The Mobile Access Software Blade is fully integrated with the other Software Blades. Any Security Gateway running on SecurePlatform or Gaia with the Firewall blade enabled can also have the Mobile Access blade enabled.
Most Network objects, Resources, and Users created in SmartDashboard also apply to Mobile Access and can be used when configuring Access to Applications. Similarly, any Network objects, Users and User Groups that you create or modify in Mobile Access appear in the SmartDashboard navigation tree and are usable in all of the SmartDashboard applications.
When you enable Mobile Access on a Security Gateway, certain IPS Web Intelligence protections are activated. The settings of these protections are taken from a local file and are not connected to the IPS profile assigned to the gateway. These protections apply only to Mobile Access traffic, and they stay active even if the IPS blade is not enabled on the Security Gateway.
You should only disable the Mobile Access Web Intelligence protections for advanced troubleshooting.
Important - We do not recommend that you deactivate these protections, because the Security Gateway is exposed to potential security risks while they are off.
To disable the local Web Intelligence protections:
1. Back up the $CVPNDIR/conf/httpd.conf configuration file.
2. Edit $CVPNDIR/conf/httpd.conf by deleting or commenting out this line:
LoadModule wi_module /opt/CPcvpn-<current version>/lib/libModWI.so
Where <current version> is the Check Point version installed. For example, R77.20.
3. The change takes effect when the Mobile Access services are restarted: cvpnstop, cvpnstart.
We recommend using the local IPS Web Intelligence protections that are automatically configured and activated when you enable the Mobile Access blade. If you want to use the IPS profile that you assign to the Security Gateway instead of the local file, make sure that the protections listed in the table below are active in that profile, so that your Security Gateway stays secure.
To change to a Security Gateway IPS profile configuration for Mobile Access instead of the local configuration:
1. On the Mobile Access Security Gateway, open the $CVPNDIR/conf/cvpnd.C configuration file.
2. Set the use_ws_local_configuration flag to false.
3. Restart the Mobile Access services: cvpnstop, cvpnstart.
Note - If IPS is disabled, Mobile Access uses the local IPS configuration to ensure that the Security Gateway is protected. This is true regardless of the use_ws_local_configuration flag setting.
To switch back to the local, automatic IPS settings for Mobile Access:
1. In $CVPNDIR/conf/cvpnd.C, set the use_ws_local_configuration flag back to true.
2. Restart the Mobile Access services: cvpnstop, cvpnstart.
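The two procedures above (commenting out the wi_module line in httpd.conf, and toggling use_ws_local_configuration in cvpnd.C) as a small shell script that audits the effective state of the Web Intelligence protections on a gateway and applies either change with a backup. This is an added example, not code from the Check Point guide. It assumes cvpnd.C stores the flag as `:use_ws_local_configuration (true)` (the guide names the flag but does not show the line syntax), and it runs against constructed copies of the two files so it can be tried offline; on a gateway you would point it at $CVPNDIR/conf/httpd.conf and $CVPNDIR/conf/cvpnd.C.

```shell
#!/bin/sh
# Added example, not from the Check Point guide. Audits and toggles the two
# Mobile Access settings described above. On a gateway the real files are
# $CVPNDIR/conf/httpd.conf and $CVPNDIR/conf/cvpnd.C; every function takes a
# path so the script can be exercised offline on constructed copies.
# ASSUMPTION: cvpnd.C stores the flag as ":use_ws_local_configuration (true)".
# The guide names the flag but does not show the line syntax.

# Succeeds when the Web Intelligence module line is present and not commented out.
wi_module_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+wi_module[[:space:]]' "$1"
}

# Prints the value of use_ws_local_configuration (true/false), or "unset".
ws_local_config() {
    v=$(sed -n 's/.*use_ws_local_configuration[[:space:]]*(\([A-Za-z]*\)).*/\1/p' "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Rewrites the flag in cvpnd.C ($1) to $2 (true or false), keeping a .bak copy.
# Takes effect only after cvpnstop, cvpnstart on the gateway.
set_ws_local_config() {
    cp "$1" "$1.bak" || return 1
    sed "s/\(use_ws_local_configuration[[:space:]]*(\)[A-Za-z]*)/\1$2)/" "$1.bak" > "$1"
}

# Comments out the LoadModule wi_module line in httpd.conf ($1), keeping a .bak copy.
# This is the "advanced troubleshooting only" step the guide warns about.
disable_wi_module() {
    cp "$1" "$1.bak" || return 1
    sed 's/^\([[:space:]]*LoadModule[[:space:]][[:space:]]*wi_module\)/#\1/' "$1.bak" > "$1"
}

# Effective state of the Web Intelligence protections on Mobile Access traffic.
# $1 = httpd.conf, $2 = cvpnd.C, $3 = "on" or "off" for the gateway IPS blade.
# Returns 0 (local protections active), 1 (gateway IPS profile in use, verify it),
# 2 (module not loaded, protections off). Mirrors the Note above: with IPS off,
# the local settings apply whatever the flag says.
audit_mobile_access_ips() {
    if ! wi_module_loaded "$1"; then
        echo "FAIL: wi_module not loaded in $1; Web Intelligence protections are off"
        return 2
    fi
    case "$(ws_local_config "$2")" in
        false)
            if [ "$3" = "on" ]; then
                echo "WARN: gateway IPS profile in use; check that the required protections are active in it"
                return 1
            fi
            echo "OK: IPS blade is off, so the local settings apply regardless of the flag"
            return 0 ;;
        *)
            echo "OK: local Web Intelligence settings in use"
            return 0 ;;
    esac
}

# Writes constructed sample files (not real gateway output) into directory $1.
make_samples() {
    cat > "$1/httpd.conf" <<'EOF'
# constructed sample httpd.conf
LoadModule wi_module /opt/CPcvpn-R77.20/lib/libModWI.so
EOF
    cat > "$1/cvpnd.C" <<'EOF'
(
    :use_ws_local_configuration (true)
)
EOF
}

# Walk through the states on the constructed copies.
tmp=$(mktemp -d)
make_samples "$tmp"
rc=0; audit_mobile_access_ips "$tmp/httpd.conf" "$tmp/cvpnd.C" on || rc=$?   # OK, rc=0
set_ws_local_config "$tmp/cvpnd.C" false
rc=0; audit_mobile_access_ips "$tmp/httpd.conf" "$tmp/cvpnd.C" on || rc=$?   # WARN, rc=1
rc=0; audit_mobile_access_ips "$tmp/httpd.conf" "$tmp/cvpnd.C" off || rc=$?  # OK, rc=0
disable_wi_module "$tmp/httpd.conf"
rc=0; audit_mobile_access_ips "$tmp/httpd.conf" "$tmp/cvpnd.C" off || rc=$?  # FAIL, rc=2
rm -rf "$tmp"
```

Both write functions leave a .bak copy beside the file, which is what you restore when switching back; neither restarts anything, so the audit reports the on-disk state, and the running gateway only matches it after cvpnstop, cvpnstart.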
The protections listed below should always be active on Mobile Access traffic. They are included in the local IPS settings that are automatically activated when Mobile Access is enabled on a Security Gateway. Note that most, but not all, of them are included in the Recommended_Protection IPS profile.
| Protection Name | In Recommended_Protection Profile? |
|---|---|
| HTTP Format Sizes | yes |
| HTTP Methods | yes |
| ASCII Only Request | yes |
| General HTTP Worm Catcher | yes |
| Directory Traversal | yes |
| Cross-Site Scripting | no |
| Command Injection | yes |
| Header Rejection | yes |
| Malicious Code Protector | no |
| Non Compliant HTTP | yes |
Certain Anti-Virus settings configured for a Security Gateway in the Traditional Anti-Virus > Security Gateway > HTTP page of the Threat Prevention tab also apply to Mobile Access traffic. To activate traditional Anti-Virus protection, enable Traditional Anti-Virus on the Security Gateway.
These settings apply to Mobile Access traffic when Traditional Anti-Virus is configured to scan traffic By File Direction:
If Traditional Anti-Virus is configured to scan traffic By IPs, all portal traffic is scanned according to the settings defined for the Mail, FTP and HTTP protocols in SmartDashboard.
Mobile Access Anti-Virus protections always work in proactive mode regardless of which option you select.
Note - After SSL Network Extender traffic is rerouted to the Security Gateway, Anti-Virus inspects the traffic as it does any other unencrypted traffic.
The Anti-Virus blade and Traditional Anti-Virus can be activated on Security Gateways in your system.
Note - You cannot activate the Anti-Virus blade and Traditional Anti-Virus on the same Security Gateway.
To configure traditional Anti-Virus:
The gateway window opens and shows the General Properties page.
The IPsec VPN blade and Mobile Access blade can be enabled on the same gateways. They can be used in parallel to enable optimal site to site and remote access VPN connectivity for your environment.
Certain VPN Clients that worked with Mobile Access in previous versions do not work with the Mobile Access blade on R71 and higher gateways. They only work with the IPsec VPN blade. These are:
SSL Network Extender works either with Mobile Access or with IPsec VPN, however, if the Mobile Access blade is enabled on a gateway, SSL Network Extender must be configured through Mobile Access. If you had SSL Network Extender configured through IPsec VPN and now you enabled the Mobile Access blade on the gateway, you must reconfigure SSL Network Extender policy in the Mobile Access tab of SmartDashboard. Rules regarding SSL Network Extender in the main security rule base are not active if the Mobile Access tab is enabled.
Office mode can be configured either with Mobile Access or with IPsec VPN.
In the Gateway Properties > Optimization > Capacity Optimization section you can configure the maximum limit for concurrent connections.
When users connect to corporate resources through the Mobile Access blade, it creates multiple connections. For example, from the user to the gateway, and from the gateway to the internal server. Therefore, in an environment with over 1000 remote users, we recommend that you increase the maximum concurrent connections.
For example, the default maximum is 25,000. If you have 2000 Mobile Access users, increase the maximum to 29,000 (25,000 plus 2 connections for each of the 2000 users).