
Check Point SSL Network Extender and Windows Update KB2585542


For those of you using SSL Network Extender on Windows 7, Check Point released an SK regarding a recent Microsoft patch (KB2585542) which can cause problems. The symptoms and a workaround for the problem are described below. Check Point also has a hotfix available for the problem.

After installing Windows Update KB2585542 the SSL Network Extender portal is no longer accessible (SK671000)

Symptoms

After installing the update on Windows XP and Windows 7 based client systems, the SSL Network Extender page no longer loads. Users receive a certificate warning for all self-signed certs; after accepting it, they receive a browser error about being unable to load the page.


Cause

KB2585542 changes how Microsoft Internet Explorer processes the SSL handshake. Based on a quick Google search, this change affects much more than the Check Point SNX portal, so Microsoft may release its own fix for this issue.

Solution

Workarounds:

1) On Windows XP and Windows 7 clients, you may use a different browser such as Firefox.

2) For Windows XP clients, the encryption parameters can be changed in Global Properties:

Enable RC4 (or AES on newer versions) as an optional encryption algorithm for SSL Network Extender (SNX):

Global Properties -> Remote Access -> SSL Network Extender -> Encryption -> Supported encryption methods: "3DES or RC4" or "AES, 3DES or RC4" (depending on the version)

3) On Windows 7 and Windows XP, you may disable TLS 1.0 support which is enabled by default:

Internet Options -> Advanced -> Uncheck "TLS 1.0" at the bottom of the window.

TLS 1.2 and TLS 1.3 may be checked for other applications, which will use those protocols. Leaving TLS 1.2 and 1.3 checked will not affect SSL Network Extender.
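
To find which clients are in the state workaround 3 addresses (KB2585542 installed and TLS 1.0 still enabled in Internet Explorer), the following is an added example, not code from Check Point or the original post. It assumes the per-user `SecureProtocols` registry value and its bit flags, which are standard Windows settings not named on this page.

```powershell
# Added example (not Check Point or Microsoft code). Written for PowerShell 2.0,
# the version shipped with Windows 7.
$KbId  = 'KB2585542'   # update named on this page
$IeKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Tls10 = 0x0080        # TLS 1.0 bit in the SecureProtocols bitmask

# Flag values of the per-user SecureProtocols DWORD behind the
# Internet Options -> Advanced protocol checkboxes.
$ProtocolBits = @{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}

function Get-EnabledProtocol([int]$Mask) {
    # Return the names of all protocols whose bit is set, lowest bit first.
    $ProtocolBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        Sort-Object Value |
        ForEach-Object { $_.Key }
}

# Get-HotFix returns nothing (with an error we suppress) when the update is absent.
$kbInstalled = $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

$setting = Get-ItemProperty -Path $IeKey -Name SecureProtocols -ErrorAction SilentlyContinue
if ($setting) {
    $mask      = [int]$setting.SecureProtocols
    $protocols = @(Get-EnabledProtocol $mask) -join ', '
    $tls10On   = ($mask -band $Tls10) -ne 0
} else {
    # Value never written: the browser uses its built-in default, which the
    # page says has TLS 1.0 enabled.
    $protocols = '(default)'
    $tls10On   = $true
}

New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    KbInstalled  = $kbInstalled
    IeProtocols  = $protocols
    Tls10Enabled = $tls10On
    # Both true = the combination workaround 3 addresses.
    MatchesIssue = ($kbInstalled -and $tls10On)
}
```

If the protocol list is managed by Group Policy, the policy copy of the value takes precedence over this per-user one, so check that as well on managed machines.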

Solution:

Contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.

For more information, please contact us at info@rutter-net.com
