
The Mobile Access Portal

In This Section:

Security Gateway Portals

Portal Settings

User Workflow for Mobile Access Portal

Security Gateway Portals

The Security Gateway runs different web-based portals over HTTPS:

All of these portals are served over HTTPS on port 443, and their hostnames can resolve to IPv4 or IPv6 addresses.

These portals (and HTTPS Inspection) support the current versions of the TLS protocol. In addition to SSLv3 and TLS 1.0 (RFC 2246), the Security Gateway supports:

  • TLS 1.1 (RFC 4346)
  • TLS 1.2 (RFC 5246)

Support for TLS 1.1 and TLS 1.2 is enabled by default. It can be disabled in SmartDashboard (for the web-based portals) or with the GuiDBedit Tool (for HTTPS Inspection; see sk13009).

To configure TLS protocol support for portals:

  1. In SmartDashboard, open Global Properties > SmartDashboard Customization.
  2. In the Advanced Configuration section, click Configure.

    The Advanced Configuration window opens.

  3. On the Portal Properties page, set minimum and maximum versions for SSL and TLS protocols.

To configure TLS protocol support for HTTPS Inspection:

  1. In GuiDBedit Tool, on the Tables tab, select Other > ssl_inspection.
  2. In the Objects column, select general_confs_obj.
  3. In the Fields column, set the minimum and maximum TLS versions in these fields:
    • ssl_max_ver (default = TLS 1.2)
    • ssl_min_ver (default = SSLv3)

Note - With the default ssl_min_ver, HTTPS Inspection still accepts SSLv3 and TLS 1.0 sessions. Both protocols are deprecated (RFC 7568 for SSLv3, RFC 8996 for TLS 1.0 and 1.1). Set the minimum, for HTTPS Inspection and for the portals, to TLS 1.2 unless you have legacy clients that cannot negotiate it, and verify the result from outside the gateway after you install policy.
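The two procedures above set version limits in the GUI but give no way to confirm what the gateway actually negotiates. The following probe is an added example written for this page, not Check Point code: it sends a raw ClientHello for each of SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2 to the portal and classifies the first record that comes back (ServerHello with the requested version, ServerHello with a different version, a protocol_version or other alert, or a dropped connection). It uses only the Python standard library, so it does not depend on which protocols the local OpenSSL still allows. The hostname vpn.example.com in the usage line is hypothetical, and the cipher-suite list is an assumption chosen so that every probed version has suites the server could pick. TLS 1.3 is negotiated through the supported_versions extension and is outside the scope of this probe.

```python
import os
import socket
import struct
import sys

# Protocol versions as the (major, minor) pair used in the record and handshake layers.
VERSIONS = {"SSLv3": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# Assumed cipher-suite list: GCM suites exist only in TLS 1.2, the CBC/RC4 suites
# also exist in SSLv3/TLS 1.0, so each probed version has something the server
# could choose. A server simply ignores suites it does not support.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC02B, 0xC02C, 0x009C, 0x009D,
                 0xC013, 0xC014, 0x002F, 0x0035, 0x000A, 0x0005]

# Alert descriptions worth naming when a version is refused.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, server_name=None, client_random=None):
    """Return one TLS record carrying a ClientHello that offers exactly `version`."""
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = bytes([major, minor])                        # client_version
    body += client_random or os.urandom(32)             # random (fixed only for tests)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", len(suites)) + suites     # cipher_suites
    body += b"\x01\x00"                                 # one compression method: null
    # SSLv3 predates extensions, so SNI is only added for TLS 1.0 and later.
    if server_name and version >= (3, 1):
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(requested, data):
    """Map the first record the server sent back to a probe result string."""
    if len(data) < 5:
        return "closed"                                  # no record at all: connection dropped
    ctype = data[0]
    if ctype == 0x15 and len(data) >= 7:                 # Alert record: level at 5, description at 6
        desc = data[6]
        return "alert:" + ALERT_NAMES.get(desc, str(desc))
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake record, ServerHello
        chosen = (data[9], data[10])                     # server_version follows the 4-byte handshake header
        if chosen == requested:
            return "accepted"
        return "negotiated:" + VERSION_NAMES.get(chosen, "%d.%d" % chosen)
    return "unexpected"


def _read_record(sock):
    """Read one complete TLS record, or whatever arrived before the peer closed."""
    buf = b""
    while len(buf) < 5:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    need = 5 + struct.unpack("!H", buf[3:5])[0]
    while len(buf) < need:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=443, server_name=None, timeout=5.0):
    """Send one ClientHello per version and return {version_name: result}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version, server_name or host))
                data = _read_record(sock)
        except (socket.timeout, ConnectionError):
            data = b""
        results[name] = classify_response(version, data)
    return results


if __name__ == "__main__":
    # Usage: python tls_probe.py vpn.example.com [port]   (hostname is hypothetical)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for proto, outcome in probe(target, target_port).items():
        print("%-7s %s" % (proto, outcome))
```

After setting the portal minimum to TLS 1.2, the expected output is "accepted" for TLS1.2 and an alert, a "closed" result or a "negotiated:" line for everything below it. When you connect to the gateway by IP address, pass server_name= with the portal's FQDN so the SNI extension carries a hostname rather than an IP literal.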

Portal Settings

Each Mobile Access-enabled Security Gateway leads to its own Mobile Access user portal. Remote users log in to the portal using an authentication scheme configured for that Security Gateway.

Portal URL

Remote users access the portal from a Web browser with https://<Gateway_IP>/sslvpn, where <Gateway_IP> is one of these:

Remote users that use HTTP are automatically redirected to the portal using HTTPS.

Note - If Hostname Translation is the link translation method, the portal URL must be an FQDN, not an IP address.

Set up the URL for the first time in the Mobile Access First Time Wizard.

To change the Mobile Access portal URL:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Settings.
  3. Change the Main URL.
  4. Optional: Click the Aliases button to add URL aliases that redirect to the main portal URL. For example, portal.example.com can send users to the portal. For an alias to work, it must resolve in DNS to the same address as the main URL. If users open an alias over HTTPS, the portal certificate must also cover that name; otherwise the browser shows a certificate warning before the redirect takes place.
  5. Install policy.

Portal Certificate

If you do not import a certificate, the portal uses a certificate that Check Point generates automatically and that is issued by the Internal CA of the gateway's Security Management Server. Browsers do not trust this CA, so users see certificate warnings until they install that CA or you import a certificate from a CA the browsers trust. Training users to click through such warnings defeats the purpose of TLS, so import a trusted certificate before rolling the portal out. All portals on the same IP address use the same certificate.

To import a certificate for the portal:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Settings.
  3. Click Import to import a PKCS#12 (.p12) file containing the certificate and its private key for the portal website to use.
  4. Click OK.
  5. Install policy.

Portal Accessibility Settings

Configure from where users access the Mobile Access portal. The options are based on the topology configured for the gateway.

To configure the accessibility settings for the portal:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Settings.
  3. In the Accessibility area, click Edit and select one of these options:
    • Through all interfaces
    • Through internal interfaces
    • Including undefined internal interfaces
    • Including DMZ internal interfaces
    • Including VPN encrypted interfaces
    • According to the Firewall policy - Select this if there is a rule that states who can access the portal.
  4. Install policy.

Portal Customization

To customize the Mobile Access end user portal:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Customization.

    The Portal Customization page opens.

  3. Configure the following settings.
  4. Publish the changes and install the policy.

Localization Features

Mobile Access localizes the user interface of the Mobile Access user portal and the Secure Workspace to multiple languages.

The Mobile Access user portal and the Secure Workspace can be configured by gateway in the Portal Settings > Portal Customization page to use these languages:

Auto Detection of User Language Preferences

Automatic language detection is an optional feature that gives priority to the language settings in the user’s browser over the language chosen by the administrator.

Automatic language detection is activated by configuring the CVPN_PORTAL_LANGUAGE_AUTO_DETECT flag in the Main.virtualhost.conf file on Mobile Access.

By default, the language preference in the user's browser is not detected automatically. If automatic detection is configured, the portal uses the first language supported by Mobile Access that appears in the language preference list of the user's browser (the browser sends this list in the Accept-Language header). If no supported language is found in that list, the language set by the administrator in SmartDashboard is used.

To activate automatic language detection, perform the following steps on the Mobile Access gateway (on every member, for a cluster):

  1. Open an SSH connection to Mobile Access, or connect to it via a console.
  2. Log in to Mobile Access using your administrator user name and password.
  3. Change to Expert mode by typing expert and supplying the password.
  4. Edit the $CVPNDIR/conf/includes/Main.virtualhost.conf file, and change the following line from:

    SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 0

    to:

    SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 1

  5. Run the command: cvpnrestart.

Language Selection by End Users

Any explicit language selection by the user in any of the portal pages overrides both the administrator’s default language setting, and the automatic language detection.

Users can select a language in the user portal sign-in page, in the Change Language To field.

Alternative Portal Configuration

Note - There should be a Mobile Access policy rule that includes the alternative portal as a Web application and allows its intended users to access it.

To specify an alternative user portal:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Portal Settings > Alternative Portal.
  3. Click Add.

    The Mobile Access Sign-In Home Page window opens.

  4. In the User Groups tab, specify user groups that may access the alternative user portal.
  5. In the Install On tab, specify the Mobile Access gateways and gateway clusters that host the alternative portal.
  6. In the Sign-In Home Page tab, choose an alternative portal for users, in place of the Mobile Access user portal that users reach by default. URL is the location of the alternative user portal for the user group(s) specified in the User Groups tab.

    When a user belongs to more than one group, the table in the Alternative Portal page acts as an ordered rule base. Users are directed to the alternative portal of the first group that they are part of.

  7. Click OK.
  8. Click Save and then close SmartDashboard.
  9. From SmartConsole, install policy.

User Workflow for Mobile Access Portal

The user workflow includes these steps:

  1. Sign in and select the portal language.
  2. On first-time use, if you will use SSL Network Extender to access native applications, install ActiveX and Java Components.
  3. Initial setup.
  4. Access applications.

Signing In

In a browser, the user types in the URL assigned by the system administrator for the Mobile Access gateway.

Best Practice - Some popup blockers can interfere with aspects of portal functionality. Tell users to configure popup blockers to allow pop-ups from Mobile Access.

If the Administrator configured Secure Workspace to be optional, users can choose to select it on the sign in page.

Users enter their authentication credentials and click Sign In. Mobile Access validates the credentials of remote users before it gives access to applications on the LAN, authenticating them against its own internal database, LDAP, RADIUS or RSA ACE/Server. After the remote users are authenticated and associated with Mobile Access groups, they are given access to corporate applications.

Note - If the Endpoint Compliance Scanner is enabled, users' computers might be scanned before they can reach the Mobile Access Sign In page. This is meant to reduce the risk that credentials are captured by third-party malicious software on the endpoint.

First Time Installation of ActiveX and Java Components

Some Mobile Access components, such as the Endpoint Compliance Scanner, Secure Workspace and SSL Network Extender, require either an ActiveX component (on Windows machines with Internet Explorer) or a Java component to be installed on the endpoint machine.

When one of these components is used for the first time on a Windows endpoint with Internet Explorer, Mobile Access tries to install it with ActiveX. Internet Explorer may block the ActiveX installation because the user lacks Power User privileges, or it may display a yellow bar at the top of the page asking the user to explicitly allow the installation. The user is then instructed to click the yellow bar or, if that fails, to follow a dedicated link that installs the required component with Java instead.

After the first of these components is installed, the other components are installed in the same way. For example, if the Endpoint Compliance Scanner was installed with Java on Internet Explorer, Secure Workspace and SSL Network Extender are also installed with Java.

For general information about the Mobile Access Portal and Java compatibility see sk113410. Note that current browsers (Chrome, Firefox, Microsoft Edge) run neither ActiveX controls nor Java browser plug-ins, so these components are only relevant for Internet Explorer.

Note - To install using ActiveX after a component was installed using Java, delete the browser cookies.

Initial Setup

The user may be required to configure certain settings, such as application credentials. In addition, the user can define additional favorites for commonly used applications.

Accessing Applications

After remote users have logged in to the Mobile Access gateway, they are presented with a portal. The user portal gives access to the internal applications that the administrator has configured as available from outside the organization and that the user is authorized to use.