Checkpoint mobile linux install

CheckPoint SNX install instructions for major Linux distributions

I decided to do a round up of how to install the software needed on GNU/Linux to enable access through a CheckPoint firewall. My focus was on distributions whose ISO downloads supported UEFI boot, and hard disk encryption out of the box. This explains why Debian is not in this list. These requirements may not apply to you so feel free to add the instructions for your distro of choice to the comments below.

As of build 800007075 Checkpoint no longer support using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop when we were able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender“. This is a major pain as it requires (from my experience) X server, Oracle Java, and the FireFox browser to run.В Chrome gives this helpful message on the Java website:

The Chrome browser does not support NPAPI plug-ins and therefore will not run all Java content. Switch to a different browser (Firefox, Internet Explorer or Safari on Mac) to run the Java plug-in.

Despite all this, it still uses the native client but with the “unsupported” -Z option.В Ah well.

With all the distributions I did the following:

• downloaded the most prominent ISO on offer at the projects main page
• used dd to transfer the image to usb stick
• installed using full disk encryption
• applied all the patch fixes
• installed openssh-server.

Let me tell you now that your future is full of warnings like, This Connection is Untrusted, I understand the Risks, Add Exception, Confirm Security Exception, allow, allow remember, continue, run, allow, trust server, etc etc. I found it useful to browse to the Verify Java Version site in Firefox to verify that java is working.

You will also need to know the url, username and password for your own checkpoint login site. It should be something like.:
https://checkpoint.example.com/sslvpn/Login/Login

These instructions are going to be terse but the links provided should give you more information if needed.

Ubuntu 15.04 Vivid Vervet

We’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

Pressing connect will open an xterm window that downloads and runs the native client install.sh script. You will need to enter the root password you set earlier, sudo will not work.

Now finally try the Connect > Continue > Accept Key and you should get connected.

Linux Mint 17.2 “Rafaela”

Very similar to Ubuntu, we’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

Unlike Ubuntu however the install via the browser did not work for me. You will need to go to your own login site:
https://checkpoint.example.com/sslvpn/Login/Login

Then select Settings > Edit Native Applications Settings > Download installation for Linux

Open a terminal and then run the command snx_install.sh from wherever you downloaded it.

Now when you go back to the web site, your Connect button should work.

openSUSE 13.2

This is a distribution I haven’t used too much before but decided to give it a try. Again additional libraries were necessary to get snx to run. I also followed these instructions to install java.

Then is was just a case of connecting to the website and pressing Connect

Fedora 22

We have covered installing under Fedora 21 before and the biggest problem was installing Oracle Java. Get the latest from http://www.java.com/en/download/linux_manual.jsp and I copied it to /usr/local/src. You’ll need to adjust accordingly.

Summary

I’m sorry if I haven’t covered your distribution in this round up. As I said at the beginning my requirements were pretty specific, but my time was limited. If you browse through the snx series here, you should be able to find out how you can get it running on your own distribution easily enough. This is what I had to do with openSUSE, for which I was a novice user. If not you can always drop me a line.

Having to run such a bloated and convoluted tool chain just to end up running the same application is very disappointing. I am also concerned that such an essential piece of business software is built using such old libraries, and that there is no 64 bit version.

I would like to hear if there is a way to get this plugin to run from the command line, or at least run without having a browser window open. If you have suggestions please comment below.

21 Responses to CheckPoint SNX install instructions for major Linux distributions

Thank you so much for posting this information. I went through a similar experience trying to get Check Point working on my Ubuntu laptop. The experience gave me enough concern that I switched to Windows 10 with Check Point Capsule VPN installed from the Windows Store running an Ubuntu guest VM that piggybacks my host’s VPN. A bit of an end-run around the issue I realize but the whole Firefox / Java / root password process seemed horribly brittle and a bad omen for things to come.

I’m running Ubuntu 14.04 LTS 64 bit. I’ve followed all your described steps, I’m connecting using Firefox. But anyway it is not connecting, Java console has following stack, I’ve replaced my information with my_, the rest I’ve left it as it is:
21/12/2015 03:14:19[Component] Trying to create socket to 127.0.0.1:5555
21/12/2015 03:14:19[Component] Could not connect
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:402)
at java.net.Socket.connect(Socket.java:591)
at java.net.Socket.connect(Socket.java:540)
at java.net.Socket.(Socket.java:436)
at java.net.Socket.(Socket.java:213)
at CpComponent.initPipe(CpComponent.java:96)
at SNXNMComponent.initPipe(SNXNMComponent.java:375)
at SNXNMComponent.checkCommunications(SNXNMComponent.java:449)
at SNXNMComponent.checkCommunications(SNXNMComponent.java:427)
at CpComponent.connect(CpComponent.java:131)
at ClientDirector.InstallAndConnectClient(ClientDirector.java:156)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at CpIs$1.run(CpIs.java:717)
at java.security.AccessController.doPrivileged(Native Method)
at CpIs.runPrivilegedMethod(CpIs.java:711)
at CShell.InitializeCShell(CShell.java:390)
at CShell.Initialize(CShell.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at sun.plugin.javascript.Trampoline.invoke(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MethodInfo.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MemberBundle.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke0(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$DefaultInvocationDelegate.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo.doObjectOp(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$LiveConnectWorker.run(Unknown Source)
at java.lang.Thread.run(Thread.java:747)
21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
21/12/2015 03:14:19[Launcher] Launching /usr/bin/snx -Z
21/12/2015 03:14:20[Component] Trying to create socket to 127.0.0.1:7776
21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
21/12/2015 03:14:20[SNXNetMode] Connection to SNX Network Mode is ok
21/12/2015 03:14:20[Component] Connecting…
21/12/2015 03:14:20[Proxy] detectProxy, name = my-server
21/12/2015 03:14:20[Proxy] detectProxy, proxyFullPath = /tmp/.proxy.ini
21/12/2015 03:14:20[Proxy] URI = https://my-server
21/12/2015 03:14:20[Proxy] about to get the system-wide proxy selector…
21/12/2015 03:14:20[Proxy] about select proxy list from the selector…
21/12/2015 03:14:20[Proxy] about iterate the proxy list…
21/12/2015 03:14:20[Proxy] about iterate the proxy #0…
21/12/2015 03:14:20[Proxy] about to get address from proxy…
21/12/2015 03:14:20[Proxy] no proxy – continue
21/12/2015 03:14:20[Proxy] done with the list – there is no proxy
21/12/2015 03:14:20[Messaging] Sending INIT_DATA message:
21/12/2015 03:14:20[Messaging] Gateway IP: my.ip
21/12/2015 03:14:20[Messaging] Gateway name: my-server
21/12/2015 03:14:20[Messaging] Gateway port: 443
21/12/2015 03:14:20[Messaging] Proxy IP: 0.0.0.0
21/12/2015 03:14:20[Messaging] Proxy port: 0
21/12/2015 03:14:20[Messaging] Server CN: my-server
21/12/2015 03:14:20[Messaging] User Name: my-user
21/12/2015 03:14:20[Messaging] Server fingerprint: my_fingerprint
21/12/2015 03:14:20[Messaging] Automatic proxy replacement: true
21/12/2015 03:14:20[CShell] Initialized successfully

It writes that Initialization passes successfully. But there are two different messages:
21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
***
21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
Or it work or doesn’t.
The main problems is that the Firefox shows:
Connection Mode:
Status: Connecting…
Gateway ID:
Office Mode IP:
Duration: 0 Days 00:00:00
Remaining Time: 0 Days 00:00:00
Please help me.

Источник

Клиент Checkpoint VPN Linux

Есть ли клиент Linux для Checkpoint VPN? Предпочтительно для Ubuntu?

6 ответов

Я слышал хорошие вещи о Shrew, но я только видел, что он используется в Windows.

Я использую SNX (через контрольную точку), и он работает отлично. Его можно загрузить из здесь .

Я использовал это руководство , чтобы установить snx на моем клиенте, проверить его и проверьте, установлены ли у вас все необходимые пакеты.

Кроме того, вы можете создать файл .snxrc в /home/user/ и укажите там IP-адрес и имя пользователя, например:

Затем просто запустите snx , вам будет предложено ввести ваш пароль и все.

Существующий клиент является древним, и на данный момент AFAIK нет планов писать более новый. Есть частные VPN-клиенты Linux, которые должны работать с контрольной точкой — особенно проверьте vpnc и енот.

Я успешно подключился к Checkpoint (NGX R75) с помощью Shrew Soft, подробнее здесь: https://serverfault.com/a /386021/73387

Я предполагаю, что вы ищете клиента IPSEC, но если вы ищете SSL VPN, мне повезло с клиентом Checkpoint SNX в Ubuntu.

Я тоже искал его И я нашел VPN-клиент контрольной точки на форумах пользователей Checkpoint, я свяжу его с вами завтра.

OK Вот ссылка на документацию в RedHat:

НО, VPN-клиент Linux, похоже, устарел и больше не поддерживается, как и мой собственный опыт, лучше использовать OpenSwan VPN для подключения через VPN-шлюз Checkpoint VPN под Linux.

Источник

Checkpoint mobile linux install

Linux setup Check Point Mobile Access VPN

This is a step-by-step tutorial to setup your Linux machine with all the required dependencies to work with Check Point Mobile Access VPN. This tutorial also includes some troubleshooting.

In the past year I had to setup my Ubuntu 18.04 laptop twice. Both times were very exhausting and took long hours until it was ready to use due to so many different errors hard to find the solution on Google. So no need to mention this tutorial (at the current state) is only useful if you’re working with a clean and recently installed Ubuntu LTS distro.

First make sure your operating system is up-to-date with:

Now you need some basic tooling for installing and building independent package vendors:

If your system has no Java version installed, make sure you install the version 8 (or higher). You can do that quickly with SDKMAN!, but first be sure you’re on your home directory with:

And then for installing SDKMAN!:

List the available Java versions and try to find the OpenJDK version 8 or higher (in my case it was 8.0.232-open ) and then install it:

For the Check Point Mobile Access required packages, you’ll need to install xterm and some SSL packages with the following commands:

If you’re running a 64 bit operating system, you’ll need to install some 32 bit compatible libraries:

Downloading the Shell Scripts

There are two shell script files you’ll need to download to setup Check Point Mobile Access VPN on your machine:

Both of them you can get on your company’s Mobile Access VPN page.

2. Click on «Settings» button

3. Click on «Download Installation for Linux» for both SSL Network Extender and Check Point Mobile Access Portal Agent

Running the Shell Scripts

The scripts you’ve just downloaded are just regular files. So we need to change their permissions to make them executable with the following commands:

The first script we’re going to run is the snx_install.sh , which should not give any errors when installing it.

Here comes the tricky part: running the other shell script. The script will ask you for your password because it’s going to run some things as sudo . Everything should be going fine until it gets to the last step: when it tries to run /usr/bin/cshell/launcher . That’s where it gets stuck. This executable file does not work properly with sudo .

When you notice it is stuck at the message above, open Ubuntu’s system monitor and try to find a process called launcher with 0% CPU usage and Sleeping status. Once you find it, kill it.

Do not ever type CTRL+C on the terminal or try to end its process or launcher ‘s. You must kill the launcher process. Otherwise, the script will do a clean-up and erase everything it has made that will allow you to make Check Point Mobile Access VPN work.

If you’ve done everything right, there should be an executable file called launcher at /usr/bin/cshell/ . If so, run it and it should have been displayed some logs as follows:

It means it has successfully been installed, and you should be fine trying to connect to the VPN now, but it doesn’t mean we don’t have more work to do.

If you end up with an error when you’re trying to run /usr/bin/cshell/launcher about a named pipe file called cshell.fifo inside the /tmp folder, just delete it with:

You need to disable one of your system’s startup applications. You should be able to see one of them called cshell with a marked checkbox. All it does is running the launcher executable file in /usr/bin/cshell/ . You must uncheck it because every time you let it run automatically it’s going to be run as sudo , which means it’s going to get stuck.

Now we’re going to do a little trick to make it start automatically without sudo : run it inside the .bashrc file, so every time you open up a terminal it’s going to run with your user normal permissions. Actually, we only want to run it once when you log in, right? So why don’t we simply run it inside .profile ? Because everything in .profile run as sudo , so the launcher is going to get stuck.

So here is the tricky part: let’s create a simple log file to check whether launcher should run every time you open up a terminal window. Add the following lines to the .profile file to remove the log file every time you log in.

On the .bashrc file add the following lines to check whether it should run the launcher file every time you open up a terminal window:

Restart your computer, log into your user account and check if the log file we created is on your home directory by opening a terminal and typing:

Then show its contents by using cat and it should be displayed as the following:

Now you should be all set. Open your company’s Check Point Mobile Access page and you should be able to connect everytime you log into your computer. Just remember to open up a terminal window first 🙂

About

Linux setup to work with Check Point Mobile Access VPN.

Источник