topic Re: Prevent VPN from switching certificates in SASE and Remote Access

Prevent VPN from switching certificates

FloydG — Wed, 07 Apr 2021 10:49:27 GMT

Dear CheckMates,

we are using certificate based authentification to establish VPN connections.
The certificate is based in users personal store.

When opening TrGui.exe, you can choose between those authentifications.
When deploying its set to "certificate" and the correct user certificate.

Whenever this certificate is renewed, checkpoint application will switch between those certificates and pick another one in this store.
That results in error when connection to site.
The end user can (if they remember) open TrGui.exe and switch it back.

But our environment is as large, as we have atleast 1 call every day, that the certificate is not working.

The Question:
Can I somehow force the endpoint to use exactly this certificate with specific name (for example).
Any regkey where the current choice is stored?

Thank you in advance.

Re: Prevent VPN from switching certificates

PhoneBoy — Fri, 09 Apr 2021 17:38:06 GMT

Paging @AndreiR

Re: Prevent VPN from switching certificates

FloydG — Mon, 12 Apr 2021 08:21:58 GMT

I found the answer here

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk169453

Thank you.

Re: Prevent VPN from switching certificates

FloydG — Thu, 22 Apr 2021 13:20:13 GMT

Hi,

another question regarding SK article above.

Can we modify trac.defaults file and push it on all clients without any risks?
Or is this file personalized for every client, so that it does not work/fit on all devices/users?

Thank you.

Re: Prevent VPN from switching certificates

G_W_Albrecht — Thu, 22 Apr 2021 13:32:49 GMT

There are two options in sk169453:

- use GW trac_client_1.ttm for configuration, that will be downloaded by all clients when connecting

- use trac.defaults in client install package for configuration, then you can either roll out using one package or use packages with different trac.defaults for different clients

Re: Prevent VPN from switching certificates

FloydG — Fri, 30 Apr 2021 08:58:13 GMT

Hi,

thank you for reply, but it does not really answer my question.
Is there any risk, when I create a trac.defaults file and replace this file on all systems in our environment (by basic copy & paste)?

Any user specific file metadata or something else, which could lead to issues in the future?

Re: Prevent VPN from switching certificates

G_W_Albrecht — Tue, 04 May 2021 08:29:43 GMT

No, not at all - see sk55502: How to centrally manage the trac_client_1.ttm configuration file for Remote Access Clients for the suggested way of managing extended configurations for all clients. Or you can use sk122574 - VPN Configuration Utility for Endpoint Security VPN E80.71 (and above) Clients for Windows. The sk121196: Remote Access client disconnects after upgrade explains that you can use any track.defaults from same version clients for replacement. So nothing client-specific there...

But all three possible methods have inherent weaknesses:

- central managing the config following sk55502 will need manual editing again after SMS upgrade

- creating client packages with changed trac.default must be done for every new client version to be rolled out

- manual changes to clients trac.default will be overwitten by any new client version to be rolled out (this needs the most manual work that multiplies with the number of clients)