- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
I have followed this post to install the Check Point SSL Network Extender for a non admin user:
Installation for Users without Administrator Privileges
The SSL Network Extender usually requires Administrator privileges to install the ActiveX component. To allow users that do not have Administrator privileges to use the SSL Network Extender, the Administrator can use his/her remote corporate installation tools (such as, Microsoft SMS) to publish the installation of the SSL Network Extender, as an MSI package, in configuring the SSL Network Extender.
To prepare the SSL Network Extender MSI package:
Move the extender.cab file, located in $FWDIR/conf/extender, to a Windows machine and open the file using WinZip.
Extract the cpextender.msi, and use as an MSI package, for remote installation.
On Windows , Mac and Linux, it is possible to install SSL Network Extender for users that are not administrators, if the user knows the admin password. In this case, perform a regular SSL Network Extender installation and supply the administrator password when asked.
However, when they log onto the VPN, they are being prompted for Admin Credentials again for this:
Any ideas?
Hi All
Thought I would send on how I got this working if its of interest to anyone.
We followed this article:
We managed to use SCCM and created a rule to search for installed software and software code. We found that any clients with the R80.30 version installed all had the same software code.
We downloaded the files from a GW running R80.40 installed these on a laptop and SCCM gave us a different code. This means we can tell the difference about which laptops are running the software from R80.30 or R80.40. We have setup a SCCM policy to upgrade all clients to use the R80.40 install.
Fingers crossed that when I update my actual GW to R80.40 that all my clients connect to, they will already have the latest client so we wont need to provide admin credentials to my users. This is the hope anyway.
Thanks for all your suggestions and help here.
Hi, whatever you copy/pasted the text of this post from added a bunch of DIV tags that made the post difficult to read--fixed that.
However, it also did NOT propagate what documentation you linked to--can you please update?
Also tagging @AndreiR as he might be able to help.
Thanks for the edit on the post.
I followed this document:
And the section titled "Installation for Users without Administrator Privileges".
I have recently updated some of my Firewalls to R80.40 and one of my final upgrades will be my main Firewall that serves my SSL MAB.
I have taken the extender.cab file from one of the R80.40 Firewalls and extracted the cpextender.msi file and installed onto my laptop using my administrator credentials. However, when I connect to the VPN as my normal non administrator user, I am still being asked for Administrator Credentials. I am looking to be able to upgrade the client so that when I do my final upgrade to R80.40, the clients will already be on the latest version.
Is this even possible with how I am doing this?
Hi @NeilDavey ,
Let's clarify your case first:
Thanks for the reply.
1 - Mobile Access Blade
2 - Windows 10
3 - IE
4 - We use the Native Applications (hope this was what you were thinking off)
I think that the screenshot shows Win 10 UAC dialogue for an app with a known/trusted publisher. This is Win 10, not CheckPoint:
User Account Control (UAC) is a mandatory access control enforcement facility introduced with Microsoft 's Windows Vista and Windows Server 2008 operating systems , with a more relaxed version also present in Windows 7 , Windows Server 2008 R2 , Windows 8 , Windows Server 2012 and Windows 10 . It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation.
I have copied the extender.cab file and extracted the cpextender.msi file.
I have logged onto my laptop (with UAC running as we use this in the company) and have installed the cpextender.msi. Under Add/Remove Programs, Check Point SSL Network Extender is installed.
I log back onto my laptop with my normal non-admin account and load my SSL VPN website and this is when that box loads.
Surely if I have installed the cpextender.msi with my admin account, why am I being asked for it again when its already installed?
If we were to do this process with SCCM which is what we will be doing in the long term, would this then not prompt for a 2nd install?
I have just done a test on an off network laptop and I have disabled UAC. I am logged on as an admin account and installed the cpextender.msi file. I then load my VPN website and I am being presented with this. I can obviously fix this here as this is an admin account on a test laptop but how do you fix this with a laptop running UAC and the user is not an admin?
I have followed Check Point's post but it doesn't say anything about this bit or how to get around it.
In the document you have linked there is a part with Importing a Client Certificate with the Microsoft Certificate Import Wizard to Internet Explorer8)
Ok thanks. Seen that now, what/where is this certificate and how do I get it?
I tried to click the publisher on the install message and installed this certificate but that doesn't help. I have tried to get a certificate from http://< mngmt IP>:18264 and installed this but no luck. I also went to http://< external IP of FW> and installed this but no luck.
Each time I always get this "Do you want to install this software?" pop up box.
Strange - the "Always install" option does not work ?
Usually there are two steps:
In Internet Explorer, select Tools > Internet Options > Security.
Select Trusted sites.
Click Sites.
Enter the URL of the SSL Network Extender Portal and click Add.
To download the Client:
Using Internet Explorer, browse to the SSL Network Extender portal of the Security Gateway at https://<GW name or IP>. The following Security Alert message may be displayed
The site's security certificate has been issued by an authority that you have not designated as a trusted CA. Before you connect to this server, you must trust the CA that signed the server certificate. (The system administrator can define which CAs may be trusted by the user.) You can view in the certificate in order to decide if you wish to proceed.
Note- The administrator can direct the user to the URL, http://< mngmt IP>:18264
, to install this CA certificate, thereby establishing trust, and avoiding future displays of this message.
Hi All
Thought I would send on how I got this working if its of interest to anyone.
We followed this article:
We managed to use SCCM and created a rule to search for installed software and software code. We found that any clients with the R80.30 version installed all had the same software code.
We downloaded the files from a GW running R80.40 installed these on a laptop and SCCM gave us a different code. This means we can tell the difference about which laptops are running the software from R80.30 or R80.40. We have setup a SCCM policy to upgrade all clients to use the R80.40 install.
Fingers crossed that when I update my actual GW to R80.40 that all my clients connect to, they will already have the latest client so we wont need to provide admin credentials to my users. This is the hope anyway.
Thanks for all your suggestions and help here.
The strange think is, that in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\e673875ba91d732498f5993a11796796 register, there is the "Version" record but it looks that value is the same for all versions.
We use SCCM to run a query and it looks at Installed Software.Software Code is equal to "THE LONG NUMBER IN HERE".
I know this number is the same when I have R80.40 MAB installed so I can then tell which laptops have the latest client installed.
I did an upgrade at the weekend from R80.30 to R80.40 and the machines that I had pushed the MAB client out to over the previous weeks, connected with no admin prompts needed.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
5 | |
3 | |
2 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 |
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 02:00 PM (EDT)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - AMERAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY