Introduction to Mobile Access

Check Point Mobile Access blade is a simple and comprehensive remote access solution that delivers exceptional operational efficiency. It allows mobile and remote workers to connect easily and securely from any location, with any Internet device to critical resources while protecting networks and endpoint computers from threats. Combining the best of remote access technologies in a software blade provides flexible access for endpoint users and simple, streamlined deployment for IT.

This software blade option simply integrates into your existing Check Point gateway, enabling more secure and operationally efficient remote access for your endpoint users. The data transmitted by remote access is decrypted and then filtered and inspected in real time by Check Point’s award-winning gateway security services such as antivirus, intrusion prevention and web security. The Mobile Access blade also includes in-depth authentications, and the ability to check the security posture of the remote device. This further strengthens the security for remote access.

Mobile Access Applications

Mobile Access provides the remote user with access to the various corporate applications, including, Web applications, file shares, Citrix services, Web mail, and native applications.

• A Web application can be defined as a set of URLs that are used in the same context and that is accessed via a Web browser, for example inventory management, or HR management.
• A file share defines a collection of files, made available across the network by means of a protocol, such as SMB for Windows, that enables actions on files, such as opening, reading, writing and deleting files across the network.
• Mobile Access supports Citrix client connectivity to internal XenApp servers.
• Mobile Access supports Web mail services including:
  • Built-in Web mail: Web mail services give users access to corporate mail servers via the browser. Mobile Access provides a front end for any email server that supports the IMAP and SMTP protocols.
  • Other Web-based mail services, such as Outlook Web Access (OWA) and IBM Lotus Domino Web Access (iNotes). Mobile Access relays the session between the client and the OWA server.
• iPhone and iPad support
  • Access to Web applications
  • Access to email, calendar, and contacts
  • Two-factor authentication with client certificate and user name/password
• Mobile Access supports IPv6 on the for access to:
  • The Mobile Access portal
  • Capsule Workspace

  This feature is supported in R77.10 and higher. Notes:

  • SSL Network Extender is not supported with IPv6
  • IPv6 is supported on external interfaces only
• SSL Network Extender support for MacOS as part of Capsule Workspace Access
• Mobile Access supports any native application, via SSL Network Extender. A native application is any IP-based application that is hosted on servers within the organization. When a user is allowed to use a native application, Mobile Access launches SSL Network Extender and allows users to employ native clients to connect to native applications, while ensuring that all traffic is encrypted.

Remote users initiate a standard HTTPS request to the Mobile Access gateway, authenticating via user name/password, certificates, or some other method such as SecurID. Users are placed in groups and these groups are given access to a number of applications.

For information about Web applications, file shares, Citrix services, Web mail see Applications for Clientless Access.

For information about native applications, see Native Applications for Client-Based Access.

Mobile Access Management

• Mobile Access enabled gateways are managed by the Security Management Server that manages all Check Point gateways.
• All Mobile Access related configuration can be performed from the Mobile Access tab of SmartDashboard.
• Mobile Access users are shown in SmartConsole, along with real-time counters, and history counters for monitoring purposes.
• Mobile Access supports SNMP. Status information regarding Check Point products can be obtained using a regular SNMP Network Management Station (NMS) that communicates with SNMP agents on Mobile Access gateways. See "Working with SNMP Management Tools" in the R77 Security Management Administration Guide.

SSL Network Extender

The SSL Network Extender client makes it possible to access native applications via Mobile Access.

SSL Network Extender is downloaded automatically from the Mobile Access portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender tunnels application traffic using a secure, encrypted and authenticated SSL tunnel to the Mobile Access gateway.

SSL Network Extender Network Mode

The SSL Network Extender Network Mode client provides secure remote access for all application types (both Native-IP-based and Web-based) in the internal network via SSL tunneling. To install the Network Mode client, users must have administrator privileges on the client computer.

After installing the client, an authenticated user can access any authorized internal resource that is defined on Mobile Access as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the Mobile Access portal.

SSL Network Extender Application Mode

The SSL Network Extender Application Mode client provides secure remote access for most application types (both Native (IP-based) and Web-based) in the internal network via SSL tunneling. Most TCP applications can be accessed in Application Mode. The user does not require administrator privileges on the endpoint machine.

After the client is installed the user can access any internal resource that is defined on Mobile Access as a native application. The application must be launched from the Mobile Access portal and not from the user's desktop.

Commonly Used Concepts

This section briefly describes commonly used concepts that you will encounter when dealing with Mobile Access.

Authentication

All remote users accessing the Mobile Access portal must be authenticated by one of the supported authentication methods. As well as being authenticated through the internal database, remote users may also be authenticated via LDAP, RADIUS, ACE (SecurID), or certificates. You can also configure two factor authentication with a DynamicID one time password.

Authorization

Authorization determines how remote users access internal applications on the corporate LAN. If the remote user is not authorized, access to the services provided by the Mobile Access gateway is not granted.

After being authenticated, the user can open an application:

• If the user belongs to a group with access granted to that application.
• If the user satisfies the security requirements of the application (such as authentication method and endpoint health compliance).

Endpoint Compliance Scanner

The Check Point Endpoint Security On Demand scanner enforces endpoint compliance by scanning the endpoint to see if it complies with a pre-defined endpoint compliance policy. For example, an endpoint compliance policy would make sure that the endpoint clients have updated Anti-Virus signatures and an active firewall. If the endpoint is compliant with the endpoint compliance policy, the user is allowed to access the portal.

When end users access the Mobile Access Portal for the first time, an ActiveX component scans the client computer. If the client computer successfully passes the scan, the user is granted access to the Mobile Access portal. The scan results are presented to the Mobile Access gateway and to the end user.

When Endpoint Security on Demand detects a lack of security, it either rejects the connection or allows the user to choose whether or not to proceed, according to the Endpoint Compliance policies. The system administrator defines policies that determine which types of threats to detect and what action to take upon their detection.

Secure Workspace

End-users can utilize Check Point's proprietary virtual desktop that enables data protection during user-sessions, and enables cache wiping, after the sessions have ended. Secure Workspace protects all session-specific data accumulated on the client side. It uses protected disk space and file encryption to secure files created during the access session. Afterwards, it cleans the protected session cache, eliminating any exposure of proprietary data that would have been inadvertently left on public PCs.

Protection Levels

Protection Levels balance between connectivity and security. The Protection Level represents a security criterion that must be satisfied by the remote user before access is given. For example, an application may have a Protection Level, which requires users to satisfy a specific authentication method. Out of the box, Mobile Access has three pre-defined Protection Levels — Permissive, Normal, and Restrictive. It is possible to edit Protection Level settings, and define new Protection Levels.

Session

After being authenticated, remote users are assigned a Mobile Access session. The session provides the context in which Mobile Access processes all subsequent requests until the user logs out, or the session ends due to a time-out.

Mobile Access Security Features

Greater access and connectivity demands a higher level of security. The Mobile Access security features may be grouped as server side security and client side security.

Server Side Security Highlights

Mobile Access enabled gateways are fully integrated with and benefit from the same security features as other Security Gateways. In addition, Mobile Access gateways have numerous security features to enable secure remote access. The following list outlines the security highlights and enhancements available on Mobile Access gateways:

1. IPS: Protects organizations from all known, and most unknown network attacks using intelligent security technology.

   The Web Intelligence component of IPS enables protection against malicious code transferred in Web-related applications: worms, various attacks such as Cross Site Scripting, buffer overflows, SQL injections, Command injections, Directory traversal, and HTTP code inspection.

   See the R77 IPS Administration Guide.

2. IPS Service: Downloads new defense mechanisms to the IPS console, and brings existing defense mechanisms up-to-date.
3. Anti-Virus: Many Anti-Virus settings enabled on the Security Gateway also apply to Mobile Access traffic, preventing viruses from reaching end users and the enterprise.
4. Granular authorization policy: Limits which users are granted access to which applications by enforcing authentication, encryption, and client security requirements.
5. Web Application support over HTTPS: All traffic to Web-based applications is encrypted using HTTPS. Access is allowed for a specific application set rather than full network-level access.
6. Encryption: SSL Network Extender, used by Mobile Access, encrypts traffic using the 3DES or the RC4 encryption algorithm.

Client Side Security Highlights

The following list outlines the security highlights and enhancements available on the client side:

1. Endpoint Compliance for Mobile Access on the endpoint machine: Prevents threats posed by endpoint clients that do not have updated protection, for example, updated anti- virus and firewall applications.
2. Secure Workspace protects all session-specific data, accumulated on the client side. End-users can utilize Check Point's proprietary virtual desktop that prevents data leakage, by encrypting all files and wiping it at the end of the user session. The administrator can configure Mobile Access (via Protection Levels) to force end users to use Secure Workspace when accessing the user portal or sensitive applications.

   Secure Workspace is a security solution that allows remote users to connect to enterprise network resources safely and securely. The Secure Workspace virtual workspace provides a secure environment on endpoint computers that is segregated from the "real" workspace.

   No data is allowed to leave this secure environment except through the Mobile Access portal. Also, Secure Workspace users cannot access any applications, files, system tools, or other resources from the virtual workspace unless they are explicitly permitted by the Secure Workspace policy.

   Administrators can easily configure Secure Workspace policy to allow or prevent activity according to enterprise requirements.

   Secure Workspace creates an encrypted folder called My Secured Documents on the virtual desktop that contains temporary user files. It deletes this folder and all other session data when the session terminates.

   After enabling Secure Workspace, administrators can configure a gateway to either require all users to connect to the Mobile Access portal via Secure Workspace, or to give users the option of connecting via Secure Workspace or from their endpoint computers.

3. Controls browser caching: You can decide what Web content may be cached by browsers, when accessing Web applications. Disabling browser caching can help prevent unauthorized access to sensitive information, thus contributing to overall information security.
4. Captures cookies sent to the remote client by the internal Web server: In most configurations, Mobile Access captures cookies and maintains them on the gateway. Mobile Access simulates user/Web server cookie transmission by appending the cookie information, stored on Mobile Access, to the request that Mobile Access makes to the internal Web server, in the name of the remote user.
5. Supports strong authentication methods: For example, using SecurID tokens, SSL client certificates, and two factor authentication utilizing DynamicID.

User Workflow for Mobile Access Portal

The user workflow includes these steps:

1. Sign in and select the portal language.
2. On first-time use, install ActiveX and Java Components.
3. Initial setup.
4. Access applications.

Signing In

In a browser, the user types in the URL assigned by the system administrator for the Mobile Access gateway.

If the Administrator has configured Secure Workspace to be optional, users can choose to select it on the sign in page.

Users enter their authentication credentials and click Sign In. Before Mobile Access gives access to the applications on the LAN, the credentials of remote users are first validated. Mobile Access authenticates the users either through its own internal database, LDAP, RADIUS or RSA ACE/Servers. Once the remote users have been authenticated, and associated with Mobile Access groups, access is given to corporate applications.

First time Installation of ActiveX and Java Components

Some Mobile Access components such as the endpoint Compliance Scanner, Secure Workspace and SSL Network Extender require either an ActiveX component (for Windows with Internet Explorer machines) or a Java component to be installed on the endpoint machine.

When using one of these components for the first time on an endpoint machine using Windows and Internet Explorer, Mobile Access tries to install it using ActiveX. However, Internet Explorer may prevent the ActiveX installation because the user does not have Power User privileges, or display a yellow bar at the top of the page asking the user to explicitly allow the installation. The user is then instructed to click the yellow bar, or if having problems doing so, to follow a dedicated link. This link is used to install the required component using Java.

After the first of these components is installed, any other components are installed in the same way. For example, if the Endpoint compliance Scanner was installed using Java on Internet Explorer, Secure Workspace and SSL Network Extender are also installed using Java.

Language Selection

The user portal can be viewed in several languages. The default language is English. Supported languages include:

• Bulgarian
• Chinese — Simplified
• Chinese — Traditional
• English
• Finnish
• French
• German
• Italian
• Japanese
• Polish
• Romanian
• Russian
• Spanish

You can turn on automatic detection of the local language or let users select a language.

Initial Setup

The user may be required to configure certain settings, such as application credentials. In addition, the user can define additional favorites for commonly used applications.

Accessing Applications

After the remote users have logged onto the Mobile Access gateway, they are presented with a portal. The user portal enables access to the internal applications that the administrator has configured as available from within the organization, and that the user is authorized to use.

Security Gateway Portals

The Security Gateway runs a number of web-based portals over HTTPS:

• Mobile web access portal
• SecurePlatform WebUI
• Gaia WebUI
• Identity Awareness (Captive Portal)
• DLP portal
• SSL Network Extender portal
• UserCheck portal
• Endpoint Security portals (CCC)

All of these portals can resolve HTTPS hosts to IPv4 and IPv6 addresses over port 443.

These portals (and HTTPS inspection) support the latest versions of the TLS protocol. In addition to SSLv3 and TLS 1.0 (RFC 2246), the Security Gateway supports:

• TLS 1.1 (RFC 4346)
• TLS 1.2 (RFC 5246)

Support for TLS 1.1 and TLS 1.2 is enabled by default but can be disabled in SmartDashboard (for web-based portals) or GuiDBedit (for HTTPS Inspection).

To configure TLS protocol support for portals:

1. In SmartDashboard, open Global Properties > SmartDashboard Customization.
2. In the Advanced Configuration section, click Configure.

   The Advanced Configuration window opens.

3. On the Portal Properties page, set minimum and maximum versions for SSL and TLS protocols.

To Configure TLS Protocol Support for HTTPS inspection:

1. In GuiDBedit, on the Tables tab, select Other > ssl_inspection.
2. In the Objects column, select general_confs_obj.
3. In the Fields column, select the minimum and maximum TLS version values in these fields:
   • ssl_max_ver (default = TLS 1.2)
   • ssl_min_ver (default = SSLv3)