Native Applications for Client-Based Access

Introduction to Native Applications

A native application is any IP-based application that is hosted on servers within the organization, and requires an installed client on the endpoint. The client is used to access the application and encrypt all traffic between the endpoint and Mobile Access.

SSL Network Extender automatically works with Mobile Access to support native applications.

Microsoft Exchange, Telnet, and FTP are all examples of native application servers. Authorized users can use their native clients (for example, telnet.exe, ftp.exe, or Outlook) to access these internal applications from outside the organization.

A native application is defined by the:

  • Server hosting applications.

  • Services used by applications.

  • Connection direction (usually client to server, but can also be server to client, or client to client).

  • Applications on the endpoint (client) machines.

    These applications are launched on demand on the user machine when the user clicks a link in the user portal.

    They can be one of these:

    • Already installed on the endpoint machine

    • Run via a default browser

    • Downloaded from Mobile Access

SSL Network Extender for Accessing Native Applications

The SSL Network Extender client makes it possible to access native applications via Mobile Access. SSL Network Extender can operate in two modes: Network Mode and Applications Mode.

SSL Network Extender with Mobile Access

The SSL Network Extender client lets users access native applications using Mobile Access.

  • If the Mobile Access blade is enabled on the Security Gateway, SSL Network Extender works through Mobile Access only. Configure its policy in the Policy page of the Mobile Access tab.

  • If the Mobile Access blade is disabled and the IPsec VPN blade is enabled, SSL Network Extender works through the IPsec VPN blade. Configure its policy in the main security rule base.

Note - If SSL Network Extender was configured through IPsec VPN, and now you enabled the Mobile Access blade on the Security Gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. SSL Network Extender rules in the main security rule base are not active if the Mobile Access tab is enabled.

SSL Network Extender is downloaded automatically from the Mobile Access portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender tunnels application traffic using a secure, encrypted and authenticated SSL tunnel to the Mobile Access Security Gateway.

SSL Network Extender requires the Mobile Access Portal.

SSL Network Extender Network Mode

The SSL Network Extender Network Mode client provides secure remote access for all application types (both Native-IP-based and Web-based) in the internal network via SSL tunneling. To install the Network mode client, users must have administrator privileges on the client computer.

After installing the client, an authenticated user can access any authorized internal resource that is defined on Mobile Access as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the Mobile Access portal.

SSL Network Extender Application Mode

The SSL Network Extender Application Mode client provides secure remote access for most application types (both Native (IP-based) and Web-based) in the internal network via SSL tunneling. Most TCP applications can be accessed in Application mode. The user does not require administrator privileges on the endpoint machine.

After the client is installed, the user can access any internal resource that is defined on Mobile Access as a native application. The application must be launched from the Mobile Access portal and not from the user's desktop.

If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user that connects in Application Mode will be able to see it and launch it. If the application is not supported in Application Mode, a user who connects with Application Mode will not see it in the list of applications. While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified to work with SSL Network Extender in Application mode.

Note - UDP based applications are not supported with SSL Network Extender in Application mode.

Supported Application Mode Applications

Most TCP applications work with SSL Network Extender in the Application Mode. If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user that connects in Application Mode will be able to see it and launch it. If the application is not supported in Application Mode, a user who connects with Application Mode will not see it in the list of applications.

The following applications have been tested and are Check Point OPSEC-certified for use with Mobile Access SSL Network Extender in Application mode. Note that this mode is different from SSL Network Extender in Network mode which supports any IP-based application. While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified to work with SSL Network Extender in Application mode. Only specified versions are guaranteed to work and are fully supported. However, in most cases other versions of the same client and most other applications that are TCP based will work.

Note - Some Anti-Virus applications do not scan email when Microsoft Outlook is launched with SSL Network Extender Application mode, because the mail is encrypted in SSL before scanning begins.

Configuring SSL Network Extender as a VPN Client

Office Mode

When working with Office Mode, Remote Access clients receive an IP address allocated for them by the VPN administrator. These addresses are used by the clients in the source field of the IP packets they build. Since the IP packets are then encrypted and encapsulated, the packets appear to the Internet with their original IP address. To the organization's internal network, after decapsulation and decryption, they appear with the allocated IP address. The clients seem to be on the internal network.

For more about Office Mode, see the R80.40 Remote Access VPN Administration Guide.

Configuring Office Mode

Configure Office Mode in Gateway Properties > Mobile Access > Office Mode. The settings configured here apply to Mobile Access clients and IPsec VPN clients.

Office Mode Method

Choose the methods used to allocate IP addresses for Office Mode. All of the methods selected below will be tried sequentially until the office mode IP addresses are allocated.

  • From $FWDIR/conf/ipassignment.conf - You can override the Office Mode settings created on Security Management Server. Edit the plain text file ipassignment.conf in the $FWDIR/conf/ directory on the Check Point Security Gateway. The Security Gateway uses these Office Mode settings and not those defined for the object in Security Management Server.

    The ipassignment.conf file can specify:

    • An IP per user/group, so that a particular user or user group always receives the same Office Mode address. This allows the administrator to assign specific addresses to users, or particular IP ranges/networks to groups when they connect using Office Mode.

    • A different WINS server for a particular user or group.

    • A different DNS server.

    • Different DNS domain suffixes for each entry in the file.

  • From the RADIUS server used to authenticate the user - A RADIUS server can be used for authenticating remote users. When a remote user connects to a Security Gateway, the user name and password are passed on to the RADIUS server, which checks that the information is correct, and authenticates the user.

  • Using one of the following methods

    • Manually (IP pool) - Create a Network Object with the relevant addresses. The allocated addresses can be illegal but they have to be routable within the internal network.

    • Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and treats VPN as a DHCP relay agent. The virtual IP address must be routable so that the DHCP server can send its replies correctly.

      DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client they are allocated the same IP address.

Multiple Interfaces

If the Security Gateway has multiple external interfaces, there might be a routing problem for packets whose destination address is a client working in Office Mode. The destination IP address is replaced when the packet is encapsulated and thus previous routing information becomes irrelevant. Resolve this problem by setting the Security Gateway to Support connectivity enhancement for gateways with multiple external interfaces. Do not select this option if your Security Gateway has only one external interface, as this operation affects the performance.

Anti-Spoofing

If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode.

If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here.
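The allocation order and the Anti-Spoofing check described above, as an added Python model (example code written for this page, not part of the guide or the product): the Office Mode methods are tried in the sequence the guide lists, the DHCP method derives a synthetic MAC from either the user or the machine, so that in the per-machine case two users of the same client receive the same address, and a decapsulated packet whose source is an Office Mode address is accepted only while that address is held by a connected client. The IPASSIGNMENT and RADIUS_ADDRESS dicts are constructed stand-ins for what ipassignment.conf and the RADIUS server supply, not their real syntax or attribute encoding; the pool, DHCP scope, user names and machine names are constructed as well.

```python
import hashlib
import ipaddress

# Constructed sample settings for this example. The dicts are stand-ins for what
# the guide says ipassignment.conf and the RADIUS server can supply; they are
# not the real file syntax or RADIUS attribute encoding.
IPASSIGNMENT = {
    "users": {"ethan": "10.20.0.5"},                      # fixed address per user
    "groups": {"finance": ("10.20.1.1", "10.20.1.10")},  # address range per group
}
RADIUS_ADDRESS = {"richard": "10.20.0.50"}           # address handed back by RADIUS
IP_POOL = [f"10.20.3.{i}" for i in range(1, 6)]      # manual IP pool (Network Object)
DHCP_SCOPE = ipaddress.ip_network("10.20.2.0/24")    # scope the DHCP server allocates from


def addresses(first, last):
    """Every address in the inclusive range first..last."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


def synthetic_mac(identity):
    """MAC the gateway presents to DHCP for a client, derived from the user or the machine."""
    raw = bytearray(hashlib.sha256(identity.encode()).digest()[:6])
    raw[0] = (raw[0] | 0x02) & 0xFE          # locally administered, unicast
    return ":".join(f"{b:02x}" for b in raw)


class OfficeModeAllocator:
    def __init__(self, pool=IP_POOL, per_user_mac=True):
        self.pool = list(pool)
        self.per_user_mac = per_user_mac
        self.leases = {}        # DHCP side: synthetic MAC -> leased address
        self.allocated = {}     # gateway side: Office Mode address -> connected user

    # The methods are tried in the order the guide lists them.
    def _from_ipassignment(self, user, groups, machine):
        if user in IPASSIGNMENT["users"]:
            return IPASSIGNMENT["users"][user]
        for group in groups:
            if group in IPASSIGNMENT["groups"]:
                free = [ip for ip in addresses(*IPASSIGNMENT["groups"][group])
                        if ip not in self.allocated]
                return free[0] if free else None
        return None

    def _from_radius(self, user, groups, machine):
        return RADIUS_ADDRESS.get(user)

    def _from_pool(self, user, groups, machine):
        return next((ip for ip in self.pool if ip not in self.allocated), None)

    def _from_dhcp(self, user, groups, machine):
        mac = synthetic_mac(user if self.per_user_mac else machine)
        if mac not in self.leases:                   # DHCP keeps one address per MAC
            used = set(self.leases.values())
            self.leases[mac] = next(str(h) for h in DHCP_SCOPE.hosts() if str(h) not in used)
        return self.leases[mac]

    def allocate(self, user, groups=(), machine="unknown-host"):
        """Return (address, method) for the first method that yields an address."""
        for method in (self._from_ipassignment, self._from_radius, self._from_pool, self._from_dhcp):
            ip = method(user, groups, machine)
            if ip:
                self.allocated[ip] = user
                return ip, method.__name__.lstrip("_")
        return None, None

    def release(self, ip):
        """Client disconnected: the address no longer belongs to anyone."""
        self.allocated.pop(ip, None)

    def is_office_mode_address(self, ip):
        if ip in self.pool or ipaddress.ip_address(ip) in DHCP_SCOPE:
            return True
        if ip in IPASSIGNMENT["users"].values() or ip in RADIUS_ADDRESS.values():
            return True
        return any(ip in addresses(*rng) for rng in IPASSIGNMENT["groups"].values())

    def anti_spoof_ok(self, inner_src):
        """After decapsulation, an Office Mode source address must belong to a connected client."""
        if not self.is_office_mode_address(inner_src):
            return True        # not an Office Mode address; ordinary anti-spoofing applies elsewhere
        return inner_src in self.allocated
```

The DHCP branch is why the guide insists that VPN knows the DHCP scope for Anti-Spoofing: without DHCP_SCOPE, is_office_mode_address could not recognise a DHCP-allocated source, and the check would let it through.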

IP Pool Optional Parameters

Configure additional optional parameters for how office mode addresses are assigned by clicking Optional Parameters. If the office mode addresses are allocated from an IP pool, this window allows you to specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the Domain name.

If the office mode addresses are allocated by a DHCP server, DNS and WINS addresses are set on the DHCP server.

These details are transferred to the Remote Access client when a VPN is established.

IP Lease Duration

Specify the amount of time after which the Remote Access client stops using the allocated IP address and disconnects. By default, the duration is 15 minutes. The client tries to renew the IP address by requesting the same address after half of the set time has elapsed. When this request is granted, the client receives the same address until the lease expires. When the new lease expires, it must be renewed again.

Configuring SSL Network Extender Advanced Options

Deployment Options

  • Client upgrade upon connection specifies how to deploy a new version of the SSL Network Extender Network Mode client on endpoint machines, when it becomes available.

    Note - Upgrading requires Administrator privileges on the endpoint machine.

  • Client uninstall upon disconnection specifies how to handle the installed SSL Network Extender Network Mode client on the endpoint machine when the client disconnects.

    • Do not uninstall allows the user to manually uninstall if they wish to.

    • Ask User allows the user to choose whether or not to uninstall.

    • Always uninstall does so automatically, when the user disconnects.

Encryption

  • Supported Encryption methods define the strength of the encryption used for communication between SSL Network Extender clients and all Mobile Access Security Gateways and Clusters that are managed by the Security Management Server.

    • AES, 3DES - This is the default setting. The 3DES encryption algorithm encrypts data three times, for an overall key length of 192 bits.

    • AES, 3DES or RC4 - to configure the SSL Network Extender client to support the RC4 encryption method, as well as AES and 3DES. RC4 is a variable key-size stream cipher. The algorithm is based on the use of a random permutation. It requires a secure exchange of a shared key that is outside the specification. RC4 is a faster encryption method than 3DES.

Launch SSL Network Extender Client

These settings define the behavior of the SSL Network Extender clients when launched on the endpoint machines.

  • On demand, when user clicks "Connect" on the portal - SSL Network Extender only opens when the user clicks "Connect" from the Mobile Access portal.

  • Automatically, when user logs on - When users log in to the Mobile Access portal, SSL Network Extender launches automatically.

  • Automatically minimize client window after client connects - For either of the options above, choose to minimize the SSL Network Extender window to the system tray on the taskbar after connecting. This provides better usability for non-technical users.

Endpoint Application Types

When defining a Native Application, you can define applications on endpoint machines. These applications launch on the endpoint machine when the user clicks a link in the Mobile Access portal. You do not have to configure endpoint applications for users using SSL Network Extender in Network Mode, as they will be able to access them using their native clients.

Application Installed on Endpoint Machine

These endpoint applications are already installed on the endpoint machines.

Application Runs Via a Default Browser

Run via default browser is used to define a link to any URL. The link appears in the Mobile Access portal, and launches the current Web browser (the same browser as the Mobile Access portal). The link can include $$user, which represents the user name of the currently logged-in user.

This option has a user experience similar to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some websites have problems working with Link Translation.

Applications Downloaded-from-Gateway

Downloaded-from-Gateway applications let you select applications that download from Mobile Access to the endpoint computer when the user clicks a link in the Mobile Access portal.

These applications allow end users to securely use client-server applications, without requiring a native client to be installed on their machines.

Mobile Access has built-in applications that the administrator can configure. Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files). All the applications that are available by default, other than the Terminal (PuTTY) client, are Java based applications, and are therefore multi-platform applications. The PuTTY client can only be used on Windows machines.

You can add Native Applications for Client-Based Access, in addition to the built-in applications.

The Downloaded-from-Gateway applications are third-party applications, which are supplied as-is, and for which Check Point provides limited support.

Some of these packages are not signed by Check Point, and when they are downloaded by end users a popup warning informs the user that the package is not signed.

Downloaded-from-Gateway Applications

  • Remote Desktop (RDP) - Downloaded-from-Gateway Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac.

  • Terminal (PuTTY) - An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator.

  • Jabber - Downloaded-from-Gateway Jabber Client is an instant messenger based on the Jabber protocol. Runs on every computer with at least Java 1.4.

  • FTP - Graphical Java network and file transfer client. Supports FTP using its own FTP API and various other protocols like SMB, SFTP, NFS, HTTP, and file I/O using third party APIs. Includes many advanced features such as recursive directory up/download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more.

  • Telnet - Telnet terminal. Provides user oriented command line login sessions between hosts on the Internet.

  • SSH - Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22.

  • TN3270 - IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.

  • TN5250 - IBM 5250 terminal emulator that interprets and displays 5250 data streams.

You can also add Native Applications for Client-Based Access.

Configuring Authorized Locations per User Group

The authorized locations (hosts or address ranges) of a Native application are defined in the Authorized Locations page of the Native Application. However, it is also possible to configure authorized locations per user group. Users who belong to two or more groups can access the union of the authorized locations of the groups.

For configuration details, see sk32111.

Ensuring the Link Appears in the End-User Browser

If an endpoint application is defined by the administrator, but is not available on the endpoint machine, the link to the application will not be shown in the Mobile Access portal.

For example, the link will not be shown if:

  • An endpoint application that is pre-installed on the endpoint machine (of type "Already Installed") is configured, and the application is in fact not installed on the endpoint machine.

  • A Downloaded-from-Gateway (Embedded) application requires Java, but Java is not installed on the endpoint machine.

Configuring a Simple Native Application

General Properties

In the General Properties page, define the name of the Native Application.

Authorized Locations

  1. Go to the Authorized Locations page.

    An authorized location ensures users of the Native Application can only access the specified locations using the specified services.

  2. Fill in the fields:

    • Host or Address Range is the machine or address range on which the application is hosted.

    • Service is the port on which the machine hosting the application listens for communication from application clients.

Applications on the Endpoint Computer

  1. Go to the Endpoint Applications page.

  2. Fill in the fields:

    • Add link in the Mobile Access portal must be selected if you want to make endpoint application(s) associated with the Native Applications available to users.

    • Link text can include $$user, a variable that represents the user name of the currently logged-in user.

    • Tooltip for additional information. Can include $$user, which represents the user name of the currently logged-in user.

    • Path and executable name must specify one of the following:

      Note - If the endpoint application is not available on the endpoint machine, the link to the application will not be shown in the end user's browser.

      • Full path of the application on the endpoint machines. For example: c:\WINDOWS\system32\ftp.exe

      • The location of the application by means of an environment variable. This allows the location of the application to be specified in a more generalized way. For example: %windir%\system32\ftp.exe

      • If the application is listed in the Windows Start > Programs menu, only the application name need be entered, as it appears to the user in the Start menu. For example HyperTerminal.

      • If the location of the application is in the path of the endpoint computer, only the application name need be entered. For example:
        ftp.exe

    • Parameters are used to pass additional information to applications on the endpoint computer, and to configure the way they are launched.

Using the $$user Variable in Native Applications

You can use the $$user variable to define customized login parameters for native applications. To do this, enter the $$user variable wherever you need to specify a user name.

For example, you can use the $$user variable to return the user name as a part of the login string for Remote Desktop. In this example, $$user.example.com (in the Parameters field) resolves to the login string ethan.example.com for Ethan or richard.example.com for Richard.

Completing the Native Application Configuration

To complete the configuration, add the Native application to a policy rule and install policy from SmartConsole.

If necessary, configure the Native Applications for Client-Based Access.

For Unified Access Policy, see Mobile Access and the Unified Access Policy.

For legacy policy, see Getting Started with Mobile Access.

Configuring an Advanced Native Application

Configuring Connection Direction

  1. In the General Properties page of the Native Application object, click Connection direction.

    The Advanced window opens.

  2. Select an option for the Direction of communication from the connection initiator:

    • Client to server: (For example, Telnet.) This is the default option. When you create a client to server application and assign it to a user group, you enable users of the group to initiate a connection to the specified server.

    • Server to client: (For example, X11.) When you create a server to client application, the specified server can initiate a connection to all SSL Network Extender or Secure Client Mobile users currently logged on to the Mobile Access Security Gateway, regardless of their group association.

    • Client to client: (For example, running Remote Administration from one client to another.) When you create a client to client Native Application and assign it to a user group, you enable users of that group to initiate a connection to all of the SSL Network Extender or Secure Client Mobile users currently logged on to Mobile Access, regardless of their user group association.

Note - A Client to Client Native Application does not require configuration of a destination address.

Multiple Hosts and Services

The native application can reside on a range of hosts, which can be accessed by the native application clients. You can also specify more than one service that clients may use to communicate with the application.

Users of the native application can only access the specified locations using the specified services.
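How the authorized locations, services, per-group union and connection direction described above combine into an access decision, as an added Python example (written for this page; it is not the product's policy engine or object syntax). NATIVE_APPS is a constructed sample policy: each application carries its locations as (host, range or network, service) pairs, the user groups it is assigned to, and its connection direction; host names, addresses and group names are constructed.

```python
import ipaddress

# Constructed sample policy for this example (not the product's own object
# syntax). Each Native Application lists its authorized locations as
# (host or address range, service) pairs, the user groups it is assigned to,
# and the connection direction from the initiator's point of view.
NATIVE_APPS = {
    "Telnet-Finance": {"direction": "client_to_server", "groups": {"finance"},
                       "locations": [("10.10.5.0/24", "tcp/23")]},
    "RDP-Admins": {"direction": "client_to_server", "groups": {"it-admins"},
                   "locations": [("10.10.9.10", "tcp/3389"),
                                 ("10.10.9.11-10.10.9.20", "tcp/3389")]},
    "Exchange": {"direction": "client_to_server", "groups": {"finance", "it-admins"},
                 "locations": [("10.10.7.5", "tcp/135"), ("10.10.7.5", "tcp/443")]},
    # Server to client: group membership is irrelevant, the server may reach every connected user.
    "X11-Display": {"direction": "server_to_client", "groups": set(),
                    "locations": [("10.10.8.1", "tcp/6000")]},
}


def host_matches(spec, ip):
    """spec is a single host, a dotted range 'first-last', or a CIDR network."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr == ipaddress.ip_address(spec)


def authorized_locations(user_groups):
    """Union of the client-to-server locations over every group the user belongs to."""
    union = set()
    for app in NATIVE_APPS.values():
        if app["direction"] == "client_to_server" and app["groups"] & set(user_groups):
            union.update(app["locations"])
    return union


def client_may_connect(user_groups, dst_ip, dst_service):
    """A client-initiated connection must match a location AND the service listed with it."""
    return any(host_matches(host, dst_ip) and service == dst_service
               for host, service in authorized_locations(user_groups))


def server_may_connect(src_ip, dst_service):
    """Server-to-client: the listed server may open dst_service on any connected client."""
    return any(host_matches(host, src_ip) and service == dst_service
               for app in NATIVE_APPS.values() if app["direction"] == "server_to_client"
               for host, service in app["locations"])
```

The service is checked together with the host that lists it, not as a separate pool of allowed ports: a user in finance may reach the Exchange host on tcp/443 but not on tcp/25, even though the host itself is authorized.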

Configuring the Endpoint Application to Run Via a Default Browser

Automatically Starting the Application

To configure the Endpoint Application to start automatically:

  1. Define a Native Application.

  2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.

  3. Select Advanced > Edit.

    The Endpoint Applications - Advanced window opens.

  4. Click Add or Edit.

    The Edit Endpoint Application window opens.

  5. Click Advanced.

    • Automatically Start this Application - Configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode). When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications.

    • When SSL Network Extender is disconnected - In SSL Network Extender Application Mode, do not use this option to launch applications that require connectivity to the organization. In Network Mode, automatic start of applications when SSL Network Extender is disconnected works correctly.

Making an Application Available in Application Mode

Note - If this option is NOT selected, users who connect with Application Mode do not see the application in their list of applications.

Automatically Running Commands or Scripts

It is possible to configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode).

Note - The user must have the appropriate privileges on the endpoint machine to run the commands.

One example of how automatically running a command can be useful is to mount or unmount a network drive. Giving users access to network drives is a convenient way of providing access to internal resources. A drive can be mapped by configuring an application that invokes the Windows net use command.

Note - When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications.

For configuration details, see the "Native Applications for Client-Based Access" section.

It is possible to extend this ability by defining a dynamic add-on Downloaded-from-Gateway application that runs a script (batch file) containing a sequence of commands to execute on the endpoint machine. This script can be launched manually when the user clicks a link, or it can launch automatically after connecting to or disconnecting from SSL Network Extender.

For configuration details, see the "Native Applications for Client-Based Access" section.

How to Automatically Map and Unmap a Network Drive

A drive can be mapped by configuring an application that invokes the Windows "net use" command.

Note - The "net use" command is available for SSL Network Mode only.

To automatically map (mount) and unmap (unmount) a network drive, create a Native Application that automatically maps the network drive when SSL Network Extender is launched:

  1. Define a Native Application.

  2. In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access portal.

  3. Select Advanced > Edit.

    The Endpoint Applications - Advanced window opens.

  4. Click Add or Edit.

    The Edit Endpoint Application window opens.

  5. Configure the Edit Endpoint Application page as follows:

    • Already installed.

    • Path and executable name: net.exe

    • Parameters: use drive_letter: \\server name\share name

  6. Click Advanced.

  7. Check When SSL Network Extender is launched.

  8. Create another Native Application that automatically unmaps the network drive when SSL Network Extender is disconnected. Configure these settings in the Edit Endpoint Application page:

    • Already installed

    • Path and executable name: net.exe

    • Parameters: use /DELETE drive_letter:

  9. Click Advanced.

  10. Check When SSL Network Extender is disconnected.

  11. Click OK.

How to Automatically Run a Script (Batch File)

It is possible to define a new Downloaded-from-Gateway Endpoint Application (embedded application) that runs a script (batch file) automatically after connecting to or disconnecting from SSL Network Extender.

Protection Levels for Native Applications

You can define a protection level for each native application. Configure this in the Properties window of each native application in Additional Settings > Protection Level.

The options are:

  • This application relies on the security requirements of the gateway
    Rely on the Security Gateway security requirements. Users authorized to use the portal are also authorized to use this application. This is the default option.

  • This application has additional security requirements specific to the following protection level
    Associate the Protection Level with the application. Users must be compliant with the security requirement for this application in addition to the requirements for the portal.

Defining Protection Levels

Adding Downloaded-from-Gateway Endpoint Applications

You can add Downloaded-from-Gateway applications to Mobile Access, in addition to the built-in applications. This section explains how, and gives detailed examples.

Downloaded-from-Gateway Application Requirements

Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files).

Java applications have the following requirements:

  • Application must be packaged into a JAR file

  • The JVM of a version required by the application must be installed on the endpoint machine.

  • The application must have a Main class.

Single-executable applications have the following requirements:

  • Must not require installation.

  • Must be platform-specific for Windows, Linux or Mac OS.

Adding a New Application

To add a new Downloaded-from-Gateway application, first put the application in the relevant directory on the Security Gateway. Then use GuiDBedit Tool (see sk13009) to set its properties.

To add a new downloaded-from-gateway endpoint application:

  1. Compress your downloaded-from-gateway application file into CAB file with the same name as the original file but with a .cab extension.

    To compress a file into a CAB file, you can use the Microsoft Cabinet Tool cabarc.exe (which can be downloaded from the Microsoft Web site).

    For example:

    cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar

  2. Copy both your downloaded-from-gateway application file and the .cab file you created to the Security Gateway machine at:

    $CVPNDIR/htdocs/SNX/CSHELL

  3. Change the application file permissions to read, write and execute.

  4. Run the Check Point Database Tool - see sk13009.

  5. Log in to the Security Management Server.

  6. Select Table > Other > embedded_applications.

  7. In the right side pane, right-click and select New.

  8. In the Object field, enter a name for the new downloaded-from-gateway application.

  9. Specify the characteristics of the new downloaded-from-gateway application.

    • display_name - The application name, which will appear in the drop-down list of downloaded-from-gateway applications in SmartDashboard, in the Edit Endpoint Application window.

    • embedded_application_type - The type of downloaded-from-gateway application. Choose one of the options in the Valid Values list (java_applet, linux_executable, mac_executable, windows_executable).

    • file_name - The name of the file you placed in $CVPNDIR/htdocs/SNX/CSHELL (not the .cab version).

    • server_name_required_params - Indicate if the new downloaded-from-gateway application requires the server name to be configured in the Parameters field of the new downloaded-from-gateway application, in the SmartDashboard Edit Endpoint Application window.

    • pre_custom_params - Parameters concatenated before the server_name_required_params field. Usually used when configuring a new downloaded-from-gateway Java application. In that case, specify the Main Class name of the application.

    • post_custom_params - Parameters concatenated after the server_name_required_params field. Can be left blank.

    • type - Leave as embedded_application.

You can see and configure the new downloaded-from-gateway application in SmartDashboard, just as you do with the built-in downloaded-from-gateway applications. The downloaded-from-gateway applications appear in the Edit Network Application page of the Native Application object (Getting there: Native Application object > Endpoint applications page > Advanced: Edit > Add/Edit).
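A consistency check for the procedure above, as an added Python example (written for this page, not a Check Point tool): it validates an embedded_applications record against the field rules the guide gives (valid embedded_application_type values, file_name is the bare file name and not the .cab, a Java application carries its Main class in pre_custom_params, type stays embedded_application) and checks the staging directory for the application file, its same-named .cab, and owner read/write/execute permission. The demo() function stages constructed placeholder files in a temporary directory that stands in for $CVPNDIR/htdocs/SNX/CSHELL; the record contents are constructed.

```python
import os
import stat
import tempfile

# Values from the guide: the staging directory on the Security Gateway and the
# valid embedded_application_type choices.
CSHELL_DIR = "$CVPNDIR/htdocs/SNX/CSHELL"
VALID_TYPES = {"java_applet", "linux_executable", "mac_executable", "windows_executable"}
OWNER_RWX = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR


def check_record(record):
    """Problems with one embedded_applications record (an empty list means it is consistent)."""
    problems = []
    if record.get("type") != "embedded_application":
        problems.append("type must be left as embedded_application")
    app_type = record.get("embedded_application_type")
    if app_type not in VALID_TYPES:
        problems.append("embedded_application_type is not one of the valid values")
    name = record.get("file_name", "")
    if not name or name != os.path.basename(name) or name.lower().endswith(".cab"):
        problems.append("file_name must be the bare application file name, not a path and not the .cab")
    if app_type == "java_applet" and not record.get("pre_custom_params"):
        problems.append("a Java application needs its Main class in pre_custom_params")
    return problems


def check_staging(staging_dir, file_name):
    """The application file and its .cab must both be present, and the file must be owner rwx."""
    problems = []
    app = os.path.join(staging_dir, file_name)
    cab = os.path.join(staging_dir, os.path.splitext(file_name)[0] + ".cab")
    for path in (app, cab):
        if not os.path.isfile(path):
            problems.append(f"missing {os.path.basename(path)}")
    if os.path.isfile(app) and (os.stat(app).st_mode & OWNER_RWX) != OWNER_RWX:
        problems.append(f"{file_name} is not read, write and execute for its owner")
    return problems


# Constructed records: one consistent, one with two mistakes (file_name names the .cab,
# and the Java Main class is missing).
GOOD_RECORD = {"type": "embedded_application", "embedded_application_type": "java_applet",
               "file_name": "ssh2.jar", "server_name_required_params": True,
               "pre_custom_params": "ssh2.Main", "post_custom_params": ""}
BAD_RECORD = {"type": "embedded_application", "embedded_application_type": "java_applet",
              "file_name": "ssh2.cab", "server_name_required_params": True,
              "pre_custom_params": "", "post_custom_params": ""}


def demo():
    """Stage constructed files in a temporary directory standing in for CSHELL_DIR, then check them."""
    with tempfile.TemporaryDirectory() as staging:
        for name in ("ssh2.jar", "ssh2.cab", "WinSsh2.exe"):   # WinSsh2.cab deliberately left out
            with open(os.path.join(staging, name), "wb") as fh:
                fh.write(b"constructed placeholder content")
        os.chmod(os.path.join(staging, "ssh2.jar"), 0o700)
        os.chmod(os.path.join(staging, "WinSsh2.exe"), 0o600)
        return {"ssh2.jar": check_staging(staging, "ssh2.jar"),
                "WinSsh2.exe": check_staging(staging, "WinSsh2.exe")}
```

Run check_staging against the real CSHELL_DIR after step 3 of the procedure, and check_record against each new object before installing policy; a missing .cab or a file_name that points at the .cab is exactly the kind of mistake that only shows up later as a link that never appears in the portal.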

Example: Adding a New SSH Application

This example adds two applications to Mobile Access as new downloaded-from-Mobile Access applications:

  1. SSH2 Java application:

    • JAR file name: ssh2.jar

    • Main class name: ssh2.Main

    • The application gets its server name as a parameter.

    • Name in SmartDashboard: Jssh2 Client.

  2. SSH2 Windows executable:

    • Executable file name: WinSsh2.exe

    • The application gets its server name as parameter.

    • Name in SmartDashboard: Essh2 Client.

To add these applications:

  1. Compress the ssh2.jar and WinSsh2.exe application files into ssh2.cab and WinSsh2.cab

    # cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar

    # cabarc.exe -m LZX:20 -s 6144 N WinSsh2.cab WinSsh2.exe

  2. Assuming the IP address of the SSH2 server is 1.1.1.1, save the files ssh2.jar and WinSsh2.exe to $CVPNDIR/htdocs/SNX/CSHELL with the proper permissions.

  3. Put the application files in $CVPNDIR/htdocs/SNX/CSHELL with the proper permissions.

  4. Use GuiDBedit Tool (see sk13009) or dbedit (see sk13301) to configure the two new downloaded-from-Mobile Access applications.

When you configure one of these new downloaded-from-Mobile Access applications (Jssh2 Client and Essh2 Client) in SmartDashboard, the Parameters field will be: 1.1.1.1 (the SSH2 server IP in this example).
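How the Parameters field, the pre_custom_params / post_custom_params fields and the $$user variable (described in "Using the $$user Variable in Native Applications" above) fit together, as an added Python example written for this page; it is not the gateway's own launcher code. The EMBEDDED_APPS records are constructed from the Jssh2 Client and Essh2 Client values in this example, the concatenation order follows the field descriptions in the guide, the `java -cp <jar> <Main>` launch form is an assumption made here, and the SAFE_USER whitelist is an example policy added for the substitution, not a product setting.

```python
import re

USER_VARIABLE = "$$user"
# Login names allowed into a command line before substitution. This whitelist is an
# example policy added here (not a product setting): the expanded value ends up as a
# process argument on the endpoint, so it should carry no shell or quoting characters.
SAFE_USER = re.compile(r"^[A-Za-z0-9._-]+$")


def expand_user(text, user):
    """Replace $$user with the logged-in user name, e.g. '$$user.example.com' -> 'ethan.example.com'."""
    if not SAFE_USER.match(user):
        raise ValueError(f"user name is not safe to place in a command line: {user!r}")
    return text.replace(USER_VARIABLE, user)


# Constructed records using the embedded_applications field names from the guide,
# filled in with the Jssh2 Client / Essh2 Client values of this example.
EMBEDDED_APPS = {
    "Jssh2 Client": {"embedded_application_type": "java_applet", "file_name": "ssh2.jar",
                     "server_name_required_params": True, "pre_custom_params": "ssh2.Main",
                     "post_custom_params": ""},
    "Essh2 Client": {"embedded_application_type": "windows_executable", "file_name": "WinSsh2.exe",
                     "server_name_required_params": True, "pre_custom_params": "",
                     "post_custom_params": ""},
}


def assemble_parameters(app, parameters_field, user):
    """pre_custom_params, then the server name from the Parameters field, then post_custom_params."""
    parts = [app["pre_custom_params"]]
    if app["server_name_required_params"]:
        if not parameters_field.strip():
            raise ValueError("this application requires the server name in the Parameters field")
        parts.append(expand_user(parameters_field.strip(), user))
    parts.append(app["post_custom_params"])
    return " ".join(p for p in parts if p)


def launch_command(app, parameters_field, user):
    """Command line handed to the endpoint. The 'java -cp <jar> <Main>' form is an assumption."""
    args = assemble_parameters(app, parameters_field, user)
    if app["embedded_application_type"] == "java_applet":
        return f"java -cp {app['file_name']} {args}"
    return f"{app['file_name']} {args}".strip()
```

With Parameters set to 1.1.1.1 as in the example, the Java client is launched with its Main class first and the server address after it, while the Windows executable receives the address alone; the same expand_user call serves link text and tooltips, which the guide also allows to contain $$user.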

Example: Adding a New Microsoft Remote Desktop Profile

This example demonstrates how to configure Mobile Access to work with Microsoft Remote Desktop, with a predefined profile. It also shows how to configure the profile per user group.

Repeat for every new Microsoft Remote Desktop Connection.

Configuring Downloaded-from-Gateway Endpoint Applications

In the Endpoint Applications page of the Native Application object:

  1. Select Add link in the Mobile Access portal.

  2. Select Advanced > Edit.

    The Endpoint Applications - Advanced window opens.

  3. Click Add.

    The Edit Endpoint Application window opens.

  4. Select Downloaded-from-Gateway.

  5. From the Name drop-down list, select the applicable downloaded-from-gateway application.

  6. Specify the Parameters for the downloaded-from-Security Gateway application. The parameters field is used to pass additional information to the downloaded-from-gateway applications on the endpoint machine, and to configure the way they are launched.

    The $$user variable can be used here to dynamically change according to the login name of the currently logged in user.

    See the configuration sections below for details of the required parameters:

    Note - In the configuration sections for certified and add-on applications, below:

    • parameter is a compulsory parameter.

    • [parameter] is an optional parameter.

    • | indicates a required choice of one from many.

  7. Configure Native Applications for Client-Based Access.