Some SSL VPN functionality breaks as a result of a Java update to version 7 update 51 (7u51) and higher

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk97987
Technical Level
Product	Mobile Access / SSL VPN, SSL Network Extender
Version	R71 (EOL), R75 (EOL), R76 (EOL), R77 (EOL), R77.10 (EOL)
Platform / Model	All
Date Created	01-Jan-2014
Last Modified	07-Jul-2020

Symptoms

After a Java update to version 7 update 51 (7u51) and higher, launch of Check Point Deployment Agent applet fails. As a result, functionality, such as ESOD scan, SNX, Native Application launch, etc., fails.

Cause

Oracle had introduced a change in the security settings, which as a result blocks the Java version of the Check Point Deployment Agent.

Solution

Note: To check your current Java version, go to http://java.com/en/download/installed.jsp

Table of Contents:

Hotfix availability
Hotfix installation instructions
Hotfix uninstall instructions
Workarounds

(1) Hotfix availability

This problem was fixed. The fix is included in:

Check Point R77.20
Jumbo Hotfix Accumulator for R77.10 - since Take_4
Jumbo Hotfix Accumulator for R76 - since Take_61

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade VSX / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

Note for 600 / 1100 appliances running R75.20.X firmware:

For 1100 Centrally Managed appliances, contact Check Point Support to get a Hotfix for Security Management Server.
For 600 / 1100 Locally Managed appliances, upgrade to R75.20.50 to resolve the issue.

(2) Hotfix installation instructions for Security Gateway R77.10 and lower

Hotfix has to be installed on Security Gateway.
Note: In cluster environment, this procedure must be performed on all members of the cluster.

Download the two hotfix packages for your version of Security Gateway:

Note: The "CVPN" part is required only when you are using the Mobile Access Blade.

Version of Security Gateway	Platform	Link to FW-1 part	Link to CVPN part
R77.10 ⁽¹⁾	Gaia / SecurePlatform OS	(TGZ)	(TGZ)
R77	Gaia / SecurePlatform OS	(TGZ)	(TGZ)
R76 ⁽²⁾	Gaia / SecurePlatform OS	(TGZ)	(TGZ)
R75.47	Gaia / SecurePlatform OS	(TGZ)	(TGZ)
R75.46	Gaia / SecurePlatform OS	(TGZ)	(TGZ)
R75.45	Gaia / SecurePlatform OS	(TGZ)	(TGZ)
R75.40	Gaia / SecurePlatform OS	(TGZ)	(TGZ)
R75.30	SecurePlatform OS	(TGZ)	(TGZ)
R75.20	SecurePlatform OS	(TGZ)	(TGZ)
R71.50	SecurePlatform OS	(TGZ)	(TGZ)

Notes:

This fix for R77.10 on Gaia OS (both FW-1 part and CVPN part) is included in sk98285 - Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021) since Take_4 (together with updated SNX client from sk97702).
This fix for R76 on Gaia OS (both FW-1 part and CVPN part) is included in sk96191 - Jumbo Hotfix Accumulator for R76 (gizmo_hf_041_050) since Take_61 (together with updated SNX client from sk97702).

Transfer the two hotfix packages to the Security Gateway into two separate directories:
- FW1 package (fw1_wrapper_<HOTFIX_NAME>.tgz) into e.g., /path_to_FW1_fix/
- Mobile Access package (cvpn_<HOTFIX_NAME>.tgz) into e.g., /path_to_cvpn_fix/
Unpack and install the FW1 hotfix package:

[Expert@HostName]# cd /path_to_FW1_fix/
[Expert@HostName]# tar -zxvf fw1_wrapper_<HOTFIX_NAME>.tgz
[Expert@HostName]# ./fw1_wrapper_<HOTFIX_NAME>
Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
Do NOT reboot yet.
Unpack and install the Mobile Access CVPN hotfix:

[Expert@HostName]# cd /path_to_cvpn_fix/
[Expert@HostName]# tar -zxvf cvpn_<HOTFIX_NAME>.tgz
[Expert@HostName]# ./cvpn_<HOTFIX_NAME>
Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
Reboot the Security Gateway.

(3) Hotfix uninstall instructions for Security Gateway R77.10 and lower

Hotfix has to be uninstalled from Security Gateway.
Note: In cluster environment, this procedure must be performed on all members of the cluster.
Stop all the Check Point services on Security Gateway:
[Expert@HostName]# cpstop
UnInstall the FW-1 hotfix:
[Expert@HostName]# cd /opt/CPsuite-<VERSION>/
[Expert@HostName]# ./uninstall_fw1_wrapper_<HOTFIX_NAME>
Example for R77 hotfix:
```
[Expert@HostName]# cd /opt/CPsuite-R77/
[Expert@HostName]# ./uninstall_fw1_wrapper_HOTFIX_GULLI_HF_BASE_207
```
Do not reboot yet.
UnInstall the CVPN hotfix (relevant if Mobile Access Blade is used):
[Expert@HostName]# cd /opt/CPcvpn-<VERSION>/
[Expert@HostName]# ./uninstall_cvpn_<HOTFIX_NAME>
Example for R77 hotfix:
```
[Expert@HostName]# cd /opt/CPcvpn-R77/
[Expert@HostName]# ./uninstall_cvpn_HOTFIX_GULLI_HF_BASE_207
```
Reboot the Security Gateway.

(4) Workarounds

If you do not wish to upgrade / install a hotfix, then the following workarounds are available:

Show All Workarounds

Either lower the Java security settings to "Medium" (applies only to Java 7)

Related resource: http://www.java.com/en/download/help/jcp_security.xml
- Instructions for Windows OS
  1. Go to Start menu.
  2. Go to Control Panel.
  3. Click on 'Java'.
  4. Go 'Security' tab.
  5. Move the slider to the bottom ('Medium').
  6. Click on 'OK'.
- Instructions for Mac OS X
  1. In the upper left corner of the screen, click on 'Apple' icon.
  2. Go to 'System Preferences'.
  3. Click on 'Java'.
  4. Go 'Security' tab.
  5. Move the slider to the bottom ('Medium').
  6. Click on 'OK'.
Or add the relevant web site to "Exception Site List" (as of the JDK 7u51 release, and Java 8)

Related resources: http://java.com/en/download/faq/exception_sitelist.xml and http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/exception_site_list.html#create

Note: The "Exception Site List" feature is available only since the release of Java 7 Update 51. To check your current Java version, go to http://java.com/en/download/installed.jsp
- Instructions for Windows OS
  1. Go to Start menu.
  2. Go to Control Panel.
  3. Click on 'Java'.
  4. Go 'Security' tab.
  5. Click on 'Exception Site List...' button:
    
    Java 7 Java 8
  6. Click on 'Add':
  7. Under 'Location', type the URL into the empty field (https://X.X.X.X):
    
    Note: If you add an HTTP location, then a warning is presented. Click on 'Continue':
  8. Continue to click on 'Add' and enter URLs until your list is complete.
  9. Click on 'OK' to save the URLs that you entered.
  10. Click on 'OK'.
- Instructions for Mac OS X
  1. In the upper left corner of the screen, click on 'Apple' icon.
  2. Go to 'System Preferences'.
  3. Click on 'Java'.
  4. Go 'Security' tab.
  5. Click on 'Exception Site List...' button.
  6. Click on 'Add'.
  7. Under 'Location', type the URL into the empty field (https://X.X.X.X).
  8. Continue to click on 'Add' and enter URLs until your list is complete.
  9. Click on 'OK' to save the URLs that you entered.
  10. Click on 'OK'.

Applies To:

01345729 , 01350557 , 01350558 , 01350878 , 01370132 , 01662188

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating

(1) Hotfix availability

(2) Hotfix installation instructions for Security Gateway R77.10 and lower

(3) Hotfix uninstall instructions for Security Gateway R77.10 and lower

(4) Workarounds

Either lower the Java security settings to "Medium" (applies only to Java 7)

Or add the relevant web site to "Exception Site List" (as of the JDK 7u51 release, and Java 8)