Introduction to Mobile Access

Mobile Access

Check Point Mobile Remote Access VPN Software Blade is the safe and easy solution to connect to corporate applications over the internet with your mobile device or PC. The solution provides enterprise-grade remote access with both Layer 3 VPN and SSL VPN. It gives you simple, safe and secure connectivity to your email, calendar, contacts and corporate applications. At the same time, it protects networks and endpoint computers from threats.

The Mobile Access Portal lets mobile and remote workers connect easily and securely to critical resources over the internet.

Check Point Mobile Apps enables secure encrypted communication from unmanaged smartphones and tablets to your corporate resources.

Mobile Access Applications

Mobile Access provides the remote user with access to the various corporate applications, including, Web applications, file shares, Citrix services, Web mail, and native applications.

  • A Web application is a set of URLs that are used in the same context and that are accessed through a Web browser. For example, an application for inventory management, or HR management.

  • A file share is a collection of files, made available across the network through a protocol that enables actions on files, such as opening, reading, writing and deleting files across the network.

  • Mobile Access supports Citrix client connectivity to internal XenApp servers.

  • Mobile Access supports Web mail services including:

    • Built-in Web mail: Web mail services give users access to corporate mail servers via the browser. Mobile Access provides a front end for any email server that supports the IMAP and SMTP protocols.

    • Other Web-based mail services, such as Outlook Web Access (OWA) and IBM Lotus Domino Web Access (iNotes). Mobile Access relays the session between the client and the OWA server.

  • Mobile device support:

    • Access to Web applications.

    • Access to email, calendar, and contacts.

    • Multi-factor authentication.

  • Mobile Access supports IPv6 for access to:

    • The Mobile Access Portal.

    • Capsule Workspace.

    Notes:

    • SSL Network Extender is not supported with IPv6.

    • IPv6 is supported for inbound connections to the Security Gateway only. It is not supported for outbound connections from the Security Gateway, even with an external interface.

  • SSL Network Extender support for macOS as part of Capsule Workspace Access.

  • Mobile Access supports all native applications, through SSL Network Extender. A native application is an IP-based application that is hosted on servers within the organization. When a user is allowed to use a native application, Mobile Access launches SSL Network Extender and allows users to employ native clients to connect to native applications, while ensuring that all traffic is encrypted.

Remote users initiate a standard HTTPS request to the Mobile Access Security Gateway. The Security Gateway authenticates users based on one or more of the configured authentication methods, such as user name and password, certificates, or SecurID. Users have access to applications based on the Mobile Access policy.

For information about Web applications, file shares, Citrix services, Web mail see Mobile Access Applications.

For information about native applications, see Native Applications for Client-Based Access.

Mobile Access Management

  • The Security Management Server that manages all Check Point Security Gateways, also manages Mobile Access Security Gateways.

  • Configure Mobile Access from the Mobile Access tab of SmartDashboard and in the Access Control Rule Base.

  • Mobile Access users and related network objects are shown in SmartConsole.

  • See Mobile Access logs in SmartLog from the SmartConsole Logs & Monitor view.

  • Mobile Access supports SNMP. See the R81 Gaia Administration Guide > Chapter System Management > Section SNMP.

Commonly Used Concepts

This section briefly describes commonly used concepts that you will encounter when dealing with Mobile Access.

Authentication

All remote users that access the Mobile Access Portal must be authenticated by one or more of the supported authentication methods. Multiple login options for users and multi-factor authentication are supported. See User Authentication in Mobile Access.

Authorization

Authorization determines how remote users access internal applications on the corporate LAN. If the remote user is not authorized, access to the services provided by the Mobile Access Security Gateway is not granted.

After authentication, the user can open an application based on the Mobile Access policy.

Endpoint Compliance Scanner

The Check Point Endpoint Security on Demand scanner scans the endpoint machine to see if it complies with the endpoint compliance policy. For example, an endpoint compliance policy can make sure that the endpoint clients have updated Anti-Virus signatures and an active Firewall. If the endpoint is compliant with the endpoint compliance policy, the user is allowed to access the portal.

Secure Workspace

End-users can utilize Check Point's proprietary virtual desktop that enables data protection during user-sessions, and enables cache wiping, after the sessions have ended. Secure Workspace protects all session-specific data accumulated on the client side. It uses protected disk space and file encryption to secure files created during the access session. Afterward, it cleans the protected session cache, eliminating any exposure of proprietary data that would have been inadvertently left on public PCs.

Protection Levels

Protection Levels maintain a balance between connectivity and security. The Protection Level is a security requirement that users must meet before they can access the resource. For example, an application can have a Protection Level that requires users to use a specified authentication method. Mobile Access has three pre-defined Protection Levels: Permissive, Normal, and Restrictive. You can edit Protection Level settings, and define new Protection Levels.

Session

After authentication, remote users are assigned a Mobile Access session. The session is the period of communication with the Security Gateway until the user logs out or the connection times out.

SSL Network Extender

The SSL Network Extender client makes it possible to access native applications through Mobile Access.

SSL Network Extender is downloaded automatically from the Mobile Access Portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender transports application traffic through a secure, encrypted, and authenticated SSL tunnel to the Mobile Access Security Gateway.

Server Side Security Highlights

Mobile Access Gateways are fully integrated with and benefit from the same security features as other Security Gateways. In addition, Mobile Access Gateways have numerous security features to enable secure remote access. These are some of the security features available on Mobile Access Gateways:

  • IPS - Protects organizations from all known, and most unknown network attacks using intelligent security technology.

    The Web Intelligence component of IPS enables protection against malicious code transferred in Web-related applications: worms, various attacks such as Cross Site Scripting, buffer overflows, SQL injections, Command injections, Directory traversal, and HTTP code inspection.

  • IPS Service - Downloads new defense mechanisms to the IPS console, and brings existing defense mechanisms up-to-date.

  • Anti-Virus - Many Anti-Virus settings enabled on the Security Gateway also apply to Mobile Access traffic to prevent virus infection for end users and the enterprise.

  • Granular authorization policy - Limits which users are granted access to which applications based on: authentication, encryption, and client security requirements.

  • Web Application support over HTTPS - All traffic to Web-based applications is encrypted with HTTPS. Access is allowed for a specific application set rather than full network-level access.

  • Encryption - SSL Network Extender, used by Mobile Access, encrypts traffic with the 3DES or the RC4 encryption algorithm.

Client Side Security Highlights

These are some of the security features available on the client side:

  • Endpoint Compliance for Mobile Access on the endpoint machine - Prevents threats posed by endpoint clients that do not have updated protection, for example, updated Anti-Virus and Firewall Endpoint Security on Demand.

  • Secure Workspace protects all session-specific data, accumulated on the client side - End-users can utilize Check Point's proprietary virtual desktop that prevents data leakage. It encrypts all files and deletes data from the computer at the end of the user session. The administrator can use Protection Levels to force end users to use Secure Workspace to access the user portal or sensitive Endpoint Security on Demand.

  • Controls browser caching - You can disable browser caching or decide which web content can be cached by browsers when users access Mobile Access Applications.

  • Captures cookies sent to the remote client by the internal Web server - In most configurations, Mobile Access captures cookies and keeps them on the Security Gateway. Mobile Access attaches the cookie information, stored on Mobile Access, to the request that Mobile Access makes to the internal Web server to simulate user or web server cookie transmission.

  • Supports multi-factor authentication methods and multiple log-in options - For example, use SecurID tokens, or SSL client certificates in combination with a one-time DynamicID password.