In This Section: |
A native application is any IP-based application that is hosted on servers within the organization, and requires an installed client on the endpoint. The client is used to access the application and encrypt all traffic between the endpoint and Mobile Access.
SSL Network Extender automatically works with Mobile Access to support native applications.
Microsoft Exchange, Telnet, and FTP, are all examples of native application servers. Authorized users can use their native clients (for example, telnet.exe, ftp.exe, or Outlook) to access these internal applications from outside the organization.
A native application is defined by the:
The SSL Network Extender client makes it possible to access native applications via Mobile Access. SSL Network Extender can operate in two modes: Network Mode and Applications Mode.
The SSL Network Extender client lets users access native applications using Mobile Access.
Note - If SSL Network Extender was configured through IPsec VPN, and now you enabled the Mobile Access blade on the gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. SSL Network Extender rules in the main security rule base are not active if the Mobile Access tab is enabled. |
SSL Network Extender is downloaded automatically from the Mobile Access portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender tunnels application traffic using a secure, encrypted and authenticated SSL tunnel to the Mobile Access gateway.
SSL Network Extender requires ActiveX (for Windows with Internet Explorer), or Java.
The SSL Network Extender Network Mode client provides secure remote access for all application types (both Native-IP-based and Web-based) in the internal network via SSL tunneling. To install the Network mode client, users must have administrator privileges on the client computer.
After installing the client, an authenticated user can access any authorized internal resource that is defined on Mobile Access as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the Mobile Access portal.
The SSL Network Extender Application Mode client provides secure remote access for most application types (both Native (IP-based) and Web-based) in the internal network via SSL tunneling. Most TCP applications can be accessed in Application mode. The user does not require administrator privileges on the endpoint machine.
After the client is installed, the user can access any internal resource that is defined on Mobile Access as a native application. The application must be launched from the Mobile Access portal and not from the user's desktop.
If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user that connects in Application Mode will be able to see it and launch it. If the application is not supported in Application Mode, a user who connects with Application Mode will not see it in the list of applications. While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified to work with SSL Network Extender in Application mode.
Note - UDP based applications are not supported with SSL Network Extender in Application mode. |
Most TCP applications work with SSL Network Extender in the Application Mode. If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user that connects in Application Mode will be able to see it and launch it. If the application is not supported in Application Mode, a user who connects with Application Mode will not see it in the list of applications.
The following applications have been tested and are Check Point OPSEC-certified for use with Mobile Access SSL Network Extender in Application mode. Note that this mode is different from SSL Network Extender in Network mode which supports any IP-based application. While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified to work with SSL Network Extender in Application mode. Only specified versions are guaranteed to work and are fully supported. However, in most cases other versions of the same client and most other applications that are TCP based will work.
Note - Some Anti-Virus applications do not scan email when Microsoft Outlook is launched with SSL Network Extender Application mode, because the mail is encrypted in SSL before scanning begins. |
To configure SSL Network Extender as a VPN client:
The gateway properties window opens and shows the General Properties page.
SSL Network Extender is automatically enabled when the Mobile Access blade is turned on.
If you had SSL Network Extender configured through IPsec VPN and now you enabled the Mobile Access blade on the gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. Rules regarding SSL Network Extender in the main security rule base are not active if the Mobile Access tab is enabled.
When working with Office Mode, Remote Access clients receive an IP address allocated for them by the VPN administrator. These addresses are used by the clients in the source field of the IP packets they build. Since the IP packets are then encrypted and encapsulated, the packets appear to the Internet with their original IP address. To the organization's internal network, after decapsulation and decryption, they appear with the allocated IP address. The clients seem to be on the internal network.
Configure Office Mode in Gateway Properties > Mobile Access > Office Mode. The settings configured here apply to Mobile Access clients and IPsec VPN clients.
Office Mode Method
Choose the methods used to allocate IP addresses for Office Mode. All of the methods selected below will be tried sequentially until the office mode IP addresses are allocated.
ipassignment.conf
in the $FWDIR/conf/
directory on the Check Point Security Gateway. The gateway uses these Office Mode settings and not those defined for the object in Security Management Server.
can specify:ipassignment.conf
DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client they are allocated the same IP address.
Multiple Interfaces
If the gateway has multiple external interfaces, there might be a routing problem for packets whose destination address is a client working in Office Mode. The destination IP address is replaced when the packet is encapsulated and thus previous routing information becomes irrelevant. Resolve this problem by setting the gateway to Support connectivity enhancement for gateways with multiple external interfaces. Do not select this option if your gateway has only one external interface, as this operation affects the performance.
Anti-Spoofing
If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode.
If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here.
Configure additional optional parameters for how office mode addresses are assigned by clicking Optional Parameters. If the office mode addresses are allocated from an IP pool, this window allows you to you specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the Domain name.
If the office mode addresses are allocated by a DHCP server, DNS and WINS addresses are set on the DHCP server.
These details are transferred to the Remote Access client when a VPN is established.
IP Lease Duration
Specify the amount of time after which the Remote Access client stops using the allocated IP address and disconnects. By default, the duration is 15 minutes. The client tries to renew the IP address by requesting the same address after half of the set time has elapsed. When this request is granted, the client receives the same address until the lease expires. When the new lease expires, it must be renewed again.
To configure SSL Network Extender advanced options:
SmartDashboard opens and shows the Mobile Access tab.
Note - Upgrading requires Administrator privileges on the endpoint machine. |
These settings define the behavior of the SSL Network Extender clients when launched on the endpoint machines.
When defining a Native Application, you can define applications on endpoint machines. These applications launch on the endpoint machine when the user clicks a link in the Mobile Access portal. You do not have to configure endpoint applications for users using SSL Network Extender in Network Mode, as they will be able to access them using their native clients.
These endpoint applications are already installed on the endpoint machines.
Run via default browser is used to define a link to any URL. The link appears in the Mobile Access portal, and launches the current Web browser (the same browser as the Mobile Access portal). The link can include $$user, which represents the user name of the currently logged-in user.
This option has a user experience similar to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some websites have problems working with Link Translation.
Downloaded-from-Gateway applications let you select applications that download from Mobile Access to the endpoint computer when the user clicks a link in the Mobile Access portal.
These applications allow end users to securely use client-server applications, without requiring a native client to be installed on their machines.
Mobile Access has built-in applications that the administrator can configure. Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files). All the applications that are available by default, other than the Terminal (PuTTY) client, are Java based applications, and are therefore multi-platform applications. The PuTTY client can only be used on Windows machines.
You can add Downloaded-from-Gateway applications to Mobile Access, in addition to the built-in applications.
The Downloaded-from-Gateway applications are third-party applications, which are supplied as-is, and for which Check Point provides limited support.
Some of these packages are not signed by Check Point, and when they are downloaded by end- users a popup warning informs the user that the package is not signed.
Application |
Description |
---|---|
Remote Desktop (RDP) |
Downloaded-from-Gateway Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac. |
Terminal (PuTTY) |
An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator. |
Jabber |
Downloaded-from-Gateway Jabber Client is an instant messenger based on the Jabber protocol. Runs on every computer with at least Java 1.4. |
FTP |
Graphical Java network and file transfer client. Supports FTP using its own FTP API and various other protocols like SMB, SFTP, NFS, HTTP, and file I/O using third party APIs, includes many advanced features such as recursive directory up/download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more. |
Telnet |
Telnet terminal. Provides user oriented command line login sessions between hosts on the Internet. |
SSH |
Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22. |
TN3270 |
IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal. |
TN5250 |
IBM 5250 terminal emulator that interprets and displays 5250 data streams. |
You can also configure Endpoint applications that are Downloaded from the gateway.
The authorized locations (hosts or address ranges) of a Native application are defined in the Authorized Locations page of the Native Application. However, it is also possible to configure authorized locations per user group. Users who belong to two or more groups can access the union of the authorized locations of the groups.
For configuration details, see sk32111.
If an endpoint application is defined by the administrator, but is not available on the endpoint machine, the link to the application will not be shown in the Mobile Access portal.
For example, the link will not be shown if:
To configure a simple Native Application:
The Native Application window opens.
In the General Properties page, define the name of the Native Application.
An authorized location ensures users of the Native Application can only access the specified locations using the specified services.
$$user
, which represents the user name of the currently logged-in user.Note - If the endpoint application is not available on the endpoint machine, the link to the application will not be shown in the end user's browser. |
c:\WINDOWS\system32\ftp.exe
%windir%\system32\ftp.exe
path
of the endpoint computer, only the application name need be entered. For exampleftp.exe
You can use the
variable to define customized login parameters for native applications. To do this, enter the $$user
variable wherever you need to specify a user name.$$user
For example, you can use the
variable to return the user name as a part of the login string for Remote Desktop. In this example, $$user
(in the Parameters field) resolves to the login string $$user.example.com
for Ethan or ethan.example.com
for Richard.richard.example.com
To complete the configuration, add the Native application to a policy rule and install policy from SmartConsole.
If necessary, configure the VPN clients.
For unified Access Control policy, see Configuring Mobile Access in the Unified Policy.
For legacy policy, see Creating Mobile Access Rules in the Legacy Policy.
To configure an advanced Native Application:
SmartDashboard opens and shows the Mobile Access tab.
The Native Application window opens.
The Advanced window opens.
Note - A Client to Client Native Application does not require configuration of a destination address. |
The native application can reside on a range of hosts, which can be accessed by the native application clients. You can also specify more than one service that clients may use to communicate with the application.
Users of the native application can only access the specified locations using the specified services.
To define a native application with multiple hosts and services:
The Native Application - Advanced window opens.
The Native Application Hosts window opens.
To configure the Endpoint Application to run via a default browser:
The Endpoint Applications - Advanced window opens.
The Edit Endpoint Application window opens.
$$user
, which represents the user name of the currently logged-in user. To configure the Endpoint Application to start automatically:
The Endpoint Applications - Advanced window opens.
The Edit Endpoint Application window opens.
The Advanced window opens.
To make an application available in Application Mode:
The Endpoint Applications - Advanced window opens.
The Advanced window opens.
Note - If this option is NOT selected users who connect with Application Mode, do not see it in their list of applications. |
It is possible to configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode).
Note - The user must have the appropriate privileges on the endpoint machine to run the commands. |
One example of how automatically running a command can be useful is to mount or unmount a network drive. Giving users access to network drives is a convenient way of providing access to internal resources. A drive can be mapped by configuring an application that invokes the Windows
command.net use
Note - When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications. |
For configuration details, see How to Automatically Map and Unmap a Network Drive.
It is possible to extend this ability by defining a dynamic add-on Downloaded-from-Gateway application that runs a script (batch file) containing a sequence of commands to execute on the endpoint machine. This script can be launched manually when the user clicks a link, or it can launch automatically after connecting to or disconnecting from SSL Network Extender.
For configuration details, see How to Automatically Run a Script (Batch File).
A drive can be mapped by configuring an application that invokes the Windows
command.net use
Note - The |
To automatically map (mount) and unmap (unmount) a network drive, create a Native Application that automatically maps the network drive when SSL Network Extender is launched:
The Endpoint Applications - Advanced window opens.
The Edit Endpoint Application window opens.
net.exe
use drive_letter: \\server name\share name
net.exe
use /DELETE drive_letter:
It is possible to define a new Downloaded-from-Gateway Endpoint Application (embedded application) that runs a script (batch file) automatically after connecting to or disconnecting from SSL Network Extender.
To automatically run a script:
The Endpoint Applications - Advanced window opens.
The Edit Endpoint Application window opens.
You can define a protection level for each native application. Configure this in the Properties window of each native application in Additional Settings > Protection Level.
The options are:
To access the Protection Level page from the Mobile Access tab:
SmartDashboard opens and shows the Mobile Access tab.
The Protection Levels window opens, and shows the General Properties page.
To access the Protection Level page from a Mobile Access application:
The Protection Levels window opens, and shows the General Properties page.
To configure the settings for a Protection Level:
You can add Downloaded-from-Gateway applications to Mobile Access, in addition to the built-in applications. This section explains how, and gives detailed examples.
Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files).
Java applications have the following requirements:
Main
class.Single-executable applications have the following requirements:
To add a new Downloaded-from-Gateway application, first put the application in the relevant directory on the gateway. Then use GuiDBedit to set its properties (see sk13009).
To add a new downloaded-from-gateway endpoint application:
.cab
extension.To compress a file into a CAB file, you can use the Microsoft Cabinet Tool
(which can be downloaded from the Microsoft Web site). For example:cabarc.exe
|
.cab
file you created to the gateway machine at: $CVPNDIR/htdocs/SNX/CSHELL
The
table shows.embedded_applications
Field Name |
Description |
---|---|
|
The application name, which will appear in the drop-down list of downloaded-from-gateway applications in SmartDashboard, in the Edit Endpoint Application window. |
|
The type of downloaded-from-gateway application. Choose one of the options in the Valid Values list (java_applet, linux_executable mac_executable, windows_executable). |
|
The name of the file you placed in |
|
Indicate if the new downloaded-from-gateway application requires the server name to be configured in the Parameters field of the new downloaded-from-gateway application, in the SmartDashboard Edit Endpoint Application window. |
|
Parameters concatenated before the |
|
Parameters concatenated after the |
|
Leave as embedded_application. |
You can see and configure the new downloaded-from-gateway application in SmartDashboard, just as you do with the built-in downloaded-from-gateway applications. The downloaded-from-gateway applications appear in the Edit Network Application page of the Native Application object (Getting there: Native Application object > Endpoint applications page > Advanced: Edit > Add/Edit.
This example adds two applications to Mobile Access as new downloaded-from-Mobile Access applications:
ssh2.jar
ssh2.Main
Jssh2 Client
.WinSsh2.exe
Essh2 Client
.To add these applications:
ssh2.jar
and WinSsh2.exe
application files into ssh2.cab
and WinSsh2.cab
|
ssh2.jar
and WinSsh2.exe
to $CVPNDIR/htdocs/SNX/CSHELL
with the proper permissions.$CVPNDIR/htdocs/SNX/CSHELL
with the proper permissions.SSH2 Java Application
Field Name |
Value |
---|---|
|
Jssh2 Client |
|
java_applet |
|
ssh2.jar |
|
Empty |
|
ssh2.Main |
|
true |
|
embedded_application |
SSH2 Windows Executable
Field Name |
Value |
---|---|
|
Essh2 Client |
|
windows_executable |
|
WinSsh2.exe |
|
Empty |
|
Empty |
|
true |
|
embedded_application |
When you configure one of these new downloaded-from-Mobile Access applications (Jssh2 Client and Essh2 Client) in SmartDashboard, the Parameters field will be: 1.1.1.1 (the SSH2 server IP in this example).
This example demonstrates how to configure Mobile Access to work with Microsoft Remote Desktop, with a predefined profile. It also shows how to configure the profile per user group.
Repeat for every new Microsoft Remote Desktop Connection.
Create the RDP profile file (with an .rdp extension) using Microsoft Remote Desktop Connection, found at
.%SystemRoot%\system32\mstsc.exe
When creating the profile, you can define the address, the settings, applications that should run at log in, and more.
In this example, the profile file has the name of the relevant user group. For a user group called
, save a profile file called mygr1
.mygr1.rdp
For this example, run the command:cabarc.exe -m LZX:20 -s 6144 N mygr1.cab mygr1.rdp
This produces the output file mygr1.cab.
mygr1.rdp
and mygr1.cab
to the Mobile Access machine at $CVPNDIR/htdocs/SNX/CSHELL
.The embedded_applications table opens.
You can now see and configure the new downloaded-from-gateway application in SmartDashboard, just as for the built-in downloaded-from-gateway applications.
Configure the link to Microsoft Remote Desktop that will appear in the SSL Network Extender window. Define it as an Already Installed endpoint application.
The Endpoint Applications - Advanced window opens.
MS-RDP
(or any other name).%SystemRoot%\system32\mstsc.exe
%temp%\mygr1.rdp
In the same Native Application, add another endpoint application for the Remote Desktop Profile. Define it as a Downloaded from Mobile Access endpoint application, which is downloaded to the user desktop as soon as SSL Network Extender is launched.
The Edit Endpoint Application window opens.
GuiDBedit.exe
).The Advanced window opens
Assign the Native Application to the relevant user group.
In the Endpoint Applications page of the Native Application object:
The Endpoint Applications - Advanced window opens.
The Edit Endpoint Application window opens.
The
variable can be used here to dynamically change according to the login name of the currently logged in user.$$user
See the configuration sections below for details of the required parameters :
Note - In the configuration sections for certified and add-on applications, below:
is a compulsory parameter,parameter
is an optional parameter, [parameter]
indicates a required choice of one from many.|
Supported Platforms |
All |
Parameters field |
Server name or IP address. Default port is 23. |
Parameters usage |
|
Description |
Telnet terminal. Provides user oriented command line login sessions between hosts on the Internet. |
Home page |
http://javassh.org |
Supported Platforms |
All |
Parameters field |
Server name or IP address. |
Parameters usage |
|
Description |
Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22. |
Home page |
http://javassh.org |
Supported Platforms |
All. Requires Java 1.3.1 or higher. |
Parameters field |
Ignored |
Description |
IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal. |
Home page |
http://jagacy.com |
Supported Platforms |
All endpoint machines must have Java 1.4 or higher. |
Parameters field |
Optional. Can use the Configure button on the application instead. For the full list of options that can be used in the parameters field, see the Quick Start Guide http://tn5250j.sourceforge.net/quick.html. |
Parameters usage |
|
Description |
IBM 5250 terminal emulator that interprets and displays 5250 data streams. You will be presented with a Connections screen for defining sessions. Select the configure button to define sessions when the session selection window opens. On first invocation of the emulator there are some console warning messages. These inform you that defaults files are being set up for the first run. |
Home page |
http://tn5250j.sourceforge.net/index.html |
Quick Start Guide |
http://tn5250j.sourceforge.net/quick.html |
Supported Platforms |
All platforms. Endpoint machines must have Java 1.4 or higher. |
Parameters field |
Must contain the server name or its IP address. |
Parameters usage |
For example: -g 800x600 -l WARN RDP_Server. Options:
|
Description |
Downloaded-from-Mobile Access Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac. |
Home page |
http://properjavardp.sourceforge.net |
Supported Platforms |
Windows only |
Parameters field |
Optional. Leaving the Parameters field empty leads PuTTY Client to open in full graphical mode. |
Parameters usage |
|
Description |
An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator. |
Home page |
http://www.eos.ncsu.edu/remoteaccess/putty.html |
Supported Platforms |
All platforms. Endpoint machines must have Java 1.4 or higher. |
Parameters field |
Ignored |
Description |
Downloaded-from-Gateway Jabber Client is an instant messenger based on the Jabber protocol Runs on every computer with at least Java 1.4. |
Home page |
http://jeti.jabberstudio.org |
Supported Platforms |
All. endpoint machines must have Java 1.4 or higher. |
Parameters field |
Ignored |
Description |
Graphical Java network and file transfer client. Supports FTP using its own FTP API and various other protocols like SMB, SFTP, NFS, HTTP, and file I/O using third party APIs, includes many advanced features such as recursive directory up/download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more. |
Home page |
http://j-ftp.sourceforge.net |