Re: Machine Certificate

KM1895 · ‎2024-03-14

hi,

Im currently assisting a customer with trying to set up machine certification on their windows mobile clients.

As far as i can tell, i think i have done the correct initial settings:

- added the trusted ca and subordinate ca to smartconsole

- made sure that they are set to use ldap account unit to retrieve crl

- set "send machine certificate" to mandatory, on the gateway object

- configured the basic remote access settings on the gateway

- int trac.defaults, i see that enable_machine_auth is set to true, but machine_tunnel_afer_logon is still set to false, which we intend to change

What else am i missing, as i only get a "certificate is required" error message when trying to log on to the gateway.

I have only done this once before, and unfortunately, i cannot recall all the steps i did back then, so any input would be appreciated.

mgmt server is 81.20, while gateway is 81.10.

the_rock · ‎2024-03-14

This is what TAC sent us before, but I dont believe we ever followed it, as customer had more pressing issues to deal with.

Best,

Andy

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

KM1895 · ‎2024-03-14

hi,

thanks for the quick reply.

Have followed this one, and i think i have everything in place...just asked the customer to try again, but have a sneaky feeling something is still not right.

the_rock · ‎2024-03-14

Can you send a screenshot of what they see?

Andy

KM1895 · ‎2024-04-08

attaching the error they receive when trying to log on.

the_rock · ‎2024-04-08

Thats it, thats EXACTLY what I get in the lab. I dont believe our client get that, but it never prompts them for cert auth to begin with.

Andy

KM1895 · ‎2024-04-08

worst thing is, i have set this up once before, but wasnt much involved in the client setup.

So, i believe that things are correct set up on the Checkpoint side, but for some strange reason, the certificate, or at least not the correct, certificate is not presented.

Have asked the customer for a verification of the certificates in the capi store, but here, im a bit on wobbly ground, as this is not something i work with on a daily basis.

Br

the_rock · ‎2024-04-08

Im sure someone will make me feel real dumb when they say what has to be done to make this work on windows side, but if I can get it work in the lab, happy to do it : - )

I googled this so many times to see what Im missing, but not matter what I try, it simply does not work. I even tested with free p12 cert I found online, you set the cert as machine cert in mmc console, no joy.

Andy

KM1895 · ‎2024-04-08

is that cert you used based on the trusted ca? because i believe it must be. Also, it cannot be empty fields in the certname, like *.trusted.company.crt for instance.

the * needs to be replaced with something, like machineid.trusted.company.crt, if i remember correct.

Br

the_rock · ‎2024-04-08

I did not do any of that, because its not trusted CA, plus, it asks for p12 certificate, so I generated one from mgmt ICA tool and also tried free one I found online, but its always exact same error you sent, no matter what cert store you place it in.

Andy

KM1895 · ‎2024-04-08

i see.

but as far as i can tell, this error is related to something on the client, rather than checkpoint. So for now, i feel focus my troubleshooting there.

Guess there is not much else to do in trac.defaults, other than setting the tunnel stuff to true.

Br

the_rock · ‎2024-04-08

I dont think so either, trac.defaults would not have much to do with cert itself, at least specially the machine one.

Andy

Albin · ‎2024-04-08

Have you checked out https://support.checkpoint.com/results/sk/sk175111? Had this issue when setting it up in my lab.

the_rock · ‎2024-04-08

Yup, did that on day 1, no joy.

Andy

Are you a member of CheckMates?

Machine Certificate