I have a question re SSL VPN certificates - using 3rd party certificates.
My understanding is that if you use SNX you generate the CSR via the IPSec VPN page, get the valid cert, then "complete" the cert via the IPsec VPN page. This certificate has no bearing on Mobile Access.
If you enable Mobile Access, you generate the CSR via the command line, get the cert, then import it via the Platform Portal page. So this is a different cert to what SNX would use.
My customer currently uses SNX (not MAB) and has a certificate for that, with 200 clients connecting using the VPN client. That's working well. But now they're interested in Mobile Access which would require purchasing another certificate.
Will enabling MAB and installing a new certificate cause the existing VPN clients to moan?
Will the new MAB certificate override what the existing VPN clients see when connecting (and cause a certificate mismatch type error message to pop up for the users)?
Is there a way to use the same certificate for both the IPSec and Platform Portal tabs?
You can use the same certificate. Import your existing certificate to the MOB-configuration via SmartConsole.
If the SNs in the certificate match against the MOB-Portal DNS-name, everything should be fine.
And yes you're right, if you enable MOB you get the certificate from the MOB-Portal.
What did you mean by VPN clients? SNX is clientless SSL VPN; only the small ssl-extender agent is installed, not a real VPN client.
Wolfgang
Hello, Wolfgang
I installed a new SSL certificate for Mobile Access in the gateway properties: Mobile Access --> Portal Settings --> Certificate --> Replace.
As I understand it, this shouldn't have affected the setting for VPN clients. The certificate for VPN clients is specified in the gateway properties: VPN clients --> the gateway authenticates with this certificate.
But the Endpoint Security VPN client gets this error: The site's security certificate is not trusted
Therefore the gateway uses the Mobile Access certificate for VPN clients and doesn't use the certificate for VPN clients.
Could you please explain whether this is normal behavior or a bug?
Yes, this is normal behaviour.
The first connection from the endpoint client is an SSL handshake with the gateway. If the MOB blade is activated, this will be done with the MOB certificate.
Same behaviour is described here:
Mobile Access certificate fingerprint presented on Remote Access client
Wolfgang
Hello Jerry,
You're right with your answer.
But as I understand Matt, he is already using SNX (SSL extender), and for this an SSL certificate is in use.
And this same certificate can be imported into the MAB. You can use there the one created from the SmartCenter's CA or from a third party.
Wolfgang