So, I want clients to upgrade upon connection from one gateway, yet not others... Alas, this is a global property...
Is there a way to leave this remote access global property as Do not upgrade, yet initiate the upgrade on one specific gateway?
Not that I know of, but will look into it. Let me see if R81.20 has different options.
What triggers the upgrade ultimately for SNX is this file: $CVPNDIR/htdocs/SNX/CSHELL/snx_ver.txt
I presume if this file is modified on the other gateways to the lower version, then the upgrade won't be triggered.
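Added example, not part of the original thread and not Check Point tooling: a small POSIX shell check that reads a gateway's `snx_ver.txt` and reports whether a client build would be offered an upgrade. It assumes, as presumed in the reply above, that the file holds a single numeric build and that an upgrade is triggered only when the gateway's value is higher than the client's; the function names and the sample build `800000001` are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumption taken from the thread:
# a client is upgraded when snx_ver.txt on the gateway holds a higher build.

# read_snx_build FILE -> prints the numeric build; fails if the file is
# unreadable, empty, or contains anything other than digits.
read_snx_build() {
    [ -r "$1" ] || return 1
    build=$(tr -d ' \t\r\n' < "$1")
    case "$build" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$build"
}

# upgrade_decision FILE CLIENT_BUILD -> prints upgrade | no-upgrade | unknown
upgrade_decision() {
    gw=$(read_snx_build "$1") || { echo unknown; return 0; }
    case "$2" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$gw" -gt "$2" ]; then
        echo upgrade
    else
        echo no-upgrade
    fi
}

# Demo on constructed copies of the file, one per gateway.
demo() {
    dir=$(mktemp -d) || return 1
    printf '800008304\n' > "$dir/gw-a.txt"   # build quoted in this thread
    printf '800000001\n' > "$dir/gw-b.txt"   # constructed lower build
    printf '\n'          > "$dir/gw-c.txt"   # constructed empty file
    for f in "$dir"/gw-*.txt; do
        printf '%s: %s\n' "$(basename "$f" .txt)" "$(upgrade_decision "$f" "$1")"
    done
    rm -rf "$dir"
}

demo 800000001
```

On a real gateway the file to pass in is `$CVPNDIR/htdocs/SNX/CSHELL/snx_ver.txt`.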
@PhoneBoy Somewhat unrelated SNX extender question... any idea what would cause it to show "Java unavailable" when trying to connect via SSL extender? I tried R81.10, R81.20, 3 different machines, even added the fw IP to the excluded list in the Java panel, no luck. "Java unavailable" shows up when I enter creds to connect (shows up after about 30 seconds).
Also tried 4 different browsers, same problem.
I assume you have the appropriate JDK installed, correct?
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I do, BUT... I just realized that the sk does not have Windows 11 listed, maybe that's why it's failing... as I tested only on that version. Let me see if Windows 10 works.
Windows 11 isn't supported yet per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
No luck even on Windows 10. I even downloaded the latest JDK (version 19) and tried a manual msi install from the extender log on page, but when I try it from the c/program files(x86)/ssl extender folder, nothing really happens.
Is there a link or page that shows the most recent version of snx available? Not sk104379, but a web page on cp.com that shows it to confirm what's in cat $CVPNDIR/htdocs/SNX/CSHELL/snx_ver.txt
cat /opt/CPcvpn-R81.10/htdocs/SNX/CSHELL/snx_ver.txt
sk168353 shows the portal agent, not snx though
800008304
What's in that file will depend entirely on the version of the gateway in question since we don't generally distribute SNX separate of the gateway itself or a hotfix (JHF or otherwise).
For example, I see some SNX-specific fixes in the most recent JHF (Take 82) for R81.10.
See https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10/R81.10/R81.10-List-of-all-Resolved-Issues.htm.
Whether these are gateway specific fixes, client specific fixes, or both, I can't say off-hand.
In any case, I checked my R81.20 installation and see the same version that you specified (800008304).
Which suggests it's a fairly recent version (if not the most recent).
Hi @Daniel_Kavan,
80008304 is the latest version of SNX. It is available since R81.10 Jumbo take 55.
SNX itself doesn't require Java runtime. It is needed for deployment and control from Mobile Access Portal page. See sk113410 for more details. Pay attention to supported Java versions and editions.
If you see "Java unavailable" message, it means that Mobile Access Portal Agent can't detect installed Java. Check output of following command in CMD:
java -version
If you see the Java version, try to re-install "Check Point Mobile Access Portal Agent". If it doesn't help, better open a ticket with support.
Hey @AndreiR ,
It was actually me that had that issue. Question...I know before you could use ssl extender without needing to have mobile access enabled, is that still the case? I ask, because I get same problem regardless if MA is enabled or not.
Andy
SNX doesn't require MAB to be enabled to use...if they already have SNX installed.
However, the "legacy" SNX portal still uses the legacy deployment method that modern browsers don't support.
Hey @PhoneBoy ...what do you mean exactly by "if they already have SNX installed"?
SNX is typically deployed through a web portal and requires Java to do so.
There are two portals where this can be done:
- Mobile Access Blade (as of R80.40) has been updated to allow the Java-based Deployment Agent to deploy SNX on modern web browsers.
- The Legacy SNX Portal leverages the legacy NPAPI method, which isn't supported on any current web browser.
It is possible to deploy SNX "out of band" if you're not using Mobile Access Blade (i.e. by installing the relevant CAB file).
I simply ended up downgrading java version and bam, all worked like a charm :-)
Would you consider just logging into the Mobile access portal (sslvpn) and just using web applications to still be a VPN (sslvpn?) or would you say it's only considered a VPN once you connect with snx and native applications? Or are they both considered VPNs whether you just login to the portal and use a web application or connect with SNX? Or is one considered sslvpn and the other just a reverse proxy?
All VPNs provide Remote Access, but not all forms of Remote Access involve a VPN.
Accessing applications via the MAB portal without SNX is a form of Remote Access.
SNX creates a VPN that terminates over TLS/SSL.
Spoke with one of my colleagues and asked him about it and he said if anything, I may need to downgrade Java to get this to work, so will try that and update :-). With MA blade on, all works just fine.
Just to verify for myself, installed older java version and that worked fine, no MAB enabled.
I actually disabled/re-enabled MA blade and now works fine. Tx a lot!
Cheers,
Andy