Duane_Toler
Advisor

MultiPortal configuration

Hey all...

So.. does anyone know how to configure MultiPortal?  No, I don't mean just the Mobile Access/Connectra/SSLVPN portal, or just the UserCheck Portal, and the individual ones.  I mean "MULTIPORTAL" itself, the big one at the top.


I got the TLS protocol edits (SmartConsole - Global Properties - Advanced - Customize - Portal Properties - min/max).  I got the TLS ciphers (cipher_util  and multi_portal_cipher_priority.conf and 'fw fetch local').   However, what about the HTTP headers?  I need to edit those for PCI compliance.  Yes I saw the SK about PCI (sk138813), but that was just about the Mobile Access/SNX/CSHELL portal; my customers aren't using that.


I know the different URIs in the HTTP request get handed to the internal reverse proxies and alternate proxy ports, and each of those have their own configurations (wow, what a zoo this is!).  Things get more exciting if you move the Gaia/API portal to an alternate port in CLISH (set web ssl-port ...), in which case that's in another config (and I got that already, along with template_xlate).  But again, that's not what I'm seeking.


I see $CPAPACHEDIR/conf/cp-httpd.conf but that is for the Gaia/API WebUI (and I see this as "Server: CPWS" in the server HTTP response; I already got this configured like I need it, however this is not MultiPortal).  The HTTP server I'm seeking is the one that issues "Server: Check Point SVN Foundation" as the server banner.  That is MultiPortal (and/or the VPN daemon itself?).


I've made tons of edit attempts in all kinds of portal config places (and yes, restarting MPDAEMON via cpwd_admin each time), but none of those give me the changes I need for the HTTP headers.  No SK has been useful for splicing together the desired configuration, either.  Everything keeps coming up with specifically the "Mobile Access" portal, and again... that's not what I need.


I know I can turn off certain portals I don't want (SNX, Captive Portal, UserCheck....), but if a portal is needed, then how in the world do I edit certain values, like the Headers?


0 Kudos
4 Replies
G_W_Albrecht
Legend

Looks like an SR# for info from R&D.

CCSE CCTE SMB Specialist
0 Kudos
G_W_Albrecht
Legend

"MULTIPORTAL" itself, the big one at the top, is no portal but only a simple daemon:  Introduced in R71, the MultiPortal daemon directs HTTP and SSL traffic destined for the gateway to applicable client portals. This product allows for multiple, discrete SSL applications to share a single IP and port.

Use the "mpclient status <portal name>" command to ensure that the portal is running. In order to determine the proper syntax for the portal name, run the "mpclient list" command to see the list of portals the client is aware of.

sk85040, sk155512 and old sk87920

CCSE CCTE SMB Specialist
0 Kudos
Chris_Atkinson
Employee

Does sk158773 help or is it already applied in your case?

0 Kudos
Duane_Toler
Advisor

That SK didn't come up in my searches... I don't have that hotfix available, so it is not applied.  So without it, there's no way to add these headers?  However, the customer is not using SNX (with or without MAB), either.


I did find that one of their gateways had the browser-based captive portal configured for Identity Awareness (the /connect URI), but they weren't actually using it.  I disabled that, and moved the Gaia WebUI to an alternate port.  Now, the gateway closes connections to 443 for basic HTTPS requests (Endpoint VPN and visitor mode still function).   The captive portal configuration was set for "only internal interfaces", but that still caused MultiPortal to be engaged externally.  Some gateways still have the UserCheck portal enabled (and "internal interfaces only" selected), but that doesn't seem to be engaging MultiPortal externally.


My cursory scans are now consistent with no responses on port 443 (desired, but still not solving the root issue of needing to edit the MultiPortal headers for situations where it's needed; regardless of SNX/MAB).  Any chance that will be doable?


0 Kudos
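Whatever config file the headers end up living in, the thing an assessor actually looks at is the response the gateway returns on 443. The script below is an added example (not Check Point's code and not from anyone in this thread) for auditing that response the way the original poster's "cursory scans" do: it parses a raw HTTP response head, flags missing hardening headers and any product banner such as the "Server: Check Point SVN Foundation" value quoted above, and can optionally probe a live host, reporting "no response" when the port is closed as described in the last reply. The header baseline (`REQUIRED_HEADERS`) is an assumption standing in for your assessor's list; the sample response is constructed except for the Server value taken from the thread.

```python
"""Audit the HTTP response headers returned by a gateway portal on TCP/443.

Added example for a header/banner review; the baseline below is an
assumption, not a PCI checklist, and the sample response is constructed.
"""
import http.client
import ssl
from typing import Dict, List, Optional, Tuple

# Assumed baseline: header name -> accepted values for the first token
# (case-insensitive), or None when any value is fine as long as it is present.
REQUIRED_HEADERS: Dict[str, Optional[Tuple[str, ...]]] = {
    "strict-transport-security": None,
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "x-content-type-options": ("NOSNIFF",),
    "content-security-policy": None,
}
# Headers whose presence discloses product or version information.
BANNER_HEADERS = ("server", "x-powered-by")

# Constructed sample. Only the Server value is the one quoted in the thread;
# every other line is made up for the example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Check Point SVN Foundation\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Frame-Options: sameorigin\r\n"
    b"\r\n"
    b"<html><body>portal</body></html>"
)


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Parse the status line and headers of a raw HTTP/1.x response; body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise to lower case
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Compare parsed headers against the baseline; an empty list means it is met."""
    findings: List[str] = []
    for name, allowed in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif allowed is not None:
            token = headers[name].split(";")[0].strip().upper()
            if token not in allowed:
                findings.append(f"unexpected value for {name}: {headers[name]!r}")
    for name in BANNER_HEADERS:
        if name in headers:
            findings.append(f"server banner disclosed via {name}: {headers[name]!r}")
    return findings


def audit_raw(raw: bytes) -> List[str]:
    """Parse a captured response and audit it in one step."""
    _, headers = parse_response_head(raw)
    return audit_headers(headers)


def probe(host: str, port: int = 443, path: str = "/", timeout: float = 5.0,
          verify: bool = True) -> Optional[Tuple[int, Dict[str, str]]]:
    """Fetch headers from a live host; None when nothing answers on the port."""
    ctx = ssl.create_default_context()
    if not verify:  # gateway portals often use self-signed certs; relax only for hosts you own
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "header-audit"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python audit.py <gateway-host>
        result = probe(sys.argv[1], verify=False)
        if result is None:
            print("no HTTPS response (port closed or connection refused)")
            sys.exit(0)
        status, headers = result
    else:
        status, headers = parse_response_head(SAMPLE_RESPONSE)
    print(f"HTTP {status}")
    for finding in audit_headers(headers) or ["baseline met"]:
        print(" -", finding)
```

Run it with no arguments to see the findings for the constructed sample, or pass a gateway hostname to read the live headers; re-run after each config change and after `mpdaemon` restarts so you can tell which edit actually reached the response, rather than guessing from config files.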