SSL Network Extender [SNX] and Mobile Access Portal Issue

[Hernan_Mella]

Hello
I have a UTM-1 R75.10 with license demo [NFR 1 year for partners], with all functionalities.
I've configured the Mobile access Portal to access to internal aplications[works OK], also i want to use SNX for VPN SSL.

When I enter to portal I use https://FW_EXT_IP/sslvpn/ works OK, but i've heared that there are a button to access [Connect]to SNX "INSIDE" of the portal [Am I wrong?] . It Doesn't appears to me...

When i try to enter to the portal of SNX https://FW_EXT_IP/SNX the URL is redirected to https://FW_EXT_IP/sslvpn portal

Also I've changed the priority of the portals with the GUI : GuiDBedit.exe. Priority 1 to SNX.
But still i can't to enter to SNX portal.

Someone knows something about this problem?

[mcnallym]

I don't have a MAB available but worth checking the Launch SSL Network Extender Settings.

On Demand when user clicks on "Connect" on the portal
Automatically, when user logs on

As I understand it then you would only need the Connect button if the setting is set to the On Demand as otherwise when you login to the MAB Portal then the SNX launches automatically

[Hernan_Mella]

The problem is use both products..MBA and SNX. SNX works when i use VPN ipsec, but when i use the mobile access blade the SNX portal is not available. Always redirect to MA portal
Thanks

[mcnallym]

As I said I don't have a MAB myself however I believe that when you have a MAB that you connect into that and then depending upon the settings for the Launch SNX then depends upon when SNX launches.

Launch SSL Network Extender Settings will either lauch SNX automatically (so no need for the connect button ) or upon demand by clicking on the connect.

If I am wrong then perhaps one of the people that actually have a MAB can correct me, however as I understand this then the SNX connection is made via the MAB portal when you have a MAB and not via a SNX portal as when it is on the IPSEC VPN Blade.

[Winger29]

I am having a similar issue. I have a valid Mobile Access Blade license applied, have installed MAB and ran the setup wizard successfully. I have read the R75 MAB Admin Guide and it looks like everything is configured as recommended. I can logon successfully to the MAB portal, but there is no SSL Extender connection button when I have it configured for on demand. When it is configured to load automatically the SSL client never gets installed on the remote client, and IPCONFIG shows no trace of an SSL VPN connection - no office mode IP assigned. I worked with CP support via chat on this for a while today. We reviewed the config and saw nothing obviously wrong. I ended up sending a cpinfo off to them. I will update this post if anything productive comes of the case.

[Winger29]

Case update - CP Support pointed me to this article: sk56800. It sounded promising, so I re-prioritized the portals as recommended - still no SNX.

[mcnallym]

I was on the UK Lunch and Learn for Remote Access and MAB yesterday so here is my findings on what I found was how things worked when I was on a MAB enabed gateway.

1.) When MAB is installed onto the box then the SNX is terminated on the MAB Blade, not the IPSEC VPN Blade.
2.) In order to get the Connect option to display for the SNX then have too configure a Native App.

From this and chatting with the SE running the lunch and learn session then I don't believe that when the MAB is present that you can just SNX into the Gateway, but HAVE to go through the MAB Portal before connecting with SNX.

Based on this then I don't believe that there is a way to just SNX into the gateway, (when MAB is present) where you authenticate with the SNX portal and then have a raw SSL tunnel into the gateway. The MAB hijacks the connection attempt.

If you don't have the MAB Blade active on the gateway then the SNX is terminated onto the IPSEC VPN Blade and you just SNX straight in and have a raw SSL tunnel into the network with Office Mode.

Taken from the MAB Guide, which I have reread in light of my experience.

SSL Network Extender Network Mode
The SSL Network Extender Network Mode client provides secure remote access for all application types (both Native-IP-based and Web-based) in the internal network via SSL tunneling. To install the Network mode client, users must have administrator privileges on the client computer.
After installing the client, an authenticated user can access any authorized internal resource that is defined on Mobile Access as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the Mobile Access portal.

Unless what you wish to access is defined as a native app then you won't get access with SNX via a MAB enabled Gateway to it. I am not sure if you have any native apps defined in your configuration.

As such you would need to deploy two gateways

1.) FW and VPN Gateway as perimeter gateway ( IPS / URL etch as well if you want )
2.) an MAB on the DMZ

Can terminate SNX directly on the IPSEC blade of the FW/VPN perimeter, which would give you a raw SSL VPN Tunnel and for MAB is NATted through to the DMZ located MAB Gateway.

Hope this sheds some light on your issues.

[Winger29]

As noted in the previous post, the solution is to configure each internal subnet that we want to access as a Native Application, then add them to a policy rule in the Mobil Access setup tab. As soon as this was done, the SNX started working as expected. Interestingly enough, the Checkpoint guy I worked with based in Ottawa was in the same boat as I was. He read the documentation, set it up in a lab and made no headway until he talked to a Connectra guy. He said - "It works just like Connectra" and showed him what to do. It was so easy once it was explained I felt ignorant for not figuring it out on my own.

[jonathan.rambeau]

Thank you very much for that valuable piece of information guys !
I was really struggling on that SNX configuration and couldn't see where I was going wrong... Check Point could have wrote something about that on the official documentation...

Anyway, thanks !

[boythanhdat_2012]

Good solution, winger29 :D. I configured 1 application as a native app, the button was appeared :X