Endpoint Security on Demand

Endpoint Compliance Enforcement

The Check Point Endpoint Security on Demand scanner enforces endpoint compliance by scanning the endpoint to see if it complies with a pre-defined endpoint compliance policy. For example, an endpoint compliance policy can make sure that the endpoint client has updated Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. software and an active Firewall. If the endpoint is compliant with the endpoint compliance policy, the user is allowed to access the portal.

By ensuring that endpoints comply with a security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., Endpoint Security on Demand protects enterprises from threats emanating from unsecured endpoint computers that can result in data loss and excessive bandwidth consumption.

The endpoint compliance policy is made up of rules. A policy can specify, for example, that the endpoint machine must have an approved Anti-Virus application, and that it must be free of spyware. A policy could also specify that a machine must be managed by the organization in order to gain full access to internal data and applications.

On Security Gateways, a combination of Endpoint ComplianceClosed Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. Policy and Secure Workspace Policy can require the following Policy: Any client connecting to the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. from a machine that is not managed by the organization or that does not meet a specific enforcement policy, must use Check Point Secure Workspace. This ensures that no unauthorized information is accessed.

Endpoint Compliance Policy Granularity

The administrators can make compliance with a policy a requirement for accessing either the portal or specific applications. This makes it possible to assign varying levels of security clearance to the portal and to Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. applications.

Endpoint Compliance policies can be assigned to Mobile Access Security Gateways. They can also be assigned to Protection Levels, which are in turn associated with Mobile Access applications.

  • If an Endpoint Compliance policy is assigned to a Security Gateway, endpoint machines must comply with the policy before they are allowed to log in to the portal.

  • If an endpoint machine does not comply with the Endpoint Compliance policy on a Security Gateway, users can be required to use Check Point Secure Workspace.

  • To provide additional protection to an application, it is possible to "harden" the Endpoint Compliance protection that is enforced by the Security Gateway by assigning an Endpoint Compliance policy to a Protection Level, and then assigning that Protection Level to an application.

    To access that application, the endpoint machine must comply with the policy associated with the Protection Level, in addition to the policy associated with the Security Gateway.

In either case, the scan takes place before logging in to the portal. Only one scan is performed. Compliance to policies is determined according to the results of the scan.

Endpoint Compliance Policy Rule Types

There are different types of Endpoint Compliance policy rules, for different types of security applications. It is possible to have multiple rules of the same type, each with different settings.

Windows Security Rule

Windows security rules perform Windows-specific checks. For example:

  • Check for the latest Windows Service Pack on endpoint.

  • Check the enabled/disabled state of the built-in Microsoft Windows Automatic Updates system.

  • Check for Microsoft Windows Hotfixes and patches on the endpoint.

  • Enforce Windows patches by their ID.

Endpoint computers running Windows must pass these checks in order to gain access to the network.

At least one of the Hotfixes in the ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Anti-Spyware Application Rule

Choose which Anti-Spyware applications endpoint computers (on the Windows platform) must have to gain access to the network.

Ensure that appropriate Anti-Spyware software is running on endpoint computers, and that the software version and virus signature files are up-to-date.

At least one of the Anti-Spyware applications in the rule must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal.

For convenience, Anti-Spyware enforcement rules are pre-configured with supported Anti-Spyware providers. To require a non-supported Anti-Spyware provider, use a custom check rule.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Anti-Virus Application Rule

Choose which Anti-Virus applications the endpoint computer must have in order to gain access to the network.

Ensure that appropriate Anti-Virus software is running on endpoint computers, and that the software version and virus signature files are up-to-date.

At least one of the Anti-Virus applications in the rule must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal.

For convenience, Anti-Virus enforcement rules are pre-configured with supported Anti-Virus providers. To require a non-supported anti-virus provider, use a custom check rule.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Firewall Application Rule

Choose which personal Firewall applications endpoint computers (on Windows, Linux or Macintosh platforms) must have to gain access to your network.

Ensure that appropriate Firewall software is installed, enabled and running on endpoint computers.

At least one of the Firewall applications in the rule must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal.

For convenience, Firewall enforcement rules are pre-configured with supported Firewall providers. To require a non-supported Firewall provider, use a custom check rule.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Custom Check Rule

Perform custom checks on endpoint computers (on the Windows, Linux or Macintosh platforms) that are not covered by any of the other rule types. For example:

  • Custom applications. These applications may include proprietary spyware scanners that supplement the predefined types and/or other special security solutions.

  • Specific files.

  • Registry keys or processes running on the endpoint computer.

  • Non-English or localized names of processes and files.

Custom check rules can be configured to check for specific versions and modification dates.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule, and the error message that is presented to users in the event of non-compliance, such as remediation information.

"OR" Group of Rules

An "OR Group of Rules" rule includes a list of previously defined rules. An endpoint satisfies a rule of type "OR Group of Rules" if it satisfies one or more of the rules included in the "OR Group of Rules" rule.

The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.

Spyware Scan Rule

Select the action that should take place for each type of spyware present on endpoint computers. You can change the protections for types of spyware threats.

Spyware Type

Description

Dialer

Software that change the user's dial-up connection settings so that instead of connecting to a local Internet Service Provider, the user connects to a different network, usually a toll number or international phone number.

Worm

Programs that replicate over a network for the purpose of disrupting communications or damaging software or data.

Keystroke Logger

Programs that record user input activity (keystrokes or mouse activity). Some keystroke loggers transmit the recorded information to third parties.

Hacker Tool

Tools that facilitate unauthorized access to a computer and/or extraction of data from a computer.

Remote Administration Tool

Commercially developed software that allows remote system access and control.

Trojan

Malicious programs that masquerade as harmless applications.

Adware

Programs that display advertisements or record information about Web use habits and forward it to marketers or advertisers without the user's authorization or knowledge.

Other

Any unsolicited software that secretly performs undesirable actions on a user's computer and does not fit any of the above descriptions.

Screen Logger

Software that record what a user's monitor displays.

Tracking Cookie

Cookies that are used to deliver information about the user's Internet activity to marketers.

Browser Plug-in

Software that modifies or adds browser functionality. Browser plug-ins change the default search page to a pay-per-search site, change the user's home page, or transmit the browser history to a third party.

Endpoint Security on Demand. For example, you can allow that a signature that is recognized as spyware by Mobile Access, but which you see as legitimate.

In the rule, set the action to take if an endpoint computer fails to comply. Set the error message that users see in the event of non-compliance, such as remediation information.

Endpoint Compliance Logs

If the end user machine is not compliant with one or more of the Endpoint Compliance policy rules, Mobile Access generates Endpoint Compliance-specific logs with the category "Endpoint Security on Demand". The log entries appear in SmartLog, and include the:

  1. Rule ID and name that causes the authorization failure.

  2. Policies that this rules belongs to.

  3. A description in the "info" field of the log. Two logging levels are available to the administrator: (For configuration details, see the "Configuring Endpoint Compliance Logs" section.)

    Note - Mobile Access logs non-compliant rules from all policies, not only the Endpoint Compliance policy that is assigned to the Security Gateway or to an application. This means that there may be entries in SmartLog for rules that do not appear in the report presented to the end user.

    • Summary: Only one log entry per scan is written to SmartLog. The log entry shows endpoints that do not comply with the Endpoint Compliance policy. The date and time of the scan, the source IP, and the Endpoint Compliance scan ID are logged.

    • Details: In addition to the Summary mode information, this adds a log entry for each non-compliant rule. For example, in the case of a Spyware Scan rule that screens for tracking cookies, a log entry is generated that contains the following fields:

      • Malware name: unwantedexample.

      • Malware type: 3rd party cookie.

      • Description: symptom type: URL. Symptom value: cookie:bob@unwantedexample.net.

Configuring Endpoint Compliance

The workflow for configuring Endpoint Compliance enforcement is below. Each step is described in detail in the sections that follow:

  1. Plan the Endpoint Compliance Policy

    Decide on security clearance levels for Mobile Access Portals and applications. For example, is it OK for users to gain access to all Mobile Access applications as long as they comply with a single policy? If some resources are more sensitive than others, you may wish to draw up a more stringent policy for some applications than for others.

  2. Use the ICSInfo Tool

    Set up a stand-alone test computer with all the endpoint security applications you want to create enforcement rules for, and the run the ICSinfo tool to obtain the information needed to correctly define Endpoint Compliance policy rules.

  3. Create Endpoint Compliance Policies

    Policies are made up of rules. In order to comply with the policy, endpoints must comply with all rules in the policy. Rules can be used in more than one policy. Rules that are not in a policy are not used.

    There are different types of rules for different security applications. The Endpoint Compliance policy configuration tool comes with a number of predefined rules which can be edited to match the needs of the organization.

  4. Configure Endpoint Compliance Settings for Applications and Gateways

    Configure which Endpoint Compliance Policies should be assigned to which applications and Security Gateways.

    • To make access to the portal conditional on passing an Endpoint Compliance scan, assign a policy to a Security Gateway

    • To make access to applications conditional on passing an Endpoint Compliance scan:

      • Assign a policy to a Protection Level.

      • Assign Protection Levels to Mobile Access applications.

  5. Complete the Endpoint Compliance Configuration

    Configure tracking options for the endpoint scan results, then save and install the security policy

Planning the Endpoint Compliance Policy

Defining the Endpoint Compliance policy for Mobile Access clients involves some planning, prior to performing the SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. configuration.

You need to define security clearance levels for the both the Mobile Access Portal (that is, the Security Gateway) and for portal applications. There are various approaches, and the best one to use depends on how granular you need to make the policy.

Basic Approach:

The simplest approach is to define a single Endpoint Compliance policy for the Security Gateway and all applications accessed via the Security Gateway. In this approach, all applications accessed via the Security Gateway are protected by the Endpoint Compliance policy of the Security Gateway. Users whose client machines comply with the policy have access to the portal and all applications.

For example:

Resource

Endpoint Compliance Policy

Security Gateway A

Low Security

Web App P

Rely on Security Gateway requirements

Web App Q

Rely on Security Gateway requirements

File Share R

Rely on Security Gateway requirements

Advanced Approach:

A more advanced approach is appropriate if there is one application (or a small number of applications) that has stricter security requirements than other applications. These additional requirements are specified in a separate Endpoint Compliance policy, which is enforced in addition to the Security Gateway policy. To access the Mobile Access Portal, all users must fulfill the threshold security requirements of the Security Gateway policy. Users clicking a link in the portal to an application with additional security requirements are only allowed access to the application if they fulfill those additional requirements.

For example:

Resource

Endpoint Compliance Policy

Security Gateway A

Low Security

Web App P

Rely on Security Gateway requirements

Web App Q

High Security

File Share R

Rely on Security Gateway requirements

Very Advanced Approach:

Where most or every application has its own endpoint security requirements, it is possible to define an individual Endpoint Compliance policy for each application. In this scenario, there are no Security Gateway security requirements: All users are able to access the portal. However, when clicking a link to an application, users are only allowed access if they fulfill the requirements for that application. If no requirements are configured for the application, users are allowed to access it.

For example:

Resource

Endpoint Compliance policy

Security Gateway A

None

Web App P

Low Security

Web App Q

High Security

File Share R

Medium Security

Example Rules for Endpoint Compliance Policies

The following table illustrates Endpoint Compliance policies with different rules, for different security requirements.

Rule

Description

High Security

Endpoint Compliance Policy

Medium Security

Endpoint Compliance Policy

Low Security

Endpoint Compliance Policy

1

Default Windows Security rule

Yes

Yes

No

2

Anti-Virus applications check

Yes

Yes

Yes

3

Firewall applications check

Yes

Yes

Yes

4

Spyware Scan rule

Yes

No

No

Using the ICSInfo Tool

When defining Endpoint Compliance policy rules, you must use the correct format. This format varies from vendor to vendor. The ICSinfo.exe utility scans your computer, and generates an xml file that gives you the information in the correct format for all supported security programs it finds.

Run the ICSinfo tool before configuring the Endpoint Compliance policy rules.

To use the ICSinfo.exe utility:

  1. Set up a stand-alone test computer with all the endpoint security applications you want to create enforcement rules for. Be sure to apply the latest updates to your security software.

  2. Copy the ICSinfo tool from the Mobile Access Security Gateway to the test computer. The tool is located at $CVPNDIR/htdocs/ICS/components/ICSinfo.exe.

  3. Run ICSinfo.exe.

    This utility lists all detected security software, along with the required information in the correct format.

    The XML format output file ICSinfo.xml can be viewed in a browser.

    The sections of the file can be collapsed or expanded by clicking the - or +.

  4. Record the information for each security program and use this information to create your Endpoint Compliance policy rules.

Creating Endpoint Compliance Policies

To configure Endpoint Compliance policies:

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance.

  3. Click Edit policies.

    The Endpoint Compliance policy configuration tool opens at the Policies page.

  4. Either create a new Endpoint Compliance policy or edit an existing policy.

    • To create an Endpoint Compliance policy click New Policy.

      The Policies > New Policy page opens.

    • To edit an existing policy, select the policy and click Edit.

      The Policies > Edit Policy page opens.

  5. Give the policy a Name, and a Description.

  6. For policies with Spyware Scan rules, if an endpoint computer has a valid Anti-Spyware of Anti-Virus application, make sure that the Endpoint Security on Demand Spyware Scan is necessary.

    If not, select Bypass malware scan if endpoint meets Anti-Virus or Anti-Spyware requirements.

    Note - This option is disabled if there is no Spyware Scan rule in the policy.

  7. Within a Policy, either add previously defined Endpoint Compliance rules, or create new rules or edit previously defined rules.

    There are different types of rules for different security applications.

    It is possible to have multiple rules of the same type, each with different settings.

    • To add a previously defined rule, click Add.

      The Add Enforcement Rules page opens. Select a rule and click OK.

    • To create a rule, click New Rule, and select the rule type

    • To edit a previously defined rule, select the rule and click Edit.

  8. Define the rules.

    Note - For explanations of fields in the Endpoint Compliance rules, press the F1 key to see the online help.

  9. Click OK.

    This takes you back to the Edit Policy or the New Policy page.

  10. Click OK.

    This takes you back to the Policies page.

  11. Click OK.

    This completes the configuration of the Endpoint Compliance Policies, and takes you back to the Endpoint Security on Demand > Endpoint Compliance page.

    After the Endpoint Compliance policies are configured, Endpoint Compliance settings can be configured to make use of the polices.

  12. Close SmartDashboard.

  13. In SmartConsole, install the policy.

Configuring Endpoint Compliance Settings for Applications and Security Gateways

To configure Endpoint Compliance:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance.

  3. Click Scan endpoint machine when user connects.

  4. Choose one of the available approaches:

    • Basic Approach - Configuring a Common Policy for the Portal and all Applications

    • Medium Approach - Configuring a Threshold Policy for the Portal, Hardened for Specific Applications

    • Advanced Approach - Configuring Individual Policies for Each Application

Basic Approach - Configuring a Common Policy for the Portal and all Applications

To assign a policy to the Security Gateway and require an Endpoint Compliance scan to connect to the Security Gateway:

  1. Click Threshold policy to access any application via this gateway, the endpoint must comply with the following policy.

  2. From the drop-down list, select the Endpoint Compliance policy that is used for all applications accessed with this Security Gateway.

  3. Click OK.

To make sure that the applications use the Security Gateway settings for their Endpoint compliance:

  1. From the Objects Bar, click Custom Application/Sites > Mobile Applications > Web Applications.

  2. Double-click the application.

    The Web Application settings window opens.

  3. From the navigation tree, click Additional Settings > Protection Level.

  4. Make sure that This application relies on the security requirements of the gateway is selected.

  5. Click OK.

  6. Repeat these steps for each application.

  7. Install policy.

  8. Configure the Endpoint Compliance logs.

Medium Approach - Configuring a Threshold Policy for the Portal, Hardened for Specific Applications

To configure the Security Gateway settings:

  1. Click Threshold policy: to access any application via this gateway, the endpoint must comply with the following policy.

  2. From the drop-down list, select the default Endpoint Compliance policy to be used for applications accessed via this Security Gateway.

  3. Click OK.

To make sure that the applications use the Security Gateway settings for their Endpoint compliance:

  1. From the Objects Bar, click Custom Application/Sites > Mobile Applications > Web Applications.

  2. Double-click the application that requires hardened endpoint security.

    The Web Application settings window opens.

  3. From the navigation tree, click Additional Settings > Protection Level.

  4. Click This application has additional security requirements, specified by the following protection level.

  5. From the drop-down list, select a Protection Level for this application.

    To define a new Protection Level, click Manage and Mobile Access Applications.

  6. Click OK.

  7. Repeat these steps for each application.

  8. Install policy.

  9. Configure the Endpoint Compliance logs.

Advanced Approach - Configuring Individual Policies for Each Application

To configure the Security Gateway settings:

  1. In the Endpoint Compliance page of the Security Gateway, click No threshold: to protect applications, configure endpoint compliance requirements individually per application.

  2. Click OK.

To configure an individual policy for each application:

  1. From the Objects Bar, click Custom Application/Sites > Mobile Applications > Web Applications.

  2. Double-click the application that requires hardened endpoint security.

    The Web Application settings window opens.

  3. From the navigation tree, click Additional Settings > Protection Level.

  4. Click This application has additional security requirements, specified by the following protection level.

    Note - If This application relies on the security requirements of the gateway is selected for the Mobile Access application, users are allowed to access the application without any Endpoint Compliance requirements.

  5. From the drop-down list, select a Protection Level for this application.

    To define a new Protection Level, click Manage and Mobile Access Applications.

  6. Click OK.

  7. Repeat these steps for each application.

  8. Install policy.

  9. Configure the Endpoint Compliance logs.

Configuring Advanced Endpoint Compliance Settings

You can edit the Advanced Endpoint Compliance Settings to configure whether or not to allow access to the Security Gateway and applications if the Endpoint Compliance scanner is not supported on the endpoint operating system.

  1. In SmartDashboard, from the navigation tree, click Endpoint Security on Demand > Endpoint Compliance page.

  2. Click Edit.

    The Advanced Endpoint Compliance Settings window opens.

    In this window you can decide whether or not to allow access to the Security Gateway and applications if the Endpoint Compliance scanner is not supported on the endpoint operating system.

The Endpoint Compliance scanner supports the following operating systems: Windows, Mac, and Linux.

Configuring Platform-Based Bypass Per OS

If you want to allow some endpoint operating systems to bypass Endpoint Compliance requirements, you must select the Allow access option in the Advanced Endpoint Compliance Settings window.

For details, see the operating system compatibility table in the Mobile Access Release Notes.

To configure different rules on endpoints with different operating systems, see SecureKnowledge solution sk34989.

Platform-Based Bypass Per Protection Level

Configuring Endpoint Compliance Settings per Protection Level lets you set Platform-Based Bypass per application.

By default all Advanced Endpoint Compliance Settings are taken from the SmartDashboard configuration, in the Advanced Endpoint Compliance Settings page.

Enabling Platform Based Bypass per Protection Level

To configure different access permissions for various Protection Levels for Endpoint Compliance scanning, run:

cvpnd_settings set useICSRelaxedModeInProtectionLevel true

To return to the default setting, change true to false in the above command.

Configuring the Protection Levels that are Bypassed

In the Mobile Access tab of SmartDashboard, under Additional Settings > Protection Levels, is a list of Protection Levels. From this page you can edit the Authentication and Endpoint Security settings that are required for applications assigned to each Protection Level. You can also create new Protection Levels.

In the Mobile Access application properties, assign a Protection Level to an application. For example, if you want to allow access to an application only if the user is compliant with Endpoint Compliance policy1, but you also need to accommodate the user connecting from an endpoint that does not support Endpoint Compliance scanning (such as an iPhone), then:

  1. Create or use a Protection Level named ESOD_Relaxed_PL which enforces Endpoint Compliance Policy policy1.

  2. Assign the Protection Level to the application.

  3. Configure the Protection Level as "Bypassed".

    To configure different access permissions for various Protection Levels for Endpoint Compliance, from the Mobile Access CLI, in expert mode, run:

    cvpnd_settings listAdd ICSRelaxedModeProtectionLevelNames ESOD_Relaxed_PL

You can add other Protection Levels as well.

To restore a Protection Level from being "Bypassed", for Endpoint Compliance:

  1. Run:

    cvpnd_settings listRemove ICSRelaxedModeProtectionLevelNames

  2. Follow the on-screen instructions.

To finalize the configuration of granular platform-based bypass for Endpoint Security on Demand:

  1. Restart the Mobile Access services by running cvpnrestart

    If the Mobile Access Security Gateway is part of a clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., be sure to make the same change on each cluster memberClosed Security Gateway that is part of a cluster..

  2. In SmartDashboard, assign the Protection Levels to the applications.

  3. Install the policy.

Configuring Endpoint Compliance Logs

Mobile Access generates Endpoint Compliance-specific logs. The logs can be viewed in SmartLog, and have the category Endpoint Security on Demand. The Endpoint Security on Demand information is in the info field of the logs.

To configure tracking options for the Endpoint Compliance scanner:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance.

  3. In the Endpoint Compliance page, in the Tracking section, enable Log the endpoint scan results to record the results of Endpoint Compliance scans to the log.

  4. Select Details or Summary to determine the level of detail to record in the log file.

  5. Click Save and then close SmartDashboard.

  6. In SmartConsole, install the policy.

The Tracking options are:

  • Summary: Only one log entry per scan is written to SmartLog. The log entry shows endpoints that do not comply with the Endpoint Compliance policy. The date and time of the scan, the source IP address, and the Endpoint Compliance scan ID are logged.

  • Details: In addition to the Summary mode information, this adds a log entry for each non-compliant rule. For example, in the case of a Spyware Scan rule that screens for tracking cookies, a log entry is generated that contains the following fields:

    1. Malware name: unwantedexample.

    2. Malware type: 3rd party cookie.

    3. Description: symptom type: URL. Symptom value: cookie:bob@unwantedexample.net.

Assign Policies to Security Gateways and Applications

To assign policies to Security Gateways:

  1. On the Endpoint Compliance page, add all Mobile Access Security Gateways to the Endpoint Security Settings on Mobile Access Security Gateways section.

  2. Edit each Security Gateway, whose access will be conditional on passing an Endpoint Compliance scan. Choose the Threshold policy and select Scan the endpoint machine when a user connects.

To assign policies to applications:

  1. To make access to applications conditional on passing an Endpoint Compliance scan, assign a policy to a Protection Level.

  2. Assign Protection Levels to Mobile Access applications.

Excluding a Spyware Signature from a Scan

To exclude a spyware signature from a scan:

  1. Configure Mobile Access so that endpoint computers must undergo an Endpoint compliance scan before they connect. The Endpoint Compliance policy must include a Spyware Scan rule.

  2. Set up a stand-alone test computer that has the spyware to be excluded from the scan.

  3. Run an Endpoint compliance scan on the test computer by connecting from it to Mobile Access.

    When Endpoint Security on Demand detects the spyware (irrespective of the action configured in the Spyware Scan rule), the name of the spyware (something like Win32.megaspy.passwordthief) is included in the report.

  4. Make a note of the name of the spyware.

  5. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  6. From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance.

  7. Click Edit Policies.

  8. Select the policy that is applicable to the clients, and click Edit.

  9. Select the Spyware Scan rule from the list and click Edit.

  10. In the Software exception list section, click Add.

  11. Type the Name of the spyware, and a Description.

  12. Click OK three times to close the Endpoint Compliance policy editor.

  13. Click Save.

  14. Close SmartDashboard.

  15. In SmartConsole, install policy.

Preventing an Endpoint Compliance Scan Upon Every Login

By default, the end user computer is scanned by the Endpoint Compliance scanner every time the user logs in. This is the default, and most secure configuration.

It is possible to configure Mobile Access so that after logging in, the user is not scanned, even after logging in again, until the end of a timeout period.

For configuration details, see sk34844.

Endpoint Compliance Scanner End-User Workflow

The Endpoint Compliance scanner on endpoint computers is supported on browsers that run ActiveX (for Windows with Internet Explorer), or Java.

When using the Endpoint Compliance scanner with Internet Explorer, the browser must be configured to download and run ActiveX controls and to allow Active Scripting. This section explains how to configure Internet Explorer to ensure that the Endpoint Compliance scanner will install and run properly on the endpoint computer.

To configure Internet Explorer for the Endpoint Compliance scanner:

  1. Select Tools > Internet Options from the Internet Explorer menu.

  2. Select the Security tab.

  3. Select the Web content zone used by the endpoint computer for remote connections from the Security Settings window.

  4. Click Custom Level.

  5. Enable the following options in the Security Settings window and then click OK:

    • Download signed ActiveX controls

    • Run ActiveX controls and plug-ins

    • Script ActiveX controls marked as safe for scripting

    • Active scripting

  6. Select the Privacy tab > theMedium setting, and then click Advanced.

  7. Enable Override automatic cookie handling and in the 1st party cookies section, enable Accept.

  8. Click OK.

Endpoint Compliance Scanner End-User Experience

When a user connects to a portal where the Endpoint Compliance is enabled, the end user computer is scanned before the user sees the login screen.

The Endpoint Compliance Scanner is installed on the endpoint machine, by using ActiveX (for Windows with Internet Explorer), or The Legacy Mobile Access Portal.

Note - The Endpoint Compliance scan starts if Endpoint compliance is configured for a Mobile Access application in a portal, even if portal access does not require compliance with a policy.

To login to the Mobile Access Portal with the Endpoint Compliance scanner enabled:

  1. Enter the Mobile Access Portal URL in your browser.

  2. If you are using the Endpoint Compliance scanner for the first time on a particular endpoint computer, you are prompted to download and install the Check Point Mobile Access Portal Agent.

    You may see these warnings:

    1. Do you trust the Mobile Access site you are connecting to?

    2. Do you trust the certificate of the server of the Mobile Access site?

  3. During the scan, a progress bar is displayed.

  4. If the endpoint computer successfully passes the Endpoint compliance scan, the Mobile Access Portal login screen appears.

    If the endpoint computer fails to pass the scan, Endpoint Security on Demand displays a result screen showing the potentially harmful software and security rule violations detected during the scan.

    • Click on a potentially harmful software item to display a short description of the detected malware, what it does and recommended removal method(s).

    • If the Continue Anyway button appears, you can continue and log on to the Mobile Access Portal without removing the malware or correcting the security rule violation.

    • If there is no Continue Anyway button, you must remove the detected malware or correct the security rule violation before you can log on to the Mobile Access Portal. When you have corrected the problem, click Scan again to repeat the scan.

  5. When the Mobile Access Portal login page appears, you can log on normally.

Note - The user and administrator see the scan results as log entries in the Traffic Log. Each entry shows the user name, user group, source computer, malware name, malware type, and malware description.

Using Endpoint Security on Demand with Unsupported Browsers

Endpoint Security on Demand for Mobile Access requires browsers that support ActiveX or Java.

The following sections describe Endpoint Security on Demand behavior when users attempt to access the Mobile Access Portal using an unsupported browser.

  • If the Block access to all applications option on the Endpoint compliance scan Policy page is enabled, and either of the following conditions exist, the endpoint computer cannot connect to the Mobile Access Portal.

    • The Prevent Connectivity option is enabled for at least one malware protection rule.

    • The Restrict action is selected for at least one enforcement rule (anti-virus or custom).

      In this case, Endpoint Security on Demand presents an error message and generates a log entry in the administrator's traffic log.

  • In all other cases, users can log on to the Mobile Access Portal without passing an Endpoint compliance scan. In some cases, an incompatibility message appears with a Continue button that allows users to proceed with Mobile Access login. Endpoint Security on Demand generates a log entry in the administrator's traffic log.

  • When an application's Protection Level is configured to require an Endpoint Compliance scan, users can still gain access to the Mobile Access Portal, but cannot run that application.

Preventing Portal Access with Unsupported Browsers

The following steps can prevent users using unsupported browsers from gaining access to the Mobile Access Portal and applications without passing an Endpoint Compliance scan:

  • Enable the Scan endpoint machine when user connects option, and set a threshold policy. This setting is found on the Endpoint Security on Demand > Endpoint compliance page.

  • Assign Protection Levels that require passing an Endpoint Compliance scan to all applications.

  • Prevent users from using an unsupported browser to access the Mobile Access Portal by forcing Endpoint Security on Demand to reject all connections from unsupported browsers. See the "Configuring Advanced Endpoint Compliance Settings" section.

Completing the Endpoint Compliance Configuration

The Endpoint Compliance page shows:

  • Number of Mobile Access Security Gateways configured to scan endpoint machines.

  • Security policy required on the Security Gateway.

  • Number of Mobile Access applications, with Level of Enforcement (full, partial, or none).

If this is correct for your organization:

  1. Click Save.

  2. Close SmartDashboard.

  3. In SmartConsole, install policy.