SNX not working on R65

[achuang24]

Would appreciate any help on this issue since we are getting ready to upgrade to R65 soon.

I have an test installation of SNX running on R65 SPLAT but cannot pull up the SNX login page from the external network. From the internal network or the DMZ network, it works fine when using IE to connect to HTTPS:\\gw.external.ip

Some facts:
1. Using the 30 day EVAL license
2. Management and enforcement module installed on same SPLAT R65
3. SPLAT webui set to 440 instead of 443
4. Visitor mode enabled for HTTPS on all interface
5. SSL Extender enabled in Remote Access section
6. On Management station, firewall GW object set to the external IP
7. SecureClient connects fine to firewall GW's external IP
8. Nothing is being reported on vpn debug

This should be a very simple install/setup but I can't get it to work. I wonder if this is a R65 issue.... Anyone running R65 yet?

[chillyjim]

Yes I'm using R65 and SNX works fine.

You don't happen to have the default rules disabled in gobal properties do you?

Look for https drops in your log

[achuang24]

chillyjim, I don't see any https related rules in the global policy page. Also, there is no https recorded in the SmartView tracker when connecting from the external network.

I am pretty much allowing everything and logging everything in the test setup.

[RiverStone]

I am seeing a similar problem. Have you by chance found a solution yet?

RiverStone

[chillyjim]

If you try https://internal.ip.address instead is it still a problem?

[smudger]

maybe a silly question but...

is the Firewall object included in your encryption domain? my understanding is that it needs to be....


regards


Smudger

[RiverStone]

First, let me apologize for not closing the loop on my portion of this post. Also, thanks for the response Smudger.

In our case, it turned out to be a licensing issue with LDAP authentication. We were licensed for LDAP on Connectra (this is "included" in the Connectra License) but not at FW-1. FW-1 (R65) was trying to handle the SNX authenication but was not licensed to do so. After working with TAC on a solution, the need to keep the project rolling backed us off of R62CM to R62 of Connectra which did not have the issue. My understanding is Checkpoint has a fix available now.

Achuang24, did you get your issue worked out?

RiverStone

[hotice_]

Yep, there's a special on-demand only hotfix for this

Check: sk33088

Issue is that Connectra comes with SmartDirectory but when you integrate management with the SCS, this gets disabled

[yatzekcs]

We had all setup the way it should be but SNX did not work. Called checkpoint just to find out that the 30 day evaluation did not include the SNX license. After gettting this sorted out, SNX works fine but we have some problems with the way it works. We would like to disallow our users from being able to browse the net and local network drives while they are connected through SNX but can't find an answer as of yet.

Yatzek