Endpoint Security on Demand

Endpoint Compliance Enforcement

The Check Point Endpoint Security on Demand scanner enforces endpoint compliance by scanning the endpoint to see if it complies with a pre-defined endpoint compliance policy. For example, an endpoint compliance policy can make sure that the endpoint client has updated Anti-Virus software and an active Firewall. If the endpoint is compliant with the endpoint compliance policy, the user is allowed to access the portal.

By ensuring that endpoints comply with a security policy, Endpoint Security on Demand protects enterprises from threats emanating from unsecured endpoint computers that can result in data loss and excessive bandwidth consumption.

The endpoint compliance policy is made up of rules. A policy can specify, for example, that the endpoint machine must have an approved Anti-Virus application, and that it must be free of spyware. A policy could also specify that a machine must be managed by the organization in order to gain full access to internal data and applications.

On Security Gateways, a combination of an Endpoint Compliance Policy and a Secure Workspace Policy can enforce the following policy: any client connecting to the Security Gateway from a machine that is not managed by the organization, or that does not meet a specific enforcement policy, must use Check Point Secure Workspace. This ensures that no unauthorized information is accessed.

Endpoint Compliance Policy Granularity

The administrators can make compliance with a policy a requirement for accessing either the portal or specific applications. This makes it possible to assign varying levels of security clearance to the portal and to Mobile Access applications.

Endpoint Compliance policies can be assigned to Mobile Access Security Gateways. They can also be assigned to Protection Levels, which are in turn associated with Mobile Access applications.

  • If an Endpoint Compliance policy is assigned to a Security Gateway, endpoint machines must comply with the policy before they are allowed to log in to the portal.

  • If an endpoint machine does not comply with the Endpoint Compliance policy on a Security Gateway, users can be required to use Check Point Secure Workspace.

  • To provide additional protection to an application, it is possible to "harden" the Endpoint Compliance protection that is enforced by the Security Gateway by assigning an Endpoint Compliance policy to a Protection Level, and then assigning that Protection Level to an application.

    To access that application, the endpoint machine must comply with the policy associated with the Protection Level, in addition to the policy associated with the Security Gateway.

In either case, the scan takes place before logging in to the portal. Only one scan is performed. Compliance to policies is determined according to the results of the scan.

Endpoint Compliance Policy Rule Types

There are different types of Endpoint Compliance policy rules, for different types of security applications. It is possible to have multiple rules of the same type, each with different settings.

Windows Security Rule

Windows security rules perform Windows-specific checks. For example:

  • Check for the latest Windows Service Pack on endpoint.

  • Check the enabled/disabled state of the built-in Microsoft Windows Automatic Updates system.

  • Check for Microsoft Windows Hotfixes and patches on the endpoint.

  • Enforce Windows patches by their ID.

Endpoint computers running Windows must pass these checks in order to gain access to the network.

At least one of the Hotfixes in the rule must be present on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Anti-Spyware Application Rule

Choose which Anti-Spyware applications endpoint computers (on the Windows platform) must have to gain access to the network.

Ensure that appropriate Anti-Spyware software is running on endpoint computers, and that the software version and virus signature files are up-to-date.

At least one of the Anti-Spyware applications in the rule must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal.

For convenience, Anti-Spyware enforcement rules are pre-configured with supported Anti-Spyware providers. To require a non-supported Anti-Spyware provider, use a custom check rule.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Anti-Virus Application Rule

Choose which Anti-Virus applications the endpoint computer must have in order to gain access to the network.

Ensure that appropriate Anti-Virus software is running on endpoint computers, and that the software version and virus signature files are up-to-date.

At least one of the Anti-Virus applications in the rule must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal.

For convenience, Anti-Virus enforcement rules are pre-configured with supported Anti-Virus providers. To require a non-supported anti-virus provider, use a custom check rule.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Firewall Application Rule

Choose which personal Firewall applications endpoint computers (on Windows, Linux or Macintosh platforms) must have to gain access to your network.

Ensure that appropriate Firewall software is installed, enabled and running on endpoint computers.

At least one of the Firewall applications in the rule must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal.

For convenience, Firewall enforcement rules are pre-configured with supported Firewall providers. To require a non-supported Firewall provider, use a custom check rule.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Custom Check Rule

Perform custom checks on endpoint computers (on the Windows, Linux or Macintosh platforms) that are not covered by any of the other rule types. For example:

  • Custom applications. These applications may include proprietary spyware scanners that supplement the predefined types and/or other special security solutions.

  • Specific files.

  • Registry keys or processes running on the endpoint computer.

  • Non-English or localized names of processes and files.

Custom check rules can be configured to check for specific versions and modification dates.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule, and the error message that is presented to users in the event of non-compliance, such as remediation information.

OR Group of Rules

An "OR Group of Rules" rule includes a list of previously defined rules. An endpoint satisfies a rule of type "OR Group of Rules" if it satisfies one or more of the rules included in the "OR Group of Rules" rule.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Spyware Scan Rule

Select the action that should take place for each type of spyware present on endpoint computers. You can change the protections for types of spyware threats.

Spyware Type              | Description
--------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------
Dialer                    | Software that changes the user's dial-up connection settings so that instead of connecting to a local Internet Service Provider, the user connects to a different network, usually a toll number or international phone number.
Worm                      | Programs that replicate over a network for the purpose of disrupting communications or damaging software or data.
Keystroke Logger          | Programs that record user input activity (keystrokes or mouse activity). Some keystroke loggers transmit the recorded information to third parties.
Hacker Tool               | Tools that facilitate unauthorized access to a computer and/or extraction of data from a computer.
Remote Administration Tool| Commercially developed software that allows remote system access and control.
Trojan                    | Malicious programs that masquerade as harmless applications.
Adware                    | Programs that display advertisements or record information about Web use habits and forward it to marketers or advertisers without the user's authorization or knowledge.
Other                     | Any unsolicited software that secretly performs undesirable actions on a user's computer and does not fit any of the above descriptions.
Screen Logger             | Software that records what a user's monitor displays.
Tracking Cookie           | Cookies that are used to deliver information about the user's Internet activity to marketers.
Browser Plug-in           | Software that modifies or adds browser functionality. Browser plug-ins change the default search page to a pay-per-search site, change the user's home page, or transmit the browser history to a third party.

Endpoint Security on Demand. For example, you can allow a signature that is recognized as spyware by Mobile Access but which you consider legitimate.

In the rule, set the action to take if an endpoint computer fails to comply. Set the error message that users see in the event of non-compliance, such as remediation information.

Endpoint Compliance Logs

If the end user machine is not compliant with one or more of the Endpoint Compliance policy rules, Mobile Access generates Endpoint Compliance-specific logs with the category "Endpoint Security on Demand". The log entries appear in SmartLog, and include the:

  1. Rule ID and name that causes the authorization failure.

  2. Policies that this rule belongs to.

  3. A description in the "info" field of the log. Two logging levels are available to the administrator (for configuration details, see the "Configuring Endpoint Compliance Logs" section):

    Note - Mobile Access logs non-compliant rules from all policies, not only the Endpoint Compliance policy that is assigned to the Security Gateway or to an application. This means that there may be entries in SmartLog for rules that do not appear in the report presented to the end user.

    • Summary: Only one log entry per scan is written to SmartLog. The log entry shows endpoints that do not comply with the Endpoint Compliance policy. The date and time of the scan, the source IP, and the Endpoint Compliance scan ID are logged.

    • Details: In addition to the Summary mode information, this adds a log entry for each non-compliant rule. For example, in the case of a Spyware Scan rule that screens for tracking cookies, a log entry is generated that contains the following fields:

      • Malware name: unwantedexample.

      • Malware type: 3rd party cookie.

      • Description: symptom type: URL. Symptom value: cookie:bob@unwantedexample.net.

Configuring Endpoint Compliance

The workflow for configuring Endpoint Compliance enforcement is below. Each step is described in detail in the sections that follow:

  1. Plan the Endpoint Compliance Policy

    Decide on security clearance levels for Mobile Access Portals and applications. For example, is it OK for users to gain access to all Mobile Access applications as long as they comply with a single policy? If some resources are more sensitive than others, you may wish to draw up a more stringent policy for some applications than for others.

  2. Use the ICSInfo Tool

    Set up a stand-alone test computer with all the endpoint security applications you want to create enforcement rules for, and then run the ICSinfo tool to obtain the information needed to correctly define Endpoint Compliance policy rules.

  3. Create Endpoint Compliance Policies

    Policies are made up of rules. In order to comply with the policy, endpoints must comply with all rules in the policy. Rules can be used in more than one policy. Rules that are not in a policy are not used.

    There are different types of rules for different security applications. The Endpoint Compliance policy configuration tool comes with a number of predefined rules which can be edited to match the needs of the organization.

  4. Configure Endpoint Compliance Settings for Applications and Gateways

    Configure which Endpoint Compliance Policies should be assigned to which applications and Security Gateways.

    • To make access to the portal conditional on passing an Endpoint Compliance scan, assign a policy to a Security Gateway.

    • To make access to applications conditional on passing an Endpoint Compliance scan:

      • Assign a policy to a Protection Level.

      • Assign Protection Levels to Mobile Access applications.

  5. Complete the Endpoint Compliance Configuration

    Configure tracking options for the endpoint scan results, then save and install the security policy.

Planning the Endpoint Compliance Policy

Defining the Endpoint Compliance policy for Mobile Access clients involves some planning, prior to performing the SmartDashboard configuration.

You need to define security clearance levels for both the Mobile Access Portal (that is, the Security Gateway) and the portal applications. There are various approaches, and the best one to use depends on how granular you need to make the policy.

Basic Approach:

The simplest approach is to define a single Endpoint Compliance policy for the Security Gateway and all applications accessed via the Security Gateway. In this approach, all applications accessed via the Security Gateway are protected by the Endpoint Compliance policy of the Security Gateway. Users whose client machines comply with the policy have access to the portal and all applications.

For example:

Resource           | Endpoint Compliance Policy
-------------------|-------------------------------------
Security Gateway A | Low Security
Web App P          | Rely on Security Gateway requirements
Web App Q          | Rely on Security Gateway requirements
File Share R       | Rely on Security Gateway requirements

Advanced Approach:

A more advanced approach is appropriate if there is one application (or a small number of applications) that has stricter security requirements than other applications. These additional requirements are specified in a separate Endpoint Compliance policy, which is enforced in addition to the Security Gateway policy. To access the Mobile Access Portal, all users must fulfill the threshold security requirements of the Security Gateway policy. Users clicking a link in the portal to an application with additional security requirements are only allowed access to the application if they fulfill those additional requirements.

For example:

Resource           | Endpoint Compliance Policy
-------------------|-------------------------------------
Security Gateway A | Low Security
Web App P          | Rely on Security Gateway requirements
Web App Q          | High Security
File Share R       | Rely on Security Gateway requirements

Very Advanced Approach:

Where most or every application has its own endpoint security requirements, it is possible to define an individual Endpoint Compliance policy for each application. In this scenario, there are no Security Gateway security requirements: All users are able to access the portal. However, when clicking a link to an application, users are only allowed access if they fulfill the requirements for that application. If no requirements are configured for the application, users are allowed to access it.

For example:

Resource           | Endpoint Compliance Policy
-------------------|---------------------------
Security Gateway A | None
Web App P          | Low Security
Web App Q          | High Security
File Share R       | Medium Security

Example Rules for Endpoint Compliance Policies

The following table illustrates Endpoint Compliance policies with different rules, for different security requirements.

Rule | Description                   | High Security Endpoint Compliance Policy | Medium Security Endpoint Compliance Policy | Low Security Endpoint Compliance Policy
-----|-------------------------------|------------------------------------------|--------------------------------------------|----------------------------------------
1    | Default Windows Security rule | Yes                                      | Yes                                        | No
2    | Anti-Virus applications check | Yes                                      | Yes                                        | Yes
3    | Firewall applications check   | Yes                                      | Yes                                        | Yes
4    | Spyware Scan rule             | Yes                                      | No                                         | No
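To make the decision logic of the sections above concrete, here is an added Python model (written for this page, not Check Point code) that composes the rule semantics as described: a policy passes only if every rule in it passes, an application rule passes when at least one listed application is active, an "OR Group of Rules" passes when any member passes, and an application is reachable only when both the Security Gateway threshold policy and the Protection Level policy (if any) are met. The rule, policy, application and hotfix names are constructed; treating the Spyware Scan rule as failed on any detected signature not on its exception list, and the handling of the "Bypass malware scan" option, are simplifying assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

APP_RULE_KINDS = ("antivirus", "antispyware", "firewall")


@dataclass
class Endpoint:
    os: str
    active_apps: Set[str]      # security applications found running on the endpoint
    hotfixes: Set[str]         # installed Windows Hotfix IDs
    spyware_found: Set[str]    # signatures detected by the Spyware Scan


@dataclass
class Rule:
    name: str
    kind: str                  # "windows", "antivirus", "antispyware", "firewall", "or_group", "spyware_scan"
    required: Set[str] = field(default_factory=set)    # hotfix IDs, application names, or member rule names
    exceptions: Set[str] = field(default_factory=set)  # Software exception list of a Spyware Scan rule


@dataclass
class Policy:
    name: str
    rules: List[str]           # the endpoint must satisfy every rule listed here
    bypass_scan_if_av_ok: bool = False   # "Bypass malware scan if endpoint meets Anti-Virus or Anti-Spyware requirements"


def rule_satisfied(rule: Rule, ep: Endpoint, rules: Dict[str, Rule]) -> bool:
    if rule.kind == "windows":
        # At least one of the Hotfixes in the rule must be present.
        return bool(rule.required & ep.hotfixes)
    if rule.kind in APP_RULE_KINDS:
        # At least one of the listed applications must be active.
        return bool(rule.required & ep.active_apps)
    if rule.kind == "or_group":
        # Satisfied if one or more of the member rules is satisfied.
        return any(rule_satisfied(rules[m], ep, rules) for m in rule.required)
    if rule.kind == "spyware_scan":
        # Assumption: any detected signature that is not on the exception list fails the rule.
        return not (ep.spyware_found - rule.exceptions)
    raise ValueError(f"unknown rule kind: {rule.kind}")


def non_compliant_rules(policy: Policy, ep: Endpoint, rules: Dict[str, Rule]) -> List[str]:
    """Names of the policy's rules that the endpoint fails; an empty list means compliant."""
    av_ok = any(rule_satisfied(rules[r], ep, rules)
                for r in policy.rules if rules[r].kind in ("antivirus", "antispyware"))
    failed = []
    for name in policy.rules:
        rule = rules[name]
        if rule.kind == "spyware_scan" and policy.bypass_scan_if_av_ok and av_ok:
            continue  # scan skipped: the endpoint already meets the Anti-Virus / Anti-Spyware requirement
        if not rule_satisfied(rule, ep, rules):
            failed.append(name)
    return failed


def access_decision(gateway_policy: Optional[str], app_policy: Optional[str], ep: Endpoint,
                    policies: Dict[str, Policy], rules: Dict[str, Rule]) -> Tuple[bool, bool]:
    """Return (portal_allowed, application_allowed).

    gateway_policy None means the gateway has no threshold policy (the "Very Advanced Approach");
    app_policy None means the application relies on the Security Gateway requirements.
    Only one scan is performed, so both policies are judged from the same endpoint facts."""
    if gateway_policy is not None and non_compliant_rules(policies[gateway_policy], ep, rules):
        return False, False        # not allowed to log in to the portal at all
    app_ok = app_policy is None or not non_compliant_rules(policies[app_policy], ep, rules)
    return True, app_ok


# Constructed rules and policies following the "Example Rules for Endpoint Compliance Policies" table.
RULES = {r.name: r for r in [
    Rule("Default Windows Security rule", "windows", {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
    Rule("Anti-Virus applications check", "antivirus", {"AV Vendor A", "AV Vendor B"}),
    Rule("Firewall applications check", "firewall", {"FW Vendor A"}),
    Rule("Spyware Scan rule", "spyware_scan", exceptions={"legit.tool.example"}),
    Rule("AV or Firewall", "or_group", {"Anti-Virus applications check", "Firewall applications check"}),
]}
POLICIES = {p.name: p for p in [
    Policy("Low Security", ["Anti-Virus applications check", "Firewall applications check"]),
    Policy("Medium Security", ["Default Windows Security rule", "Anti-Virus applications check",
                               "Firewall applications check"]),
    Policy("High Security", ["Default Windows Security rule", "Anti-Virus applications check",
                             "Firewall applications check", "Spyware Scan rule"]),
]}

# Constructed endpoint: patched, Anti-Virus and Firewall running, but one tracking cookie present.
LAPTOP = Endpoint("Windows", {"AV Vendor A", "FW Vendor A"}, {"KB-EXAMPLE-1"}, {"trackingcookie.example"})

if __name__ == "__main__":
    # Advanced Approach: gateway threshold "Low Security", Web App Q hardened with "High Security".
    print("portal / Web App P:", access_decision("Low Security", None, LAPTOP, POLICIES, RULES))
    print("portal / Web App Q:", access_decision("Low Security", "High Security", LAPTOP, POLICIES, RULES))
    print("Web App Q failures:", non_compliant_rules(POLICIES["High Security"], LAPTOP, RULES))
```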

Using the ICSInfo Tool

When defining Endpoint Compliance policy rules, you must use the correct format. This format varies from vendor to vendor. The ICSinfo.exe utility scans your computer and generates an XML file that gives you the information in the correct format for all supported security programs it finds.

Run the ICSinfo tool before configuring the Endpoint Compliance policy rules.

To use the ICSinfo.exe utility:

  1. Set up a stand-alone test computer with all the endpoint security applications you want to create enforcement rules for. Be sure to apply the latest updates to your security software.

  2. Copy the ICSinfo tool from the Mobile Access Security Gateway to the test computer. The tool is located at $CVPNDIR/htdocs/ICS/components/ICSinfo.exe.

  3. Run ICSinfo.exe.

    This utility lists all detected security software, along with the required information in the correct format.

    The XML format output file ICSinfo.xml can be viewed in a browser.

    The sections of the file can be collapsed or expanded by clicking the - or +.

  4. Record the information for each security program and use this information to create your Endpoint Compliance policy rules.

Creating Endpoint Compliance Policies

To configure Endpoint Compliance policies:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance.

  3. Click Edit policies.

    The Endpoint Compliance policy configuration tool opens at the Policies page.

  4. Either create a new Endpoint Compliance policy or edit an existing policy.

    • To create an Endpoint Compliance policy click New Policy.

      The Policies > New Policy page opens.

    • To edit an existing policy, select the policy and click Edit.

      The Policies > Edit Policy page opens.

  5. Give the policy a Name, and a Description.

  6. For policies with Spyware Scan rules, decide whether the Endpoint Security on Demand Spyware Scan is still necessary when an endpoint computer already has a valid Anti-Spyware or Anti-Virus application.

    If not, select Bypass malware scan if endpoint meets Anti-Virus or Anti-Spyware requirements.

    Note - This option is disabled if there is no Spyware Scan rule in the policy.

  7. Within a Policy, either add previously defined Endpoint Compliance rules, or create new rules or edit previously defined rules.

    There are different types of rules for different security applications.

    It is possible to have multiple rules of the same type, each with different settings.

    • To add a previously defined rule, click Add.

      The Add Enforcement Rules page opens. Select a rule and click OK.

    • To create a rule, click New Rule, and select the rule type.

    • To edit a previously defined rule, select the rule and click Edit.

  8. Define the rules.

    Note - For explanations of fields in the Endpoint Compliance rules, see the online help.

  9. Click OK.

    This takes you back to the Edit Policy or the New Policy page.

  10. Click OK.

    This takes you back to the Policies page.

  11. Click OK.

    This completes the configuration of the Endpoint Compliance Policies, and takes you back to the Endpoint Security on Demand > Endpoint Compliance page.

    After the Endpoint Compliance policies are configured, Endpoint Compliance settings can be configured to make use of the policies.

  12. Close SmartDashboard.

  13. In SmartConsole, install the policy.

Configuring Endpoint Compliance Settings for Applications and Security Gateways

To configure Endpoint Compliance:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance.

  3. Click Scan endpoint machine when user connects.

  4. Choose one of the available approaches:

    • Basic Approach - Configuring a Common Policy for the Portal and all Applications

    • Medium Approach - Configuring a Threshold Policy for the Portal, Hardened for Specific Applications

    • Advanced Approach - Configuring Individual Policies for Each Application

Basic Approach - Configuring a Common Policy for the Portal and all Applications

To assign a policy to the Security Gateway and require an Endpoint Compliance scan to connect to the Security Gateway:

  1. Click Threshold policy: to access any application via this gateway, the endpoint must comply with the following policy.

  2. From the drop-down list, select the Endpoint Compliance policy that is used for all applications accessed with this Security Gateway.

  3. Click OK.

To make sure that the applications use the Security Gateway settings for their Endpoint compliance:

  1. From the Objects Bar, click Custom Application/Sites > Mobile Applications > Web Applications.

  2. Double-click the application.

    The Web Application settings window opens.

  3. From the navigation tree, click Additional Settings > Protection Level.

  4. Make sure that This application relies on the security requirements of the gateway is selected.

  5. Click OK.

  6. Repeat these steps for each application.

  7. Install policy.

  8. Configure the Endpoint Compliance logs.

Medium Approach - Configuring a Threshold Policy for the Portal, Hardened for Specific Applications

To configure the Security Gateway settings:

  1. Click Threshold policy: to access any application via this gateway, the endpoint must comply with the following policy.

  2. From the drop-down list, select the default Endpoint Compliance policy to be used for applications accessed via this Security Gateway.

  3. Click OK.

To make sure that the applications use the Security Gateway settings for their Endpoint compliance:

  1. From the Objects Bar, click Custom Application/Sites > Mobile Applications > Web Applications.

  2. Double-click the application that requires hardened endpoint security.

    The Web Application settings window opens.

  3. From the navigation tree, click Additional Settings > Protection Level.

  4. Click This application has additional security requirements, specified by the following protection level.

  5. From the drop-down list, select a Protection Level for this application.

    To define a new Protection Level, click Manage and Mobile Access Applications.

  6. Click OK.

  7. Repeat these steps for each application.

  8. Install policy.

  9. Configure the Endpoint Compliance logs.

Advanced Approach - Configuring Individual Policies for Each Application

To configure the Security Gateway settings:

  1. In the Endpoint Compliance page of the Security Gateway, click No threshold: to protect applications, configure endpoint compliance requirements individually per application.

  2. Click OK.

To configure an individual policy for each application:

  1. From the Objects Bar, click Custom Application/Sites > Mobile Applications > Web Applications.

  2. Double-click the application that requires hardened endpoint security.

    The Web Application settings window opens.

  3. From the navigation tree, click Additional Settings > Protection Level.

  4. Click This application has additional security requirements, specified by the following protection level.

    Note - If This application relies on the security requirements of the gateway is selected for the Mobile Access application, users are allowed to access the application without any Endpoint Compliance requirements.

  5. From the drop-down list, select a Protection Level for this application.

    To define a new Protection Level, click Manage and Mobile Access Applications.

  6. Click OK.

  7. Repeat these steps for each application.

  8. Install policy.

  9. Configure the Endpoint Compliance logs.

Configuring Advanced Endpoint Compliance Settings

You can edit the Advanced Endpoint Compliance Settings to configure whether or not to allow access to the Security Gateway and applications if the Endpoint Compliance scanner is not supported on the endpoint operating system.

  1. In SmartDashboard, from the navigation tree, click the Endpoint Security on Demand > Endpoint Compliance page.

  2. Click Edit.

    The Advanced Endpoint Compliance Settings window opens.

    In this window you can decide whether or not to allow access to the Security Gateway and applications if the Endpoint Compliance scanner is not supported on the endpoint operating system.

The Endpoint Compliance scanner supports the following operating systems: Windows, Mac, and Linux.

Configuring Platform-Based Bypass Per OS

If you want to allow some endpoint operating systems to bypass Endpoint Compliance requirements, you must select the Allow access option in the Advanced Endpoint Compliance Settings window.

For details, see the operating system compatibility table in the Mobile Access Release Notes.

To configure different rules on endpoints with different operating systems, see SecureKnowledge solution sk34989.

Platform-Based Bypass Per Protection Level

Configuring Endpoint Compliance Settings per Protection Level lets you set Platform-Based Bypass per application.

By default all Advanced Endpoint Compliance Settings are taken from the SmartDashboard configuration, in the Advanced Endpoint Compliance Settings page.

Enabling Platform Based Bypass per Protection Level

To configure different access permissions for various Protection Levels for Endpoint Compliance scanning, run:

cvpnd_settings set useICSRelaxedModeInProtectionLevel true

To return to the default setting, change true to false in the above command.

Configuring the Protection Levels that are Bypassed

In the Mobile Access tab of SmartDashboard, under Additional Settings > Protection Levels, is a list of Protection Levels. From this page you can edit the Authentication and Endpoint Security settings that are required for applications assigned to each Protection Level. You can also create new Protection Levels.

In the Mobile Access application properties, assign a Protection Level to an application. For example, if you want to allow access to an application only if the user is compliant with Endpoint Compliance policy1, but you also need to accommodate the user connecting from an endpoint that does not support Endpoint Compliance scanning (such as an iPhone), then:

  1. Create or use a Protection Level named ESOD_Relaxed_PL which enforces Endpoint Compliance Policy policy1.

  2. Assign the Protection Level to the application.

  3. Configure the Protection Level as "Bypassed".

    To configure different access permissions for various Protection Levels for Endpoint Compliance, from the Mobile Access CLI, in expert mode, run:

    cvpnd_settings listAdd ICSRelaxedModeProtectionLevelNames ESOD_Relaxed_PL

You can add other Protection Levels as well.

To restore a Protection Level from being "Bypassed", for Endpoint Compliance:

  1. Run:

    cvpnd_settings listRemove ICSRelaxedModeProtectionLevelNames

  2. Follow the on-screen instructions.

To finalize the configuration of granular platform-based bypass for Endpoint Security on Demand:

  1. Restart the Mobile Access services by running cvpnrestart.

    If the Mobile Access Security Gateway is part of a cluster, be sure to make the same change on each cluster member.

  2. In SmartDashboard, assign the Protection Levels to the applications.

  3. Install the policy.

Configuring Endpoint Compliance Logs

Mobile Access generates Endpoint Compliance-specific logs. The logs can be viewed in SmartLog, and have the category Endpoint Security on Demand. The Endpoint Security on Demand information is in the info field of the logs.

To configure tracking options for the Endpoint Compliance scanner:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance.

  3. In the Endpoint Compliance page, in the Tracking section, enable Log the endpoint scan results to record the results of Endpoint Compliance scans to the log.

  4. Select Details or Summary to determine the level of detail to record in the log file.

  5. Click Save and then close SmartDashboard.

  6. In SmartConsole, install the policy.

The Tracking options are:

  • Summary: Only one log entry per scan is written to SmartLog. The log entry shows endpoints that do not comply with the Endpoint Compliance policy. The date and time of the scan, the source IP address, and the Endpoint Compliance scan ID are logged.

  • Details: In addition to the Summary mode information, this adds a log entry for each non-compliant rule. For example, in the case of a Spyware Scan rule that screens for tracking cookies, a log entry is generated that contains the following fields:

    1. Malware name: unwantedexample.

    2. Malware type: 3rd party cookie.

    3. Description: symptom type: URL. Symptom value: cookie:bob@unwantedexample.net.
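As an added illustration of how a SOC can consume these logs (example code written for this page, not Check Point code), the Python below groups constructed Summary and Details entries by scan ID, extracts the Malware name / type / symptom fields from the info text, and separates the failed rules that belong to an assigned policy (those the end user sees in the report) from rules that were logged only because Mobile Access logs non-compliant rules from all policies. The key=value line layout, field names and values in SAMPLE_LOG are constructed assumptions, not the real SmartLog format.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Set

# Constructed sample in a key=value layout (the real SmartLog field names and layout are an assumption).
SAMPLE_LOG = """\
time=2024-01-15T09:12:03 category="Endpoint Security on Demand" src=10.0.0.21 scan_id=4711 level=summary info="endpoint not compliant"
time=2024-01-15T09:12:03 category="Endpoint Security on Demand" src=10.0.0.21 scan_id=4711 level=details rule_id=3 rule_name="Firewall applications check" policies="Low Security;Medium Security;High Security" info="no supported firewall active"
time=2024-01-15T09:12:03 category="Endpoint Security on Demand" src=10.0.0.21 scan_id=4711 level=details rule_id=4 rule_name="Spyware Scan rule" policies="High Security" info="malware name: unwantedexample; malware type: 3rd party cookie; symptom type: URL; symptom value: cookie:bob@unwantedexample.net"
time=2024-01-15T09:13:10 category="Firewall" src=10.0.0.21 action=accept info="unrelated blade log"
time=2024-01-15T09:15:40 category="Endpoint Security on Demand" src=10.0.0.22 scan_id=4712 level=summary info="endpoint not compliant"
time=2024-01-15T09:15:40 category="Endpoint Security on Demand" src=10.0.0.22 scan_id=4712 level=details rule_id=1 rule_name="Default Windows Security rule" policies="Medium Security;High Security" info="required hotfix missing"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line (values may be double-quoted) into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def parse_info(info: str) -> Dict[str, str]:
    """Turn 'malware name: x; malware type: y' style info text into a dict. Only the first
    colon of each part separates key from value, so 'cookie:bob@...' survives intact."""
    out = {}
    for part in info.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def parse_esod_log(text: str) -> Dict[str, dict]:
    """Group Endpoint Security on Demand entries by scan ID (Summary and Details share one ID)."""
    scans: Dict[str, dict] = OrderedDict()
    for raw in text.splitlines():
        f = parse_line(raw)
        if f.get("category") != "Endpoint Security on Demand":
            continue  # logs of other blades are not part of the scan
        scan = scans.setdefault(f["scan_id"], {"time": f["time"], "src": f["src"], "failed_rules": []})
        if f.get("level") == "details":
            scan["failed_rules"].append({
                "rule_id": f["rule_id"],
                "rule_name": f["rule_name"],
                "policies": f["policies"].split(";"),
                "info": f.get("info", ""),
                "detail": parse_info(f.get("info", "")),
            })
    return scans


def rules_gating_access(scan: dict, assigned_policies: Set[str]) -> List[str]:
    """Failed rules that belong to a policy actually assigned to the gateway or application.

    Mobile Access logs non-compliant rules from all policies, so the remaining entries are
    informational only and do not appear in the report shown to the end user."""
    return [r["rule_name"] for r in scan["failed_rules"] if assigned_policies & set(r["policies"])]


if __name__ == "__main__":
    for scan_id, scan in parse_esod_log(SAMPLE_LOG).items():
        gating = rules_gating_access(scan, {"Low Security"})
        print(f"scan {scan_id} from {scan['src']}: {len(scan['failed_rules'])} failed rule(s); "
              f"blocking access under 'Low Security': {gating or 'none'}")
```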

Assign Policies to Security Gateways and Applications

To assign policies to Security Gateways:

  1. On the Endpoint Compliance page, add all Mobile Access Security Gateways to the Endpoint Security Settings on Mobile Access Security Gateways section.

  2. Edit each Security Gateway whose access will be conditional on passing an Endpoint Compliance scan. Choose the Threshold policy and select Scan the endpoint machine when a user connects.

To assign policies to applications:

  1. To make access to applications conditional on passing an Endpoint Compliance scan, assign a policy to a Protection Level.

  2. Assign Protection Levels to Mobile Access applications.

Excluding a Spyware Signature from a Scan

To exclude a spyware signature from a scan:

  1. Configure Mobile Access so that endpoint computers must undergo an Endpoint compliance scan before they connect. The Endpoint Compliance policy must include a Spyware Scan rule.

  2. Set up a stand-alone test computer that has the spyware to be excluded from the scan.

  3. Run an Endpoint compliance scan on the test computer by connecting from it to Mobile Access.

    When Endpoint Security on Demand detects the spyware (irrespective of the action configured in the Spyware Scan rule), the name of the spyware (something like Win32.megaspy.passwordthief) is included in the report.

  4. Make a note of the name of the spyware.

  5. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  6. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance.

  7. Click Edit Policies.

  8. Select the policy that is applicable to the clients, and click Edit.

  9. Select the Spyware Scan rule from the list and click Edit.

  10. In the Software exception list section, click Add.

  11. Type the Name of the spyware, and a Description.

  12. Click OK three times to close the Endpoint Compliance policy editor.

  13. Click Save and then close SmartDashboard.

  14. In SmartConsole, install policy.

Preventing an Endpoint Compliance Scan Upon Every Login

By default, the end user computer is scanned by the Endpoint Compliance scanner every time the user logs in. This is the default and most secure configuration.

It is possible to configure Mobile Access so that after logging in, the user is not scanned, even after logging in again, until the end of a timeout period.

For configuration details, see sk34844.

Endpoint Compliance Scanner End-User Workflow

The Endpoint Compliance scanner on endpoint computers is supported on browsers that run ActiveX (for Windows with Internet Explorer), or Java.

When using the Endpoint Compliance scanner with Internet Explorer, the browser must be configured to download and run ActiveX controls and to allow Active Scripting. This section explains how to configure Internet Explorer to ensure that the Endpoint Compliance scanner will install and run properly on the endpoint computer.

To configure Internet Explorer for the Endpoint Compliance scanner:

  1. Select Tools > Internet Options from the Internet Explorer menu.

  2. Select the Security tab.

  3. Select the Web content zone used by the endpoint computer for remote connections from the Security Settings window.

  4. Click Custom Level.

  5. Enable the following options in the Security Settings window and then click OK:

    • Download signed ActiveX controls

    • Run ActiveX controls and plug-ins

    • Script ActiveX controls marked as safe for scripting

    • Active scripting

  6. Select the Privacy tab > the Medium setting, and then click Advanced.

  7. Enable Override automatic cookie handling and in the 1st party cookies section, enable Accept.

  8. Click OK.

Endpoint Compliance Scanner End-User Experience

When a user connects to a portal where the Endpoint Compliance is enabled, the end user computer is scanned before the user sees the login screen.

The Endpoint Compliance Scanner is installed on the endpoint machine by using ActiveX (for Windows with Internet Explorer), or the Legacy Mobile Access Portal.

Note - The Endpoint Compliance scan starts if Endpoint compliance is configured for a Mobile Access application in a portal, even if portal access does not require compliance with a policy.

To log in to the Mobile Access Portal with the Endpoint Compliance scanner enabled:

  1. Enter the Mobile Access Portal URL in your browser.

  2. If you are using the Endpoint Compliance scanner for the first time on a particular endpoint computer, you are prompted to download and install the Check Point Mobile Access Portal Agent.

    You may see these warnings:

    1. Do you trust the Mobile Access site you are connecting to?

    2. Do you trust the certificate of the server of the Mobile Access site?

  3. During the scan, a progress bar is displayed.

  4. If the endpoint computer successfully passes the Endpoint compliance scan, the Mobile Access Portal login screen appears.

    If the endpoint computer fails to pass the scan, Endpoint Security on Demand displays a result screen showing the potentially harmful software and security rule violations detected during the scan.

    • Click on a potentially harmful software item to display a short description of the detected malware, what it does and recommended removal method(s).

    • If the Continue Anyway button appears, you can continue and log on to the Mobile Access Portal without removing the malware or correcting the security rule violation.

    • If there is no Continue Anyway button, you must remove the detected malware or correct the security rule violation before you can log on to the Mobile Access Portal. When you have corrected the problem, click Scan again to repeat the scan.

  5. When the Mobile Access Portal login page appears, you can log on normally.

Note - The user and administrator see the scan results as log entries in the Traffic Log. Each entry shows the user name, user group, source computer, malware name, malware type, and malware description.

Using Endpoint Security on Demand with Unsupported Browsers

Endpoint Security on Demand for Mobile Access requires browsers that support ActiveX or Java.

The following sections describe Endpoint Security on Demand behavior when users attempt to access the Mobile Access Portal using an unsupported browser.

  • If the Block access to all applications option on the Endpoint compliance scan Policy page is enabled, and either of the following conditions exists, the endpoint computer cannot connect to the Mobile Access Portal.

    • The Prevent Connectivity option is enabled for at least one malware protection rule.

    • The Restrict action is selected for at least one enforcement rule (anti-virus or custom).

      In this case, Endpoint Security on Demand presents an error message and generates a log entry in the administrator's traffic log.

  • In all other cases, users can log on to the Mobile Access Portal without passing an Endpoint compliance scan. In some cases, an incompatibility message appears with a Continue button that allows users to proceed with Mobile Access login. Endpoint Security on Demand generates a log entry in the administrator's traffic log.

  • When an application's Protection Level is configured to require an Endpoint Compliance scan, users can still gain access to the Mobile Access Portal, but cannot run that application.

Preventing Portal Access with Unsupported Browsers

The following steps can prevent users using unsupported browsers from gaining access to the Mobile Access Portal and applications without passing an Endpoint Compliance scan:

  • Enable the Scan endpoint machine when user connects option, and set a threshold policy. This setting is found on the Endpoint Security on Demand > Endpoint compliance page.

  • Assign Protection Levels that require passing an Endpoint Compliance scan to all applications.

  • Prevent users from using an unsupported browser to access the Mobile Access Portal by forcing Endpoint Security on Demand to reject all connections from unsupported browsers. See the "Configuring Advanced Endpoint Compliance Settings" section.

Completing the Endpoint Compliance Configuration

The Endpoint Compliance page shows:

  • Number of Mobile Access Security Gateways configured to scan endpoint machines.

  • Security policy required on the Security Gateway.

  • Number of Mobile Access applications, with Level of Enforcement (full, partial, or none).

If this is correct for your organization:

  1. Click Save and then close SmartDashboard.

  2. In SmartConsole, install policy.

Secure Workspace

Important - Starting 01 February 2024, Check Point is announcing the Feature Deprecation and End-of-Support dates for the Secure Workspace feature within the Mobile Access Software Blade. See sk181968.

Secure Workspace is a security solution that allows remote users to connect to enterprise network resources safely and securely. The Secure Workspace virtual workspace provides a secure environment on endpoint computers that is segregated from the "real" workspace.

No data is allowed to leave this secure environment except through the Mobile Access Portal. Secure Workspace users cannot access any applications, files, system tools, or other resources from the virtual workspace unless they are explicitly permitted by the Secure Workspace policy.

Administrators can easily configure Secure Workspace policy to allow or prevent activity according to enterprise requirements.

Secure Workspace creates an encrypted folder called My Secured Documents on the virtual desktop that contains temporary user files. It deletes this folder and all other session data when the session terminates.

After Secure Workspace is enabled, configure a Security Gateway to either require all users to connect to the Mobile Access Portal through Secure Workspace, or to give users the option of connecting through Secure Workspace or from their endpoint computers.

Prerequisites for Secure Workspace

Check Point Portal Agent (ActiveX component) and SSL Network Extender must be installed on the endpoint computer.

Enabling Secure Workspace

To enable Secure Workspace for a Mobile Access Security Gateway:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Endpoint Security on Demand > Secure Workspace.

  3. To configure the Secure Workspace policy, click Edit policy.

    For details, see the "Configuring the Secure Workspace Policy" section.

  4. Click Save and then close SmartDashboard.

  5. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  6. From the navigation tree, click Mobile Access > Check Point Secure Workspace.

  7. To enable Secure Workspace on the Security Gateway, click This gateway supports access to applications from within the Secure Workspace.

  8. Select the options to define the behavior of Secure Workspace when a user logs in to the Mobile Access Portal:

    • Allow user to choose whether to use Check Point Secure Workspace

    • Users must use Check Point Secure Workspace

    • User must use Check Point Secure Workspace only if the following Endpoint Compliance policy is not satisfied - This option lets you set a rule that if a certain Endpoint Compliance policy is not satisfied by the client connecting to the Security Gateway, the client must use Secure Workspace. If the Endpoint Compliance policy is satisfied, using Secure Workspace is optional.

  9. Select the Endpoint Compliance Policy that is enforced on the Security Gateway. If the criteria of the selected policy are not satisfied, the client connecting must use Secure Workspace.

  10. Click OK.

  11. In SmartConsole, install policy.

Configuring Advanced Secure Workspace Settings

In the Endpoint Security on Demand > Secure Workspace page, in the Advanced Secure Workspace Settings section, click Edit. The Advanced Secure Workspace Settings window opens.

In this window you can decide whether or not to allow access to the Security Gateway and applications if Secure Workspace is not supported on the endpoint operating system.

To configure advanced operating system-specific settings, see sk34989.

Configuring Platform-Based Bypass Per OS in Secure Workspace

If you want to let some endpoint operating systems bypass the Secure Workspace requirements, you must select the Allow access option in the Advanced Secure Workspace Settings window.

To configure different rules on endpoints with different operating systems, see sk34989.

Platform-Based Bypass Per Protection Level in Secure Workspace

Configuring Secure Workspace Settings per Protection Level allows you to configure "Platform-Based Bypass" per application.

By default all Advanced Secure Workspace Settings are taken from the SmartDashboard configuration, in the Advanced Secure Workspace Settings page.

Enabling Platform Based Bypass per Protection Level

To configure different access permissions for various Protection Levels for Secure Workspace, from the CLI run:

cvpnd_settings set useISWRelaxedModeInProtectionLevel true

To return to the default setting, change true to false in the above command.

Configuring the Protection Levels that are Bypassed

In the Mobile Access tab of SmartDashboard, under Additional Settings > Protection Levels, is a list of Protection Levels. From this page you can edit the Authentication and Endpoint Security settings that are required for applications assigned to each Protection Level. You can also create new Protection Levels. If you select Applications using this protection level can only be accessed from within Check Point Secure Workspace, all applications assigned to that Protection Level can only be accessed from within Secure Workspace.

However, if you want to allow access to an application only from Secure Workspace, but you also need to accommodate the user connecting from an endpoint that does not support Secure Workspace (such as an iPhone), then:

  1. Create or use a Protection Level named ESOD_Relaxed_PL which enforces Endpoint Compliance Policy policy1.

  2. Assign the Protection Level to the application.

  3. Configure the Protection Level as "Bypassed".

    To configure different access permissions for various Protection Levels for Secure Workspace, from the Mobile Access CLI, in expert mode, run:

    cvpnd_settings listAdd ISWRelaxedModeProtectionLevelNames ESOD_Relaxed_PL

You can add other Protection Levels as well.

Restoring a Protection Level from being Bypassed for Secure Workspace

  1. Run:

    cvpnd_settings listRemove ISWRelaxedModeProtectionLevelNames

  2. Follow the on-screen instructions.

Finalize the Configuration for Secure Workspace

  1. Restart the Mobile Access services by running cvpnrestart.

    If the Mobile Access Security Gateway is part of a cluster, make the same change on each cluster member.

  2. In SmartDashboard, assign the Protection Levels to the applications.

  3. Install the policy.

Applications Permitted by Secure Workspace

In its default configuration, Secure Workspace allows access to a limited group of applications. This is usually sufficient for most end-users working with the Mobile Access Portal and retrieving information from network hosts.

See sk114454 for the list of supported applications.

SSL Network Extender in Secure Workspace

When using SSL Network Extender inside Secure Workspace, Secure Workspace traffic and traffic from outside the Secure Workspace are encrypted.

Secure Workspace Policy Overview

Secure Workspace controls access to applications and directories on endpoint computers based on the Secure Workspace policy.

Each Mobile Access Security Gateway has its own Secure Workspace policy. The policy:

  • Grants or denies permission for users to run applications.

  • Allows applications to save files to specific files and directories.

  • Defines general portal protection security settings and user experience behavior.

You can add to the list of Approved Applications, and can add, edit, or delete applications from the list.

You can define locations where the application is allowed to save files that remain after Secure Workspace shuts down. These locations are called Allowed Save locations. There is no need to define locations for files that are not needed after Secure Workspace shuts down. Temporary files are deleted when the Secure Workspace is closed.

Secure Workspace includes a built-in Firewall that lets you define Outbound Firewall Rules. These are the IP addresses and ports that approved applications are allowed to access. By default, desktop applications are allowed to access all addresses and ports.

Note that settings for the approved applications, save locations, and Outbound Firewall Rules are independent. For example, the save locations are not restricted to a particular application, and similarly, Outbound Firewall Rules apply to all applications.

Configuring the Secure Workspace Policy

The Secure Workspace policy determines the permitted activities and behavior that end users will experience when working in Secure Workspace.

To configure the Secure Workspace Policy:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Endpoint Security on Demand > Secure Workspace.

  3. To configure the Secure Workspace policy, click Edit policy.

    The Secure Workspace Settings window opens.

  4. Fill in the fields in the tabs described in the next sections.

General Settings

Self Protection

  • Enable Secure Workspace Self Protection - Best Practice is to select this to add driver-level protection for Secure Workspace and prevent attempts to tamper with the environment.

    This requires administrative privileges and the User Access Control (UAC) prompt might show during the Secure Workspace startup.

    • Prevent Secure Workspace startup if the Self Protection driver fails to install - When selected, Secure Workspace can only start if the Self Protection driver is successfully installed.

SSL Network Extender

  • Allow SSL Network Extender connections only from within Secure Workspace - Select this option to use corporate resources from within Secure Workspace only. Use this if your organizational security policy requires access to corporate resources from within a clean, segregated environment, and with a strict set of allowed applications.

Data Protection

  • Prevent the host PC from printing secure documents - Users cannot print documents from Secure Workspace.

  • Prevent copying clipboard content to the host PC - Users cannot copy content from inside Secure Workspace to paste or save it outside of Secure Workspace.

Application Control Settings

  • Enable Reputation Services to validate the integrity of allowed applications in the Applications Table - When a user starts an application that is not an Approved Application, Secure Workspace contacts Check Point Reputation Services to ask if the application is legitimate. Reputation Services returns one of three responses: The application is trusted, the application is untrusted, or the application is unknown. Configure the Secure Workspace policy to handle Reputation Services responses:

    • Allow Trusted only

    • Allow Trusted and Unknown

Application Table

Approved applications show on the Secure Workspace desktop, and are allowed to run on endpoint computers. You can add, edit, or remove applications from the list.

Configuring Applications in the Application Table

  • To add an application: Click Add Application.

  • To remove an application: Click Remove.

  • To edit the information for the application: Click the application Display Name in the table.

When you add a new application or edit an application, you can include this information:

  • Display Name (required) - The name of the approved application as it shows on the desktop.

  • Executable File (required) - The path and filename of the selected application.

    Enter the path in one of these formats:

    • Absolute path in this format: <disk>:\<folder_path>\<binary_name>. Secure Workspace allows the endpoint to run the binary from specified location only. The full path is necessary if the location of the program does not appear in the PATH.

    • File name, for example: \<binary_name>. Secure Workspace allows the endpoint to run the binary with the specified name from all locations on the disk. Use if the location appears in the PATH.

    • Path with environment variable, for example: <path_with_env_variable>\<binary_name>. Secure Workspace resolves the environment variable on the endpoint, and uses its value as part of the path to the executable.

  • Executable Original File Name (optional) - Enter this if you also select an Executable Vendor Name, so Secure Workspace can make sure that the application certificate meets the requirement. The original filename shows in the details of the application's certificate.

  • Executable Vendor Name (optional) - When a vendor is selected, Secure Workspace checks the application's certificate to make sure that it is signed by this vendor. The same application signed by a different vendor is blocked.

  • File hash (optional) - Enter the MD5 or SHA256 hash of the application executable. You can add multiple hashes, for example, one for each version of the application.

  • Select the hash type that you use: MD5 or SHA256.

  • Comment (optional) - Add a comment that describes the application.

  • Add shortcut to Start Menu (optional) - Select to add a shortcut to the application to the Start Menu in the Secure Workspace. The shortcut is only added if the application exists on the client computer. You can also enter a command line argument to run as a shortcut.

  • Add shortcut to Desktop (optional) - Select to add a shortcut to the application to the Desktop in Secure Workspace. The shortcut is only added if the application exists on the client computer. You can also enter a command line argument to run as a shortcut.
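The three Executable File formats and the optional File hash above decide whether a launched binary counts as an approved application. The following added example (not Check Point's code; the ApprovedApp field names, the %VAR% syntax for the environment-variable format, and the sample table are assumptions) models that matching logic so the behaviour of each format can be checked on constructed input:

```python
import hashlib
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


# Hypothetical model of one Application Table entry; the field names are
# assumptions for this example, not Check Point's own schema.
@dataclass(frozen=True)
class ApprovedApp:
    display_name: str
    executable: str                        # one of the three Executable File formats
    hash_type: str = "SHA256"              # "MD5" or "SHA256"
    hashes: FrozenSet[str] = frozenset()   # lowercase hex digests, one per accepted version


# Assumed syntax for "path with environment variable": Windows-style %VAR%.
_ENV_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Resolve %VAR% references with the endpoint's environment (constructed in the sample)."""
    return _ENV_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def path_matches(policy_path: str, actual_path: str, env: Dict[str, str]) -> bool:
    """Apply the three Executable File formats from the policy editor:
    bare file name              -> the binary may run from any location on the disk;
    absolute or env-variable path -> only from that (resolved) location.
    Windows paths are case-insensitive, so everything is compared in lower case."""
    policy = ntpath.normpath(expand_env(policy_path, env)).lower()
    actual = ntpath.normpath(actual_path).lower()
    folder, name = ntpath.split(policy)
    if folder in ("", "\\"):               # "notepad.exe" or "\notepad.exe": name-only entry
        return ntpath.basename(actual) == name
    return actual == policy


def file_hash(data: bytes, hash_type: str) -> str:
    """Hash the executable's bytes with the hash type selected for the entry."""
    algo = {"MD5": hashlib.md5, "SHA256": hashlib.sha256}[hash_type.upper()]
    return algo(data).hexdigest()


def check_launch(table: List[ApprovedApp], actual_path: str, data: bytes,
                 env: Dict[str, str]) -> Tuple[str, str]:
    """Decide whether the binary launched from actual_path is an approved application.
    Returns ("allow", display name) or ("block", reason). The Vendor Name and
    Original File Name certificate checks are not modelled (they need Authenticode parsing)."""
    for app in table:
        if not path_matches(app.executable, actual_path, env):
            continue
        # A pinned hash turns a path match into a content check: a binary at the
        # approved location with unexpected bytes is blocked, not passed on.
        if app.hashes and file_hash(data, app.hash_type) not in app.hashes:
            return "block", f"{app.display_name}: hash mismatch"
        return "allow", app.display_name
    return "block", "not in Application Table"


# Constructed sample: a fake "binary" and a three-entry table, one per path format.
NOTEPAD_BYTES = b"constructed notepad binary, not a real PE file"
NOTEPAD_SHA256 = hashlib.sha256(NOTEPAD_BYTES).hexdigest()
SAMPLE_ENV = {"PROGRAMFILES": r"C:\Program Files"}
SAMPLE_TABLE = [
    ApprovedApp("Notepad", r"C:\Windows\System32\notepad.exe", "SHA256",
                frozenset({NOTEPAD_SHA256})),                          # absolute path + hash
    ApprovedApp("Calculator", r"\calc.exe"),                           # file name only
    ApprovedApp("Corp Tool", r"%ProgramFiles%\CorpTool\corptool.exe"),  # env variable
]

if __name__ == "__main__":
    for path, blob in [(r"C:\Windows\System32\notepad.exe", NOTEPAD_BYTES),
                       (r"C:\Windows\System32\notepad.exe", b"tampered copy"),
                       (r"D:\tools\calc.exe", b""),
                       (r"C:\Program Files (x86)\CorpTool\corptool.exe", b"")]:
        print(path, "->", check_launch(SAMPLE_TABLE, path, blob, SAMPLE_ENV))
```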

Vendor Control Settings

You can configure which applications users can access from Secure Workspace. If a vendor is trusted then all applications from this vendor are trusted. See sk114526 for the vendors trusted by default. You cannot add a vendor to the list.

  • To block a vendor: Clear the checkbox for the vendor.

  • To allow a vendor: Select the checkbox for the vendor.

Allowed Save Locations

Allowed Save locations are locations where applications are allowed to save files that remain after Secure Workspace shuts down. There is no need to define locations for temporary files that can be deleted after Secure Workspace shuts down.

To add an allowed save location:

  1. In the Allowed Save locations tab, click Add Location.

  2. In the window that opens enter:

    • Name - A descriptive name of the location.

    • Path - The complete path to the location.

    • Description (optional) - A longer description.

  3. Click Save Location.

Outbound Firewall Rules

Outbound Firewall Rules define which IP addresses and ports approved applications are allowed to access when they make outbound connections.

These options are available:

  • Localhost Connection. Do not allow connection to application on host PC - When selected Secure Workspace users can only use applications in Secure Workspace and cannot access the host PC. When cleared, users can access the host PC when Secure Workspace is active, but can only save things in the defined locations.

  • Accept Rules - Select a rule in the table to enable it. Clear a rule in the table to disable it. Only connections that match enabled rules are allowed. The default rules are:

    • Everywhere - Allows desktop applications to access all addresses and ports.

    • Localhost connection - Required for Internet Explorer. Deleting this rule is not recommended.

Best practice is to use the default rules. You can delete the default rules and replace them with more restrictive rules, but do so carefully.

Virtual Registry Rules

You can add custom rules to the Secure Workspace virtual registry. Contact Check Point support for more information about this feature.

User Experience Settings

In the User Experience settings, configure what users see and how they interact with Secure Workspace.

General

  • Prevent Host PC/ Secure Workspace desktop switching - Users cannot switch between the host PC and Secure Workspace environments. Access to the regular desktop is only allowed if Secure Workspace is closed.

  • Display welcome window - When selected, "Welcome to Secure Workspace" is shown to users. Select if it always shows or if users can disable it.

  • Disable "Run" option in Start menu inside Secure Workspace - Users cannot run programs with the Run command from the Start menu in Secure Workspace.

  • Hide all system drives - Local drives are hidden when in Secure Workspace.

  • Prevent to start browser inside Secure Workspace - Disable the automatic launch of an internet browser in Secure Workspace after Secure Desktop is started. As a result, SSL Network Extender does not start and automatically establish a VPN tunnel.

Desktop Background - Change the Secure Workspace desktop background picture and its position.

Display Start dialog - Show a Start window that you customize.

Configuring a Secure Workspace Policy per Security Gateway

A Secure Workspace policy that is configured in SmartDashboard applies to all Mobile Access Security Gateways. To configure a Secure workspace policy for each Security Gateway, see sk34939.

Integration with Endpoint Security Reputation Service

Secure Workspace can work together with the Check Point Endpoint Security Reputation Services to check whether an application that is not an approved application is legitimate. Reputation Services identifies programs according to their filename and MD5 hash.

For details of the Endpoint Security Reputation Services, see your version of the R81.10 Harmony Endpoint Security Server Administration Guide. If you use Reputation Services, the sequence of Secure Workspace is:

  1. The user selects a program to run in Secure Workspace.

  2. Secure Workspace checks the policy. If the program is not allowed by the Secure Workspace policy, program execution is blocked.

  3. If the program is allowed by the policy, Secure Workspace queries Reputation Services about the program.

  4. Reputation Services returns one of three responses about the application: Trusted, Untrusted, or Unknown.

  5. Secure Workspace allows or blocks the application according to the Reputation Services responses, as defined in the policy:

    • Allow Trusted only.

    • Allow Trusted and Unknown.

Secure Workspace End-User Experience

This section provides an overview of the Secure Workspace workflow.

Disabling Internet Explorer Protected Mode

If users use Internet Explorer to open the Mobile Access Portal on Windows Vista or higher, they must disable Internet Explorer Protected Mode. If Protected Mode is not disabled, SSL VPN might run, but users can get unexpected errors.

On Windows 7 and higher, protected mode is enabled by default. You can see that it is enabled:

  • In the Internet Options > Security tab. See that Enable Protected Mode is selected.

  • In the bottom right of the Internet Explorer browser window, it says Protected Mode On.

If Endpoint Security on Demand is configured on the Security Gateway, the scan detects that Protected Mode is on and instructions to disable Protected Mode open.

If Endpoint Security on Demand is not configured on the Security Gateway, users are not alerted that they must disable Protected Mode. However, they must do the same steps to disable Protected Mode so that they can access the SSL VPN portal without problems.

To disable Protected Mode for the SSL VPN Portal:

  1. In Internet Explorer, select Tools > Internet Options.

  2. In the Internet Options window, select the Security tab.

  3. In the Security tab, select Trusted Sites and clear the Enable Protected Mode checkbox.

  4. Click Sites.

  5. In the Trusted sites window:

    1. Click Add.

    2. In Add this website to the zone, enter the web address of the SSL VPN portal.

      The portal web address shows in the Websites area of the window.

  6. Click Close.

  7. Click OK.

All users must do these steps even if they do not get the instructions automatically. After these steps, close all Internet Explorer windows. The next time you open Internet Explorer, Protected Mode is off.

Logging on to the Mobile Access Portal Using Secure Workspace

Secure Workspace initializes when a user logs on to the Mobile Access Portal. If the administrator has configured the Mobile Access Security Gateway to require Secure Workspace, this occurs automatically. If the administrator has configured the Security Gateway to allow users to choose whether or not to use Endpoint Security on Demand, an option appears on the Login screen.

Working with the Secure Workspace Virtual Desktop

The Secure Workspace virtual desktop looks and feels like a normal Windows desktop.

The principal difference is that Secure Workspace only allows users to work with a limited number of pre-approved applications and files and, by default, does not allow users to print, customize the desktop or perform any system configuration activities. Since most users only use Secure Workspace to work with the Mobile Access Portal, these functions are rarely needed.

Start Menu and Taskbar

The virtual desktop Start menu and taskbar function in the same manner their "real" counterparts do. Configuration settings in the Secure Workspace policy determine which shortcuts and options are available to users.

Allowing Users to Save Files to the "Real" Desktop

Users occasionally need to download and save files from resources behind the Mobile Access Security Gateway to "real" desktop folders. Conversely remote users may need to upload files to the corporate network from the endpoint computer.

To allow this, the administrator must configure the Secure Workspace policy to allow endpoints to switch between the secure and regular desktops. This is accomplished in the User Experience Settings section of the Secure Workspace policy editor.

Accessing Files and Applications on the Endpoint Computer

Generally, users can access files and run applications in Secure Workspace in the same manner as on the "real" desktop. Since, by default, users have read-only (access) privileges to all folders and files, they can freely navigate the file system using Windows Explorer. When attempting to run a program or open a file for which a user does not have Secure Workspace permission, an error message appears.

Likewise, if a user attempts to save a file to a "real" desktop folder without Secure Workspace permissions, an error message appears.

Accessing Endpoint Applications in Secure Workspace

When SSL Network Extender network mode users initiate a Secure Workspace session, permitted Endpoint Applications are available in the virtual desktop as follows:

  • An Endpoint Application defined in the Native Application by path and executable name (already installed) - Available to users as a shortcut in the Windows Start menu.

  • An Endpoint Application defined in the Native Application as running via the default browser - Available to users as a shortcut on the desktop.

  • An Endpoint Application defined in the Native Application as downloaded from Mobile Access - Available to users as a link in the Mobile Access Portal.

Note - During a Secure Workspace session, SSL Network Extender cannot toggle between the Network Mode and the Application Mode. User can change the mode, but must start a new Secure Workspace session after doing so.

Switching Between Secure Workspace and the "Real" Desktop

You can switch back and forth between the Secure Workspace virtual workspace and the "real" desktop at any time. To do so, click the lock icon, located in the tray area of the taskbar.

Exiting Secure Workspace

To exit Secure Workspace:

  1. From the Windows Start menu, select Close Secure Workspace.

    A confirmation and reminder to save open files appears.

  2. Click Yes, close it now to continue closing Secure Workspace.

Troubleshooting Secure Workspace

Secure Workspace logs are automatically saved in %temp%\IswTmp\Logs when the environment variable ISWLOG is set to 0 (zero). If you have issues with Secure Workspace, examine these logs or send them to Check Point technical support.

If an application stops working, a Secure Workspace window opens to help you send technical information to Check Point. Users can manually open this window if a process hangs or they experience instability.

To collect technical information:

  1. Press Ctrl+Alt+End.

    A Secure Workspace window opens to help you send technical information to Check Point.

  2. Fill in the required information and click Collect and Send.

  3. Send the file to Check Point support.
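When the Ctrl+Alt+End dialog itself is not available (for example, the session is already closed), the log folder named above can be packaged by hand. The following PowerShell script is an added example and is not Check Point's own tooling: it reports whether ISWLOG is set to 0, as the note above requires for logging, and collects everything under %temp%\IswTmp\Logs into a ZIP archive together with a SHA-256 manifest so that support can verify the files were not altered in transit. The archive name, the manifest format and the default output folder are this script's own conventions, not anything the product defines.

```powershell
# Added example, not Check Point code. Packages Secure Workspace logs for a support case.
# Assumed: the log location and the ISWLOG variable are as documented on this page;
# the archive name, manifest CSV and output folder are conventions chosen here.
param(
    [string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop')
)

$logDir = Join-Path $env:TEMP 'IswTmp\Logs'

# The documentation states that logs are written only when ISWLOG is 0.
if ($env:ISWLOG -ne '0') {
    Write-Warning "ISWLOG is '$($env:ISWLOG)', not 0. Secure Workspace logging may be disabled."
}

if (-not (Test-Path -Path $logDir)) {
    Write-Error "Log folder not found: $logDir"
    exit 1
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$zipPath = Join-Path $OutDir "isw-logs-$env:COMPUTERNAME-$stamp.zip"

# Hash every file before packaging so the recipient can check the archive contents.
$manifest = Get-ChildItem -Path $logDir -File -Recurse | ForEach-Object {
    [pscustomobject]@{
        File   = $_.FullName.Substring($logDir.Length).TrimStart('\')
        Bytes  = $_.Length
        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

if (-not $manifest) {
    Write-Warning "No log files found in $logDir. Nothing to collect."
    exit 0
}

# The manifest is written to a temporary CSV, added to the archive, then removed.
$manifestPath = Join-Path $env:TEMP "isw-manifest-$stamp.csv"
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation

Compress-Archive -Path (Join-Path $logDir '*'), $manifestPath -DestinationPath $zipPath -Force
Remove-Item -Path $manifestPath

Write-Host "Collected $($manifest.Count) log file(s) into $zipPath"
$manifest | Format-Table -AutoSize
```

Run the script from the "real" desktop of the affected user, and keep the printed manifest with the case notes; comparing it with the hashes of the received archive confirms that support is examining the same files the user collected.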

Endpoint Compliance Updates

Check Point provides Endpoint Compliance updates. You can download Endpoint Security on Demand updates from the Mobile Access tab in SmartDashboard.

You can configure Endpoint Security on Demand to retrieve updates automatically according to a defined schedule or you can manually download and install the updates.

Working with Automatic Updates

You can periodically check for and automatically download Endpoint Compliance updates. You can choose to download updates from the Check Point Download Center, or you can install updates previously downloaded to your Security Management Server.

Note - Before performing an Endpoint Security on Demand update, install a policy at least once.

To configure automatic updates:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance Updates.

  3. In the Update Configuration section, click Configure.

    The Automatic Updates window opens.

  4. On the Activation tab, click Enter User Center credentials.

  5. Enter your User Center email address and password.

  6. Click the Endpoint Security on Demand tab.

  7. Configure these update settings:

    1. To install updates from the Download Center, select the Check Point website option.

    2. To install updates from your Security Management Server, select the My local Security Management Server option. If you want to install updates from the Download Center when the Security Management Server is unavailable, enable the indicated option.

    3. Select the interval, in minutes, after which Endpoint Security on Demand checks for available downloads.

  8. In the Tracking Configuration tab, select the various tracking options from the lists. You can select logging events or a variety of alert types.

  9. If there is a proxy server between the Security Management Server and the User Center, select the Proxy tab and enter the proxy host name or IP address and the proxy port number (for example, 8080).

  10. Click OK to complete the definition.

  11. Click Save and then close SmartDashboard.

  12. In SmartConsole, install policy.

Performing Manual Updates

To perform a manual Endpoint Security on Demand update:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance Updates.

  3. Click Update Databases Now.

  4. Enter your Check Point User Center credentials and click Next.

  5. Choose the All supporting gateways option to download the update to all available Mobile Access Security Gateways. Alternatively, choose the Select option, select the applicable Mobile Access Security Gateways in the left-hand list, and click Add.

  6. Click Finish. A progress bar appears during the download.

  7. Click Save and then close SmartDashboard.

  8. In SmartConsole, install policy.