DreyCon
Explorer

SNX on M1 Mac with Monterey not compatible

Hi everyone,

I am working for a customer who utilizes Check Point VPN with SSL Network Extender for externals. Sadly this currently doesn't work with M1 powered Monterey systems, does it?

Is there a workaround that could help me here?

The main issue seems to be that the snx installer tries to copy the snx executable into /usr/bin. That directory is protected (at least under Monterey), so that there is no chance to copy the binary into that folder.

I tried a lot and spent hours investigating without any success. Maybe I have overlooked something?

Could someone please help me here? Otherwise I cannot work together with my customer...

Regards,

DreyCon

0 Kudos
14 Replies
PhoneBoy
Admin

SNX isn't currently supported on Monterey, but is planned for the future.

DanCreed
Explorer

Any idea what the ETA is on getting this supported on Monterey?

0 Kudos
Chris_Atkinson
Employee

Towards the end of the year, though it is subject to change.

If it's important for you please discuss it with your Check Point SE.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend

Try to use the E86.20 Standalone Clients for macOS: Enterprise Endpoint Security E86.20 macOS Clients

CCSE CCTE CCSM SMB Specialist
DreyCon
Explorer

Hi @G_W_Albrecht ,

you gave me a little hope. So I did install E86.20. It brought me one step further:

With this version I now can create a new site - but only with the concrete IP, not with the URL. But that's another issue.

The VPN client then asks me for UN and PW, and is correctly preconfigured for RSA token usage. After a bit of server-client communication the client states me: UN or PW wrong.

Within the logging I then found this:

[ 25519 0x206079600][8 Mar 12:50:52][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetRealmConfiguration: entering...
[ 25519 0x206079600][8 Mar 12:50:52][CONFIG_MANAGER] login_options_list return value is object type, because it is Gateway config variable. Scope: site SOME_IP_THATS_TO_BE_CONNECTED_TO ,gw NULL ,user USER
[ 25519 0x206079600][8 Mar 12:50:52][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetRealmConfiguration: loginOptionVec size is 1
[ 25519 0x206079600][8 Mar 12:50:52][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetRealmConfiguration: curConfigRealm.realmID = vpn_Username_Password_Token
[ 25519 0x206079600][8 Mar 12:50:52][RealmConfiguration] [COVERAGE] [RealmConfiguration::getAuthenticationMethodType(s)] __start__
[ 25519 0x206079600][8 Mar 12:50:52][RealmConfiguration] [INFO] [RealmConfiguration::getAuthenticationMethodType(s)] AuthType of index 0 is 1
[ 25519 0x206079600][8 Mar 12:50:52][RealmConfiguration] [COVERAGE] [RealmConfiguration::getAuthenticationMethodType(s)] __end__ Total:0 milliseconds.
[ 25519 0x206079600][8 Mar 12:50:52][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::ToCertTrAuthType: certificate authentication type is not set (certificateType 0), return defualt authentication not-defined
[ 25519 0x206079600][8 Mar 12:50:52][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::ToSecIdTrAuthType: secure id authentication type is not set (SecureIdTypes = 0), return defualt authentication not-defined
[ 25519 0x206079600][8 Mar 12:50:52][CONFIG_MANAGER] authentication_method return value username-password, because it is User config variable. Scope: site SOME_IP_THATS_TO_BE_CONNECTED_TO ,gw NULL ,user USER
[ 25519 0x206079600][8 Mar 12:50:52][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetRealmConfiguration: setting realmId=vpn_Username_Password_Token
[ 25519 0x206079600][8 Mar 12:50:52][TR_API_TRANSLATE] TR_API_TRANSLATE::TrAPI_Translate::ToSet: converting TrRealmInfo struct to set
[ 25519 0x206079600][8 Mar 12:50:52][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetRealmConfiguration: realm return set is:

 

(APIMsg
:conn_name (SOME_IP_THATS_TO_BE_CONNECTED_TO)
:MsgId (1016)
:SyncOpaque (309cf6ce8)
:ClientId (11)
:realm_auth_info_vec (
: (
:id (vpn_Username_Password_Token)
:display_name ("Username Password and RSA Token")
:needed_auth_type_mask (0)
:securid_card_type (not-defined)
:certificate_storage_type (not-defined)
:user_defined_auth_type (username-password)
:is_saa (false)
:is_bc (false)
:show_realm (true)
)
)
)

[ 25519 0x206079600][8 Mar 12:50:52][TrComInf] TrComInf::TrComInfSendAsynchronic: __start__ 12:50:52
[ 25519 0x206079600][8 Mar 12:50:52][TrComInf] TrComInf::TrComInf::TrComInfSendAsynchronic: Acquiring mutex
[ 25519 0x206079600][8 Mar 12:50:52][messaging] messaging::send_all: Sending Message {{ 2 }} , len 461
[ 25519 0x206079600][8 Mar 12:50:52][tcpserver] TcpMultiPipe::pipe_if_send: Message (469 bytes) written successfully to socket 0xb
[ 25519 0x206079600][8 Mar 12:50:52][TrComInf] TrComInf::TrComInf::TrComInfSendAsynchronic: Released mutex
[ 25519 0x206079600][8 Mar 12:50:52][TrComInf] TrComInf::TrComInfSendAsynchronic: __end__ 12:50:52 Total time - 0 seconds
[ 25519 0x206079600][8 Mar 12:50:58][TalkCCC] talkccc::idle_timeout_cb: closing CCC
[ 25519 0x206079600][8 Mar 12:50:58][TalkCCC] talkccc::Close: Disconnecting ssl tunnel and removing all requests
[ 25519 0x206079600][8 Mar 12:50:58][TalkCCC] talkccc::disconnect: CCC is already disconnected
 
Do you have any idea, what I am doing wrong?
0 Kudos
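As an added example (not part of the original post and not Check Point code), the script below parses trace lines in the format shown in the post above and pulls out the selected realm, the resolved authentication method, and the number of seconds between the last outbound message and the idle-timeout close of the CCC connection. The field patterns are assumptions taken from the lines in the excerpt, not a documented log schema.

```python
import re
from datetime import datetime

# Abridged copy of trace lines from the post above (site address is the poster's placeholder).
SAMPLE = """\
[ 25519 0x206079600][8 Mar 12:50:52][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetRealmConfiguration: curConfigRealm.realmID = vpn_Username_Password_Token
[ 25519 0x206079600][8 Mar 12:50:52][CONFIG_MANAGER] authentication_method return value username-password, because it is User config variable. Scope: site SOME_IP_THATS_TO_BE_CONNECTED_TO ,gw NULL ,user USER
[ 25519 0x206079600][8 Mar 12:50:52][messaging] messaging::send_all: Sending Message {{ 2 }} , len 461
[ 25519 0x206079600][8 Mar 12:50:58][TalkCCC] talkccc::idle_timeout_cb: closing CCC
"""

# Assumed line layout: [ pid tid][day Mon HH:MM:SS][component] message
LINE = re.compile(
    r"^\[\s*(\d+)\s+(0x[0-9a-fA-F]+)\]\[(\d+ \w{3} \d\d:\d\d:\d\d)\]\[([^\]]+)\]\s*(.*)$"
)
REALM = re.compile(r"realmID = (\S+)")
AUTH = re.compile(r"authentication_method return value ([\w-]+)")

def parse(text):
    """Yield (timestamp, component, message) for each well-formed trace line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip continuation lines such as the (APIMsg ...) dump
        # The trace carries no year; a fixed leap year is used only for time differences.
        ts = datetime.strptime("2000 " + m.group(3), "%Y %d %b %H:%M:%S")
        yield ts, m.group(4), m.group(5)

def summarize(text):
    """Collect the login-related fields and the send-to-idle-close gap in seconds."""
    out = {"realm": None, "auth_method": None, "last_send": None,
           "idle_close": None, "gap_seconds": None}
    for ts, _component, msg in parse(text):
        if (m := REALM.search(msg)):
            out["realm"] = m.group(1)
        if (m := AUTH.search(msg)):
            out["auth_method"] = m.group(1)
        if "messaging::send_all" in msg:
            out["last_send"] = ts          # keep the most recent outbound message
        if "idle_timeout_cb" in msg and out["idle_close"] is None:
            out["idle_close"] = ts         # first idle-timeout close of the CCC connection
    if out["last_send"] and out["idle_close"]:
        out["gap_seconds"] = int((out["idle_close"] - out["last_send"]).total_seconds())
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```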
G_W_Albrecht
Legend

I am not having a good idea what you are doing as I have never configured RSA - can you try a test with UN/PW only?

CCSE CCTE CCSM SMB Specialist
0 Kudos
DreyCon
Explorer

Sadly, no, I can't, as I work as an external freelancer for that company.

Before switching to my M1 Mac with macOS I used Windows. There I always had to log in first into a web UI. Therefore I entered my credentials (UN:PW) and received a one-time token (a couple of numbers) via email, which I then had to copy into the newly opened webpage. Afterwards I only needed to click on some kind of connect button within the web UI, which triggers a process of a locally installed software from Check Point to set up a VPN connection that is called SSL network extension or somewhat...

The RSA token was named wrong by me. It is RSA_Security and is the authentication mechanism before first logging in to the webpage (see screenshot attached). Sorry for this confusion...

Now, with the E86.20 installed on my Mac, I at least can observe the VPN software trying to connect to the company network. But after some time the client GUI tells me, my UN:PW combination is wrong (which isn't, what I double checked multiple times).

0 Kudos
G_W_Albrecht
Legend

I know how to use SNX - but this is Endpoint VPN, and maybe the admin did not configure your account for access thru that. Did you update with the customer about the change?

CCSE CCTE CCSM SMB Specialist
0 Kudos
DreyCon
Explorer

Actually I did, and their support hadn't any idea what to do. So I tried a lot of stuff on my own. Maybe I am on a totally wrong track with that snx... I figured that one out when I was debugging an install script that was accessible when logged in to the web portal.

What can I tell the IT support guys on my customer side to maybe fix this issue?

0 Kudos
Howard_Gyton
Advisor

Has there been any update on this?  I see that OS 11, and 12 are both not supported according to the following SK:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As an interim measure, we are falling back to using an old version of SNX that is command line enabled.  This version doesn't need a browser, and does not require Java to run.

From memory its build number is something like "8000100003".

It's odd to me that the latest versions all have the ability to be run from the command line, and you get the same syntax but it won't connect.  The version above will, and works for all versions of Mac as far as I can see.

Is there a reason why more modern SNX executables won't connect from the command line?

When you try the latest version, the connection is rejected with the message:

Dropped by multiportal infrastructure

 

0 Kudos
G_W_Albrecht
Legend

That is true - using Legacy SNX is not possible on OS X anymore if you want a Web Browser, only the old Linux CLI version can be used as you did already find out.

There are RA clients for OS X 11 and 12 available from CP...

CCSE CCTE CCSM SMB Specialist
Howard_Gyton
Advisor

We investigated that, but we have some technical reasons why we do not want to allow BYOD devices to have a non-SSL VPN connection.  Currently we don't have an easy way of differentiating between a corporate owned device connecting via Endpoint VPN, and a BYOD device.  It would allow un-managed machines to directly access our storage, and the SSL VPN does a great job of obfuscating that.

I should have added that we have had two instances where SNX has worked correctly on Monterey machines, but both of those instances were where they had been running something like 10.15, and had been upgraded to 12.x.

Potentially one way would be to come up with some Endpoint Compliance rules, where we would detect whether the computer was a corporate owned one.  Things like whether it was bound to our domain, and a few other things.  If the machine is not considered Compliant then it would get a Restricted rulebase, one which would still allow access to things they should have, like the mail server, Intranet etc. but would not allow CIFS/SMB/NFS access to any of our file servers.

0 Kudos
PhoneBoy
Admin

Last I heard, we are still planning to address this issue with SNX.
I don't know the precise timeframe for doing so, however.
Meanwhile, Compliance rules are probably the way to go here.

Howard_Gyton
Advisor

Thanks for the update.  For now we continue with the CLI-enabled version, coupled with the following script:

 

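#!/bin/bash
# Toggle the SNX tunnel: connect if snx is not running, otherwise disconnect.
GATEWAY="<gateway>"   # replace with the gateway address
if ! pgrep -x snx >/dev/null
then
    # No snx process found: prompt for the username and connect.
    read -r -p "Username: " user
    snx -s "$GATEWAY" -u "$user"
else
    # snx is already running: disconnect.
    snx -d
fi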

 

Save this out as a .command file, then run "chmod u+x" on it, and it can be run from the desktop to alternately connect or disconnect.

0 Kudos
