I decided to do a round up of how to install the software needed on GNU/Linux to enable access through a CheckPoint firewall. My focus was on distributions whose ISO downloads supported UEFI boot and hard disk encryption out of the box, which explains why Debian is not in this list. These requirements may not apply to you, so feel free to add the instructions for your distro of choice in the comments below.
As of build 800007075 Checkpoint no longer supports using the Native Client on the command line. This prevents scripting logins, and it also requires a full desktop where previously a headless server would do. Access is still possible, but only via the “SSL Network Extender“. This is a major pain as it requires (from my experience) an X server, Oracle Java, and the Firefox browser to run. Chrome gives this helpful message on the Java website:
The Chrome browser does not support NPAPI plug-ins and therefore will not run all Java content. Switch to a different browser (Firefox, Internet Explorer or Safari on Mac) to run the Java plug-in.
Despite all this, it still uses the native client but with the “unsupported” -Z option. Ah well.
With all the distributions I did the following:
- downloaded the most prominent ISO on offer at the project's main page
- used dd to transfer the image to a USB stick
- installed using full disk encryption
- applied all the patch fixes
- installed openssh-server.
Be warned now that your future is full of prompts like: This Connection is Untrusted, I Understand the Risks, Add Exception, Confirm Security Exception, Allow, Allow and Remember, Continue, Run, Allow, Trust Server, etc. etc. I found it useful to browse to the Verify Java Version site in Firefox to confirm that Java is working in the browser.
You will also need to know the URL, username and password for your own Checkpoint login site. It should be something like:
https://checkpoint.example.com/sslvpn/Login/Login
These instructions are going to be terse but the links provided should give you more information if needed.
Ubuntu 15.04 Vivid Vervet
We’re going to install a PPA to get Java, set the root password and install some additional 32-bit libraries that are needed to run the Checkpoint client.
sudo su -
passwd
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version
Pressing Connect on the login page will open an xterm window that downloads and runs the native client install.sh script. You will need to enter the root password you set earlier; sudo will not work.
Now finally try the Connect > Continue > Accept Key and you should get connected.
Linux Mint 17.2 “Rafaela”
Very similar to Ubuntu: we’re going to install a PPA to get Java, set the root password and install some additional 32-bit libraries that are needed to run the Checkpoint client.
sudo su -
passwd
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version
Unlike Ubuntu, however, the install via the browser did not work for me. You will need to go to your own login site:
https://checkpoint.example.com/sslvpn/Login/Login
Then select Settings > Edit Native Applications Settings > Download installation for Linux
Open a terminal and then run the snx_install.sh script from wherever you downloaded it (as root):
# sh +x ~/Downloads/snx_install.sh
Installation successfull
Now when you go back to the web site, your Connect button should work.
openSUSE 13.2
This is a distribution I haven’t used much before, but I decided to give it a try. Again, additional libraries were necessary to get snx to run; I also followed the openSUSE instructions to install Java.
zypper install libX11-6-32bit libXau6-32bit libxcb1-32bit glibc-devel libstdc++-devel libstdc++48-devel linux-glibc-devel
wget ftp://ftp5.gwdg.de/pub/opensuse/repositories/devel:/gcc/SLE-11/i586/libstdc++33-3.3.3-29.2.i586.rpm
rpm -ivh ./libstdc++33-3.3.3-29.2.i586.rpm
Then it was just a case of connecting to the website and pressing Connect.
Fedora 22
We have covered installing under Fedora 21 before, and the biggest problem was installing Oracle Java. Get the latest from http://www.java.com/en/download/linux_manual.jsp; I copied it to /usr/local/src, so adjust the paths below accordingly.
dnf update
dnf install libcanberra-gtk2.i686 pkgconfig.i686 /usr/local/src/jre-8u60-linux-x64.rpm
alternatives --install /usr/bin/java java /usr/java/latest/bin/java 200000
alternatives --install /usr/lib64/mozilla/plugins/libjavaplugin.so libjavaplugin.so.x86_64 /usr/java/latest/lib/amd64/libnpjp2.so 200000
alternatives --config java
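Every distribution above boils down to the same two prerequisites: the 32-bit libraries that the snx binary links against, and a working Java. The preflight script below is an added example (not part of the original post or of Check Point's installer) that checks both from the output of ldconfig -p and java -version, so the failure shows up in a terminal rather than behind a browser prompt. The library names are those from the apt, zypper and dnf commands above; the sample ldconfig and java output embedded in the script is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: preflight check for the SSL
# Network Extender prerequisites on any of the distributions covered above.
# Library sonames assumed from the package lists in the post.

SNX_NEEDED_LIBS="ld-linux.so.2 libstdc++.so.5 libpam.so.0 libX11.so.6"

# missing_32bit_libs LDCONFIG_OUTPUT [SONAME...]
# Prints every soname that has no 32-bit entry in the given `ldconfig -p` text.
# In the cache, 64-bit entries carry "x86-64" in the parenthesised flags and
# 32-bit entries do not, e.g. "libpam.so.0 (libc6) => /lib/i386-linux-gnu/libpam.so.0".
missing_32bit_libs() {
    _cache=$1; shift
    [ $# -eq 0 ] && set -- $SNX_NEEDED_LIBS
    for _lib in "$@"; do
        if ! printf '%s\n' "$_cache" | grep -F "$_lib (" | grep -v 'x86-64' | grep -q .; then
            printf '%s\n' "$_lib"
        fi
    done
}

# java_major_version JAVA_VERSION_OUTPUT
# Prints the major release from `java -version 2>&1`: 8 for "1.8.0_91", 11 for "11.0.2".
java_major_version() {
    _ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    case $_ver in
        1.*) printf '%s\n' "$_ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$_ver" | cut -d. -f1 ;;
    esac
}

# Constructed sample: a 64-bit host where only the 32-bit libpam has been installed.
SAMPLE_CACHE='libpam.so.0 (libc6,x86-64) => /lib/x86_64-linux-gnu/libpam.so.0
libpam.so.0 (libc6) => /lib/i386-linux-gnu/libpam.so.0
libX11.so.6 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libX11.so.6
ld-linux.so.2 (ELF) => /lib/ld-linux.so.2
libstdc++.so.6 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libstdc++.so.6'
SAMPLE_JAVA='java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)'

# On a real host use: missing_32bit_libs "$(ldconfig -p)"
#                 and: java_major_version "$(java -version 2>&1)"
echo "Missing 32-bit libraries:"
missing_32bit_libs "$SAMPLE_CACHE"
echo "Java major version: $(java_major_version "$SAMPLE_JAVA")"
```

If the first function prints anything, install the matching 32-bit package for your distribution before touching the browser; an empty list plus a Java 8 runtime is the combination the comments on this post report as working.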
Summary
I’m sorry if I haven’t covered your distribution in this round up. As I said at the beginning my requirements were pretty specific, but my time was limited. If you browse through the snx series here, you should be able to find out how you can get it running on your own distribution easily enough. This is what I had to do with openSUSE, for which I was a novice user. If not you can always drop me a line.
Having to run such a bloated and convoluted tool chain just to end up running the same application is very disappointing. I am also concerned that such an essential piece of business software is built using such old libraries, and that there is no 64-bit version.
I would like to hear if there is a way to get this plugin to run from the command line, or at least run without having a browser window open. If you have suggestions please comment below.
Thank you so much for posting this information. I went through a similar experience trying to get Check Point working on my Ubuntu laptop. The experience gave me enough concern that I switched to Windows 10 with Check Point Capsule VPN installed from the Windows Store running an Ubuntu guest VM that piggybacks my host’s VPN. A bit of an end-run around the issue I realize but the whole Firefox / Java / root password process seemed horribly brittle and a bad omen for things to come.
Hi Ken,
I’m running Ubuntu 14.04 LTS 64 bit. I’ve followed all your described steps, I’m connecting using Firefox. But anyway it is not connecting, Java console has following stack, I’ve replaced my information with my_, the rest I’ve left it as it is:
21/12/2015 03:14:19[Component] Trying to create socket to 127.0.0.1:5555
21/12/2015 03:14:19[Component] Could not connect
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:402)
at java.net.Socket.connect(Socket.java:591)
at java.net.Socket.connect(Socket.java:540)
at java.net.Socket.(Socket.java:436)
at java.net.Socket.(Socket.java:213)
at CpComponent.initPipe(CpComponent.java:96)
at SNXNMComponent.initPipe(SNXNMComponent.java:375)
at SNXNMComponent.checkCommunications(SNXNMComponent.java:449)
at SNXNMComponent.checkCommunications(SNXNMComponent.java:427)
at CpComponent.connect(CpComponent.java:131)
at ClientDirector.InstallAndConnectClient(ClientDirector.java:156)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at CpIs$1.run(CpIs.java:717)
at java.security.AccessController.doPrivileged(Native Method)
at CpIs.runPrivilegedMethod(CpIs.java:711)
at CShell.InitializeCShell(CShell.java:390)
at CShell.Initialize(CShell.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at sun.plugin.javascript.Trampoline.invoke(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MethodInfo.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MemberBundle.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke0(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$DefaultInvocationDelegate.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo.doObjectOp(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$LiveConnectWorker.run(Unknown Source)
at java.lang.Thread.run(Thread.java:747)
21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
21/12/2015 03:14:19[Launcher] Launching /usr/bin/snx -Z
21/12/2015 03:14:20[Component] Trying to create socket to 127.0.0.1:7776
21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
21/12/2015 03:14:20[SNXNetMode] Connection to SNX Network Mode is ok
21/12/2015 03:14:20[Component] Connecting…
21/12/2015 03:14:20[Proxy] detectProxy, name = my-server
21/12/2015 03:14:20[Proxy] detectProxy, proxyFullPath = /tmp/.proxy.ini
21/12/2015 03:14:20[Proxy] URI = https://my-server
21/12/2015 03:14:20[Proxy] about to get the system-wide proxy selector…
21/12/2015 03:14:20[Proxy] about select proxy list from the selector…
21/12/2015 03:14:20[Proxy] about iterate the proxy list…
21/12/2015 03:14:20[Proxy] about iterate the proxy #0…
21/12/2015 03:14:20[Proxy] about to get address from proxy…
21/12/2015 03:14:20[Proxy] no proxy – continue
21/12/2015 03:14:20[Proxy] done with the list – there is no proxy
21/12/2015 03:14:20[Messaging] Sending INIT_DATA message:
21/12/2015 03:14:20[Messaging] Gateway IP: my.ip
21/12/2015 03:14:20[Messaging] Gateway name: my-server
21/12/2015 03:14:20[Messaging] Gateway port: 443
21/12/2015 03:14:20[Messaging] Proxy IP: 0.0.0.0
21/12/2015 03:14:20[Messaging] Proxy port: 0
21/12/2015 03:14:20[Messaging] Server CN: my-server
21/12/2015 03:14:20[Messaging] User Name: my-user
21/12/2015 03:14:20[Messaging] Server fingerprint: my_fingerprint
21/12/2015 03:14:20[Messaging] Automatic proxy replacement: true
21/12/2015 03:14:20[CShell] Initialized successfully
It writes that Initialization passes successfully. But there are two different messages:
21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
***
21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
Or it work or doesn’t.
The main problems is that the Firefox shows:
Connection Mode:
Status: Connecting…
Gateway ID:
Office Mode IP:
Duration: 0 Days 00:00:00
Remaining Time: 0 Days 00:00:00
Please help me.
Best regards
After working through the issues Artiom got back with the message: “Issue was fixed by Oracle. Users should upgrade to the last Java Version.”
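The Java console output quoted in the comment above is the only place the applet says what it actually did, and the first "Could not connect" on port 5555 is normal: it happens before the applet launches /usr/bin/snx -Z itself. The script below is an added example (not from the original post or Check Point) that reads that console format and answers two questions: did the applet end up with a working SNX Network Mode socket, and which gateway identity and fingerprint was handed to snx. The sample lines are constructed to match the format of the quoted log.

```shell
#!/bin/sh
# Added example, not from the original post: a reader for the CShell applet's
# Java console output. Line format assumed from the log quoted in the comments.

# snx_netmode_status CONSOLE_LOG
# Prints "connected:<port>" when the applet reported a working SNX Network Mode
# socket, otherwise "not-connected". The port is the one from the most recent
# "Trying to create socket" line before the success message.
snx_netmode_status() {
    printf '%s\n' "$1" | awk '
        /\[Component\] Trying to create socket to/ { n = split($NF, a, ":"); port = a[n] }
        /\[SNXNetMode\] Successfully connected/    { status = "connected:" port }
        END { print (status == "" ? "not-connected" : status) }'
}

# snx_init_field CONSOLE_LOG FIELD
# Prints the value of one INIT_DATA field, e.g. "Server CN" or "Server fingerprint".
snx_init_field() {
    printf '%s\n' "$1" | sed -n "s/^.*\[Messaging\] $2: //p" | tail -n 1
}

# Constructed sample in the format of the quoted console log (placeholder values).
SAMPLE_CONSOLE='21/12/2015 03:14:19[Component] Trying to create socket to 127.0.0.1:5555
21/12/2015 03:14:19[Component] Could not connect
21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
21/12/2015 03:14:19[Launcher] Launching /usr/bin/snx -Z
21/12/2015 03:14:20[Component] Trying to create socket to 127.0.0.1:7776
21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
21/12/2015 03:14:20[Messaging] Sending INIT_DATA message:
21/12/2015 03:14:20[Messaging] Gateway name: vpn.example.com
21/12/2015 03:14:20[Messaging] Server CN: vpn.example.com
21/12/2015 03:14:20[Messaging] Server fingerprint: EXAMPLE FINGERPRINT WORDS
21/12/2015 03:14:20[CShell] Initialized successfully'

echo "SNX network mode: $(snx_netmode_status "$SAMPLE_CONSOLE")"
echo "Gateway CN:       $(snx_init_field "$SAMPLE_CONSOLE" 'Server CN')"
echo "Fingerprint sent: $(snx_init_field "$SAMPLE_CONSOLE" 'Server fingerprint')"
```

Paste the console text into a file and pass its contents to the functions. A "not-connected" result with no "Launching /usr/bin/snx -Z" line means the applet never got as far as starting the native client; and the fingerprint the applet reports is the one you are being asked to trust, so compare it with the value your gateway administrator published rather than clicking through the "trust server" prompt.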
Have you ever managed to make it work in Debian Jessie? I have been struggling with it for quite a while now and I do not seem to manage! The answers were perfect for my Ubuntu laptop, but I am struggling with it on my Debian workstation.
After some time Delia and I worked out the following.
dpkg --add-architecture i386
apt-get update
apt-get install libpam0g:i386 libstdc++5:i386 libx11-6:i386
snx
Thank you so much for the Debian instructions! My company has a VPN, and they only provide instructions for Ubuntu 11.10 (and with the already obsoleted library ia32-libs).
Now I have just connected from my Linux Mint Debian Edition laptop.
I will recommend your instructions for my colleagues (as one’s sole risk, sure).
Best regards and keep up,
Emerson
Thanks a lot for this article. I managed to get it working with Fedora 23.
Hello,
Which Java version worked exactly for Artiom? Java 8.0.91/92 seems to have exactly the same issue as Artiom reported, as well as Java 9.
Thanks!
$ java -version
java version “1.8.0_91”
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)
Seb got back to me to say that “The issue was user rights on linux to create sockets. “
Good resources!
I have managed to install it easily however the VPN network I am in need for connecting to is having a two-phase authentication using sms messages after answering the password. With snx I can access the network, send the password and username and their system sends me an SMS with the code – however I see no place where I can write this code into the terminal after this as the snx just drops me to the command prompt telling that the authentication is failed. I see there is a reauth option in the .snxrc, but it seems that this is not for this thing or is it? I cannot try this option right now as I do not want them to lock me out because of trying too many times or something as this is not only my user name… I will try it though…
Anyways. Has anyone any idea on what to do in case of needing to enter sms codes or is it an alternative to snx for this case that works on linux??? I can use a virtual box for accessing the VPN and move data in-between the linux host and the virtual machine, but this is cumbersome and I do not even want any micro$oft stuff around me anyways….
After months of using the tunnel from a Windows host, it stopped working abruptly and I was blocked from critical day-job duties.
With the help of your articles I was able to get a setup working on a Gentoo host, and it runs more smoothly than the Windows setup ever did (fewer warnings anyway). Thanks for publishing this.
I wrote up my findings on the wiki for other Gentoo users: https://wiki.gentoo.org/wiki/SSL_Network_Extender
Take a look, it’s not all distro-specific. And thanks again!
I use snx command on Fedora 24 and it always show the following error:
[richard@vina ~]$ snx -s nanpao-vpn -u vpnuser
Check Point’s Linux SNX
build 800007102
Please enter your password:
SNX: Authentication failed
But I can create VPN via Firefox. What is the problem? Thank you for your support.
As I say in the article “As of build 800007075 Checkpoint no longer support using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop when we were able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender“. ”
So please contact CheckPoint and voice your frustration.
I feel like I should post this somewhere and this is probably where someone might find it. I also have not been able to run snx and have been using SSL Network Extender using firefox and icedTea plugin with openJDK7. It stopped working the other day. The only solution I could find was ditching icedTea/openJKD and going to oracle-java8 which fixed the network extender.
Thanks for the tip.
I try to use the SSL network extender (and not the snx_install.sh version), but during the authentication a terminal window pops up, asking for root password (it is the snx_install.sh that is run by some automatism). Of course the authorization fails, and the web client immediately tells me that auth failed.
Is there a way to prevent snx_install.sh to run?
Under Fedora 25 this post can help: http://www.linuxquestions.org/questions/linux-server-73/howto-install-32-bit-libraries-on-64-bit-linux-using-yum-505352/
Thank you for your clear instructions!!
Hi Ken,
It seems with the newly released version of Firefox 52 and Java 9, the java browser plugin has been deprecated, leaving linux Firefox users of the checkpoint SSL VPN client SOL.
I’d much prefer to not have to roll back Firefox and Java.
Any ideas you might have would be greatly appreciated.
I found a working solution that doesn’t require any browser or java.
openconnect --juniper supports Pulse Connect as of v7.08.
http://www.infradead.org/openconnect/index.html
Works like a charm for me (I’m using Linux Mint).
Followed this blog post for quite some time. Thanks Ken for your leg work! Based on your instructions and some of my own hacking I have been using SNX/VPN via linux in almost a every version of Fedora since like 15 or 16 (up to and including F25).
Firefox 52+ is moving away from NPAPI (much like google-chrome did some time ago).
NPAPI is the older netscape plugin api — and the java applet stuff uses NPAPI. Transitively, so does the CheckPoint VPN/SNX stuff.
For recent versions of FFX; you can re-enable the NPAPI (java applets and other plugins) via a simple FFX registry tweak. Read about it here (among many other places): http://stupidfredtricks.blogspot.com/
AND
Oracle Java 1.8.0 131, which was recently released has tweaked something in the whole applet world too. This breaks the SNX connector applet. I don’t know for certain but I think it has to do with how checkpoint signs their applet (this is one of the security fixes addressed in the 131 JDK/JRE).
For now — maybe don’t use 131 for your applets and checkpoint. 121 is still working well for me (FFX 52, Fedora 25, etc..).
Follow up regarding JDK 1.8.0 131.
CShell.jar is the applet that ‘runs’ and is command/control for the snx. For my vpn the cshell that is served up by our checkpoint thing was signed using old-school signing:
———-
– Signed by “CN=Check Point Software Technologies Ltd., OU=Digital ID Class 3 – Java Object Signing, O=Check Point Software Technologies Ltd., L=Tel-Aviv, ST=Israel, C=IL”
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key
Timestamped by “CN=GeoTrust 2048-bit Timestamping Signer 1, O=GeoTrust Inc, C=US” on Tue Aug 30 11:16:58 UTC 2016
Timestamp digest algorithm: SHA-1
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
—————–
Our network peeps got some patch from checkpoint (addressing 1.8.0 131 compatibility). Now cshell is signed like so (and works with 131):
—————–
Timestamped by "CN=GlobalSign TSA for Standard – G2, O=GMO GlobalSign Pte Ltd, C=SG" on Wed Apr 26 08:31:16 UTC 2017
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
– Signed by "CN=Check Point Software Technologies Ltd., OU=Digital ID Class 3 – Java Object Signing, O=Check Point Software Technologies Ltd., L=Tel-Aviv, ST=Israel, C=IL"
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamped by "CN=GlobalSign TSA for Standard – G2, O=GMO GlobalSign Pte Ltd, C=SG" on Wed Apr 26 08:30:54 UTC 2017
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
jar verified.
—————–
HTH!
Firefox 52 ESR still allows java plugins. Checkpoint is supposed to have a replacement solution out in Q2 2017.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113410
Thanks Ken, and thanks to everyone on this thread for your hard work and suggestions. I can confirm that Java 8u131 doesn’t work on CentOS 6, and that you need to use Java 8u121 instead.
I put together a Vagrantfile for anyone who might be interested: https://gist.github.com/jeffbonhag/72f1749e85dc63fd9bd1b88a47e9050d
Cheers!
I was able to connect in Ubuntu 17.04 using Firefox ESR (52.2.1esr) and installing the following dependencies.
sudo apt-get install libpam0g:i386 libstdc++5:i386
https://www.mozilla.org/en-US/firefox/organizations/
Hello,
For those having problems to connect with JAVA version >= 1.8.0.121, the problem resides in the way the .jar applet is signed. After this version the algorithm MD5 is no longer accepted as signed and the applet is treated as unsigned. Because of this JAVA tries to execute the applet in a sandbox which is not supported.
You should ask your company tech support to change the way they sign the applet.
For a workaround you can change the security configuration. (This weakens security!!)
– Find your JAVA path, and under /lib/security edit the file java.security.
– Look for this entry: jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
– Remove the MD5. (jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1)
Now you should be able to connect again.
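The two comments above describe the same root cause from both ends: the jarsigner output shows CShell.jar signed with MD5withRSA, and the java.security workaround re-enables MD5 for jar signing on every applet, not just this one. The script below is an added example (not from the original post or Check Point) with two checks a practitioner can run: one reads jarsigner's verify output and reports whether the jar still carries a weak signature, the other parses a java.security file and reports whether MD5 is still in jdk.jar.disabledAlgorithms, so a weakened JRE can be found and reverted once the gateway serves a re-signed jar. Both sample inputs are constructed; the java.security path in the usage comment is an assumption for a typical JRE 8 layout.

```shell
#!/bin/sh
# Added example, not from the original post: detect a weak CShell.jar signature
# and a weakened java.security, so the MD5 relaxation is only ever temporary.

# weak_jar_signature JARSIGNER_OUTPUT
# Reads the output of `jarsigner -verify -verbose -certs CShell.jar` and prints
# each "Signature algorithm" line that jarsigner flagged as weak. Exit status 0
# when a weak algorithm was found, 1 when the signature is clean.
weak_jar_signature() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*Signature algorithm:.*\(weak\)'
}

# md5_jar_signing_disabled JAVA_SECURITY_TEXT
# Parses jdk.jar.disabledAlgorithms from a java.security file (assumed to be on
# one line, as in the comment above). Returns 0 if MD5 is still disabled (the
# shipped default), 1 if it has been removed.
md5_jar_signing_disabled() {
    _algs=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*jdk\.jar\.disabledAlgorithms[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1)
    printf '%s\n' "$_algs" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx 'MD5'
}

# Constructed sample modelled on the jarsigner output quoted above.
SAMPLE_JARSIGNER='- Signed by "CN=Check Point Software Technologies Ltd., OU=Digital ID Class 3 - Java Object Signing, O=Check Point Software Technologies Ltd., L=Tel-Aviv, ST=Israel, C=IL"
    Digest algorithm: SHA1
    Signature algorithm: MD5withRSA (weak), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024'

# Constructed java.security fragments: the shipped default and the weakened one.
SAMPLE_SECURITY_DEFAULT='jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024'
SAMPLE_SECURITY_WEAKENED='jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024'

# Real use (assumed JRE 8 layout):
#   weak_jar_signature "$(jarsigner -verify -verbose -certs CShell.jar)"
#   md5_jar_signing_disabled "$(cat "$JAVA_HOME/lib/security/java.security")"
if weak_jar_signature "$SAMPLE_JARSIGNER"; then
    echo "CShell.jar carries a weak signature: ask the gateway owner for a re-signed jar"
fi
if md5_jar_signing_disabled "$SAMPLE_SECURITY_WEAKENED"; then
    echo "java.security still disables MD5 for jar signing"
else
    echo "java.security has MD5 re-enabled for jar signing: revert once a re-signed jar is served"
fi
```

Run the first check against the CShell.jar your gateway serves (Firefox keeps it in the Java deployment cache; jarsigner ships with the JDK) and the second against every java.security on the machine. Only the jar the gateway signs needs fixing; the client-side edit is a stopgap that should disappear with the next Check Point patch.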
Thanks for the details. I’ve gotten Checkpoint running on my Fedora 25 system so here’s a few notes on what I found in addition to what’s noted above:
1) Use an older version of JRE – I had to drop back to 92 for mine to work.
2) Use Firefox 52 ESR – installing older non-ESR versions works, once. Then they update themselves to a newer version that won’t run Java and subsequent login attempts will fail.
3) Don’t forget to install the libstdc++.so.5 that SNX requires. This is available thru the compat-libstdc++-33-3.2.3-68.16.fc25.i686 package.
Thank you so much for all the help, from the post to all the comments. I was able to run it with Fedora 27, FFX 52.0ESR, disabling updates, setsebool -P unconfined_mozilla_plugin_transition 0, yum install /lib/ld-linux.so.2 libX11.so.6 libpam.so.0 libstdc++.so.5 xterm, adding the key plugin.load_flash_only=false in Firefox with about:config and using JRE 1.8.0.92.
Great Tip = Thanks
First, huge thanks go out to the author and all the contributors. Just wanted to chime in and confirm my functioning environment. I am running Ubuntu Bionic (18.04.1 LTS), Firefox ESR (52.9.0), and Oracle JRE (build 1.8.0_181-b13).
I installed Firefox using the ppa:mozillateam/ppa (sudo apt-get install firefox-esr) and, as the original post noted, JRE from the ppa:webupd8team/java (apt-get install oracle-java8-set-default), and support packages apt-get install libstdc++5:i386 libpam0g:i386 libx11-6:i386.
Unlike the Ubuntu 15.04 notes in the original post, clicking Connect (after logging in) did not open an xterm and run the installer. My experience was in fact similar to the Linux Mint 17.2 notes in the original post. I had to download the snx_install.sh file under Settings > Edit Native Applications Settings > Download installation for Linux. As noted, sh +x installed the right files, and clicking Connect worked like a charm.