This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dale_Lobb
Advisor
‎2019-09-27 07:43 AM

Mobile Access SSL Extender issue on firewall with VPN established to same site

We have several hundred Mobile Access SSL Extender clients in use by employees, vendors and partners.  We also have about 150 VPNs defined to small rural hospitals (we are a larger Midwest hospital).

We have a disconcerting number of SSL Extender clients that seem to regularly visit these rural hospitals where they NAT all traffic leaving their facility to one address, even public internet access.  The problem occurs when the client needs to talk to the CheckPoint firewall directly and the CheckPoint denies the traffic as communication in the clear. 

Has anyone else seen this issue?  What do you do to circumvent the limitation? We cannot exclude https traffic from the VPN as many of these sites include https traffic already between internal devices on the two respective networks.

We are contemplating moving Mobile Access to another firewall, but that's going to be expensive in terms of time and acquisition costs.

 

0 Kudos
2 Replies
FedericoMeiners
Advisor
‎2019-09-27 11:48 PM

Dale,

We had a similar issue in one of our customers and end up allowing access to some of the involved services published on the SSL Extender via the S2S VPN, I know that this may be a security issue in your case so maybe it's not a viable solution.

Have you tried to set up the SSL Extender protal in another IP different that the one that you are using to terminate S2S VPNs?

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2019-09-28 05:35 AM
In response to FedericoMeiners

Hi

Scenario 3 in sk108600 might be worth reviewing.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events