Server Certificates

For secure SSL communication, Security Gateways must establish trust with endpoint computers by showing a Server Certificate. This section discusses the procedures necessary to generate and install server certificates.

Check Point Security Gateways, by default, use a certificate created by the Internal Certificate Authority on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. as their server certificate. Browsers do not trust this certificate. When an endpoint computer tries to connect to the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with the default certificate, certificate warning messages open in the browser. To prevent these warnings, the administrator must install a server certificate signed by a trusted certificate authority.

All portals on the same Security Gateway IP address use the same certificate.

Obtaining and Installing a Trusted Server Certificate

To be accepted by an endpoint computer without a warning, Security Gateways must have a server certificate signed by a known certificate authority (such as Entrust, VeriSign or Thawte). This certificate canbe issued directly to the Security Gateway, or be a chained certificate that has a certification path to a trusted root certificate authority (CA).

The next sections describe how to get a certificate for a Security Gateway that is signed by a known Certificate Authority (CA).

Generating the Certificate Signing Request

First, generate a Certificate Signing Request (CSR). The CSR is for a server certificate, because the Security Gateway acts as a server to the clients.

Note - This procedure creates private key files. If private key files with the same names already exist on the computer, they are overwritten without warning.

1. From the Security Gateway command line, log in to the Expert mode.

2. Run:

   cpopenssl req -new -out <CSR file> -keyout <private key file> -config $CPDIR/conf/openssl.cnf

   This command generates a private key. You see this output:

   Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to 'server1.key'
Enter PEM pass phrase:

3. Enter a password and confirm.

   Fill in the data.

   • The Common Name field is mandatory. This field must have the Fully Qualified Domain Name (FQDN). This is the site that users access. For example: portal.example.com.

   • All other fields are optional.

4. Send the CSR file to a trusted certificate authority. Make sure to request a Signed Certificate in PEM format. Keep the .key private key file.

Generating the P12 File

After you get the Signed Certificate for the Security Gateway from the CA, generate a P12 file that has the Signed Certificate and the private key.

1. Get the Signed Certificate for the Security Gateway from the CA.

   If the signed certificate is in P12 or P7B format, convert these files to a PEM (Base64 encoded) formatted file with a CRT extension.

2. Make sure that the CRT file has the full certificate chain up to a trusted root CA.

   Usually you get the certificate chain from the signing CA. Sometimes it split into separate files. If the signed certificate and the trust chain are in separate files, use a text editor to combine them into one file. Make sure the server certificate is at the top of the CRT file.

3. From the Security Gateway command line, log in to the Expert mode.

4. Use the *.crt file to install the certificate with the *.key file that you generated.

   1. Run:

      cpopenssl pkcs12 -export -out <output file> -in <signed cert chain file> -inkey <private key file>

      For example:

      cpopenssl pkcs12 -export -out server1.p12 -in server1.crt -inkey server1.key

   2. Enter the certificate password when prompted.

Generating Wildcard Certificates for Hostname Translation

If you use Hostname Translation, you need a wildcard certificate. This lets clients access Web applications on sub-domains behind the Security Gateway. If Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. uses a fixed domain certificate, client browsers issue certificate warnings when users try to access Web applications in a sub-domain behind the Mobile Access Security Gateway. This is because each Web application URL is translated to a different Mobile Access hostname.

Before you begin, make sure the Hostname Translation support is configured in the Mobile Access Applications and in the Mobile Access Applications.

To prepare a request a 3rd-Party wildcard server certificate:

1. In Subject DN, start with CN=FQDN.

   For example: CN=sslvpn.example.com

2. In Alternate Name, enter two DNS names: the FQDN and the wildcard.

   For example:

   sslvpn.example.com, *.sslvpn.example.com

To configure wildcard certificate generation:

1. Backup and edit the configuration file of the csr_gen script:

   • R75.20 and higher - $CPDIR/conf/openssl.cnf

   • R66.x, R71.x, R75, R75.10 - $CVPNDIR/conf/openssl.cnf

2. In the [ req ] section, uncomment the line:

   req_extensions = v3_req

3. In the [ v3_req ] section, add this line:

   subjectAltName=DNS:FQDN,DNS:*.ParentDomain

   For example: subjectAltName=DNS:sslvpn.example.com,DNS:*.sslvpn.example.com

4. Save openssl.cnf.

5. Run csr_gen and create the CSR.

   To make sure the CSR was generated properly, run:

   • R75.x - cpopenssl req -in requestFile.csr -text

   • earlier versions - openssl req -in requestFile.csr -text

6. When asked for the CommonName (CN), enter the FQDN. For example: sslvpn.example.com

7. Restore the openssl.cnf file from the backup.

Installing the Signed Certificate

To install the certificate:

1. Log in to SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

2. From the left Navigation Toolbar, click Gateways & Servers.

3. Open the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Security Gateway object.

4. In the navigation tree, click the appropriate Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. page:

   • Mobile Access > Portal Settings

   • Platform Portal

   • Data Loss Prevention

   • Identity Awareness > Captive Portal > Settings > Access Settings

   In the Certificate section, click Import or Replace.

5. Install the Access Control Policy on the Security Gateway.

   Note - The Repository of Certificates on the IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. page of the Security Gateway object is only for self-signed certificates. It does not affect the certificate installed manually using this procedure.

Viewing the Certificate

To see the new certificate from a Web browser:

The Security Gateway uses the certificate when you connect with a browser to the portal. To see the certificate when you connect to the portal, click the lock icon that is next to the address bar in most browsers.

The certificate that users see depends on the actual IP address that they use to access the portal - not only the IP address configured for the portal in SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings..

To see the new certificate from SmartConsole:

From a page that contains the portal settings for that blade/feature, click View in the Certificate section.

Web Data Compression

Mobile Access can be configured to compress Web content. This can produce a much faster website for users. It also reduces bandwidth needs, and therefore, costs.

Most compression algorithms, when applied to a plain-text file, can reduce its size by 70% or more, depending on the content in the file.

Be aware that compression does increase the CPU usage of Mobile Access, which in itself does have some performance implications.

Most browsers can accept compressed data, uncompress it and display it.

If configured to compress data, Mobile Access compresses the data received from Web servers (the http or https response). If the Web browser at the endpoint compresses the http or https request, Mobile Access uncompresses it and sends it on to the server. This is illustrated in the figure below.

Mobile Access supports the gzip, deflate, and compress compression methods.

It is possible to specify the mime types that will be compressed.

Item	Description
1	Web Browser
2	Compressed Request
3	Mobile Access enabled Security Gateway
4	Uncompressed request (e.g., gunzip)
5	Web Server
6	Response
7	Compressed Response (e.g., gzip)

Configuring Data Compression

Web data compression is configured per Security Gateway in Database Tool (GuiDBEdit Tool) (see sk13009).

To configure data compression by Mobile Access:

1. Close all SmartConsole windows connected to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

2. Connect with Database Tool (GuiDBEdit Tool) to the Management Server.

3. In the top left pane, go to Network Objects > network_objects.

4. In the top right pane click Security Gateway / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object.

5. In the bottom pane, search for web_compression under connectra_settings and fill in the following parameters:

   • enable_web_compression - Enter true to enable data compression and false to disable it.

   • compression_level - Enter a value between 1 and 9. The higher the number, the more CPU is used. The default is 5.

   • compress_specific_mime - Enter true if you want to compress specific mime types and false if you do not.

   • mime_types - If you typed true for compress_specific_mime, enter the mime type, for example, text/html.

6. Save the changes in Database Tool (GuiDBEdit Tool) (File menu > Save All) and close it.

7. Connect with SmartConsole to the Management Server.

8. Install policy on the Security Gateway / Cluster object.

Using Mobile Access Clusters

A remote access enabled Security Gateway is a business critical device for an organization. A failure of a Security Gateway results in immediate loss of remote access traffic in and out of the organization. Many of these sessions may be mission critical, and losing them will result in loss of critical data.

Using ClusterXL, you can set up a Load Sharing or High Availability clustering solution that distributes network traffic among Mobile Access cluster members.

A cluster of Mobile Access Security Gateways provides:

• Transparent failover in case of cluster member Security Gateway that is part of a cluster. failure.

• Zero downtime for mission-critical environments.

• Enhanced throughput (in Load Sharing modes).

All cluster members are aware of the sessions tracked through each of the other cluster members. The cluster members synchronize their sessions and status information across a secure synchronization network.

The Sticky Decision Function

If you are using SSL Network Extender, you must enable the Sticky Decision Function.

A connection is sticky when all of its packets are handled, in either direction, by a single cluster member.

The Sticky Decision Function distributes sessions from client IP addresses between the cluster members, and ensures that connections from a given IP always pass through the same member.

How Mobile Access Applications Behave on Failover

The table below summarizes the end-user experience upon failover for each Mobile Access application.

Application	Survives failover?	User experience upon failover
Web browsing through the user portal Domino Web Access Outlook Web Access File Shares	Yes	User is unaware of failover. If the failover happens while a user is clicking a link or waiting for a server response, user may be disconnected and may need to refresh the page.
Web Mail	No	If failover occurs while a user is clicking a link or waiting for a server response, user sees an error page. By clicking the link "Go to the login page" the user returns to the Inbox, and the original session is lost.
Citrix	No	User is disconnected, and the Citrix session is lost. User must actively re-establish a connection.
Endpoint Compliance Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. Scan	Yes	Re-scan may be required if user logs out of the portal, or needs to log in again.
Secure Workspace	Yes	User is unaware of failover. However, if the failover happens while a user is clicking a link or waiting for a server response, user may be disconnected and may need to refresh the page.
Multi challenge login	No	If user is in the middle of a multi-challenge login he/she is redirected to the initial login page.
SSL Network Extender Network Mode	Yes	The user may notice the connection stalling for a few seconds, as if there was a temporary network disconnection.
SSL Network Extender Application Mode	No	SSL Network Extender remains open and in a connected state. However, connections of applications using the VPN tunnel are lost. Some applications (such as Outlook) try to reopen lost connections, while others (Telnet for example) are closed (or exit).
SSL Network Extender - Downloaded-to-Mobile Access applications	Mode dependent	Network Mode - Survives failover. Application Mode - Does not survive failover.