altu
Participant

Silent install Check Point Mobile Access Portal Agent

Hi,

I am trying to install the Check Point Mobile Access Portal Agent (CheckPointMobileAgent.msi) which would allow our users to connect to VPN via the web portal in modern browsers like Chrome, Edge Chromium, etc...

However, during the installation the installer will show a prompt where you would have to allow the installation of a certificate. (screenshot below)

Each time you run the installer a new certificate is generated. The Thumbprint changes.

How should we install this agent silently to a couple of thousand devices without our users seeing this prompt?

In corporate environments it's not feasible to have to do stuff manually.

Because of this, we are also not able to install the agent during OS Deployment.

I can't find any property in the MSI that would force the import of the certificate without displaying the prompt.

I also can't manually import the certificate with certutil as a new certificate is generated each time the installer runs.

Does anyone have any tips or suggestions?

 

Thank you

 

[Screenshot: 2021-01-07 10_38_24-Window.png]

0 Kudos
27 Replies
Gaurav_Pandya
Advisor

Hi,

We have installed JHF on the gateway and because of that users were being prompted with a certificate warning. This warning comes only the first time they connect. We are not getting this warning message every time.

 

0 Kudos
altu
Participant

I think you're talking about the prompt to trust the certificate when you try to connect? That's not the problem I'm talking about here.

My issue is with the installation of the Check Point Mobile Access Portal Agent.

0 Kudos
PhoneBoy
Admin

@AndreiR any ideas here?

0 Kudos
altu
Participant

Is there anyone that deployed this in their organization?

We can't be the only ones facing this issue...

0 Kudos
Fatihah
Participant

@altu, yes, my side is also having this issue.

The users were prompted to re-install the agent every time they access the Mobile Access portal.

And currently we haven't found a solution to this issue. We already reached out to TAC, but the issue still persists.

Gateway ver: R80.40 

Hotfix: Take 125

 

0 Kudos
Bac26
Contributor

I have the same issues. Furthermore, must the Mobile Access Portal Agent have Java installed on version 81.20?

0 Kudos
altu
Participant

Everybody has this issue brother.

There is no way to deploy this silently and unattended.

And yes, Java is required as well. I deployed OpenJDK together with the portal components.

The install was interactive. Meaning: I had to ask the users to launch the install themselves and explain what to do with the prompts.

Makes no sense for such a crucial application to be honest. But I found no other way. It was a hassle.

0 Kudos
Bac26
Contributor

But Java is required? Because until version 80.30 it wasn't... Not everyone wishes to have Java installed now.

0 Kudos
PhoneBoy
Admin

Java has always been required.

0 Kudos
Bac26
Contributor

For SSL extender too?

0 Kudos
PhoneBoy
Admin

SNX itself has never required Java.
What does require Java is the deployment agent, which is how SNX is activated from the MAB portal.
Previously, this used Java browser plugins, which have all been deprecated by major browsers.

0 Kudos
Bac26
Contributor

Because since the upgrade to 81.10, MAB now asks me for Java for installation, so what is the best way now? The customer doesn't want to install Java...

0 Kudos
altu
Participant

Then you won't be able to use the Portal.

You could use the Check Point Mobile client.

Or, install OpenJDK (e.g. Adoptium)

0 Kudos
Bac26
Contributor

But is it just for installation or to operate?

0 Kudos
altu
Participant

Also to operate...

Otherwise you won't be able to connect via the portal in a modern browser like Chrome or Edge.

It also wouldn't make sense for it to be required only for the installation 🙂

0 Kudos
Bac26
Contributor

Yes, but it happened after I upgraded from 80.30 to 81.10, so I'm trying to understand why it was working before without Java installed...

0 Kudos
altu
Participant

Because before it was SNX, which worked in Internet Explorer. SNX doesn't require Java.

You now have the Deployment Agent, which requires Java to activate SNX from the Mobile Access Portal (MAB).

This then also works from Edge and Chrome browsers.

I agree that it is something that they should do differently. Java requirements should be something from the past. But unfortunately you won't have a choice if you want to use it now.

There is no workaround.

Perhaps you could try to reach out to their support and ask for advice.

 

0 Kudos
Bac26
Contributor

OK, you mean now SNX needs MAB, which needs Java, correct? Bit confused :)

0 Kudos
PhoneBoy
Admin

Prior to R80.40, “out of the box” there were two ways to deploy SNX on endpoint computers:

  • With a Java plugin (which no modern browser supports)
  • With an ActiveX plugin (which only works in legacy Internet Explorer)

Since neither Java nor ActiveX is supported in modern browsers, and hasn't been for some time, we had to change the deployment method.
See: https://support.checkpoint.com/results/sk/sk113410
R80.40 was the first version this was integrated “out of the box”, which is why this “broke” after you upgraded.

I hope that makes the situation clear.

0 Kudos
altu
Participant

I don't think that I understand what you're saying here:

R80.40 was the first version this was integrated “out of the box”...

Does this mean that with this version there is no need for Java?

Also, the initial question I posted here was never answered. So I don't really accept any answer (including mine) as a solution 😄 😄

0 Kudos
PhoneBoy
Admin

The answer to your original question (how to deploy certs to many computers automatically) can be solved using GPO.
Something like: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-t...

My answer refers to how SNX is deployed to client computers via the MAB portal.
In versions prior to R80.40, the "out of box" portal also allowed deployment without Java if and only if the legacy Internet Explorer browser was used (using ActiveX instead of Java).
R80.40 (and earlier versions with appropriate hotfix) changed this as it:

  • Removed support for ActiveX (because Internet Explorer is no longer supported)
  • Changed the Java deployment method from NSAPI to WebStart so SNX can be deployed via modern browsers.

It has always been required to deploy SNX using non-Internet Explorer browsers.
From R80.40, it is now the only option.
I hope that makes the situation clear.

0 Kudos
altu
Participant

That was not my original question though. 🙂

I know how to deploy certificates.

My original question is:

I am trying to install the Check Point Mobile Access Portal Agent (CheckPointMobileAgent.msi) which would allow our users to connect to VPN via the web portal in modern browsers like Chrome, Edge Chromium, etc...

However, during the installation the installer will show a prompt where you would have to allow the installation of a certificate.

Each time you run the installer a new certificate is generated. The Thumbprint changes.

How should we install this agent silently to a couple of thousand devices without our users seeing this prompt?

 

More details in the first post. Including screenshot.

I couldn't find a way to silently deploy it. And nobody from CP was able to help.

It just seems weird that such a crucial application can't be deployed unattended.

0 Kudos
PhoneBoy
Admin

Unfortunately, this is expected behavior: https://support.checkpoint.com/results/sk/sk122077 

0 Kudos
Bac26
Contributor

We just publish an RDP server on the portal to connect to... What would be a workaround? Any other possibilities besides installing Java on every endpoint?

0 Kudos
altu
Participant

Essentially, yes. That is what it is...

0 Kudos
(1)
PhoneBoy
Admin

If it’s only RDP, you don’t need SNX for that.
It does require setting up a Guacamole server, which will provide an HTML5 interface that can be used with MAB.
See: https://support.checkpoint.com/results/sk/sk123842

0 Kudos
Bac26
Contributor

The SK you mention is for 80.30. By the way, you mean a separate server that will be reached via MAB via an HTTPS link?

0 Kudos
