

Native Applications for Client-Based Access

In This Section:

Accessing Native Applications

Configuring VPN Clients

Configuring SSL Network Extender Advanced Options

Endpoint Application Types

Configuring a Simple Native Application

Configuring an Advanced Native Application

Protection Levels for Native Applications

Adding Downloaded-from-Gateway Endpoint Applications

Configuring Downloaded-from-Gateway Endpoint Applications

A native application is any IP-based application that is hosted on servers within the organization, and requires an installed client on the endpoint. The client is used to access the application and encrypt all traffic between the endpoint and Mobile Access.

SSL Network Extender automatically works with Mobile Access as a native application.

Microsoft Exchange, Telnet, and FTP, are all examples of native application servers. Authorized users can use their native clients (for example, telnet.exe, ftp.exe, or Outlook) to access these internal applications from outside the organization.

A native application is defined by the:

  • Server hosting applications.
  • Services used by applications.
  • Connection direction (usually client to server, but can also be server to client, or client to client).
  • Applications on the endpoint (client) machines. These applications are launched on demand on the user machine when the user clicks a link in the user portal. They can be:
    • Already installed on the endpoint machine, or
    • Run via a default browser, or
    • Downloaded from Mobile Access.

Accessing Native Applications

The SSL Network Extender client makes it possible to access native applications via Mobile Access. SSL Network Extender can operate in two modes: Network Mode and Application Mode.

SSL Network Extender

The SSL Network Extender client lets users access native applications using Mobile Access.

  • If the Mobile Access blade is enabled on the gateway, SSL Network Extender works through Mobile Access only. Configure its policy in the Policy page of the Mobile Access tab.
  • If the Mobile Access blade is disabled and the IPsec VPN blade is enabled, SSL Network Extender works through the IPsec VPN blade. Configure its policy in the main security rule base.

Note - If SSL Network Extender was configured through IPsec VPN, and now you enabled the Mobile Access blade on the gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. SSL Network Extender rules in the main security rule base are not active if the Mobile Access tab is enabled.

SSL Network Extender is downloaded automatically from the Mobile Access portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender tunnels application traffic using a secure, encrypted and authenticated SSL tunnel to the Mobile Access gateway.

SSL Network Extender requires ActiveX (for Windows with Internet Explorer), or Java. For details see First time Installation of ActiveX and Java Components.

SSL Network Extender Network Mode

The SSL Network Extender Network Mode client provides secure remote access for all application types (both Native-IP-based and Web-based) in the internal network via SSL tunneling. To install the Network mode client, users must have administrator privileges on the client computer.

After installing the client, an authenticated user can access any authorized internal resource that is defined on Mobile Access as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the Mobile Access portal.

SSL Network Extender Application Mode

The SSL Network Extender Application Mode client provides secure remote access for most application types (both Native (IP-based) and Web-based) in the internal network via SSL tunneling. Most TCP applications can be accessed in Application mode. The user does not require administrator privileges on the endpoint machine.

After the client is installed, the user can access any internal resource that is defined on Mobile Access as a native application. The application must be launched from the Mobile Access portal and not from the user's desktop.

Note - UDP based applications are not supported with SSL Network Extender in Application mode.

Supported Application Mode Applications

Most TCP applications work with SSL Network Extender in Application Mode. If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user who connects in Application Mode sees it in the list of applications and can launch it. If the application is not marked as supported in Application Mode, it does not appear in that user's list.

The following applications have been tested and are Check Point OPSEC-certified for use with Mobile Access SSL Network Extender in Application Mode. (This differs from Network Mode, which supports any IP-based application.) While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified, and only the specified versions are guaranteed to work and fully supported. In most cases, other versions of the same client, and most other TCP-based applications, will also work.

SSL Network Extender - Application Mode Support

Category                                 Partner/Company   Client                                        Version
---------------------------------------  ----------------  --------------------------------------------  ----------------------
Telnet / SSH                             Microsoft         Microsoft Telnet (Command Line)               2000, XP
                                         Microsoft         HyperTerminal                                 5.1
                                         PuTTY             PuTTY                                         0.55
                                         VanDyke           SecureCRT                                     4.1
Database Clients                         Rational          ClearQuest                                    2003.06.00.436.000
                                         Siebel            Siebel Client                                 7
TN3270                                   Ericom            PowerTerm InterConnect for Windows            6.6.2
                                         IBM               Personal Communications Workstation Program   5.8
FTP                                      Microsoft         FTP (Command Line)                            2000, XP
                                         Ipswitch          WS_FTP Home/PRO                               9.1.0.429
                                         GlobalSCAPE       CuteFTP                                       4.2, 7
E-Mail (POP3, IMAP, SMTP)                Microsoft         Outlook Express                               6
                                         Microsoft         Outlook (see note below table)                2000, 2003 SP1, XP
                                         QUALCOMM          Eudora                                        6.2
                                         Mozilla           Thunderbird                                   1.0.2
                                         IBM               Lotus Notes                                   6.0.3, 6.5.3
Web Browser (HTTP, HTTPS, Passive FTP)   Microsoft         Internet Explorer                             5.5 and up
                                         Mozilla           Mozilla Firefox                               1.0.3, 1.0.4
Terminal Services                        Microsoft         Remote Desktop Connection                     XP, 2000
                                         RealVNC           VNC Viewer                                    4.1.1
                                         Famatech          Remote Administrator                          2.0, 2.1
Citrix                                   Citrix            Program Neighborhood                          6.20.985, 9.0.0.32649
                                         Citrix            Java Connection Center                        8.0.1672
                                         Citrix            JICA                                          8.2.1684
                                         Citrix            ActiveX                                       8.0.24737.0
Productivity Suites                      IBM               Lotus Notes                                   6.0.3, 6.5.3

Note - Some Anti-Virus applications do not scan email when Microsoft Outlook is launched with SSL Network Extender Application mode, because the mail is encrypted in SSL before scanning begins.

Configuring VPN Clients

To configure SSL Network Extender on VPN clients:

  1. Open Gateway Properties > Mobile Access > SSL Clients.

    SSL Network Extender is automatically enabled when the Mobile Access blade is turned on.

  2. Select an option:
    • Automatically decide on client type according to endpoint machine capabilities downloads the SSL Network Extender Network Mode client if the user on the endpoint machine has administrator permissions, and downloads the Application Mode client if the user does not have administrator permissions.
    • Application Mode only specifies that the SSL Network Extender Application Mode client is downloaded to the endpoint machines — irrespective of the capabilities of the endpoint machine.
    • Network Mode only specifies that the SSL Network Extender Network Mode client is downloaded to the endpoint machines — irrespective of the capabilities of the endpoint machine. The user on the endpoint machine must have administrator permissions in order to access Native Applications.

If you had SSL Network Extender configured through IPsec VPN and now you enabled the Mobile Access blade on the gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. Rules regarding SSL Network Extender in the main security rule base are not active if the Mobile Access tab is enabled.

Office Mode

When working with Office Mode, Remote Access clients receive an IP address allocated for them by the VPN administrator. These addresses are used by the clients in the source field of the IP packets they build. Since the IP packets are then encrypted and encapsulated, the packets appear to the Internet with their original IP address. To the organization's internal network, after decapsulation and decryption, they appear with the allocated IP address. The clients seem to be on the internal network.

For more about Office Mode, see the R77 VPN Administration Guide.

Configuring Office Mode

Configure Office Mode in Gateway Properties > Mobile Access > Office Mode. The settings configured here apply to Mobile Access clients and IPsec VPN clients.

Office Mode Method

Choose the methods used to allocate IP addresses for Office Mode. All of the methods selected below will be tried sequentially until the office mode IP addresses are allocated.

  • From ipassignment.conf in $FWDIR/conf - You can override the Office Mode settings created on the Security Management Server by editing a plain text file called ipassignment.conf in the $FWDIR/conf directory of the Check Point Security Gateway. The gateway uses the Office Mode settings in this file and not those defined for the object in the Security Management Server, so keep the file under the same change control as the policy.

    Ipassignment.conf can specify:

    • An IP per user/group, so that a particular user or user group always receives the same Office Mode address. This allows the administrator to assign specific addresses to users, or particular IP ranges/networks to groups when they connect using Office Mode.
    • A different WINS server for a particular user or group
    • A different DNS server
    • Different DNS domain suffixes for each entry in the file.
  • From the RADIUS server used to authenticate the user - A RADIUS server can be used for authenticating remote users. When a remote user connects to a gateway, the user name and password are passed on to the RADIUS server, which checks that the information is correct, and authenticates the user. The RADIUS server can also be configured to allocate IP addresses.
  • Using one of the following methods:
    • Manually (IP pool) - Create a Network Object with the relevant addresses. The allocated addresses can be private addresses that are not routable on the Internet, but they must be routable within the internal network.
    • Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed, and the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and treats the VPN gateway as a DHCP relay agent. The virtual IP address must be routable so that the DHCP server can send its replies correctly.

      DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, VPN ignores the user identity, and different users who work from the same Remote Access client are allocated the same IP address. Choose per-user MAC addresses if Office Mode addresses are used for per-user access control or for attributing log entries to users.
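As an added illustration (not copied from this guide), the following ipassignment.conf fixes one user's address, reserves a range for a second user, reserves a network for a group, and overrides the WINS, DNS and suffix settings for one entry. Each line gives the gateway name (or * for any gateway), the entry type (addr, range or net), the address, range or network, optional wins=(...), dns=(...) and suffix=... fields, and finally the user or group name. This column layout follows the sample file in the R77 VPN Administration Guide as recalled here, and the gateway names, addresses and user names are made up: treat the syntax as an assumption and confirm it against the comment header of the ipassignment.conf shipped in $FWDIR/conf on the gateway before relying on it.

```text
# ipassignment.conf - illustrative entries only (assumed syntax; the comment
# header of the file shipped on the gateway is the authoritative reference).
#
# Gateway   Type   Address / range / network   [wins=(...) dns=(...) suffix=...]   User or group
Paris-GW    addr   10.5.5.8                                                        jean
Brasilia    range  10.6.5.4-10.6.5.9                                               joe
*           net    10.7.5.0/24                                                     Finance
Paris-GW    addr   10.5.5.9   wins=(192.168.1.1,192.168.1.2) dns=(192.168.1.3) suffix=corp.example   admin-ops
```

Before installing such a file, check that every address in it is routable inside the internal network, that it falls inside the Network object selected for Office Mode Anti-Spoofing (otherwise the gateway will discard the client's traffic as spoofed), and that it does not overlap the IP pool or DHCP scope from which other users are allocated addresses.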

Multiple Interfaces

If the gateway has multiple external interfaces, there might be a routing problem for packets whose destination address is a client working in Office Mode. The destination IP address is replaced when the packet is encapsulated and thus previous routing information becomes irrelevant. Resolve this problem by setting the gateway to Support connectivity enhancement for gateways with multiple external interfaces. Do not select this option if your gateway has only one external interface, as this operation affects the performance.

Anti-Spoofing

If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode.

If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here.

IP Pool Optional Parameters

Configure additional optional parameters for how Office Mode addresses are assigned by clicking Optional Parameters. If the Office Mode addresses are allocated from an IP pool, this window lets you specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the domain name.

If the office mode addresses are allocated by a DHCP server, DNS and WINS addresses are set on the DHCP server.

These details are transferred to the Remote Access client when a VPN is established.

IP Lease Duration

Specify the amount of time after which the Remote Access client stops using the allocated IP address and disconnects. By default, the duration is 15 minutes. The client tries to renew the IP address by requesting the same address after half of the set time has elapsed. When this request is granted, the client receives the same address until the lease expires. When the new lease expires, it must be renewed again.

Configuring SSL Network Extender Advanced Options

For advanced SSL Network Extender configuration options, in the SmartDashboard Mobile Access tab, select the Additional Settings > VPN Clients > Advanced Settings for SSL Network Extender page, and click Edit.

Deployment Options

  • Client upgrade upon connection specifies how to deploy a new version of the SSL Network Extender Network Mode client on endpoint machines, when it becomes available.

Note - Upgrading requires Administrator privileges on the endpoint machine.

  • Client uninstall upon disconnection specifies how to handle the installed SSL Network Extender Network Mode client on the endpoint machine when the client disconnects.
    • Do not uninstall allows the user to manually uninstall if they wish to.
    • Ask User allows the user to choose whether or not to uninstall.
    • Always uninstall does so automatically, when the user disconnects.

Encryption

  • Supported Encryption methods defines the strength of the encryption used for communication between SSL Network Extender clients and all Mobile Access gateways and gateway clusters that are managed by the Security Management Server.
    • 3DES only. This is the default. 3DES applies the DES cipher three times with three 64-bit DES keys, that is, 192 bits including parity bits (168 key bits).
    • 3DES or RC4 configures the SSL Network Extender client to support the RC4 encryption method as well as 3DES. RC4 is a variable key-size stream cipher whose keystream is generated from a secret permutation; it requires a secure exchange of a shared key that is outside the specification. RC4 is faster than 3DES, but it has well-documented keystream biases and its use in TLS is prohibited by RFC 7465, so leave the default unless a client that cannot use 3DES must be supported.

Launch SSL Network Extender Client

These settings define the behavior of the SSL Network Extender clients when launched on the endpoint machines.

  • On demand, when user clicks "Connect" on the portal - SSL Network Extender only opens when the user clicks "Connect" from the Mobile Access portal.
  • Automatically, when user logs on - When users log in to the Mobile Access portal, SSL Network Extender launches automatically.
  • Automatically minimize client window after client connects - For either of the options above, choose to minimize the SSL Network Extender window to the system tray on the taskbar after connecting. This provides better usability for non-technical users.

Endpoint Application Types

When defining a Native Application, you can define applications on endpoint machines. These applications launch on the endpoint machine when the user clicks a link in the Mobile Access portal. You do not have to configure endpoint applications for users using SSL Network Extender in Network Mode, as they will be able to access them using their native clients.

Application Installed on Endpoint Machine

These endpoint applications are already installed on the endpoint machines.

Application Runs Via a Default Browser

Run via default browser is used to define a link to any URL. The link appears in the Mobile Access portal, and launches the current Web browser (the same browser as the Mobile Access portal). The link can include $$user, which represents the user name of the currently logged-in user.

This option has a user experience similar to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some websites have problems working with Link Translation.

Applications Downloaded-from-Gateway

Downloaded-from-Gateway applications allow you to select a client application located on the Mobile Access gateway, that is downloaded from Mobile Access to the endpoint machine when the user clicks a link in the Mobile Access portal.

These applications allow end users to securely use client-server applications, without requiring a native client to be installed on their machines.

Two kinds of Downloaded-from-Gateway applications are available by default: Certified Applications and Add-on Applications. Certified applications are an integral part of Mobile Access, and are fully supported. Add-on Downloaded-from-Gateway applications are third-party applications, which are supplied as-is, and for which Check Point provides limited support.

Mobile Access provides eight built-in applications that the administrator can configure. Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files). All the applications that are available by default, other than the Terminal (PuTTY) client, are Java-based and are therefore multi-platform applications. The PuTTY client can only be used on Windows machines.

It is possible to add Downloaded-from-Gateway applications to Mobile Access, in addition to the built-in applications. See Adding Downloaded-from-Gateway Endpoint Applications.

Certified Applications

Certified applications are an integral part of Mobile Access, and are fully supported. The packages that are downloaded to the endpoint machine are signed by Check Point. The following table lists the available certified Downloaded-from-Gateway Native Applications:

Downloaded-from-Gateway Certified Applications

Application   Description
-----------   --------------------------------------------------------------------------------
Telnet        Telnet terminal. Provides user-oriented command-line login sessions between hosts. Telnet itself carries credentials and session data in cleartext: only the SSL Network Extender tunnel between the endpoint and the Mobile Access gateway protects the session, and the leg from the gateway to the Telnet server is unencrypted.
SSH           Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure, encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on TCP port 22.
TN3270        IBM 3270 terminal emulator, tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.
TN5250        IBM 5250 terminal emulator that interprets and displays 5250 data streams.

For configuration details, see Configuring Downloaded-from-Gateway Endpoint Applications.

Add-on Applications

Add-on Downloaded-from-Gateway applications are third-party applications, which are supplied as-is, for which Check Point provides limited support.

These packages are not signed by Check Point, so when end users download them a popup warns that the package is not signed. Users who are accustomed to accepting this warning cannot tell it apart from the warning for a genuinely malicious package, so prefer a certified application wherever one covers the need. If an add-on application does not function as expected, it can be deleted or replaced. The following table lists the available add-on Downloaded-from-Gateway Native Applications:

Downloaded-from-Gateway Add-On Applications

Application            Description
--------------------   --------------------------------------------------------------------------------
Remote Desktop (RDP)   Downloaded-from-Gateway client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 and up (optimized for 1.4), and works on Linux, Windows and Mac.
Terminal (PuTTY)       An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator.
Jabber                 Downloaded-from-Gateway Jabber client: an instant messenger based on the Jabber protocol. Runs on every computer with at least Java 1.4.
FTP                    Graphical Java network and file-transfer client. Supports FTP using its own FTP API, and various other protocols (SMB, SFTP, NFS, HTTP, and file I/O) using third-party APIs. Includes many advanced features such as recursive directory upload/download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more.

For configuration details, see Configuring Downloaded-from-Gateway Endpoint Applications.

Configuring Authorized Locations per User Group

The authorized locations (hosts or address ranges) of a Native application are defined in the Authorized Locations page of the Native Application. However, it is also possible to configure authorized locations per user group. Users who belong to two or more groups can access the union of the authorized locations of the groups.

For configuration details, see sk32111.

Ensuring the Link Appears in the End-User Browser

If an endpoint application is defined by the administrator, but is not available on the endpoint machine, the link to the application will not be shown in the Mobile Access portal.

For example, the link will not be shown if:

  • An endpoint application that is pre-installed on the endpoint machine (of type "Already Installed") is configured, and the application is in fact not installed on the endpoint machine.
  • A Downloaded-from-Gateway (Embedded) application requires Java, but Java is not installed on the endpoint machine.

Configuring a Simple Native Application

To configure a simple Native Application:

  1. In the Mobile Access tab navigation tree, select Applications > Native Application.
  2. Click New. The Native Application window opens. The following sections explain the fields in each page.

General Properties

In the General Properties page, define the name of the Native Application.

Authorized Locations

  1. Go to the Authorized Locations page.

    An authorized location ensures users of the Native Application can only access the specified locations using the specified services.

  2. Fill in the fields:
    • Host or Address Range is the machine or address range on which the application is hosted.
    • Service is the port on which the machine hosting the application listens for communication from application clients.

Applications on the Endpoint Computer

  1. Go to the Endpoint Applications page.
  2. Fill in the fields:
    • Add link in the Mobile Access portal must be selected if you want to make the endpoint application(s) associated with the Native Application available to users.
    • Link text can include $$user, a variable that represents the user name of the currently logged-in user.
    • Tooltip for additional information. Can include $$user, which represents the user name of the currently logged-in user.
    • Path and executable name must specify one of the following:
      • The full path of the application on the endpoint machines. For example:
        c:\WINDOWS\system32\ftp.exe
      • The location of the application by means of an environment variable. This allows the location to be specified in a more generalized way. For example:
        %windir%\system32\ftp.exe
      • If the application is listed in the Windows Start > Programs menu, only the application name, as it appears to the user in the Start menu. For example: HyperTerminal.
      • If the application is in the PATH of the endpoint computer, only the application name. For example:
        ftp.exe
      Prefer the full-path or environment-variable forms: a bare executable name is resolved through the endpoint's PATH, so which binary actually runs depends on the state of each user's machine rather than on your configuration.
    • Parameters are used to pass additional information to applications on the endpoint computer, and to configure the way they are launched.

    Note - If the endpoint application is not available on the endpoint machine, the link to the application will not be shown in the end user's browser.

Using the $$user Variable in Native Applications

You can use the $$user variable to define customized login parameters for native applications. To do this, enter the $$user variable wherever you need to specify a user name.

For example, you can use the $$user variable to return the user name as part of the login string for Remote Desktop. If the Parameters field contains $$user.example.com, it resolves to ethan.example.com for the user Ethan and to richard.example.com for the user Richard.

Completing the Native Application Configuration

If necessary, configure VPN clients. See Configuring VPN Clients.

After doing so:

  1. Go to the Policy page of the Mobile Access tab.
  2. In the Policy page, associate:
    • User groups.
    • Applications that the users in those user groups are allowed to access.
    • Install On the Mobile Access gateways and gateway clusters that users in those user groups are allowed to connect to.
  3. From the SmartDashboard main menu, choose Policy > Install and install the policy on the Mobile Access gateways.

Configuring an Advanced Native Application

To configure an advanced Native Application:

  1. In the Mobile Access tab navigation tree, select Applications > Native Application.
  2. Click New. The Native Application window opens. The following sections explain how to define advanced Native Application features.

Configuring Connection Direction

  1. In the General Properties page of the Native Application object, click Connection direction.

    An Advanced window opens.

  2. Select an option for the Direction of communication from the connection initiator:
    • Client to server: (For example, Telnet.) This is the default option. When you create a client to server application and assign it to a user group, you enable users of the group to initiate a connection to the specified server.
    • Server to client: (For example, X11.) When you create a server to client application, the specified server can initiate a connection to all SSL Network Extender or SecureClient Mobile users currently logged on to the Mobile Access gateway, regardless of their group association.
    • Client to client: (For example, running Remote Administration from one client to another.) When you create a client to client Native Application and assign it to a user group, you enable users of that group to initiate a connection to all of the SSL Network Extender or SecureClient Mobile users currently logged on to Mobile Access, regardless of their user group association.

    For both the server to client and client to client directions, the reachable endpoints are all logged-on users, not only the members of the assigned group, so keep the Service definition as narrow as the application allows.

Note - A Client to Client Native Application does not require configuration of a destination address.

Multiple Hosts and Services

The native application can reside on a range of hosts, which can be accessed by the native application clients. You can also specify more than one service that clients may use to communicate with the application.

Users of the native application can only access the specified locations using the specified services.

To define a native application with multiple hosts and services:

  1. Define a Native Application.
  2. In the Authorized Locations page of the Native Application object, select Advanced > Edit.

    The Native Application - Advanced window opens.

  3. Click Add or Edit.

    The Native Application Hosts window opens.

Configuring the Endpoint Application to Run Via a Default Browser

To configure the Endpoint Application to run via a default browser:

  1. Define a Native Application.
  2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
  3. Select Advanced > Edit. The Endpoint Applications - Advanced window opens.
  4. Click Add. The Edit Endpoint Application window opens.
  5. Select Run via default browser. This is used to define a link to any URL. The link appears in the Mobile Access portal, and launches the current Web browser (the same browser as the Mobile Access portal). The link can include $$user, which represents the user name of the currently logged-in user.

    This option has a similar user experience to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some Web sites have problems working with Link Translation.

Automatically Starting the Application

To configure the Endpoint Application to start automatically:

  1. Define a Native Application.
  2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
  3. Select Advanced > Edit. The Endpoint Applications - Advanced window opens.
  4. Click Add or Edit. The Edit Endpoint Application window opens.
  5. Click Advanced.

    The Advanced window opens.

    • Automatically Start this Application - Configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network Mode or Application Mode). When more than one Native Application is defined for automatic start on connection or disconnection, the applications run in alphabetical order of the names of the Native Applications.
    • When SSL Network Extender is disconnected - In Application Mode, do not use this option to launch applications that require connectivity to the organization. In Network Mode, automatically starting applications when SSL Network Extender is disconnected works correctly.

Making an Application Available in Application Mode

To make an application available in Application Mode:

  1. Define a Native Application.
  2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
  3. Select Advanced > Edit. The Endpoint Applications - Advanced window opens.
  4. Click Add or Edit. The Edit Endpoint Application window opens.
  5. Click Advanced. The Advanced window opens.
  6. Select Show link to this application in SSL Network Extender Application Mode. The option SSL Network Extender application mode compatibility lets you make an application available to Application Mode clients. Users that connect using the SSL Network Extender Application Mode client are able to see a link to the application and launch it. Use this option if the application works well in Application Mode.

Note - If this option is NOT selected:

  • Users who connect with Application Mode, do not see it in their list of applications.
  • Users with SecureClient Mobile on handheld devices, are unable to connect to the application.

Automatically Running Commands or Scripts

It is possible to configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode).

Note - The user must have the appropriate privileges on the endpoint machine to run the commands.

One example of how automatically running a command can be useful is to mount or unmount a network drive. Giving users access to network drives is a convenient way of providing access to internal resources. A drive can be mapped by configuring an application that invokes the Windows net use command.

Note - When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications.

For configuration details, see How to Automatically Map and Unmap a Network Drive.

It is possible to extend this ability by defining a dynamic add-on Downloaded-from-Gateway application that runs a script (batch file) containing a sequence of commands to execute on the endpoint machine. This script can be launched manually when the user clicks a link, or it can launch automatically after connecting to or disconnecting from SSL Network Extender.

For configuration details, see How to Automatically Run a Script (Batch File).

How to Automatically Map and Unmap a Network Drive

A drive can be mapped by configuring an application that invokes the Windows net use command.

Note - The net use command works in SSL Network Extender Network Mode only, because it needs direct network connectivity to the file server.

To automatically map (mount) and unmap (unmount) a network drive, create a Native Application that automatically maps the network drive when SSL Network Extender is launched:

  1. Define a Native Application.
  2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
  3. Select Advanced > Edit. The Endpoint Applications - Advanced window opens.
  4. Click Add or Edit. The Edit Endpoint Application window opens.
  5. Configure the Edit Endpoint Application page as follows:
    • Already installed.
    • Path and executable name: net.exe
    • Parameters: use drive_letter: \\server_name\share_name
  6. Click Advanced. In the Advanced page, check When SSL Network Extender is launched.
  7. Create another Native Application that automatically unmaps the network drive when SSL Network Extender is disconnected. Configure the Edit Endpoint Application page as follows:
    • Already installed.
    • Path and executable name: net.exe
    • Parameters: use /DELETE drive_letter:
  8. Click Advanced. In the Advanced page, check When SSL Network Extender is disconnected.

How to Automatically Run a Script (Batch File)

It is possible to define a new Downloaded-from-Gateway Endpoint Application (embedded application) that runs a script (batch file) automatically after connecting to or disconnecting from SSL Network Extender.

Proceed as follows:

  1. Create a batch (script) file containing a sequence of commands.
  2. Define the batch file as a new Downloaded-from-Gateway Endpoint Application (Embedded Application).
  3. Define a Native Application.
  4. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
  5. Select Advanced > Edit. The Endpoint Applications - Advanced window opens.
  6. Click Add or Edit. The Edit Endpoint Application window opens.
  7. Click Advanced.
  8. In the Automatically start this application section of the Advanced page, select When SSL Network Extender is launched.
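The two procedures above create one Native Application per direction (map on launch, unmap on disconnect). The batch file below, added here as an example and not taken from the Check Point documentation, does both jobs from a single Downloaded-from-Gateway (batch) endpoint application: configure it twice in the Native Application, once with Parameters map and When SSL Network Extender is launched, once with Parameters unmap and When SSL Network Extender is disconnected. The file name snx_drive.cmd, the server FILESRV, the share Projects and the drive letter P: are assumptions; replace them for your site. Because it relies on net use, it is for Network Mode only (see the Note above), and it runs with the privileges of the logged-in user.

```batch
@echo off
rem snx_drive.cmd - added example, not part of the Check Point documentation.
rem One batch file for both directions: run it with "map" when SSL Network
rem Extender (Network Mode) is launched and with "unmap" when it is disconnected.
rem Assumed names (replace for your site): server FILESRV, share Projects, drive P:.
rem The script runs with the privileges of the logged-in user (see the Note above).
setlocal
set "DRIVE=P:"
set "SHARE=\\FILESRV\Projects"
set "LOG=%TEMP%\snx_drive.log"

if /i "%~1"=="map"   goto :map
if /i "%~1"=="unmap" goto :unmap
echo usage: %~nx0 map ^| unmap
exit /b 2

:map
echo %DATE% %TIME% map %DRIVE% to %SHARE% >> "%LOG%"
rem Drop a stale mapping left by an earlier session so the letter is free.
net use %DRIVE% >nul 2>&1 && net use %DRIVE% /DELETE /Y >> "%LOG%" 2>&1
rem /PERSISTENT:NO: the mapping is not restored at the next logon outside the VPN.
net use %DRIVE% "%SHARE%" /PERSISTENT:NO >> "%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% map failed, errorlevel %ERRORLEVEL% >> "%LOG%"
    exit /b 1
)
echo %DATE% %TIME% map ok >> "%LOG%"
exit /b 0

:unmap
echo %DATE% %TIME% unmap %DRIVE% >> "%LOG%"
rem /Y answers the "open files" prompt so the script cannot hang on disconnect.
net use %DRIVE% /DELETE /Y >> "%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% unmap failed, errorlevel %ERRORLEVEL% >> "%LOG%"
    exit /b 1
)
echo %DATE% %TIME% unmap ok >> "%LOG%"
exit /b 0
```

Passing map or unmap through the Parameters field is the assumption that lets one file serve both directions; if you prefer two batch files, keep only the :map or the :unmap section in each. The log in %TEMP% is the first thing to read when a drive does not appear after connecting, and the /PERSISTENT:NO flag keeps the mapping from being re-attempted at a later logon when the VPN is not up.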

Protection Levels for Native Applications

On Mobile Access gateways of version R71 and higher, protection levels can be set individually for each native application.

Protection Levels are predefined sets of security settings that offer a balance between connectivity and security. Protection Levels allow Mobile Access administrators to define application protections for groups of applications with similar requirements.

Mobile Access comes with three default Protection Levels — Normal, Restrictive, and Permissive. You can create additional Protection Levels and change the protections for existing Protection Levels.

Protection Levels in Older Gateways:

For Mobile Access gateways of versions before R71, one Protection Level can be set for all native applications, or all native applications can rely on the security requirements of the Mobile Access gateway. These settings are configured on the main Native Applications page.

Protection Levels in R71 and Higher Gateways:

For Mobile Access gateways of versions R71 and higher, Protection Level settings are configured in the Properties window of each native application by selecting Additional Settings > Protection Level.

Note - The Protection Level settings in Mobile Access gateways of versions R71 and higher cannot be set globally on the main Native Applications page.

When defining an application, in the Protection Level page of the application object, you can choose:

  • This application relies on the security requirements of the gateway
    Rely on the gateway security requirement. Users authorized to use the portal are also authorized to use this application. This is the default option.
  • This application has additional security requirements specific to the following protection level
    Associate the Protection Level with the application. Users are required to be compliant with the security requirement for this application in addition to the requirements of the portal.

Defining Protection Levels

To access the Protection Level page from the Mobile Access tab:

  1. From the Mobile Access tab in SmartDashboard, select the Additional Settings > Protection Levels page from the navigation tree.
  2. Click New to create a new Protection Level or double-click an existing Protection Level to modify it.

    The Protection Levels window opens, displaying the General Properties page.

To access the Protection Level page from a Mobile Access application:

  1. From the Properties window of a Mobile Access application, select Additional Setting > Protection Level.
  2. To create a new Protection Level, select Manage > New.
  3. To edit the settings of a Protection Level, select the Protection Level from the drop down list and then select Manage > Details.

    The Protection Levels window opens, displaying the General Properties page.

To define a Protection Level:

  1. In the General Properties page, enter a unique name for the Protection Level (for a new Protection Level only), select a display color and optionally add a comment in the appropriate fields.
  2. Click on Authentication in the navigation tree and select one or more authentication methods from the available choices. Users accessing an application with this Protection Level must use one of the selected authentication schemes.
  3. If required, select User must successfully authenticate via SMS.
  4. Click Endpoint Security in the navigation tree and select one or both of the following options:
    • Applications using this Protection Level can only be accessed if the endpoint machine complies with the following Endpoint compliance policy. Also, select a policy. This option allows access to the associated application only if the scanned client computer complies with the selected policy.
    • Applications using this Protection Level can only be accessed from within Secure Workspace. This option requires Secure Workspace to be running on the client computer.
  5. Click OK to close the Protection Level window.
  6. Install the Security Policy.

Adding Downloaded-from-Gateway Endpoint Applications

You can add Downloaded-from-Gateway applications to Mobile Access, in addition to the eight built-in applications. This section explains how, and gives two detailed examples.

Downloaded-from-Gateway Application Requirements

Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files).

Java applications have the following requirements:

  • Application must be packaged into a JAR file
  • The JVM of a version required by the application must be installed on the endpoint machine.
  • The application must have a Main class.

Single-executable applications have the following requirements:

  • Must not require installation.
  • Must be platform-specific for Windows, Linux or Mac OS.

Adding a New Application

To add a new Downloaded-from-Gateway application, first put the application in the relevant directory on the gateway. Then use the Database Tool (GuiDBedit) to set its properties.

To add a new downloaded-from-gateway endpoint application:

  1. Compress your downloaded-from-gateway application file into CAB file with the same name as the original file but with a .cab extension.

    To compress a file into a CAB file, you can use the Microsoft Cabinet Tool cabarc.exe (which can be downloaded from the Microsoft Web site). For example:

    cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar

  2. Copy both your downloaded-from-gateway application file and the .cab file you created to the gateway machine at: $CVPNDIR/htdocs/SNX/CSHELL
  3. Change the application file permissions to read, write and execute.
  4. Run the Check Point Database Tool GuiDBedit.exe from the directory where SmartConsole is installed (in the same installation directory as SmartDashboard).
  5. Log in to the Security Management Server.
  6. Select Table > Other > embedded_applications.

    The embedded_applications table shows.

  7. In the right side pane, right-click and select New.
  8. In the Object field, enter a name for the new downloaded-from-gateway application.
  9. Specify the characteristics of the new downloaded-from-gateway application.

  • display_name - The application name, which appears in the drop-down list of downloaded-from-gateway applications in SmartDashboard, in the Edit Endpoint Application window.
  • embedded_application_type - The type of downloaded-from-gateway application. Choose one of the options in the Valid Values list (java_applet, linux_executable, mac_executable, windows_executable).
  • file_name - The name of the file you placed in $CVPNDIR/htdocs/SNX/CSHELL (not the .cab version).
  • server_name_required_params - Whether the new downloaded-from-gateway application requires the server name to be configured in the Parameters field of the Edit Endpoint Application window in SmartDashboard.
  • pre_custom_params - Parameters concatenated before the server name (the server_name_required_params field). Usually used when configuring a new downloaded-from-gateway Java application; in that case, specify the Main class name of the application.
  • post_custom_params - Parameters concatenated after the server name. Can be left blank.
  • type - Leave as embedded_application.

You can now see and configure the new downloaded-from-gateway application in SmartDashboard, just as you do with the built-in downloaded-from-gateway applications. The downloaded-from-gateway applications appear in the Edit Endpoint Application window of the Native Application object (Native Application object > Endpoint Applications page > Advanced: Edit > Add/Edit).

Example: Adding a New SSH Application

This example adds two applications to Mobile Access as new downloaded-from-Mobile Access applications:

  1. SSH2 Java application:
    • Jar file name: ssh2.jar
    • Main class name: ssh2.Main
    • The application gets its server name as a parameter.
    • Name in SmartDashboard: Jssh2 Client.
  2. SSH2 Windows executable:
    • Executable file name: WinSsh2.exe
    • The application gets its server name as parameter.
    • Name in SmartDashboard: Essh2 Client.

To add these applications:

  1. Compress the ssh2.jar and WinSsh2.exe application files into ssh2.cab and WinSsh2.cab:

    cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar

    cabarc.exe -m LZX:20 -s 6144 N WinSsh2.cab WinSsh2.exe

  2. Copy ssh2.jar, WinSsh2.exe, ssh2.cab and WinSsh2.cab to $CVPNDIR/htdocs/SNX/CSHELL on the gateway, with the proper permissions.
  3. Use GuiDBedit to configure the two new downloaded-from-gateway applications as follows. In this example, the IP address of the SSH2 server is 1.1.1.1.

SSH2 Java Application

  • display_name: Jssh2 Client
  • embedded_application_type: java_applet
  • file_name: ssh2.jar
  • post_custom_params: (empty)
  • pre_custom_params: ssh2.Main
  • server_name_required_params: true
  • type: embedded_application

SSH2 Windows Executable

  • display_name: Essh2 Client
  • embedded_application_type: windows_executable
  • file_name: WinSsh2.exe
  • post_custom_params: (empty)
  • pre_custom_params: (empty)
  • server_name_required_params: true
  • type: embedded_application

When you configure one of these new downloaded-from-Mobile Access applications (Jssh2 Client and Essh2 Client) in SmartDashboard, the Parameters field will be: 1.1.1.1 (the SSH2 server IP in this example).

Example: Adding a New Microsoft Remote Desktop Profile

This example demonstrates how to configure Mobile Access to work with Microsoft Remote Desktop, with a predefined profile. It also shows how to configure the profile per user group.

  1. Create the Remote Desktop Profile
  2. Create a CAB Package from the Profile
  3. Configure the Package Downloaded-from-Gateway Application
  4. Configure the Link to the Remote Desktop Application
  5. Configure the Remote Desktop Profile to Start Automatically
  6. Assign the Native Application to the User Group

Repeat for every new Microsoft Remote Desktop Connection.

Create the Remote Desktop Profile

Create the RDP profile file (with an .rdp extension) using Microsoft Remote Desktop Connection, found at %SystemRoot%\system32\mstsc.exe.

When creating the profile, you can define the address, the settings, applications that should run at log in, and more.

In this example, the profile file has the name of the relevant user group. For a user group called mygr1, save a profile file called mygr1.rdp.

RDP Properties
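An example profile for the mygr1 group, constructed here to show the kind of settings such a file carries; it is not a file from the Check Point documentation, and the host rds01.corp.example, the domain CORP and the published application path are assumptions. mstsc.exe writes the same key:type:value lines when you use Save As in the Remote Desktop Connection dialog, so you can also open this file there and adjust it:

```ini
screen mode id:i:2
desktopwidth:i:1280
desktopheight:i:800
full address:s:rds01.corp.example:3389
domain:s:CORP
prompt for credentials:i:1
authentication level:i:1
redirectclipboard:i:0
redirectdrives:i:0
redirectprinters:i:0
redirectsmartcards:i:1
alternate shell:s:C:\Program Files\Contoso\Ledger.exe
shell working directory:s:C:\Program Files\Contoso
```

Because the profile is delivered to every member of the group, it is the place to fix the settings you do not want users to change: prompt for credentials:i:1 keeps passwords out of the file, authentication level:i:1 refuses the connection if the server's identity cannot be verified instead of only warning, the redirect* keys decide which parts of the endpoint (drives, clipboard, printers) the remote session can reach, and alternate shell starts the one published application instead of a full desktop.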

Create a CAB Package from the Profile

  1. Compress the profile file into CAB file with the same name as the original file. The Microsoft Cabinet Tool Cabarc.exe can be used. It is available at http://msdn2.microsoft.com/en-us/library/aa751974.aspx.

    For this example, run the command:
    cabarc.exe -m LZX:20 -s 6144 N mygr1.cab mygr1.rdp

    This produces the output file mygr1.cab.

  2. Copy both mygr1.rdp and mygr1.cab to the Mobile Access machine at $CVPNDIR/htdocs/SNX/CSHELL.
  3. Change their permissions to read, write and execute.

Configure the Package Downloaded-from-Gateway Application

  1. Run the Database Tool GuiDBedit.exe from the directory where SmartConsole is installed. The default location is:
    C:\Program Files\CheckPoint\SmartConsole\R71\PROGRAM.
  2. Enter the administrator user name and password.
  3. Select Table > Other > embedded_applications.

    The embedded_applications table opens.

  4. In the right side pane, right-click and select New.
  5. In the Object field, enter a name for the new downloaded-from-gateway application. Give it the name of the relevant user group. In this example: mygr1
  6. Specify the characteristics of the new downloaded-from-gateway application as follows:
    • display_name: mygr1_RDP_Policy
    • embedded_application_type: windows_executable
    • file_name: mygr1.rdp

You can now see and configure the new downloaded-from-gateway application in SmartDashboard, just as for the built-in downloaded-from-gateway applications.

Configure the Link to the Remote Desktop Application

Configure the link to Microsoft Remote Desktop that will appear in the SSL Network Extender window. Define it as an Already Installed endpoint application.

  1. Define a Native Application.
  2. In the Endpoint Application page of the Native Application, select Add a Link to the application in the Mobile Access portal.
  3. Select Advanced, and click Edit.

    The Endpoint Applications - Advanced window opens.

  4. Click Add. The Edit Endpoint Application window opens.
  5. In the Edit Endpoint Application window, use the following settings, as shown in the screen capture:
    • Link text (Multi-language): MS-RDP (or any other name).
    • Path and executable name: %SystemRoot%\system32\mstsc.exe
    • Parameters: %temp%\mygr1.rdp
  6. Click OK.

Configure the Remote Desktop Profile to Start Automatically

In the same Native Application, add another endpoint application for the Remote Desktop Profile. Define it as a Downloaded from Mobile Access endpoint application, which is downloaded to the user desktop as soon as SSL Network Extender is launched.

  1. In the Endpoint Applications - Advanced window, click Add.

    The Edit Endpoint Application window opens.

  2. Configure the Remote Desktop profile package with the following settings.
    • Add link to the application in the Mobile Access portal must be unchecked.
    • Name: mygr1_RDP_Policy (as configured in GuiDBedit.exe).
  3. Click Advanced.

    The Advanced window opens

  4. Select Automatically Start this Application: When SSL Network Extender is launched.
  5. Click OK three times to save and close the Native Application.

Assign the Native Application to the User Group

Assign the Native Application to the relevant user group.

Configuring Downloaded-from-Gateway Endpoint Applications

In the Endpoint Applications page of the Native Application object:

  1. Select Add link in the Mobile Access portal.
  2. Select Advanced > Edit. The Endpoint Applications - Advanced window opens.
  3. Click Add. The Edit Endpoint Application window opens.
  4. Select Downloaded-from-Gateway.
  5. From the Name drop-down list, select the desired downloaded-from-gateway application.
  6. Specify the Parameters for the downloaded-from-gateway application. The parameters field is used to pass additional information to the downloaded-from-gateway applications on the endpoint machine, and to configure the way they are launched.

    The $$user variable can be used here; it is replaced dynamically by the login name of the currently logged-in user.

    See the configuration sections below for details of the required parameters :

    Note - In the configuration sections for certified and add-on applications, below:
    parameter is a compulsory parameter,
    [parameter] is an optional parameter,
    | indicates a required choice of one from many.

  7. Continue with Completing the Native Application Configuration.

Configuring the Telnet Client (Certified Application)

Supported Platforms

All

Parameters field

Server name or IP address. Default port is 23.

Parameters usage

server [port]

Description

Telnet terminal. Provides user-oriented command-line login sessions between hosts on the Internet.

Home page

http://javassh.org

Configuring the SSH Client (Certified Application)

Supported Platforms

All

Parameters field

Server name or IP address.

Parameters usage

server

Description

Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22.

Home page

http://javassh.org

Configuring the TN3270 Client (Certified Application)

Supported Platforms

All. Requires Java 1.3.1 or higher.

Parameters field

Ignored

Description

IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.

Home page

http://jagacy.com

Configuring the TN5250 Client (Certified Application)

Supported Platforms

All endpoint machines must have Java 1.4 or higher.

Parameters field

Optional. Can use the Configure button on the application instead. For the full list of options that can be used in the parameters field, see the Quick Start Guide http://tn5250j.sourceforge.net/quick.html.

Parameters usage

[Server [options]]

Description

IBM 5250 terminal emulator that interprets and displays 5250 data streams.

You will be presented with a Connections screen for defining sessions. Select the configure button to define sessions when the session selection window opens.

On first invocation of the emulator there are some console warning messages. These inform you that defaults files are being set up for the first run.

Home page

http://tn5250j.sourceforge.net/index.html

Quick Start Guide

http://tn5250j.sourceforge.net/quick.html

Configuring the Remote Desktop Client (Add-On Application)

Supported Platforms

All platforms. Endpoint machines must have Java 1.4 or higher.

Parameters field

Must contain the server name or its IP address.

Parameters usage

[options] server[:port]

For example: -g 800x600 -l WARN RDP_Server. Options:

  • -b - Bandwidth saving (good for 56k modem, but higher latency). This option clears the TCP 'no delay' flag.
  • -d - Windows domain you are connecting to.
  • -f - Show the window full-screen (requires Java 1.4 for proper operation).
  • -g WIDTHxHEIGHT. - The size of the desktop in pixels.
  • -m - Keyboard layout on terminal server for languages (for example, en-us).
  • -l {DEBUG, INFO, WARN, ERROR, FATAL} - Amount of debug output (otherwise known as the logging level).
  • -lc - Path to a log4j configuration file.
  • -n - Override the name of the endpoint machine.
  • -u - Name of the user to connect as.
  • -p - Password for the above user.
  • -s - Shell to launch when the session is started.
  • -t - Port to connect to (useful if you are using an SSH tunnel, for example).
  • -T - Override the window title.

Description

Downloaded-from-Mobile Access Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac.

Home page

http://properjavardp.sourceforge.net

Configuring the PuTTY Client (Add-On Application)

Supported Platforms

Windows only

Parameters field

Optional. Leaving the Parameters field empty leads PuTTY Client to open in full graphical mode.

Parameters usage

[[-ssh | -telnet | -rlogin | -raw] [user@]server [port]]

Description

An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator.

Home page

http://www.eos.ncsu.edu/remoteaccess/putty.html

Configuring the Jabber Client (Add-On Application)

Supported Platforms

All platforms. Endpoint machines must have Java 1.4 or higher.

Parameters field

Ignored

Description

Downloaded-from-Gateway Jabber Client is an instant messenger based on the Jabber protocol.

Runs on every computer with at least Java 1.4.

Home page

http://jeti.jabberstudio.org

Configuring the FTP Client (Add-On Application)

Supported Platforms

All. Endpoint machines must have Java 1.4 or higher.

Parameters field

Ignored

Description

Graphical Java network and file transfer client. Supports FTP using its own FTP API, and various other protocols (SMB, SFTP, NFS, HTTP and file I/O) using third-party APIs. Includes many advanced features, such as recursive directory upload and download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more.

Home page

http://j-ftp.sourceforge.net

 