SSL Network Extender

Checkpoint Solutions' proprietary VPN Firewall solution is called SSL Network Extender. This article documents the manual setup required to properly tunnel into this firewall from a Gentoo Linux host.

To access the VPN from a Linux host, a user logs into a web site using Firefox, then launches a Java applet, which runs a pre-installed local binary (snx) which initiates and configures the tunnel. The setup is elaborate and runs a setuid-root binary, so only attempt this if you trust the firewall server and its administrator, and if you are otherwise confident in the security of the Gentoo host.

Download the client install script
The client software is only available for download from the firewall appliance itself. The VPN administrator must provide a URL (something like https://vpn.example.com/Login/Login ) and credentials.

Log in and click the Settings link.



There is a link to download the software. Click to save the file locally.



Install the client software
There is currently not an ebuild for snx. Run the install script as root.

The script installs and also. The main binary is setuid-root, which means that when a non-privileged user runs it, it will run as the root user. Generally this is ill-advised for a system's security, but it is done here so that a normal user can trigger setting up the tunnel.

This binary is also 32-bit and will have linkage errors until the required libraries are installed.

For the three missing linkages it is possible to deduce the packages (with dependencies) that must be installed with 32-bit versions. Configure the necessary changes in package.use.

Now the missing libs can be installed.

and the linkage is fixed

Note that while it is now possible to run directly at the command line, it will not result in a successful login. In recent versions it will only work when run as intended, from the browser.

Kernel setup
The binary attempts to fork the command   and expects a successful exit code. Therefore, CONFIG_TUN must be compiled as a module.

Browser and java plugin
Chrome/Chromium no longer support the NPAPI required to call native programs, which leaves Firefox as a required browser.

Firefox must launch a java applet. One document on the web stated that Oracle's JRE is required, and a different document suggested that OpenJDK is acceptable. This document's author tested using Oracle. Be sure to enable the  use flag. Before trying to log into the tunnel, run a web search for java test applets and be sure that Firefox is generally successful at launching applets.

Tunnel connection
The system should now be ready to connect to the tunnel. Press the Connect button in the browser.



There will be a variety of trust warnings to click through. The applet will even prompt for your root password and appear to install the binary again. The connection should succeed, however, and subsequent connections will trigger fewer warnings.

External Resources

 * https://www.checkpoint.com/products-solutions/next-generation-firewalls/enterprise-firewall/
 * http://kenfallon.com/checkpoint-snx-install-instructions-for-major-linux-distributions/