Exchange Mail Applications for Smartphones and Tablets

Introduction to Exchange Mail Applications

Mobile Mail and ActiveSync Applications let smartphone and tablet users connect to email, calendar, contacts, and notes through an Exchange server. Web applications and file shares are supported on smartphones and tablets.

Mobile Mail Applications

Mobile Mail Applications work with Exchange servers to make business email available on mobile devices with a Capsule Workspace App. The application is in a secure area on the Mobile Device that is usually protected with a passcode. All data in Capsule Workspace is encrypted.

During the Mobile Access Wizard, if you select Mobile Devices > Capsule Workspace, and enter an Exchange server, a Mobile Mail Application is automatically created. Make sure that users have access to the Mobile Mail Application in your Mobile Access policy.

Configuring Mobile Mail Applications

To create and configure a new Mobile Mail application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Click New Custom Application/Site > Mobile Application > Business Mail.

    The Mobile Mail Application window opens.

  3. In the General Properties page:

  4. In the Exchange Access page, in the Define access settings area:

    • Use encryption (https) - By default, traffic to the Exchange server works with HTTPS.

    • Use non-default path - If the Exchange Web Services path on the Exchange server to the application is not the default, enter the path here.

      The default path is EWS/Exchange.asmx and the URL is:

      https://<IP address of the Exchange Server>/EWS/Exchange.asmx

    • Use specific domain - If you want users to authenticate to a specified domain on the Exchange server, enter it here.

  5. In the Exchange Access page, in the Proxy Settings area, if there is a proxy server between the Exchange Server and the Security Gateway, configure these settings:

    • Use gateway proxy settings - By default the proxy settings configured for the Security Gateway are used.

    • Do not use proxy server - Select if no proxy server is required.

    • Use specific proxy server - Configure a proxy server that the Security Gateway communicates with to reach the Exchange Server.

    1. Select the Host and Service.

    2. If credentials are required to access the proxy server, select Use credentials for accessing the proxy server and enter the Username and Password.

  6. In the Display Link page:

    • Title - The name of the application that users will see on their mobile devices.

    • Description - The description of the application that users will see on their mobile devices.

  7. In the Single Sign On page, select the source of the credentials used for Single Sign-On for this application:

    • Login to Exchange with the application credentials - By default, use the same credentials that users use to log in to the Business Secure Container. This only applies if the authentication method configured for them on the Security Gateway is Username/Password (Gateway Properties > Mobile Access > Authentication).

    • Prompt for user credentials and store them locally for reuse - Use different credentials for the Business Secure Container.

      • Show the user the following message on the credentials prompt - Select this and enter a message that users see when prompted to enter the credentials required for the Business Secure Container.

  8. In the Periodic Test page, select which tests are run regularly on the Security Gateways to make sure they can connect to the Exchange server. If there is a connectivity problem, a System Alert log is generated.

    • Run periodic test from gateways that have access to this application - A test makes sure there is connectivity between the Security Gateway and Exchange server. The test runs at the interval that you enter.

    • Perform extensive test using the following account - Periodically run a test to make sure that a user can authenticate to the Exchange server. To run this test you must enter a valid Username and Password.

    Note - If the account password changes, you must enter the new password here.

  9. Click OK.

  10. Install the policy.

Office 365 / OAuth 2.0

The Mobile Access Blade and Capsule Workspace can connect to the Office 365 cloud mail service with the OAuth 2.0 authentication protocol.

Configuration

You must configure the:

  • Security Gateway

  • SmartConsole

  • End-user directory

  • Office 365 service

Security Gateway Configuration

For Capsule Workspace to authenticate through OAuth 2.0 to Office 365, and for the Mobile Access gateway to subscribe to Office 365-related notifications, you must include this configuration in the $CVPNDIR/conf/cvpnd.C file:

| Attribute Name | Default Value | Description |
|---|---|---|
| :Office365TenantID | ("") | The customer’s UUID, as registered on the Microsoft Entra ID (formerly Azure AD) Office 365 application object. |
| :Office365ApplicationID | ("") | The Office 365 application’s UUID, as registered on the Microsoft Entra ID (formerly Azure AD) Office 365 application object. |
| :Office365ClientSecret | ("") | The customer’s client secret (value, not ID), generated by Microsoft Entra ID (formerly Azure AD) for the Office 365 application object, specified in obfuscated form. |

To obtain the secret’s obfuscated form, type the following command on a Mobile Access gateway:

obfuscate_password client_secret

where client_secret is the secret value for Microsoft Entra ID (formerly Azure AD).

To configure attributes in the $CVPNDIR/conf/cvpnd.C file:

  1. Connect to the command line on the Security Gateway / each Cluster Member.

  2. Log in to the Expert mode.

  3. Configure each of the applicable attributes:

    cvpnd_settings $CVPNDIR/conf/cvpnd.C set <Attribute Name> <Attribute Value>

    Best Practice - Create a backup copy of the file.

    Example:

    cvpnd_settings $CVPNDIR/conf/cvpnd.C set Office365TenantID 1234ab56-c78d-9efa-b01c-de2f0ab12c3

  4. Restart the Mobile Access services:

    cvpnrestart
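
The procedure above as a script, added here as an example (not Check Point's own tooling): it checks that the tenant and application IDs have UUID form and that an obfuscated secret was supplied before it backs up cvpnd.C, sets the three attributes and restarts the services. The function names, the DRY_RUN switch and the backup file name are assumptions of this example; only cvpnd_settings, cvpnrestart and the attribute names come from the page.

```bash
#!/bin/bash
# Added example, not Check Point code. Dry run by default: set DRY_RUN=0 on the
# gateway (Expert mode) to execute the commands instead of printing them.

# Entra ID tenant and application IDs are GUIDs: 8-4-4-4-12 hex digits.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Args: tenant ID, application ID, client secret already passed through
# obfuscate_password. Validates everything before the file is touched.
set_office365_attrs() {
    tenant_id=$1 app_id=$2 obf_secret=$3
    cvpndir=${CVPNDIR:-'$CVPNDIR'}   # literal placeholder when run off-gateway
    conf="$cvpndir/conf/cvpnd.C"

    is_uuid "$tenant_id" || { echo "Office365TenantID is not a UUID" >&2; return 1; }
    is_uuid "$app_id" || { echo "Office365ApplicationID is not a UUID" >&2; return 1; }
    [ -n "$obf_secret" ] || { echo "Office365ClientSecret is empty" >&2; return 1; }

    # Best practice from the procedure: back up cvpnd.C first
    # (the backup file name is this example's choice).
    run cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    run cvpnd_settings "$conf" set Office365TenantID "$tenant_id" || return 1
    run cvpnd_settings "$conf" set Office365ApplicationID "$app_id" || return 1
    run cvpnd_settings "$conf" set Office365ClientSecret "$obf_secret" || return 1
    run cvpnrestart
}

# Runs only when the three values are given on the command line.
if [ "$#" -eq 3 ]; then
    set_office365_attrs "$@"
fi
```

On a cluster, run it on each member, as the procedure requires.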

SmartConsole Configuration

Use a Mobile Mail Application object to configure the Office 365 mail application.

To configure a Mobile Mail Application object as an Office365 Mail Application:

  1. Go to General Properties > Exchange Server.

  2. Enter:

    'outlook.office365.com'

  3. Go to Exchange Access > Use Specific Domain.

  4. Enter the domain configured for your Office 365 Enterprise account.

    Example:

    'mailaccountdomain.onmicrosoft.com'

  5. Go to Single Sign-On.

  6. Select Prompt for user credentials.

  7. Go to Single Sign-On > Credential Formats.

  8. Select username@domain.

  9. After you complete the object configuration, use the access policy to add it to one or more Capsule Workspace user groups.

To support push notifications from the Office 365 cloud service:

Note - The Mobile Access gateway has a single ‘ExchangeRegistration’ portal for receiving mail notifications. If the gateway has more than one interface, the portal can be configured to listen on an internal interface or on an external one. This means that the gateway cannot receive notifications from an internal Exchange Server and Office365’s service simultaneously.

Configure the Mobile Access ‘Exchange registration’ portal to use the gateway’s publicly accessible URL:

  1. In SmartConsole, open the Mobile Access Gateway object.

  2. From the left, click Mobile Access > Capsule Workspace.

  3. Select Enable Push Notifications.

  4. Click OK.

  5. Publish the SmartConsole session.

  6. Connect with the Database Tool (GuiDBEdit Tool) to the Management Server.

  7. In the top left panel, go to Network Objects > network_objects.

  8. In the top right panel, select the Mobile Access Gateway object.

  9. Press the CTRL+F keys.

  10. Search for this attribute:

    portals

  11. Browse through the portal_name attributes, until you reach the ExchangeRegistration portal.

  12. Modify the portal’s main_url attribute to use a publicly accessible host name, served through SSL/TLS.

    The portal’s path must remain the same.

    Example:

    https://mab.example.com/ExchangeRegistration

  13. Save the changes (File menu > Save All).

  14. Close the Database Tool (GuiDBEdit Tool).

  15. In SmartConsole, install the policy on the Mobile Access Gateway object.

End-User Directory Configuration

Mobile Access learns end-user email addresses from their directory records. The directory can be the internal user database, a local Active Directory, Microsoft Entra ID (formerly Azure AD), or another LDAP-based directory.

Capsule Workspace receives the email address of each Mobile Access end-user right after the end-user authenticates to the gateway. These email addresses are later used for authenticating to the Office 365 mail service and for obtaining each end-user’s mail identity. Therefore, it is essential to configure end-user records with the correct email address.

The email address should be in this format:

username@mailaccountdomain.onmicrosoft.com

Note - The username used for the Office 365 email address is sometimes different from the one used for authenticating to the Mobile Access Gateway. This depends on the user directories used by Mobile Access and by the Office 365 service.

Office 365 Service Configuration

OAuth 2.0 Authentication is configured on the Microsoft Entra ID (formerly Azure AD) management WebUI through an 'Office 365 Exchange Online' application object.

You must get the ‘client secret’ OAuth 2.0 parameter you configure on the gateway from an application object which has ‘impersonation’ privileges for reading mail (Application Permission: 'full_access_as_app'). This is necessary for the Mobile Access gateway to register for mail notifications for logged in end-users.

In addition, Capsule Workspace needs application permissions so that its end-users can authenticate via OAuth 2.0 to the 'Office 365 Exchange Online' application (Delegated Permission: 'EWS.AccessAsUser.All').

Depending on the Capsule Workspace platform (iOS / Android), you must also configure the application's 'Redirect URIs'.

For Capsule Workspace on iOS:

| Bundle ID | Redirect URI |
|---|---|
| com.checkpoint.secureconnectid | msauth.com.checkpoint.secureconnectid://auth |

For Capsule Workspace on Android:

| Package Name | Signature Hash | Redirect URI |
|---|---|---|
| com.CheckPoint.SSLVpn | N+JwdXkEsT15pn8v2+RNjPjwmcs= | msauth://com.CheckPoint.SSLVpn/N%2BJwdXkEsT15pn8v2%2BRNjPjwmcs%3D |

Notes:

ActiveSync Applications

An ActiveSync application is an email application that works with ActiveSync, which is native in most Mobile devices. Mobile devices that can use the ActiveSync protocol and connect to an Exchange server can access ActiveSync applications.

As opposed to Mobile Mail applications, ActiveSync applications are not located in the Business Secure Container and are not protected. If you use the ActiveSync application, make sure that your mobile device is protected in other ways so that your sensitive business data and Exchange user credentials stay safe.

Make sure to give users access to the ActiveSync application in your Mobile Access policy.

Configuring ActiveSync Applications

To create a new ActiveSync application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Click New Custom Application/Site > Mobile Application > ActiveSync Application.

    The ActiveSync Application window opens.

To configure an ActiveSync application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Search for the Mobile Access application.

  3. Double-click the application.

    The ActiveSync Application window opens.

  4. In the General Properties page:

    • Enter a Name for the application in SmartDashboard.

    • Enter the name of the Exchange Server that will communicate with the Security Gateway and the Port. For example, ad.example.com

  5. In the Exchange Access page, in the Define access settings area:

    • Use encryption (https) - By default, traffic to the Exchange server works with HTTPS.

    • Use non-default path - If the ActiveSync path on the Exchange server to the application is not the default, enter the path here.

    • Use specific domain - If you want users to authenticate to a specified domain on the Exchange server, enter it here.

  6. In the Exchange Access page, in the Proxy Settings area, if there is a proxy server between the Exchange Server and the Security Gateway, configure the settings here.

    • Use gateway proxy settings - By default the proxy settings configured for the Security Gateway are used.

    • Do not use proxy server - Select if no proxy server is required.

    • Use specific proxy server - Configure a proxy server that the Security Gateway communicates with to reach the Exchange Server.

    1. Select the Host and Service.

    2. If credentials are required to access the proxy server, select Use credentials for accessing the proxy server and enter the Username and Password.

  7. In the Display Link page:

    • Title - The name of the application that users will see on their mobile devices.

    • Description - The description of the application that users will see on their mobile devices.

  8. In the Periodic Test page, select which tests are run regularly on the Security Gateways to make sure they can connect to the Exchange server. If there is a connectivity problem, a System Alert log is generated.

    • Run periodic test from gateways that have access to this application - A test makes sure there is connectivity between the Security Gateway and Exchange server. The test runs at the interval that you enter.

    • Perform extensive test using the following account - Periodically run a test to make sure that a user can authenticate to the Exchange server. To run this test you must enter a valid Username and Password.

    Note - If the account password changes, you must enter the new password here.

  9. Click OK.

  10. Install the policy.

Policy Requirements for ActiveSync Applications

  • To access ActiveSync, users must belong to a user group that is allowed to access ActiveSync applications.

  • Each user must have an email address defined in the Email Address field in the properties of an internal user object, or on an LDAP server (for LDAP users).

  • If users are internal, their Check Point client passwords must be the same as their Exchange passwords, otherwise ActiveSync will not work.