Amber
Explorer

Capsule Connect VPN Issue (The site's certificate has expired)

Hi all,

I'm encountering a problem. I have a 5000 series gateway (R81.10) managed by SMS (R81.20). Last Friday, I renewed the VPN certificate for the 5000 series gateway. After renewing the certificate, both the IPsec VPN and the desktop Remote Access VPN client are working well.

However, VPN connections from mobile devices using Capsule Connect are not working. When attempting to connect via Capsule Connect, the client displays a message indicating that the site's certificate has expired.

Please suggest. Many thanks.

0 Kudos
7 Replies
the_rock
Legend

Hey Amber,

Can you have them try deleting/re-creating the site and test? Just have one or two random users do that.

Andy

0 Kudos
Lesley
Authority

You sure the clients trust the new certificate? 

https://support.checkpoint.com/results/sk/sk167255

Just to make sure, have you done a policy push after the cert renewal?

-------
If you like this post please give a thumbs up(kudo)! 🙂
(1)
the_rock
Legend

Good points @Lesley 

0 Kudos
Amber
Explorer

Hi Lesley,

When using Capsule Connect to establish a VPN connection, the self-signed certificate does not appear to be trusted. According to sk167255, the recommended solution is to add a third-party trusted certificate to the Mobile Access Blade.
May I kindly ask if it is possible to use the gateway’s self-signed certificate for Mobile Access instead?

Many thanks.

0 Kudos
Lesley
Authority

Hi

A user is still able to not trust a third-party (not self-signed) certificate. If you import the certificate without the intermediate CA, and only the certificate, systems can complain about it: invalid certificate. Normally you import all intermediate CAs including the certificate, and not the root CA. You can also include the root CA, but that should not be needed, as it is expected that all clients know the root CA.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
PhoneBoy
Admin

You can use the Internal CA for this, but for the error message to go away, the end user will have to manually configure the CA as trusted on their device.

0 Kudos
the_rock
Legend

I guess similar to ssl inspection...maybe not best comparison though.

0 Kudos
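
The two trust conditions raised in the replies above (the gateway must present its intermediate CA, and the issuing CA must be a trust anchor on the device), shown as an added example that is not part of the original thread. It uses plain OpenSSL on a constructed demo PKI; every subject and file name is made up, and it illustrates generic X.509 path validation rather than Capsule Connect's own logic.

```shell
#!/bin/sh
# Added example with a constructed demo PKI: root CA -> intermediate CA -> gateway leaf.
# All subjects and file names are made up; this is plain OpenSSL, not Check Point tooling.
set -e

# issue_cert DIR NAME SUBJECT ISSUER IS_CA   (ISSUER "self" = self-signed)
issue_cert() {
    dir=$1; name=$2; subj=$3; issuer=$4
    [ "$5" = yes ] && ca=TRUE || ca=FALSE
    printf 'basicConstraints=critical,CA:%s\n' "$ca" > "$dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -days 30 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
            -CAkey "$dir/$issuer.key" -CAcreateserial -days 30 \
            -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
    fi
}

build_demo_pki() {
    issue_cert "$1" root  "/CN=Demo Root CA"         self yes
    issue_cert "$1" int   "/CN=Demo Intermediate CA" root yes
    issue_cert "$1" leaf  "/CN=vpn.example.test"     int  no
    # An unrelated root stands in for a device trust store that lacks our CA
    issue_cert "$1" other "/CN=Unrelated Root CA"    self yes
}

# chain_validates TRUST_ANCHOR LEAF [INTERMEDIATES_SENT_BY_SERVER]
# Exit status 0 only if LEAF chains to TRUST_ANCHOR and is within its validity dates.
chain_validates() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

report() { if chain_validates "$@"; then echo trusted; else echo "NOT trusted"; fi; }

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
echo "leaf only, root on device:        $(report "$demo_dir/root.pem" "$demo_dir/leaf.pem")"
echo "leaf + intermediate, root on device: $(report "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem")"
echo "leaf + intermediate, CA not on device: $(report "$demo_dir/other.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem")"
rm -rf "$demo_dir"
```

Only the middle case validates: the leaf alone cannot be linked to the root, and a complete chain still fails when the device does not hold the issuing root as a trust anchor.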
