Mobile Access and the Unified Access Policy

Overview of Mobile Access in the Unified Policy

When you include Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. in the Unified Policy, you configure all rules related to the Mobile Access Portal, Capsule Workspace, and on-demand clients in the Access Control Policy.

In the Access Control Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase., you can configure rules that:

  • Apply to all Mobile Access Security Gateways, or some of them.

  • Apply to one or more Mobile Access clients, such as the Mobile Access Portal or Capsule Workspace.

Mobile Access features such as Protection Levels, Secure Workspace, and Endpoint ComplianceClosed Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. also apply.

Note that when you use the Unified Access Policy, some Mobile Access features and settings are still configured in the SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. > Mobile Access tab.

Configuring Mobile Access in the Unified Policy

Creating Mobile Access Rules in the Unified Access Policy

Create Mobile Access rules in the Access Control Policy with these requirements:

Column

Value

Explanation

No

Make sure that the rule position is logical.

The order of rules in the Rule Base is important. The first rule that matches the traffic is enforced.

Name

All

We recommend that you use a descriptive name.

Source

Access Role

Create an Access Role that includes the Users, User Groups, or Mobile/Remote Access Client that the rule applies to. See the "Mobile Access and the Unified Access Policy" section.

Destination

The internal server on which the Mobile Access application is set.

Mobile Access Applications are defined in the Services & Applications column.

VPN

Any or a Remote Access Community that includes the Mobile Access Security Gateway

When you enable the Mobile Access or IPsec Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. on a Security Gateway, the Security Gateway is automatically added to the default RemoteAccess VPN Community. By default the community also contains a user group that contains all users. If you remove the Security Gateway from the VPN Community, you must select Any.

Services & Applications

Mobile Applications

Do not include applications or service objects that are not specified as Mobile Access.

To create a Mobile Application: Click > click > Mobile Applications > select an application type and define it.

To select an existing Mobile Application: Click > *All > Mobile Applications and select one.

Mobile Applications only show in the list if Mobile Access is enabled on the Layer

Content

Any

Content AwarenessClosed Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. Acronym: CTNT. is not relevant for Mobile Access rules.

Action

Accept or Drop

Only Accept and Drop are supported. Reject is also supported but acts the same as Drop. You can also select Inline Layer to send all traffic that matches the rule to a "Mobile Access and the Unified Access Policy".

Track

All log options

Right-click in the cell and select More > Extended log

Install On

One or more Security Gateways

Each Security Gateway must have Mobile Access and Identity Awareness enabled and have Unified Access Policy selected as the Policy Source.

Mobile Access Applications in the Unified Access Policy

To use a Mobile Access application in the Unified Access Policy, you must define it as a Mobile Application from the SmartConsole or define it in the in SmartDashboard > Mobile Access tab.

Other application objects, such as URL FilteringClosed Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. applications, are not relevant for Mobile Access. For example: To authorize Facebook as a web application in Mobile Access, you must create a new Web Application and specify Facebook's URL. You cannot use the URL Filtering Facebook application, because it is not for Mobile Access.

Creating Mobile Applications for the Access Control Policy

To create a Mobile Application object to use in the Access Control Policy:

  1. In SmartConsole, expand the Objects pane.

  2. Select New > More > Custom Application/Site > Mobile Application.

  3. Select a type of Mobile Application.

  4. Define the General Properties and Authorized Locations.

  5. Optional: Define more settings for the Application.

  6. Click OK.

Access Roles for Remote Access

Create a rule in the Access Control Rule Base that handles remote access connections.

  1. Go to Security Policies and right-click the cell in the VPN column.

  2. Select Specific VPN Communities.

  3. Choose the community and click .

  4. Close the VPN community window.

  5. Define Services & Applications and Actions columns.

  6. Install the policy.

Example:

To allow remote access users to access the organization's SMTP server, called SMTP_SRV, create the following rule:

Source

Destination

VPN

Service

Action

Track

Any

SMTP_SRV

Remote_Access_Community

SMTP

Accept

Log

Including Mobile Access in the Unified Policy

After you configure rules for Mobile Access in the Unified Access Policy, configure the Security Gateway to use the Unified Access Policy.

To make an R80.x Mobile Access Security Gateway use the Unified Access Policy:

  1. In SmartConsole, click Gateways & Servers and double-click the Mobile Access Security Gateway object.

  2. From the tree, select Mobile Access.

  3. In the Policy Source area, select Unified Access Policy.

  4. Click OK.

  5. Install policy.

Enabling Access Control Features on a Layer

To enable Mobile Access on an Ordered Layer:

  1. In SmartConsole, click Security Policies.

  2. Under Access Control, right-click Policy and select Edit Policy.

  3. Click options for the Layer.

  4. Click Edit Layer.

    The Layer Editor window opens and shows the General view.

  5. Select Mobile Access.

  6. Click OK.

To enable Mobile Access on an Inline Layer:

  1. In SmartConsole, click Security Policies.

  2. Select the Ordered Layer.

  3. In the parent rule of the Inline Layer, right-click the Action column, and select Inline Layer > Edit Layer.

  4. Select Mobile Access.

  5. Click OK.

Best Practices for Mobile Access in the Unified Policy

When you include Mobile Access in the Unified Access Policy, these are some factors that you need to be aware of:

  • How to use layers

  • How the content of rules affects your policy

  • How rule order can affect your policy

Best Practices with Layers

We recommend that you make an Inline Layer for Mobile Access rules, to easily manage the Mobile Access policy.

To use an Inline Layer effectively, define a parent rule in the main layer. The parent rule matches all Mobile Access traffic and sends the traffic to the Inline Layer. It requires an Access Role that includes all Mobile Access client types or traffic in the Source column.

When a rule contains Inline Layer in the Action column, an Inline Layer is automatically created below it and it becomes a parent rule.

No

Name

Source

Destination

VPN

Services & Applications

Action

Track

1

Network rules

My_network

GW

Any

Any

Accept

Log

2

Mobile Access Inline Layer Entry Point

All Mobile Access traffic

Any

Any

Any

Mobile Access Inline Layer

Extended Log

2.1

Capsule Workspace rule

Capsule Workspace traffic

Any

Any

Business Mail
Corporate
Ordering

Accept

Extended Log

2.2

Special access rule

Managers

Any

Any

Internal App

Accept

Extended Log

2.3

Mobile Access Inline Layer Cleanup rule

Any

Any

Any

Any

Drop

Extended Log

3

Cleanup rule

Any

Any

Any

Any

Drop

Log

To make a rule that sends all Mobile Access traffic to a Mobile Access Inline Layer:

  1. From the Source column of a rule in the Access Control Policy, create a new Access Role that includes all Mobile Access client types:

    1. In the New Access Role window, click Remote Access Clients.

    2. Select Specific Client and create a New > Allowed Client for all Mobile Access Portals or clients that are used in your environment. These can include: Capsule Workspace, Mobile Access Portal, ActiveSync, and SSL Network Extender.

  2. Make sure the VPN column contains Any or the RemoteAccess VPN Community that contains your Mobile Access Security Gateways.

  3. In the Action column, select Inline Layer > New Layer.

  4. In the Layer Editor:

    • Enter a name for the layer, such as Mobile Access Inline Layer.

    • In the Blades area, select Mobile Access.

    • Optional: To use this Mobile Access Inline Layer in multiple policies, in the Sharing area, click Multiple policies and rules can use this layer.

To configure rules in the Inline Layer:

  1. Click the Cleanup rule in the Inline Layer that was created automatically and the click the Add Rule Above icon.

  2. Configure rules for the Mobile Access policy as required. See the "Mobile Access and the Unified Access Policy" section.

  3. Make sure that the Cleanup rule stays at the end of the layer and that the Action is Drop.

  4. Right-click in the Track cell and select More > Extended log.

Mobile Access with Ordered Layers

If you work with Ordered Layers, you can configure a Mobile Access Inline Layer in any Ordered Layer.

Make sure to create a bypass rule for Mobile Access traffic in all layers that come before the Mobile Access layer. For example, if your Mobile Access Inline Layer is in the third layer, you must create a bypass rule in the first and second Ordered Layers.

The bypass rule matches the Mobile Access traffic in the layer and allows the traffic. The traffic then moves to the next layer, until it gets to the Mobile Access Inline Layer.

To create a bypass rule, use the Access Role for all Mobile Access users in the Source column and Accept in the Action column.

Best Practices for Rules

  • Do not use a Security Gateway as the Destination in a Mobile Access rule. The rules authorize a user's access to an internal resource. Use Any or the internal hosts of relevant applications in the Destination column.

  • Do not use Any in the Services & Applications column. To make an application show in the Mobile Access Portal or Capsule Workspace, it must be Mobile Access application object that is used explicitly in the Rule Base.

    If you do use Any to represent all Mobile Access applications, configured Mobile Access applications are authorized, but they do not show in the portal or Capsule Workspace. Users can enter the URL of the App in the Address field of the Mobile Access Portal.

    To change the behavior when Any is used to represent Mobile Access applications, see sk112576.

Best Practices for Rule Order

In the Unified Access Policy, put Mobile Access rules that authorize applications above rules that contain a related service. For example, put a rule to allow a web application above a rule that allows or blocks HTTP/HTTPS. If the HTTP/HTTPS rule is first, the user will not see the Mobile Access Web application in the portal or in Capsule Workspace and will not be able to access it.

For example, this Rule Base allows Outlook Web Access (OWA), a web-based Mobile Access application. It also allows HTTPS traffic:

Correct way to allow the HTTPS service and also Mobile Access HTTPS applications:

No

Name

Source

Destination

Services & Applications

Action

Track

1

Network rule

My_network

GW_1

Any

Accept

Log

2

Mobile Access Inline Layer

All Mobile Access traffic

Any

Any

Mobile Access Inline Layer

Log

2.1

Mobile Access applications

All Mobile Access traffic

Any

Internal App

OWA

Business Mail

Accept

 

Log

2.2

Cleanup rule

Any

Any

Any

Drop

Log

3

Allow HTTPS

Any

Any

https

Accept

Log

4

Cleanup rule

Any

Any

Any

Drop

None

Rule 2.1, that allows access to Mobile Access applications, including Outlook Web Access (OWA) on HTTPS, is above rule 3, which allows all HTTPS traffic.

If you put rule 3 to allow HTTPS above the Mobile Access rules, the user will not see the OWA Web application in the portal or in Capsule Workspace and will not be able to access it. To authorize a Mobile Access application, you must use a Mobile Access application in the Services & Applications column.

You can use HTTPS in the parent rule of the Mobile Access Inline Layer, but specify the Mobile Access application inside the Inline Layer. That way, the HTTPS traffic for OWA, for example, will match on the HTTPS rule, and will also match on the OWA App inside the Inline Layer.

Native Applications

In this scenario with a Native application:

  • The Native application is in an Inline Layer in the rule base.

  • And the Native application configuration includes Any in the Authorized Locations tab.

Then the parent rule of the Inline Layer must include one of these in the Services & Applications column:

  • Any service

  • HTTPS service

  • The Native Application

Mobile Access Behavior in the Rule Base

  • In a policy with Policy Layers, for the traffic to be approved, it needs to be accepted in all layers. It is only authorized when accepted in the last layer. The policy keeps going to the next layer until the Mobile Access traffic is matched with a Drop rule or it is accepted in all layers.

  • In Inline Layers, like in multi-layered policies: Mobile Access is matched on the Inline Layer parent rule and then on the inner rule inside the Inline Layer. The matched application for Mobile Access is taken from the last rule matched with a Mobile Access application. If the matched rule inside the Inline Layer has no Mobile Access application, the policy looks for a Mobile Access application in the parent rule of the Inline Layer.

Limitations for Mobile Access in the Unified Policy

  • Mobile Access cannot work with Content Awareness or URL Filtering. Do not use Content Awareness or URL Filtering objects in rules with Mobile Access.

  • These limitation apply for Access Roles in Mobile Access rules in the Unified Access Policy:

    • In the Source column - Access Roles can include Networks, Users, and Remote Access Clients.

    • In the Destination column - Access Roles can include Networks and Users.

  • The Native Applications Connect button always shows in the Mobile Access Portal when SSL Network Extender is enabled.

  • If users do not meet the defined Protection Level requirements for an application, the application does not show for them. This is true in the Mobile Access Portal and Capsule Workspace. (In the Legacy Mobile Access policy, the applications show but are disabled).

  • If the Mobile Access Security Gateway was removed from the RemoteAccess VPN Community, the VPN column must contain Any.

  • If you configure Unified Policy, you must include the authorized location (the range of IP addresses) for each application inside the encryption domain for remote access.

    Note - The range of IP addresses for an application must not overlap with the range for another application. Users with access to the first application have access to other applications within the same range.