The Mobile Access Portal
Security Gateway Portals
The Security Gateway runs different web-based portals over HTTPS:
- Gaia Portal
- DLP portal
- SSL Network Extender portal
- Reverse Proxy SSL portal
- Reverse Proxy Clear portal
- UserCheck portal
- Endpoint Security portals (CCC)
All of these portals can resolve HTTPS hosts to IPv4 and IPv6 addresses over port 443.
These portals (and HTTPS Inspection) support the latest versions of the TLS protocol. In addition to SSLv3 and TLS 1.0 (RFC 2246), the Security Gateway supports TLS 1.1 and TLS 1.2.
Support for TLS 1.1 and TLS 1.2 is enabled by default, but can be disabled in SmartDashboard (for the web-based portals) or in Database Tool (GuiDBEdit Tool) (see sk13009) (for HTTPS Inspection).
To configure TLS protocol support for portals:
- In SmartDashboard, open Global Properties > SmartDashboard Customization.
- In the Advanced Configuration section, click Configure.
  The Advanced Configuration window opens.
- On the Portal Properties page, set the minimum and maximum versions for the SSL and TLS protocols.
To configure TLS protocol support for HTTPS Inspection:
- In Database Tool (GuiDBEdit Tool), on the Tables tab, select Other > ssl_inspection.
- In the Objects column, select general_confs_obj.
- In the Fields column, select the minimum and maximum TLS version values in these fields:
  - ssl_max_ver (default = TLS 1.2)
  - ssl_min_ver (default = SSLv3)
Note - With the default ssl_min_ver of SSLv3, clients can still negotiate SSLv3 and TLS 1.0, which are deprecated protocols. Raise the minimum version in line with your organization's TLS policy and verify that older clients still connect.
Portal Settings
Each Mobile Access-enabled Security Gateway leads to its own Mobile Access user portal. Remote users log in to the portal using an authentication scheme configured for that Security Gateway.
Portal URL
Remote users access the portal from a Web browser with https://<Gateway_IP>/sslvpn, where <Gateway_IP> is one of these:
- FQDN that resolves to the IP address of the Security Gateway
- IP address of the Security Gateway
Remote users that use HTTP are automatically redirected to the portal using HTTPS.
Note - If Hostname Translation is the method for link translation, FQDN is required.
Set up the URL for the first time in the Mobile Access First Time Wizard.
To change the Mobile Access Portal URL:
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  The Security Gateway window opens and shows the General Properties page.
- From the navigation tree, click Mobile Access > Portal Settings.
- Change the Main URL.
- Optional: Click the Aliases button to add URL aliases that are redirected to the main portal URL. For example, portal.example.com can send users to the portal. To make the alias work, it must resolve to the main URL on your DNS server.
- Install policy.
Portal Certificate
If you do not import a certificate, the portal uses a Check Point auto-generated certificate. This might cause browser warnings if the browser does not recognize the Security Gateway's Management Server. All portals on the same IP address use the same certificate.
To configure the portal certificate:
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  The Security Gateway window opens and shows the General Properties page.
- From the navigation tree, click Mobile Access > Portal Settings.
- Click Import to import a PKCS#12 (.p12) certificate for the portal website to use.
- Click OK.
- Install policy.
Portal Accessibility Settings
Configure from where users access the Mobile Access Portal. The options are based on the topology configured for the Security Gateway.
To configure the accessibility settings for the portal:
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  The Security Gateway window opens and shows the General Properties page.
- From the navigation tree, click Mobile Access > Portal Settings.
- In the Accessibility area, click Edit and select one of these options:
  - Through all interfaces
  - Through internal interfaces
    - Including undefined internal interfaces
    - Including DMZ internal interfaces
    - Including VPN encrypted interfaces - interfaces used for establishing route-based VPN tunnels (VTIs)
  - According to the Firewall policy - select this if there is a rule that states who can access the portal.
- Install policy.
Portal Customization
To customize the Mobile Access end user portal:
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
  The Security Gateway window opens and shows the General Properties page.
- From the navigation tree, click Mobile Access > Portal Customization.
  The Portal Customization page opens.
- Configure the settings on this page.
- Install the policy.
Localization Features
Mobile Access localizes the user interface of the Mobile Access user portal and the Secure Workspace to multiple languages.
The Mobile Access user portal and the Secure Workspace can be configured for each Security Gateway, in the Portal Settings > Portal Customization page, to use these languages:
- English (the default language)
- Bulgarian
- Chinese - Simplified
- Chinese - Traditional
- Finnish
- French
- German
- Italian
- Japanese
- Polish
- Romanian
- Russian
- Spanish
Auto Detection of User Language Preferences
Automatic language detection is an optional feature that gives priority to the language settings in the user's browser over the language chosen by the administrator.
Automatic language detection is activated by configuring the CVPN_PORTAL_LANGUAGE_AUTO_DETECT flag in the Main.virtualhost.conf file on Mobile Access.
By default, the language preference in the user's browser is not automatically detected. If automatic detection is configured, the portal uses the first language supported by Mobile Access that is found in the Language Preference list defined in the user's browser settings. If no supported language is found in that list, the language set by the administrator in SmartDashboard is used.
To activate automatic language detection, perform the following steps on each cluster member:
- Open an SSH connection to Mobile Access, or connect to it via a console.
- Log in to Mobile Access using your administrator user name and password.
- Change to the Expert mode by typing expert and supplying the password.
- Edit the $CVPNDIR/conf/includes/Main.virtualhost.conf file, and change the following line from:
  SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 0
  to:
  SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 1
- Run the command: cvpnrestart
Language Selection by End Users
Any explicit language selection by the user in any of the portal pages overrides both the administrator's default language setting, and the automatic language detection.
Users can select a language in the user portal sign-in page, in the Change Language To field.
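How the three language sources described above fit together, as an added example that is not Check Point's code: it models the precedence the text describes (explicit user selection, then the browser's preference list when CVPN_PORTAL_LANGUAGE_AUTO_DETECT is 1, then the administrator's setting) using the browser's Accept-Language header. The language tags and the header handling are assumptions of the example; the supported language names are the ones listed above.

```python
import re

# Languages Mobile Access can display (from the list above); the tags used to
# match browser preferences are an assumption of this example.
SUPPORTED = {
    "en": "English", "bg": "Bulgarian", "zh-cn": "Chinese - Simplified",
    "zh-tw": "Chinese - Traditional", "fi": "Finnish", "fr": "French",
    "de": "German", "it": "Italian", "ja": "Japanese", "pl": "Polish",
    "ro": "Romanian", "ru": "Russian", "es": "Spanish",
}

_ENTRY = re.compile(r"^([A-Za-z0-9-]+|\*)(?:\s*;\s*q=([01](?:\.\d{0,3})?))?$")

def parse_accept_language(header):
    """Language tags from an Accept-Language header, highest q-value first.
    Ties keep header order; q=0 and malformed entries are ignored."""
    ranked = []
    for pos, part in enumerate(header.split(",")):
        m = _ENTRY.match(part.strip())
        if not m:
            continue  # a bad entry must not break sign-in for the user
        q = float(m.group(2)) if m.group(2) else 1.0
        if q > 0:
            ranked.append((-q, pos, m.group(1).lower()))
    return [tag for _, _, tag in sorted(ranked)]

def first_supported(tags):
    """First browser tag Mobile Access supports: exact tag (zh-cn) first,
    then the primary subtag (fr-ca -> fr). None if nothing matches."""
    for tag in tags:
        if tag in SUPPORTED:
            return tag
        primary = tag.split("-")[0]
        if primary in SUPPORTED:
            return primary
    return None

def portal_language(admin_default, auto_detect, accept_language="", user_choice=None):
    """Resolve the portal UI language in the documented order of precedence:
    explicit user selection, then browser preference when the
    CVPN_PORTAL_LANGUAGE_AUTO_DETECT flag is 1, then the administrator's default."""
    if user_choice in SUPPORTED:
        return user_choice
    if auto_detect == 1:
        found = first_supported(parse_accept_language(accept_language))
        if found:
            return found
    return admin_default
```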
Alternative Portal Configuration
Note - There should be a Mobile Access policy rule that includes the alternative portal as a Web application and allows its intended users to access it.
To specify an alternative user portal:
- In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
  SmartDashboard opens and shows the Mobile Access tab.
- From the navigation tree, click Portal Settings > Alternative Portal.
- Click Add.
  The Mobile Access Sign-In Home Page window opens.
- In the User Groups tab, specify the user groups that may access the alternative user portal.
- In the Install On tab, specify the Mobile Access Security Gateways and Clusters that host the alternative portal.
- In the Sign-In Home Page tab, choose an alternative portal for users, in place of the Mobile Access user portal that users reach by default. URL is the location of the alternative user portal for the user group(s) specified in the User Groups tab.
  When a user belongs to more than one group, the table in the Alternative Portal page acts as an ordered rule base. Users are directed to the alternative portal of the first group that they are part of.
- Click OK.
- Click Save and then close SmartDashboard.
- In SmartConsole, install policy.
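The first-match behaviour of the Alternative Portal table, as an added example that is not Check Point's code: the groups, gateways and URLs are constructed sample data, and the second function goes beyond the text by flagging rules that an earlier rule shadows, which is the usual cause of users landing on the wrong portal.

```python
# Added example, not Check Point code. Groups, gateways and URLs are constructed.
DEFAULT_PORTAL = "https://vpn.example.com/sslvpn"  # assumed Main URL of the gateway

# Ordered Alternative Portal table: (User Groups, Install On, Sign-In Home Page URL)
RULES = [
    ({"contractors"}, {"gw-dmz"}, "https://vpn.example.com/contractor-home"),
    ({"finance", "hr"}, {"gw-dmz", "gw-branch"}, "https://intranet.example.com/staff"),
    ({"employees"}, {"gw-branch"}, "https://intranet.example.com/home"),
]

def sign_in_page(user_groups, gateway, rules=RULES, default=DEFAULT_PORTAL):
    """URL a user is sent to after sign-in. Rules are evaluated top down; the
    first rule installed on this gateway whose User Groups intersect the user's
    groups wins, and a user who matches no rule gets the default portal."""
    member_of = set(user_groups)
    for groups, install_on, url in rules:
        if gateway in install_on and groups & member_of:
            return url
    return default

def shadowed_rules(rules):
    """Indices of rules that can never match: every (group, gateway) pair they
    cover is already matched by an earlier rule, so the table needs reordering."""
    covered, shadowed = set(), []
    for idx, (groups, install_on, _) in enumerate(rules):
        pairs = {(g, gw) for g in groups for gw in install_on}
        if pairs <= covered:
            shadowed.append(idx)
        covered |= pairs
    return shadowed
```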
User Workflow for Mobile Access Portal
The user workflow includes these steps:
- Sign in and select the portal language.
- On first-time use, if you will use SSL Network Extender to access native applications, install the ActiveX and Java components.
- Initial setup.
- Access applications.
Signing In
In a browser, type in the URL assigned by the system administrator for the Mobile Access Security Gateway.
Best Practice - Some popup blockers can interfere with aspects of portal functionality. Tell users to configure popup blockers to allow pop-ups from Mobile Access.
If the administrator configured Secure Workspace to be optional, users can choose to select it on the sign-in page.
Users enter their authentication credentials and click Sign In. Before Mobile Access gives access to the applications on the LAN, the credentials of remote users are validated. Mobile Access authenticates users through its own internal database, LDAP, RADIUS, or RSA Authentication Manager. After remote users are authenticated and associated with Mobile Access groups, they are given access to corporate applications.
Note - If the Endpoint Compliance Scanner is enabled, users' computers might be scanned before they can access the Mobile Access Sign In page. This is to make sure that credentials are not compromised by third-party malicious software.
First Time Installation of ActiveX and Java Components
Some Mobile Access components, such as the Endpoint Compliance Scanner, Secure Workspace and SSL Network Extender, require either an ActiveX component (for Windows machines with Internet Explorer) or a Java component to be installed on the endpoint machine.
When one of these components is used for the first time on an endpoint machine with Windows and Internet Explorer, Mobile Access tries to install it using ActiveX. However, Internet Explorer may block the ActiveX installation because the user does not have Power User privileges, or display a yellow bar at the top of the page asking the user to explicitly allow the installation. The user is then instructed to click the yellow bar or, if that does not work, to follow a dedicated link that installs the required component using Java.
After the first of these components is installed, any other components are installed in the same way. For example, if the Endpoint Compliance Scanner was installed using Java on Internet Explorer, Secure Workspace and SSL Network Extender are also installed using Java.
For general information about the Mobile Access Portal and Java compatibility see sk113410.
Note - To install using ActiveX after a component was installed using Java, delete the browser cookies.
Initial Setup
The user may be required to configure certain settings, such as application credentials. In addition, the user can define additional favorites for commonly used applications.
Accessing Applications
After the remote users have logged onto the Mobile Access Security Gateway, they are presented with a portal. The user portal enables access to the internal applications that the administrator has configured as available from within the organization, and that the user is authorized to use.