VPN SSL Network Extender in Firefox

Ultimately, I decided to settle on authenticating with Firefox+Java (and then later on, changed my mind, see the related link at the bottom). The VM itself does not run Java nor a graphical interface, and I am running Firefox on a remote X server on my notebook when I need to connect to our corporate network.

The procedure is roughly:

1) Installing Firefox
2) Downloading the snx Linux client installation after logging in to the Web VPN client interface
3) Installing JDK
4) After everything is installed, accessing the VPN URL in Firefox each time you need to use the VPN.
5) Closing the VPN via Firefox

As for the actual steps guide:

1) After some tests, it is evident the latest firefox version does not cut it running the Java applet.

Firefox 52 and above

Beginning with Firefox 52 (released March 2017), plug-in support is limited to Adobe Flash, and drops support for NPAPI, impacting plugins for Java, Silverlight, and other similar NPAPI based plugins.

So after testing a couple of older Firefox versions, I settled on Firefox 48, which will be used just to log in to the VPN. I downloaded it from the Firefox archives.

So in your target directory, do:

tar -jxvf firefox-48.0.tar.bz2

Then do:

cd firefox

To prevent it from updating to a more recent version the first time you run on this directory:

sudo touch updates
sudo chattr +i updates

Note: the first time you run it, you also disable updates either with:

  • menu icon->Preferences->Advanced->Updates

or:

  • opening the URL about:preferences#advanced

and in "Firefox Updates" select the radio button: "Never check for updates"

2) If in the VPN, to get the installation file, do:

wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh 

Alternatively, download the application from the Web VPN interface, in "Settings->Edit Native application settings SSL Network Extender: Download Installation for Linux"

That will get you a snx_install.sh file.

You also need to select: "When signing-in launch SSL Network Extender:" change it to "automatically".

Run then:

chmod a+rx snx_install.sh
sudo ./snx_install.sh

You will now have a /usr/bin/snx 32-bit client binary executable. Check what dynamic libraries are missing with:

sudo ldd /usr/bin/snx

For Debian, you might need:

sudo dpkg --add-architecture i386
sudo apt-get update    

I had to install the following:

sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386

Check again if any dynamic libraries are missing (if any) with:

sudo ldd /usr/bin/snx

You can only proceed to the following point when all the dependencies are satisfied, as the Java applet uses snx behind the scenes.

3) After several unsuccessful iterations and web crawling, I found that Java 6 from Sun needs to be installed, so I got jdk-6u45-linux-x64.bin from the Oracle site.

To install it do as root:

mkdir /usr/java
mv jdk-6u45-linux-x64.bin /usr/java
cd /usr/java
chmod a+rx jdk-6u45-linux-x64.bin
./jdk-6u45-linux-x64.bin

We won't configure the whole system to use this Java version, as it is too old, just enough to use Java with Firefox later on:

sudo mkdir -p /usr/lib/mozilla/plugins
sudo ln -s /usr/java/jdk1.6.0_45/jre/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so

Now the Java installation is finished.

4) Finally, to run firefox as a regular user do:

./firefox

If the Java Applet/SSL Network Extender does not launch itself after authentication, do "Native Applications->Connect". It will open a popup/Java Window. Wait for "Status: connected".

You can then close the main Firefox window.

After the VPN is established, you can check with ip address or ifconfig that you now have a tunsnx interface:

$ ip addr show dev tunsnx
14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
       valid_lft forever preferred_lft forever
    inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

ip route will show you also new routes going through the tunsnx interface.

For extra convenience, you can define the URL of the WebVPN as your home page.

5) To close the VPN, you either press the "Disconnect" button in the Java popup, or close/kill Firefox.

See related: getting Checkpoint VPN SSL Network Extender working in the command line
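
An added example, not part of the original answer or of Check Point's tooling: step 2 fetches snx_install.sh with certificate verification disabled and then runs it as root, so this script gates the install on a SHA-256 value obtained out-of-band (for example from the VPN administrator) and lists the libraries that ldd reports as not found. The function names, the script name check_snx.sh and the sample ldd output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: gate the root install of snx_install.sh on a SHA-256 obtained
# out-of-band, and list libraries that ldd reports as "not found".

# verify_installer FILE EXPECTED_SHA256
# 0 = digest matches, 1 = mismatch, 2 = bad input (missing file / malformed hash)
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 hex digits" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ] && return 0
    echo "hash mismatch for $file: got $actual" >&2
    return 1
}

# missing_libs: read ldd output on stdin, print the unresolved library names
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Constructed sample of `ldd /usr/bin/snx` output before the i386 packages
# are installed (addresses and paths are illustrative).
sample_ldd_output() {
    cat <<'EOF'
    linux-gate.so.1 (0xf7f0a000)
    libX11.so.6 => not found
    libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xf7ec0000)
    libstdc++.so.5 => not found
    libpam.so.0 => not found
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7cd0000)
EOF
}

# Usage (hypothetical script name): ./check_snx.sh snx_install.sh <sha256>
if [ "$#" -eq 2 ]; then
    verify_installer "$1" "$2" || exit 1
    echo "hash OK: $1"
    # ldd needs no root; this only reports once /usr/bin/snx is installed
    if [ -x /usr/bin/snx ]; then ldd /usr/bin/snx | missing_libs; fi
fi
```

The three names printed for the sample correspond to the libstdc++5:i386, libx11-6:i386 and libpam0g:i386 packages installed in step 2.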


To use the latest version of Firefox, once you have installed snx_install.sh and cshell_install.sh, open https://localhost:14186/id in a separate Firefox tab and add a Security Exception for site "https://localhost:14186/". Once the exception is added, you will see a unique identifier in HEX format. You can now close this tab and try to connect again.