Pedro_Silva
Pedro_Silva inside Remote Access Solutions Thursday
views 68 1

Remote Access SSL VPN or clientless configuration on R80.20

Hi everyone,

I am trying to configure a scenario to allow Remote Access through a R80.20 gateway using SSL VPN/clientless configuration. I am looking for recommendations and documentation to set this up.

The Remote Access client needs to have network access to the internal network as this is to be used for IT support. We would prefer to keep it simple by not installing a full IPSec client.

I have tried two configurations so far without success:

1. Enabled Mobile Access - was able to get authentication to work and establish connectivity with the SNX client, however could not find a way to present the internal routes to the client. SNX only showed routes to subnets directly connected to the firewall.
2. Disabled Mobile Access and followed instructions in the Remote Access VPN R80.20 Admin Guide - have configured SSL Network Extender support but am not getting a response when I browse to the external IP on the gateway.

Any help appreciated.

Thanks
Pedro
Nikolaos_Liakop
Nikolaos_Liakop inside Remote Access Solutions a week ago
views 30 1

Restrict Client2Site VPN User Group to connect from specific public IP addresses

Hello.

I would like to ask if it is possible to define whether a specific User Group can connect to the Gateway via RAS VPN but only from specific public IP addresses.

I am aware that there are some fields such as "Known Locations" in the User object properties, or "Known networks" in the Access Role Properties, but these Source Networks/IPs get applied only after the VPN connection has already been established.

Thank you.
Alexander_Urits
Alexander_Urits inside Remote Access Solutions a week ago
views 1569 13

VPN access restriction based on domain membership

Hi.

I'm looking for an option to restrict VPN access only to laptops which are "domain members". Is there a way to accomplish that? (All PCs/part of them?)

Thanks,
Alex
Udupi_krishna
Udupi_krishna inside Remote Access Solutions a week ago
views 1161 5

SDL with location awareness

Hello Everyone,

I am working on a specific requirement with Endpoint Security VPN E80.92 clients. I read the admin guide in order to enable SDL and location awareness (Global properties > Endpoint connect). It contains a group with our internal IP addresses. SDL is enabled on the client. Now when these users connect over an external network the SDL pops up, which is good. But when the user comes into the office, we have configured the parameter to not come up, but it doesn't work.

I added the below parameter on the Security Gateway trac client ttm file, but it still doesn't work:

    :ignore_sdl_in_encdomain (
        :gateway (
            :map (
                :false (false)
                :true (true)
            )
            :default (true)
        )
    )

Unless I have mistaken the syntax or procedure, the above statement should be good. In addition to that, when I look at the trac.defaults file of the client, ignore_sdl_in_encdomain is in fact set to true:

    ignore_sdl_in_encdomain STRING true GW_USER 0

While reviewing the logs from the endpoint, I see a weird behavior but am unable to conclude what component is possibly causing the issue.

[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: entering...
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] sdl_enabled return value true, because it is User config variable. Scope: site NULL ,gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] ignore_sdl_in_encdomain return value true, because it is Default variable. Scope: site clientvpn.flybe.com, gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: check if client is in enc domain
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::GetCurrentClientIP: mLA is NULL
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: clientIP is not initialized in LA yet, try getting it directly
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] gw_ipaddr return value XXX.XX.93.6, because it is Gateway config variable. Scope: site clientXXX.XXXXX.com ,gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][location_awareness] GetExternalInterfaceIndex: GetIpForwardTable needs 1412 bytes
[ 4324 5340][16 Apr 9:37:03][location_awareness] GetExternalInterfaceIndex: External index interface is 0x0, Default gw is 0.0.0.0
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: GetExternalInterfaceIndex failed
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: no client ip - set enc domain result NO_NETWORK
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TrConnManager::SaveInEncDomainResult: InEncStatus=no_network
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Trying to open or create registry: Software\CheckPoint\TRAC
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Successfully opened key Software\CheckPoint\TRAC
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Successfully set (DWORD) key IsInEncDomain with value 2
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::isUserLoggedOn: Entering...

Here are logs from another test.

[ 4420 5272][17 Apr 10:30:33][location_awareness] LocationAwareness::_NotifyNetworkChange: entering...
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TrConnManager::NotifyNetworkChange: entering, location is UNKNOWN(-1), interfaceIdx=2, interfaceIp=XX.XXX.23.45
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::NotifyNetworkChange: save location result in the registry for sdl
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TrConnManager::SaveInEncDomainResult: InEncStatus=out
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Trying to open or create registry: Software\CheckPoint\TRAC
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Successfully opened key Software\CheckPoint\TRAC
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Successfully set (DWORD) key IsInEncDomain with value 0
[ 4420 5272][17 Apr 10:30:33][location_awareness] LocationAwareness::NotifyLocation: notify our current location - UNKNOWN
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::LocationNotification: called with location of type -1

I have masked the IP address, but the IP seen here is part of the location awareness Internal IP group.

Not sure if I am missing some basic stuff here.
ovidiu_catrina
ovidiu_catrina inside Remote Access Solutions a week ago
views 15266 21 4

remote client VPN authentication with Certificate

Hi,

At the moment we have the standard remote VPN for our users with office mode, authentication done through LDAP and MFA, which works perfectly, no complaints here so far, but I want to start implementing certificate based authentication on the remote VPN clients.

The CA is internal; our Active Directory will issue the certificates for the users.

I have an NPS server (RADIUS), policy is created, although it could be wrongly configured.

I have the RADIUS server defined on the management.

But I am missing 2 steps:
1st: how do I enforce/allow users to use the certificate to authenticate?
2nd: could someone provide some step-by-step or a policy configuration for the NPS server?

At the moment I have this:

and of course the firewalls defined as clients on the RADIUS server.

Regards
MattDunn
MattDunn inside Remote Access Solutions a week ago
views 48 3

SNX

Hi everyone 🙂

A customer is reporting problems with SNX. It keeps disconnecting. They were doing some testing yesterday and found repeats of the following stuff in the log from the SNX SSL VPN Network Extender during drops:

[ 3864 4568]@IT[8 May 10:04:35][] fwasync_connbuf_realloc: reallocating 1350b80 from 1208 to 2292
[ 3864 4568]@IT[8 May 9:01:33][] fwasync_mux_in: 2348: read: Connection Reset by peer
[ 3864 4568]@IT[8 May 9:01:35][] SkSetTCP_NODELAY: fd=1428: Invalid Argument
[ 3864 4568]@IT[8 May 9:01:35][] fwasync_conn_params: ->
[ 3864 4568]@IT[8 May 9:01:35][] fwasync_connbuf_realloc: reallocating 0 from 0 to 1208
[ 3864 4568]@IT[8 May 9:01:35][] fwasync_connbuf_realloc: reallocating 0 from 0 to 66560
[ 3864 4568]@IT[8 May 9:01:37][] kmsg_handle_local: 2 records handled
[ 3864 4568]@IT[8 May 9:01:37][] fwasync_connbuf_realloc: reallocating 134e078 from 1208 to 2292
[ 3864 4568]@IT[8 May 8:52:52][] fwasync_mux_in: 2348: read: Connection Reset by peer
[ 3864 4568]@IT[8 May 8:52:54][] SkSetTCP_NODELAY: fd=2348: Invalid Argument
[ 3864 4568]@IT[8 May 8:52:54][] fwasync_conn_params: ->
[ 3864 4568]@IT[8 May 8:52:54][] fwasync_connbuf_realloc: reallocating 0 from 0 to 1208
[ 3864 4568]@IT[8 May 8:52:54][] fwasync_connbuf_realloc: reallocating 0 from 0 to 66560
[ 3864 4568]@IT[8 May 8:51:04][] fwasync_mux_in: 1748: read: Connection Reset by peer
[ 3864 4568]@IT[8 May 8:51:06][] SkSetTCP_NODELAY: fd=2316: Invalid Argument
[ 3864 4568]@IT[8 May 8:51:06][] fwasync_conn_params: ->
[ 3864 4568]@IT[8 May 8:51:06][] fwasync_connbuf_realloc: reallocating 0 from 0 to 1208
[ 3864 4568]@IT[8 May 8:51:06][] fwasync_connbuf_realloc: reallocating 0 from 0 to 66560
[ 3864 4568]@IT[8 May 8:51:14][] kmsg_handle_local: 2 records handled
[ 3864 4568]@IT[8 May 8:51:15][] fwasync_connbuf_realloc: reallocating 139eac0 from 1208 to 2292

This was recorded for each of the drops they experienced over an hour window. The first thing I notice is the date. Yesterday was 5 May. The logs show 8 May.

I presume, as it does connect and work for a while each time, the incorrect date isn't the root cause of this problem? Anyone got any ideas?

It's R80.10 Take 42.

Thanks,
Matt
John_Borden1
inside Remote Access Solutions a week ago
views 1067 6 1
Employee

Dynamic ID and 2way SMS Provider

Dynamic ID and two-way SMS providers. Most SMS providers are now requiring two-way SMS in the US. Clickatell is now requiring this format to send an SMS text:

curl -v --capath $CVPNDIR/var/ssl/ca-bundle/ "https://platform.clickatell.com/messages/http/send?apiKey=%APIKEY%==&to=%PHONE #%&content=%DYNAMICCODE%&from=%FROMNUMBER%"

Is this possible in our Dynamic setup? I can send this command directly from the gateway and I get the text message, but can't get the Dynamic SMS within Check Point to send this request. Trying to help a customer with this. If there is an SMS provider users are using that is working, that is also an option.

Thanks,
John Borden CCSA
Gaurav_Pandya
Gaurav_Pandya inside Remote Access Solutions a week ago
views 44 1

Remote access & SCV configuration

When we edit the $FWDIR/conf/local.scv file on the management server to start enforcing the OsMonitor checks like sk147416 instructs, we get failures when attempting to push the Desktop Policy out to the Gateways. The customer wants to block users from connecting into the environment on computers running Windows XP. Does anyone have any idea how we can troubleshoot this issue?
cezar_varlan1
cezar_varlan1 inside Remote Access Solutions 2 weeks ago
views 834 5

Remote Access Communities

Hello,

I am trying to configure a more complicated VPN setup for Remote Access but it doesn't look like it works the way I was expecting. There is only one Remote Access Community. In the manual we have the line: "You can also create a new Remote Access VPN Community with a different name." but there is no instruction on how to do so. If I add a new community I have only Star or Mesh options and they look like they are a bit different than the built-in Remote Access.

1. First of all, can I have more than one Remote Access Community per Gateway? I can edit VPN Domain per Remote Access but I can't really get how you can create a second Remote Access Community.
2. I know that there is one Office Mode Pool by default per gateway. If I need to allocate two different IP subnets to users connecting to the gateway based on Group/Username, can I do it in any other way than stated in sk33422 (Office Mode IP and ipassignment.conf file)? This one
3. For non-global split-tunnel we have sk114882 where you can control tunneling mode based on group membership.

Does anyone have a similar setup where, let's say:

Internal VPN Users can access Full-Tunnel and all internal subnets
External VPN Users can access Split-Tunnel and some pre-defined internet destinations with VPN GW NAT

All of this on only one Security Gateway.

Thank you,
Cezar
Christoph_Holzi
Christoph_Holzi inside Remote Access Solutions 2 weeks ago
views 1300 20 2

Multiple Remote Access Communities (GW Version?)

Hello, when playing around in R80.10 Management today, I discovered that it's now possible to define multiple remote access communities (including defining different VPN domains for each RAC). First of all, thank you CheckPoint - I've been waiting for this feature for so long. [edit 07.01.: more a bug than a feature, see below]

I couldn't find any hints regarding multiple RACs in the R80.10 Release Notes/HFA Notes/Support Center.

So my questions are:

Is there any official statement whether the GW has to run R80.10 or can this be configured for a R77.30 GW (managed by R80.10 SM) as well?
(added) Any experiences/considerations when using on VSX?

Thanks in advance!

Greetings
Christoph
Mike_Barkett
Mike_Barkett inside Remote Access Solutions 2 weeks ago
views 193 1 2

Disclaimer banner popup upon VPN connection

Not really a question, but suggestions for improvements or other feedback are certainly encouraged.

I received a requirement to pop up a disclaimer after an endpoint connects to VPN, requiring the user to accept the terms ("unauthorized access prohibited" etc.) or else the VPN connection should shut off. TAC helpfully pointed me to sk103117 but understandably, their assistance ended before providing any guidance on how the post-connect script itself should work.

Googling wasn't much help, so DEAR PEOPLE FROM THE FUTURE: Here's what we've figured out so far...*

In a nutshell, the SK instructs you to make a few adjustments via GUIDBEdit and the trac_client_1.ttm file (or your equivalent, if you have multiple ttm's) on the gateway(s), which will point the client to a local script that runs after the VPN connects. TAC's advice was to consider an HTA file, which is a good idea, but they could not assist any further than that.

First, it turns out you cannot run an HTA file directly from this feature. So I created a .bat wrapper. This part is very simple, something as basic as this does the trick:

================= popup.bat =================
@echo off
start C:\scripts\popup.hta
============================================

A couple of important administrative notes before we get into the HTA file:

Permissions for popup.bat and popup.hta should be restricted such that regular users cannot simply delete or rename them, but they should be able to execute them.

popup.hta will need to be trusted by your GPO policy or whatever you are using to manage Windows security on your endpoints. Otherwise, you'll get an untrusted app warning upon first connection, which could confuse users.

Borrowing from cobbled-together code that I was able to find on various sites (appropriate credit given in comments where due) I put together a little popup that cannot be closed or edited, and which provides the user a configurable number of seconds to Agree or Disagree to the disclaimer before the VPN disconnects. Conveniently, the VPN will also disconnect if the user tries to kill the task without agreeing.

Here is the code for popup.hta:

================= C:\scripts\popup.hta =================
<html>
<head>
<HTA:APPLICATION
    APPLICATIONNAME="disclaimer_popup"
    SCROLL="no"
    SINGLEINSTANCE="yes"
    WINDOWSTATE="Normal"
    CAPTION="yes"
    MAXIMIZEBUTTON="no"
    MINIMIZEBUTTON="no"
    SYSMENU="no"
    BORDER="thin"
    BORDERSTYLE="Normal"
    CONTEXTMENU="no"
    SELECTION="no">
<title>Authorized Access Only</title>
<script language="VBScript">
Public accepted
Public alreadyran
Dim pbTimerID
Dim pbHTML
Dim pbWaitTime
Dim pbHeight
Dim pbWidth
Dim pbBorder
Dim pbUnloadedColor
Dim pbLoadedColor
Dim pbStartTime

Sub Window_OnLoad
    ' Progress Bar Settings, credit to Paul W. Blair:
    ' https://gallery.technet.microsoft.com/scriptcenter/Accurate-HTA-Countdown-and-3fd670d6
    pbWaitTime = 20              ' How many seconds the progress bar lasts
    pbHeight = 8                 ' Progress bar height
    pbWidth = 200                ' Progress bar width
    pbUnloadedColor = "white"    ' Color of unloaded area
    pbLoadedColor = "blue"       ' Color of loaded area
    pbBorder = "green"           ' Color of Progress bar border
    ' Don't edit these things
    pbStartTime = Now
    rProgressbar
    pbTimerID = window.setInterval("rProgressbar", 200)
    'window.resizeTo screen.availWidth/4.5,screen.availHeight/3
    window.resizeTo 427,360
    window.moveTo screen.availWidth/3,screen.availHeight/3
    ' Fake modal window
    window.setInterval "putontop()", 200
    accepted = False
    alreadyran = False
End Sub

Function putontop
    window.focus()
End Function

Sub rProgressbar
    pbHTML = ""
    pbSecsPassed = DateDiff("s",pbStartTime,Now)
    pbMinsToGo = Int((pbWaitTime - pbSecsPassed) / 60)
    pbSecsToGo = Int((pbWaitTime - pbSecsPassed) - (pbMinsToGo * 60))
    if pbSecsToGo < 10 then
        pbSecsToGo = "0" & pbSecsToGo
    end if
    pbLoadedWidth = (pbSecsPassed / pbWaittime) * pbWidth
    pbUnloadedWidth = pbWidth - pbLoadedWidth
    pbHTML = pbHTML & "<table border=1 bordercolor=" & pbBorder & " cellpadding=0 cellspacing=0 width=" & pbWidth & "><tr>"
    pbHTML = pbHTML & "<th width=" & pbLoadedWidth & " height=" & pbHeight & " align=left bgcolor=" & pbLoadedColor & "></th>"
    pbHTML = pbHTML & "<th width=" & pbUnloadedWidth & " height=" & pbHeight & " align=left bgcolor=" & pbUnLoadedColor & "></th>"
    pbHTML = pbHTML & "</tr></table><br>"
    pbHTML = pbHTML & "<table border=0 cellpadding=0 cellspacing=0 width=" & pbWidth & "><tr>"
    pbHTML = pbHTML & "" & pbMinsToGo & ":" & pbSecsToGo & " remaining"
    pbHTML = pbHTML & "</tr></table>"
    progressbar.InnerHTML = pbHTML
    if DateDiff("s",pbStartTime,Now) >= pbWaitTime then
        StopTimer
        DoAction
    end if
End Sub

Sub StopTimer
    window.clearInterval(PBTimerID)
End Sub

Sub DoAction
    DisableVPNAdapter
End Sub

Sub DisableVPNAdapter
    If accepted = True Then
        Window = Nothing
    Else
        If alreadyran = False Then
            Set ObjShell = CreateObject("Shell.Application")
            ObjShell.ShellExecute "trac.exe", "disconnect", "C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\", "", 0
            alreadyran = True
        End If
        Window.Close
    End If
End Sub

Sub Proceed
    accepted = True
    Window.Close
End Sub

Sub Window_onUnload
    DisableVPNAdapter
End Sub
</script>
</head>
<body>
<div align="center">
<p>Unauthorized access is prohibited. By clicking 'Agree' you assert that you are an authorized employee, will abide by all usage policies, and consent to monitoring of all network traffic.</p>
<p><button onclick="Proceed">Agree</button> &nbsp;<button onclick="DisableVPNAdapter">Disagree</button></p>
</div>
<div align="center">
<p>VPN will disconnect if you do not agree before the counter reaches 0.</p>
<span id="progressbar"></span>
</div>
</body>
</html>
===================================================

If all goes well, then upon connection you should see a window like this:

Hopefully this helps someone in the same situation at some point down the road.

-MAB

* - https://xkcd.com/979/
Craig_Waddingto
Craig_Waddingto inside Remote Access Solutions 2 weeks ago
views 144 3

Endpoint VPN Internet Access

Hoping someone can help me troubleshoot. Endpoint VPN users cannot browse the Internet.

Internal: Works great. Can ping all internal resources, use internal websites, resolve DNS internal and external.

Internet: Cannot ping google.com.au, cannot browse to, say, Google. Tracert to google.com stops at FW/Gateway.

In Gateway logs, VPN Blade, I don't see any drops, everything is accepted.

Any ideas on how to troubleshoot? Can someone provide a copy of a rule example for VPN Internet access?
KeithSponseller
KeithSponseller inside Remote Access Solutions 3 weeks ago
views 183 1

VPN Local Authentication & LDAP

I have the Mobile Access VPN licenses configured on my 5600 gateway R80.20 (latest patches) and want to see if there is a way to configure a local VPN authentication method in addition to the LDAP so I can connect when the LDAP AD servers are offline due to an outage.
Thomas_Bennek
Thomas_Bennek inside Remote Access Solutions 3 weeks ago
views 641 2 2

SSL Ciphers Mobile Access Portal

Hello everyone,

For the connection to the Mobile Access Portal we want to use strong ciphers and therefore used "vpn_cipher_priority.conf" in R80.10 to allow only secure ciphers. For example:

# more /opt/CPshrd-R80/conf/vpn_cipher_priority.conf
(
    :allowed (
        : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
    )
    :forbidden (
        : (TLS_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
        : (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
        : (TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA)
        : (TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
        : (TLS_DHE_DSS_WITH_AES_256_GCM_SHA384)
        : (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
        : (TLS_DHE_DSS_WITH_AES_256_CBC_SHA256)
        : (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_DHE_DSS_WITH_AES_256_CBC_SHA)
        : (TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
        : (TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
        : (TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384)
        : (TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384)
        : (TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDH_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
        : (TLS_RSA_WITH_AES_256_GCM_SHA384)
        : (TLS_RSA_WITH_AES_256_CBC_SHA256)
        : (TLS_RSA_WITH_CAMELLIA_256_CBC_SHA)
        : (TLS_PSK_WITH_AES_256_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        : (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
        : (TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA)
        : (TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
        : (TLS_DHE_DSS_WITH_AES_128_GCM_SHA256)
        : (TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_DHE_DSS_WITH_AES_128_CBC_SHA256)
        : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_DHE_DSS_WITH_AES_128_CBC_SHA)
        : (TLS_DHE_RSA_WITH_SEED_CBC_SHA)
        : (TLS_DHE_DSS_WITH_SEED_CBC_SHA)
        : (TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
        : (TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
        : (TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256)
        : (TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDH_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
        : (TLS_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_RSA_WITH_AES_128_CBC_SHA256)
        : (TLS_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_RSA_WITH_SEED_CBC_SHA)
        : (TLS_RSA_WITH_CAMELLIA_128_CBC_SHA)
        : (TLS_RSA_WITH_IDEA_CBC_SHA)
        : (TLS_PSK_WITH_AES_128_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_RC4_128_SHA)
        : (TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
        : (TLS_ECDH_RSA_WITH_RC4_128_SHA)
        : (TLS_ECDH_ECDSA_WITH_RC4_128_SHA)
        : (TLS_RSA_WITH_RC4_128_SHA)
        : (SSL_CK_RC4_128_WITH_MD5)
        : (TLS_PSK_WITH_RC4_128_SHA)
        : (TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA)
        : (TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
        : (TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA)
        : (SSL_CK_DES_192_EDE3_CBC_WITH_SHA)
        : (TLS_PSK_WITH_3DES_EDE_CBC_SHA)
        : (TLS_DHE_RSA_WITH_DES_CBC_SHA)
        : (TLS_DHE_DSS_WITH_DES_CBC_SHA)
        : (TLS_RSA_WITH_DES_CBC_SHA)
        : (TLS_RSA_WITH_RC4_128_MD5)
        : (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
    )
)

After configuring the priority list, the allowed cipher hasn't worked; the configuration is set to "default" because the one allowed cipher is not supported (shown in vpn debug).

Check Point Support said only ciphers in the following SK are supported: sk108426, but they are all SHA-1 or MD5 ciphers, which are definitely insecure.

But opening the Mobile Access Portal with the default list configured uses a strong AES_128_GCM cipher:

The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_GCM (a strong cipher).

Answer from Support:

"I understand your disappointment, however if the customer would like to use other ciphers other than TLS RSA, this would require opening an RFE through your local office. Unfortunately at this point I will proceed to close the case since we as support cannot further assist."

Could this really be true, Check Point only supports SHA-1 and MD5 ciphers for the Mobile Access Portal? And we need to generate an RFE for changing this?

Support said: <snip> however if the customer would like to use other ciphers other than TLS RSA</snip> but the configured allowed cipher is a TLS RSA cipher: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

But in the end, if only SHA-1 and MD5 ciphers are supported, why will the default configuration use a cipher which is not supported, because it is not listed in the SK article?

Can anyone help me figure out which strong ciphers are working with the Mobile Access Portal and how I can force it to use only these ciphers? Support seems not to be able to.

Thanks!
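As an added illustration (not code from the post above or from Check Point), the script below parses the ":allowed" / ":forbidden" structure of vpn_cipher_priority.conf in both the indented and the single-line form, then flags allowed suites that rely on RC4, MD5, DES/3DES, IDEA, SSLv2 names or HMAC-SHA1, and allowed suites that also appear in the forbidden list. The weakness markers are my own heuristic, not Check Point's supported-suite list from sk108426, and the sample configuration is constructed.

```python
"""Audit a Check Point vpn_cipher_priority.conf (':allowed' / ':forbidden' S-expression).
Added example, not vendor code; WEAK_MARKERS is a heuristic, not the vendor's supported list."""
import re

# Constructed sample in the same shape as the file quoted in the post (abridged).
SAMPLE_CONF = """
# more /opt/CPshrd-R80/conf/vpn_cipher_priority.conf   (shell prompt line, ignored)
(
    :allowed (
        : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    )
    :forbidden (
        : (TLS_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_RSA_WITH_RC4_128_MD5)
        : (SSL_CK_RC4_128_WITH_MD5)
        : (TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
        : (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    )
)
"""

# Substrings marking a suite as legacy: broken or deprecated primitives, or SSLv2 names.
WEAK_MARKERS = ("RC4", "MD5", "_DES_", "3DES", "IDEA", "NULL", "EXPORT", "SSL_CK_")


def _tokenize(text):
    """Split into '(', ')' and bare atoms; lines starting with '#' are dropped first."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    return re.findall(r"\(|\)|[^\s()]+", "\n".join(lines))


def _parse(tokens):
    """Build nested Python lists from the paren structure; raise on imbalance."""
    root = []
    stack = [root]
    for tok in tokens:
        if tok == "(":
            child = []
            stack[-1].append(child)
            stack.append(child)
        elif tok == ")":
            stack.pop()
            if not stack:
                raise ValueError("unbalanced ')'")
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return root


def parse_cipher_priority(text):
    """Return {'allowed': [...], 'forbidden': [...]} with suites in file order."""
    tree = _parse(_tokenize(text))
    body = tree[0] if len(tree) == 1 and isinstance(tree[0], list) else tree
    sections = {}
    for i, item in enumerate(body[:-1]):
        if item in (":allowed", ":forbidden") and isinstance(body[i + 1], list):
            # Each entry inside a section is the atom ':' followed by the list '(SUITE)'.
            sections[item[1:]] = [e[0] for e in body[i + 1] if isinstance(e, list) and e]
    return sections


def weak_suites(suites):
    """Suites using a legacy primitive, or CBC with HMAC-SHA1 (name ends in '_SHA')."""
    return [s for s in suites
            if any(m in s for m in WEAK_MARKERS) or s.endswith("_SHA")]


def audit(text):
    """Report weak allowed suites, suites listed on both sides, and strong suites forbidden."""
    sections = parse_cipher_priority(text)
    allowed = sections.get("allowed", [])
    forbidden = sections.get("forbidden", [])
    return {
        "allowed": allowed,
        "weak_allowed": weak_suites(allowed),
        "conflicts": [s for s in allowed if s in set(forbidden)],
        "strong_forbidden": [s for s in forbidden if not weak_suites([s])],
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_CONF).items():
        print(f"{key}: {val}")
```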
CPnoob
CPnoob inside Remote Access Solutions 3 weeks ago
views 827 2

End users can't access local network when VPN connected to us.

I have users using Capsule on Android smartphones and tablets; they can connect to the VPN gateway but they cannot use Remote Desktop to access the terminal server.

Windows users using Endpoint Connect have no problem connecting and using Remote Desktop to access the terminal server.

What to do? Where do I start looking?