Since EAP2 Checkpoint Mobile VPN connections (TCP 443 and UDP 4500) from LAN to WAN aren't possible.
Regardless if exceptions for the remote host are configured or not. SSL/TLS log says "Do not decrypt", but the only way to get the connection working is to disable SSL/TLS inspection completly. (It takes a few hours for me to find the point ...)
I believe that "Do not decrypt" means not "Do not modify connection".
Is it a bug or a feature?
Chris
