Getting Started with Mobile Access

Recommended Deployments

Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. can be deployed in a variety of ways depending on an organization's system architecture and preferences.

Simple Deployment

In the simplest Mobile Access deployment, one Mobile Access enabled Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. inspects all traffic, including all Mobile Access traffic. IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). and Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. can be active on all traffic as well. The Security Gateway can be on the network perimeter.

This is the recommended deployment. It is also the least expensive and easiest to configure as it only requires one Security Gateway machine for easy and secure remote access.

Item	Description
1	Internal servers
2	Security Gateway with Mobile Access enabled
3	SSL Tunnel through Internet
4	Remote User

Deployment in the DMZ

When a Mobile Access enabled Security Gateway is put in the DMZ, traffic initiated both from the Internet and from the LAN to Mobile Access is subject to Firewall restrictions. By deploying Mobile Access in the DMZ, the need to enable direct access from the Internet to the LAN is avoided. Remote users initiate an SSL connection to the Mobile Access Security Gateway. You must configure the Access Control Policy to allow traffic from the user to the Mobile Access server, where SSL termination, IPS and Anti-Virus inspection, authentication, and authorization take place. The Security Gateway forwards requests to the internal servers.

Cluster Deployment

If you have large numbers of concurrent remote access users and continuous, uninterrupted remote access is crucial to your organization, you may choose to have Mobile Access active on a cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.. A cluster can be deployed in any of the deployments described above.

Item	Description
1	Internal servers
2	Mobile Access enabled cluster member Security Gateway that is part of a cluster. B
3	Internet
4	Remote User making SSL connection through Internet
5	Mobile Access enabled cluster member A
6	Secure Network (Sync)

Each cluster member has three interfaces: one data interface leading to the organization, a second interface leading to the internet, and a third for synchronization. Each interface is on a different subnet.

In a simple deployment with the Mobile Access cluster in the DMZ, two interfaces suffice; a data interface leading to the organization and the internet, and a second interface for synchronization.

Deployments with VSX

You can enable the Mobile Access Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. on VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Virtual Systems.

You can use a VSX deployment to support different Mobile Access scenarios. Each Virtual System can have a Mobile Access Portal with different applications, access policies, authentication requirements, and mobile clients.

For example, in the picture below, a VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. has four Virtual Systems with Mobile Access enabled. Each Virtual System has Mobile Access configured with different settings to meet the company's needs for different users.

Item	Description	Example Mobile Access Portal URL
1	Remote Users
2	Internet
3	Router
4	VSX Gateway
5	Virtual Switch
6	Virtual System 4 with Mobile Access enabled	https://guest.company.com/sslvpn
7	Virtual System 3 with Mobile Access enabled	https://finance.company.com/sslvpn
8	Virtual System 2 with Mobile Access enabled	https://sales.company.com/sslvpn
9	Virtual System 1 with Mobile Access enabled	https://dev.company.com/sslvpn

This table shows an example of different settings that you can have on each Virtual System.

Virtual System	Users	Clients Allowed	Authentication Schemes	Endpoint Health Checks	Applications Configured
Virtual System 9	Development team	Mobile Access Portal, SSL Network Extender, Capsule Workspace	Certificate + AD Password	Mobile Access Portal ESOD check for company Endpoint Security requirements Jail broken or rooted devices not allowed	Development applications
Virtual System 8	Sales team	Capsule Workspace, Capsule Connect	SecurID + AD password	Jail broken or rooted devices not allowed	Sales applications
Virtual System 7	Finance team	Mobile Access Portal, Capsule Workspace	SecurID + AD password	Cooperative enforcement with company MDM server	Finance applications
Virtual System 6	Contractors	Mobile Access Portal	Certificate that expires after 30 days	Mobile Access Portal ESOD check for commercial AV solution and recent AV signature updates	Contractor internal applications

Deployment as a Reverse Proxy

You can configure a Mobile Access Security Gateway to be a reverse proxy for Web Applications on your servers, using Mobile Access. Reverse Proxy users browse to an address (URL) that is resolved to the Security Gateway IP address. Then the Security Gateway passes the request to an internal server, according to the Reverse Proxy rules. You control the security level (HTTP or HTTPS) of connections between users and resources.

See Reverse Proxy.

You can also enable Single Sign-On for Capsule Workspace with Capsule Docs users. See the R81.10 Harmony Endpoint Security Server Administration Guide for details.

Sample Mobile Access Workflow

This is a high-level workflow to configure remote access to Mobile Access applications and resources.

Use SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to enable the Mobile Access Software Blade on the Security Gateway.
Follow the steps in the Mobile Access Configuration wizard to configure these settings:
1. Select mobile clients.
2. Define the Mobile Access Portal.
3. Define applications, for example Outlook Web App.
4. Connect to the AD server for user information.
Select the policy type:
- The default is to use the Legacy Policy, configured in the Mobile Access tab in SmartConsole.
- To include Mobile Access in the Unified Access Policy, select this in Gateway Properties > Mobile Access.
Add rules to the Policy:
- For Legacy Policy: Add rules in SmartConsole. Select Security Policies > Shared Policies > Mobile Access > Open Mobile Access Policy in SmartConsole.
- For Unified Access Policy: Add rules in SmartConsole > Security Policies Access Control Policy.
Configure the authentication settings in Gateway Properties > Mobile Access > Authentication.
Install the Access Control Policy on the Security Gateway.

Users can access mobile applications through the configured Mobile Access Portal with the defined authentication method.
Optional: Give secure access to users through the Capsule Workspace app with certificate authentication.
1. In the Security Gateway, Mobile Access > Authentication, click Settings, and select Require client certificate.
2. Use the Certificate Creation and Distribution Wizard (in the Security Policies view > Client Certificates > New.
3. Users download the Capsule Workspace app.
4. Users open the Capsule Workspace app and enter the Mobile Access Site Name and necessary authentication, such as user name and password.

Mobile Access Wizard

The Mobile Access Wizard runs when you enable the Mobile Access blade on a Security Gateway. It lets you quickly allow selected remote users access to internal web or mail applications, through a web browser, mobile device, or remote access client.

See Check Point Remote Access Solutions to understand more about the remote access clients mentioned in the wizard. Many of the settings in the wizard are also in Gateway Properties > Mobile Access.

Mobile Access

Select from where users can access the Mobile Access applications:

Web - Through a browser on any computer. SSL Network Extender can be downloaded by users when necessary to access native applications.
Mobile Devices - Through an iOS or Android Mobile device. Devices must have a Check Point app installed.
- Capsule Workspace - Use Check Point Capsule Workspace app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
- Capsule Connect/VPN - A full Layer 3 tunnel app that gives users network access to all mobile applications.
Desktops/Laptops - Check Point clients for PCs and Macs that use a Layer 3 tunnel to provide access to internal network resources.

Mobile Access Portal

Enter the primary URL for the Mobile Access Portal.

The default URL is:

https://<IP address of the Security Gateway>/sslvpn

You can use the same IP address for all portals on the Security Gateway with a variation in the path.

You can import a p12 certificate for the portal to use for SSL negotiation. All portals on the same IP address use the same certificate.

Note - For information about Mobile Access Portal Clients Release Updates, refer to sk168353.

Applications

Select the applications that will be available to web or mobile device users:

Web Applications - Select the web applications to show on the Mobile Access Portal.
- Demo web application (world clock) - Select while testing Mobile Access, to have a web application show as it will when you are in production.
- Custom web application - Enter the URL of the web application that you want users to be able to open when they connect with Mobile Access. For example, you can set the home page of your intranet site.
Mail/Calendar/Contacts - Enter the Exchange server that mobile devices work with and select which applications mobile device users can access.
- Mobile Mail
- ActiveSync Applications
- Outlook Web App

Active Directory Integration

Select the AD domain, enter your credentials and test connectivity. If you do not use AD, select I don't want to use active directory now.

Authorized Users

Select users and groups from Active Directory or internal users. You can also create a test user that will get access to the configured applications.

What's Next?

This window helps you understand steps that are required to complete the automatic configuration done by the Mobile Access wizard. Depending on the selections you made, you might see these steps:

Edit the Access Control policy and add a rule for Remote Access Community - To work with Desktop Remote Access Clients or Capsule Connect clients, the Mobile Access Wizard automatically includes this Security Gateway in the Remote Access VPN community. Remote Access Clients get access rules from the Firewall Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..
Install policy on this security gateway - When you install policy, the changes made by the Mobile Access Wizard become active.
Log in to the Web portal (usually https://<ip address>/sslvpn) - This is the web portal that you configured. Log in to see and use it.

Each Mobile Access-enabled Security Gateway leads to its own Mobile Access user portal. Remote users log in to the portal using an authentication scheme configured for that Security Gateway.

Remote users access the portal from a Web browser with https://<Gateway_IP>/sslvpn, where <Gateway_IP> is one of these:
- FQDN that resolves to the IP address of the Security Gateway
- IP address of the Security Gateway
Remote users that use HTTP are automatically redirected to the portal using HTTPS.

Note - If Hostname Translation is the method for link translation, FQDN is required.

Set up the URL for the first time in the Mobile Access First Time Wizard.
Install Check Point Capsule Workspace App and Desktop VPN client - Install an App or VPN client to start using it. Prepare for mobile devices and for desktop clients (see the "Preparing for Capsule Workspace" section).
Easily deploy client certificates to your users with the new client certificates tool - If you use authentication with client certificates, configure the client certificates (see the "Managing Client Certificates" section).

Setting up the Mobile Access Portal

Each Mobile Access-enabled Security Gateway leads to its own Mobile Access user portal. Remote users log in to the portal using an authentication scheme configured for that Security Gateway.

Remote users access the portal from a Web browser with https://<Gateway_IP>/sslvpn, where <Gateway_IP> is one of these:

FQDN that resolves to the IP address of the Security Gateway
IP address of the Security Gateway

Remote users that use HTTP are automatically redirected to the portal using HTTPS.

Note - If Hostname Translation is the method for link translation, FQDN is required.

Set up the URL for the first time in the Mobile Access First Time Wizard.

Customizing the User Portal

To change the IP address used for the user portal:

From the properties of the Security Gateway object, select Mobile Access > Portal Settings.

To configure the look and feel of the portal:

From the properties of the Security Gateway object, select Mobile Access > Portal Customization.

Configuring Mobile Access Policy

Users can access Mobile Access applications remotely as defined by the policy rules:

Unified Access Policy - Configure all rules for the Security Gateway in the Unified Access Policy. See Mobile Access and the Unified Access Policy.
Legacy Policy - Configure all rules for the Security Gateway in the shared Mobile Access Policy in the SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings.. This option is available for Security Gateways of all versions and is the default for all Security Gateways.

For all policy types, rules include these elements:

Users and User Groups - In the Unified Access Policy, these are included in Access Roles.
Applications that the users can access.
The Security Gateways, to which the rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. applies.

You can also include VPN and Remote Access clients in rules to define which client users can use to access the application.

The Mobile Access policy applies to the Mobile Access Portal and Capsule Workspace. It does not apply to Desktop clients or Capsule Connect.

Settings related to what users can access from mobile devices are also defined in the Mobile Profile: SmartDashboard > Mobile Access tab > Capsule Workspace.

Including Mobile Access in the Unified Access Policy

To make a Mobile Access Security Gateway use the Unified Access Policy:

In SmartConsole, from the left navigation panel, click Gateways & Servers and double-click the Mobile Access Security Gateway object.
From the tree, select Mobile Access.
In the Policy Source area, select Unified Access Policy.
Click OK.
Install policy.

To create rules for Mobile Access in the Unified Access Policy:

See Mobile Access and the Unified Access Policy.

Creating Mobile Access Rules in the Legacy Policy

The order of the rules in the Legacy Policy is not important.

To create rules in the Mobile Access Rule Base:

In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

SmartDashboard opens and shows the Mobile Access tab.
From the navigation tree, click Policy.
Right-click the rule and select New Rule > Below.
In the Users column, right-click the cell and select Add Users.
In the User Viewer that opens, you can:
- Select a user directory, either internal or an Active Directory domain.
- Search for and select individual users, groups, or branches.
In the Applications column, right-click the cell and select Add Applications.
In the Application Viewer that opens, you can:
- Select an application from the list.
- Click New to define a new application.
If you create a New application:
1. Select the type of application.
2. In the window that opens enter a Display Name to show to end-users. For example, "Corporate Intranet".
3. Enter the URL or path to access the application according to the example shown.
In the Install On column, right-click the cell and select Add Objects and select the Security Gateways for the rule.
Click Save and then close SmartDashboard.
In SmartConsole, install policy.

Preparing for Capsule Workspace

To enable devices to connect to the Security Gateway with Capsule Workspace:

In SmartConsole, enable and configure Mobile Access on the Security Gateway.
From the Gateway Properties, click Mobile Access, and select Mobile Devices and Capsule Workspace.
In Gateway Properties > Mobile Access > Authentication, select how users authenticate to the mobile device.

If necessary, manage certificates for authentication between the devices and the Security Gateway (see the "Configuring Client Certificates" section).
Optional: Configure ESOD Bypass for Mobile Applications (see the "ESOD Bypass for Mobile Apps" section).
Make sure you have rules in the Access Control Policy that allow traffic for mobile devices. For example, access to Exchange and application servers from the Security Gateway.
Download a Capsule Workspace App from the App Store or Google Play to mobile devices.
Give users instructions to connect, including the:
- Site Name
- Registration key (if you use certificate authentication)
If you use certificate authentication, we recommend that you include this information in the client certificate distribution email.

Configuring Client Certificates

If you use certificates for mobile and desktop clients, use the Client Certificates page in SmartConsole to manage certificates for authentication between the devices and the Mobile Access for Smartphones and Tablets.

To configure client certificates:

In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.
In the Client Certificates pane, click New.

The Certificate Creation and Distribution wizard opens
From the navigation tree click Client Certificates.
Create and distribute the certificates.
Install Policy.

For more details see Mobile Access for Smartphones and Tablets.