Check Point Mobile Access Solutions

Check Point Mobile Access has a range of flexible clients and features that let users access internal resources from remote locations. All these solutions include these features:

For more information about the newest versions of Mobile Access solutions and clients, go to sk67820.

Client-Based vs. Clientless

Check Point remote access solutions use IPsec and SSL encryption protocols to create secure connections. All Check Point clients can work through NAT devices, hotspots, and proxies in situations with complex topologies, such as airports or hotels. These are the types of installations for remote access solutions:

Mobile Access Clients

Mobile Access Web Portal

The Mobile Access Portal is a clientless SSL VPN solution that supplies secure access to web-based resources. After users authenticate to the portal, they can access Mobile Access applications such as Outlook Web App and a corporate wiki.

SSL Network Extender

SSL Network Extender is an on-demand SSL VPN client and is installed on the computer or mobile device from an Internet browser. It supplies secure access to internal network resources.

Configuring Mobile Access to Network Resources

Sample Mobile Access Workflow

This is a high-level workflow to configure remote access to Mobile Access applications and resources.

  1. Use SmartConsole to enable the Mobile Access Software Blade on the gateway.
  2. Follow the steps in the Mobile Access Configuration wizard to configure these settings:
    1. Select mobile clients.
    2. Define the Mobile Access portal.
    3. Define applications, for example Outlook Web App.
    4. Connect to the AD server for user information.
  3. Select the policy type:
    • The default is to use the Legacy Policy, configured in the Mobile Access tab in SmartConsole.
    • To include Mobile Access in the Unified Access Control Policy, select this in Gateway Properties > Mobile Access.
  4. Add rules to the Policy:
    • For Legacy Policy: Add rules in SmartConsole. Select Security Policies > Shared Policies > Mobile Access > Open Mobile Access Policy in SmartConsole.
    • For Unified Access Control Policy: Add rules in SmartConsole > Security Policies > Access Control Policy.
  5. Configure the authentication settings in Gateway Properties > Mobile Access > Authentication.
  6. Install the Access Control Policy on the gateway.

    Users can access mobile applications through the configured Mobile Access portal with the defined authentication method.

  7. Optional: Give secure access to users through the Capsule Workspace app with certificate authentication.
    1. In the gateway Mobile Access > Authentication, click Settings, and select Require client certificate.
    2. Use the Certificate Creation and Distribution Wizard (in the Security Policies view > Client Certificates > New).
    3. Users download the Capsule Workspace app.
    4. Users open the Capsule Workspace app and enter the Mobile Access Site Name and necessary authentication, such as user name and password.

Workflow diagram: Enable Mobile Access > Configure settings in Mobile Access wizard > Select the policy type and add rules to policy > Update the Authentication settings > Install the Access Control Policy > Users can access internal resources. Optional certificate branch: Generate a certificate for the clients > Users download app, open it, and enter settings.

Sample Mobile Access Deployment

This is a sample deployment of a Mobile Access Security Gateway with an AD and Exchange server in the internal network.

Figure: Sample Mobile Access Deployment

Item  Description
1     Mobile devices
2     Mobile Access tunnels
3     Internet (external networks)
4     Mobile Access Security Gateway
5     Internal network resources, AD and Exchange servers

In this sample Mobile Access deployment, a mobile device uses a Mobile Access tunnel to connect to the internal network. The Mobile Access Security Gateway decrypts the packets and authenticates the user. The connection is allowed and the mobile device connects to the internal network resources.

Using the Mobile Access Configuration Wizard

This procedure describes how to enable and configure the Mobile Access Software Blade on a Security Gateway with the Configuration wizard. For this sample configuration, the AD user group Mobile_Access contains all the users that are allowed to connect to the internal network. The deployment is based on the Sample Mobile Access Deployment.

This configuration lets these clients connect to internal resources:

To configure Mobile Access:

  1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

    The General Properties window opens.

  2. In the General Properties > Network Security section, select Mobile Access.

    The Mobile Access page of the Mobile Access Configuration Wizard opens.

  3. Configure the Security Gateway to allow connections from the Internet and mobile devices. Select these options:
    • Web
    • Mobile Devices - Select the required options.
    • Desktops/Laptops - Select the required options.
  4. Click Next.

    The Web Portal page opens.

  5. Enter the primary URL for the Mobile Access portal. The default is https://<gw_IPv4>/sslvpn.
  6. Click Next.

    The Applications page opens.

  7. Configure the applications to show:
    1. In Web Applications, make sure Demo web application (World Clock) is selected.
    2. In Mail/Calendar/Contacts, enter the domain for the Exchange server and select:
      • Mobile Mail (including push mail notifications)
      • ActiveSync Applications
      • Outlook Web App

      The Mobile Access portal shows links to the Demo web and Outlook Web App applications. The client on the mobile device shows links to the other applications.

  8. Click Next.

    The Active Directory page opens.

  9. Select the AD domain and enter the user name and password.
  10. Click Connect.

    The Security Gateway makes sure that it can connect to the AD server.

  11. Click Next.

    The Users page opens.

    Click Add and then select the group Mobile_Access.

  12. Click Next and then click Finish.

    The Mobile Access Configuration Wizard closes.

  13. Click OK.

    The Gateway Properties window closes.

Allowing Mobile Connections

The Mobile Access Configuration Wizard enables and configures the Mobile Access Software Blade. It is still necessary to add Firewall rules that allow connections from the VPN clients on the computers and devices. Create a Host Node object for the Exchange server; all of the other objects are predefined.

Name                 Source  Destination  VPN           Service                  Action  Install On      Track
Mobile Access Users  Any     ExchngSrvr   RemoteAccess  HTTP, HTTPS, MSExchange  Accept  MobileAccessGW  Log

All connections from the RemoteAccess VPN community to the Exchange server are allowed. These are the only protocols that are allowed: HTTP, HTTPS, and MS Exchange. This rule is installed on Security Gateways in the MobileAccessGW group.
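As an added illustration (not Check Point code), here is a small first-match evaluator that encodes the rule above and shows which connections it accepts; the point it makes is that the VPN column restricts the match to traffic arriving through the RemoteAccess community, so even HTTPS to the Exchange server sent in the clear is not matched and falls to the implicit cleanup rule (assumed here to be the default drop). Object names come from the rule table; the sample connections are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    source: frozenset       # {"Any"} matches every value in the column
    destination: frozenset
    vpn: frozenset          # VPN communities the traffic must arrive through
    service: frozenset
    action: str
    install_on: frozenset   # gateway objects/groups the rule is installed on
    track: str

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    vpn_community: Optional[str]  # None = clear traffic, not inside a VPN tunnel
    service: str
    gateway: str                  # gateway enforcing the policy

# The single rule from the table above, using the object names given there.
MOBILE_ACCESS_RULE = Rule(
    name="Mobile Access Users",
    source=frozenset({"Any"}),
    destination=frozenset({"ExchngSrvr"}),
    vpn=frozenset({"RemoteAccess"}),
    service=frozenset({"HTTP", "HTTPS", "MSExchange"}),
    action="Accept",
    install_on=frozenset({"MobileAccessGW"}),
    track="Log",
)

def _col_matches(column: frozenset, value) -> bool:
    return "Any" in column or value in column

def matches(rule: Rule, c: Connection) -> bool:
    """True only when every column of the rule matches the connection."""
    return (c.gateway in rule.install_on
            and _col_matches(rule.source, c.src)
            and _col_matches(rule.destination, c.dst)
            and _col_matches(rule.vpn, c.vpn_community)
            and _col_matches(rule.service, c.service))

def evaluate(rulebase, c: Connection) -> Tuple[str, str, str]:
    """First-match evaluation; unmatched traffic hits the implicit cleanup rule (assumed drop)."""
    for rule in rulebase:
        if matches(rule, c):
            return (rule.action, rule.track, rule.name)
    return ("Drop", "None", "Implicit Cleanup Rule")
```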

Defining Access to Applications

Use the Security Policies page in SmartConsole to define rules that let users access Mobile Access applications. The applications that are selected in the Configuration Wizard are automatically added to this page. You can also create and edit the rules that include these SmartConsole objects:

Activating Single Sign On

Enable the SSO (Single Sign On) feature to let users authenticate one time for applications that they use during Mobile Access sessions. The credentials that users enter to log in to the Mobile Access portal can be re-used automatically to authenticate to different Mobile Access applications. SSO user credentials are securely stored on the Mobile Access Security Gateway for that session and are used again if users log in from different remote devices. After the session is completed, the credentials are stored in a database file.

By default, SSO is enabled on new Mobile Access applications that use HTTP. Most Web applications authenticate users with specified Web forms. You can configure SSO for an application to use the authentication credentials from the Mobile Access portal. It is not necessary for users to log in again to each application.

To configure SSO:

  1. In SmartConsole, go to Security Policies > Shared Policies > Mobile Access.
  2. Click Open Mobile Access Policy in SmartDashboard.
  3. In the Mobile Access tab, select Additional Settings > Single Sign On.

    The Single Sign On page opens.

  4. Select an application and click Edit.

    The application properties window opens and shows the Single Sign On page.

  5. For Web form applications:
    1. In the Application Single Sign On Method section, select Advanced and click Edit.

      The Advanced window opens.

    2. Select This application reuses the portal credentials. Users are not prompted.
    3. Click OK.
    4. Select This application uses a Web form to accept credentials from users.
    5. Click OK.
  6. Install the policy.