KM1895
Collaborator

Machine Certificate

hi,

I'm currently assisting a customer with trying to set up machine certification on their Windows mobile clients.

As far as I can tell, I think I have done the correct initial settings:

- added the trusted CA and subordinate CA to SmartConsole

- made sure that they are set to use the LDAP account unit to retrieve the CRL

- set "send machine certificate" to mandatory on the gateway object

- configured the basic remote access settings on the gateway

- in trac.defaults, I see that enable_machine_auth is set to true, but machine_tunnel_afer_logon is still set to false, which we intend to change

What else am I missing, as I only get a "certificate is required" error message when trying to log on to the gateway?

I have only done this once before, and unfortunately I cannot recall all the steps I did back then, so any input would be appreciated.

Mgmt server is 81.20, while gateway is 81.10.

13 Replies
the_rock
Legend

This is what TAC sent us before, but I don't believe we ever followed it, as the customer had more pressing issues to deal with.

Best,

Andy

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

KM1895
Collaborator

hi,

thanks for the quick reply.

Have followed this one, and I think I have everything in place... just asked the customer to try again, but have a sneaky feeling something is still not right.

the_rock
Legend

Can you send a screenshot of what they see?

Andy

KM1895
Collaborator

Attaching the error they receive when trying to log on.

error.png

the_rock
Legend

That's it, that's EXACTLY what I get in the lab. I don't believe our client gets that, but it never prompts them for cert auth to begin with.

Andy

KM1895
Collaborator

Worst thing is, I have set this up once before, but wasn't much involved in the client setup.

So, I believe that things are correctly set up on the Check Point side, but for some strange reason the certificate, or at least the correct certificate, is not presented.

Have asked the customer for a verification of the certificates in the CAPI store, but here I'm a bit on wobbly ground, as this is not something I work with on a daily basis.

Br

the_rock
Legend

I'm sure someone will make me feel real dumb when they say what has to be done to make this work on the Windows side, but if I can get it to work in the lab, happy to do it : - )

I googled this so many times to see what I'm missing, but no matter what I try, it simply does not work. I even tested with a free p12 cert I found online; you set the cert as machine cert in the MMC console, no joy.

Andy

KM1895
Collaborator

Is that cert you used based on the trusted CA? Because I believe it must be. Also, there cannot be empty fields in the cert name, like *.trusted.company.crt for instance.

The * needs to be replaced with something, like machineid.trusted.company.crt, if I remember correctly.

Br

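As an added example (not from the thread, and not Check Point's own tooling), here is a PowerShell check an admin could run on the client to verify the points raised above before looking at the gateway again: the machine certificate sits in the Local Machine personal store with its private key, its CN is neither empty nor a wildcard, it is currently valid, and it chains to the CA that was added as trusted in SmartConsole. The $TrustedCaSubject value is a placeholder; replace it with the customer's root CA subject.

```powershell
# Added example: inventory Cert:\LocalMachine\My and flag certs that cannot
# serve as a machine certificate. $TrustedCaSubject is an assumed placeholder.
param(
    [string]$TrustedCaSubject = 'CN=Trusted Company Root CA'   # placeholder, adjust
)

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $issues = @()

    # 1. The machine store copy must include the private key (a .cer import alone is not enough).
    if (-not $cert.HasPrivateKey) { $issues += 'no private key in machine store' }

    # 2. The subject CN must be populated and must not be a wildcard such as *.trusted.company.crt.
    $cnPart = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1)
    $cn = if ($cnPart) { $cnPart -replace '^CN=', '' } else { '' }
    if ([string]::IsNullOrWhiteSpace($cn) -or $cn.Contains('*')) { $issues += "unusable CN '$cn'" }

    # 3. Validity window.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $issues += 'outside validity period' }

    # 4. The chain must build to the CA trusted by the gateway. Revocation is
    #    skipped here so the check runs offline; the gateway does its own CRL lookup.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    if (-not $built) {
        $issues += 'chain failed: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        if ($root -ne $TrustedCaSubject) { $issues += "chains to '$root', not the trusted CA" }
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Usable     = ($issues.Count -eq 0)
        Issues     = ($issues -join '; ')
    }
}
```

Run it from an elevated prompt; a cert that shows Usable = True but is still not offered to the gateway points the troubleshooting at the client's VPN configuration rather than at the certificate itself.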
the_rock
Legend

I did not do any of that, because it's not a trusted CA, plus it asks for a p12 certificate, so I generated one from the mgmt ICA tool and also tried a free one I found online, but it's always the exact same error you sent, no matter what cert store you place it in.

Andy

KM1895
Collaborator

I see.

But as far as I can tell, this error is related to something on the client, rather than Check Point. So for now, I will focus my troubleshooting there.

Guess there is not much else to do in trac.defaults, other than setting the tunnel stuff to true.

Br

the_rock
Legend

I don't think so either; trac.defaults would not have much to do with the cert itself, especially the machine one.

Andy

Albin
Contributor

Have you checked out https://support.checkpoint.com/results/sk/sk175111? Had this issue when setting it up in my lab.

the_rock
Legend

Yup, did that on day 1, no joy.

Andy
