The Legacy Mobile Access Portal

Starting in R81, Check Point introduced the new Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Portal. See The New Mobile Access Portal.

When you enable the Mobile Access Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities., the new portal configuration is the default.

The Legacy Mobile Access Portal is available for backward compatibility.

Portal Customization

To customize the Mobile Access end user portal:

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Gateways & Servers and double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Customization.

    The Portal Customization page opens.

  3. Configure the following settings.

  4. Install the policy.

Localization Features

Mobile Access localizes the user interface of the Mobile Access user portal and the Secure Workspace to multiple languages.

The Mobile Access user portal and the Secure Workspace can be configured by Security Gateway in the Portal Settings > Portal Customization page to use these languages:

  • English (the default language)

  • Bulgarian

  • Chinese- Simplified

  • Chinese- Traditional

  • Finnish

  • French

  • German

  • Italian

  • Japanese

  • Polish

  • Romanian

  • Russian

  • Spanish

Auto Detection of User Language Preferences

Automatic language detection is an optional feature that gives priority to the language settings in the user's browser over the language chosen by the administrator.

Automatic language detection is activated by configuring the CVPN_PORTAL_LANGUAGE_AUTO_DETECT flag in the Main.virtualhost.conf file on Mobile Access.

By default, the language preference in the user's browser is not automatically detected. If automatic detection is configured, the language used in SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. is the first language supported by Mobile Access that is found in the Language Preference list defined in the user's browser settings. If no supported language is found in the Language Preference list in the user's browser, the language set by the administrator in SmartDashboard is used.

To activate automatic language detection, perform the following steps on each cluster member:

  1. Open an SSH connection to Mobile Access, or connect to it via a console.

  2. Log in to Mobile Access using your administrator user name and password.

  3. Change to the Expert mode by typing expert and supplying the password.

  4. Edit the $CVPNDIR/conf/includes/Main.virtualhost.conf file, and change the value of this parameter from 0 to 1:

    from:

    SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 0

    to:

    SetEnv CVPN_PORTAL_LANGUAGE_AUTO_DETECT 1

  5. Restart the Mobile Access services:

    cvpnrestart

Language Selection by End Users

Any explicit language selection by the user in any of the portal pages overrides both the administrator's default language setting, and the automatic language detection.

Users can select a language in the user portal sign-in page, in the Change Language To field.

User Workflow for Mobile Access Portal

The user workflow includes these steps:

  1. Sign in and select the portal language.

  2. On first-time use, if you will use SSL Network Extender to access native applications, install ActiveX and Java Components.

  3. Initial setup.

  4. Access applications.

Signing In

In a browser, type in the URL assigned by the system administrator for the Mobile Access Security Gateway.

Best Practice - Some popup blockers can interfere with aspects of portal functionality. Tell users to configure popup blockers to allow pop-ups from Mobile Access.

If the Administrator configured Secure Workspace to be optional, users can choose to select it on the sign in page.

Users enter their authentication credentials and click Sign In. Before Mobile Access gives access to the applications on the LAN, the credentials of remote users are first validated. Mobile Access authenticates the users either through its own internal database, LDAP, RADIUS or RSA Authentication Manager. After the remote users are authenticated, and associated with Mobile Access groups, access is given to corporate applications.

Note - If the Endpoint ComplianceClosed Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. Scanner is enabled, users computers might be scanned before they can access the Mobile Access Sign In page. This is to make sure that credentials are not compromised by 3rd party malicious software.

First Time Installation of ActiveX and Java Components

Some Mobile Access components such as the endpoint Compliance Scanner, Secure Workspace and SSL Network Extender require either an ActiveX component (for Windows with Internet Explorer machines) or a Java component to be installed on the endpoint machine.

When using one of these components for the first time on an endpoint machine using Windows and Internet Explorer, Mobile Access tries to install it using ActiveX. However, Internet Explorer may prevent the ActiveX installation because the user does not have Power User privileges, or display a yellow bar at the top of the page asking the user to explicitly allow the installation. The user is then instructed to click the yellow bar, or if having problems doing so, to follow a dedicated link. This link is used to install the required component using Java.

After the first of these components is installed, any other components are installed in the same way. For example, if the Endpoint compliance Scanner was installed using Java on Internet Explorer, Secure Workspace and SSL Network Extender are also installed using Java.

For general information about the Mobile Access Portal and Java compatibility see sk113410.

Note - To install using ActiveX after a component was installed using Java, delete the browser cookies.

Initial Setup

The user may be required to configure certain settings, such as application credentials. In addition, the user can define additional favorites for commonly used applications.

Accessing Applications

After the remote users have logged onto the Mobile Access Security Gateway, they are presented with a portal. The user portal enables access to the internal applications that the administrator has configured as available from within the organization, and that the user is authorized to use.

Limitations

Mobile Access Portal provides optimal support for Outlook Web Access 2013 / 2016 with the Host-name Translation (HT) method, and only when 'cookies on the endpoint machine' is enabled. The Path Translation (PT) method is partially supported, while the URL Translation (UT) method is not supported.