Native Applications for Client-Based Access

In This Section: Introduction to Native Applications SSL Network Extender for Accessing Native Applications Configuring SSL Network Extender as a VPN Client Configuring SSL Network Extender Advanced Options Endpoint Application Types Configuring a Simple Native Application Configuring an Advanced Native Application Protection Levels for Native Applications Adding Downloaded-from-Gateway Endpoint Applications Configuring Downloaded-from-Gateway Endpoint Applications

Introduction to Native Applications

A native application is any IP-based application that is hosted on servers within the organization, and requires an installed client on the endpoint. The client is used to access the application and encrypt all traffic between the endpoint and Mobile Access.

SSL Network Extender automatically works with Mobile Access to support native applications.

Microsoft Exchange, Telnet, and FTP, are all examples of native application servers. Authorized users can use their native clients (for example, telnet.exe, ftp.exe, or Outlook) to access these internal applications from outside the organization.

A native application is defined by the:

• Server hosting applications.
• Services used by applications.
• Connection direction (usually client to server, but can also be server to client, or client to client).
• Applications on the endpoint (client) machines. These applications are launched on demand on the user machine when the user clicks a link in the user portal. They can be:
  • Already installed on the endpoint machine, or
  • Run via a default browser, or
  • Downloaded from Mobile Access.

SSL Network Extender for Accessing Native Applications

The SSL Network Extender client makes it possible to access native applications via Mobile Access. SSL Network Extender can operate in two modes: Network Mode and Applications Mode.

SSL Network Extender with Mobile Access

The SSL Network Extender client lets users access native applications using Mobile Access.

• If the Mobile Access blade is enabled on the gateway, SSL Network Extender works through Mobile Access only. Configure its policy in the Policy page of the Mobile Access tab.
• If the Mobile Access blade is disabled and the IPsec VPN blade is enabled, SSL Network Extender works through the IPsec VPN blade. Configure its policy in the main security rule base.

Note - If SSL Network Extender was configured through IPsec VPN, and now you enabled the Mobile Access blade on the gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. SSL Network Extender rules in the main security rule base are not active if the Mobile Access tab is enabled.

SSL Network Extender is downloaded automatically from the Mobile Access portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender tunnels application traffic using a secure, encrypted and authenticated SSL tunnel to the Mobile Access gateway.

SSL Network Extender requires ActiveX (for Windows with Internet Explorer), or Java.

SSL Network Extender Network Mode

The SSL Network Extender Network Mode client provides secure remote access for all application types (both Native-IP-based and Web-based) in the internal network via SSL tunneling. To install the Network mode client, users must have administrator privileges on the client computer.

After installing the client, an authenticated user can access any authorized internal resource that is defined on Mobile Access as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the Mobile Access portal.

SSL Network Extender Application Mode

The SSL Network Extender Application Mode client provides secure remote access for most application types (both Native (IP-based) and Web-based) in the internal network via SSL tunneling. Most TCP applications can be accessed in Application mode. The user does not require administrator privileges on the endpoint machine.

After the client is installed, the user can access any internal resource that is defined on Mobile Access as a native application. The application must be launched from the Mobile Access portal and not from the user's desktop.

If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user that connects in Application Mode will be able to see it and launch it. If the application is not supported in Application Mode, a user who connects with Application Mode will not see it in the list of applications. While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified to work with SSL Network Extender in Application mode.

Note - UDP based applications are not supported with SSL Network Extender in Application mode.

Supported Application Mode Applications

Most TCP applications work with SSL Network Extender in the Application Mode. If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user that connects in Application Mode will be able to see it and launch it. If the application is not supported in Application Mode, a user who connects with Application Mode will not see it in the list of applications.

The following applications have been tested and are Check Point OPSEC-certified for use with Mobile Access SSL Network Extender in Application mode. Note that this mode is different from SSL Network Extender in Network mode which supports any IP-based application. While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified to work with SSL Network Extender in Application mode. Only specified versions are guaranteed to work and are fully supported. However, in most cases other versions of the same client and most other applications that are TCP based will work.

Note - Some Anti-Virus applications do not scan email when Microsoft Outlook is launched with SSL Network Extender Application mode, because the mail is encrypted in SSL before scanning begins.

Configuring SSL Network Extender as a VPN Client

To configure SSL Network Extender as a VPN client:

1. From the Gateways & Servers tab, right-click the Mobile Access Security Gateway and select Edit.

   The gateway properties window opens and shows the General Properties page.

2. From the navigation tree, click Mobile Access > SSL Clients.

   SSL Network Extender is automatically enabled when the Mobile Access blade is turned on.

3. Select an option:
   • Automatically decide on client type according to endpoint machine capabilities downloads the SSL Network Extender Network Mode client if the user on the endpoint machine has administrator permissions, and downloads the Application Mode client if the user does not have administrator permissions.
   • Application Mode only specifies that the SSL Network Extender Application Mode client is downloaded to the endpoint machines — irrespective of the capabilities of the endpoint machine.
   • Network Mode only specifies that the SSL Network Extender Network Mode client is downloaded to the endpoint machines — irrespective of the capabilities of the endpoint machine. The user on the endpoint machine must have administrator permissions in order to access Native Applications.
4. Click OK.
5. Install the policy.

   If you had SSL Network Extender configured through IPsec VPN and now you enabled the Mobile Access blade on the gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. Rules regarding SSL Network Extender in the main security rule base are not active if the Mobile Access tab is enabled.

Office Mode

When working with Office Mode, Remote Access clients receive an IP address allocated for them by the VPN administrator. These addresses are used by the clients in the source field of the IP packets they build. Since the IP packets are then encrypted and encapsulated, the packets appear to the Internet with their original IP address. To the organization's internal network, after decapsulation and decryption, they appear with the allocated IP address. The clients seem to be on the internal network.

Configuring Office Mode

Configure Office Mode in Gateway Properties > Mobile Access > Office Mode. The settings configured here apply to Mobile Access clients and IPsec VPN clients.

Office Mode Method

Choose the methods used to allocate IP addresses for Office Mode. All of the methods selected below will be tried sequentially until the office mode IP addresses are allocated.

• From $FWDIR/conf/ipassignment.conf - You can over-ride the Office Mode settings created on Security Management Server. Edit the plain text file ipassignment.conf in the $FWDIR/conf/ directory on the Check Point Security Gateway. The gateway uses these Office Mode settings and not those defined for the object in Security Management Server.

  ipassignment.conf can specify:

  • An IP per user/group, so that a particular user or user group always receives the same Office Mode address. This allows the administrator to assign specific addresses to users, or particular IP ranges/networks to groups when they connect using Office Mode.
  • A different WINS server for a particular user or group.
  • A different DNS server.
  • Different DNS domain suffixes for each entry in the file.
• From the RADIUS server used to authenticate the user - A RADIUS server can be used for authenticating remote users. When a remote user connects to a gateway, the user name and password are passed on to the RADIUS server, which checks that the information is correct, and authenticates the user.
• Using one of the following methods:
  • Manually (IP pool) - Create a Network Object with the relevant addresses. The allocated addresses can be illegal but they have to be routable within the internal network.
  • Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and relates to VPN as a DHCP relay agent. The virtual IP address must be routable to enable the DHCP send replies correctly.

    DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client they are allocated the same IP address.

Multiple Interfaces

If the gateway has multiple external interfaces, there might be a routing problem for packets whose destination address is a client working in Office Mode. The destination IP address is replaced when the packet is encapsulated and thus previous routing information becomes irrelevant. Resolve this problem by setting the gateway to Support connectivity enhancement for gateways with multiple external interfaces. Do not select this option if your gateway has only one external interface, as this operation affects the performance.

Anti-Spoofing

If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode.

If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here.

IP Pool Optional Parameters

Configure additional optional parameters for how office mode addresses are assigned by clicking Optional Parameters. If the office mode addresses are allocated from an IP pool, this window allows you to you specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the Domain name.

If the office mode addresses are allocated by a DHCP server, DNS and WINS addresses are set on the DHCP server.

These details are transferred to the Remote Access client when a VPN is established.

IP Lease Duration

Specify the amount of time after which the Remote Access client stops using the allocated IP address and disconnects. By default, the duration is 15 minutes. The client tries to renew the IP address by requesting the same address after half of the set time has elapsed. When this request is granted, the client receives the same address until the lease expires. When the new lease expires, it must be renewed again.

Configuring SSL Network Extender Advanced Options

To configure SSL Network Extender advanced options:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

   SmartDashboard opens and shows the Mobile Access tab.

2. From the navigation tree click Additional Settings > VPN Clients.
3. From the Advanced Settings for SSL Network Extender section, click Edit.
4. Configure the applicable options.
5. Click OK.
6. Click Save and then close SmartDashboard.
7. From SmartConsole, install policy.

Deployment Options

• Client upgrade upon connection specifies how to deploy a new version of the SSL Network Extender Network Mode client on endpoint machines, when it becomes available.

Note - Upgrading requires Administrator privileges on the endpoint machine.

• Client uninstall upon disconnection specifies how to handle the installed SSL Network Extender Network Mode client on the endpoint machine when the client disconnects.
  • Do not uninstall allows the user to manually uninstall if they wish to.
  • Ask User allows the user to choose whether or not to uninstall.
  • Always uninstall does so automatically, when the user disconnects.

Encryption

• Supported Encryption methods defines the strength of the encryption used for communication between SSL Network Extender clients and all Mobile Access gateways and gateway clusters that are managed by the Security Management Server.
  • AES, 3DES - This is the default setting. The 3DES encryption algorithm encrypts data three times, for an overall key length of 192 bits.
  • AES, 3DES or RC4 - to configure the SSL Network Extender client to support the RC4 encryption method, as well as AES and 3DES. RC4 is a variable key-size stream cipher. The algorithm is based on the use of a random permutation. It requires a secure exchange of a shared key that is outside the specification. RC4 is a faster encryption method than 3DES.

Launch SSL Network Extender Client

These settings define the behavior of the SSL Network Extender clients when launched on the endpoint machines.

• On demand, when user clicks 'Connect" on the portal - SSL Network Extender only opens when the user clicks "Connect" from the Mobile Access portal.
• Automatically, when user logs on - When users log in to the Mobile Access portal, SSL Network Extender launches automatically.
• Automatically minimize client window after client connects - For either of the options above, choose to minimize the SSL Network Extender window to the system tray on the taskbar after connecting. This provides better usability for non-technical users.

Endpoint Application Types

When defining a Native Application, you can define applications on endpoint machines. These applications launch on the endpoint machine when the user clicks a link in the Mobile Access portal. You do not have to configure endpoint applications for users using SSL Network Extender in Network Mode, as they will be able to access them using their native clients.

Application Installed on Endpoint Machine

These endpoint applications are already installed on the endpoint machines.

Application Runs Via a Default Browser

Run via default browser is used to define a link to any URL. The link appears in the Mobile Access portal, and launches the current Web browser (the same browser as the Mobile Access portal). The link can include $$user, which represents the user name of the currently logged-in user.

This option has a user experience similar to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some websites have problems working with Link Translation.

Applications Downloaded-from-Gateway

Downloaded-from-Gateway applications let you select applications that download from Mobile Access to the endpoint computer when the user clicks a link in the Mobile Access portal.

These applications allow end users to securely use client-server applications, without requiring a native client to be installed on their machines.

Mobile Access has built-in applications that the administrator can configure. Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files). All the applications that are available by default, other than the Terminal (PuTTY) client, are Java based applications, and are therefore multi-platform applications. The PuTTY client can only be used on Windows machines.

You can add Downloaded-from-Gateway applications to Mobile Access, in addition to the built-in applications.

The Downloaded-from-Gateway applications are third-party applications, which are supplied as-is, and for which Check Point provides limited support.

Some of these packages are not signed by Check Point, and when they are downloaded by end- users a popup warning informs the user that the package is not signed.

Downloaded-from-Gateway Applications

Application	Description
Remote Desktop (RDP)	Downloaded-from-Gateway Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac.
Terminal (PuTTY)	An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator.
Jabber	Downloaded-from-Gateway Jabber Client is an instant messenger based on the Jabber protocol. Runs on every computer with at least Java 1.4.
FTP	Graphical Java network and file transfer client. Supports FTP using its own FTP API and various other protocols like SMB, SFTP, NFS, HTTP, and file I/O using third party APIs, includes many advanced features such as recursive directory up/download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more.
Telnet	Telnet terminal. Provides user oriented command line login sessions between hosts on the Internet.
SSH	Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22.
TN3270	IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.
TN5250	IBM 5250 terminal emulator that interprets and displays 5250 data streams.

You can also configure Endpoint applications that are Downloaded from the gateway.

Configuring Authorized Locations per User Group

The authorized locations (hosts or address ranges) of a Native application are defined in the Authorized Locations page of the Native Application. However, it is also possible to configure authorized locations per user group. Users who belong to two or more groups can access the union of the authorized locations of the groups.

For configuration details, see sk32111.

Ensuring the Link Appears in the End-User Browser

If an endpoint application is defined by the administrator, but is not available on the endpoint machine, the link to the application will not be shown in the Mobile Access portal.

For example, the link will not be shown if:

• An endpoint application that is pre-installed on the endpoint machine (of type "Already Installed") is configured, and the application is in fact not installed on the endpoint machine.
• A Downloaded-from-Gateway (Embedded) application requires Java, but Java is not installed on the endpoint machine.

Configuring a Simple Native Application

To configure a simple Native Application:

1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).
2. Click New Custom Application/Site > Mobile Application > Native Applications.
3. Click New.

   The Native Application window opens.

General Properties

In the General Properties page, define the name of the Native Application.

Authorized Locations

1. Go to the Authorized Locations page.

   An authorized location ensures users of the Native Application can only access the specified locations using the specified services.

2. Fill in the fields:
   • Host or Address Range is the machine or address range on which the application is hosted.
   • Service is the port on which the machine hosting the application listens for communication from application clients.

Applications on the Endpoint Computer

1. Go to the Endpoint Applications page.
2. Fill in the fields:
   • Add link in the Mobile Access portal must be selected if you want to make endpoint application(s) associated with the Native Applications available to users.
   • Link text can include $$user, a variable that represents the user name of the currently logged-in user.
   • Tooltip for additional information. Can include $$user, which represents the user name of the currently logged-in user.
   • Path and executable name must specify one of the following:

   Note - If the endpoint application is not available on the endpoint machine, the link to the application will not be shown in the end user's browser.

   • Full path of the application on the endpoint machines. For example,
     c:\WINDOWS\system32\ftp.exe
   • The location of the application by means of an environment variable. This allows the location of the application to be specified in a more generalized way. For example
     %windir%\system32\ftp.exe
   • If the application is listed in the Windows Start > Programs menu, only the application name need be entered, as it appears to the user in the Start menu. For example HyperTerminal.
   • If the location of the application is in the path of the endpoint computer, only the application name need be entered. For example
     ftp.exe
   • Parameters are used to pass additional information to applications on the endpoint computer, and to configure the way they are launched.

Using the $$user Variable in Native Applications

You can use the $$user variable to define customized login parameters for native applications. To do this, enter the $$user variable wherever you need to specify a user name.

For example, you can use the $$user variable to return the user name as a part of the login string for Remote Desktop. In this example, $$user.example.com (in the Parameters field) resolves to the login string ethan.example.com for Ethan or richard.example.com for Richard.

Completing the Native Application Configuration

To complete the configuration, add the Native application to a policy rule and install policy from SmartConsole.

If necessary, configure the VPN clients.

For unified Access Control policy, see Configuring Mobile Access in the Unified Policy.

For legacy policy, see Creating Mobile Access Rules in the Legacy Policy.

Configuring an Advanced Native Application

To configure an advanced Native Application:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

   SmartDashboard opens and shows the Mobile Access tab.

2. From the navigation tree click Applications > Native Applications.
3. Click New.

   The Native Application window opens.

Configuring Connection Direction

1. In the General Properties page of the Native Application object, click Connection direction.

   The Advanced window opens.

2. Select an option for the Direction of communication from the connection initiator:
   • Client to server: (For example, Telnet.) This is the default option. When you create a client to server application and assign it to a user group, you enable users of the group to initiate a connection to the specified server.
   • Server to client: (For example, X11.) When you create a server to client application, the specified server can initiate a connection to all SSL Network Extender or Secure Client Mobile users currently logged on to the Mobile Access gateway, regardless of their group association.
   • Client to client: (For example, running Remote Administration from one client to another.) When you create a client to client Native Application and assign it to a user group, you enable users of that group to initiate a connection to all of the SSL Network Extender or Secure Client Mobile users currently logged on to Mobile Access, regardless of their user group association.

Note - A Client to Client Native Application does not require configuration of a destination address.

Multiple Hosts and Services

The native application can reside on a range of hosts, which can be accessed by the native application clients. You can also specify more than one service that clients may use to communicate with the application.

Users of the native application can only access the specified locations using the specified services.

To define a native application with multiple hosts and services:

1. Define a Native Application.
2. In the Authorized Locations page of the Native Application object, select Advanced.
3. Click Edit.

   The Native Application - Advanced window opens.

4. Click Add or Edit.

   The Native Application Hosts window opens.

5. Configure the hosts.
6. Click OK.

Configuring the Endpoint Application to Run Via a Default Browser

To configure the Endpoint Application to run via a default browser:

1. Define a Native Application.
2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
3. Select Advanced > Edit.

   The Endpoint Applications - Advanced window opens.

4. Click Add.

   The Edit Endpoint Application window opens.

5. Select Run via default browser. This is used to define a link to any URL. The link appears in the Mobile Access portal, and launches the current Web browser (the same browser as the Mobile Access portal). The link can include $$user, which represents the user name of the currently logged-in user.
   
   This option has a similar user experience to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some Web sites have problems working with Link Translation.

Automatically Starting the Application

To configure the Endpoint Application to start automatically:

1. Define a Native Application.
2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
3. Select Advanced > Edit.

   The Endpoint Applications - Advanced window opens.

4. Click Add or Edit.

   The Edit Endpoint Application window opens.

5. Click Advanced.

   The Advanced window opens.

   • Automatically Start this Application - Configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode). When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications.
   • When SSL Network Extender is disconnected - Do not use this option to launch applications that require connectivity to the organization - SSL Network Extender Application Mode. In Network Mode, automatic start of applications when SSL Network Extender is disconnected, works correctly.

Making an Application Available in Application Mode

To make an application available in Application Mode:

1. Define a Native Application.
2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
3. Select Advanced > Edit.

   The Endpoint Applications - Advanced window opens.

4. Click Add or Edit. The Edit Endpoint Application window opens.
5. Click Advanced.

   The Advanced window opens.

6. Select Show link to this application in SSL Network Extender Application Mode. The option SSL Network Extender application mode compatibility lets you make an application available to Application Mode clients. Users that connect using the SSL Network Extender Application Mode client are able to see a link to the application and launch it. Use this option if the application works well in Application Mode.

Note - If this option is NOT selected users who connect with Application Mode, do not see it in their list of applications.

Automatically Running Commands or Scripts

It is possible to configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode).

Note - The user must have the appropriate privileges on the endpoint machine to run the commands.

One example of how automatically running a command can be useful is to mount or unmount a network drive. Giving users access to network drives is a convenient way of providing access to internal resources. A drive can be mapped by configuring an application that invokes the Windows net use command.

Note - When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications.

For configuration details, see How to Automatically Map and Unmap a Network Drive.

It is possible to extend this ability by defining a dynamic add-on Downloaded-from-Gateway application that runs a script (batch file) containing a sequence of commands to execute on the endpoint machine. This script can be launched manually when the user clicks a link, or it can launch automatically after connecting to or disconnecting from SSL Network Extender.

For configuration details, see How to Automatically Run a Script (Batch File).

How to Automatically Map and Unmap a Network Drive

A drive can be mapped by configuring an application that invokes the Windows net use command.

Note - The net use command is available for SSL Network Mode only.

To automatically map (mount) and unmap (unmount) a network drive, create a Native Application that automatically maps the network drive when SSL Network Extender is launched:

1. Define a Native Application.
2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
3. Select Advanced > Edit.

   The Endpoint Applications - Advanced window opens.

4. Click Add or Edit.

   The Edit Endpoint Application window opens.

5. Configure the Edit Endpoint Application page as follows:
   • Already installed.
   • Path and executable name: net.exe
   • Parameters: use drive_letter: \\server name\share name
6. Click Advanced.
7. In the Advanced page, check When SSL Network Extender is launched.
8. Create another Native Application that automatically unmaps the network drive when SSL Network Extender is disconnected. Configure these settings in the Edit Endpoint Application page:
   • Already installed
   • Path and executable name: net.exe
   • Parameters: use /DELETE drive_letter:
9. Click Advanced.
10. In the Advanced page, check When SSL Network Extender is disconnected.
11. Click OK.

How to Automatically Run a Script (Batch File)

It is possible to define a new Downloaded-from-Gateway Endpoint Application (embedded application) that runs a script (batch file) automatically after connecting to or disconnecting from SSL Network Extender.

To automatically run a script:

1. Create a batch (script) file containing a sequence of commands.
2. Define the batch file as a new Downloaded-from-Gateway Endpoint Application (Embedded Application).
3. Define a Native Application.
4. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.
5. Select Advanced > Edit.

   The Endpoint Applications - Advanced window opens.

6. Click Add or Edit.

   The Edit Endpoint Application window opens.

7. Click Advanced.
8. In the Automatically start this application section of the Advanced page, select When SSL Network Extender is launched.

Protection Levels for Native Applications

You can define a protection level for each native application. Configure this in the Properties window of each native application in Additional Settings > Protection Level.

The options are:

• This application relies on the security requirements of the gateway
  Rely on the gateway security requirements. Users authorized to use the portal are also authorized to use this application. This is the default option.
• This application has additional security requirements specific to the following protection level
  Associate the Protection Level with the application. Users must be compliant with the security requirement for this application in addition to the requirements for the portal.

Defining Protection Levels

To access the Protection Level page from the Mobile Access tab:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

   SmartDashboard opens and shows the Mobile Access tab.

2. From the navigation tree click Additional Settings > Protection Levels page from the navigation tree.
3. Click New to create a new Protection Level or double-click an existing Protection Level to modify it.

   The Protection Levels window opens, and shows the General Properties page.

To access the Protection Level page from a Mobile Access application:

1. In SmartConsole, click Objects > Object Explorer (Ctrl+E). Or in SmartDashboard, Mobile Access tab, go to Applications > Application type.
2. Search for the Mobile Access application.
3. Double-click the application.
4. From the navigation tree, select Additional Setting > Protection Level.
5. To create a new Protection Level, select Manage > New.
6. To edit the settings of a Protection Level, select the Protection Level from the drop down list and then select Manage > Details.

   The Protection Levels window opens, and shows the General Properties page.

To configure the settings for a Protection Level:

1. From the General Properties page in the Protection Level window, enter the Name for the Protection Level (for a new Protection Level only).
2. In the navigation tree, click Authentication and select one or more authentication methods from the available choices. Users accessing an application with this Protection Level must use one of the selected authentication schemes.
3. If necessary, select User must successfully authenticate via SMS.
4. In the navigation tree, click Endpoint Security and select one or both of these options:
   • Applications using this Protection Level can only be accessed if the endpoint machine complies with the following Endpoint compliance policy. Also, select a policy. This option gives access to the associated application only if the scanned client computer complies with the selected policy.
   • Applications using this Protection Level can only be accesses from within Secure Workspace. This option requires Secure Workspace to be running on the client computer.
5. Click OK to close the Protection Level window
6. Install the policy.

Adding Downloaded-from-Gateway Endpoint Applications

You can add Downloaded-from-Gateway applications to Mobile Access, in addition to the built-in applications. This section explains how, and gives detailed examples.

Downloaded-from-Gateway Application Requirements

Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files).

Java applications have the following requirements:

• Application must be packaged into a JAR file
• The JVM of a version required by the application must be installed on the endpoint machine.
• The application must have a Main class.

Single-executable applications have the following requirements:

• Must not require installation.
• Must be platform-specific for Windows, Linux or MAC OS.

Adding a New Application

To add a new Downloaded-from-Gateway application, first put the application in the relevant directory on the gateway. Then use GuiDBedit to set its properties (see sk13009).

To add a new downloaded-from-gateway endpoint application:

1. Compress your downloaded-from-gateway application file into CAB file with the same name as the original file but with a .cab extension.

   To compress a file into a CAB file, you can use the Microsoft Cabinet Tool cabarc.exe (which can be downloaded from the Microsoft Web site). For example:

   cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar

2. Copy both your downloaded-from-gateway application file and the .cab file you created to the gateway machine at: $CVPNDIR/htdocs/SNX/CSHELL
3. Change the application file permissions to read, write and execute.
4. Run the Check Point Database Tool - see sk13009.
5. Log in to the Security Management Server.
6. Select Table > Other > embedded_applications.

   The embedded_applications table shows.

7. In the right side pane, right-click and select New.
8. In the Object field, enter a name for the new downloaded-from-gateway application.
9. Specify the characteristics of the new downloaded-from-gateway application.

   Field Name	Description
   display_name	The application name, which will appear in the drop-down list of downloaded-from-gateway applications in SmartDashboard, in the Edit Endpoint Application window.
   embedded_application_type	The type of downloaded-from-gateway application. Choose one of the options in the Valid Values list (java_applet, linux_executable mac_executable, windows_executable).
   file_name	The name of the file you placed in $CPVNDIR/htdocs/SNX/CSHELL (not the .cab version).
   server_name_required_params	Indicate if the new downloaded-from-gateway application requires the server name to be configured in the Parameters field of the new downloaded-from-gateway application, in the SmartDashboard Edit Endpoint Application window.
   pre_custom_params	Parameters concatenated before the server_name_required_params field. Usually used when configuring a new downloaded-from-gateway Java application. In that case, specify the Main Class name of the application.
   post_custom_params	Parameters concatenated after the server_name_required_params field. Can be left blank.
   type	Leave as embedded_application.

You can see and configure the new downloaded-from-gateway application in SmartDashboard, just as you do with the built-in downloaded-from-gateway applications. The downloaded-from-gateway applications appear in the Edit Network Application page of the Native Application object (Getting there: Native Application object > Endpoint applications page > Advanced: Edit > Add/Edit.

Example: Adding a New SSH Application

This example adds two applications to Mobile Access as new downloaded-from-Mobile Access applications:

1. SSH2 Java application:
   • Jar file name: ssh2.jar
   • Main class name: ssh2.Main
   • The application gets its server name as a parameter.
   • Name in SmartDashboard: Jssh2 Client.
2. SSH2 Windows executable:
   • Executable file name: WinSsh2.exe
   • The application gets its server name as parameter.
   • Name in SmartDashboard: Essh2 Client.

To add these applications:

1. Compress the ssh2.jar and WinSsh2.exe application files into ssh2.cab and WinSsh2.cab

   # cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar # cabarc.exe -m LZX:20 -s 6144 N WinSsh2.cab WinSsh2.exe

2. Assuming the IP address of the SSH2 server is 1.1.1.1, save the files ssh2.jar and WinSsh2.exe to $CVPNDIR/htdocs/SNX/CSHELL with the proper permissions.
3. Put the application files in $CVPNDIR/htdocs/SNX/CSHELL with the proper permissions.
4. Use GuiDBedit Tool (see sk13009) or dbedit (see skI3301) to configure the two new downloaded-from-Mobile Access applications.

SSH2 Java Application

Field Name	Value
display_name	Jssh2 Client
embedded_application_type	java_applet
file_name	ssh2.jar
post_custom_params	Empty
pre_custom_params	ssh2.Main
server_name_required_params	true
type	embedded_application

SSH2 Windows Executable

Field Name	Value
display_name	Essh2 Client
embedded_application_type	windows_executable
file_name	WinSsh2.exe
post_custom_params	Empty
pre_custom_params	Empty
server_name_required_params	true
type	embedded_application

When you configure one of these new downloaded-from-Mobile Access applications (Jssh2 Client and Essh2 Client) in SmartDashboard, the Parameters field will be: 1.1.1.1 (the SSH2 server IP in this example).

Example: Adding a New Microsoft Remote Desktop Profile

This example demonstrates how to configure Mobile Access to work with Microsoft Remote Desktop, with a predefined profile. It also shows how to configure the profile per user group.

1. Create the Remote Desktop Profile
2. Create a CAB Package from the Profile
3. Configure the Package Downloaded-from-Gateway Application
4. Configure the Link to the Remote Desktop Application
5. Configure the Remote Desktop Profile to Start Automatically
6. Assign the Native Application to the User Group

Repeat for every new Microsoft Remote Desktop Connection.

Create the Remote Desktop Profile

Create the RDP profile file (with an .rdp extension) using Microsoft Remote Desktop Connection, found at %SystemRoot%\system32\mstsc.exe.

When creating the profile, you can define the address, the settings, applications that should run at log in, and more.

In this example, the profile file has the name of the relevant user group. For a user group called mygr1, save a profile file called mygr1.rdp.

Create a CAB Package from the Profile

1. Compress the profile file into CAB file with the same name as the original file. The Microsoft Cabinet Tool Cabarc.exe can be used. It is available at http://msdn2.microsoft.com/en-us/library/aa751974.aspx.

   For this example, run the command:
   cabarc.exe -m LZX:20 -s 6144 N mygr1.cab mygr1.rdp

   This produces the output file mygr1.cab.

2. Copy both mygr1.rdp and mygr1.cab to the Mobile Access machine at $CVPNDIR/htdocs/SNX/CSHELL.
3. Change their permissions to read, write and execute.

Configure the Package Downloaded-from-Gateway Application

1. Run the Database Tool (see sk13009).
2. Enter the administrator user name and password.
3. In the top left pane, go to Table > Other > embedded_applications.

   The embedded_applications table opens.

4. In the top right pane, right-click and select New....
5. In the Object field, enter a name for the new downloaded-from-gateway application. Give it the name of the relevant user group. In this example: mygr1
6. Specify the characteristics of the new downloaded-from-gateway application as follows:
   • display_name: mygr1_RDP_Policy
   • embedded_application_type: windows_executable
   • file_name: mygr1.rdp

   You can now see and configure the new downloaded-from-gateway application in SmartDashboard, just as for the built-in downloaded-from-gateway applications.

7. Save the changes (File menu > Save All).
8. Close the Database Tool.
9. Open the SmartDashboard.

Configure the Link to the Remote Desktop Application

Configure the link to Microsoft Remote Desktop that will appear in the SSL Network Extender window. Define it as an Already Installed endpoint application.

1. Define a Native Application.
2. In the Endpoint Application page of the Native Application, select Add a Link to the application in the Mobile Access portal.
3. Select Advanced, and click Edit.

   The Endpoint Applications - Advanced window opens.

4. Click Add. The Edit Endpoint Application window opens.
5. In the Edit Endpoint Application window, use the following settings, as shown in the screen capture:
   • Link text (Multi-language): MS-RDP (or any other name).
   • Path and executable name: %SystemRoot%\system32\mstsc.exe
   • Parameters: %temp%\mygr1.rdp
6. Click OK.

Configure the Remote Desktop Profile to Start Automatically

In the same Native Application, add another endpoint application for the Remote Desktop Profile. Define it as a Downloaded from Mobile Access endpoint application, which is downloaded to the user desktop as soon as SSL Network Extender is launched.

1. In the Endpoint Applications - Advanced window, click Add.

   The Edit Endpoint Application window opens.

2. Configure the Remote Desktop profile package with the following settings.
   • Add link to the application in the Mobile Access portal must be unchecked.
   • Name: mygr1_RDP_Policy (as configured in GuiDBedit.exe).
3. Click Advanced.

   The Advanced window opens

4. Select Automatically Start this Application: When SSL Network Extender is launched.
5. Click OK three times to save and close the Native Application.

Assign the Native Application to the User Group

Assign the Native Application to the relevant user group.

Configuring Downloaded-from-Gateway Endpoint Applications

In the Endpoint Applications page of the Native Application object:

1. Select Add link in the Mobile Access portal.
2. Select Advanced > Edit.

   The Endpoint Applications - Advanced window opens.

3. Click Add.

   The Edit Endpoint Application window opens.

4. Select Downloaded-from-Gateway.
5. From the Name drop-down list, select the desired downloaded-from-gateway application.
6. Specify the Parameters for the downloaded-from-gateway application. The parameters field is used to pass additional information to the downloaded-from-gateway applications on the endpoint machine, and to configure the way they are launched.

   The $$user variable can be used here to dynamically change according to the login name of the currently logged in user.

   See the configuration sections below for details of the required parameters :

   Note - In the configuration sections for certified and add-on applications, below:
   parameter is a compulsory parameter,
   [parameter] is an optional parameter,
   | indicates a required choice of one from many.

   • Configuring the Telnet Client (Certified Application)
   • Configuring the SSH Client (Certified Application)
   • Configuring the TN3270 Client (Certified Application)
   • Configuring the TN5250 Client (Certified Application)
   • Configuring the Remote Desktop Client (Add-On Application)
   • Configuring the PuTTY Client (Add-On Application)
   • Configuring the Jabber Client (Add-On Application)
   • Configuring the FTP Client (Add-On Application)
7. Continue with Completing the Native Application Configuration.

Configuring the Telnet Client

Supported Platforms	All
Parameters field	Server name or IP address. Default port is 23.
Parameters usage	server [port]
Description	Telnet terminal. Provides user oriented command line login sessions between hosts on the Internet.
Home page	http://javassh.org

Configuring the SSH Client

Supported Platforms	All
Parameters field	Server name or IP address.
Parameters usage	server
Description	Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22.
Home page	http://javassh.org

Configuring the TN3270 Client

Supported Platforms	All. Requires Java 1.3.1 or higher.
Parameters field	Ignored
Description	IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.
Home page	http://jagacy.com

Configuring the TN5250 Client

Supported Platforms	All endpoint machines must have Java 1.4 or higher.
Parameters field	Optional. Can use the Configure button on the application instead. For the full list of options that can be used in the parameters field, see the Quick Start Guide http://tn5250j.sourceforge.net/quick.html.
Parameters usage	[Server [options]]
Description	IBM 5250 terminal emulator that interprets and displays 5250 data streams. You will be presented with a Connections screen for defining sessions. Select the configure button to define sessions when the session selection window opens. On first invocation of the emulator there are some console warning messages. These inform you that defaults files are being set up for the first run.
Home page	http://tn5250j.sourceforge.net/index.html
Quick Start Guide	http://tn5250j.sourceforge.net/quick.html

Configuring the Remote Desktop Client

Supported Platforms	All platforms. Endpoint machines must have Java 1.4 or higher.
Parameters field	Must contain the server name or its IP address.
Parameters usage	[options] server[:port] For example: -g 800x600 -l WARN RDP_Server. Options: -b - Bandwidth saving (good for 56k modem, but higher latency). This option clears the TCP 'no delay' flag. -d - Windows domain you are connecting to. -f - Show the window full-screen (requires Java 1.4 for proper operation). -g WIDTHxHEIGHT. - The size of the desktop in pixels. -m - Keyboard layout on terminal server for languages (for example, en-us). -l {DEBUG, INFO, WARN, ERROR, FATAL} - Amount of debug output (otherwise known as the logging level). -lc - Path to a log4j configuration file. -n - Override the name of the endpoint machine. -u - Name of the user to connect as. -p - Password for the above user. -s - Shell to launch when the session is started. -t - Port to connect to (useful if you are using an SSH tunnel, for example). -T - Override the window title.
Description	Downloaded-from-Mobile Access Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac.
Home page	http://properjavardp.sourceforge.net

Configuring the PuTTY Client

Supported Platforms	Windows only
Parameters field	Optional. Leaving the Parameters field empty leads PuTTY Client to open in full graphical mode.
Parameters usage	[[-ssh | -telnet | -rlogin | -raw] [user@]server [port]]
Description	An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator.
Home page	http://www.eos.ncsu.edu/remoteaccess/putty.html

Configuring the Jabber Client

Supported Platforms	All platforms. Endpoint machines must have Java 1.4 or higher.
Parameters field	Ignored
Description	Downloaded-from-Gateway Jabber Client is an instant messenger based on the Jabber protocol Runs on every computer with at least Java 1.4.
Home page	http://jeti.jabberstudio.org

Configuring the FTP Client

Supported Platforms	All. endpoint machines must have Java 1.4 or higher.
Parameters field	Ignored
Description	Graphical Java network and file transfer client. Supports FTP using its own FTP API and various other protocols like SMB, SFTP, NFS, HTTP, and file I/O using third party APIs, includes many advanced features such as recursive directory up/download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more.
Home page	http://j-ftp.sourceforge.net