
SSL Network Extender

In This Section:

Introduction to the SSL Network Extender

How the SSL Network Extender Works

Commonly Used Concepts

Special Considerations for the SSL Network Extender

Configuring SSL Network Extender

SSL Network Extender User Experience

Troubleshooting SSL Network Extender

Introduction to the SSL Network Extender

Whenever users access the organization from remote locations, it is essential that not only the usual requirements of secure connectivity be met but also the special demands of remote clients. These requirements include:

To resolve these issues, a secure connectivity framework is needed to ensure that remote access to the corporate network is securely enabled.

The SSL (Secure Sockets Layer) Network Extender is a simple-to-implement remote access solution. A thin client is installed on the user's machine. (The SSL Network Extender client has a much smaller size than other clients.) It is connected to an SSL enabled web server that is part of the Enforcement Module. By default, the SSL enabled web server is disabled. It is activated by using the SmartDashboard, thus enabling full secure IP connectivity over SSL. The SSL Network Extender requires a server side configuration only, unlike other remote access clients. Once the end user has connected to a server, the thin client is downloaded as an ActiveX component, installed, and then used to connect to the corporate network using the SSL protocol.

It is much easier to deploy a new version of the SSL Network Extender client than it is to deploy a new version of other conventional clients.

Note - If the Mobile Access blade is active on a Security Gateway, SSL Network Extender works through Mobile Access and not IPsec VPN. In this case, SSL Network Extender must be configured through the Mobile Access blade. If you already had SSL Network Extender configured on an IPsec VPN Security Gateway and then you enable the Mobile Access blade, you must reconfigure SSL Network Extender for the Mobile Access blade.

How the SSL Network Extender Works

The SSL Network Extender is a thin client installed on the user's computer and an SSL enabled web server component, integrated into the Security Gateway.

To enable connectivity for clients using the SSL Network Extender, a Security Gateway must be configured to support Remote Access Clients, in addition to a minor configuration specific to SSL Network Extender.

Users download SSL Network Extender from a Security Gateway portal.

Commonly Used Concepts

This section briefly describes commonly used concepts that you will encounter when dealing with the SSL Network Extender. It is strongly recommended that you review the "Remote Access VPN" section of this book before reading this guide.

Remote Access VPN

Refers to remote users accessing the network with client software such as Endpoint VPN clients, SSL clients, or third party IPsec clients. The Security Gateway provides a Remote Access Service to the remote clients.

Remote Access Community

A Remote Access Community, a Check Point concept, is a type of VPN community created specifically for users that usually work from remote locations, outside of the corporate LAN.

Office Mode

Office Mode is a Check Point remote access VPN solution feature. It enables a Security Gateway to assign a remote client an IP address. This IP address is used only internally for secure encapsulated communication with the home network, and therefore is not visible in the public network. The assignment takes place once the user connects and authenticates. The assignment lease is renewed as long as the user is connected. The address may be taken either from a general IP address pool, or from an IP address pool specified per user group, using a configuration file.

Visitor Mode

Visitor Mode is a Check Point remote access VPN solution feature. It enables tunneling of all client-to-Security Gateway communication through a regular TCP connection on port 443. Visitor mode is designed as a solution for firewalls and Proxy servers that are configured to block IPsec connectivity.

Endpoint Security on Demand

Endpoint Security on Demand (ESOD) may be used to scan endpoint computers for potentially harmful software before allowing them to access the internal application. When end users access the SSL Network Extender for the first time, they are prompted to download an ActiveX component that scans the end user machine for Malware. The scan results are presented both to the Security Gateway and to the end user. SSL Network Extender access is granted/denied to the end user based on the compliance options set by the administrator.

ESOD Policy per User Group

Since there are many different kinds of threats to your network's security, different users may require different configurations in order to guard against the increasing number and variety of threats. The ability to configure a variety of ESOD policies enables the administrator to customize the software screening process between different user groups.

Screened Software Types

ESOD can screen for the Malware software types listed below:

  • Worms: Programs that replicate over a computer network for the purpose of disrupting network communications or damaging software or data.
  • Trojan horses: Malicious programs that masquerade as harmless applications.
  • Hacker tools: Tools that facilitate a hacker's access to a computer and/or the extraction of data from that computer.
  • Keystroke loggers: Programs that record user input activity (that is, mouse or keyboard use) with or without the user's consent. Some keystroke loggers transmit the recorded information to third parties.
  • Adware: Programs that display advertisements, or record information about Web use habits and store it or forward it to marketers or advertisers without the user's authorization or knowledge.
  • Browser plug-ins: Programs that change settings in the user's browser or add functionality to the browser. Some browser plug-ins change the default search page to a pay-per-search site, change the user's home page, or transmit the browser history to a third party.
  • Dialers: Programs that change the user's dialup connection settings so that instead of connecting to a local Internet Service Provider, the user connects to a different network, usually a toll number or international phone number.
  • 3rd party cookies: Cookies that are used to deliver information about the user's Internet activity to marketers.
  • Other undesirable software: Any unsolicited software that secretly performs undesirable actions on a user's computer and does not fit any of the above descriptions.

Special Considerations for the SSL Network Extender

This section lists SSL Network Extender special considerations, such as pre-requisites, features and limitations:

Pre-Requisites

The SSL Network Extender pre-requisites are listed below:

Client-side Pre-Requisites

The SSL Network Extender client-side pre-requisites for remote clients are:

Server-Side Pre-Requisites

The SSL Network Extender server-side pre-requisites are listed below:

Features

The SSL Network Extender features are listed below:

Configuring SSL Network Extender

The following sections describe how to configure the server. Load Sharing Cluster Support, customizing the Web GUI, upgrading the SSL Network Extender client and Installation for Users without Administrator privileges are also discussed.

Configuring the Server

Before configuring the server, verify that you have a valid license for the SSL Network Extender.

Use cpconfig to verify that you have a valid license for the SSL Network Extender. Check Point software is activated with a License Key. You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack, in the Check Point Support Center.

Server-Side Configuration

The SSL Network Extender requires only server side configuration.

Configuring the Security Gateway as a Member of the Remote Access Community
  1. Open SmartDashboard, select the Security Gateway object on the Network Object tab of the Objects Tree.

    The General Properties window is displayed.

  2. Verify that the IPsec VPN blade is selected and click OK.
  3. Select VPN in the objects tree on the left hand side.
  4. Verify that the module participates in the Remote Access Community. If not, add the module to the Remote Access Community.
  5. In the Topology Tab of the Security Gateway Properties page, configure the VPN Domain for SSL Network Extender, in the same way that you configure it for SecureClient.

    Note - You can use the VPN Domain to configure SSL Network Extender to work in Hub Mode. All traffic is then directed through a central Hub. You can also use the "Set domain for Remote Access Community ..." button on the same tab to create different encryption domain for Remote Access clients that connect to the Security Gateway (see Configuring Selective Routing).

  6. Configure Visitor Mode, as described in the "Resolving Connectivity Issues" chapter. Configuring Visitor Mode doesn't interfere with regular SecureClient users' functionality. It merely allows SecureClient users to enable Visitor Mode. (For a description of Visitor Mode, refer to Visitor Mode.)

    Note - The SSL Network Extender uses TCP 443 (SSL) to establish a secure connection with VPN. The IPSO platform uses TCP 443 (SSL) for remote administration purposes. Another port may be assigned to the SSL Network Extender, however, this is not recommended, as most proxies do not allow ports other than 80 and 443. Instead, it is strongly recommended that you assign the IPSO platform web user interface to a port other than 443.

  7. To change a Voyager port on an IPSO platform, run:

    voyager -e x -S <port number> (x represents the encryption level.)

    For more information, run: voyager -h

  8. Select IPSec VPN > Office Mode.
  9. Configure Office Mode, as described in the "Office Mode" chapter. (For a description, refer to Office Mode.)

    Note - Office Mode support is mandatory on the Security Gateway side.

  10. Configure Users and Authentication.

Configuring the Security Gateway to Support the SSL Network Extender

Note - If the Mobile Access blade is active on a Security Gateway, SSL Network Extender works through Mobile Access and not IPsec VPN. In this case, SSL Network Extender must be configured through the Mobile Access blade. If you already had SSL Network Extender configured on an IPsec VPN Security Gateway and then you enable the Mobile Access blade, you must reconfigure SSL Network Extender for the Mobile Access blade.

To configure the SSL Network Extender:

Note - You must configure each Security Gateway that will be using the SSL Network Extender.

  1. Select Remote Access > SSL Network Extender.
  2. Select SSL Network Extender.
  3. Select the server side certificate with which the Security Gateway will authenticate from the drop-down list.
  4. Click OK.

Configuring the SSL Network Extender
  1. Select Policy > Global Properties > Remote Access > SSL Network Extender. The SSL Network Extender Global Properties window is displayed.
  2. Select the user authentication method, employed by the SSL Network Extender, from the drop-down list. The options are:
    • Certificate: The system will authenticate the user only via a certificate. Enrollment is not allowed.
    • Certificate with enrollment: The system will authenticate the user only via a certificate. Enrollment is allowed. If the user does not have a certificate, he/she can enroll using a registration key, received previously from the system administrator.
    • Legacy: (Default) The system authenticates the user via his/her Username and Password.
    • Mixed: The system attempts to authenticate the user via a certificate. If the user does not have a valid certificate, the system attempts to authenticate the user via his/her Username and Password.

Management of Internal CA Certificates

If the administrator has configured Certificate with Enrollment as the user authentication scheme, users can create a certificate for their use, by using a registration key, provided by the system administrator.

To create a user certificate for enrollment:

  1. Follow the procedure described in "The Internal Certificate Authority (ICA) and the ICA Management Tool" in the R77 Security Management Server Administration Guide.

    Note - In this version, enrollment to an External CA is not supported.

  2. Browse to the ICA Management Tool site, https://<mngmt IP>:18265, and select Create Certificates.
  3. Enter the user's name, and click Initiate to receive a Registration Key, and send it to the user.

    When the user attempts to connect to the SSL Network Extender, without having a certificate, the Enrollment window is displayed, and he/she can create a certificate for his/her use by entering the Registration Key, received from the system administrator.

    For a description of the user login experience, refer to Downloading and Connecting the Client.

    Note - The system administrator can direct the user to the URL, http://<IP>/registration.html, to allow the user to receive a Registration Key and create a certificate, even if they do not wish to use the SSL Network Extender, at this time.

  4. You can determine whether the SSL Network Extender will be upgraded automatically, or not. Select the client upgrade mode from the drop-down list. The options are:
    • Do not upgrade: Users of older versions will not be prompted to upgrade.
    • Ask user: (Default) Ask user whether or not to upgrade, when the user connects.
    • Force upgrade: Every user, whether users of older versions or new users will download and install the newest SSL Network Extender version.

    Note - The Force Upgrade option should only be used in cases where the system administrator is sure that all the users have administrator privileges. Otherwise, the user will not be able to connect to and use the SSL Network Extender.

    For a description of the user upgrade experience, refer to Downloading and Connecting the Client.

  5. Select the supported encryption method from the drop-down list. The options are:
    • 3DES only: (Default) The SSL Network Extender client supports 3DES, only.
    • 3DES or RC4: The SSL Network Extender client supports the RC4 encryption method, as well as 3DES.
  6. You can determine whether the SSL Network Extender will be uninstalled automatically, when the user disconnects. Select the desired option from the drop-down list. The options are:
    • Keep installed: (Default) Do not uninstall. If the user wishes to uninstall the SSL Network Extender, he/she can do so manually.
    • Ask user whether to uninstall: Ask user whether or not to uninstall, when the user disconnects.
    • Force uninstall: Always uninstall automatically, when the user disconnects.

    For a description of the user disconnect experience, refer to Uninstall on Disconnect.

    Note - The Uninstall on Disconnect feature will not ask the user whether or not to uninstall, and will not uninstall the SSL Network Extender, if a user has entered a suspend/hibernate state, while he/she was connected.

  7. You can determine whether Endpoint Security on Demand will be activated, or not. When ESOD is activated, users attempting to connect to the SSL Network Extender will be required to successfully undergo an ESOD scan before being allowed to access the SSL Network Extender. Select the desired option from the drop-down list. The options are:
    • None
    • Endpoint Security on Demand

Fetching the XML Configuration File

After installing the ESOD server and configuring it, fetch the XML config file from the ESOD server:

  1. Open a browser on any computer or server.
  2. Browse to http://<site ip>/<site name or virtual directory>/sre/report.asp and save the displayed XML file to disk, using Save As.
  3. Copy the XML file to $FWDIR/conf/extender/request.xml on the Security Gateway.

Upgrading ESOD

Note - At present, the Dynamic ESOD Update feature is not supported.

You can manually upgrade ESOD as follows:

  1. Replace the ICSScanner.cab file, under $FWDIR/conf/extender, with the new package.
  2. Open the file ics.html, under $FWDIR/conf/extender, in a text editor.
  3. Search for #Version= and replace the current value with the new version.
  4. Save.

Configuring ESOD Policies

On the Security Management Server:

Note - Make sure that Endpoint Security on Demand is enabled in the Global Properties > Remote Access > SSL Network Extender page.

  1. Navigate to the $FWDIR/lib directory.
  2. Backup the vpn_table.def file.
  3. Change the file name vpn_table_HFA.def to vpn_table.def.

On the Security Gateway:

  1. Using the ESOD server, or ESOD configuration Tool (which can be downloaded from the Check Point download center), create xml policy files for each group and place them in $FWDIR/conf/extender.
  2. You can create a default policy file, named request.xml. This is only optional, and will be used when no group is given.
  3. In the $FWDIR/conf folder, create a file called ics.group. This is a text file in which each row lists a group name and its policy xml file.

    Example of ics.group file:

    Group1 group1.xml

    Group2 group2.xml

    Group3 defGroup.xml

    Group4 defGroup.xml

    Important notes about the ics.group file:

    • The group name must be the same as its name in SmartDashboard.
    • Several groups can register to the same xml file.
    • Each group must appear only once in the ics.group file.
    • Only groups that are listed in the ics.group file will use their specific xml files. Groups that are not listed in the ics.group file will try to use the default policy, located in the request.xml file. If the request.xml file does not exist, an error will be returned.
    • The default xml file, request.xml, cannot appear in the ics.group file.
  4. After creating the ics.group file (or after any change has been made), install policy.
  5. Run cpstop and then cpstart on the Security Gateway.
  6. Each user should be assigned the specific URL that matches his group. The URL should be in the format: https://hostIP/<groupName>_ics.html

    For example, all users belonging to "group1" will surf to the assigned URL: https://10.10.10.10/group1_ics.html.
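The rules above are easy to break when ics.group is edited by hand on the gateway, and a mistake only surfaces as a failed login for a whole group. The following shell script is an added example, not Check Point's own code or part of this guide: it reads an ics.group file and the directory holding the policy XML files, and reports malformed rows, groups listed more than once, an explicit request.xml entry, policy files that do not exist, and a missing default policy. The sample directory it builds at the end is constructed for demonstration only; on a gateway you would point it at $FWDIR/conf/ics.group and $FWDIR/conf/extender.

```shell
#!/bin/sh
# Added example, not Check Point's own code: check an ics.group file against
# the rules listed above before installing policy. Arguments are the ics.group
# file and the $FWDIR/conf/extender directory holding the policy XML files.
# Exit status 0 means the file passes every check.
check_ics_group() {
    groupfile="$1"; extdir="$2"; rc=0
    [ -f "$groupfile" ] || { echo "missing $groupfile"; return 1; }

    # Each row is "<group name> <policy xml file>" and nothing else.
    awk 'NF != 2 { print "line " NR ": expected \"<group> <file.xml>\", got: " $0; bad = 1 }
         END { exit bad }' "$groupfile" || rc=1

    # Each group must appear only once.
    dups=$(awk 'NF == 2 { print $1 }' "$groupfile" | sort | uniq -d)
    if [ -n "$dups" ]; then
        for g in $dups; do echo "group '$g' is listed more than once"; done
        rc=1
    fi

    # request.xml is the implicit default and must not be listed explicitly.
    if awk '$2 == "request.xml" { found = 1 } END { exit !found }' "$groupfile"; then
        echo "request.xml must not appear in ics.group"; rc=1
    fi

    # Every referenced policy file must exist (several groups may share one).
    for f in $(awk 'NF == 2 { print $2 }' "$groupfile" | sort -u); do
        [ -f "$extdir/$f" ] || { echo "policy file '$f' not found in $extdir"; rc=1; }
    done

    # Groups not listed fall back to request.xml; without it they get an error.
    [ -f "$extdir/request.xml" ] || echo "warning: no request.xml, so unlisted groups will be refused"
    return $rc
}

# Constructed sample layout mirroring the ics.group example above; the XML
# bodies are placeholders, not real ESOD policies.
make_sample_extender_dir() {
    d=$(mktemp -d)
    for f in group1.xml group2.xml defGroup.xml request.xml; do
        printf '<!-- placeholder for ESOD policy %s -->\n' "$f" > "$d/$f"
    done
    printf 'Group1 group1.xml\nGroup2 group2.xml\nGroup3 defGroup.xml\nGroup4 defGroup.xml\n' > "$d/ics.group"
    echo "$d"
}

# On a gateway: check_ics_group "$FWDIR/conf/ics.group" "$FWDIR/conf/extender"
SAMPLE=$(make_sample_extender_dir)
check_ics_group "$SAMPLE/ics.group" "$SAMPLE" && echo "ics.group: OK"
```

Run it before "install policy" and again after cpstop/cpstart if a group unexpectedly receives the default policy; the warning about a missing request.xml is the case the notes above describe, where unlisted groups get an error instead of a scan.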

For troubleshooting tips, see Troubleshooting.

Load Sharing Cluster Support

The SSL Network Extender provides Load Sharing Cluster Support.

To provide Load Sharing Cluster Support:

  1. Double-click the Security Gateway Cluster Object on the Network Object tab of the Objects Tree. The Security Gateway Cluster Properties window is displayed.

    Note - A Load Sharing Cluster must have been created before you can configure use of sticky decision function.

  2. Select Cluster XL. The Cluster XL tab is displayed.
  3. Click Advanced. The Advanced Load Sharing Configuration window is displayed.
  4. Select Use Sticky Decision Function. When the client connects to the cluster, all its traffic will pass through a single Security Gateway. If that member Security Gateway fails, the client will reconnect transparently to another cluster member and resume its session.
  5. Select Security Gateway Cluster Object > Remote Access > Office Mode. When defining Office Mode, for use with Load Sharing Clusters, only the Manual (using IP pool) method is supported.

Customizing the SSL Network Extender Portal

You can modify the SSL Network Extender Portal by changing skins and languages.

Configuring the Skins Option

To configure the Skins Option:

The skin directory is located under $FWDIR/conf/extender on the SSL Network Extender Security Gateways.

There are two subdirectories. They are:

Disabling a Skin
  1. Enter the specific skin subdirectory, under custom, that is to be disabled and create a file named disable. This file may be empty.
  2. If the specific skin does not exist under custom, create it and then create a file within it named disable.
  3. Install Policy. The next time that the user connects to the SSL Network Extender portal, this skin will not be available to him/her.

Example

cd $FWDIR/conf/extender/skin/custom

mkdir skin1

cd skin1

touch disable

Creating a Skin
  1. Enter the custom subdirectory.
  2. Create a folder with the desired skin name.

    Note - Verify that this name is not already used in chkp. If it is, the new skin definition will override the existing skin definition (as long as the new skin definition exists). Once you have deleted the new skin definition, the chkp skin definition will once again be used.

    Each skin folder must contain the following five style sheets:

    • help_data.css: The main OLH page uses this style sheet.
    • help.css: The inner frame on the OLH page uses this style sheet.
    • index.css: The ESOD pages, and the main SSL Network Extender portal page use this style sheet.
    • style.css: All login pages use this style sheet.
    • style_main.css: The main SSL Network Extender Connection page, Proxy Authentication page and Certificate Registration page use this style sheet.

    Note - It is recommended that you copy the aforementioned files from another chkp skin, and then modify them as desired.

  3. Install Policy after creating the new skin.

Example

Add your company logo to the main SSL Network Extender portal page.

cd $FWDIR/conf/extender/skin/custom

mkdir <skin_name>

cd <skin_name>

cp ../../chkp/skin2/* .

Place the logo image file in this directory.

Edit index.css.

Go to .company_logo and replace the existing URL reference with a reference to the new logo image file.

Save.

Install Policy.

Note - No spaces are allowed in the <skin_name>

Configuring the Languages Option

To configure the Languages Option:

The languages directory is located under $FWDIR/conf/extender on the SSL Network Extender Security Gateways.

There may be two subdirectories. They are:

Disabling a Language
  1. Enter the specific language subdirectory, under custom, that is to be disabled (if it exists) and create a file named disable. This file may be empty.
  2. If the specific language does not exist under custom, create it and then create a file within it named disable.
  3. Install Policy. The next time that the user connects to the SSL Network Extender portal, this language will not be available to him/her.

Adding a Language
  1. Enter the custom subdirectory.
  2. Create a folder with the desired language name.

    Note - Verify that this name is not already used in chkp. If it is, the new language definition will override the existing language definition (as long as the new language definition exists). Once you have deleted the new language definition, the chkp language definition will once again be used.

  3. Copy the messages.js file of an existing chkp language to this folder.
  4. Edit the messages.js file and translate the text bracketed by quotation marks.
  5. Save.
  6. Install Policy after adding the new language.

Example

cd $FWDIR/conf/extender/language

mkdir custom

cd custom

mkdir <language_name>

cd <language_name>

cp ../../chkp/english/messages.js .

Edit the messages.js file and translate the text bracketed by quotation marks.

Save.

In custom/english/messages.js, add a line as follows:

<language_name>="translation of language_name";

Install Policy.

Note - No spaces are allowed in the <language_name>

Modifying a Language
  1. Enter the custom subdirectory.
  2. Create a folder with a language name that matches the chkp language folder to be modified.
  3. Create an empty messages.js file, and insert only those messages that you want to modify, in the following format:

    <variable_name>="<desired text>";

    Note - For reference, refer to the messages.js file, located in chkp/<language>.
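The skin and language procedures above share the same mechanics: a custom/<name> folder, an optional empty disable file, a fixed set of files that must be present (the five style sheets for a skin), and a messages.js whose overrides only take effect for variables that exist in the chkp original. The shell functions below are an added example, not Check Point's own tooling or part of this guide. They assume only the $FWDIR/conf/extender/skin and $FWDIR/conf/extender/language layout and file names given on this page; the demo tree and message variable names they build when FWDIR is unset are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Check Point's own code: helpers for the skin and language
# customisation steps described above. Install policy afterwards, as each
# procedure above requires.

REQUIRED_CSS="help_data.css help.css index.css style.css style_main.css"

# Skin and language names may not contain spaces (see the notes above).
valid_name() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# disable_item skin|language <name>: create custom/<name>/disable, creating the
# folder first when it does not exist (the "Disabling a ..." steps above).
disable_item() {
    kind="$1"; name="$2"
    valid_name "$name" || { echo "invalid name '$name'"; return 1; }
    case "$kind" in
        skin|language) root="$FWDIR/conf/extender/$kind" ;;
        *) echo "kind must be skin or language"; return 1 ;;
    esac
    mkdir -p "$root/custom/$name" && : > "$root/custom/$name/disable"
}

# check_skin <name>: a custom skin must carry all five style sheets; also
# report when it shadows a chkp skin of the same name.
check_skin() {
    name="$1"; root="$FWDIR/conf/extender/skin"; dir="$root/custom/$name"; rc=0
    valid_name "$name" || { echo "invalid skin name '$name'"; return 1; }
    [ -d "$dir" ] || { echo "no custom skin '$name'"; return 1; }
    for css in $REQUIRED_CSS; do
        [ -f "$dir/$css" ] || { echo "$name: missing $css"; rc=1; }
    done
    if [ -d "$root/chkp/$name" ]; then
        echo "note: custom skin '$name' overrides the chkp skin of the same name"
    fi
    return $rc
}

# check_language_overrides <lang>: every <variable_name>="<text>"; line in
# custom/<lang>/messages.js must name a variable that exists in
# chkp/<lang>/messages.js, otherwise the override changes nothing.
check_language_overrides() {
    lang="$1"; base="$FWDIR/conf/extender/language"; rc=0
    custom="$base/custom/$lang/messages.js"; ref="$base/chkp/$lang/messages.js"
    [ -f "$custom" ] || { echo "no custom messages.js for '$lang'"; return 1; }
    [ -f "$ref" ] || { echo "no chkp language '$lang' to modify"; return 1; }
    for var in $(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*;[[:space:]]*$/\1/p' "$custom"); do
        grep -q "^[[:space:]]*$var[[:space:]]*=" "$ref" \
            || { echo "$lang: '$var' is not defined in chkp/$lang/messages.js"; rc=1; }
    done
    return $rc
}

# Constructed stand-in for a gateway's $FWDIR tree (for trying the helpers
# off-box); the message variable names are made up for the demo.
make_demo_fwdir() {
    FWDIR=$(mktemp -d)
    mkdir -p "$FWDIR/conf/extender/skin/chkp/skin2" "$FWDIR/conf/extender/language/chkp/english"
    for css in $REQUIRED_CSS; do : > "$FWDIR/conf/extender/skin/chkp/skin2/$css"; done
    printf 'welcome="Welcome";\nlogin_button="Log in";\n' > "$FWDIR/conf/extender/language/chkp/english/messages.js"
    export FWDIR
}

# Off a gateway (FWDIR unset) walk through the procedures against the demo tree.
if [ -z "${FWDIR:-}" ]; then
    make_demo_fwdir
    mkdir -p "$FWDIR/conf/extender/skin/custom/mylogo"
    cp "$FWDIR/conf/extender/skin/chkp/skin2/"*.css "$FWDIR/conf/extender/skin/custom/mylogo/"
    check_skin mylogo && echo "skin mylogo: OK"
    disable_item skin skin1 && echo "skin skin1: disabled"
    mkdir -p "$FWDIR/conf/extender/language/custom/english"
    printf 'welcome="Hello";\n' > "$FWDIR/conf/extender/language/custom/english/messages.js"
    check_language_overrides english && echo "english overrides: OK"
fi
```

On a gateway, FWDIR is already set in the environment, so sourcing the file defines the functions without touching the demo branch; call check_skin <skin_name> after copying the chkp style sheets and check_language_overrides <language> after editing a custom messages.js, then install policy.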

Installation for Users without Administrator Privileges

The SSL Network Extender usually requires Administrator privileges to install the ActiveX component. To allow users that do not have Administrator privileges to use the SSL Network Extender, the Administrator can use his/her remote corporate installation tools (such as Microsoft SMS) to publish the installation of the SSL Network Extender as an MSI package.

To prepare the SSL Network Extender MSI package:

  1. Move the extender.cab file, located in $FWDIR/conf/extender, to a Windows machine and open the file using WinZip.
  2. Extract the cpextender.msi, and use as an MSI package, for remote installation.

On Windows, Mac and Linux, it is possible to install SSL Network Extender for users that are not administrators, if the user knows the admin password. In this case, perform a regular SSL Network Extender installation and supply the administrator password when asked.

SSL Network Extender User Experience

This section describes the user experience, including downloading and connecting the SSL Network Extender client, importing a client certificate, and uninstalling on disconnect.

Configuring Microsoft Internet Explorer

Check Point SSL Network Extender uses ActiveX controls and cookies to connect to applications via the Internet. These enabling technologies require specific browser configuration to ensure that the applications are installed and work properly on your computer. The Trusted Sites Configuration approach includes the SSL Network Extender Portal as one of your Trusted Sites. This approach is highly recommended, as it does not lessen your security. Please follow the directions below to configure your browser.

Trusted Sites Configuration
  1. In Internet Explorer, select Tools > Internet Options > Security.
  2. Select Trusted sites.
  3. Click Sites.
  4. Enter the URL of the SSL Network Extender Portal and click Add.
  5. Click OK twice.

About ActiveX Controls

ActiveX controls are software modules, based on Microsoft's Component Object Model (COM) architecture. They add functionality to software applications by seamlessly incorporating pre-made modules with the basic software package.

On the Internet, ActiveX controls can be linked to Web pages and downloaded by an ActiveX-compliant browser. ActiveX controls turn Web pages into software pages that perform like any other program.

The SSL Network Extender can use ActiveX control in its applications. To use ActiveX you must download the specific ActiveX components required for each application. Once these components are loaded, you do not need to download them again unless upgrades or updates become available. If you do not want to use an ActiveX component you may work with a Java Applet.

Note - You must have Administrator rights to install or uninstall software on Windows XP Professional, as well as on the Windows 2000 operating systems.

Downloading and Connecting the Client

The following section discusses how to download and connect the SSL Network Extender.

To Download the Client:

  1. Using Internet Explorer, browse to the SSL Network Extender portal of the Security Gateway at https://<GW name or IP>. The following Security Alert message may be displayed:

    The site's security certificate has been issued by an authority that you have not designated as a trusted CA. Before you connect to this server, you must trust the CA that signed the server certificate. (The system administrator can define which CAs may be trusted by the user.) You can view the certificate in order to decide if you wish to proceed.

    Note - The administrator can direct the user to the URL, http://<mngmt IP>:18264, to install this CA certificate, thereby establishing trust, and avoiding future displays of this message.

  2. Click Yes.

    If Endpoint Security on Demand is enabled, the ESOD web page is displayed.

    If this is the first time that the user is scanned with ESOD, the user should install the ESOD ActiveX object.

    If this is the first time that ESOD is used, the following Server Confirmation window appears. The user is asked to confirm that the listed ESOD server is identical to the organization's site for remote access.

  3. Click one of the following:
    • No: an error message is displayed and the user is denied access.
    • Yes: the ESOD client continues the software scan. Moreover, if the Save this confirmation for future use check box is selected, the Server Confirmation window will not appear the next time the user attempts to login.

    Once the user has confirmed the ESOD server, an automatic software scan takes place on the client's machine. Upon completion, the scan results and directions on how to proceed are displayed as shown below.

Scan Results

ESOD not only prevents users with potentially harmful software from accessing your network, but also requires that they conform to the corporate Anti-Virus and firewall policies, as well. A user is defined as having successfully passed the ESOD scan only if he/she successfully undergoes scans for Malware, Anti-Virus, and Firewall. Each malware is displayed as a link, which, if selected, redirects you to a data sheet describing the detected malware. The data sheet includes the name and a short description of the detected malware, what it does, and the recommended removal method/s.

The options available to the user are configured by the administrator on the ESOD server. The options are:

  • Scan Again: Allows a user to rescan for malware. This option is used in order to get refreshed scan results, after manually removing an undesired software item.
  • Cancel: Prevents the user from proceeding with the portal login, and closes the current browser window.
  • Continue: Causes the ESOD for Mobile Access client to disregard the scan results and proceed with the log on process.

To continue with the download:

  1. From the Scan Results, select a different language from the list. If you change languages, while connected to the SSL Network Extender portal, you will be informed that if you continue the process you will be disconnected, and must reconnect.
  2. From the Scan Results, you can select a different skin from the Skin drop-down list. You can change skins, while connected to the SSL Network Extender portal.
  3. Click Continue.
    • If the configured authentication scheme is User Password Only, an SSL Network Extender Login window is displayed. Enter the User Name and Password and click OK.

      Note - If user authentication has been configured to be performed via a 3rd party authentication mechanism, such as SecurID or LDAP, the Administrator may require the user to change his/her PIN, or Password. In such a case, an additional Change Credentials window is displayed, before the user is allowed to access the SSL Network Extender.

    • If the configured authentication scheme is Certificate without Enrollment, the user must already have a certificate. If the user does not already have a certificate, access is denied.
    • If the configured authentication scheme is Certificate with Enrollment, and the user does not already have a certificate, the Enrollment window is displayed:

  4. Enter the Registration Key and select PKCS#12 Password.
  5. Click Ok. The PKCS#12 file is downloaded.

    At this point the user should open the file and utilize the Microsoft Certificate Import wizard as follows.

    Note - It is strongly recommended that the user set the property Do not save encrypted pages to disk on the Advanced tab of the Internet Properties of Internet Explorer. This will prevent the certificate from being cached on disk.

Importing a Client Certificate with the Microsoft Certificate Import Wizard to Internet Explorer

Importing a client certificate to Internet Explorer is acceptable for allowing access to either a home PC with broadband access, or a corporate laptop with a dial-up connection. The client certificate will be automatically used by the browser, when connecting to an SSL Network Extender Security Gateway.

To import a client certificate:

  1. Open the downloaded PKCS#12 file. The following Certificate Import Wizard opens.
  2. Click Next. The File to Import window appears:

    The P12 file name is displayed.

  3. Click Next. The Password window appears:

    It is strongly recommended that the user enable Strong Private Key Protection. The user will then be prompted for consent/credentials, as configured, each time authentication is required. Otherwise, authentication will be fully transparent for the user.

  4. Enter your password and click Next twice. If the user enabled Strong Private Key Protection, the following Importing a New Private Exchange Key window appears:
    • If you click OK, the Security Level is assigned the default value Medium, and the user will be asked to consent each time the certificate is required for authentication.
    • If you click Set Security Level, the Set Security Level window appears. Select either High or Medium and click Next.
  5. Click Finish. The Import Successful window appears.
  6. Click OK.
  7. Close and reopen your browser. You can now log in with the imported certificate.
  8. If you are connecting to the SSL Security Gateway for the first time, a VeriSign certificate message appears, requesting the user's consent to continue installation.
    • If you connect using Java Applet, a Java security message will appear. Click Yes.
    • If the system administrator configured the upgrade option, the following Upgrade Confirmation window is displayed:

      If you click OK, you must re-authenticate and a new SSL Network Extender version is installed.

    • If you click Cancel, the client connects normally. (The Upgrade Confirmation window will not be displayed again for a week.) The SSL Network Extender window appears. A Click here to upgrade link is displayed in this window, enabling the user to upgrade even at this point. If you click on the Click here to upgrade link, you must reauthenticate before the upgrade can proceed.
  9. At first connection, the user is notified that the client will be associated with a specific Security Gateway. Click Yes.

    The server certificate of the Security Gateway is authenticated. If the system Administrator has sent the user a fingerprint, it is strongly recommended that the user verify that the root CA fingerprint is identical to the fingerprint he/she received.

    The system Administrator can view and send the fingerprint of all the trusted root CAs, via the Certificate Authority Properties window in SmartDashboard.

  10. If the user is using a proxy server that requires authentication, the Proxy Authentication pop-up is displayed. The user must enter his/her proxy username and password, and click OK.
  11. If you are connected with Windows Vista, a Windows Firewall message will appear. Click Unblock.

    You may work with the client as long as the SSL Network Extender Connection window, shown below, remains open, or minimized (to the System tray).

    Once the SSL Network Extender is initially installed, a new Windows service named Check Point SSL Network Extender and a new virtual network adapter are added. This new network adapter can be seen by typing ipconfig /all at the command line.

    Note - The settings of the adapter and the service must not be changed. IP assignment, renewal and release will be done automatically.

    Note - The Check Point SSL Network Extender service is dependent on both the virtual network adapter and the DHCP client service. Therefore, the DHCP client service must not be disabled on the user's computer.

    Both the virtual network adapter and the Check Point SSL Network Extender service are removed during the product uninstall.

    There is no need to reboot the client machine after the installation, upgrade, or uninstall of the product.

  12. When you finish working, click Disconnect to terminate the session, or when the window is minimized, right-click the icon and click Disconnect. The window closes.

Uninstall on Disconnect

If the administrator has configured Uninstall on Disconnect to ask the user whether or not to uninstall, the user can configure Uninstall on Disconnect as follows.

To set Uninstall on Disconnect:

  1. Click Disconnect. The Uninstall on Disconnect window is displayed, as shown in the following figure.
  2. Click Yes to Uninstall.

    If you select Cancel, the SSL Network Extender will not be uninstalled.

    If you click Yes, the Uninstall on Disconnect window will be displayed the next time the user connects to the SSL Network Extender.

Using SSL Network Extender on Linux / Mac Operating Systems

There are two methods to access Network Applications using Linux: Java and the command line.

Java

  1. When connecting for the first time, the SSL Network Extender installation archive package is downloaded.

    This process is similar to the Windows Java installation.

  2. If the user does not have root permissions, the user is prompted to enter a root password in order to install the package. Enter the password and press Enter.

    After the installation is finished, the applet will try to connect.

    If it is the first time, the following window is displayed:

    If the system Administrator has sent the user a fingerprint, it is strongly recommended that the user verify that the server certificate fingerprint is identical to the Root CA Fingerprint seen in the window.

  3. Click Yes to confirm.
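Both the Windows procedure above and the Linux Java procedure tell the user to compare the fingerprint shown in the client window with the fingerprint the administrator sent. The following Python script is an added example, not code from the guide or from Check Point: it fetches the certificate a gateway presents and compares its digest to the administrator's string in a way that tolerates differences in case and separators. It assumes the administrator sent a hex SHA-1 or SHA-256 digest; the hostname vpn.example.com and the placeholder bytes in the usage are constructed for illustration. Python's ssl module exposes only the server certificate, not the chain, so for a root CA fingerprint export that CA certificate to a file and pass it to load_certificate_file.

```python
import hashlib
import hmac
import re
import socket
import ssl

# Digest length in hex digits -> algorithm. The guide does not say which hash the
# administrator's fingerprint uses, so SHA-1 and SHA-256 are both accepted (assumption).
_ALGORITHM_BY_LENGTH = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Keep only hex digits, upper-cased, so 'ab:cd ef' and 'ABCDEF' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprint(der_bytes, algorithm="sha1"):
    """Colon-separated upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(expected, der_bytes):
    """True if the certificate's digest equals the fingerprint the administrator sent."""
    wanted = normalize_fingerprint(expected)
    algorithm = _ALGORITHM_BY_LENGTH.get(len(wanted))
    if algorithm is None:
        raise ValueError("expected fingerprint must be 40 (SHA-1) or 64 (SHA-256) hex digits")
    actual = normalize_fingerprint(fingerprint(der_bytes, algorithm))
    # Constant-time comparison; cheap insurance even for a one-off check.
    return hmac.compare_digest(wanted, actual)


def load_certificate_file(path):
    """Read a certificate file (PEM or DER) and return its DER bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


def fetch_server_certificate(host, port=443, timeout=10):
    """Return the DER certificate the gateway presents.

    Chain validation is switched off on purpose: the fingerprint comparison is the
    check here. The hostname is still sent as SNI so the gateway serves the right cert.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_gateway(host, expected, port=443):
    """Fetch the certificate from host:port; return (matches, SHA-256 fingerprint seen)."""
    der = fetch_server_certificate(host, port)
    return fingerprint_matches(expected, der), fingerprint(der, "sha256")


if __name__ == "__main__":
    import sys
    # usage: python snx_fingerprint.py vpn.example.com <fingerprint-from-admin> [port]
    host, expected = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    ok, seen = verify_gateway(host, expected, port)
    print("MATCH" if ok else "MISMATCH - do not confirm the connection", "SHA-256:", seen)
```

Run it before clicking Yes in the client window; a mismatch means the certificate presented is not the one the administrator vouched for, and the connection should not be confirmed.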

Command Line

To download the SSL Network Extender installation archive package:

  1. In the Network Applications Settings window, click on click here in the sentence For Linux command line SSL Network Extender installation click here. The Shell archive package is downloaded to the user's home directory.

    Before running the installation script, make sure that the file has execute permissions. Use the command chmod +x snx_install.sh to add them.

  2. Download and select the SSL Network Extender manual installation.
    • Download MSI installation package for Windows
    • Download command line SSL Network Extender for Linux
    • Download command line SSL Network Extender for Macintosh
  3. Select the operating system.

    The Shell archive package is downloaded to the user's home directory.

  4. Run snx_install.sh.

    If the user does not have root permissions, the user is prompted to enter a root password in order to install the package. Enter the password and press Enter.

    To disconnect after installation, run snx -d.

SSL Network Extender Command Attributes

  Attribute                    Description
  ---------------------------  ------------------------------------------------------------------
  snx -f <configuration file>  Run SSL Network Extender using parameters defined in a configuration file other than the default name or location.
  snx -d                       Disconnect from Mobile Access.
  snx -s <server>              Specify the server IP address or hostname.
  snx -u <username>            Specify a valid user.
  snx -c <certificate file>    Specify which certificate is used to authenticate.
  snx -l <CA directory>        Define the directory where CA certificates are stored.
  snx -p <port>                Change the HTTPS port (the default port is TCP 443).
  snx -g                       Enable debugging. The snx.elg log file is created.
  snx -e <cipher>              Force a specific encryption algorithm. Valid values: RC4 and 3DES.

Configuration File Attributes

It is possible to predefine SSL Network Extender attributes by using a configuration file (.snxrc) located in the user's home directory. When the snx command is executed, the attributes stored in the file are used by the command. To run with a file of a different name, execute the command snx -f <filename>.

  Attribute    Description
  -----------  ------------------------------------------------------------------------------
  server       Specify the server IP address or hostname.
  sslport      Change the HTTPS port (the default port is TCP 443).
  username     Specify a valid user.
  certificate  Specify which certificate is used to authenticate.
  calist       Define the directory where CA certificates are stored.
  reauth       Enable reauthentication. Valid values: yes, no.
  debug        Enable debugging. The snx.elg log file is created. Valid values: yes, no. To activate debugging when running Java, create a .snxrc file with the line debug yes in the home directory.
  cipher       Force a specific encryption algorithm. Valid values: RC4 and 3DES.
  proxy_name   Define a proxy hostname.
  proxy_port   Define a proxy port.
  proxy_user   Define a proxy user.
  proxy_pass   Define a password for proxy authentication.

Note - Proxy information can only be configured in the configuration file and not directly from the command line.
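Because .snxrc lives in the home directory and can hold proxy_pass in cleartext, it is worth validating before first use. The following Python checker is an added example, not code from the guide or from Check Point. It parses the '<attribute> <value>' line format the table documents, checks the values against the valid ranges listed there, flags the RC4 choice, and writes the file with owner-only permissions. The '#' comment syntax, the sample values (vpn.example.com, alice, s3cret) and the function names are assumptions made for this example.

```python
import os
import stat
import tempfile

# Attributes and valid values taken from the Configuration File Attributes table.
KNOWN_ATTRIBUTES = {
    "server", "sslport", "username", "certificate", "calist", "reauth",
    "debug", "cipher", "proxy_name", "proxy_port", "proxy_user", "proxy_pass",
}
YES_NO = {"yes", "no"}
CIPHERS = {"RC4", "3DES"}

# Constructed sample .snxrc, not from a real deployment. Treating '#' lines as
# comments is an assumption; the guide documents only '<attribute> <value>' lines.
SAMPLE_SNXRC = """\
# constructed example
server vpn.example.com
sslport 443
username alice
reauth yes
debug no
cipher RC4
proxy_name proxy.example.com
proxy_port 8080
proxy_user alice
proxy_pass s3cret
"""


def parse_snxrc(text):
    """Parse '<attribute> <value>' lines into a dict; later lines override earlier ones."""
    attrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<attribute> <value>', got {raw!r}")
        attrs[parts[0]] = parts[1].strip()
    return attrs


def _valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def check_snxrc(attrs):
    """Return a list of findings; an empty list means the attributes look sane."""
    findings = []
    for key in attrs:
        if key not in KNOWN_ATTRIBUTES:
            findings.append(f"unknown attribute '{key}'")
    for key in ("reauth", "debug"):
        if key in attrs and attrs[key] not in YES_NO:
            findings.append(f"{key} must be yes or no, got '{attrs[key]}'")
    cipher = attrs.get("cipher")
    if cipher is not None:
        if cipher not in CIPHERS:
            findings.append(f"cipher must be RC4 or 3DES, got '{cipher}'")
        elif cipher == "RC4":
            findings.append("cipher RC4 is forced; RC4 is prohibited in TLS (RFC 7465)")
    for key in ("sslport", "proxy_port"):
        if key in attrs and not _valid_port(attrs[key]):
            findings.append(f"{key} must be a TCP port 1-65535, got '{attrs[key]}'")
    if "proxy_pass" in attrs:
        if "proxy_user" not in attrs:
            findings.append("proxy_pass set without proxy_user")
        findings.append("proxy_pass is stored in cleartext; keep the file readable by the owner only")
    if "proxy_name" in attrs and "proxy_port" not in attrs:
        findings.append("proxy_name set without proxy_port")
    return findings


def check_permissions(path):
    """Return a finding if group or others can access the file, else None (POSIX modes)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return f"{path} has mode {oct(mode)}; expected 0o600 because it may hold proxy_pass"
    return None


def write_snxrc(path, attrs):
    """Write the attributes, creating the file owner read/write only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for key, value in attrs.items():
            fh.write(f"{key} {value}\n")


def write_and_check(attrs):
    """Write to a temporary .snxrc and return (re-parsed attrs, permission finding)."""
    path = os.path.join(tempfile.mkdtemp(), ".snxrc")
    write_snxrc(path, attrs)
    with open(path) as fh:
        reparsed = parse_snxrc(fh.read())
    return reparsed, check_permissions(path)


if __name__ == "__main__":
    attrs = parse_snxrc(SAMPLE_SNXRC)
    for finding in check_snxrc(attrs):
        print("finding:", finding)
    reparsed, perm = write_and_check(attrs)
    print("permissions:", perm or "ok", "| attributes written:", len(reparsed))
```

Running the sample produces two findings: the forced RC4 cipher and the cleartext proxy password. Pointing the checker at a real ~/.snxrc before the first snx run catches a mistyped attribute that snx would otherwise silently ignore.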

Removing an Imported Certificate

If you imported a certificate to the browser, it will remain in storage until you manually remove it. It is strongly recommended that you remove the certificate from a browser that is not yours.

To remove the imported certificate:

  1. In the Internet Options window of your browser, access the Content tab.
  2. Click Certificates.

    The Certificates window is displayed:

  3. Select the certificate to be removed, and click Remove.

Troubleshooting SSL Network Extender

The following sections contain tips on how to resolve issues that you may encounter when using SSL Network Extender.

SSL Network Extender Issues

Packets that the user sends directly to the external interface of the SSL Network Extender Security Gateway are not encrypted by the SSL Network Extender.

If you need to reach the gateway itself through the SSL tunnel, connect to its internal interface, which is part of the encryption domain.

  1. The SSL Network Extender gateway allows users to authenticate themselves via certificates. Therefore, when connecting to the SSL Network Extender gateway, the following message may appear: "The Web site you want to view requests identification. Select the certificate to use when connecting."

    To prevent this message from being displayed to users, two solutions are proposed:

    • On the client computer, open Internet Explorer. Under Tools > Options > Security tab, select Local intranet > Sites. You can now add the SSL Network Extender gateway to the Local intranet zone, where the Client Authentication pop-up will not appear. Click Advanced, and add the gateway external IP address or DNS name to the existing list.
    • On the client computer, open Internet Explorer. Under Tools > Options > Security tab, select Internet Zone > Custom Level. In the Miscellaneous section, select Enable for the item Don't prompt for client certificate selection when no certificates or only one certificate exists. Click OK. Click Yes on the Confirmation window. Click OK again.

    Note - The second solution changes the behavior of Internet Explorer for all Internet sites, so if better granularity is required, use the first solution.

  2. If the client computer has Endpoint Security VPN software installed, is configured to work in 'transparent mode', and its encryption domain contains the SSL Network Extender gateway or otherwise overlaps with the SSL Network Extender encryption domain, the SSL Network Extender will not function properly.

    To resolve this, disable the overlapping site in Endpoint Security VPN.

  3. If the client computer has Endpoint Security VPN software installed, is configured to work in 'connect mode', and its encryption domain contains the SSL Network Extender gateway or otherwise overlaps with the SSL Network Extender encryption domain, the SSL Network Extender will not function properly.

    To resolve this, verify that the flag allow_clear_traffic_while_disconnected is True (which is the default value).

ESOD Issues

  1. User did not pass the scan (a 'Continue' button is not displayed).

    The user probably did not match the policy requirements.

    • If the ESOD per User Group feature is used, verify that the user is using the correct policy.
    • Based on the policy, explain to the user how to remove the elements that are blocking him.
  2. User cannot access the given URL for his specific group.
    • Make sure that the group listed in the URL is listed in the ics.group file, with the correct XML file.
    • Make sure that the XML file assigned to the group exists in $FWDIR/conf/extender.
    • Make sure that the policy has been installed since the ics.group file was changed.
  3. User has passed the ESOD scan, but gets a "Wrong ESOD Scan" error when trying to connect.

    This means that the user passed the scan intended for a group to which he does not belong.

    • Verify that the user is using the correct URL.
    • Look at the SmartView Tracker. The log states which XML file the user used for the scan.
    • Make sure that this file is the same as the user's group file. If not, direct the user to the correct URL.