topic Re: Capsule Workspace Oauth in SASE and Remote Access

Capsule Workspace Oauth

Lars_de_Mooy — Sat, 21 Jan 2023 15:32:17 GMT

Hi all,

We used Capsule Workspace for business mail for many years, the best advantage is that you only have to allow a connection from the public IP to exchange online and you can block all the rest. Capsule is making a connection to the remote access gateway and the remote access gateway makes a session to ExO.

Now last week Microsoft finaly depricated basic auth in ExO that Capsule needs to connect.

The only way to make the connection again is to upgrade to R81.20 that had the Oauth for Capsule Workspace option.

We upgraded our environment and configured the enterprise app in Azure and made all the configs on the mobile asscess GW on the checkpioint side. The problem is that the authentication to the Mobile access GW is all fine but the authentication to Azure Oauth ends up with a 401 error. I spended last week to troubleshoot and created all the relevant logging.

Is there anyone that have this setup working that may faced the same issues and was able to fix them ?

I am at the end of my knowlage and need this to work asap.

Hope someone has some good tips to get us in the right track.

Best rgrds Lrs

Re: Capsule Workspace Oauth

PhoneBoy — Sat, 21 Jan 2023 15:58:53 GMT

I presume you’ve opened a TAC case in parallel?
In any case, sharing whatever debug you’ve collected might be helpful.

Re: Capsule Workspace Oauth

Lars_de_Mooy — Sun, 22 Jan 2023 10:04:13 GMT

Hi PhoneBoy,

Yes i have a TAC case

Right after i login i get a new prompt "Enter your Mail credentials" if i fill in this credentials i see this logging

How to debug Mobile Access Web Applications (checkpoint.com)

tail -f $CVPNDIR/log/httpd.log

[4606][22 Jan 10:58:28][SERIALIZE] [CVPN_INFO] getDecoder: Using fwobj-based RPC decoder
[4606][22 Jan 10:58:28][SERIALIZATION] [CVPN_INFO] CvpnIS::FwobjDeserializer::createObject: deserializing object of class: PortalCustomizationResponse
[4606][22 Jan 10:58:28][SERIALIZATION] IDeserializable::createObject: found CreateFunc (0xf1c5c110) for className: PortalCustomizationResponse
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[Sun Jan 22 10:58:28.454160 2023] [wi:debug] [pid 4606] WIConnection.cpp(220): parsing: (body printout skipped)
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::getRequestNumber: WIConnection::getRequestNumber m_requestNumber=1
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::isCriticalError: WIConnection::IsCriticalError isCriticalError=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::shouldHandleInFilter: handleInFilter = true
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::checkParseResult: handleInFilter
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::getRequestNumber: WIConnection::getRequestNumber m_requestNumber=1
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::isCriticalError: WIConnection::IsCriticalError isCriticalError=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::checkParseResult: no errors or no relevant errors
[Sun Jan 22 10:58:28.455897 2023] [deflate:debug] [pid 4606] mod_deflate.c(873): [client x.x.x.x:52824] AH01384: Zlib: Compressed 171 to 156 : URL /Errors/ErrorDocument, referer: https://capsule.xxxxxxx/sslvpn/MobileApp/
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Cvpn::ApacheRequest::~ApacheRequest: (/Errors/ErrorDocument)
[4606][22 Jan 10:58:28][BusinessMail] [CVPN_INFO] Cvpn::BusinessMailHandler::~BusinessMailHandler: Dtor
[4606][22 Jan 10:58:28][CURL_BASED] [CVPN_INFO] Cvpn::CurlBasedHandler::~CurlBasedHandler: Dtor
[Sun Jan 22 10:58:28.456891 2023] [:debug] [pid 4606] trace_logger_filters.c(321): [client x.x.x.x:52824] in clean request , referer: https://capsule.xxxxxxx/sslvpn/MobileApp/
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WICreateRequestHook::doExecute: WICreateRequestHook::execute setting current request and body flag
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::setIsBody: WIConnection::setIsBody m_isBody=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::incrementRequestNumber: WIConnection::incrementRequestNumber incremented m_requestNumber=2
[Sun Jan 22 10:58:28.457456 2023] [:debug] [pid 4606] trace_logger_filters.c(207): [client x.x.x.x:52824] creating request_buffer_handle<<<<<
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[4606][22 Jan 10:58:30][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::parseLoop: ap_get_brigade failed - return false
[Sun Jan 22 10:58:30.459714 2023] [:debug] [pid 4606] trace_logger_filters.c(244): [client x.x.x.x:52824] get brigade failed
[Sun Jan 22 10:58:30.459724 2023] [:debug] [pid 4606] trace_logger_filters.c(321): [client x.x.x.x:52824] in clean request

Re: Capsule Workspace Oauth

PhoneBoy — Thu, 26 Jan 2023 19:00:32 GMT

That appears to be the logs from the front end web server.
I suspect you’ll need to look at a different log file which will contain the actual backend authentication that is occurring with O365.

Re: Capsule Workspace Oauth

Spectrumtech_MS — Sun, 29 Jan 2023 08:43:12 GMT

Hello

Has Checkpoint released a new guide on how to onboard capsule workspace as an Azure enterprise app ?

Capsule tries to authenticate using basic auth and given its deprecated status, users can no longer log in.

Re: Capsule Workspace Oauth

Lars_de_Mooy — Sun, 29 Jan 2023 09:08:14 GMT

Hi spectumtech

This is the guide that you need please share your findings and report back.

If its not working use EWSEDITOR from github to test the azure part.

On my config the EWSeditor is connecting fine on the azure app, the gateways are not.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/Exchange-Mail-Applications-for-Smartphones-and-Tablets.htm?Highlight=oauth

Re: Capsule Workspace Oauth

Lars_de_Mooy — Sun, 29 Jan 2023 09:10:18 GMT

Hi PhoneBoy,

Spend hours and days and hours fixing this the azure app is fine i can connect with EWSeditor using the exact same input as i have on the gateways. I have sent all related logs to checkpoint and i keep waiting on a solution.

Re: Capsule Workspace Oauth

Lars_de_Mooy — Wed, 01 Feb 2023 14:27:36 GMT

Hi spectumtech did you manage to get this working i just spend 2 hours with TAC and no solution yet...

I hope you to hear back and hear how your capsult oauth is doing ?

Regards Lars

Re: Capsule Workspace Oauth

PhoneBoy — Wed, 01 Feb 2023 17:54:31 GMT

I can see that you have an active case with TAC and they are working with you to get the necessary information to troubleshoot.

Re: Capsule Workspace Oauth

Lars_de_Mooy — Wed, 01 Feb 2023 18:06:01 GMT

Yes thats what ik wrote before and TAC is doing all they can to help me solve this, like they always do.

After working on this for a while i am very curious to know if someone else was able to connect Capsule with Oauth.

Tnxs for the reply and keep you posted.

Re: Capsule Workspace Oauth

Spectrumtech_MS — Wed, 01 Feb 2023 21:31:04 GMT

PhoneBoy

indeed, we have an open case with TAC

No real help at this stage and very slack in responding .

It is most likely due to the deprecation of basic auth in m365. We are able to successfully connect and authenticate to the mobile portal and SNX which used the local AD but when capsule is trying to authenticate to Azure AD (ie m365 - exchange online) authentication fails

we simply need a solid (and working) guide on how to correctly configure the enterprise app in Azure to get capsule workspace to authenticate correctly using modern auth.

not sure why this is taking so long. I am safe to assume that there are quite a few frustrated capsule users out there that can’t use this po until it is resolved ..

Re: Capsule Workspace Oauth

Spectrumtech_MS — Thu, 02 Feb 2023 01:34:20 GMT

The following confirms the above:

https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/authentication-and-ews-in-exchange

There is NO guide (tested and validated !) from Checkpoint on how to configure capsule workspace to authenticate as an Azure enterprise app using OAth2.0. Checkpoint - why not ???

Re: Capsule Workspace Oauth

Lars_de_Mooy — Fri, 03 Feb 2023 09:09:59 GMT

Hi Spectrumtech_MS,

Microsoft deprecated basic auth after a long time of communicating and warning and end 2022 and switched off basic in the tenants one at the time.

This is the moment we started to get the 401 unauthenticated error on EWS in smartvier tracker.

Capsule workspace stopped working because of this.
There was a possibility to turn back on basic on EWS in office 365 to give you some more time and after we did that it started to work again. So it was not a surprise for us that this was about to happen beginning 2023 and we needed a solution for this.

We created a checkpoint case and the only way to get the possibility to use Oauth on mobile access connecting to ews was to upgrade to R81.20 we did. The mobile access guide i posted here gives you the basics on what you need to configure in Azure to make this work. Dont take me wrong but the configuration of the enterprise app in azure ad is no complex configuration and the R81.20 mobile access admin guide i posted here gives all the relevant information to create it and it can be tested easaly with the EWSeditor tool from github.

The fact that the R81.20 release, in which the possibility to use oauth with caspule, was released after Microsoft switched off basic auth is strange. Checkpoint is investigating my config and i believe this will be solved soon.

Re: Capsule Workspace Oauth

Spectrumtech_MS — Sun, 05 Feb 2023 10:19:43 GMT

Hi there,

We have upgraded to R81.20 and the issue persists.

Capsule workspace is NOT using modern auth but rather reverts to basic which, in turn, is rejected by m365.

Regarding the configuration of Azure Enterprise App - Are you able to post the detailed configuration steps to allow the use of OATH2.0 for capsule workspace authentication to Exchange Online as the guide is somewhat vague.

Thanks in advance

Re: Capsule Workspace Oauth

Spectrumtech_MS — Sun, 05 Feb 2023 10:07:57 GMT

see attached log extract from the gateway

Re: Capsule Workspace Oauth

Lars_de_Mooy — Sun, 05 Feb 2023 13:01:50 GMT

hi please read carefully

-login azure AD
-click azure active directory
-click app registrations (not enterprise applications)
-click new registration leave all default and give name
-click Client credentials Add a certificate or secret
-new client secret + give name
-copy value to txt
-click api permissions chose APIs my organization uses search offcie 365 exchange online
-click delegated poermissions seacrh ews open ews chose EWS.AccessAsUser.All click ok
-chose Office 365 Exchange Online (1) again click application permissions chose full_access_as_app

dont forget to add the redirect url for iOS / Android)

Re: Capsule Workspace Oauth

Spectrumtech_MS — Mon, 06 Feb 2023 01:06:00 GMT

Thank you Lars.

All configured but unfortunately Capsule still fails to authenticate with a 401 error in the log

We have an open, escalated ticket with Checkpoint ( which failed to provide any meaningful input to date) so will continue to follow up and update if/when a resolution is found

Re: Capsule Workspace Oauth

Lars_de_Mooy — Tue, 07 Feb 2023 08:34:23 GMT

Hi please try this;

- Open your Mobile Mail application in smart dashboard

-go to exchange access

-tick use specific domain

-fill in yourdomain.onmicrosoft.com and save -> policy install

In the basic auth configuration this field had you public domain name that is after the @

In Oauth this needs to be your onmicrosoft domain

Re: Capsule Workspace Oauth

Spectrumtech_MS — Tue, 07 Feb 2023 10:06:00 GMT

Thanks Lars.

I think that did the trick (changing the domain to the *.microsoftonline.com)

Is this a prerequisite for OATH2 authentication to AAD/M365 ?

Re: Capsule Workspace Oauth

Lars_de_Mooy — Tue, 07 Feb 2023 10:14:48 GMT

This may be necessary for the GW to find the tenant, the authentication itself uses the primary smtp address.

You can see this address in the top of your screen in the settings on the capsult client.

Is all working in your environment now ?