Getting Started with Mobile Access

Recommended Deployments

Mobile Access (the Check Point Software Blade on a Security Gateway that provides Remote Access VPN access for managed and unmanaged clients; acronym: MAB) can be deployed in a variety of ways, depending on an organization's system architecture and preferences.

Simple Deployment

In the simplest Mobile Access deployment, one Mobile Access enabled Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) inspects all traffic, including all Mobile Access traffic. IPS (Intrusion Prevention System) and Anti-Virus (AV) can be active on all traffic as well. The Security Gateway can be on the network perimeter.

This is the recommended deployment. It is also the least expensive and easiest to configure, because it requires only one Security Gateway machine for secure remote access.

Item - Description
1 - Internal servers
2 - Security Gateway with Mobile Access enabled
3 - SSL Tunnel through Internet
4 - Remote User

Deployment in the DMZ

When a Mobile Access enabled Security Gateway is in the DMZ, traffic initiated from the Internet and from the LAN to Mobile Access is subject to Firewall restrictions. By deploying Mobile Access in the DMZ, you avoid enabling direct access from the Internet to the LAN. Remote users initiate an SSL connection to the Mobile Access Security Gateway. You must configure the Access Control Policy to allow traffic from the user to the Mobile Access server, where SSL termination, IPS and Anti-Virus inspection, authentication, and authorization take place. The Security Gateway then forwards requests to the internal servers.

Cluster Deployment

If you have large numbers of concurrent remote access users and continuous, uninterrupted remote access is crucial to your organization, you can run Mobile Access on a cluster (two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing). A cluster can be used in any of the deployments described above.

Item - Description
1 - Internal servers
2 - Mobile Access enabled cluster member B
3 - Internet
4 - Remote User making SSL connection through Internet
5 - Mobile Access enabled cluster member A
6 - Secure Network (Sync)

Each cluster member has three interfaces: one data interface leading to the organization, a second interface leading to the Internet, and a third for synchronization. Each interface is on a different subnet.

In a simple deployment with the Mobile Access cluster in the DMZ, two interfaces suffice: one data interface leading to the organization and the Internet, and a second interface for synchronization.

Deployments with VSX

You can enable the Mobile Access Software Blade on VSX (Virtual System Extension) Virtual Systems. VSX is the Check Point virtual networking solution, hosted on a computer or cluster, with virtual abstractions of Check Point Security Gateways and other network devices; these Virtual Devices provide the same functionality as their physical counterparts.

You can use a VSX deployment to support different Mobile Access scenarios. Each Virtual System can have a Mobile Access Portal with different applications, access policies, authentication requirements, and mobile clients.

For example, in the picture below, a VSX Gateway (the physical server that hosts the VSX virtual networks and all their Virtual Devices; it holds at least one Virtual System, called VS0) has four Virtual Systems with Mobile Access enabled. Each Virtual System has Mobile Access configured with different settings to meet the company's needs for different users.

Item - Description - Example Mobile Access Portal URL
1 - Remote Users
2 - Internet
3 - Router
4 - VSX Gateway
5 - Virtual Switch
6 - Virtual System 4 with Mobile Access enabled - https://guest.company.com/sslvpn
7 - Virtual System 3 with Mobile Access enabled - https://finance.company.com/sslvpn
8 - Virtual System 2 with Mobile Access enabled - https://sales.company.com/sslvpn
9 - Virtual System 1 with Mobile Access enabled - https://dev.company.com/sslvpn

This table shows an example of the different settings that you can configure on each Virtual System. The row labels refer to the item numbers in the picture above (item 9 is Virtual System 1, item 6 is Virtual System 4).

Item 9 (Virtual System 1, https://dev.company.com/sslvpn)

  • Users: Development team

  • Clients Allowed: Mobile Access Portal, SSL Network Extender, Capsule Workspace

  • Authentication Schemes: Certificate + AD password

  • Endpoint Health Checks: Mobile Access Portal ESOD check for company Endpoint Security requirements; jailbroken or rooted devices not allowed

  • Applications Configured: Development applications

Item 8 (Virtual System 2, https://sales.company.com/sslvpn)

  • Users: Sales team

  • Clients Allowed: Capsule Workspace, Capsule Connect

  • Authentication Schemes: SecurID + AD password

  • Endpoint Health Checks: Jailbroken or rooted devices not allowed

  • Applications Configured: Sales applications

Item 7 (Virtual System 3, https://finance.company.com/sslvpn)

  • Users: Finance team

  • Clients Allowed: Mobile Access Portal, Capsule Workspace

  • Authentication Schemes: SecurID + AD password

  • Endpoint Health Checks: Cooperative enforcement with the company MDM server

  • Applications Configured: Finance applications

Item 6 (Virtual System 4, https://guest.company.com/sslvpn)

  • Users: Contractors

  • Clients Allowed: Mobile Access Portal

  • Authentication Schemes: Certificate that expires after 30 days

  • Endpoint Health Checks: Mobile Access Portal ESOD check for a commercial AV solution with recent AV signature updates

  • Applications Configured: Contractor internal applications

Deployment as a Reverse Proxy

You can configure a Mobile Access Security Gateway as a reverse proxy for Web Applications on your servers. Reverse Proxy users browse to an address (URL) that resolves to the Security Gateway IP address. The Security Gateway then passes the request to an internal server according to the Reverse Proxy rules. You control the security level (HTTP or HTTPS) of connections between users and resources.

See Reverse Proxy.

You can also enable Single Sign-On for Capsule Workspace with Capsule Docs users. See the R81.20 Harmony Endpoint Security Server Administration Guide for details.

Sample Mobile Access Workflow

This is a high-level workflow to configure remote access to Mobile Access applications and resources.

  1. In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), enable the Mobile Access Software Blade on the Security Gateway.

  2. Follow the steps in the Mobile Access Configuration wizard to configure these settings:

    1. Select mobile clients.

    2. Define the Mobile Access Portal.

    3. Define applications, for example Outlook Web App.

    4. Connect to the AD server for user information.

  3. Select the policy type:

    • The default is to use the Legacy Policy, configured in the Mobile Access tab in SmartConsole.

    • To include Mobile Access in the Unified Access Policy, select this in Gateway Properties > Mobile Access.

  4. Add rules to the Policy:

    • For Legacy Policy: In SmartConsole, select Security Policies > Shared Policies > Mobile Access > Open Mobile Access Policy in SmartDashboard, and add the rules there.

    • For Unified Access Policy: In SmartConsole, add the rules in Security Policies > Access Control.

  5. Configure the authentication settings in Gateway Properties > Mobile Access > Authentication.

  6. Install the Access Control Policy on the Security Gateway.

    Users can access mobile applications through the configured Mobile Access Portal with the defined authentication method.

  7. Optional: Give secure access to users through the Capsule Workspace app with certificate authentication.

    1. In the Security Gateway properties, select Mobile Access > Authentication, click Settings, and select Require client certificate.

    2. Use the Certificate Creation and Distribution Wizard (in the Security Policies view, select Client Certificates > New).

    3. Users download the Capsule Workspace app.

    4. Users open the Capsule Workspace app and enter the Mobile Access Site Name and necessary authentication, such as user name and password.

Mobile Access Wizard

The Mobile Access Wizard runs when you enable the Mobile Access blade on a Security Gateway. It lets you quickly allow selected remote users access to internal web or mail applications, through a web browser, mobile device, or remote access client.

See Check Point Remote Access Solutions to understand more about the remote access clients mentioned in the wizard. Many of the settings in the wizard are also in Gateway Properties > Mobile Access.

Mobile Access

Select from where users can access the Mobile Access applications:

  • Web - Through a browser on any computer. SSL Network Extender can be downloaded by users when necessary to access native applications.

  • Mobile Devices - Through an iOS or Android mobile device. Devices must have a Check Point app installed.

    • Capsule Workspace - Use Check Point Capsule Workspace app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.

    • Capsule Connect/VPN - A full Layer 3 tunnel app that gives users network access to all mobile applications.

  • Desktops/Laptops - Check Point clients for PCs and Macs that use a Layer 3 tunnel to provide access to internal network resources.

Mobile Access Portal

Enter the primary URL for the Mobile Access Portal.

The default URL is:

https://<IP address of the Security Gateway>/sslvpn

You can use the same IP address for all portals on the Security Gateway with a variation in the path.

You can import a PKCS#12 (.p12) certificate for the portal to use for SSL negotiation. All portals on the same IP address use the same certificate.

Note - For information about Mobile Access Portal Clients Release Updates, refer to sk168353.

Applications

Select the applications that will be available to web or mobile device users:

  • Web Applications - Select the web applications to show on the Mobile Access Portal.

    • Demo web application (world clock) - Select this while you test Mobile Access, to see how a web application appears in the portal before you publish your own.

    • Custom web application - Enter the URL of the web application that you want users to be able to open when they connect with Mobile Access. For example, you can set the home page of your intranet site.

  • Mail/Calendar/Contacts - Enter the Exchange server that mobile devices work with and select which applications mobile device users can access.

    • Mobile Mail

    • ActiveSync Applications

    • Outlook Web App

Active Directory Integration

Select the AD domain, enter your credentials and test connectivity. If you do not use AD, select I don't want to use active directory now.

Authorized Users

Select users and groups from Active Directory or internal users. You can also create a test user that will get access to the configured applications.

What's Next?

This window helps you understand steps that are required to complete the automatic configuration done by the Mobile Access wizard. Depending on the selections you made, you might see these steps:

  • Edit the Access Control policy and add a rule for Remote Access Community - To work with Desktop Remote Access Clients or Capsule Connect clients, the Mobile Access Wizard automatically includes this Security Gateway in the Remote Access VPN community. Remote Access Clients get access rules from the Firewall Rule Base (all rules configured in a given Security Policy; synonym: Rulebase).

  • Install policy on this security gateway - When you install policy, the changes made by the Mobile Access Wizard become active.

  • Log in to the Web portal (usually https://<ip address>/sslvpn) - This is the web portal that you configured. Log in to see and use it.

  • Install Check Point Capsule Workspace App and Desktop VPN client - Install an App or VPN client to start using it. Prepare for mobile devices and for desktop clients (see the "Preparing for Capsule Workspace" section).

  • Easily deploy client certificates to your users with the new client certificates tool - If you use authentication with client certificates, configure the client certificates (see the "Managing Client Certificates" section).

Setting up the Mobile Access Portal

Each Mobile Access-enabled Security Gateway leads to its own Mobile Access user portal. Remote users log in to the portal using an authentication scheme configured for that Security Gateway.

Remote users access the portal from a Web browser with https://<Gateway_IP>/sslvpn, where <Gateway_IP> is one of these:

  • FQDN that resolves to the IP address of the Security Gateway

  • IP address of the Security Gateway

Remote users that use HTTP are automatically redirected to the portal using HTTPS.

Note - If Hostname Translation is the method for link translation, FQDN is required.

Set up the URL for the first time in the Mobile Access First Time Wizard.
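The two properties this section states, that the portal is reached at https://<FQDN>/sslvpn and that plain HTTP is redirected to HTTPS, are worth verifying from outside after every certificate or portal change, especially on a VSX deployment where each Virtual System presents its own FQDN and certificate. The following script is an added example written for this page; it is not Check Point code. It uses only the Python standard library. The four portal hostnames are the example URLs from the VSX picture above and are placeholders; the checks themselves are generic. Chain validation uses the system trust store, and hostname matching is done separately so that an untrusted chain and a certificate that does not cover the FQDN are reported as distinct findings.

```python
"""Pre-flight checks for Mobile Access portal URLs (added example, not Check Point code)."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

PORTAL_PATH = "/sslvpn"
# Constructed list taken from the page's example VSX deployment; replace with your FQDNs.
PORTAL_HOSTS = ["guest.company.com", "finance.company.com",
                "sales.company.com", "dev.company.com"]


def hostname_matches(cert, fqdn):
    """True if a subjectAltName DNS entry in `cert` covers `fqdn`.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    Accepts exact names and single-label wildcards (*.company.com); a bare
    Common Name is ignored, as browsers ignore it.
    """
    fqdn = fqdn.lower().rstrip(".")
    labels = fqdn.split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == fqdn:
            return True
        if value.startswith("*.") and len(labels) > 2 and value[2:] == ".".join(labels[1:]):
            return True
    return False


def is_portal_redirect(status, location, fqdn, path=PORTAL_PATH):
    """True if (status, Location) is a redirect to https://<fqdn><path>.

    A redirect to another host, or back to plain HTTP, is a misconfiguration
    (or a man-in-the-middle), so it fails the check.
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    parts = urlsplit(location)
    return (parts.scheme == "https"
            and parts.hostname == fqdn.lower()
            and (parts.path or "/").rstrip("/") == path.rstrip("/"))


def fetch_http_redirect(fqdn, timeout=5):
    """GET http://<fqdn>/sslvpn without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(fqdn, 80, timeout=timeout)
    try:
        conn.request("GET", PORTAL_PATH, headers={"Host": fqdn})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def fetch_peer_cert(fqdn, timeout=5):
    """TLS handshake with SNI; the chain is validated against the system trust store.

    Hostname checking is left to hostname_matches() so that an untrusted chain
    and a name mismatch are reported as separate findings.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((fqdn, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


def check_portal(fqdn):
    """Run both checks for one portal FQDN; return a list of findings (empty means OK)."""
    findings = []
    try:
        status, location = fetch_http_redirect(fqdn)
        if not is_portal_redirect(status, location, fqdn):
            findings.append(f"HTTP not redirected to https://{fqdn}{PORTAL_PATH}: got {status} {location}")
    except (OSError, http.client.HTTPException) as exc:
        findings.append(f"HTTP probe failed: {exc}")
    try:
        cert = fetch_peer_cert(fqdn)
        if not hostname_matches(cert, fqdn):
            findings.append(f"certificate subjectAltName does not cover {fqdn}")
    except ssl.SSLError as exc:  # subclass of OSError, so it must be caught first
        findings.append(f"TLS chain not trusted: {exc}")
    except OSError as exc:
        findings.append(f"TLS probe failed: {exc}")
    return findings


if __name__ == "__main__":
    for host in PORTAL_HOSTS:
        problems = check_portal(host)
        print(host, "OK" if not problems else "; ".join(problems))
```

Run it from a machine outside the perimeter, because the gateway in the DMZ may answer differently on its internal interface. A finding on the redirect check usually means the portal is bound to the IP address rather than the FQDN; a hostname finding means the imported certificate was issued for a different name, which Hostname Translation users will hit as a browser warning.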

Customizing the User Portal

To change the IP address used for the user portal:

From the properties of the Security Gateway object, select Mobile Access > Portal Settings.

To configure the look and feel of the portal:

From the properties of the Security Gateway object, select Mobile Access > Portal Customization.

Configuring Mobile Access Policy

Users can access Mobile Access applications remotely as defined by the policy rules.

For all policy types, a rule specifies which users can access which applications, and on which Security Gateways the rule is installed (the Users, Applications, and Install On columns).

You can also include VPN and Remote Access clients in rules to define which client users can use to access the application.

The Mobile Access policy applies to the Mobile Access Portal and Capsule Workspace. It does not apply to Desktop clients or Capsule Connect.

Settings related to what users can access from mobile devices are also defined in the Mobile Profile: SmartDashboard > Mobile Access tab > Capsule Workspace.

Including Mobile Access in the Unified Access Policy

To make Mobile Access Security Gateway use the Unified Access Policy:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers and double-click the Mobile Access Security Gateway object.

  2. From the tree, select Mobile Access.

  3. In the Policy Source area, select Unified Access Policy.

  4. Click OK.

  5. Install policy.

To create rules for Mobile Access in the Unified Access Policy:

See Mobile Access and the Unified Access Policy.

Creating Mobile Access Rules in the Legacy Policy

The order of the rules in the Legacy Policy is not important.

To create rules in the Mobile Access Rule Base:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Policy.

  3. Right-click an existing rule and select New Rule > Below.

  4. In the Users column, right-click the cell and select Add Users.

  5. In the User Viewer that opens, you can:

    • Select a user directory, either internal or an Active Directory domain.

    • Search for and select individual users, groups, or branches.

  6. In the Applications column, right-click the cell and select Add Applications.

  7. In the Application Viewer that opens, you can:

    • Select an application from the list.

    • Click New to define a new application.

  8. If you create a New application:

    1. Select the type of application.

    2. In the window that opens enter a Display Name to show to end-users. For example, "Corporate Intranet".

    3. Enter the URL or path to access the application according to the example shown.

  9. In the Install On column, right-click the cell and select Add Objects and select the Security Gateways for the rule.

  10. Click Save and then close SmartDashboard.

  11. In SmartConsole, install policy.

Preparing for Capsule Workspace

To enable devices to connect to the Security Gateway with Capsule Workspace:

  1. In SmartConsole, enable and configure Mobile Access on the Security Gateway.

  2. From the Gateway Properties, click Mobile Access, and select Mobile Devices and Capsule Workspace.

  3. In Gateway Properties > Mobile Access > Authentication, select how users authenticate to the mobile device.

    If necessary, manage certificates for authentication between the devices and the Security Gateway (see the "Configuring Client Certificates" section).

  4. Optional: Configure ESOD Bypass for Mobile Applications (see the "ESOD Bypass for Mobile Apps" section).

  5. Make sure you have rules in the Access Control Policy that allow traffic for mobile devices. For example, access to Exchange and application servers from the Security Gateway.

  6. Download a Capsule Workspace App from the App Store or Google Play to mobile devices.

  7. Give users instructions to connect, including the:

    • Site Name

    • Registration key (if you use certificate authentication)

    If you use certificate authentication, we recommend that you include this information in the client certificate distribution email.
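Both the DMZ deployment section and step 5 above say that the Access Control Policy must allow remote users to reach the Mobile Access gateway, and the gateway to reach the Exchange and application servers, without ever allowing the Internet to reach the LAN directly. The following script is an added example, not Check Point code, that creates exactly those two rules through the Management API (the login, add-access-rule, publish and install-policy commands) using only the Python standard library. The object names MAB-GW, Internal-App-Servers and Exchange-Server, the layer name Network and the package name Standard are assumptions; replace them with your own SmartConsole objects. The script refuses to publish if any rule it is about to add would let an "Any" source reach something other than the gateway.

```python
"""Access Control rules for a DMZ Mobile Access deployment, via the Management API.

Added example, not Check Point code. Object names below are assumptions;
replace them with the names of your own SmartConsole objects.
"""
import getpass
import json
import os
import ssl
import urllib.request

MAB_GATEWAY = "MAB-GW"                  # Mobile Access enabled Security Gateway in the DMZ
INTERNAL_APPS = "Internal-App-Servers"  # group of the published web/application servers
EXCHANGE = "Exchange-Server"            # Exchange server used by Capsule Workspace
LAYER = "Network"                       # Access Control layer of the policy package
POLICY_PACKAGE = "Standard"


def mobile_access_rules():
    """Return add-access-rule payloads in the order they should appear in the Rule Base.

    Rule 1: remote users reach only the portal on the gateway (HTTPS, plus HTTP so the
            automatic redirect to HTTPS can happen). Narrow `source` further if you can.
    Rule 2: the gateway, after authentication and inspection, reaches the internal servers.
    No rule lets the Internet reach the LAN directly.
    """
    common = {"layer": LAYER, "position": "top", "action": "Accept",
              "track": {"type": "Log"}, "service": ["https", "http"]}
    return [
        dict(common, name="Remote users to Mobile Access portal",
             source="Any", destination=MAB_GATEWAY),
        dict(common, name="Mobile Access gateway to internal servers",
             source=MAB_GATEWAY, destination=[INTERNAL_APPS, EXCHANGE]),
    ]


def exposes_lan_directly(rules):
    """True if any rule lets an 'Any' source reach something other than the gateway."""
    for rule in rules:
        sources = rule["source"] if isinstance(rule["source"], list) else [rule["source"]]
        dests = rule["destination"] if isinstance(rule["destination"], list) else [rule["destination"]]
        if "Any" in sources and any(d != MAB_GATEWAY for d in dests):
            return True
    return False


class MgmtApi:
    """Minimal stdlib client for the Management API: POST JSON to /web_api/<command>."""

    def __init__(self, server, cafile, port=443):
        self.base = f"https://{server}:{port}/web_api/"
        # Assumption: `cafile` holds the management server's CA certificate.
        # Verify it rather than disabling TLS verification for an admin session.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.sid = None

    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.loads(resp.read())

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]


def apply_rules(api, rules, targets):
    """Insert the rules, publish the session and install the Access Control policy."""
    if exposes_lan_directly(rules):
        raise ValueError("refusing to publish a rule that exposes the LAN to 'Any'")
    for rule in reversed(rules):  # every rule goes to the top, so insert last-first
        api.call("add-access-rule", rule)
    api.call("publish", {})
    api.call("install-policy", {"policy-package": POLICY_PACKAGE, "access": True,
                                "threat-prevention": False, "targets": targets})
    api.call("logout", {})


if __name__ == "__main__":
    api = MgmtApi(os.environ["MGMT_SERVER"], os.environ["MGMT_CA_FILE"])
    api.login(os.environ.get("MGMT_USER", "admin"), getpass.getpass("Management password: "))
    apply_rules(api, mobile_access_rules(), [MAB_GATEWAY])
```

Set MGMT_SERVER, MGMT_CA_FILE and optionally MGMT_USER in the environment before running. The rules use a Log track so that each portal login and each forwarded request leaves an entry you can correlate with the Mobile Access logs. If the gateway uses the Unified Access Policy, the same two rules are still what the network layer needs; the per-application authorization is then added as rules that reference the Mobile Access applications.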

Configuring Client Certificates

If you use certificates for mobile and desktop clients, use the Client Certificates page in SmartConsole to manage the certificates that authenticate the devices to the Security Gateway (see Mobile Access for Smartphones and Tablets).

To configure client certificates:

  1. In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.

  2. In the Client Certificates pane, click New.

    The Certificate Creation and Distribution wizard opens

  3. From the navigation tree click Client Certificates.

  4. Create and distribute the certificates.

  5. Install Policy.

For more details, see Mobile Access for Smartphones and Tablets.