Silent install Check Point Mobile Access Portal Agent
Hi,
I am trying to install the Check Point Mobile Access Portal Agent (CheckPointMobileAgent.msi) which would allow our users to connect to VPN via the web portal in modern browsers like Chrome, Edge Chromium, etc...
However, during the installation the installer will show a prompt where you would have to allow the installation of a certificate. (screenshot below)
Each time you run the installer a new certificate is generated. The Thumbprint changes.
How should we install this agent silently to a couple of thousand devices without our users seeing this prompt?
In corporate environments it's not feasible to have to do stuff manually.
Because of this, we are also not able to install the agent during OS Deployment.
I can't find any property in the MSI that would force the import of the certificate without displaying the prompt.
I also can't manually import the certificate with certutil as a new certificate is generated each time the installer runs.
Does anyone have any tips or suggestions?
Thank you
Hi,
We have installed a JHF on the gateway, and because of that users were prompted with a certificate warning. This warning appears on the first connection only. We are not getting this warning message every time.
I think you're talking about the prompt to trust the certificate when you try to connect? That's not the problem I'm talking about here.
My issue is with the installation of the Check Point Mobile Access Portal Agent.
@AndreiR any ideas here?
Is there anyone that deployed this in their organization?
We can't be the only ones facing this issue...
@altu, yes, my side is also having this issue.
The users were prompted to re-install the agent every time they access the Mobile Access portal.
Currently we haven't found a solution to this issue. We already reached out to TAC, but the issue still persists.
Gateway ver: R80.40
Hotfix: Take 125
I have the same issues. Furthermore, must the Mobile Access Portal Agent have Java installed on version 81.20?
Everybody has this issue, brother.
There is no way to deploy this silently and unattended.
And yes, Java is required as well. I deployed OpenJDK together with the portal components.
The install was interactive. Meaning: I had to ask the users to launch the install themselves and explain what to do with the prompts.
Makes no sense for such a crucial application to be honest. But I found no other way. It was a hassle.
But Java is required? Because until version 80.30 it wasn't... not everyone wants Java installed now.
Java has always been required.
For SSL extender too?
SNX itself has never required Java.
What does require Java is the deployment agent, which is how SNX is activated from the MAB portal.
Previously, this used Java browser plugins, which have all been deprecated by major browsers.
Because since the upgrade to 81.10, MAB now asks me for Java for installation, so what is the best way now? The customer doesn't want to install Java...
Then you won't be able to use the Portal.
You could use the Check Point Mobile client.
Or, install OpenJDK (e.g. Home | Adoptium)
But is it just for installation, or to operate?
Also to operate...
Otherwise you won't be able to connect via the portal in a modern browser like Chrome or Edge.
It also wouldn't make sense for it to only be required for the installation 🙂
Yes, but it happened after I upgraded from 80.30 to 81.10, so I'm trying to understand why it was working before without Java installed...
Because before it was SNX, which worked in Internet Explorer. SNX doesn't require Java.
You now have the Deployment Agent, which requires Java to activate SNX from the Mobile Access Portal (MAB) portal.
This then also works from Edge and Chrome browsers.
I agree that it is something that they should do differently. Java requirements should be something from the past. But unfortunately you won't have a choice if you want to use it now.
There is no workaround.
Perhaps you could try to reach out to their support and ask for advice.
OK, you mean SNX now needs MAB, which needs Java, correct? Bit confused :)
Prior to R80.40, “out of the box” there were two ways to deploy SNX on endpoint computers:
- With a Java plugin (which no modern browser supports)
- With an ActiveX plugin (which only works in legacy Internet Explorer)
Since neither Java nor ActiveX is supported in modern browsers, and they haven’t been for some time, we had to change the deployment method.
See: https://support.checkpoint.com/results/sk/sk113410
R80.40 was the first version in which this was integrated “out of the box”, which is why this “broke” after you upgraded.
I hope that makes the situation clear.
I don't think that I understand what you're saying here:
R80.40 was the first version this was integrated “out of the box”...
Does this mean that with this version there is no need for Java?
Also, the initial question I posted here was never answered. So I don't really accept any answer (including mine) as a solution 😄 😄
The answer to your original question (how to deploy certs to many computers automatically) can be solved using GPO.
Something like: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-t...
My answer refers to how SNX is deployed to client computers via the MAB portal.
In versions prior to R80.40, the "out of box" portal also allowed deployment without Java if and only if legacy Internet Explorer browser is used (using ActiveX instead of Java).
R80.40 (and earlier versions with appropriate hotfix) changed this as it:
- Removed support for ActiveX (because Internet Explorer is no longer supported)
- Changed the Java deployment method from NSAPI to WebStart so SNX can be deployed via modern browsers.
It has always been required to deploy SNX using non-Internet Explorer browsers.
From R80.40, it is now the only option.
I hope that makes the situation clear.
That was not my original question though. 🙂
I know how to deploy certificates.
My original question is:
I am trying to install the Check Point Mobile Access Portal Agent (CheckPointMobileAgent.msi) which would allow our users to connect to VPN via the web portal in modern browsers like Chrome, Edge Chromium, etc...
However, during the installation the installer will show a prompt where you would have to allow the installation of a certificate.
Each time you run the installer a new certificate is generated. The Thumbprint changes.
How should we install this agent silently to a couple of thousand devices without our users seeing this prompt?
More details in the first post. Including screenshot.
I couldn't find a way to silently deploy it. And nobody from CP was able to help.
It just seems weird that such a crucial application can't be deployed unattended.
Unfortunately, this is expected behavior: https://support.checkpoint.com/results/sk/sk122077
We just publish an RDP server on the portal to connect to... what would be a workaround? Any other possibilities besides installing Java on every endpoint?
Essentially, yes. That is what it is...
If it’s only RDP, you don’t need SNX for that.
It does require setting up a Guacamole server, which will provide an HTML5 interface that can be used with MAB.
See: https://support.checkpoint.com/results/sk/sk123842
The SK you mention is for 80.30. By the way, you mean a separate server that will be reached via MAB via an HTTPS link?
