Web Applications

A Web application can be defined as a set of URLs that are used in the same context and are accessed via a Web browser, for example, inventory management or human resource management.

Mobile Access (the Check Point Software Blade on a Security Gateway that provides Remote Access VPN access for managed and unmanaged clients; acronym MAB) supports browsing to websites that use HTML and JavaScript.

Browsing to websites with VBScript, Java, or Flash elements that contain embedded links is supported using SSL Network Extender, by defining the application as a native application.

Additionally, some sites will only work through a default browser, and therefore cannot be defined as a Web application. If that is the case, use a native application.

Web Applications of a Specific Type

You can configure a Web Application with a specific type: an iNotes (Domino Web Access) application or an Outlook Web Access application.

iNotes

IBM iNotes (previously called Lotus Domino Web Access) is a Web application that provides access to a number of services including mail, contacts, calendar, scheduling, and collaboration services.

Domino Web Access requires its files to be temporarily cached by the client-side browser. As a result, the endpoint machine browser caching settings of the Mobile Access Protection Level do not apply to these files. To allow connectivity, the cross site scripting, command injection and SQL injection Web Intelligence protections are disabled for Domino Web Access.

Note - To make iNotes work through the Mobile Access Portal, see Mobile Access Applications.

These iNotes features are not supported:

  • Working offline

  • Notebooks with attachments.

  • Color button in the Mail Composition window.

  • Text-alignment buttons in the Mail Composition window.

  • Decline, Propose new time and Delegate options in meeting notices.

  • Online help - partial support is available.

Outlook Web Access

Outlook Web Access (OWA) is a Web-based mail service, with the look, feel and functionality of Microsoft Outlook. Mobile Access supports Outlook Web Access versions 2000, 2003 SP1, 2007, 2010, 2013, and 2016.

Configuring Mobile Applications

You can use SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) to create and configure the settings for all the Mobile Access application objects. However, some Mobile Access settings can be configured only from SmartDashboard (the legacy Check Point GUI client used to create and manage security settings in versions R77.30 and lower; in versions R80.x and higher it is still used to configure specific legacy settings).

To create a new Mobile application in SmartDashboard:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree click Applications.

  3. Click the applicable application category.

  4. Click New.

To create a new Mobile application in SmartConsole:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Click New > Custom Application/Site > Mobile Application and select the Mobile application type.

    The Mobile application window opens.

Web Application - General Properties Page

Use the General Properties page to configure the basic settings for the Web Application.

Domino Web Access requires its files to be temporarily cached by the client-side browser. As a result, the endpoint machine browser caching settings of the Mobile Access Protection Level do not apply to these files.

To allow connectivity, the cross site scripting, command injection and SQL injection Web Intelligence protections are disabled for Domino Web Access.

  • Name is the name of the application. Note that the name of the application that appears in the user portal is defined in the Link in Portal page.

  • This application has a specific type - Select this option if the Web application is of one of the following types:

    • Domino Web Access is a Web application that provides access to a number of services including mail, contacts, calendar, scheduling, and collaboration services.

    • Outlook Web Access (OWA) is a Web-based mail service, with the look, feel and functionality of Microsoft Outlook. OWA functionality encompasses basic messaging components such as email, calendaring, and contacts.

Web Application - Authorized Locations Page

Use the Authorized Locations page to define the locations that can access the Web Application.

For an application that is defined as an Outlook Web Access application, the following are set as the allowed directories:

  • Private Mailboxes: /exchange/

  • Graphics and Controls: /exchweb/

  • Client access: /owa/

  • Public Folders: /public/

When two or more overlapping applications are configured (for example, one for any directory and one for a specific directory on the same host), it is undefined which application settings take effect. If one of the overlapping applications is OWA or iNotes, it will take precedence.

  • Host or DNS name on which the application is hosted.

  • Allow access to any directory gives the user access to all locations on the application server defined in Servers.

  • Allow access to specific directories restricts user access to specific directories. For example /finance/data/. The paths can include $$user, which is the name of the currently logged-in user.

  • Application paths are case sensitive improves security. Use this setting for UNIX-based Web servers that are case sensitive. Without it, a request whose path differs from an allowed directory only in letter case (for example /Finance/data/ instead of /finance/data/) is treated as authorized, although a case-sensitive server serves it as a different resource.

  • Services that are allowed are typically HTTP for cleartext access to the Web application, and HTTPS for SSL access.

    You can select which SSL version to use with HTTPS. Select an option from the list. The default is Automatic.

  • Advanced lets you select multiple services.
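The rules on this page (host match, any directory versus specific directories, case sensitivity, $$user substitution, allowed services, and OWA/iNotes taking precedence among overlapping applications) can be modelled to sanity-check a set of definitions before policy is installed. The following is an added example and not Check Point code; WebApp, matches and effective_app are hypothetical names, and the hosts and paths are constructed.

```python
"""Model of the Authorized Locations rules for a Web application.

Added example, not Check Point code: it reproduces the decision rules this
page states (host match, any directory vs. specific directories, case
sensitivity, $$user substitution, allowed services, and OWA/iNotes taking
precedence among overlapping applications). WebApp, matches and
effective_app are hypothetical names; hosts and paths are constructed.
"""
from dataclasses import dataclass, field
from posixpath import normpath
from urllib.parse import urlsplit

# Directories the page lists for an application of type Outlook Web Access
OWA_DIRS = ['/exchange/', '/exchweb/', '/owa/', '/public/']


@dataclass
class WebApp:
    name: str
    host: str                                        # Host or DNS name
    directories: list = field(default_factory=list)  # empty = any directory
    case_sensitive: bool = False                     # "Application paths are case sensitive"
    services: tuple = ('http', 'https')              # allowed services
    app_type: str = 'generic'                        # 'owa', 'inotes' or 'generic'


def expand_user(template: str, user: str) -> str:
    """$$user resolves to the login name of the currently logged-in user."""
    return template.replace('$$user', user)


def _under(path: str, directory: str, case_sensitive: bool) -> bool:
    """True if `path` is the directory or lies inside it. Both sides are
    normalized first so '/finance/data/../../' cannot escape the prefix."""
    p, d = normpath(path), normpath(directory)
    if not case_sensitive:
        p, d = p.lower(), d.lower()
    return p == d or p.startswith(d.rstrip('/') + '/')


def matches(app: WebApp, url: str, user: str) -> bool:
    """Does `url`, requested by `user`, fall inside this application?"""
    u = urlsplit(url)
    if u.scheme not in app.services or (u.hostname or '') != app.host.lower():
        return False
    if not app.directories:          # "Allow access to any directory"
        return True
    return any(_under(u.path or '/', expand_user(d, user), app.case_sensitive)
               for d in app.directories)


def effective_app(apps, url: str, user: str):
    """The application whose settings apply, or None. Among overlapping
    matches an OWA/iNotes application wins; any other overlap is undefined
    on the page, so it is reported instead of silently picking one."""
    hits = [a for a in apps if matches(a, url, user)]
    if not hits:
        return None
    typed = [a for a in hits if a.app_type in ('owa', 'inotes')]
    if typed:
        return typed[0]
    if len(hits) > 1:
        raise ValueError('undefined overlap: ' + ', '.join(a.name for a in hits))
    return hits[0]


if __name__ == '__main__':
    finance = WebApp('finance', 'intranet.example.com', ['/finance/data/'], case_sensitive=True)
    print(matches(finance, 'https://intranet.example.com/Finance/data/q1.xlsx', 'aa'))
```

Running the script with the case-sensitive flag cleared shows the point made above: the mixed-case request is then authorized. The ValueError raised for a generic overlap is deliberate, because the page says the effective settings are undefined in that case and an administrator should resolve it in the definitions rather than rely on whichever object the gateway happens to pick.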

Web Application - Link in Portal Page

Use the Link in Portal page to configure a link to the Web Application in the Mobile Access user portal.

  • Add a link to this Web application in the Mobile Access Portal - If you do not enter a link, users will be able to access the application by typing its URL in the user portal, but will not have a pre-configured link to access it.

  • Link text (multi-language) - Shows in the Mobile Access Portal. Can include $$user, which represents the user name of the currently logged-in user. If more than one link is configured with the same (case insensitive) name, only one of them will be shown in the portal.

  • URL - The link to the location of the application. Can include $$user, which represents the user name of the currently logged-in user. For example, a URL that is defined as http://host/$$user appears for user aa as http://host/aa and for user bb as http://host/bb.

  • Tooltip (multi-language) - Gives additional information. It can include $$user, which represents the user name of the currently logged-in user. The text appears automatically when the user holds the cursor over the link. It disappears when the user clicks a mouse button or moves the cursor away from the link.

Web Application - Protection Level Page

Use the Protection Level page to choose the protection level for Web applications and to control browser caching.

Security Requirements for Accessing this Application:

Browser Caching on the Endpoint Machine - Control caching of web application content in the remote user's browser.

  • Allow caching of all content - Recommended setting when Hostname Translation is the Link Translation method. ActiveX and streaming media use Hostname Translation.

  • Allow caching of these content types - Select type of web application content to cache: images, scripts, HTML.

  • Prevent caching of all content - Improves security for remote users who access a Web Application from a workstation that is not under their full control. Personal data is not stored on the workstation. Be aware! This setting prevents files that require an external application (for example, MS Office files) from opening. It can cause some applications to malfunction, if the application requires caching.

Configuring Web Content Caching

Protection Levels let administrators prevent browsers from caching Web content. Browser caching presents a security risk because the cached content is written to the workstation's disk, where it is easily readable by anyone who later gets access to that workstation.

When the Prevent caching of all content option is enabled, users may not be able to open files that require an external viewer application (for example, a Word or PDF file). This requires the user to first save the file locally.

To let users open external files:

  1. Set the Protection Level to Allow caching of all content.

  2. Add Microsoft Office documents to the HTML caching category.

    1. Run: cvpnstop

    2. Back up the Apache configuration file: $CVPNDIR/conf/http.conf

    3. In this file, uncomment the CvpnCacheGroups directives related to Microsoft Office documents.

    4. In cluster setups, repeat these steps for all cluster members.

    5. Run: cvpnstart

  3. Install Policy.

Web Application - Link Translation Page

Use the Link Translation page to configure how the Web Application converts the internal URLs to valid links for the Internet.

  • Use the method specified on the gateway through which this application is accessed - Uses the method configured in Additional Settings > Link Translation, in the Link Translation Settings on Gateways section.

  • Using the following method - Select the Link Translation method that this application uses:

    • Path Translation - Default for new installations.

    • URL Translation - Supported by the Mobile Access Security Gateway with no further configuration.

    • Hostname Translation - See Mobile Access Applications.

Using the Login Name of the Currently Logged in User

Mobile Access applications can be configured to differ depending on the user name of the currently logged-in user. For example, portal links can include the name of the user, and a file-share can include the user's home directory. For this purpose, the $$user directive is used. During a Mobile Access session, $$user resolves to the login name of the currently logged-in user.

For such personalized configurations, insert the $$user string into the relevant location in the definitions of Web applications, file shares, and native applications.

For example, a Web application URL that is defined as http://host/$$user appears for user aa as http://host/aa and for user bb as http://host/bb.

If the user authenticates with a certificate, $$user resolves during the user's login process to the user name that is extracted from the certificate and authorized by the directory server.

For its use in configuring File Shares, see the "Mobile Access Applications" section.

Completing the Configuration of the Web Application

To complete the configuration, add the Web application to a policy rule and install policy from SmartConsole.

For Unified Access Policy, see Mobile Access and the Unified Access Policy.

For legacy policy, see Getting Started with Mobile Access.

Configuring a Proxy per Web Application

It is possible to define an HTTP or HTTPS proxy server per Web application. This configuration allows additional control of access to Web resources allowed to users. For configuration details see sk34810.

Configuring Mobile Access to Forward Customized HTTP Headers

For proprietary Web applications that do not support a standard HTTP authentication method, the CvpnAddHeader directive can be used to pass end-user information (user name and client IP address) to the application in a custom HTTP header.

To configure Mobile Access to automatically forward a customized HTTP header, with a specified value, such as the user name or the client IP address:

  1. Edit $CVPNDIR/conf/http.conf. For a Mobile Access cluster, edit all members.

  2. Add or edit the line containing CvpnAddHeader according to the following syntax:

    CvpnAddHeader "customized_header_name" "customized_header_value"

You can use the following two macros for the customized_header_value string:

  • $CLIENTIP, which is resolved to the actual IP address of the end-user's client machine.

  • $USERNAME, which is resolved to the user name entered as a credential in the login page.

Examples:

  • CvpnAddHeader "CustomHTTPHeaderName" "MyCustomHTTPHeaderValue"

  • CvpnAddHeader "CustomIPHeader" "$CLIENTIP"

  • CvpnAddHeader "CustomUsernameHeader" "$USERNAME"
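Forwarding the user name in a header only moves the authentication question to the application: it must accept that header solely from the Mobile Access gateway, because any client that can reach the backend directly could set the same header itself. The following added example (not Check Point code, and not part of the page) shows a backend that applies that check; the trusted gateway addresses, the WSGI application and the login-name pattern are hypothetical, while the header names follow the examples above.

```python
"""Backend-side handling of the user name and client IP that Mobile Access
forwards with CvpnAddHeader.

Added example, not Check Point code. The gateway inserts the headers, but the
application may trust them only when the request really came from the gateway.
Header names follow the page's examples; TRUSTED_GATEWAYS, wsgi_app and the
user-name pattern are hypothetical.
"""
import ipaddress
import re

USER_HEADER = 'CustomUsernameHeader'    # CvpnAddHeader "CustomUsernameHeader" "$USERNAME"
IP_HEADER = 'CustomIPHeader'            # CvpnAddHeader "CustomIPHeader" "$CLIENTIP"
TRUSTED_GATEWAYS = ['192.0.2.10/32']    # constructed: the gateway or cluster address
_USER_RE = re.compile(r'^[A-Za-z0-9._@\\-]{1,64}$')  # conservative login-name shape


def identity_from_request(headers, remote_addr, trusted_gateways=TRUSTED_GATEWAYS):
    """Return (user, client_ip) from the forwarded headers, or (None, None)
    when the request did not come from a trusted gateway or a value is
    malformed. Header names are compared case-insensitively, as in HTTP."""
    try:
        src = ipaddress.ip_address(remote_addr)
    except ValueError:
        return (None, None)
    if not any(src in ipaddress.ip_network(g, strict=False) for g in trusted_gateways):
        return (None, None)          # header may be attacker-supplied: ignore it
    lower = {k.lower(): v for k, v in headers.items()}
    user = lower.get(USER_HEADER.lower())
    ip = lower.get(IP_HEADER.lower())
    if not user or not _USER_RE.match(user):
        return (None, None)
    client_ip = None
    if ip is not None:
        try:
            client_ip = str(ipaddress.ip_address(ip.strip()))
        except ValueError:
            return (None, None)
    return (user, client_ip)


def wsgi_app(environ, start_response):
    """Minimal WSGI application that authenticates only via the gateway headers.
    WSGI exposes request headers as HTTP_<NAME>, with '-' turned into '_'."""
    headers = {k[5:].replace('_', '-'): v
               for k, v in environ.items() if k.startswith('HTTP_')}
    user, client_ip = identity_from_request(headers, environ.get('REMOTE_ADDR', ''))
    if user is None:
        start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
        return [b'no trusted identity header\n']
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [f'user={user} client={client_ip}\n'.encode()]


if __name__ == '__main__':
    from wsgiref.simple_server import make_server
    make_server('127.0.0.1', 8080, wsgi_app).serve_forever()
```

Two things are worth verifying on a real deployment before relying on this: that the backend is not reachable except through the gateway (otherwise the address check is the only barrier), and, by sending a request through the portal with the custom header already set by the client, that the value the application receives is the gateway's and not the client's.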

Web Application Features

Mobile Access contains various features to make working with Web Applications efficient and secure. Some of these are described in the following sections.

Reuse TCP Connections

The Reuse TCP Connections feature enhances performance by letting the network reuse TCP connections that would otherwise be closed. To enable Reuse TCP Connections, make a change to the Security Gateway configuration files.

Best Practice - We strongly recommend that you back up configuration files before you make changes.

In the General Properties page of a Web application, there is a section called Application Type. In this section, you can define the application as having a specific type, either Domino Web Access or Outlook Web Access.

In previous versions, if you chose one of these Application Type options, the TCP connections for the application were closed after each request. With Reuse TCP Connections enabled, the connections are reused. This improves performance because the TCP three-way handshake is not repeated for every request and the optimized authorization cache feature can be fully utilized.

By default, Reuse TCP Connections is enabled.

To turn off Reuse TCP Connections:

  1. Change this line in the $CVPNDIR/conf/http.conf configuration file:

    from:

    CvpnReuseConnections On

    to:

    CvpnReuseConnections Off

  2. Save the changes.

  3. Run the cvpnrestart command to activate the settings.

If your Mobile Access Security Gateway is part of a cluster, make the same changes on each cluster member.
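The three procedures above that edit $CVPNDIR/conf/http.conf (uncommenting the CvpnCacheGroups directives, adding CvpnAddHeader lines, and switching CvpnReuseConnections) share the same shape: back the file up, change one directive line without disturbing the rest, verify, repeat on every cluster member, then restart the services. The following added example (not a Check Point tool and not from this page) does those edits idempotently so a re-run never duplicates a line. It assumes the one-directive-per-line forms shown on this page; the CvpnCacheGroups arguments in the constructed sample are a placeholder, not the real directive syntax.

```python
"""Idempotent editor for the $CVPNDIR/conf/http.conf directives on this page.

Added example, not a Check Point tool. It assumes the one-directive-per-line
forms the page shows (CvpnReuseConnections On|Off, CvpnAddHeader "name" "value",
and CvpnCacheGroups lines commented out with a leading '#'); the CvpnCacheGroups
arguments in the sample are a constructed placeholder. Run it against a copy
first; on a gateway, run it on every cluster member and then cvpnrestart
(or cvpnstop/cvpnstart, as the relevant procedure says).
"""
import re
import shutil
import time
from pathlib import Path

# Constructed excerpt standing in for http.conf (not the real file).
SAMPLE_HTTP_CONF = """\
# Mobile Access http.conf (constructed excerpt)
CvpnReuseConnections On
#CvpnCacheGroups html application/msword
#CvpnCacheGroups html application/vnd.ms-excel
CvpnAddHeader "CustomIPHeader" "$CLIENTIP"
"""

_HEADER_NAME = re.compile(r'^[A-Za-z0-9_-]+$')   # conservative subset of HTTP token chars


def backup(conf: Path) -> Path:
    """Copy the file aside before editing, as the page's Best Practice says."""
    dst = conf.with_name(conf.name + '.bak.' + time.strftime('%Y%m%d%H%M%S'))
    shutil.copy2(conf, dst)
    return dst


def set_simple_directive(text: str, name: str, value: str) -> str:
    """Set a single-valued directive such as CvpnReuseConnections Off.
    The first existing line is replaced; if absent, the directive is appended."""
    pat = re.compile(rf'^[ \t]*{re.escape(name)}[ \t]+.*$', re.M)
    new = f'{name} {value}'
    if pat.search(text):
        return pat.sub(lambda m: new, text, count=1)
    return text.rstrip('\n') + '\n' + new + '\n'


def set_add_header(text: str, header: str, value: str) -> str:
    """Add or update the CvpnAddHeader line for one header name. Names must be
    plain tokens and values may not contain quotes or newlines, so a value can
    never close the directive early or smuggle in a second one."""
    if not _HEADER_NAME.match(header) or '"' in value or '\n' in value:
        raise ValueError('refusing unsafe header name or value')
    pat = re.compile(rf'^[ \t]*CvpnAddHeader[ \t]+"{re.escape(header)}"[ \t]+".*"[ \t]*$', re.M)
    new = f'CvpnAddHeader "{header}" "{value}"'
    if pat.search(text):
        return pat.sub(lambda m: new, text, count=1)
    return text.rstrip('\n') + '\n' + new + '\n'


def uncomment_cache_groups(text: str, needle: str = '') -> str:
    """Uncomment '#CvpnCacheGroups ...' lines whose text contains `needle`
    (all of them when needle is empty), the edit the Web Content Caching
    procedure describes for Microsoft Office documents."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^[ \t]*#[ \t]*(CvpnCacheGroups\b.*)$', line)
        out.append(m.group(1) if m and needle in m.group(1) else line)
    return '\n'.join(out) + '\n'


def directive_values(text: str, name: str) -> list:
    """Values of every active (uncommented) occurrence of a directive, to
    verify the result before restarting the services."""
    return [m.group(1).strip() for m in
            re.finditer(rf'^[ \t]*{re.escape(name)}[ \t]+(.*)$', text, re.M)]


def apply_to_file(conf: Path, *edits) -> Path:
    """Back up `conf`, run each edit function over its text, write it back,
    and return the backup path. Call once per cluster member."""
    bak = backup(conf)
    text = conf.read_text()
    for edit in edits:
        text = edit(text)
    conf.write_text(text)
    return bak


if __name__ == '__main__':
    # On a gateway: apply_to_file(Path('$CVPNDIR/conf/http.conf' expanded), edit, ...)
    edited = uncomment_cache_groups(SAMPLE_HTTP_CONF, 'msword')
    edited = set_simple_directive(edited, 'CvpnReuseConnections', 'Off')
    edited = set_add_header(edited, 'CustomUsernameHeader', '$USERNAME')
    print(edited)
```

Because the edit functions take and return text, the same calls can be run first against a copy of the file and diffed, then applied on each member with apply_to_file; nothing here restarts the services, which remains a manual cvpnrestart (or cvpnstop/cvpnstart) after all members are consistent.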

Website Certificate Verification

Mobile Access lets you validate website security certificates, and either warn the user about problems, ignore any problems, or block websites with certificate problems.

By default, Website Certificate Verification is set to monitor. The possible settings are:

  • monitor - A record is written to SmartLog and there is no effect on end users. This is the default.

  • warn - Users are alerted to the potential security issue and can decide what steps to take.

  • block - Any website that has a problem with its SSL server certificate is blocked.

  • ignore - Any issue with the website's certificate is ignored.

All settings write a record to SmartLog except ignore, which leaves no log entry for a failed validation.

You must restart Mobile Access services after changing the website certificate verification setting.

You can configure Website Certificate Verification per Security Gateway and per application.

Website Certificate Verification is configured with Database Tool (GuiDBEdit Tool).

To change the Website Certificate Verification default behavior for Web applications on the Security Gateway:

  1. Close all SmartConsole windows connected to the Management Server.

  2. Connect with Database Tool (GuiDBEdit Tool) to the Management Server.

  3. Go to the Network Objects > network_objects > the Security Gateway object

  4. In the bottom pane, go to the Connectra_settings section.

  5. Search for:

    certificate_verification_policy

  6. Enter block, warn, monitor, or ignore as the value.

    The default setting is monitor.

  7. Save the changes (File menu > Save All).

  8. Close the Database Tool (GuiDBEdit Tool).

If your internal web servers do not use a commonly known certificate (such as an internal CA), then either change the default setting, or add a trusted Certificate Authority for Website certification to Mobile Access.

If the Mobile Access Security Gateway is part of a cluster, be sure to make the same changes on the cluster object.

To change the Website Certificate Verification default behavior per Web application:

  1. In Database Tool (GuiDBEdit Tool), go to the Network Objects > network_objects > the Web application object

  2. In the bottom pane, search for certificate_verification_policy.

  3. Type block, warn, or ignore as the value.

  4. For the use_gateway_settings parameter:

    • Enter true to use the Security Gateway settings.

    • Enter false to use the setting configured for the application.

  5. Save the changes in Database Tool (GuiDBEdit Tool) and close it.

  6. Install policy on the Security Management Server.

Adding a Trusted Certificate Authority for Website Certification

You can add specific Certificate Authorities that Mobile Access does not recognize by default, such as your organization's internal CA, to your trusted certificates. The list of default Certificate Authorities recognized by Mobile Access is the same as the list recognized by common browsers. To add CAs to this list, copy the certificate to a .pem file and then move the file to your Mobile Access Security Gateway. If your Mobile Access Security Gateway is part of a cluster, be sure to make the same changes on each cluster member.

Saving a Trusted Certificate in .pem Format

The procedure for saving a trusted certificate as a .pem file is similar for all browsers and versions with slight differences. Below is an example procedure, using Internet Explorer 7.0.

To save a trusted certificate in .pem format using Internet Explorer 7.0:

  1. Using your browser, view the certificate of a website that uses the Certificate Authority you want to add. Be sure to choose the Certificate Authority certificate: in the Certification Path tab, choose the CA and click View Certificate.

  2. Select the Details tab and click Copy to File.

    The Certificate Export Wizard opens.

  3. In the Export File Format page, select Base-64 encoded.

  4. In the File to Export page, type the File name under which you want to save the certificate information with a .pem file extension.

  5. Click Finish.

Moving the CA Certificate to the Mobile Access Security Gateway

To move the CA Certificate to the Mobile Access Security Gateway:

  1. Move the .pem file to your Mobile Access Security Gateway, into a directory called:

    $CVPNDIR/var/ssl/ca-bundle/

  2. Run the following command: rehash_ca_bundle

    The Certificate Authority should now be accepted by the Mobile Access Security Gateway without any warnings. You do not need to restart Mobile Access services for the change to take effect.

Deleting a Certificate Authority from a Trusted List

To delete a Certificate Authority from your trusted Certificate Authorities:

  1. Delete the .pem file from the $CVPNDIR/var/ssl/ca-bundle/ directory of the Mobile Access Security Gateway.

  2. Run the following command: rehash_ca_bundle

    You do not need to restart Mobile Access services for the change to take effect.
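A file that is not what the export wizard was expected to produce (a DER file, a private key exported by mistake, or a whole chain in one file) is silently wrong in the CA bundle. The following added example (not a Check Point utility and not from this page) checks what can be verified without extra libraries before the file is copied to $CVPNDIR/var/ssl/ca-bundle/ and rehash_ca_bundle is run. The sample PEM it embeds wraps a constructed five-byte DER SEQUENCE, not a real certificate; install and split_chain are hypothetical helper names.

```python
"""Pre-flight check for a CA certificate before copying it to
$CVPNDIR/var/ssl/ca-bundle/ and running rehash_ca_bundle.

Added example, not a Check Point utility. It verifies what can be checked
without extra libraries: the file is PEM rather than DER, it contains only
CERTIFICATE blocks (never a PRIVATE KEY), every body is valid base64 whose
DER begins with an ASN.1 SEQUENCE, and a chain file is split one certificate
per .pem file. Confirming that the certificate really is a CA
(basicConstraints) still needs `openssl x509 -noout -text` on the gateway.
The sample PEM wraps a constructed five-byte DER SEQUENCE, not a real cert.
"""
import base64
import re
from pathlib import Path

_BLOCK = re.compile(r'-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----', re.S)


def to_pem(label: str, der: bytes) -> str:
    """Encode DER as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode('ascii')
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f'-----BEGIN {label}-----\n' + '\n'.join(lines) + f'\n-----END {label}-----\n'


# Constructed stand-ins (not real credentials): SEQUENCE { INTEGER 1 }
FAKE_DER = b'\x30\x03\x02\x01\x01'
SAMPLE_CERT_PEM = to_pem('CERTIFICATE', FAKE_DER)
SAMPLE_KEY_PEM = to_pem('PRIVATE KEY', FAKE_DER)


def check_pem(data: bytes) -> list:
    """Return the DER body of each CERTIFICATE block in `data`, or raise
    ValueError naming the first problem found."""
    if data[:1] == b'\x30':
        raise ValueError('file is DER; export it as Base-64 encoded (PEM) instead')
    try:
        text = data.decode('ascii')
    except UnicodeDecodeError:
        raise ValueError('file is not ASCII text, so it is not PEM') from None
    blocks = _BLOCK.findall(text)
    if not blocks:
        raise ValueError('no PEM blocks found')
    ders = []
    for label, body in blocks:
        if 'PRIVATE KEY' in label:
            raise ValueError('file contains a private key; never place keys in the CA bundle')
        if label != 'CERTIFICATE':
            raise ValueError(f'unexpected PEM block type {label!r}')
        try:
            der = base64.b64decode(''.join(body.split()), validate=True)
        except ValueError:
            raise ValueError('certificate body is not valid base64') from None
        if der[:1] != b'\x30':
            raise ValueError('decoded body does not start with an ASN.1 SEQUENCE')
        ders.append(der)
    return ders


def split_chain(data: bytes) -> list:
    """Return one normalized PEM string per certificate found in `data`."""
    return [to_pem('CERTIFICATE', der) for der in check_pem(data)]


def install(src: Path, bundle_dir: Path) -> list:
    """Validate `src` and write each certificate as its own .pem into
    `bundle_dir` (normally $CVPNDIR/var/ssl/ca-bundle/). Returns the paths
    written; run rehash_ca_bundle afterwards, on every cluster member."""
    written = []
    for i, pem in enumerate(split_chain(src.read_bytes())):
        dst = bundle_dir / f'{src.stem}-{i}.pem'
        dst.write_text(pem)
        written.append(dst)
    return written


if __name__ == '__main__':
    print(split_chain(SAMPLE_CERT_PEM.encode())[0], end='')
```

The check stops short of parsing X.509, so a leaf certificate exported instead of the CA (the mistake the Certification Path step above guards against) still passes; that is the case to confirm with openssl on the gateway before running rehash_ca_bundle.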