SSL VPN extender Linux/Mozilla Firefox
Hi everyone. I'm really struggling to get our Checkpoint VPN to work for SSL VPN. I am using Ubuntu, so the Checkpoint client is out of the question (stupid). I've tried the SSL extender option and it works to a point: I receive the Java unavailable error.
My problem is I'm using a Checkpoint 750. There is apparently a hotfix for Mobile Access. My Checkpoint is 'up to date' with update R77.20.87 (990173004), but the hotfix only applies to R77.30, I think. Is there any way I could get this working at all? It's so frustrating, as I need to TeamViewer to my server to access anything on the intranet. I'm not the biggest fan of Checkpoint. Help would be greatly appreciated, as I have tried everything, even L2TP.
Accepted Solutions
Hello everyone. I had a headache with SNX too, but after many hours of searching and reading I did resolve this problem.
SK's:
sk43935 Failure to connect with SSL Network Extender via Ubuntu 7 CLI
sk114267 How to install SSL Network Extender (SNX) client on Linux machine
sk65210 SSL Network Extender
sk90240 SNX Installation Package for Linux OS client
My Linux host is Linux Mint, which I updated and upgraded to the latest patches:
Linux vmLinuxMint 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
The Java that comes with this Linux flavor is:
openjdk version "10.0.2" 2018-07-17
OpenJDK Runtime Environment (build 10.0.2+13-Ubuntu-1ubuntu0.18.04.4)
OpenJDK 64-Bit Server VM (build 10.0.2+13-Ubuntu-1ubuntu0.18.04.4, mixed mode)
With all of the above installed, I ran:
prompt>sudo apt install libpam0g:i386 libx11-6:i386 libstdc++6:i386 libstdc++5:i386 libnss3-tools
Then I installed SNX, but, something rare, the snx client that I downloaded from my FW remote access portal didn't work for me, so I downloaded the snx client from sk90240 and made it executable. After that:
prompt>sudo sh ./snx_install_linux30.sh
and connected to the remote FW:
prompt>snx -s (ip-wan-fw) -u user
Check Point's Linux SNX
build 800010003
Please enter your password:
SNX - connected.
Session parameters:
===================
Office Mode IP : A.B.C.D
Timeout : 8 hours
I hope this works for you.
...
@G_W_Albrecht is correct in that the hotfix described in sk113410 is only for firewalls running the Mobile Access Blade. It's an update to the Mobile Access Portal to support extra browsers. The Mobile Access Blade is not supported on SMB firewalls running embedded Gaia.
Having said that, I have read a number of CheckPoint documents stating that the SNX client and Remote Access is possible and supported on SMB appliances running Embedded Gaia. One would presume that the SMB appliances have some sort of alternate portal.
What I have not been able to find is any CheckPoint documentation on how to enable Remote Access on an SMB firewall, nor on how to write policy rules to limit access to remote clients.
SMB appliances managed with SmartCenter are configured exactly the same way as regular gateways in terms of remote access (i.e. nothing on the device itself).
For locally managed SMB appliances, the “alternate” portal to download SNX is gateway-IP:444 though I will admit I haven’t tried invoking snx on Linux.
You can also configure local rules to allow remote users to access specific resources.
Did you read sk65210: SSL Network Extender? All Linux OSs require Oracle JRE to install.
Use the snx -h command to make sure that the SSL Network Extender client is installed correctly.
The Hotfix is from sk113410 - Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology
Here we read:
Note for locally and centrally managed SMB appliances [Embedded Gaia]:
This feature is not included in the product. If you need it, please submit a Request for Enhancement.
Hi
Thank you for your response.
I have Java installed, but unfortunately most browsers don't support Java anymore, so it's useless. I've tried with different browsers and I get the same error.
I'm also new to Linux, as I want to increase my knowledge of the OS. The endpoint works for Windows, but I just cannot seem to get this going for some reason.
I've tried everything.
Does this request for enhancement upgrade my current device?
Installing SNX via browser is not currently possible on SMB appliances.
Assuming an RFE would be accepted/delivered on SMB appliances, it would not apply to the 750 as we are only fixing bugs and not adding new features on these appliances.
However, what you can do is manually install SNX from here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This will allow you to invoke an SNX connection from the CLI, avoiding the issue with the browser not supporting Java plugins.
I did a brief test on 1490 and it appears to work.
FYI, almost all Linux vendors have stopped supporting i386. Ubuntu's latest LTS (20.04) doesn't. Checkpoint is going to need to come up with an SNX build for 64-bit at some point.
LuisSP, thank you, you're amazing.
It is finally working. I was doing everything exactly as you were doing, except my firewall was giving me an older version of SNX (800007075).
Going through your clues led me to download the right version, and now I can connect. Thank you once again.
I faced a similar issue, so I thought of sharing the solution as it may help someone else:
On the Ubuntu client, install the following prerequisites:
sudo apt-get install libstdc++5:i386 libpam0g:i386
It worked for me, Gateway: R80 , client: Ubuntu 16 and Ubuntu 18.
Hope it helps.
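
The two failure causes this thread converges on (missing 32-bit libraries and an outdated SNX build served by the gateway) can be checked before connecting. The script below is an added example, not part of any post above and not Check Point tooling: the function names are hypothetical, the library-to-package mapping covers only the i386 packages named in the thread, the ldd sample is constructed, and the banner text is assumed to be passed in on stdin in the "build NNN" form shown in the accepted answer.

```shell
#!/bin/sh
# Added example (not Check Point code); function names are hypothetical.
WORKING_BUILD=800010003   # build the thread reports as connecting

# ldd output on stdin -> space-separated libraries reported "not found"
missing_libs() {
    awk '/=> not found/ && !seen[$1]++ { out = out (out ? " " : "") $1 }
         END { print out }'
}

# Map a 32-bit library to the apt package named in the thread
pkg_for() {
    case "$1" in
        libpam.so.0)    echo "libpam0g:i386" ;;
        libX11.so.6)    echo "libx11-6:i386" ;;
        libstdc++.so.6) echo "libstdc++6:i386" ;;
        libstdc++.so.5) echo "libstdc++5:i386" ;;
        *)              echo "unknown:$1" ;;
    esac
}

# ldd output on stdin -> packages to install (empty if nothing is missing)
packages_needed() {
    pkgs=""
    for lib in $(missing_libs); do
        pkgs="$pkgs${pkgs:+ }$(pkg_for "$lib")"
    done
    echo "$pkgs"
}

# snx banner on stdin ("build NNN") -> 0 if at least the working build
build_ok() {
    b=$(awk '$1 == "build" && $2 ~ /^[0-9]+$/ { print $2; exit }')
    [ -n "$b" ] && [ "$b" -ge "$WORKING_BUILD" ]
}

# Constructed sample: ldd output for snx with two unresolved libraries
SAMPLE_LDD='    libX11.so.6 => /usr/lib/i386-linux-gnu/libX11.so.6 (0xf7d9c000)
    libpam.so.0 => not found
    libstdc++.so.5 => not found
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7bb0000)'

# Live check, run only with --live on a host where snx is installed
if [ "${1:-}" = "--live" ]; then
    dpkg --print-foreign-architectures | grep -qx i386 || echo "enable i386: sudo dpkg --add-architecture i386"
    need=$(ldd "$(command -v snx)" | packages_needed)
    [ -z "$need" ] && echo "snx libraries resolved" || echo "sudo apt install $need"
else
    printf '%s\n' "$SAMPLE_LDD" | packages_needed
fi
```

If ldd prints "not a dynamic executable" for snx on a 64-bit host, the 32-bit loader itself is absent, and installing the i386 packages above pulls it in as a dependency.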