Danilson
Explorer

Cisco Jabber External Connectivity Issue After Migrating from ASA to Check Point (Solved)

Hi everyone,

I wanted to share a workaround that solved a tricky issue we ran into after migrating from Cisco ASA firewalls to Check Point Quantum Security Gateways, in case it helps anyone else facing the same problem.

Environment

  • Check Point Quantum 6200 Security Gateway

  • Gaia OS R82, Build 2589

  • Cisco Expressway Server in the DMZ

  • Cisco Jabber for external users

Issue

After the migration, Cisco Jabber clients were unable to connect to the Phone Service when connecting from outside the network. Internal connections worked fine, but all external attempts were blocked by the firewall.

We suspected SIP-related traffic handling on the Check Point side, but there was very little documentation or community input on this specific issue.

Troubleshooting and Resolution

During troubleshooting, we created an Access Control Rule to allow external connections to the Cisco Expressway Server using the Check Point predefined service sip_tls_not_inspected.

As soon as we applied this rule, Cisco Jabber external connectivity was restored.

It appears that Cisco Jabber doesn’t handle SIP TLS inspection well when traffic passes through Check Point. Disabling inspection for SIP TLS (while maintaining other security layers) resolved the issue immediately.

Summary

If Cisco Jabber stops connecting from outside your network after moving to Check Point:

  • Try allowing SIP TLS traffic to your Cisco Expressway using sip_tls_not_inspected.

  • This bypasses SIP TLS inspection, which seems to cause the connection failure.

Hopefully, this saves someone else a few hours (or days) of troubleshooting!

1 Reply
_Val_
Admin

Thanks for sharing!

0 Kudos
