The Legacy Mobile Access Portal

Security Gateway Portals

The Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. runs different web-based portals over HTTPS:

All of these portals can resolve HTTPS hosts to IPv4 and IPv6 addresses over port 443.

In addition to SSLv3 and TLS 1.0 (RFC 2246), the Security Gateway supports:

Support for TLS 1.1 and TLS 1.2 is enabled by default, but can be disabled in SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. (for web-based portals) or Database Tool (GuiDBEdit Tool) (see sk13009) (for HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi.).

To configure TLS protocol support for portals:

  1. In SmartDashboard, open Global Properties > SmartDashboard Customization.

  2. In the Advanced Configuration section, click Configure.

    The Advanced Configuration window opens.

  3. On the Portal Properties page, set minimum and maximum versions for SSL and TLS protocols.

To Configure TLS Protocol Support for HTTPS inspection:

  1. In Database Tool (GuiDBEdit Tool), on the Tables tab, select Other > ssl_inspection.

  2. In the Objects column, select general_confs_obj.

  3. In the Fields column, select the minimum and maximum TLS version values in these fields:

    • ssl_max_ver (default = TLS 1.2)

    • ssl_min_ver (default = SSLv3)

Portal Settings

Each Mobile Access-enabled Security Gateway leads to its own Mobile Access user portal. Remote users log in to the portal using an authentication scheme configured for that Security Gateway.

R81 introduced the new Mobile Access Portal. See The New Mobile Access Portal.

Portal URL

Remote users access the portal from a Web browser with https://<Gateway_IP>/sslvpn, where <Gateway_IP> is one of these:

  • FQDN that resolves to the IP address of the Security Gateway

  • IP address of the Security Gateway

Remote users that use HTTP are automatically redirected to the portal using HTTPS.

Note - If Hostname Translation is the method for link translation, FQDN is required.

Set up the URL for the first time in the Mobile Access First Time Wizard.

To change the Mobile Access Portal URL:

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Settings.

  3. Change the Main URL.

  4. Optional: Click the Aliases button to Add URL aliases that are redirected to the main portal URL. For example, portal.example.com can send users to the portal. To make the alias work, it must be resolved to the main URL on your DNS server.

  5. Install policy.

Portal Certificate

If you do not import a certificate, the portal uses a Check Point auto-generated certificate. This might cause browser warnings if the browser does not recognize the Security Gateway's management. All portals on the same IP address use the same certificate.

To configure the accessibility settings for the portal:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Settings.

  3. Click Import to import a p12 certificate for the portal website to use.

  4. Click OK.

  5. Install policy.

Portal Accessibility Settings

Configure from where users access the Mobile Access Portal. The options are based on the topology configured for the Security Gateway.

To configure the accessibility settings for the portal:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Settings.

  3. In the Accessibility area, click Edit.

  4. Install policy.

Portal Customization

To customize the Mobile Access end user portal:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Customization.

    The Portal Customization page opens.

  3. Configure the following settings.

  4. Install the policy.

Localization Features

Mobile Access localizes the user interface of the Mobile Access user portal and the Secure Workspace to multiple languages.

The Mobile Access user portal and the Secure Workspace can be configured by Security Gateway in the Portal Settings > Portal Customization page to use these languages:

  • English (the default language)

  • Bulgarian

  • Chinese- Simplified

  • Chinese- Traditional

  • Finnish

  • French

  • German

  • Italian

  • Japanese

  • Polish

  • Romanian

  • Russian

  • Spanish

Auto Detection of User Language Preferences

Automatic language detection is an optional feature that gives priority to the language settings in the user's browser over the language chosen by the administrator.

Automatic language detection is activated by configuring the CVPN_PORTAL_LANGUAGE_AUTO_DETECT flag in the Main.virtualhost.conf file on Mobile Access.

By default, the language preference in the user's browser is not automatically detected. If automatic detection is configured, the language used in SmartDashboard is the first language supported by Mobile Access that is found in the Language Preference list defined in the user's browser settings. If no supported language is found in the Language Preference list in the user's browser, the language set by the administrator in SmartDashboard is used.

To activate automatic language detection, perform the following steps on each cluster member:

  1. Open an SSH connection to Mobile Access, or connect to it via a console.

  2. Log in to Mobile Access using your administrator user name and password.

  3. Change to the Expert mode by typing expert and supplying the password.

  4. Edit the $CVPNDIR/conf/includes/Main.virtualhost.conf file, and change the value of this parameter from 0 to 1:

    from:

    SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 0

    to:

    SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 1

  5. Restart the Mobile Access services:

    cvpnrestart

Language Selection by End Users

Any explicit language selection by the user in any of the portal pages overrides both the administrator's default language setting, and the automatic language detection.

Users can select a language in the user portal sign-in page, in the Change Language To field.

Alternative Portal Configuration

Note - There should be a Mobile Access policy rule that includes the alternative portal as a Web application and allows its intended users to access it.

To specify an alternative user portal:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Portal Settings > Alternative Portal.

  3. Click Add.

    The Mobile Access Sign-In Home Page window opens.

  4. In the User Groups tab, specify user groups that may access the alternative user portal.

  5. In the Install On tab, specify the Mobile Access Security Gateways and Clusters that host the alternative portal.

  6. In the Sign-In Home Page tab, choose an alternative portal for users, in place of the Mobile Access user portal that users reach by default. URL is the location of the alternative user portal for the user group(s) specified in the User Groups tab.

    When a user belongs to more than one group, the table in the Alternative Portal page acts as an ordered rule baseClosed All rules configured in a given Security Policy. Synonym: Rulebase.. Users are directed to the alternative portal of the first group that they are part of.

  7. Click OK.

  8. Click Save and then close SmartDashboard.

  9. In SmartConsole, install policy.

User Workflow for Mobile Access Portal

The user workflow includes these steps:

  1. Sign in and select the portal language.

  2. On first-time use, if you will use SSL Network Extender to access native applications, install ActiveX and Java Components.

  3. Initial setup.

  4. Access applications.

Signing In

In a browser, type in the URL assigned by the system administrator for the Mobile Access Security Gateway.

Best Practice - Some popup blockers can interfere with aspects of portal functionality. Tell users to configure popup blockers to allow pop-ups from Mobile Access.

If the Administrator configured Secure Workspace to be optional, users can choose to select it on the sign in page.

Users enter their authentication credentials and click Sign In. Before Mobile Access gives access to the applications on the LAN, the credentials of remote users are first validated. Mobile Access authenticates the users either through its own internal database, LDAP, RADIUS or RSA Authentication Manager. After the remote users are authenticated, and associated with Mobile Access groups, access is given to corporate applications.

Note - If the Endpoint ComplianceClosed Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. Scanner is enabled, users computers might be scanned before they can access the Mobile Access Sign In page. This is to make sure that credentials are not compromised by 3rd party malicious software.

First Time Installation of ActiveX and Java Components

Some Mobile Access components such as the endpoint Compliance Scanner, Secure Workspace and SSL Network Extender require either an ActiveX component (for Windows with Internet Explorer machines) or a Java component to be installed on the endpoint machine.

When using one of these components for the first time on an endpoint machine using Windows and Internet Explorer, Mobile Access tries to install it using ActiveX. However, Internet Explorer may prevent the ActiveX installation because the user does not have Power User privileges, or display a yellow bar at the top of the page asking the user to explicitly allow the installation. The user is then instructed to click the yellow bar, or if having problems doing so, to follow a dedicated link. This link is used to install the required component using Java.

After the first of these components is installed, any other components are installed in the same way. For example, if the Endpoint compliance Scanner was installed using Java on Internet Explorer, Secure Workspace and SSL Network Extender are also installed using Java.

For general information about the Mobile Access Portal and Java compatibility see sk113410.

Note - To install using ActiveX after a component was installed using Java, delete the browser cookies.

Initial Setup

The user may be required to configure certain settings, such as application credentials. In addition, the user can define additional favorites for commonly used applications.

Accessing Applications

After the remote users have logged onto the Mobile Access Security Gateway, they are presented with a portal. The user portal enables access to the internal applications that the administrator has configured as available from within the organization, and that the user is authorized to use.

Limitations

Mobile Access Portal provides optimal support for Outlook Web Access 2013 / 2016 with the Host-name Translation (HT) method, and only when 'cookies on the endpoint machine' is enabled. The Path Translation (PT) method is partially supported, while the URL Translation (UT) method is not supported.