Mobile Access and the Unified Access Policy

In This Section: Overview of Mobile Access in the Unified Policy Configuring Mobile Access in the Unified Policy Including Mobile Access in the Unified Policy Enabling Access Control Features on a Layer Best Practices for Mobile Access in the Unified Policy Mobile Access Behavior in the Rule Base Limitations for Mobile Access in the Unified Policy

Overview of Mobile Access in the Unified Policy

When you include Mobile Access in the Unified Policy, you configure all rules related to the Mobile Access portal, Capsule Workspace, and on-demand clients in the Access Control Policy.

In the Access Control Rule Base, you can configure rules that:

• Apply to all Mobile Access gateways, or some of them.
• Apply to one or more Mobile Access clients, such as the Mobile Access portal or Capsule Workspace.

Mobile Access features such as Protection Levels, Secure Workspace, and Endpoint Compliance also apply.

Note that when you use the Unified Access Policy, some Mobile Access features and settings are still configured in the SmartDashboard > Mobile Access tab.

Configuring Mobile Access in the Unified Policy

• You can include Mobile Access rules in Policy Layers and Inline Layers. You must enable Mobile Access on each Layer that contains rule with Mobile Access applications.

  See the R80.10 Next Generation Security Gateway Guide for more about layers.

• To make a Mobile Access application show in the Mobile Access portal or in Capsule Workspace, you must put the application in the Services & Applications column.
  • If you put Any in the Services & Applications column, the application does not show in the portal but it is allowed. You can open it from the Mobile Access portal if you manually enter the URL, but not from Capsule Workspace. You can change this behavior. See sk112576 for details.
  • If you put an application's service, such as HTTPS, in the Services & Applications column, it does not match Mobile Access https applications.
• In the Services & Applications column, you must use Mobile Access Application objects in rules to match Mobile Access traffic. You can define these applications in:
  • In SmartConsole: CustomApplications/Sites > Mobile Applications
  • In SmartDashboard > Mobile Access tab > define an application.

  Application objects defined for Application Control, for example, are not supported in Mobile Access rules.

• When you enable Mobile Access on a gateway, the gateway is automatically added to the RemoteAccess VPN Community. Include that Community in the VPN column of the rule or use Any to make the rule apply to Mobile Access gateways. If the gateway was removed from the VPN Community, the VPN column must contain Any.
• Use Access Roles as the Source or Destination for a rule to make the rule apply to specified users or networks. You can also use an Access Role to represent Mobile Access or other remote access clients.

  You must enable Identity Awareness on each gateway that is an installation target for rules with Access Roles.

Creating Mobile Access Rules in the Unified Access Control Policy

Create Mobile Access rules in the Access Control Policy with these requirements:

Column	Value	Explanation
No.	Make sure that the rule position is logical.	The order of rules in the Rule Base is important. The first rule that matches the traffic is enforced.
Name	All	We recommend that you use a descriptive name.
Source	Access Role	Create an Access Role that includes the Users, User Groups, or Mobile/Remote Access Client that the rule applies to. See Access Roles for Remote Access.
Destination	The internal server on which the Mobile Access application is set.	Mobile Access Applications are defined in the Services & Applications column.
VPN	Any or a Remote Access Community that includes the Mobile Access gateway	When you enable the Mobile Access or IPsec Software Blade on a gateway, the gateway is automatically added to the default RemoteAccess VPN Community. By default the community also contains a user group that contains all users. If you remove the gateway from the VPN Community, you must select Any.
Services & Applications	Mobile Applications Do not include applications or service objects that are not specified as Mobile Access.	To create a Mobile Application: Click > click > Mobile Applications > select an application type and define it. To select an existing Mobile Application: Click > *All > Mobile Applications and select one. Mobile Applications only show in the list if Mobile Access is enabled on the Layer
Content	Any	Content Awareness is not relevant for Mobile Access rules.
Action	Accept or Drop	Only Accept and Drop are supported. Reject is also supported but acts the same as Drop. You can also select Inline Layer to send all traffic that matches the rule to an Inline Layer under it.
Track	All log options	Right-click in the cell and select More > Extended log
Install On	One or more gateways	Each gateway must have Mobile Access and Identity Awareness enabled and have Unified Access Policy selected as the Policy Source.

Mobile Access Applications in the Unified Access Control policy

To use a Mobile Access application in the Unified Access Control Policy, you must define it as a Mobile Application from the SmartConsole or define it in the in SmartDashboard > Mobile Access tab.

Other application objects, such as URL Filtering applications, are not relevant for Mobile Access. For example: To authorize Facebook as a web application in Mobile Access, you must create a new Web Application and specify Facebook’s URL. You cannot use the URL Filtering Facebook application, because it is not for Mobile Access.

Creating Mobile Applications for the Access Control Policy

To create a Mobile Application object to use in the Access Control Policy:

1. In SmartConsole, expand the Objects pane.
2. Select New > More > Custom Application/Site >Mobile Application.
3. Select a type of Mobile Application.
4. Define the General Properties and Authorized Locations.
5. Optional: Define more settings for the Application.
6. Click OK.

Access Roles for Remote Access

For R80.x gateways, create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base. This applies to Mobile Access and IPsec clients. When an Access Role for a client is in the Source column of a rule, the rule applies to traffic that originates from that client.

You can also use an Access Role in the Destination column.

You must enable Identity Awareness on each gateway that is an installation target for rules with Access Roles.

Creating Access Roles for Remote Access and VPN Clients

To create an Access Role for a new Remote Access or VPN client:

1. Open a New Access Role window in one of these ways:
   • In the object tree, click New> More > User > Access Role.
   • From the Source column of the Access Control policy Rule Base: Click > click > select Access Role.
2. Enter a Name for the access role.
3. Optional: Enter a Comment or click the down arrow to select a Color for the object.
4. From the left pane, select Remote Access Clients.
5. Expand the Specific Client list and click New > Allowed client.
6. Click to select a client and enter an object name.
7. Click OK.
8. Optional: To make the Access Role include only specified users, select Users from the left pane and define the allowed users.
9. Click OK.

Including Mobile Access in the Unified Policy

After you configure rules for Mobile Access in the Unified Access Control Policy, configure the gateway to use the Unified Access Policy.

To make an R80.x Mobile Access gateway use the Unified Access Control Policy:

1. In SmartConsole, Gateways & Servers, open a Mobile Access gateway object.
2. From the tree, select Mobile Access.
3. In the Policy Source area, select Unified Access Policy.
4. Install policy.

Enabling Access Control Features on a Layer

To enable Mobile Access on an Ordered Layer:

1. In SmartConsole, click Security Policies.
2. Under Access Control, right-click Policy and select Edit Policy.
3. Click options for the Layer.
4. Click Edit Layer.

   The Layer Editor window opens and shows the General view.

5. Select Mobile Access.
6. Click OK.

To enable Mobile Access on an Inline Layer:

1. In SmartConsole, click Security Policies.
2. Select the Ordered Layer.
3. In the parent rule of the Inline Layer, right-click the Action column, and select Inline Layer > Edit Layer.
4. Select Mobile Access.
5. Click OK.

Best Practices for Mobile Access in the Unified Policy

When you include Mobile Access in the Unified Access Control Policy, these are some factors that you need to be aware of:

• How to use layers
• How the content of rules affects your policy
• How rule order can affect your policy

Best Practices with Layers

We recommend that you make an Inline Layer for Mobile Access rules, to easily manage the Mobile Access policy.

To use an Inline Layer effectively, define a parent rule in the main layer. The parent rule matches all Mobile Access traffic and sends the traffic to the Inline Layer. It requires an Access Role that includes all Mobile Access client types or traffic in the Source column.

When a rule contains Inline Layer in the Action column, an Inline Layer is automatically created below it and it becomes a parent rule.

No	Name	Source	Destination	VPN	Services & Applications	Action	Track
1	Network rules	My_network	R80.10_GW	Any	Any	Accept	Log
2	Mobile Access Inline Layer Entry Point	All Mobile Access traffic	Any	Any	Any	Mobile Access Inline Layer	Extended Log
2.1	Capsule Workspace rule	Capsule Workspace traffic	Any	Any	Business Mail Corporate Ordering	Accept	Extended Log
2.2	Special access rule	Managers	Any	Any	Internal App	Accept	Extended Log
2.3	Mobile Access Inline Layer Cleanup rule	Any	Any	Any	Any	Drop	Extended Log
3	Cleanup rule	Any	Any	Any	Any	Drop	Log

To make a rule that sends all Mobile Access traffic to a Mobile Access Inline Layer:

1. From the Source column of a rule in the Access Control Policy, create a new Access Role that includes all Mobile Access client types:
   1. In the New Access Role window, click Remote Access Clients.
   2. Select Specific Client and create a New > Allowed Client for all Mobile Access portals or clients that are used in your environment. These can include: Capsule Workspace, Mobile Access Portal, ActiveSync, and SSL Network Extender.
2. Make sure the VPN column contains Any or the RemoteAccess VPN Community that contains your Mobile Access gateways.
3. In the Action column, select Inline Layer > New Layer.
4. In the Layer Editor:
   • Enter a name for the layer, such as Mobile Access Inline Layer.
   • In the Blades area, select Mobile Access.
   • Optional: To use this Mobile Access Inline Layer in multiple policies, in the Sharing area, click Multiple policies and rules can use this layer.

To configure rules in the Inline Layer:

1. Click the Cleanup rule in the Inline Layer that was created automatically and the click the Add Rule Above icon.
2. Configure rules for the Mobile Access policy as required. See Creating Mobile Access Rules in the Unified Policy.
3. Make sure that the Cleanup rule stays at the end of the layer and that the Action is Drop.
4. Right-click in the Track cell and select More > Extended log.

Mobile Access with Ordered Layers

If you work with Ordered Layers, you can configure a Mobile Access Inline Layer in any Ordered Layer.

Make sure to create a bypass rule for Mobile Access traffic in all layers that come before the Mobile Access layer. For example, if your Mobile Access Inline Layer is in the third layer, you must create a bypass rule in the first and second Ordered Layers.

The bypass rule matches the Mobile Access traffic in the layer and allows the traffic. The traffic then moves to the next layer, until it gets to the Mobile Access Inline Layer.

To create a bypass rule, use the Access Role for all Mobile Access users in the Source column and Accept in the Action column.

Best Practices for Rules

• Do not use a gateway as the Destination in a Mobile Access rule. The rules authorize a user's access to an internal resource. Use Any or the internal hosts of relevant applications in the Destination column.
• Do not use Any in the Services & Applications column. To make an application show in the Mobile Access portal or Capsule Workspace, it must be Mobile Access application object that is used explicitly in the Rule Base.

  If you do use Any to represent all Mobile Access applications, configured Mobile Access applications are authorized, but they do not show in the portal or Capsule Workspace. Users can enter the URL of the App in the Address field of the Mobile Access portal.

  To change the behavior when Any is used to represent Mobile Access applications, see sk112576.

Best Practices for Rule Order

In the Unified Access Control Policy, put Mobile Access rules that authorize applications above rules that contain a related service. For example, put a rule to allow a web application above a rule that allows or blocks HTTP/HTTPS. If the HTTP/HTTPS rule is first, the user will not see the Mobile Access Web application in the portal or in Capsule Workspace and will not be able to access it.

For example, this Rule Base allows Outlook Web Access (OWA), a web-based Mobile Access application. It also allows HTTPS traffic:

Correct way to allow the HTTPS service and also Mobile Access HTTPS applications:

No	Name	Source	Destination	Services & Applications	Action	Track
1	Network rule	My_network	GW_1	Any	Accept	Log
2	Mobile Access Inline Layer	All Mobile Access traffic	Any	Any	Mobile Access Inline Layer	Log
2.1	Mobile Access applications	All Mobile Access traffic	Any	Internal App OWA Business Mail	Accept	Log
2.2	Cleanup rule	Any	Any	Any	Drop	Log
3	Allow HTTPS	Any	Any	https	Accept	Log
4	Cleanup rule	Any	Any	Any	Drop	None

Rule 2.1, that allows access to Mobile Access applications, including Outlook Web Access (OWA) on HTTPS, is above rule 3, which allows all HTTPS traffic.

If you put rule 3 to allow HTTPS above the Mobile Access rules, the user will not see the OWA Web application in the portal or in Capsule Workspace and will not be able to access it. To authorize a Mobile Access application, you must use a Mobile Access application in the Services & Applications column.

You can use HTTPS in the parent rule of the Mobile Access Inline Layer, but specify the Mobile Access application inside the Inline Layer. That way, the HTTPS traffic for OWA, for example, will match on the HTTPS rule, and will also match on the OWA App inside the Inline Layer.

Native Applications

In this scenario with a Native application:

• The Native application is in an Inline Layer in the rule base.
• And the Native application configuration includes Any in the Authorized Locations tab.

Then the parent rule of the Inline Layer must include one of these in the Services & Applications column:

• Any service
• HTTPS service
• The Native Application

Mobile Access Behavior in the Rule Base

• In a policy with Policy Layers, for the traffic to be approved, it needs to be accepted in all layers. It is only authorized when accepted in the last layer. The policy keeps going to the next layer until the Mobile Access traffic is matched with a Drop rule or it is accepted in all layers.
• In Inline Layers, like in multi-layered policies: Mobile Access is matched on the Inline Layer parent rule and then on the inner rule inside the Inline Layer. The matched application for Mobile Access is taken from the last rule matched with a Mobile Access application. If the matched rule inside the Inline Layer has no Mobile Access application, the policy looks for a Mobile Access application in the parent rule of the Inline Layer.

Limitations for Mobile Access in the Unified Policy

• Mobile Access cannot work with Content Awareness or URL Filtering. Do not use Content Awareness or URL Filtering objects in rules with Mobile Access.
• These limitation apply for Access Roles in Mobile Access rules in the Unified Access Policy:
  • In the Source column - Access Roles can include Networks, Users, and Remote Access Clients.
  • In the Destination column - Access Roles can include Networks and Users.
• The Native Applications Connect button always shows in the Mobile Access portal when SSL Network Extender is enabled.
• If users do not meet the defined Protection Level requirements for an application, the application does not show for them. This is true in the Mobile Access portal and Capsule Workspace. (In the Legacy Mobile Access policy, the applications show but are disabled).
• If the Mobile Access gateway was removed from the RemoteAccess VPN Community, the VPN column must contain Any.