This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
biskit
Advisor
Advisor
‎2019-03-29 03:40 AM

SSL VPN Certificates

I have a question re SSL VPN certificates - using 3rd party certificates.

My understanding is that if you use SNX you generate the CSR via the IPSec VPN page, get the valid cert, then "complete" the cert via the IPsec VPN page.  This certificate has no bearing on Mobile Access.

If you enable Mobile Access, you generate the CSR via the command line, get the cert, then import it via the Platform Portal page.  So this is a different cert to what SNX would use.

My customer currently uses SNX (not MAB) and has a certificate for that, with 200 clients connecting using the VPN client.  That's working well.  But now they're interested in Mobile Access which would require purchasing another certificate.  

Will enabling MAB and installing a new certificate cause the existing VPN clients to moan?

Will the new MAB certificate override what the existing VPN clients see when connecting (and cause a certificate mis-match type error message to pop up for the users)?

Is there a way to use the same certificate for both the IPSec and Platform Portal tabs?

 

 

8 Replies
Wolfgang
MVP Gold
MVP Gold
‎2019-03-29 03:57 AM

You can use the same certificate. Import your existing certificate to the MOB-configuration via SmartConsole.

If the SNs in the certificate will match again the MOB-Portal DNS-name everything should fine.

And yes you're right, if you enable MOB you get the certificate from the MOB-Portal.

What did you mean with VPN-clients ? SNX is clientless SSL VPN, only the small ssl-extender agent is installed, not a real VPN client.

Wolfgang

Maxim_Medvedev
Contributor
‎2020-06-04 02:51 AM
In response to Wolfgang

Hello, Wolfgang

I installed new ssl certificate for Mobile Access in gateway properties Mobile Access --> Portal Settings --> Certificate --> Replace

As I understand this shouldn't have affected setting for vpn clients. Certificate for vpn clients is specified in gateway properties VPN clients --> the gateway authenticates with this certificate

But Endpoint Security vpn client get this error: The site's security certificate is not trusted

Therefore gateway use Mobile Access certificate for vpn clients and don't use certificate for vpn clients

Could you please explain is it normal behavior or bug?

 

 

Preview file
76 KB
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2020-06-04 04:26 AM
In response to Maxim_Medvedev

@Maxim_Medvedev 

yes, this is normal behaviour.

The first connection from the  endpoint-client is a SSL handshake with the gateway. If MOB-blade is activated, this will be done with the MOB certificate.

Same behaviour is described here:

Mobile Access certificate fingerprint presented on Remote Access client 

Wolfgang

Maxim_Medvedev
Contributor
‎2020-06-05 01:27 AM
In response to Wolfgang

Thank you, now it's clear, this sk is very helpfull
Another question on the topic:
Would gateway work correctly with wildcard certificate like *.mydomain.com?
Whether full DNS name matching is required?
For Example mobile access portal has DNS name sslvpn.mydomain.com and vpn site has vpn.mydomain.com
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2020-06-05 01:49 AM
In response to Maxim_Medvedev

@Maxim_Medvedev 

yes, that works.

Wolfgang 

Jerry
Mentor
Mentor
‎2019-03-29 04:03 AM

IPSec does not use SSL Certificate
MAB uses either SSL Cert or IPSec host-based-cert.
I think you need to learn a little about the MAB and Remote Access security from CP ...

seach support site for sk's about MAB.
Jerry
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-03-29 05:07 AM
In response to Jerry

Hello Jerry,

you're right with your answer, 

But as I understand Matt, he is already using SNX (SSL extender) and for this an SSL certificate is in use.

And this same certificate can be used to import in the MAB. You can use there the one created from SmrtCenters CA or from a Third Party.

Wolfgang

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-29 04:04 AM

https://community.checkpoint.com/t5/Remote-Access-Solutions/Create-CSR-and-Importing-third-party-cer...
Jerry
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events