Hi,
I'm currently assisting a customer with trying to set up machine certification on their Windows mobile clients.
As far as I can tell, I think I have done the correct initial settings:
- added the trusted CA and subordinate CA to SmartConsole
- made sure that they are set to use the LDAP account unit to retrieve the CRL
- set "send machine certificate" to mandatory on the gateway object
- configured the basic remote access settings on the gateway
- in trac.defaults, I see that enable_machine_auth is set to true, but machine_tunnel_after_logon is still set to false, which we intend to change
What else am I missing, as I only get a "certificate is required" error message when trying to log on to the gateway?
I have only done this once before, and unfortunately, I cannot recall all the steps I did back then, so any input would be appreciated.
Mgmt server is 81.20, while gateway is 81.10.
This is what TAC sent us before, but I don't believe we ever followed it, as the customer had more pressing issues to deal with.
Best,
Andy
Hi,
Thanks for the quick reply.
I have followed this one, and I think I have everything in place... just asked the customer to try again, but have a sneaky feeling something is still not right.
Can you send a screenshot of what they see?
Andy
Attaching the error they receive when trying to log on.
That's it, that's EXACTLY what I get in the lab. I don't believe our client gets that, but it never prompts them for cert auth to begin with.
Andy
Worst thing is, I have set this up once before, but wasn't much involved in the client setup.
So, I believe that things are correctly set up on the Check Point side, but for some strange reason, the certificate, or at least the correct certificate, is not presented.
Have asked the customer for a verification of the certificates in the CAPI store, but here, I'm a bit on wobbly ground, as this is not something I work with on a daily basis.
Br
I'm sure someone will make me feel real dumb when they say what has to be done to make this work on the Windows side, but if I can get it to work in the lab, happy to do it :-)
I googled this so many times to see what I'm missing, but no matter what I try, it simply does not work. I even tested with a free p12 cert I found online; you set the cert as machine cert in the mmc console, no joy.
Andy
Is that cert you used based on the trusted CA? Because I believe it must be. Also, there cannot be empty fields in the cert name, like *.trusted.company.crt for instance.
The * needs to be replaced with something, like machineid.trusted.company.crt, if I remember correctly.
Br
I did not do any of that, because it's not a trusted CA; plus, it asks for a p12 certificate, so I generated one from the mgmt ICA tool and also tried a free one I found online, but it's always the exact same error you sent, no matter what cert store you place it in.
Andy
I see.
But as far as I can tell, this error is related to something on the client, rather than Check Point. So for now, I feel I should focus my troubleshooting there.
Guess there is not much else to do in trac.defaults, other than setting the tunnel stuff to true.
Br
I don't think so either; trac.defaults would not have much to do with the cert itself, especially the machine one.
Andy
Have you checked out https://support.checkpoint.com/results/sk/sk175111? Had this issue when setting it up in my lab.
Yup, did that on day 1, no joy.
Andy