SSL network extender uses wrong certificate

TonyStark · ‎2022-05-18

Hello

We recently changed the SSL Certificates for VPN on our Gateway. We use two certificate. One for internal use only issued by an internal CA and one for external use issued by EuropeanSSL. Our configuration looks correct on the first glimpse but if we connect to our SNX it shows the internal certificate which it should not use.

SSLVPN-2022 is our EuropeanSSL Certificate the internal one would be InternalCP

Is there any kind of database entry that did not override or did i miss anything?

Thanks in advance for your help

_Val_ · ‎2022-05-19

Silly question, did you push policy?

TonyStark · ‎2022-05-19

Sure! Its running since 2 weeks or so...

_Val_ · ‎2022-05-19

Got it. Look into sk177903 and let me know if it fixes things or not.

TonyStark · ‎2022-05-23

I dont think this is the right solution... The UserCheck Portal should use the internal CA Cert but when we want to access the SNX Web-Page (for example) from the public domain it should use the EuropeanSSL but it does'nt...

This page is accessed via the public domain name so it should use the EuropeanSSL cert but internally it shouldnt

I hope you understand what I mean

_Val_ · ‎2022-05-23

UserCheck and SNX are using the same certificate, which is different from VPN certificate. What is the issue for UserCheck to show your EuropeanSSL?

_Val_ · ‎2022-05-23

Also, to make sure which certificate is used where, you can look into $FWDIR/database/myself_objects.C file of your Security Gateway

TonyStark · ‎2022-05-23

Okay so i checked the File....

The UserCheck Portal is running following settings:

: (
:type (portal_settings)
:portal_name (UserCheck)
:ssl_certificate (ReferenceObject
:Uid ("{BE6C0102-E935-4917-8B3E-A81DEE2577D3}")
:Name (cert_9)
:Table (ssl_certificates)
)
:internal_port (8887)
:is_enabled (true)
:priority (1000)
:encrypted_connection (true)
:dmz_internal_interfaces (false)
:portal_access (internal_interfaces)
:is_any_host (false)
:ip_address (w.x.y.z)
:allow_additional_clear_port (false)
:main_url ("https://server.domain.net/UserCheck")
:undefined_internal_interfaces (false)
:certificate_mode (all_with_same_ip)
:is_encrypted (true)
:path_prefix ("/UserCheck")
:hostname (server.domain.com)
:external_port (443)
)

It references to the ceretificate cert-9 but in the certificates section there is only the certs EuropeanSSL_Intermediate-2 and internal_ca... could that be related? and am i allowed to add a certificate to the config of the snx portal?

: (
:type (portal_settings)
:portal_name (VPN_SNX)
:internal_port (444)
:is_enabled (true)
:priority (1000)
:encrypted_connection (false)
:dmz_internal_interfaces (false)
:portal_access (all_interfaces)
:is_any_host (false)
:ip_address (0.0.0.0)
:allow_additional_clear_port (false)
:main_url ("https://0.0.0.0/")
:undefined_internal_interfaces (false)
:certificate_mode (all_with_same_ip)
:is_encrypted (true)
:path_prefix ("/")
:hostname (0.0.0.0)
:external_port (443)
)

_Val_ · ‎2022-05-23

As I said, SNX uses the same infrastructure as UserCheck, so no, you cannot manually assign a different certificate to it by editing the file.

Are you a member of CheckMates?

SSL network extender uses wrong certificate