SSL Network Extender troubleshooting

SSL Network Extender (Network Mode) Troubleshooting

1. On the problematic client machine, make sure that the service 'Routing and Remote Access' is disabled. This service is usually active on Windows 2000/2003 server machines.
2. Check the encryption domain.
If you have another successfully connected client, you can view the encryption domain by opening a command prompt and typing 'route print'. The encryption domain is everything routed to the server through the virtual network adapter (VNA) installed by SNX.
3. View the routing table on the server by opening a console and typing 'ip route' or 'netstat -rn'.
4. Check for the traffic flow.
SSL traffic can be captured on the client with Ethereal and on the server with 'tcpdump'.
5. Packets that a user sends directly to the external address of the SSL Network Extender Gateway are not encrypted by SSL Network Extender. If you need to reach the Gateway explicitly through the SSL tunnel, connect to its internal interface, which is part of the encryption domain.
6. If the following message appears when connecting to the SSL Network Extender Gateway: "The Web site you want to view requests identification. Select the certificate to use when connecting." you can choose one of the following two options:
   - On the client computer, open Internet Explorer. Under Tools > Options > Security tab, select Local intranet > Sites. Click Advanced and add the Gateway's external IP or DNS name to the existing list. The SSL Network Extender Gateway is now in the Local intranet zone, where the Client Authentication pop-up does not appear.
   - On the client computer, open Internet Explorer. Under Tools > Options > Security tab, select Internet Zone > Custom Level. In the Miscellaneous section, set the item 'Do not prompt for client certificate selection when no certificates or only one certificate exists' to Enable. Click OK, click Yes on the confirmation window, and click OK again.
   Note: This solution will change the behavior of Internet Explorer for all Internet sites, so if better granularity is required, refer to the previous solution.
7. If the client computer has SecuRemote/SecureClient software installed and configured to work in 'transparent mode', and its encryption domain contains the SSL Network Extender Gateway or otherwise overlaps with the SSL Network Extender encryption domain, SSL Network Extender will not function properly. To resolve this, disable the overlapping site in SecuRemote/SecureClient.
8. If the client computer has SecuRemote/SecureClient software installed and configured to work in 'connect mode', and its encryption domain contains the SSL Network Extender Gateway or otherwise overlaps with the SSL Network Extender encryption domain, SSL Network Extender will not function properly. To resolve this, verify that the flag 'allow_clear_traffic_while_disconnected' is set to True (the default value).
9. SSL Network Extender connections cannot pass SCV rules. SecureClient users must therefore be differentiated from SNX users so that SecureClient connections can pass the SCV rules. One way to do this is to use the SCV capabilities in the rule base. In Traditional Mode you can configure two types of rules by selecting 'Apply Rule Only if Desktop Configuration Options are verified': the selected (SCV) rules pass only SecureClient connections, while rules that were not selected pass both SecureClient and SSL Network Extender connections. In Simplified Mode, the Administrator may specify services that are excluded from SCV checking; both SecureClient and SSL Network Extender clients attempting to access such services are allowed access even when not SCV verified, since SCV is not enforced on those services for either type of client.
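Steps 2 to 5 above amount to reading the client's routing table and asking which destinations leave through the SNX virtual network adapter. The following script is an added example, not part of the original article or of the Check Point product: it parses a constructed 'route print' IPv4 table (the VNA address 10.10.10.5, LAN adapter 192.168.1.20 and gateway external IP 203.0.113.10 are made-up values) and reports the encryption domain and whether a given host is reached inside the tunnel.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of 'route print' on an SNX client.
# Assumed addresses (made up for this example): the SNX virtual network
# adapter (VNA) got 10.10.10.5, the LAN adapter is 192.168.1.20, and the
# gateway's external IP is 203.0.113.10.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
       10.10.10.0    255.255.255.0         On-link       10.10.10.5    281
         10.0.0.0        255.0.0.0       10.10.10.1      10.10.10.5      1
       172.16.5.0    255.255.255.0       10.10.10.1      10.10.10.5      1
      192.168.1.0    255.255.255.0         On-link     192.168.1.20    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.20     25
===========================================================================
"""

# One 'route print' row: destination, netmask, gateway, interface, metric.
ROUTE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def encryption_domain(route_print_output, vna_address):
    """Networks whose route leaves through the SNX VNA: everything routed
    through the VNA goes to the gateway inside the SSL tunnel, so this is
    the encryption domain as the client sees it."""
    domain = []
    for line in route_print_output.splitlines():
        match = ROUTE_ROW.match(line)
        if not match:
            continue  # header, separator and blank lines
        dest, mask, _gateway, iface, _metric = match.groups()
        if iface == vna_address:
            domain.append(ipaddress.IPv4Network((dest, mask), strict=False))
    return domain

def covered_by(domain, host):
    """True if traffic to 'host' is routed through the VNA (i.e. encrypted)."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in net for net in domain)

if __name__ == "__main__":
    dom = encryption_domain(ROUTE_PRINT_SAMPLE, "10.10.10.5")
    print("encryption domain:", [str(n) for n in dom])
    # The gateway's external IP is reached over the LAN adapter, not the VNA,
    # which is why packets sent straight to it are not encrypted (step 5).
    print("203.0.113.10 inside tunnel?", covered_by(dom, "203.0.113.10"))
```

On a real client, replace the sample with the output of 'route print' and the VNA address shown by 'ipconfig'.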

SSL Network Extender Application Mode Troubleshooting

1. Connectivity problems can be traced with tcpdump on both the client and server sides.
2. Connectivity problems to the gateway can be related to the proxy configuration. The proxy detected by the CShell is shown in the Java console. If a proxy is configured, it must be disabled in the browser for web browsing to work through SNX: either use a proxy configuration file and disable the proxy settings in the browser, or leave the settings in place until the CShell detects them and disables them itself so that web browsing works.
3. When the use of a proxy on the client machine is mandatory, SNX needs the proxy definitions in order to open the SSL connections to the gateway through that proxy. The CShell can detect the proxy settings in the browser so that the StaProxy uses them to connect to the gateway; this detection can be viewed in the Java console. The proxy can also be configured manually in the file: %APPDATA%\Check Point\CShell\proxy.ini
   File format:
      - IP or Host Name
      - Port
      - Optional: user
      - Optional: password
4. Connectivity problems to hosts behind Connectra are often caused by the Connectra configuration. Check the configuration of network applications, servers, services and user groups.
5. In some rare cases the framing mechanism may cause issues such as high CPU usage for specific applications. Framing can be disabled manually by adding the file ColorConf.txt to %TEMP%\SNXAC with 0 (disable) on the first line. The file format is:
   - 0/1: Disable/Enable
   - 0-255: Red
   - 0-255: Green
   - 0-255: Blue
6. SNX Application Mode does not support UDP traffic.
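Step 3 above describes the manual proxy.ini file. The parser below is an added example, not part of the original article or of the Check Point product; it assumes one value per line in the listed order (host or IP, port, optional user, optional password), that blank lines and surrounding whitespace are ignored, and that the file location is the %APPDATA% path given in step 3. The sample contents are constructed.

```python
import os
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

@dataclass
class ProxySettings:
    host: str
    port: int
    user: Optional[str] = None
    password: Optional[str] = None  # stored in clear text in the user profile

def proxy_ini_path():
    """Path of the manual proxy file as given in step 3, resolved via %APPDATA%."""
    return Path(os.environ.get("APPDATA", "")) / "Check Point" / "CShell" / "proxy.ini"

def parse_proxy_ini(text):
    """Parse proxy.ini: host or IP, port, then optional user and optional
    password, one value per line (assumption: blank lines and surrounding
    whitespace are ignored). Raises ValueError on a malformed file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("proxy.ini needs at least a host line and a port line")
    if len(lines) > 4:
        raise ValueError("proxy.ini has more than the four documented lines")
    host, port_text = lines[0], lines[1]
    if " " in host:
        raise ValueError(f"invalid proxy host: {host!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid proxy port: {port_text!r}")
    user = lines[2] if len(lines) > 2 else None
    password = lines[3] if len(lines) > 3 else None
    return ProxySettings(host, int(port_text), user, password)

# Constructed sample file contents (not from a real installation).
SAMPLE_NO_AUTH = "proxy.corp.example\n8080\n"
SAMPLE_WITH_AUTH = "10.1.2.3\n3128\nalice\ns3cr3t\n"

if __name__ == "__main__":
    print("expected location:", proxy_ini_path())
    for sample in (SAMPLE_NO_AUTH, SAMPLE_WITH_AUTH):
        settings = parse_proxy_ini(sample)
        auth = "with credentials" if settings.user else "no credentials"
        print(f"{settings.host}:{settings.port} ({auth})")
```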