Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Apparently, there is a built-in ICA portal in R80.10, but I am having trouble making it work.
According to documentation:
To enable the ICA Management tool: [Expert@HostName]# cpca_client [-d] set_mgmt_tool on [-a "administrator DN" | -u "user DN"]
where:
-d- (optional) enables debug for this operation (output is printed on the terminal)on- sets the status of the ICA Management Tool-a "administrator DN" | -u "user DN"- (optional) sets the DN of the authorized administrator ('-a' flag) or DN of the authorized user ('-u' flag) permitted to use the ICA Management tool (must specify the full DN as appears in SmartDashboard in administrator/user properties - on 'Certificates' pane - in the 'DN:' field)
Note: Having port 18265 open is not a vulnerability. The Management Tool Portal is secured and protected by SSL. In addition, only authorized administrators are allowed to access it using a certificate.
But I do not see the 'Certificates' pane not in the Smart console (where I can issue a cert for the user, but it does not contain DN:
Nor in SmartDashboard, where admins are not shown at all:
If someone was able to successfully do this, please chime in with pointers.
Thank you,
Vladimir
The certificates are managed on the user/admin record shown in your screenshot (i.e. there is no unique place to do so).
The DN for the user in your screenshot is "CN=icadmin,OU=users,O=SMSR8010..bhska4"
Since this is an admin user, you would issue the following on your management:
cpca_client set_mgmt_tool on -a "CN=icadmin,OU=users,O=SMSR8010..bhska4"
Access the URL https://mgmt-ip:18265
Assuming you have the certificate imported into your browser's certificate store, you should get something that looks like this:
Otherwise you will get an error message when you attempt to access the site.
Hope this helps.
Well, no dice so far:
[Expert@SMS8010:0]# cpca_client set_mgmt_tool print
Management tool is ON.
Using SSL.
The authorized administrators:
(
: ("CN=icadmin1,OU=users,O=SMS8010..bhska4")
)
The authorized users:
()
The authorized custom users:
()
[Expert@SMS8010:0]#
and cannot connect to 18265:
While nmap shows port as open:
...I am getting ready to invest in a punching bag:
With SSL off, I have no problem connecting to ICA WebUI and am seeing the interface you have shown in the example above.
With SSL on, no dice in any of these browsers: IE11, Firefox, Chrome, Opera on Win 10 pro:
[Expert@SMS8010:0]# cpca_client set_mgmt_tool print
Management tool is ON.
Using SSL.
The authorized administrators:
(
: ("CN=icadmin1,OU=users,O=SMS8010..bhska4")
)
The authorized users:
()
The authorized custom users:
()
[Expert@SMS8010:0]#
Packet capture is not very informative, or I am not seeing something (see attached tcpdump from SMS and pcap from client).
The server is not responding to the initial client's TLS hello:
Is there a way to run a self-diagnostics on ICA?
