The Security Gateway runs different web-based portals over HTTPS:
All of these portals can resolve HTTPS hosts to IPv4 and IPv6 addresses over port 443.
These portals (and HTTPS inspection) support the latest versions of the TLS protocol. In addition to SSLv3 and TLS 1.0 (RFC 2246), the Security Gateway supports:
Support for TLS 1.1 and TLS 1.2 is enabled by default but can be disabled in SmartDashboard (for web-based portals) or GuiDBedit Tool (see sk13009) (for HTTPS Inspection).
To configure TLS protocol support for portals:
The Advanced Configuration window opens.
To Configure TLS Protocol Support for HTTPS inspection:
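After changing the TLS settings described above, an administrator will want to confirm which protocol versions the portal on port 443 actually accepts. The following probe is an added example (it is not Check Point code and is not part of this page); it attempts one handshake per TLS version against a host name given on the command line, which is an assumed placeholder. The `handshake` parameter is injectable so the reporting logic can be exercised without a network.

```python
"""Probe which TLS protocol versions a web portal accepts on port 443.

Added example, not Check Point's own tooling. The host name is supplied on
the command line; "gateway.example.internal" below is an assumed placeholder.
"""
import socket
import ssl
import sys

# Protocol versions to try, oldest first. SSLv3 cannot be requested through
# the ssl module on current Python builds, so it is not probed here.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def _real_handshake(host, port, version, timeout=5.0):
    """Open one TCP connection and attempt a handshake pinned to `version`.
    Returns True when the handshake completes, False when the server (or the
    local OpenSSL policy) refuses that version. Other socket errors, such as
    a refused connection or DNS failure, propagate to the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Certificate trust is not what is being tested; the portal may still
    # carry the auto-generated certificate mentioned on this page.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Older versions need legacy ciphers enabled on the client side.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and some builds do not understand @SECLEVEL
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False


def probe_tls_versions(host, port=443, handshake=_real_handshake):
    """Return {version_name: accepted} for every version in VERSIONS."""
    return {name: handshake(host, port, ver) for name, ver in VERSIONS.items()}


def legacy_versions_enabled(results):
    """Names of pre-TLS-1.2 versions the server still accepts, i.e. the
    ones an administrator would normally expect to have disabled."""
    return [name for name in ("TLSv1.0", "TLSv1.1") if results.get(name)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.internal"  # assumed
    res = probe_tls_versions(target)
    for name, ok in res.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    legacy = legacy_versions_enabled(res)
    if legacy:
        print("legacy TLS versions still enabled:", ", ".join(legacy))
```

Run it as `python3 probe_tls.py <Gateway_IP>` from a host that can reach the portal. A version reported as rejected may also mean the local OpenSSL build refuses to offer it, so compare the result with the SmartDashboard or GuiDBedit setting rather than treating a rejection alone as proof that the server disabled it.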
Each Mobile Access-enabled Security Gateway leads to its own Mobile Access user portal. Remote users log in to the portal using an authentication scheme configured for that Security Gateway.
Remote users access the portal from a Web browser with https://<Gateway_IP>/sslvpn, where <Gateway_IP> is one of these:
Remote users that use HTTP are automatically redirected to the portal using HTTPS.
Note - If Hostname Translation is the method for link translation, FQDN is required.
Set up the URL for the first time in the Mobile Access First Time Wizard.
To change the Mobile Access portal URL:
The gateway window opens and shows the General Properties page.
If you do not import a certificate, the portal uses a Check Point auto-generated certificate. This might cause browser warnings if the browser does not trust the gateway's management server as the issuer of that certificate. All portals on the same IP address use the same certificate.
To configure the accessibility settings for the portal:
The gateway window opens and shows the General Properties page.
Configure from where users access the Mobile Access portal. The options are based on the topology configured for the gateway.
To configure the accessibility settings for the portal:
The gateway window opens and shows the General Properties page.
To customize the Mobile Access end user portal:
The gateway window opens and shows the General Properties page.
The Portal Customization page opens.
Mobile Access localizes the user interface of the Mobile Access user portal and the Secure Workspace to multiple languages.
The Mobile Access user portal and the Secure Workspace can be configured by gateway in the Portal Settings > Portal Customization page to use these languages:
Automatic language detection is an optional feature that gives priority to the language settings in the user’s browser over the language chosen by the administrator.
Automatic language detection is activated by configuring the CVPN_PORTAL_LANGUAGE_AUTO_DETECT flag in the Main.virtualhost.conf file on Mobile Access.
By default, the language preference in the user’s browser is not automatically detected. If automatic detection is configured, the language used in SmartDashboard is the first language supported by Mobile Access that is found in the Language Preference list defined in the user’s browser settings. If no supported language is found in the Language Preference list in the user’s browser, the language set by the administrator in SmartDashboard is used.
To activate automatic language detection, perform the following steps on each cluster member:
1. Edit the $CVPNDIR/conf/includes/Main.virtualhost.conf file, and change the following line from:
SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 0
to:
SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 1
2. Run cvpnrestart.
Any explicit language selection by the user in any of the portal pages overrides both the administrator's default language setting and the automatic language detection.
Users can select a language in the user portal sign-in page, in the Change Language To field.
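The precedence described in this section (explicit user choice, then the browser's preference list when automatic detection is on, then the administrator's default) can be worked through with the browser's Accept-Language header. The following is an added illustration, not Check Point's implementation of the portal; the set of supported languages is an assumption, since the page's own list is not reproduced here.

```python
"""Worked example of the portal language selection order described above.

Added illustration, not Check Point's own code. SUPPORTED is an assumed
set of portal languages; replace it with the languages the gateway offers.
"""
import re

# Assumed portal languages, as lower-case language tags.
SUPPORTED = ("en", "fr", "de", "ja", "zh-cn")

# One Accept-Language entry: a language tag or "*", with an optional q-value.
_LANG_RE = re.compile(
    r"\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*"
    r"(?:;\s*q\s*=\s*([01](?:\.\d{0,3})?))?\s*$"
)


def parse_accept_language(header):
    """Parse an Accept-Language header into language tags ordered by
    preference: descending q-value, original order for ties. Entries with
    q=0 are dropped; malformed entries are skipped rather than rejected."""
    prefs = []
    for pos, item in enumerate(header.split(",")):
        m = _LANG_RE.match(item)
        if not m:
            continue
        tag, q = m.group(1).lower(), m.group(2)
        weight = float(q) if q is not None else 1.0
        if weight > 0:
            prefs.append((-weight, pos, tag))
    prefs.sort()
    return [tag for _, _, tag in prefs]


def match_supported(preferences, supported=SUPPORTED):
    """Return the first browser preference the portal supports, or None.
    A regional tag such as de-AT falls back to its base language de;
    the wildcard "*" and unsupported tags are skipped."""
    for tag in preferences:
        if tag == "*":
            continue
        if tag in supported:
            return tag
        base = tag.split("-")[0]
        if base in supported:
            return base
    return None


def choose_portal_language(admin_default, accept_language="",
                           auto_detect=False, user_choice=None):
    """Apply the precedence rules: an explicit user selection wins, then
    automatic detection (only when CVPN_PORTAL_LANGUAGE_AUTO_DETECT is 1),
    then the language set by the administrator."""
    if user_choice:
        return user_choice
    if auto_detect:
        detected = match_supported(parse_accept_language(accept_language))
        if detected:
            return detected
    return admin_default


if __name__ == "__main__":
    # Constructed header: a browser preferring Austrian German, then Dutch, then English.
    hdr = "de-AT,nl;q=0.8,en;q=0.5"
    print(choose_portal_language("en", hdr, auto_detect=False))               # en
    print(choose_portal_language("en", hdr, auto_detect=True))                # de
    print(choose_portal_language("en", hdr, auto_detect=True, user_choice="ja"))  # ja
```

With detection off, the Dutch-preferring browser still gets the administrator's default; with it on, the unsupported first preference is skipped and the regional tag is reduced to its base language; a selection in the Change Language To field overrides both.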
Note - There should be a Mobile Access policy rule that includes the alternative portal as a Web application and allows its intended users to access it.
To specify an alternative user portal:
SmartDashboard opens and shows the Mobile Access tab.
The Mobile Access Sign-In Home Page window opens.
When a user belongs to more than one group, the table in the Alternative Portal page acts as an ordered rule base. Users are directed to the alternative portal of the first group that they are part of.
The user workflow includes these steps:
In a browser, type in the URL assigned by the system administrator for the Mobile Access gateway.
Best Practice - Some popup blockers can interfere with aspects of portal functionality. Tell users to configure popup blockers to allow pop-ups from Mobile Access.
If the administrator configured Secure Workspace to be optional, users can choose to select it on the sign-in page.
Users enter their authentication credentials and click Sign In. Before Mobile Access gives access to the applications on the LAN, the credentials of remote users are first validated. Mobile Access authenticates the users either through its own internal database, LDAP, RADIUS or RSA ACE/Servers. After the remote users are authenticated, and associated with Mobile Access groups, access is given to corporate applications.
Note - If the Endpoint Compliance Scanner is enabled, users' computers might be scanned before they can access the Mobile Access Sign In page. This is to make sure that credentials are not compromised by third-party malicious software.
Some Mobile Access components, such as the Endpoint Compliance Scanner, Secure Workspace and SSL Network Extender, require either an ActiveX component (for Windows machines with Internet Explorer) or a Java component to be installed on the endpoint machine.
When using one of these components for the first time on an endpoint machine running Windows and Internet Explorer, Mobile Access tries to install it using ActiveX. However, Internet Explorer may prevent the ActiveX installation because the user does not have Power User privileges, or may display a yellow bar at the top of the page asking the user to explicitly allow the installation. The user is then instructed to click the yellow bar or, if that does not work, to follow a dedicated link. This link installs the required component using Java.
After the first of these components is installed, any other components are installed in the same way. For example, if the Endpoint Compliance Scanner was installed using Java on Internet Explorer, Secure Workspace and SSL Network Extender are also installed using Java.
For general information about the Mobile Access Portal and Java compatibility see sk113410.
Note - To install using ActiveX after a component was installed using Java, delete the browser cookies.
The user may be required to configure certain settings, such as application credentials. In addition, the user can define additional favorites for commonly used applications.
After the remote users have logged onto the Mobile Access gateway, they are presented with a portal. The user portal enables access to the internal applications that the administrator has configured as available from within the organization, and that the user is authorized to use.