Remote Access to the Network

Overview

Check Point Mobile Access Software Blade extends the functionality of a Firewall and lets remote users easily and securely use the Internet to connect to internal networks. Remote users start a standard HTTPS request to the Mobile Access Security Gateway. They can then authenticate with multiple options such as: user name/password, certificates, or SecurID.

SmartDashboard lets you easily create user groups and give the users access to the applicable applications. These are some of the different corporate applications that users can access:

• Web applications - A set of URLs that are accessed with an Internet browser. For example: inventory management or HR management applications.
• File share - A collection of files that are available with a specified protocol, such as SMB for Windows. Users can read, write, and delete files that are stored on the network.
• Citrix clients - Users can connect to internal XenApp servers.
• Web mail services - Mobile Access provides a front end for email servers that support IMAP and SMTP protocols. You can also configure other Web-based mail services, such as OWA (Outlook Web Access) and iNotes (IBM Lotus Domino Web Access).

For more about using the Mobile Access Software Blade, see R76 Mobile Access Administration Guide.

Check Point Mobile Access Solutions

Check Point Mobile Access has a range of flexible clients and features that let users access internal resources from remote locations. All these solutions include these features:

• Enterprise-grade, secure connectivity to corporate resources
• Strong user authentication
• Granular access control

For more information about the newest versions of Mobile Access solutions and clients, go to sk67820.

Client-Based vs. Clientless

Check Point remote access solutions use IPsec and SSL encryption protocols to create secure connections. All Check Point clients can work through NAT devices, hotspots, and proxies in situations with complex topologies, such as airports or hotels. These are the types of installations for remote access solutions:

• Client-based - Client application installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer. The client supplies access to most types of corporate resources according to the access privileges of the user.
• Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.
• On demand client - Users connect through a web browser and a client is installed when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.

Mobile Access Clients

• Check Point Mobile - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
• Mobile VPN - A full L3 tunnel app that gives users network access to all mobile applications.
• Check Point Mobile for Windows - A Windows IPsec VPN client that supplies secure IPsec VPN connectivity and authentication.

Mobile Access Web Portal

The Mobile Access Portal is a clientless SSL VPN solution that supplies secure access to web-based resources. After users authenticate to the portal, they can access Mobile Access applications such as Outlook Web App and a corporate wiki.

SSL Network Extender

SSL Network Extender is an on-demand SSL VPN client and is installed on the computer or mobile device from an Internet browser. It supplies secure access to internal network resources.

Configuring Remote Access to Network Resources

Sample Mobile Access Workflow

This is a high-level workflow to configure remote access to the internal applications and resources.

1. Use SmartDashboard to enable the Mobile Access Software Blade on the Security Gateway.
2. Follow the steps in the Mobile Access Configuration wizard to configure these settings:
   • Select mobile device access clients
   • Define the Mobile Access portal
   • Define the web applications, for example Outlook Web App
   • Connect to the AD server for user information
3. For VPN clients, add Firewall rules to allow the mobile device connections.
4. Optional: Distribute client certificates to authenticate the mobile users.

   For R76 and higher, use the Certificate Creation and Distribution Wizard.

5. Users download the Check Point Mobile app.
6. Users open the Check Point Mobile app and enter the Mobile Access Site Name and necessary authentication, such as user name and password.

Sample Mobile Access Deployment

This is a sample deployment of a Mobile Access Security Gateway with an AD and Exchange server in the internal network.

In this sample Mobile Access deployment, a mobile device uses a Mobile Access tunnel to connect to the internal network. The Mobile Access Security Gateway decrypts the packets and authenticates the user. The connection is allowed and the mobile device connects to the internal network resources.

Using the Mobile Access Configuration Wizard

This procedure describes how to enable and configure the Mobile Access Software Blade on a Security Gateway with the Configuration wizard. For this sample configuration, the AD user group Mobile_Access contains all the users that are allowed to connect to the internal network. The deployment is based on the Sample Mobile Access Deployment.

This configuration lets these clients connect to internal resources:

• Android and iOS mobile devices
• Windows and Mac computers
• Internet browsers can open a SSL Network Extender connection to the internal network

To configure Mobile Access:

1. In SmartDashboard, from the Network Objects tree, double-click the Security Gateway.

   The General Properties window opens.

2. In Network Security, select Mobile Access.

   The Mobile Access page of the Mobile Access Configuration Wizard opens.

3. Configure the Security Gateway to allow connections from the Internet and mobile devices. Select these options:
   • Web
   • Mobile Devices - Business Secure Container and VPN Client
   • Desktops - With compliance check
4. Click Next.

   The Web Portal page opens.

5. Enter the primary URL for the Mobile Access portal. The default is https://<IPv4 address of the gateway>/sslvpn.
6. Click Next.

   The Applications page opens.

7. Configure the applications that are shown:
   1. In Web Applications, make sure Demo web application is selected.
   2. In Mail/Calendar/Contacts, enter the domain for the Exchange server and select these options:
      • Check Point Secure Mail
      • ActiveSync Applications
      • Outlook Web App

      The Mobile Access portal shows links to the Demo web and Outlook Web App applications. The client on the mobile device shows links to the other applications.

8. Click Next.

   The Active Directory page opens.

9. Select the AD domain and enter the user name and password.
10. Click Connect.

    The Security Gateway makes sure that it can connect to the AD server.

11. Click Next.

    The Users page opens.

    Click Add and then select the group Mobile_Access.

12. Click Next and then click Finish.

    The Mobile Access Configuration Wizard closes.

13. Click OK.

    The Gateway Properties window closes.

Allowing Mobile Connections

The Mobile Access Configuration Wizard, enables and configures the Mobile Access Software Blade. It is necessary to add Firewall rules to allow connections from the VPN clients on the computers and devices. Create a Host Node object for the Exchange server, all of the other objects are predefined.

All connections from the RemoteAccess VPN community to the Exchange server are allowed. These are the only protocols that are allowed: HTTP, HTTPS, and MSExchange. This rule is installed on the MobileAccess_Gateway Security Gateway.

Defining Access to Applications

Use the Policy page to define rules that let users access Mobile Access applications. The applications that are selected in the Configuration wizard are automatically added to this page. You can also create and edit the rules that include these SmartDashboard objects:

• Users and user groups
• Mobile Access applications
• Mobile Access Security Gateways

Sample Mobile Access Policy

The Mobile Access rule lets the users in the Mobile_Access AD group access these applications on the Tokyo_Gateway:

• OWA - Outlook Web Access
• Mobile Secure Mail - Check Point Mobile clients can connect to the Exchange mail server to use email applications
• Access_My_PC - Remote Desktop application
• Corporate_Portal - Connect to the internal corporate web portal
• ActiveSync App - Connect to the Exchange mail server to use email applications such as Outlook

Activating Single Sign On

Enable the SSO (Single Sign On) feature to let users authenticate one time for applications that they use during Mobile Access sessions. The credentials that users enter to log in to the Mobile Access portal can be re-used automatically to authenticate to different Mobile Access applications. SSO user credentials are securely stored on the Mobile Access Security Gateway for that session and are used again if users log in from different remote devices. After the session is completed, the credentials are stored in a database file.

By default, SSO is enabled on new Mobile Access applications that use HTTP. Most Web applications authenticate users with specified Web forms. You can configure SSO for an application to use the authentication credentials from the Mobile Access portal. It is not necessary for users to log in again to each application.

To configure SSO:

1. In the Mobile Access tab, select Additional Settings > Single Sign On.

   The Single Sign On page opens.

2. Select an application and click Edit.

   The application properties window opens and shows the Single Sign On page.

3. For Web form applications, do these steps:
   1. In the Application Single Sign On Method section, select Advanced and click Edit.

      The Advanced window opens.

   2. Select This application reuses the portal credentials. Users are not prompted.
   3. Click OK.
   4. Select This application uses a Web form to accept credentials from users.
   5. Click OK.
4. Install the policy.

Connecting to a Citrix Server

Citrix Services

The Mobile Access Software Blade integrates the Firewall Citrix clients and services. It is not necessary to use STA (Secure Ticketing Authority) servers in a Mobile Access Security Gateway deployment because Mobile Access uses its own STA engine. You can also use Mobile Access in a deployment with STA and CSG (Citrix Secure Gateway) servers.

The Mobile Access server certificate must use a FQDN (Fully Qualified Domain Name) that is issued to the FQDN of the Mobile Access Security Gateway.

Sample Deployment with Citrix Server

This is a sample deployment of a Mobile Access Security Gateway and a Citrix web server in the DMZ. The Citrix XenApp server is connected to the internal network.

Configuring Citrix Services for Mobile Access

This procedure describes how to configure Mobile Access to let remote users connect to Citrix applications. The deployment is based on the Sample Deployment with Citrix Server.

To configure Citrix services:

1. In the Mobile Access tab, select Endpoint Security on Demand > Applications > Citrix Services.
2. Click New.

   The General Properties page of the Citrix Service window opens.

3. Enter the Name for the Citrix server object.
4. From the navigation tree, click Web Interface.
5. Create a new object for the Citrix web interface server, in Servers, click Manage > New > Host.

   The Host Node window opens.

6. Enter the settings for the Citrix web interface server and the click OK.
7. In Services, select one or more of these services that the Cirtrix web interface server supports:
   • HTTP
   • HTTPS
8. From the navigation tree, click Link in Portal.
9. Configure the settings for the link to the Citrix services in the Mobile Access portal:
   • Link text - The text that is shown for the Citrix link
   • URL - The URL for the directory or subdirectory of the Citrix application
   • Tooltip - Text that is shown when the user pauses the mouse pointer above the Citrix link
10. From the navigation tree, select Additional Settings > Single Sign On.
11. Enable Single Sign On for Citrix services, select these options:
    • Turn on single Sign On for this application
    • Prompt users for their credentials
12. Click OK.

    The Citrix server object is added to Defined Citrix Services.

13. From the Mobile Access navigation tree, select Policy.
14. Add the Citrix services object to the applicable rules.
    1. Right-click on the Applications cell of a rule and select Add Applications.
    2. Select the Citrix services object.
15. Install the policy.

Endpoint Compliance Check

The Mobile Access Software Blade lets you use the Endpoint Security on Demand feature to create compliance policies and add more security to the network. Mobile devices and computers are scanned one time to make sure that they are compliant before they can connect to the network.

The Endpoint Compliance scanner is installed on mobile devices and computers with ActiveX (for Internet Explorer on Windows) or Java. The scan starts when the Internet browser tries to open the Mobile Access Portal.

Compliance Policy Rules

The Endpoint Compliance policy is composed of different types of rules. You can configure the security and compliance settings for each rule or use the default settings.

These are the rules for an Endpoint Compliance policy:

• Windows security - Microsoft Windows hotfixes, patches and Service Packs.
• Anti-spyware protection - Anti-spyware software.
• Ant-virus protection - Anti-virus software version and virus signature files.
• Firewall - Personal firewall software.
• Spyware scan - Action that is done for different types of spyware.
• Custom - Compliance rules for your organization, for example: applications, files, and registry keys.
• OR group - A group of the above rules. An endpoint computer is compliant if it meets one of the rules in the group.

Creating an Endpoint Compliance Policy

The default setting for Endpoint Security on Demand is that all endpoint computers cannot log in to the Mobile Access portal until they are compliant with the Endpoint Compliance policy. Use the Policies window to create or edit an Endpoint Compliance policy.

This procedure shows how to configure a sample policy for company laptop computers.

To create an Endpoint Compliance policy:

1. In the Mobile Access tab, select Endpoint Security on Demand > Endpoint Compliance.
2. Click Edit policies.

   The Policies window opens.

3. Click New Policy.

   The Policies > New Policy window opens.

4. Enter the Name and Description for the policy.
5. Click Add.

   The Add Enforcement Rules window opens.

6. Select the rules for the policy.

   These are the rules for the sample laptop computer policy:

   • Default Windows Security rule
   • High security Anti-Spyware applications check
   • High security Anti-Virus applications check
   • High security spyware scan
   • Medium security Firewall applications check
7. Click OK.

   The Policies > Edit Policy window shows the rules for the policy.

8. Select Bypass spyware scan.

   When this feature is selected, the scan for endpoint computers that are compliant with the Anti-Virus or Anti-Spyware settings is changed. These computers do not scan for spyware when they connect to a Mobile Access Security Gateway.

9. Click OK.

   The Policies window opens.

10. Click OK.

Configuring Compliance Settings for a Security Gateway

The Firewall on a Mobile Access Security Gateway only allows access to endpoint computers that are compliant with the Endpoint Compliance policy.

This procedure shows how to configure the Laptop Computer policy for a Security Gateway.

To configure the Endpoint Compliance settings:

1. In the Mobile Access tab, select Endpoint Security on Demand > Endpoint Compliance.

2. Select the Security Gateway and click Edit.

   The Endpoint Compliance page of the Security Gateway properties window opens.

3. Select Scan endpoint machine when user connects.
4. Click Threshold policy and from the drop-down menu select Laptop Computer.
5. Click OK.
6. Install the policy on the Mobile Access Security Gateway.

Using Secure Workspace

Secure Workspace is a security solution that allows remote users to connect to enterprise network resources safely and securely. The Secure Workspace virtual workspace provides a secure environment on endpoint computers that is segregated from the "real" workspace. Users can only send data from this secure environment through the Mobile Access portal. Secure Workspace users can only access permitted applications, files, and other resources from the virtual workspace.

Secure Workspace creates an encrypted folder on the computer called My Secured Documents and can be accessed from the virtual desktop. This folder contains temporary user files. When the session terminates, Secure Workspace deletes this folder and all other session data.

For more about configuring Secure Workspace, see the R76 Mobile Access Administration Guide.

To enable Secure Workspace on a Mobile Access Security Gateway:

1. In the Mobile Access tab, select Endpoint Security on Demand > Secure Workspace.
2. Select the Security Gateway and click Edit.

   The Check Point Secure Workspace page of the Security Gateway properties window opens.

3. Select This gateway supports access to applications from within Check Point Secure Workspace.
4. Click OK and then install the policy.