Soenke_Weiss1
Participant

Endpoint Client: Client Hello with SNI?

Hello Community,

One of my customers is using a third-party cloud proxy provider where they define exceptions based on the SNI, not the IP address.

They've created the VPN site with the URL rather than the IP address. They've now noticed that the Check Point Endpoint client does not always send the SNI but sometimes uses the IP only in the Client Hello.

This results in the proxy client on the endpoint sending these packages to the cloud proxy rather than directly to the Check Point gateway and subsequently traffic being inspected or not forwarded to the gateway.

I haven't found a setting in trac_client_1.ttm to always include the SNI in the Client Hello. Has anybody else come across the issue and solved it with any other method but defining the exceptions based on IP?

Is this even considered and/or supported from Check Point's side?

Thanks,
Soenke

TCPdump_Screenshot.png

0 Kudos
1 Reply
_Val_
Admin

I don't think there is such a setting anywhere in the client configuration. However, I would advise you to raise a TAC ticket and get an official answer to the matter. 

0 Kudos
