This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2018-02-22 12:32 PM
Jump to solution

UserCheck portal using Certificate not created for HTTPS inspection

For the gateway configured to perform HTTPS inspection, with certificate created and distributed to clients, normal traffic behaves as expected:

But when UserCheck is encountered in the rulebase, the gateway serving its VPN certificate:

Which, as it happens, was not distributed to internal hosts.

Is there a way to address it properly?

1 Solution

Accepted Solutions
Norbert_Bohusch
Advisor
‎2018-02-22 12:49 PM
Jump to solution

Yes, on the cluster/gateway properties under UserCheck you can enter the FQDN for UserCheck Portal and import a proper certificate matching it.

For sure FQDN must be resolvable to Cluster/Gateway IP.

View solution in original post

5 Replies
Norbert_Bohusch
Advisor
‎2018-02-22 12:49 PM
Jump to solution

Yes, on the cluster/gateway properties under UserCheck you can enter the FQDN for UserCheck Portal and import a proper certificate matching it.

For sure FQDN must be resolvable to Cluster/Gateway IP.

PhoneBoy
Admin
Admin
‎2018-02-22 02:50 PM
Jump to solution

Just to clarify, the UserCheck portal serves it's own certificate that is not subject to HTTPS Inspection (if I recall correctly).

Thus that certificate needs to be correct/something the client is configured to accept.

It would definitely be better if we could leverage the HTTPS Inspection CA in this case Smiley Happy

(1)
Vladimir
Champion
Champion
‎2018-02-22 03:51 PM
In response to PhoneBoy
Jump to solution

Agree with you on idea of using same cert for multiple purposes. It would actually be nice if the CA on SMS would've been a bit more functional with good front end. Some environments do not have PKI in place and could've used Check Point for this purpose.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-02-22 03:53 PM
In response to Vladimir
Jump to solution

The front end of the Internal CA is called SmartConsole Smiley Happy

Granted, it's not meant as a full CA but for specific functionality, which could potentially be expanded.

0 Kudos
Vladimir
Champion
Champion
‎2018-02-22 03:57 PM
In response to PhoneBoy
Jump to solution

Smiley Happy good one

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events