
Mobile Access and the Unified Access Policy

In This Section:

Overview of Mobile Access in the Unified Policy

Configuring Mobile Access in the Unified Policy

Including Mobile Access in the Unified Policy

Enabling Access Control Features on a Layer

Best Practices for Mobile Access in the Unified Policy

Mobile Access Behavior in the Rule Base

Limitations for Mobile Access in the Unified Policy

Overview of Mobile Access in the Unified Policy

When you include Mobile Access in the Unified Policy, you configure all rules related to the Mobile Access portal, Capsule Workspace, and on-demand clients in the Access Control Policy.

In the Access Control Rule Base, you can configure rules that:

Mobile Access features such as Protection Levels, Secure Workspace, and Endpoint Compliance also apply.

Note that when you use the Unified Access Policy, some Mobile Access features and settings are still configured in the SmartDashboard > Mobile Access tab.

Configuring Mobile Access in the Unified Policy

Creating Mobile Access Rules in the Unified Access Control Policy

Create Mobile Access rules in the Access Control Policy with these requirements:

Column: No.
Value: Make sure that the rule position is logical.
Explanation: The order of rules in the Rule Base is important. The first rule that matches the traffic is enforced.

Column: Name
Value: All
Explanation: We recommend that you use a descriptive name.

Column: Source
Value: Access Role
Explanation: Create an Access Role that includes the Users, User Groups, or Mobile/Remote Access Client that the rule applies to. See Access Roles for Remote Access.

Column: Destination
Value: The internal server on which the Mobile Access application is set.
Explanation: Mobile Access Applications are defined in the Services & Applications column.

Column: VPN
Value: Any or a Remote Access Community that includes the Mobile Access gateway
Explanation: When you enable the Mobile Access or IPsec Software Blade on a gateway, the gateway is automatically added to the default RemoteAccess VPN Community. By default the community also contains a user group that contains all users. If you remove the gateway from the VPN Community, you must select Any.

Column: Services & Applications
Value: Mobile Applications
Explanation: Do not include applications or service objects that are not specified as Mobile Access.
To create a Mobile Application: Click > click > Mobile Applications > select an application type and define it.
To select an existing Mobile Application: Click > *All > Mobile Applications and select one.
Mobile Applications only show in the list if Mobile Access is enabled on the Layer.

Column: Content
Value: Any
Explanation: Content Awareness is not relevant for Mobile Access rules.

Column: Action
Value: Accept or Drop
Explanation: Only Accept and Drop are supported. Reject is also supported but acts the same as Drop. You can also select Inline Layer to send all traffic that matches the rule to an Inline Layer under it.

Column: Track
Value: All log options
Explanation: Right-click in the cell and select More > Extended log.

Column: Install On
Value: One or more gateways
Explanation: Each gateway must have Mobile Access and Identity Awareness enabled and have Unified Access Policy selected as the Policy Source.

Mobile Access Applications in the Unified Access Control policy

To use a Mobile Access application in the Unified Access Control Policy, you must define it as a Mobile Application from SmartConsole, or define it in the SmartDashboard > Mobile Access tab.

Other application objects, such as URL Filtering applications, are not relevant for Mobile Access. For example: To authorize Facebook as a web application in Mobile Access, you must create a new Web Application and specify Facebook’s URL. You cannot use the URL Filtering Facebook application, because it is not for Mobile Access.

Creating Mobile Applications for the Access Control Policy

To create a Mobile Application object to use in the Access Control Policy:

  1. In SmartConsole, expand the Objects pane.
  2. Select New > More > Custom Application/Site > Mobile Application.
  3. Select a type of Mobile Application.
  4. Define the General Properties and Authorized Locations.
  5. Optional: Define more settings for the Application.
  6. Click OK.

Access Roles for Remote Access

For R80.x gateways, create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base. This applies to Mobile Access and IPsec clients. When an Access Role for a client is in the Source column of a rule, the rule applies to traffic that originates from that client.

You can also use an Access Role in the Destination column.

You must enable Identity Awareness on each gateway that is an installation target for rules with Access Roles.

Creating Access Roles for Remote Access and VPN Clients

To create an Access Role for a new Remote Access or VPN client:

  1. Open a New Access Role window in one of these ways:
    • In the object tree, click New > More > User > Access Role.
    • From the Source column of the Access Control policy Rule Base: Click > click > select Access Role.
  2. Enter a Name for the access role.
  3. Optional: Enter a Comment or click the down arrow to select a Color for the object.
  4. From the left pane, select Remote Access Clients.
  5. Expand the Specific Client list and click New > Allowed client.
  6. Click to select a client and enter an object name.
  7. Click OK.
  8. Optional: To make the Access Role include only specified users, select Users from the left pane and define the allowed users.
  9. Click OK.

Including Mobile Access in the Unified Policy

After you configure rules for Mobile Access in the Unified Access Control Policy, configure the gateway to use the Unified Access Policy.

To make an R80.x Mobile Access gateway use the Unified Access Control Policy:

  1. In SmartConsole, Gateways & Servers, open a Mobile Access gateway object.
  2. From the tree, select Mobile Access.
  3. In the Policy Source area, select Unified Access Policy.
  4. Install policy.

Enabling Access Control Features on a Layer

To enable Mobile Access on an Ordered Layer:

  1. In SmartConsole, click Security Policies.
  2. Under Access Control, right-click Policy and select Edit Policy.
  3. Click options for the Layer.
  4. Click Edit Layer.

    The Layer Editor window opens and shows the General view.

  5. Select Mobile Access.
  6. Click OK.

To enable Mobile Access on an Inline Layer:

  1. In SmartConsole, click Security Policies.
  2. Select the Ordered Layer.
  3. In the parent rule of the Inline Layer, right-click the Action column, and select Inline Layer > Edit Layer.
  4. Select Mobile Access.
  5. Click OK.

Best Practices for Mobile Access in the Unified Policy

When you include Mobile Access in the Unified Access Control Policy, these are some factors that you need to be aware of:

Best Practices with Layers

We recommend that you make an Inline Layer for Mobile Access rules, to easily manage the Mobile Access policy.

To use an Inline Layer effectively, define a parent rule in the main layer. The parent rule matches all Mobile Access traffic and sends the traffic to the Inline Layer. It requires an Access Role that includes all Mobile Access client types or traffic in the Source column.

When a rule contains Inline Layer in the Action column, an Inline Layer is automatically created below it and it becomes a parent rule.

No  | Name                                    | Source                    | Destination | VPN | Services & Applications            | Action                     | Track
----|-----------------------------------------|---------------------------|-------------|-----|------------------------------------|----------------------------|-------------
1   | Network rules                           | My_network                | R80.10_GW   | Any | Any                                | Accept                     | Log
2   | Mobile Access Inline Layer Entry Point  | All Mobile Access traffic | Any         | Any | Any                                | Mobile Access Inline Layer | Extended Log
2.1 | Capsule Workspace rule                  | Capsule Workspace traffic | Any         | Any | Business Mail, Corporate, Ordering | Accept                     | Extended Log
2.2 | Special access rule                     | Managers                  | Any         | Any | Internal App                       | Accept                     | Extended Log
2.3 | Mobile Access Inline Layer Cleanup rule | Any                       | Any         | Any | Any                                | Drop                       | Extended Log
3   | Cleanup rule                            | Any                       | Any         | Any | Any                                | Drop                       | Log

To make a rule that sends all Mobile Access traffic to a Mobile Access Inline Layer:

  1. From the Source column of a rule in the Access Control Policy, create a new Access Role that includes all Mobile Access client types:
    1. In the New Access Role window, click Remote Access Clients.
    2. Select Specific Client and create a New > Allowed Client for all Mobile Access portals or clients that are used in your environment. These can include: Capsule Workspace, Mobile Access Portal, ActiveSync, and SSL Network Extender.
  2. Make sure the VPN column contains Any or the RemoteAccess VPN Community that contains your Mobile Access gateways.
  3. In the Action column, select Inline Layer > New Layer.
  4. In the Layer Editor:
    • Enter a name for the layer, such as Mobile Access Inline Layer.
    • In the Blades area, select Mobile Access.
    • Optional: To use this Mobile Access Inline Layer in multiple policies, in the Sharing area, click Multiple policies and rules can use this layer.

To configure rules in the Inline Layer:

  1. Click the Cleanup rule in the Inline Layer that was created automatically, and then click the Add Rule Above icon.
  2. Configure rules for the Mobile Access policy as required. See Creating Mobile Access Rules in the Unified Policy.
  3. Make sure that the Cleanup rule stays at the end of the layer and that the Action is Drop.
  4. Right-click in the Track cell and select More > Extended log.

Mobile Access with Ordered Layers

If you work with Ordered Layers, you can configure a Mobile Access Inline Layer in any Ordered Layer.

Make sure to create a bypass rule for Mobile Access traffic in all layers that come before the Mobile Access layer. For example, if your Mobile Access Inline Layer is in the third layer, you must create a bypass rule in the first and second Ordered Layers.

The bypass rule matches the Mobile Access traffic in the layer and allows the traffic. The traffic then moves to the next layer, until it gets to the Mobile Access Inline Layer.

To create a bypass rule, use the Access Role for all Mobile Access users in the Source column and Accept in the Action column.

Best Practices for Rules

Best Practices for Rule Order

In the Unified Access Control Policy, put Mobile Access rules that authorize applications above rules that contain a related service. For example, put a rule to allow a web application above a rule that allows or blocks HTTP/HTTPS. If the HTTP/HTTPS rule is first, the user will not see the Mobile Access Web application in the portal or in Capsule Workspace and will not be able to access it.

For example, this Rule Base allows Outlook Web Access (OWA), a web-based Mobile Access application, and also allows HTTPS traffic. This is the correct way to allow the HTTPS service and also Mobile Access HTTPS applications:

No  | Name                       | Source                    | Destination | Services & Applications          | Action                     | Track
----|----------------------------|---------------------------|-------------|----------------------------------|----------------------------|------
1   | Network rule               | My_network                | GW_1        | Any                              | Accept                     | Log
2   | Mobile Access Inline Layer | All Mobile Access traffic | Any         | Any                              | Mobile Access Inline Layer | Log
2.1 | Mobile Access applications | All Mobile Access traffic | Any         | Internal App, OWA, Business Mail | Accept                     | Log
2.2 | Cleanup rule               | Any                       | Any         | Any                              | Drop                       | Log
3   | Allow HTTPS                | Any                       | Any         | https                            | Accept                     | Log
4   | Cleanup rule               | Any                       | Any         | Any                              | Drop                       | None

Rule 2.1, which allows access to Mobile Access applications, including Outlook Web Access (OWA) on HTTPS, is above rule 3, which allows all HTTPS traffic.

If you put rule 3 to allow HTTPS above the Mobile Access rules, the user will not see the OWA Web application in the portal or in Capsule Workspace and will not be able to access it. To authorize a Mobile Access application, you must use a Mobile Access application in the Services & Applications column.

You can use HTTPS in the parent rule of the Mobile Access Inline Layer, but specify the Mobile Access application inside the Inline Layer. That way, the HTTPS traffic for OWA, for example, will match on the HTTPS rule, and will also match on the OWA App inside the Inline Layer.
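The rule-order point above, as an added Python model that is not part of this documentation and is not Check Point code: first-match evaluation with an Inline Layer, run on a constructed OWA connection, shows that with Allow HTTPS placed above the Mobile Access Inline Layer the traffic is accepted by the generic HTTPS rule and no Mobile Application is ever authorized. Rule, Access Role and application names are taken from the table; the matching model (Source and Services & Applications only) is a simplification.

```python
from dataclasses import dataclass, field

# Constructed model of first-match Rule Base evaluation with an Inline Layer,
# written to illustrate the rule-order point above; it is not Check Point code.
MOBILE_APPS = {"OWA", "Internal App", "Business Mail"}  # Mobile Application objects

@dataclass
class Conn:
    roles: frozenset  # Access Roles the user/client matches (Source column)
    apps: frozenset   # services and Mobile Applications the traffic can match

@dataclass
class Rule:
    name: str
    source: str       # Access Role name or "Any"
    apps: frozenset   # Services & Applications column
    action: str       # "Accept", "Drop" or "Inline Layer"
    inline: list = field(default_factory=list)  # sub-rules when action is Inline Layer

    def matches(self, c):
        src_ok = self.source == "Any" or self.source in c.roles
        app_ok = "Any" in self.apps or bool(self.apps & c.apps)
        return src_ok and app_ok

def first_match(rules, c):
    """Return (action, rule name, Mobile Application authorized) for the first rule
    that matches; a rule whose Action is Inline Layer descends into its sub-rules."""
    for r in rules:
        if not r.matches(c):
            continue
        if r.action == "Inline Layer":
            return first_match(r.inline, c)
        authorized = r.apps & MOBILE_APPS & c.apps  # only a Mobile Application authorizes the app
        return r.action, r.name, next(iter(authorized), None)
    return "Drop", "implicit cleanup", None

def build_policy(https_first):
    """Rules 2, 2.1, 2.2, 3 and 4 of the table above, in the correct or the wrong order."""
    inline = [Rule("Mobile Access applications", "All Mobile Access traffic",
                   frozenset(MOBILE_APPS), "Accept"),
              Rule("Cleanup rule", "Any", frozenset({"Any"}), "Drop")]
    mobile = Rule("Mobile Access Inline Layer", "All Mobile Access traffic",
                  frozenset({"Any"}), "Inline Layer", inline)
    https = Rule("Allow HTTPS", "Any", frozenset({"https"}), "Accept")
    cleanup = Rule("Cleanup rule", "Any", frozenset({"Any"}), "Drop")
    return [https, mobile, cleanup] if https_first else [mobile, https, cleanup]

# Constructed OWA connection from a Mobile Access client: it is HTTPS and it is the OWA app.
OWA_CONN = Conn(frozenset({"All Mobile Access traffic"}), frozenset({"https", "OWA"}))
```

`first_match(build_policy(False), OWA_CONN)` returns `('Accept', 'Mobile Access applications', 'OWA')`, while `first_match(build_policy(True), OWA_CONN)` returns `('Accept', 'Allow HTTPS', None)`: the connection is accepted, but the OWA application is never authorized, which is why it does not appear in the portal or in Capsule Workspace.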

Native Applications

In this scenario with a Native application:

Then the parent rule of the Inline Layer must include one of these in the Services & Applications column:

Mobile Access Behavior in the Rule Base

Limitations for Mobile Access in the Unified Policy