Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniel_Kavan
Advisor
Advisor

SSL Network Extender - client upgrade upon connection in global properties

So, I want clients to upgrade upon connection from one gateway, yet not others...  Alas, this is a global property...

Is there a way to leave this remote access global property as Do not upgrade, yet initiate the upgrade on one specific gateway?

 

 

 

0 Kudos
20 Replies
the_rock
Legend
Legend

Not that I know of, but will look into it. Let me see if R81.20 has different options.

0 Kudos
PhoneBoy
Admin
Admin

What triggers the upgrade ultimately for SNX is this file: $CVPNDIR/htdocs/SNX/CSHELL/snx_ver.txt
I presume if this file is modified on the other gateways to the lower version, then the upgrade won't be triggered.

the_rock
Legend
Legend

@PhoneBoy Somewhat unrelated snx extender question...any idea what would cause to show java unavailable when trying to connect via ssl extender? I tried R81.10, R81.20, 3 different machines, even added fw ip to excluded list in java panel, no luck. Java unavailable shows up when I enter creds to connect (shows up after about 30 seconds).

Also tried 4 different browsers, same problem.

0 Kudos
PhoneBoy
Admin
Admin

0 Kudos
the_rock
Legend
Legend

I do, BUT...I just realized that sk does not have windows 11 listed, maybe thats why its failing...as I tested only on that version. Let me see if windows 10 works.

0 Kudos
PhoneBoy
Admin
Admin

0 Kudos
the_rock
Legend
Legend

No luck even on windows 10. I even downloaded latest JDK (version 19) and tried manual msi install from extender log on page, but when I try it from c/program files(x86)/ssl extender folder, nothing really happens.

0 Kudos
Daniel_Kavan
Advisor
Advisor

Is there a link or page that shows the most recent version of snx available?  Not sk104379, but a web page on cp.com that shows it to confirm what's in cat $CVPNDIR/htdocs/SNX/CSHELL/snx_ver.txt

 

cat /opt/CPcvpn-R81.10/htdocs/SNX/CSHELL/snx_ver.txt

 

sk168353 show the portal agent, not snx though
800008304

0 Kudos
PhoneBoy
Admin
Admin

What's in that file will depend entirely on the version of the gateway in question since we don't generally distribute SNX separate of the gateway itself or a hotfix (JHF or otherwise).
For example, I see some SNX-specific fixes in the most recent JHF (Take 82) for R81.10.
See https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10/R81.10/R81.10-List-of-all-Resolved-Issues.htm.
Whether these are gateway specific fixes, client specific fixes, or both, I can't say off-hand.

In any case, I checked my R81.20 installation and see the same version that you specified (800008304).
Which suggests it's a fairly recent version (if not the most recent). 

AndreiR
Employee
Employee

Hi @Daniel_Kavan,

80008304 is the latest version of SNX. It is available since R81.10 Jumbo take 55.

SNX itself doesn't require Java runtime. It is needed for deployment and control from Mobile Access Portal page. See sk113410 for more details. Pay attention to supported Java versions and editions.

If you see "Java unavailable" message, it means that Mobile Access Portal Agent can't detect installed Java. Check output of following command in CMD:

java -version

If you see Java version. try to re-install "Check Point Mobile Access Portal Agent". If it doesn't help - better open ticket with support.

0 Kudos
the_rock
Legend
Legend

Hey @AndreiR ,

It was actually me that had that issue. Question...I know before you could use ssl extender without needing to have mobile access enabled, is that still the case? I ask, because I get same problem regardless if MA is enabled or not.

Andy

0 Kudos
PhoneBoy
Admin
Admin

SNX doesn't require MAB to be enabled to use...if they already have SNX installed.
However, the "legacy" SNX portal still uses the legacy deployment method that modern browsers don't support.

0 Kudos
the_rock
Legend
Legend

Hey @PhoneBoy ...what do you mean exactly by "if they already have SNX installed"?

0 Kudos
PhoneBoy
Admin
Admin

SNX is typically deployed through a web portal and requires Java to do so.
There are two portals where this can be done:

  • Mobile Access Blade
  • Legacy SNX Portal (doesn't require MAB to be enabled)

Mobile Access Blade (as of R80.40) has been updated to allow the Java-based Deployment Agent to deploy SNX on modern web browsers.
The Legacy SNX Portal leverages the legacy NPAPI method, which isn't supported on any current web browser.

It is possible to deploy SNX "out of band" if you're not using Mobile Access Blade (i.e. by installing the relevant CAB file).

(1)
the_rock
Legend
Legend

I simply ended up downgrading java version and bam, all worked like a charm : - )

0 Kudos
Daniel_Kavan
Advisor
Advisor

Would you consider just logging into the Mobile access portal (sslvpn) and just using web applications to still be a VPN (sslvpn?) or would you say it's only considered a VPN once you connect with snx and native applications?  Or are they both considered VPNs whether you just login to the portal and use a web application or connect with SNX?  Or is one considered sslvpn and the other just a reverse proxy?

0 Kudos
PhoneBoy
Admin
Admin

All VPNs provide Remote Access, but not all forms of Remote Access involve a VPN.
Accessing applications via the MAB portal without SNX is a form of Remote Access.
SNX creates a VPN that terminates over TLS/SSL.

the_rock
Legend
Legend

Spoke with one of my colleagues and asked him about it and he said if anything, I may need to downgrade Java to get this to work, so will try that and update : - ). With MA blade on, all works just fine.

0 Kudos
the_rock
Legend
Legend

Just to verify for myself, installed older java version and that worked fine, no MAB enabled.

0 Kudos
the_rock
Legend
Legend

I actually disabled/re-enabled MA blade and now works fine. Tx a lot!

Cheers,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events