tue, 24 Sep 2024 09:38:48 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Client-Client-Hello-with-SNI/m-p/227720#M3139 Soenke_Weiss1 2024-09-24T09:38:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Client-Client-Hello-with-SNI/m-p/228009#M3140 <P>I don't think there is such a setting anywhere in the client configuration. However, I would advise you to raise a TAC ticket and get an official answer to the matter.&nbsp;</P> Thu, 26 Sep 2024 09:51:01 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-Client-Client-Hello-with-SNI/m-p/228009#M3140 _Val_ 2024-09-26T09:51:01Z