NeilDavey
Collaborator

Check Point SSL Network Extender - Non Admin User

I have followed this post to install the Check Point SSL Network Extender for a non admin user:

Installation for Users without Administrator Privileges

The SSL Network Extender usually requires Administrator privileges to install the ActiveX component. To allow users that do not have Administrator privileges to use the SSL Network Extender, the Administrator can use his/her remote corporate installation tools (such as, Microsoft SMS) to publish the installation of the SSL Network Extender, as an MSI package, in configuring the SSL Network Extender.

To prepare the SSL Network Extender MSI package:

  1. Move the extender.cab file, located in $FWDIR/conf/extender, to a Windows machine and open the file using WinZip.

  2. Extract the cpextender.msi, and use as an MSI package, for remote installation.

On Windows, Mac and Linux, it is possible to install SSL Network Extender for users that are not administrators, if the user knows the admin password. In this case, perform a regular SSL Network Extender installation and supply the administrator password when asked.

However, when they log onto the VPN, they are being prompted for Admin Credentials again for this:

 
 
 
 

[Screenshot: 2020-06-13 08_31_29-Window.png]

Any ideas?

1 Solution

Accepted Solutions
NeilDavey
Collaborator

Hi All

Thought I would send on how I got this working if it's of interest to anyone.

We followed this article:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

We managed to use SCCM and created a rule to search for installed software and software code.  We found that any clients with the R80.30 version installed all had the same software code.

We downloaded the files from a GW running R80.40, installed these on a laptop, and SCCM gave us a different code.  This means we can tell the difference about which laptops are running the software from R80.30 or R80.40.  We have set up an SCCM policy to upgrade all clients to use the R80.40 install.

Fingers crossed that when I update my actual GW to R80.40 that all my clients connect to, they will already have the latest client so we won't need to provide admin credentials to my users.  This is the hope anyway.

Thanks for all your suggestions and help here.


13 Replies
PhoneBoy
Admin

Hi, whatever you copy/pasted the text of this post from added a bunch of DIV tags that made the post difficult to read--fixed that.
However, it also did NOT propagate what documentation you linked to--can you please update?
Also tagging @AndreiR as he might be able to help.

NeilDavey
Collaborator

Thanks for the edit on the post.

I followed this document:

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/C...

And the section titled "Installation for Users without Administrator Privileges".

I have recently updated some of my Firewalls to R80.40 and one of my final upgrades will be my main Firewall that serves my SSL MAB.

I have taken the extender.cab file from one of the R80.40 Firewalls and extracted the cpextender.msi file and installed onto my laptop using my administrator credentials.  However, when I connect to the VPN as my normal non administrator user, I am still being asked for Administrator Credentials.  I am looking to be able to upgrade the client so that when I do my final upgrade to R80.40, the clients will already be on the latest version.

Is this even possible with how I am doing this?

AndreiR
Employee

Hi @NeilDavey ,

Let's clarify your case first:

  1. Are you going to use Mobile Access blade or IPsec VPN?
  2. Which operating system(s) are you going to run?
  3. Which browsers are you going to use?
  4. Which applications/services are you going to run over SSL VPN?

 

NeilDavey
Collaborator

Thanks for the reply.

1 - Mobile Access Blade

2 - Windows 10

3 - IE

4 - We use the Native Applications (hope this was what you were thinking of)

G_W_Albrecht
Legend

I think that the screenshot shows Win 10 UAC dialogue for an app with a known/trusted publisher. This is Win 10, not CheckPoint:

User Account Control (UAC) is a mandatory access control enforcement facility introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012 and Windows 10. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation.

CCSE CCTE CCSM SMB Specialist
NeilDavey
Collaborator

I have copied the extender.cab file and extracted the cpextender.msi file.

I have logged onto my laptop (with UAC running as we use this in the company) and have installed the cpextender.msi. Under Add/Remove Programs, Check Point SSL Network Extender is installed.

I log back onto my laptop with my normal non-admin account and load my SSL VPN website and this is when that box loads.

Surely if I have installed the cpextender.msi with my admin account, why am I being asked for it again when it's already installed?

If we were to do this process with SCCM which is what we will be doing in the long term, would this then not prompt for a 2nd install?

NeilDavey
Collaborator

[Screenshot: Capture.PNG]

I have just done a test on an off network laptop and I have disabled UAC.  I am logged on as an admin account and installed the cpextender.msi file.  I then load my VPN website and I am being presented with this.  I can obviously fix this here as this is an admin account on a test laptop but how do you fix this with a laptop running UAC and the user is not an admin?

I have followed Check Point's post but it doesn't say anything about this bit or how to get around it.

G_W_Albrecht
Legend

In the document you have linked there is a part with Importing a Client Certificate with the Microsoft Certificate Import Wizard to Internet Explorer😎

CCSE CCTE CCSM SMB Specialist
0 Kudos
NeilDavey
Collaborator

Ok thanks.  Seen that now, what/where is this certificate and how do I get it?

I tried to click the publisher on the install message and installed this certificate but that doesn't help.  I have tried to get a certificate from http://< mngmt IP>:18264 and installed this but no luck.  I also went to http://< external IP of FW> and installed this but no luck.

Each time I always get this "Do you want to install this software?" pop up box.

G_W_Albrecht
Legend

Strange - the "Always install" option does not work?

Usually there are two steps:

Trusted Sites Configuration

  1. In Internet Explorer, select Tools > Internet Options > Security.

  2. Select Trusted sites.

  3. Click Sites.

  4. Enter the URL of the SSL Network Extender Portal and click Add.

To download the Client:

  1. Using Internet Explorer, browse to the SSL Network Extender portal of the Security Gateway at https://<GW name or IP>. The following Security Alert message may be displayed:

    The site's security certificate has been issued by an authority that you have not designated as a trusted CA. Before you connect to this server, you must trust the CA that signed the server certificate. (The system administrator can define which CAs may be trusted by the user.) You can view in the certificate in order to decide if you wish to proceed.

    Note - The administrator can direct the user to the URL, http://< mngmt IP>:18264, to install this CA certificate, thereby establishing trust, and avoiding future displays of this message.

CCSE CCTE CCSM SMB Specialist

Michal_Gans
Contributor

The strange thing is that in the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\e673875ba91d732498f5993a11796796 registry key, there is the "Version" record, but it looks like the value is the same for all versions.

0 Kudos
NeilDavey
Collaborator

We use SCCM to run a query and it looks at Installed Software.Software Code is equal to "THE LONG NUMBER IN HERE".

I know this number is the same when I have R80.40 MAB installed so I can then tell which laptops have the latest client installed.

I did an upgrade at the weekend from R80.30 to R80.40 and the machines that I had pushed the MAB client out to over the previous weeks, connected with no admin prompts needed.

0 Kudos
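
A way to inspect on a single laptop what the SCCM query and the registry key discussed in this thread refer to, added here as an example (not posted by any participant, and not Check Point or Microsoft code): it lists Windows Installer registrations whose ProductName contains "SSL Network Extender", unpacks the registry key name into the ProductCode GUID, and decodes the packed "Version" value. It assumes a per-machine MSI install and that SCCM's "Software Code" corresponds to the MSI ProductCode; the function names are hypothetical.

```powershell
# Added example: inventory Windows Installer registrations for the extender.
# Assumption: the MSI registers per-machine and its ProductName contains
# "SSL Network Extender" (the name shown under Add/Remove Programs).

function Convert-PackedGuid {
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{32}$')][string]$Packed)
    # Windows Installer names the Products subkey after the ProductCode with the
    # first three GUID groups reversed character by character and each of the
    # remaining eight bytes written with its two hex digits swapped.
    $rev = { param($s) $c = $s.ToCharArray(); [array]::Reverse($c); -join $c }
    $p1   = & $rev $Packed.Substring(0, 8)
    $p2   = & $rev $Packed.Substring(8, 4)
    $p3   = & $rev $Packed.Substring(12, 4)
    $tail = -join (0..7 | ForEach-Object { & $rev $Packed.Substring(16 + 2 * $_, 2) })
    ('{{{0}-{1}-{2}-{3}-{4}}}' -f $p1, $p2, $p3,
        $tail.Substring(0, 4), $tail.Substring(4)).ToUpper()
}

function Convert-MsiVersion {
    param([Parameter(Mandatory)][int]$Packed)
    # The "Version" DWORD packs ProductVersion as major (8 bits),
    # minor (8 bits) and build (16 bits).
    '{0}.{1}.{2}' -f (($Packed -shr 24) -band 0xFF),
                     (($Packed -shr 16) -band 0xFF),
                     ($Packed -band 0xFFFF)
}

$root = 'HKLM:\SOFTWARE\Classes\Installer\Products'
Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.ProductName -like '*SSL Network Extender*') {
        [pscustomobject]@{
            ProductName = $p.ProductName
            PackedCode  = $_.PSChildName                      # registry key name
            ProductCode = Convert-PackedGuid $_.PSChildName   # standard GUID form
            Version     = if ($null -ne $p.Version) { Convert-MsiVersion $p.Version }
        }
    }
}
```

Running it on a laptop before and after the upgraded MSI is deployed shows whether the ProductCode, the Version value, or both changed between the two client packages.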
