This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nemezis_rock
Contributor
‎2023-07-11 11:48 PM

Publishing Services, HTTPS Inspection certificate issue

Hi dears,

I have two gateways working in ClusterXL mode running on R81.10. For internet interface i use three IP addresses: two for two gateways and one for cluster address as well. I am currently migrating services from Kerio and Pfsense and cannot find the clear answers by googling.

On external DNS there are bunch of subdomains (A records) that are pointed to one IP address like sub1.example.com -> IP1, sub2.example.com -> IP1 and etc. On kerio they are proxying using wildcard certificate.

For testing purpose I used one Host object published. But HTTPS inspection didnt work with Wildcard certificate uploaded via SmartDashboard. Also can't find information regarding publishing serveral services. Tried Domain object in NAT rule as Original Destination is Domain object (sub1.example.com) Translated destination (Host1) and got validation error.

So, I need help with importing *.example.com like certificate, and publishing several services on external cluster IP address that will do NAT like sub1.example.com -> Host1, sub2.example.com -> Host2.

Can someone provide clear instructions or link how can I perform it please?

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2023-07-13 03:06 PM

When you import the certificate, it must include the private key plus any public keys of intermediate CAs as part of the CA bundle.
Otherwise, please post a screenshot (with sensitive details redacted) of the relevant log card.

0 Kudos
nemezis_rock
Contributor
‎2023-07-18 10:22 PM
In response to PhoneBoy

Hi @PhoneBoy ,

Thank you so much for reply. I figured out how to publish services via Mobile Access Reverse Proxy settings. And Certificate works fine in reverse proxy. So I have another question. How to perform Acces Rules for services published via Reverse Proxy? Is there any clear information regarding that? 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-19 10:23 AM
In response to nemezis_rock

Mobile Access Reverse Proxy functionality is here: https://support.checkpoint.com/results/sk/sk110348 
Note this is different from configuring applications within the MAB portal itself.
To do that (clientless applications), refer to: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont... 

0 Kudos
Collette
Explorer
‎2023-07-19 05:13 AM

Hy there i have some suggestion 

 

Here are some common issues and potential solutions related to HTTPS Inspection certificate problems:

  1. Certificate Trust: Ensure that the certificate used for HTTPS Inspection is trusted by the client devices (e.g., browsers, applications). If the client does not trust the inspection certificate, it will raise security warnings or fail to establish a secure connection.

  2. Certificate Validity: Check if the HTTPS Inspection certificate is still valid. Certificates have an expiration date, and if the certificate has expired, it needs to be renewed or replaced with a valid one.

  3. Certificate Chain: Verify that the certificate chain is complete and correctly configured. The certificate chain should include all necessary intermediate and root certificates to establish trust with the client devices.

  4. Certificate Installation: Ensure that Tell Happy Star the HTTPS Inspection certificate is correctly installed and configured on the security appliance or proxy server performing the SSL/TLS inspection.

Thanks and regards

Collette

the_rock
Legend
Legend
‎2023-07-19 05:45 AM
In response to Collette

100% all valid points @Collette 👍

0 Kudos
nemezis_rock
Contributor
‎2023-07-19 06:04 AM
In response to Collette

Hi @Collette ,

Thank you so much for reply. Certificate is valid because it was used in Kerio Reverse Proxy and it was signing well. I recreated chain and p12 cert to be sure that it is fine. And it is working perfectly in reverse proxy of Checkpoint) Another question is how to restrict access to published services via CP Reverse proxy using Access Rules. How to use Access Rules correctly for reverse proxied services? I have played with rules and did not succeed. While analyzing logs, I noticed that rules not working for Mobile Access Reverse proxied services...

Preview file
14 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events