Basic Configuration of SSL Network Extender for Remote Access VPN
Configuring the Security Gateway for SSL Network Extender
- In SmartConsole, in the top right panel Objects, click VPN Communities.
- Right-click the RemoteAccess object and click New.
- Configure the required settings:
  - Object name.
  - Participating Security Gateways.
  - Participant User Groups.
- Click OK.

See the Site to Site VPN Administration Guide for your version.
- From the left navigation panel, click Gateways & Servers.
- Double-click the Security Gateway object.
- From the navigation tree, click General Properties.
- From the navigation tree, click IPsec VPN.
- To add the Security Gateway to a Remote Access community:
  - Click Add.
  - Select the community.
  - Click OK.
- From the navigation tree, expand Network Management and click VPN Domain.
- Configure the applicable VPN Domain.
- Configure the settings for Visitor Mode (see the Remote Access VPN Administration Guide for your version > "Configuring Remote Access Connectivity" chapter > "Configuring Windows Proxy Replacement" section > "Proxy Replacement for the Security Gateway" heading).
- From the navigation tree, expand VPN Clients and click Office Mode.
- Configure the settings for Office Mode (see the Remote Access VPN Administration Guide for your version > "Office Mode" chapter > "IP Pool Configuration" heading).
  Note - Office Mode support is mandatory on the Security Gateway / Cluster.
- Click OK.
Important - If the Mobile Access Software Blade is enabled on a Security Gateway, then SSL Network Extender works through Mobile Access and not through IPsec VPN. In this case, you must configure the SSL Network Extender settings in the Mobile Access Software Blade. If you already had SSL Network Extender settings configured in the IPsec VPN Software Blade and then enabled the Mobile Access Software Blade, you must configure the SSL Network Extender settings for the Mobile Access Software Blade.
See the Mobile Access Administration Guide for your version.
- From the left navigation panel, click Gateways & Servers.
- Double-click the Security Gateway object.
- From the navigation tree, click General Properties.
- Select the Mobile Access Software Blade.
- In the Mobile Access Configuration wizard:
  - On the Mobile Access page, you must select Web (you can select other applicable options). Click Next.
  - On the Web Portal page, configure the applicable Main URL and Portal Certificate. Click Next.
  - On the Applications page, configure the applicable options. Click Next.
  - On the Active Directory Integration page, configure the applicable settings. Click Next.
  - On the Authorized Users page, configure the applicable settings. Click Next.
  - On the Applications page, configure the applicable settings. Click Next.
  - Click Finish.
- From the navigation tree, click Mobile Access. In the Allowed Clients section, make sure Web is selected.
- From the navigation tree, click VPN Clients:
  - Make sure Other is selected and SSL Network Extender (SNX) is selected.
  - From The gateway authenticates with this certificate, select the certificate that is used to authenticate to all SSL clients.
- Click OK.
- From the top left, click Global properties.
- From the left, expand Remote Access and click SSL Network Extender.
- In the User Authentication section, from the User authentication method, select the applicable method:
  - Certificate - The system authenticates the user only with a certificate.
  - Certificate with enrollment - The system authenticates the user only with a certificate. Enrollment is allowed. If the users do not have a certificate, they can enroll using a registration key that they previously received from the administrator. For more information about creating a user certificate for enrollment, see Management of Internal Certificate Authority (ICA) Certificates.
  - Legacy - The system authenticates the user with the Username and Password. This is the default setting.
  - Mixed - The system tries to authenticate the user with the certificate. If the user does not have a valid certificate, the system tries to authenticate the user with the Username and Password.
- Click OK.
- From the top, click Install Policy.
- Select the applicable Security Policy.
- Select Access Control.
- Select the Security Gateway / Cluster object.
- Click Install.
Downloading and Connecting the SNX Client
- Using Internet Explorer, browse to the SSL Network Extender portal of the Security Gateway at:
  https://<IP Address or HostName of Security Gateway>
  This Security Alert message may appear:
  The site's security certificate has been issued by an authority that you have not designated as a trusted CA. Before you connect to this server, you must trust the CA that signed the server certificate. (The system administrator can define which CAs may be trusted by the user.) You can view the certificate in order to decide if you wish to proceed.
  Note - The administrator can direct the user to the URL below to install this CA certificate, thereby establishing trust, and to avoid this message in the future:
  http://<IP Address of Management Server>:18264
- Click Yes.
  If Endpoint Security on Demand is enabled, the ESOD web page opens.
  If this is the first time that the user is scanned with ESOD, the user should install the ESOD ActiveX object.
  If this is the first time that ESOD is used, the Server Confirmation window appears. The user must confirm that the listed ESOD server is identical to the organization's site for remote access.
- Click one of these:
  - No - An error message appears and the user is denied access.
  - Yes - The ESOD client continues the software scan. Moreover, if Save this confirmation for future use is selected, the Server Confirmation window does not appear the next time the user attempts to log in.
  After the user confirms the ESOD server, an automatic software scan takes place on the client's machine.
  When the scan completes, the scan results and directions on how to proceed appear.
ESOD not only prevents users with potentially harmful software from accessing your network, but also requires that they conform to the corporate Anti-Virus and firewall policies as well. A user is defined as having successfully passed the ESOD scan only if he/she successfully undergoes scans for Malware, Anti-Virus, and Firewall. Each detected malware item appears as a link which, if selected, redirects you to a data sheet describing the detected malware. The data sheet includes the name and a short description of the detected malware, what it does, and the recommended removal method(s).
The options available to the user are configured by the administrator on the ESOD server:

| Scan Option | Description |
|---|---|
| Scan Again | Allows a user to rescan for malware. This option is used to get refreshed scan results after manually removing an inapplicable software item. |
| Cancel | Prevents the user from proceeding with the portal login, and closes the current browser window. |
| Continue | Causes the ESOD for Mobile Access client to disregard the scan results and proceed with the log on process. |
To continue with the download:
- From the Scan Results, you can select a different language from the list.
  If you change languages while connected to the SSL Network Extender portal, the portal informs you that if you continue the process it disconnects you, and you must connect again.
- From the Scan Results, you can select a different skin from the Skin drop-down list. You can change skins while connected to the SSL Network Extender portal.
- Click Continue.
- If the configured authentication scheme is User Password Only, an SSL Network Extender Login window appears. Enter the User Name and Password and click OK.
  Note - If user authentication has been configured to be performed via a 3rd party authentication mechanism, such as SecurID or LDAP, the Administrator may require the user to change his/her PIN or Password. In such a case, an additional Change Credentials window appears before the user is allowed to access the SSL Network Extender.
- If the configured authentication scheme is Certificate without Enrollment, the user must already have a certificate. If the user does not already have a certificate, access is denied.
- If the configured authentication scheme is Certificate with Enrollment, and the user does not already have a certificate, the Enrollment window appears.
  - Enter the Registration Key and select a PKCS#12 Password.
  - Click OK.
  The PKCS#12 file is downloaded.
At this point the user should open the file and use the Microsoft Certificate Import wizard as follows.
Best Practice - We strongly recommend that the user set the property Do not save encrypted pages to disk on the Advanced tab of the Internet Properties of Internet Explorer. This prevents the certificate from being cached on disk.
Importing a Client Certificate with the Microsoft Certificate Import Wizard to Internet Explorer:
The web browser automatically uses the client certificate when SSL Network Extender connects to a Security Gateway.
To import a client certificate:
- Open the downloaded PKCS#12 file.
  The Certificate Import Wizard opens.
- Click Next.
  The File to Import window opens. The P12 file name appears.
- Click Next.
  The Password window appears.
  We strongly recommend that you enable Strong Private Key Protection. The user is then prompted for consent/credentials, as configured, each time authentication is required. Otherwise, authentication is fully transparent for the user.
- Enter your password and click Next twice.
  If the user enabled Strong Private Key Protection, the Importing a New Private Exchange Key window appears:
  - If you click OK, the Security Level is assigned the default value Medium, and the user is asked to consent each time the certificate is required for authentication.
  - If you click Set Security Level, the Set Security Level window appears. Select either High or Medium, and click Next.
- Click Finish.
  The Import Successful window appears.
- Click OK.
- Close and reopen your browser.
  You can now use the imported certificate to log in.
- If you are connecting to the SSL Security Gateway for the first time, a VeriSign certificate message appears, requesting the user's consent to continue installation.
- If you connect using the Java Applet, a Java security message appears. Click Yes.
- If the system administrator configured the upgrade option, the Upgrade Confirmation window appears:
  - If you click OK, you must re-authenticate and a new SSL Network Extender version is installed.
  - If you click Cancel, the client connects normally. (The Upgrade Confirmation window does not appear again for a week.)
  The SSL Network Extender window appears. A Click here to upgrade link appears in this window, enabling the user to upgrade even at this point. If you click the Click here to upgrade link, you must authenticate again before the upgrade can proceed.
- At first connection, the user is notified that the client is associated with a specific Security Gateway. Click Yes.
  The server certificate of the Security Gateway is authenticated.
  If the system Administrator has sent the user a fingerprint, it is strongly recommended that the user verify that the root CA fingerprint is identical to the fingerprint sent to the user.
  The system Administrator can view and send the fingerprint of all the trusted root CAs in the Certificate Authority Properties window in SmartConsole.
- If the user is using a proxy server that requires authentication, the Proxy Authentication pop-up appears. The user must enter his/her proxy username and password, and click OK.
- If you connect on Windows OS, a Windows Firewall message may appear. Click Unblock.
  You may work with the client as long as the SSL Network Extender Connection window remains open or minimized (to the system tray).
  Once the SSL Network Extender is initially installed, a new Windows service named Check Point SSL Network Extender and a new virtual network adapter are added.
  Notes:
  - The settings of the adapter and the service must not be changed. IP assignment, renewal and release are done automatically.
  - The Check Point SSL Network Extender service depends on both the virtual network adapter and the DHCP client service. Therefore, the DHCP client service must not be disabled on the user's computer.
  - Both the virtual network adapter and the Check Point SSL Network Extender service are removed during the product uninstall.
  - There is no need to reboot the client machine after the installation, upgrade, or uninstall of the product.
- When you finish working, click Disconnect to terminate the session, or when the window is minimized, right-click the icon and click Disconnect. The window closes.
To remove an imported certificate:
If you imported a certificate to the browser, it remains in storage until you manually remove it.
We strongly recommend that you remove the certificate from a browser that is not yours.
Follow the instructions from the vendor of your web browser.
SNX is available for Linux and macOS endpoint computers only as a CLI application. For more information, see Using SSL Network Extender on Linux / macOS Operating Systems.
Prerequisites
- The endpoint computer must meet necessary prerequisites. For more information, see SSL Network Extender (SNX) Versions and Requirements.
- The endpoint computer must be able to connect directly to the Security Gateway that has SNX enabled.
- The user of the endpoint computer must have "execute" permissions on the Shell archive downloaded to the user's home directory.
- The user of the endpoint computer must have administrator permissions or the root password.
  For a workaround to download and connect SNX without administrator permissions or the root password for the endpoint computer, see Installation for Users without Administrator Privileges.
To download and connect the SNX client for Linux or macOS:
- On the endpoint computer, in a web browser, go to the IP address or the FQDN of the Security Gateway.
  The SSL Network Extender homepage opens.
- From the right menu, expand Download SSL Network Extender manual installation.
- Select the appropriate option:
  - Download command line SNX for Linux.
  - Download command line SNX for Macintosh.
  The endpoint computer downloads the Shell archive package from the Security Gateway and saves it in the user's home directory.
- Make sure that the user has "execute" permissions on the Shell archive package downloaded to the user's home directory. To add the "execute" permissions, run:
  chmod +x snx_install.sh
- Run the installation script from the user's home directory:
  ./snx_install.sh
  If the user does not have administrator permissions, the endpoint computer asks the user to enter the root password. In this case, enter the root password and then press the Enter key.
To disconnect after installation, run:
Server_1:/ snx -d
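As an added example that is not part of this page or of Check Point's SNX package, the POSIX shell wrapper below runs the Linux/macOS steps above with the checks a practitioner would want: it confirms the execute bit before running the installer, validates the gateway name and user before they reach the command line, and ends the session with the same snx -d shown above. It assumes the portal saved the installer as ~/snx_install.sh and that the snx CLI accepts -s <gateway> -u <user> to connect.

```shell
#!/bin/sh
# Added example, not Check Point's own code. Assumptions: the installer is
# ~/snx_install.sh, and the snx CLI takes -s <gateway> -u <user> to connect
# and -d to disconnect (the -d form is the one the procedure shows).

# Make sure the downloaded installer exists and is executable, adding the
# bit with chmod +x if it is missing. Returns 0 on success.
ensure_executable() {
    f="$1"
    [ -f "$f" ] || { echo "installer not found: $f" >&2; return 1; }
    [ -x "$f" ] || chmod +x "$f"
    [ -x "$f" ]
}

# Validate the gateway name and user before they reach the command line and
# print the exact connect command. Only hostname/IPv4 characters are accepted
# for the gateway, so a stray shell metacharacter cannot alter the command.
snx_connect_cmd() {
    gw="$1"; user="$2"
    case "$gw" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid gateway: $gw" >&2; return 1 ;;
    esac
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) echo "invalid user: $user" >&2; return 1 ;;
    esac
    printf 'snx -s %s -u %s\n' "$gw" "$user"
}

# Full flow: install (the installer itself asks for the root password when
# the user is not an administrator, as the procedure says), then connect.
# The gateway must be the same host the installer was downloaded from.
snx_install_and_connect() {
    gw="$1"; user="$2"; installer="${3:-$HOME/snx_install.sh}"
    ensure_executable "$installer" || return 1
    snx_connect_cmd "$gw" "$user" >/dev/null || return 1
    "$installer" || { echo "installation failed" >&2; return 1; }
    snx -s "$gw" -u "$user"          # prompts for the user's password
}

# End the active session, matching the 'snx -d' step above.
snx_disconnect() {
    snx -d
}
```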