Endpoint Security MI Server R73 certificate validation

Solution ID: sk97784
Severity: High
Product: Endpoint Security MI
Version: R73
OS: Windows
Platform / Model: Intel/PC
Date Created: 19-Dec-2013
Last Modified: 22-Dec-2013
Symptoms
  • Certificate validation settings have no effect in Endpoint Security MI Server R73. Even when certificate validation is configured, the MI client does not validate the server certificate.
Solution

Check Point offers a Hotfix for this issue.

Table of Contents:

  • Hotfix availability
  • Important notes
  • Hotfix installation instructions
  • Enabling SSL communication
  • Replacing the certificate
  • Troubleshooting

 

Hotfix availability

This hotfix is compiled only for MI version 3.0.0 HFA2.5.
If an older version is installed, upgrade to that version before installing the hotfix.

 

Important notes

  • If the web server uses a self-signed certificate, SSL communication must not be enabled; otherwise, Device-to-CP communication will break.

  • Server certificate must have a valid parent CA in the certification path.

  • The certificate must be an SSLv3 certificate.

 

Hotfix installation instructions

  1. Download the improved DLL file from here.

  2. Transfer the EPS_MI_R73_HF_sk97784.zip file to Endpoint Security MI Server.

  3. Stop the Endpoint Security MI Server.

  4. Extract the DLL file from the ZIP archive.

  5. Drag the DLL file into the %SYSTEMROOT%\assembly\ folder (the .NET Global Assembly Cache).

  6. Start the Endpoint Security MI Server.

 

Enabling SSL communication

Note: It is recommended to configure only a single test device prior to switching all devices to communicate over SSL.

  1. Open Endpoint Security MI Management Console (MIMC).

  2. Navigate to the device.

  3. Right-click on the device - click on 'Properties'.

  4. Go to 'Software' tab.

  5. Right-click on the 'Endpoint Security Device Agent for PC' node - click on 'Properties'.

  6. Expand 'System Settings'.

  7. Go to 'Connection Points'.

  8. Double-click on each attribute - modify its value to 'Deny'.

  9. Click on 'OK' button.

  10. Verify that the device downloads the new settings (open 'Logs' tab).

  11. Verify that device communication is not broken.

Example:

 

Replacing the certificate

  1. Assign the new certificate to the web server by following Microsoft KB816794, "Install Imported Certificates on a Web Server in Windows Server 2003".

  2. Restart the Windows IIS service.

 

Troubleshooting

  1. On the server, browse to https://localhost/PointsecMI_CP/cp_ssl.aspx

  2. Verify you do not get any warning regarding the certificate.

  3. Open the certificate from the browser and verify:

    • The certificate is the one you expect.

    • The certificate has a trusted parent CA.

    • The certificate is an SSLv3 certificate.


  4. Verify that the client device communicates:

    1. On the client device, browse to the connection point at this URL:

      https://<Your_Server_Name>/PointsecMI_CP/cp_ssl.aspx

    2. Verify you do not get any warning regarding the certificate.

    3. Verify that the certificate that is used is the new one.

    4. Verify that Device Agent communicates (open Device Agent UI).
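
The following PowerShell script is an added example, not part of this SecureKnowledge article: it performs a TLS handshake with the connection point, keeps the certificate the server actually presents, and checks the points listed in steps 3 and 4 (the certificate is the one you expect, it has a trusted parent CA, and it is not self-signed). <Your_Server_Name>, the expected thumbprint, and port 443 as the IIS HTTPS binding are assumptions to replace with your own values. The "SSLv3 certificate" check is not covered; inspect that in the certificate viewer as step 3 describes.

```powershell
# Added example (not from the SecureKnowledge article): fetch the certificate served by the
# MI connection point and check it against the troubleshooting steps above.
# Assumed values: <Your_Server_Name> and the expected thumbprint are placeholders; 443 is
# assumed to be the IIS HTTPS binding that hosts /PointsecMI_CP/cp_ssl.aspx.
param(
    [string]$ServerName = "<Your_Server_Name>",
    [int]$Port = 443,
    [string]$ExpectedThumbprint = "<THUMBPRINT_OF_THE_NEW_CERTIFICATE>"
)

# Handshake with the server and keep the certificate it presents. The callback accepts any
# certificate so that a broken chain can still be inspected; pass/fail is decided below.
$acceptAll = { param($sender, $certificate, $chain, $errors) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ServerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Build the chain against this machine's trust store, as the browser and Device Agent do.
# Revocation is skipped so the check works on a machine without CRL access.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainTrusted = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "

$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

# The article's checks: expected certificate, trusted parent CA, not self-signed.
$result = New-Object PSObject -Property @{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    Thumbprint         = $cert.Thumbprint
    NotAfter           = $cert.NotAfter
    IsExpectedCert     = ($cert.Thumbprint -ieq ($ExpectedThumbprint -replace '\s', ''))
    IsSelfSigned       = ($cert.Subject -eq $cert.Issuer)
    HasTrustedParentCA = ($chainTrusted -and ($chain.ChainElements.Count -gt 1))
    NameMatchesServer  = ($dnsName -ieq $ServerName)
    ChainStatus        = $chainStatus
}
$result | Format-List

# Non-zero exit when any of the article's conditions fails, so the script can gate a rollout.
if (-not ($result.IsExpectedCert -and $result.HasTrustedParentCA -and -not $result.IsSelfSigned)) {
    exit 1
}
```

Run it on the server with `-ServerName localhost` (step 1 of this section) and on a client device with the real server name (step 4). Because the handshake callback accepts every certificate, the script itself never acts as a validation gate; the decision is made only from the chain built afterwards, which is what makes a self-signed or untrusted certificate visible in `ChainStatus` instead of aborting the connection.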
Credit

Check Point thanks Alberto Garcia Illera for responsible disclosure of this issue.

