This article is relevant to Endpoint Security Clients on Windows OS, managed by Cloud Management
On June 30th, 2021, the CA/B Forum voted on ballot SC47V2, which plans the sunset (deprecation) of the OrganizationalUnitName field (for more information, see here).
On October 17th, 2021, following the CA/B Forum decision, we will replace our existing production certificate with a new certificate, which is aligned with the new format that does not include the OrganizationalUnitName field.
Most clients will continue functioning as usual, establishing a connection to the Endpoint Management without being affected by this change.
All clients that established a connection with the server starting from October 10th were automatically configured to work with the new schema in parallel to the old one. Clients with version E85.40 or higher are configured to work with both certificate schemas.
Endpoint Security Clients on the cloud that were continuously disconnected between October 10th and October 17th and could not get the automatic update may use the dedicated Updater (see below) to extend the client to support the new certificate schema configuration; otherwise they will remain disconnected from the management.
Important: Any initial & exported packages downloaded before October 18th, 2021 (for versions E85.30 or lower) are no longer valid and need to be replaced.
Important: The below is relevant only for Endpoint Security Clients on Windows OS, managed by Cloud Management (Cloud instance @ portal.checkpoint.com)! Other blades, including VPN, will continue working as before. This is relevant only to the communication between the Clients and the Management on Cloud.
The issue does not pose any security risk.
If all your clients are connected to the management, you do not need to take any action to resolve the issue.
To resolve the issue
There are two simple ways to resolve this issue:
- Option 1: Upgrading your Endpoint Security to the latest version - E85.40 Windows Clients (preferred).
- Option 2: Download and install a small (less than 1 MB) and quick-to-install Updater (HEP_Updater.msi). This Updater has no impact on the Endpoint Client other than resolving the issue. The Updater takes a short time to install. It is recommended to use a central deployment tool such as GPO to distribute the Updater to the clients. It is applicable to all Windows versions.
HEP_Updater - Updater for Harmony Endpoint Client (E80.94 and higher) - Windows OS
The Updater can be applied to any Endpoint Client version (E80.94 and higher), on all Windows flavors, whether or not it can establish a connection to the Endpoint Security Management.
Note: Any initial & exported packages downloaded before October 18th, 2021 (for versions E85.30 or lower) are no longer valid and need to be replaced.
To deploy manually:
- On the client machine, open a command prompt with elevated administrator privileges.
- Run the MSI file.
- Wait for the client to connect to the Management server (takes about two minutes).
To deploy through GPO:
- Copy the <MSI file> to a shared network location.
- On the Domain Controller, open Group Policy Management.
- Create a GPO for the desired group.
- Right-click the newly created GPO and select Edit…
- In the new window, under Computer Configuration, expand Policies > Software Settings.
- Right-click Software installation, then click New > Package…
- In the browser window that opens, select the <MSI file> from the shared folder, then click Open.
Note: You must use the UNC path of the shared folder.
The GPO is read and the patch deploys.
For Customers who use VDI
Follow these steps when using a VDI environment:
- Update the Golden \ Master image:
  - Boot the Golden \ Master image in an editable mode (Read \ Write Mode in Citrix PVS).
  - Follow the instructions above on how to run the Updater (HEP_Updater.msi).
- Update the Pool:
  - Once the Golden \ Master image is updated, fixed (patched) clones are created at the next logon. Forced logoff may be used for running instances (if needed).
  - If logging off running users is not an option, follow the instructions above on how to run the Updater (HEP_Updater.msi) on each running instance.
- How can I tell if the Endpoint Client disconnects due to this issue?
The C:\ProgramData\CheckPoint\Logs\cpda*.log file contains these lines:
[error] Subject DN in server certificate differs from expected, server DN: /CN=*.epmgmt.checkpoint.com, expected: CN=*.epmgmt.checkpoint.com,OU=Domain Control Validated [the_verify_callback]
[error] CURL error description: SSL certificate problem: error number 1 [CHTTPCall_curl::sendReq_internal]
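The two log lines above are the signature to look for. The following PowerShell script is an added example (it is not part of this Check Point article and not a Check Point tool) that scans the cpda*.log files for that signature and reports a verdict per file, together with the file's last write time, so that a hit left behind in an old log by a client that has since been updated can be told apart from a current failure. The log path and the two error strings are taken from the article; the parameter names, the constructed sample lines and the report layout are this example's own assumptions.

```powershell
# Added example (not part of the Check Point article): scan Harmony Endpoint client
# logs for the certificate-mismatch signature quoted in the FAQ above.
# Assumptions: the log location C:\ProgramData\CheckPoint\Logs\cpda*.log and the two
# [error] strings come from the article; everything else (parameter names, sample
# lines, report shape) is this script's own.
param(
    [string]$LogDir = 'C:\ProgramData\CheckPoint\Logs',
    [switch]$UseSample   # evaluate the constructed sample lines instead of reading disk
)

# Substrings taken from the two log lines quoted in the FAQ. Both must be present for a
# confident verdict; a CURL "error number 1" line on its own can have other causes.
$SubjectMismatch = 'Subject DN in server certificate differs from expected'
$CurlVerifyError = 'SSL certificate problem: error number 1'

# Constructed sample log content (not captured from a real client) so the script can
# be tried offline with -UseSample.
$SampleLines = @(
    '[info] constructed sample line, unrelated to certificates',
    '[error] Subject DN in server certificate differs from expected, server DN: /CN=*.epmgmt.checkpoint.com, expected: CN=*.epmgmt.checkpoint.com,OU=Domain Control Validated [the_verify_callback]',
    '[error] CURL error description: SSL certificate problem: error number 1 [CHTTPCall_curl::sendReq_internal]'
)

function Test-CpdaLogForOuIssue {
    # Returns a verdict object for a set of log lines.
    param([string[]]$Lines)

    $subjectHits = @($Lines | Where-Object { $_.Contains($SubjectMismatch) })
    $curlHits    = @($Lines | Where-Object { $_.Contains($CurlVerifyError) })

    [pscustomobject]@{
        # Both signature lines present: the client is rejecting the new certificate.
        Affected            = ($subjectHits.Count -gt 0 -and $curlHits.Count -gt 0)
        SubjectMismatchHits = $subjectHits.Count
        CurlErrorHits       = $curlHits.Count
        LastMatchingLine    = $(if ($subjectHits.Count -gt 0) { $subjectHits[-1] } else { $null })
    }
}

function Get-CpdaLogReport {
    # One row per cpda*.log file under the log directory. LastWriteTime lets you tell
    # a stale hit (file not written since the Updater ran) from a current failure.
    param([string]$Path)

    $files = Get-ChildItem -Path (Join-Path $Path 'cpda*.log') -File -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        # If the client holds the log open exclusively, copy it elsewhere first and scan the copy.
        $verdict = Test-CpdaLogForOuIssue -Lines (Get-Content -Path $file.FullName)
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            File                = $file.FullName
            LastWriteTime       = $file.LastWriteTime
            Affected            = $verdict.Affected
            SubjectMismatchHits = $verdict.SubjectMismatchHits
            CurlErrorHits       = $verdict.CurlErrorHits
        }
    }
}

if ($UseSample) {
    # Expected on the constructed sample: Affected = True, one hit of each kind.
    Test-CpdaLogForOuIssue -Lines $SampleLines | Format-List
} else {
    $report = @(Get-CpdaLogReport -Path $LogDir)
    if ($report.Count -eq 0) {
        Write-Warning "No cpda*.log files found under $LogDir"
    } else {
        $report | Format-Table -AutoSize
    }
}
```

Run it from an elevated PowerShell prompt on the client (the log directory under ProgramData is not readable by every user), or wrap `Get-CpdaLogReport` in `Invoke-Command` over WinRM to collect one table for a whole OU of computers. A row with `Affected = True` whose `LastWriteTime` is older than the time the Updater was installed is historical; only a file still being written with these lines indicates a client that is currently disconnected for this reason.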
- Which products and configurations are affected?
Endpoint Security Client and Harmony Endpoint (formerly called SandBlast Agent) managed by the Cloud Management.
- Which versions are affected?
Clients on Windows operating systems: all versions older than E85.40.
macOS clients are not affected.
Note: The issue affects all custom builds (Client Hotfix).
- How do I check if a client can establish a connection to the Endpoint Management?
You can check the status of a client through a view on your cloud instance of the Endpoint Management server or individually directly on the client:
- In portal.checkpoint.com:
  - From the left toolbar, select Asset Management > Computers.
  - From the Columns drop-down menu, select Custom and add the Last Connection field to the report.
  - The Asset Management report opens with the Last Connection field.
- On the client machine:
  - Right-click the Endpoint Client icon and then select Display Overview.
  - The client status shows in the bottom right corner.
- What should I do today?
- If your Endpoint Security Clients are connected to the cloud management, there is nothing to do.
- If your Endpoint Security Clients are not connected, either make sure they are connected or run the Updater to establish the connection.
- What should I do if I'm working with initial & exported packages?
Any initial & exported packages downloaded before October 18th, 2021 (for versions E85.30 or lower) are no longer valid and need to be replaced. You should consider upgrading to the latest version (E85.40 and above).