topic Re: SSL VPN extender Linux/Mozilla Firefox in Spark Firewall (SMB)

SSL VPN extender Linux/Mozilla Firefox

Realming_Grape — Thu, 30 Jul 2020 10:59:08 GMT

Hi Everyone. Im really struggling to get our checkpoint VPN to work for SLLVPN. I am using Ubuntu so the Checkpoint Client is out of the question (Stupid) ive tried doing the SSL extender option and it works to a point, i receive the Java unavailable error.

my problem is im using checkpoint 750. there is apparently a hotfix for mobile access hotfix. my checkpoint is 'up to date' with update R77.20.87 (990173004) but the hotfix only applies to R77.30 i think. is there anyway i could get this working at all? its so frustrating as i need to teamviewer to my Server to access anything intranet. im not the biggest fan of checkpoint. help would be greatly appreciated as i have tried everything, even L2TP.

Re: SSL VPN extender Linux/Mozilla Firefox

G_W_Albrecht — Thu, 30 Jul 2020 15:40:51 GMT

did you read sk65210: SSL Network Extender ? All Linux OSs require Oracle JRE to install.
Use the snx -h command to make sure that the SSL Network Extender client is installed correctly.

The Hotfix is from sk113410 - Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology

Here we read:

Note for locally and centrally managed SMB appliances [Embedded Gaia]:

This feature is not included in the product. If you need it, please submit a Request for Enhancement.

Re: SSL VPN extender Linux/Mozilla Firefox

Dale_Lobb — Thu, 30 Jul 2020 16:34:24 GMT

@G_W_Albrechtis correct in that the hotfix described in sk113410 is only for firewalls running the Mobile Access Blade. It's an update to the Mobile Access Portal to support extra browsers. The Mobile Access Blade is not supported on SMB firewalls tuning embedded Gaia.

Having said that, I have read a number of CheckPoint documents stating that the SNX client and Remote Access is possible and supported on SMB appliances running Embedded Gaia. One would presume that the SMB appliances have some sort of alternate portal.

What I have not been able to find is any CheckPoint documentation on how to enable Remote Access on an SMB firewall, nor on how to write policy rules to limit access to remote clients.

Re: SSL VPN extender Linux/Mozilla Firefox

PhoneBoy — Thu, 30 Jul 2020 17:09:18 GMT

SMB Appliances managed with Smart enter are configured exactly the same way as regular gateways in terms of remote access (I.e. nothing on the device itself).
For locally managed SMB appliances, the “alternate” portal to download SNX is gateway-IP:444 though I will admit I haven’t tried invoking snx on Linux.
You can also configure local rules to allow remote users to access specific resources.

Re: SSL VPN extender Linux/Mozilla Firefox

Realming_Grape — Fri, 31 Jul 2020 08:40:23 GMT

Thank you for your response.

i have Java installed but unfortunately most browsers dont support Java anymore so its useless. ive tried with different browsers and i get the same error.

im also new to Linux, as i want to increase my knowledge in the OS. the endpoint works for windows but i just cannot seems to get this going for some reason.

ive tried everything.

does this request for enhancement upgrade my current device?

Re: SSL VPN extender Linux/Mozilla Firefox

PhoneBoy — Fri, 31 Jul 2020 21:26:34 GMT

Installing SNX via browser is not currently possible on SMB appliances.
Assuming an RFE would be accepted/delivered on SMB appliances, it would not apply to the 750 as we are only fixing bugs and not adding new features on these appliances.

However, what you can do is manually install SNX from here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90240
This will allow you to invoke an SNX connection from the CLI, avoiding the issue with the browser not supporting Java plugins.
I did a brief test on 1490 and it appears to work.

Re: SSL VPN extender Linux/Mozilla Firefox

LuisSP — Tue, 11 Aug 2020 07:37:00 GMT

Hello everyone. I had headache with SNX too, but after many hours searching and reading I did resolve this problem.

SK's:

sk43935 Failure to connect with SSL Network Extender via Ubuntu 7 CLI
sk114267 How to install SSL Network Extender (SNX) client on Linux machine
sk65210 SSL Network Extender
sk90240 SNX Installation Package for Linux OS client

My linux host is Linux Mint, which I updated and upgraded to last patches:

Linux vmLinuxMint 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Java coming with such linux flavor, is ...

openjdk version "10.0.2" 2018-07-17
OpenJDK Runtime Environment (build 10.0.2+13-Ubuntu-1ubuntu0.18.04.4)
OpenJDK 64-Bit Server VM (build 10.0.2+13-Ubuntu-1ubuntu0.18.04.4, mixed mode)

With all above installed, I ran:

prompt>sudo apt install libpam0g:i386 libx11-6:i386 libstdc++6:i386 libstdc++5:i386 libnss3-tools

Then I installed SNX, but something rare, snx client that donwloaded from my FW remote access portal don't work for me, so I downloaded snx client from sk90240. and made it executable, after that...

prompt>sudo sh ./snx_install_linux30.sh

and connect to remote FW

prompt>snx -s (ip-wan-fw) -u user

Check Point's Linux SNX
build 800010003
Please enter your password:

SNX - connected.

Session parameters:
===================
Office Mode IP : A.B.C.D
Timeout : 8 hours

I hope this work for you.

...

Re: SSL VPN extender Linux/Mozilla Firefox

John_Fleming — Tue, 11 Aug 2020 15:41:52 GMT

FYI almost all linux vendors have stopped supporting i386. Ubuntu's latest LTS (20.04) doesn't. Checkpoint is going to need to come up with a SNX build for 64bit at some point.

Re: SSL VPN extender Linux/Mozilla Firefox

Realming_Grape — Wed, 12 Aug 2020 09:26:23 GMT

LuisSP, Thank you, youre amazing

It is finally working. i was doing everything exactly as you were doing except, my firewall was giving me an older version of SNX (800007075)
going through your clues led me to download the right version and now i can connect. thank you once again.

Re: SSL VPN extender Linux/Mozilla Firefox

SushilS — Fri, 30 Apr 2021 13:27:35 GMT

I faced similar issue so thought of sharing the solution as it may help someone else:

At UBUNTU client, install the following prerequisites

sudo apt-get install libstdc++5:i386 libpam0g:i386

It worked for me, Gateway: R80 , client: Ubuntu 16 and Ubuntu 18.

Hope it helps.