In R77.20.51, the default cryptographic protocol used by remote access users is TLSv1.2, because previous versions contain numerous potential security weaknesses. A new SSL Network Extender (SNX) that supports TLSv1.2 was created, but end users must first uninstall their previous extender so that the new one is downloaded on their next SNX connection.
First, while not advisable, an administrator can revert the cryptographic protocol to an older version, which avoids the need to uninstall the extender on each end-user desktop.
This can be done by going to the Device -> Advanced web page and searching for the advanced setting "Minimum TLS version support in the SSL VPN portal". This is not recommended, as it poses a security risk.
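An added check, not part of the original article or of Check Point's tooling: this Python script offers the portal one TLS version at a time and flags any version below TLSv1.2 that it accepts, which shows whether the minimum-version setting has been lowered. The hostname `vpn.example.com` and port 443 are placeholder assumptions.

```python
import socket
import ssl

# Versions to offer, weakest first; TLSv1.2 is the R77.20.51 default.
VERSIONS = [("TLSv1.0", ssl.TLSVersion.TLSv1),
            ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
            ("TLSv1.2", ssl.TLSVersion.TLSv1_2)]

def probe(host, port, version, timeout=5.0):
    """Offer exactly one TLS version and report how the server responds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE  # not the portal certificate
    try:
        # Local OpenSSL policy often forbids TLS 1.0/1.1; relax it for this probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "client-unsupported"  # this Python/OpenSSL build cannot offer the version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host):
            return "accepted"
    except (ssl.SSLError, OSError):
        return "rejected"

def audit(host, port=443, minimum="TLSv1.2", probe_fn=probe):
    """Return (results, findings); findings are deviations from the expected minimum."""
    names = [name for name, _ in VERSIONS]
    results = {name: probe_fn(host, port, ver) for name, ver in VERSIONS}
    findings = [f"{n} accepted (below {minimum})"
                for n in names[:names.index(minimum)] if results[n] == "accepted"]
    if results[minimum] != "accepted":
        findings.append(f"{minimum} not accepted ({results[minimum]})")
    return results, findings

if __name__ == "__main__":
    results, findings = audit("vpn.example.com")  # placeholder hostname (assumption)
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    print("FINDINGS:", findings or "none")
```

A "rejected" result for TLSv1.0 or TLSv1.1 is only meaningful if the local OpenSSL build can still offer those versions; if in doubt, confirm against a host known to accept them.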
The recommended solution for end users:
- Using Windows search, open the "Programs and Features" list
- Search for "Check Point SSL Network Extender"
- Uninstall it.
Note: the next time the end user connects, they will be prompted to install the new extender that the new firmware downloaded from the cloud.
If the problem persists, it may be due to a problem with deletion of the previous extender on the appliance. It is possible to force the appliance to delete its existing extender, which forces it to download the latest version, which supports TLSv1.2, from the cloud. This can be done in 2 ways:
- Running the "delete ssl-network-extender" CLISH command.
- Running the "rm -r /storage/extender" Linux command from the Expert mode.