This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Di_Junior
Advisor
Advisor
‎2019-12-13 12:13 AM

Importing certificates in Check Point gateways for authentication

Hi Mates

 

I need a hand.

We are currently migrating one of our services (skype for business) from TMG to Check Point. I am using a logical server in order to balance the traffic to our internal servers (3 servers) where the 7 DNS records that serves this application. 

The problem that we are facing is with mobile devices, currently with TMG when a mobile device tries to connects, TMG presents them our certificate issued by Digicert, and everything works fine.

Now that we are migrating to Check Point, we are facing an issue with the certificate. With Check Point, when a mobile device tries to connect, it is presented with self-signed certificate on the internal servers, and the comunication does not work.

We requested the certificate that is being used by TMG, and it is a .pfx file. 

Is there any way we can achieve what is being done by TMG.

 

We are using R80.20.

 

Thanks in advance

 

8 Replies
PhoneBoy
Admin
Admin
‎2019-12-13 08:53 AM

Logical Server objects don't have any specific support for HTTPS.
That said, you might be able to combine this with inbound HTTPS Inspection where you can configure it to present the Digicert certificate.
The gateway will need to be configured to trust the CA (or self-signed cert) for the Internal servers.
Di_Junior
Advisor
Advisor
‎2019-12-14 10:44 PM
In response to PhoneBoy

Hi PhoneBoy

Thanks for the feedback.

"That said, you might be able to combine this with inbound HTTPS Inspection where you can configure it to present the Digicert certificate."

The Digicert certificate is in pfx format, I tried to import it in https inspections but it seems that this pfx is not supported. How can solve this issue?

Thanks in advance

0 Kudos
PhoneBoy
Admin
Admin
‎2019-12-15 06:04 PM
In response to Di_Junior

You just need to convert the certificate using OpenSSL or some other tool.
A couple suggestions here: https://stackoverflow.com/questions/6819079/convert-pfx-format-to-p12
0 Kudos
Di_Junior
Advisor
Advisor
‎2019-12-16 02:55 PM
In response to PhoneBoy

Hi PhoneBoy

I have successfully convertes the certificate into p12.

How do I now present the certificates to clientes when they are trying to connect?

How do I make the gateway to trust this certificate?

You help is much appreciated.

Thanks in advance
0 Kudos
PhoneBoy
Admin
Admin
‎2019-12-16 03:47 PM
In response to Di_Junior

You configure Inbound HTTPS Inspection as described in the documentation: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide...
The certificate you have to configure the gateway to "trust" in this case is the internal CA (or self-signed) certificate(s) the gateway will see when it opens the HTTPS connection to the internal hosts.
This process should also be described in the documentation referenced above.

Like I originally said, this might work.
I don't know for sure it will.
0 Kudos
Di_Junior
Advisor
Advisor
‎2020-01-08 02:41 AM
In response to PhoneBoy

Hi @PhoneBoy

Thanks for your help.
I tried that, and it did not work. I am still getting the self-signed certificate instead of the Digicert certificate.
I have opened a TAC case and still waiting on their feedback.

Meanwhile, Has anyone ever implemented skype for business over a Check Point firewall and got it working? how was it implemented? because this is the only service preventing us from migrating all our services to Check Point.

Thanks in advance
0 Kudos
PhoneBoy
Admin
Admin
‎2020-01-08 03:26 PM
In response to Di_Junior

You should start a separate thread about Skype for Business derailing the configuration and specific issues you’re running into.
I do know you probably need to bypass HTTPS Inspection for those servers.
0 Kudos
Di_Junior
Advisor
Advisor
‎2020-01-09 04:56 AM
In response to PhoneBoy

Hi @PhoneBoy

Thanks. I will open another thread.
Regards
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events