Troubleshooting SSL Network Extender
Below are tips on how to resolve issues that you may encounter when using SNX.
For more information, see:
- sk103572 - How to debug SSL Network Extender Client on Windows machines for Network Mode
- sk33833 - How to debug SSL Network Extender Client on Linux and macOS machines

- Packets that a user sends directly to the external SSL Network Extender Security Gateway are not encrypted by the SSL Network Extender.
  If there is a need to explicitly connect to the Security Gateway through the SSL tunnel, connect to the internal interface, which is part of the encryption domain.
- The SSL Network Extender Security Gateway allows users to authenticate themselves via certificates. Therefore, when connecting to the SSL Network Extender Security Gateway, this message may appear: "The Web site you want to view requests identification. Select the certificate to use when connecting."
  To not show this message to the users, two solutions are proposed:
  - On the client computer, open Internet Explorer.
    Under Tools > Options > Security tab, select Local intranet > Sites.
    You can now add the SSL Network Extender Security Gateway to the Local intranet zone, where the Client Authentication pop-up does not appear.
    Click Advanced, and add the Security Gateway external IP or DNS name to the existing list.
  - On the client computer, open Internet Explorer.
    Under Tools > Options > Security tab, select Internet Zone > Custom Level. In the Miscellaneous section, select Enable for the item "Don't prompt for client certificate selection when no certificates or only one certificate exists". Click OK. Click Yes in the confirmation window. Click OK again.
    Note - This solution changes the behavior of Internet Explorer for all Internet sites, so if better granularity is required, refer to the previous solution.
- If the client computer has Endpoint Security VPN software installed, and is configured to work in 'transparent mode', and its encryption domain contains SSL Network Extender Security Gateway, or otherwise overlaps with the SSL Network Extender encryption domain, the SSL Network Extender does not function properly.
  To resolve this, disable the overlapping site in Endpoint Security VPN.
- If the client computer has Endpoint Security VPN software installed, and is configured to work in 'connect mode', and its encryption domain contains SSL Network Extender Security Gateway, or otherwise overlaps with the SSL Network Extender encryption domain, the SSL Network Extender does not function properly.
  To resolve this, make sure the value of the parameter "allow_clear_traffic_while_disconnected" is True (which is the default value).
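
Both Endpoint Security VPN cases above (transparent mode and connect mode) depend on the same condition: the client site's encryption domain contains the SSL Network Extender Security Gateway or overlaps the SSL Network Extender encryption domain. The following is an added example, not Check Point code, that tests that condition; it assumes the two encryption domains have been copied by hand into lists of CIDR blocks or first-last ranges, and the function names and all addresses are constructed for illustration.

```python
import ipaddress


def parse_domain(entries):
    """Convert 'a.b.c.d/nn', single addresses or 'first-last' ranges to networks."""
    nets = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in entry.split("-", 1))
            # A range may need several CIDR blocks to be covered exactly.
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets


def find_conflicts(site_domain, snx_domain, snx_gateway):
    """List why an Endpoint Security VPN site would conflict with SNX.

    'contains_gateway': the site's encryption domain contains the SNX gateway.
    'overlaps_domain':  the site's encryption domain overlaps the SNX one.
    """
    site = parse_domain(site_domain)
    snx = parse_domain(snx_domain)
    gw = ipaddress.ip_address(snx_gateway)
    conflicts = []
    for net in site:
        if gw.version == net.version and gw in net:
            conflicts.append(("contains_gateway", str(net), str(gw)))
        for other in snx:
            if net.version == other.version and net.overlaps(other):
                conflicts.append(("overlaps_domain", str(net), str(other)))
    return conflicts


if __name__ == "__main__":
    # Constructed sample data (documentation and private address space).
    site = ["192.0.2.0/24", "10.20.0.0-10.20.3.255"]
    snx = ["10.20.2.0/23", "172.16.5.0/24"]
    for reason, site_net, hit in find_conflicts(site, snx, "192.0.2.10"):
        print(f"{reason}: site {site_net} vs {hit}")
```

An empty result means neither condition holds for the entries supplied; any entry returned identifies the site range to review in Endpoint Security VPN.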