In R77.20.51, the default cryptography protocol used by remote access users is TLSv1.2, as previous versions contain numerous potential security weaknesses.
There is a new SSL Network Extender that supports TLSv1.2, but users must first uninstall their previous extender and then download the new one the next time they connect to SNX.
The recommended solution for users:
- In the Windows OS, go to the "Programs and Features" list.
- Search for "Check Point SSL Network Extender".
- Uninstall this program.
Note: The next time the user connects, they are asked to install the new extender that the new firmware downloaded from the cloud.
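To confirm whether a desktop still carries the old extender before or after the uninstall steps above, the following PowerShell check reads the registry data that "Programs and Features" displays. It is an added example, not Check Point's own code; the function name `Get-SnxInstall` is hypothetical, and the registry locations are the standard Windows uninstall keys.

```powershell
# Added example: list installed "Check Point SSL Network Extender" entries.
# Get-SnxInstall is a hypothetical helper name, not a Check Point tool.
function Get-SnxInstall {
    [CmdletBinding()]
    param(
        # Display name as shown in "Programs and Features" (taken from the article).
        [string]$DisplayName = 'Check Point SSL Network Extender'
    )

    # Standard Windows uninstall keys: 64-bit, 32-bit (WOW6432Node) and per-user.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }   # e.g. no WOW6432Node on 32-bit Windows
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Many subkeys have no DisplayName value at all; skip them.
            if ($p -and $p.PSObject.Properties['DisplayName'] -and $p.DisplayName -like "*$DisplayName*") {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    InstallDate     = $p.InstallDate
                    UninstallString = $p.UninstallString
                    RegistryKey     = $_.Name
                }
            }
        }
    }
}

$found = @(Get-SnxInstall)
if ($found.Count -eq 0) {
    Write-Output 'No SSL Network Extender entry found on this machine.'
} else {
    # Entries still present here have not been uninstalled yet.
    $found | Format-List
}
```

The per-user key is read for the account running the script, so run it in the affected user's session when checking a single desktop.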
If the problem persists, it may be due to a problem with the deletion of the previous extender in the appliance.
To force the appliance to delete its existing extender and download the latest version (that supports TLSv1.2) from the cloud, select one of these options:
- Run the clish command:
- Run this Linux command in Expert mode:
rm -r /storage/extender
- An administrator can revert the cryptography protocol to an older version, which eliminates the need to uninstall the extender on each end-user desktop:
Go to Device > Advanced Settings and search for the advanced setting "Minimum TLS version support in the SSL VPN portal". This is not recommended as it poses a security risk.