R81.20, JHF 84

SNX version 7.01.0000

Mobile Access Portal Agent 800.007.049

The SNX version should be a build like 800008302, which you can get with snx -h on the CLI.
The latest appears to be 80008409, which should be applied with the latest R81.20 JHF.

Assuming you're on the most recent release, you're saying it is signed with an old certificate?
Can you send me the relevant SR in a PM?

the SNX I put above was the 'SLL Network Extender Service' version that gets installed alongside the Mobile Access Portal Agent (actual snx).

SNX build using 'snx -h' is showing 997000069.

https://sc1.checkpoint.com/documents/SSL_Network_Extender_AdminGuide/Content/Topics-SNX-Admin-Guide/... 

this article confirms the latest version for my release is 80008409, and when I do "cat $CVPNDIR/htdocs/SNX/CSHELL/snx_ver.txt" it shows 800008409.

You can also see the old cert signature in the pictures I attached in my original post.

if the windows agent version # is supposed to match, then maybe when my clients are dowloading SNX they are getting an older version.

DM'ing you the SR as well

*edit*
according to https://support.checkpoint.com/results/sk/sk168353 the windows agent version is the latest.

Hi @NorthernNetGuy 

Could you please check SNX version that is installed on Windows?

It can be found in "c:\Program Files (x86)\CheckPoint\SSL Network Extender\ver.ini" file.

800008409

Can anyone confirm what certificate and root CA are signing the SSL extender for them? the security catalog and signer can be found at: C:\Program Files (x86)\CheckPoint\SSL Network Extender\netvna.cat 

Click 'View Signature", then click 'View Certificate"

Here are from my PC:

Do you have Secure Boot with  driver signature enforcement enabled? Windows should reject SNX if you do based on that.

You can check if Secure boot is enabled in MSINFO under "Secure Boot State"
if off, then driver signature enforcement will also be off.

If Secure Boot State is On, then in an elevated command prompt, run 'bcdedit' and look for "nointegritychecks", if it shows "yes", then driver signature enforcement is off

Secure Boot is definitely "on".

As for the "nointegritychecks". By default, I don't see its value. When I tried to alter it, I got "The value is protected by Secure Boot policy and cannot be modified or deleted." So, I disabled Secure Boot, explicitly set "nointegritychecks" to "off" and enabled Secure Boot back.

No issues with certificate.

The value won't show if off for nointetegritychecks, it is off by default for security. can you also confirm if you are on windows 10 22h2?

It should be normal for windows to reject a driver signature that comes from an expired CA I think, I don't know why my different windows test clients would be a rare exception in rejecting this instead of allowing it.

I check on Win10 22H2 19045.4849

I noticed one interesting thing. The root certificate (Microsoft Root Certificate Authority) has validity period from 10 May 2001 till 10 May 2021.

While on your screenshot it is 9 May 2001 - 9 May 2021. 

In my case certificate serial number is 79ad16a14aa0a5ad4c7358f407132e65. Please check with your one.