Mobile Access and the Unified Access Policy

Overview of Mobile Access in the Unified Policy

When you include Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. in the Unified Policy, you configure all rules related to the Mobile Access Portal, Capsule Workspace, and on-demand clients in the Access Control Policy.

In the Access Control Rule Base All rules configured in a given Security Policy. Synonym: Rulebase., you can configure rules that:

Apply to all Mobile Access Security Gateways, or some of them.
Apply to one or more Mobile Access clients, such as the Mobile Access Portal or Capsule Workspace.

Mobile Access features such as Protection Levels, Secure Workspace, and Endpoint Compliance Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. also apply.

Note that when you use the Unified Access Policy, some Mobile Access features and settings are still configured in the SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. > Mobile Access tab.

Configuring Mobile Access in the Unified Policy

You can include Mobile Access rules in Policy Layers and Inline Layers. You must enable Mobile Access on each Layer that contains rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. with Mobile Access applications.

See the R81 Security Management Administration Guide for more about layers.
To make a Mobile Access application show in the Mobile Access Portal or in Capsule Workspace, you must put the application in the Services & Applications column.
- If you put Any in the Services & Applications column, the application does not show in the portal but it is allowed. You can open it from the Mobile Access Portal if you manually enter the URL, but not from Capsule Workspace. You can change this behavior. See sk112576 for details.
- If you put an application's service, such as HTTPS, in the Services & Applications column, it does not match Mobile Access https applications.
In the Services & Applications column, you must use Mobile Access Application objects in rules to match Mobile Access traffic. You can define these applications in:
- In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.: CustomApplications/Sites > Mobile Access and the Unified Access Policy
- In SmartDashboard > Mobile Access tab > define an application
Application objects defined for Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI., for example, are not supported in Mobile Access rules.
When you enable Mobile Access on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., the Security Gateway is automatically added to the RemoteAccess VPN Community. Include that Community in the VPN column of the rule or use Any to make the rule apply to Mobile Access Security Gateways. If the Security Gateway was removed from the VPN Community, the VPN column must contain Any.
Use Access Roles as the Source or Destination for a rule to make the rule apply to specified users or networks. You can also use an Access Role to represent Mobile Access or other remote access.

You must enable Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. on each Security Gateway that is an installation target for rules with Access Roles.

Creating Mobile Access Rules in the Unified Access Policy

Create Mobile Access rules in the Access Control Policy with these requirements:

Column	Value	Explanation
No	Make sure that the rule position is logical.	The order of rules in the Rule Base is important. The first rule that matches the traffic is enforced.
Name	All	We recommend that you use a descriptive name.
Source	Access Role	Create an Access Role that includes the Users, User Groups, or Mobile/Remote Access Client that the rule applies to. See the "Mobile Access and the Unified Access Policy" section.
Destination	The internal server on which the Mobile Access application is set.	Mobile Access Applications are defined in the Services & Applications column.
VPN	Any or a Remote Access Community that includes the Mobile Access Security Gateway	When you enable the Mobile Access or IPsec Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. on a Security Gateway, the Security Gateway is automatically added to the default RemoteAccess VPN Community. By default the community also contains a user group that contains all users. If you remove the Security Gateway from the VPN Community, you must select Any.
Services & Applications	Mobile Applications Do not include applications or service objects that are not specified as Mobile Access.	To create a Mobile Application: Click > click > Mobile Applications > select an application type and define it. To select an existing Mobile Application: Click > *All > Mobile Applications and select one. Mobile Applications only show in the list if Mobile Access is enabled on the Layer
Content	Any	Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. Acronym: CTNT. is not relevant for Mobile Access rules.
Action	Accept or Drop	Only Accept and Drop are supported. Reject is also supported but acts the same as Drop. You can also select Inline Layer to send all traffic that matches the rule to a "Mobile Access and the Unified Access Policy".
Track	All log options	Right-click in the cell and select More > Extended log
Install On	One or more Security Gateways	Each Security Gateway must have Mobile Access and Identity Awareness enabled and have Unified Access Policy selected as the Policy Source.

Mobile Access Applications in the Unified Access Policy

To use a Mobile Access application in the Unified Access Policy, you must define it as a Mobile Application from the SmartConsole or define it in the in SmartDashboard > Mobile Access tab.

Other application objects, such as URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. applications, are not relevant for Mobile Access. For example: To authorize Facebook as a web application in Mobile Access, you must create a new Web Application and specify Facebook's URL. You cannot use the URL Filtering Facebook application, because it is not for Mobile Access.

Creating Mobile Applications for the Access Control Policy

To create a Mobile Application object to use in the Access Control Policy:

In SmartConsole, expand the Objects pane.
Select New > More > Custom Application/Site > Mobile Application.
Select a type of Mobile Application.
Define the General Properties and Authorized Locations.
Optional: Define more settings for the Application.
Click OK.

Access Roles for Remote Access

Create a rule in the Access Control Rule Base that handles remote access connections.

Go to Security Policies and right-click the cell in the VPN column.
Select Specific VPN Communities.
Choose the community and click .
Close the VPN community window.
Define Services & Applications and Actions columns.
Install the policy.

Example:

To allow remote access users to access the organization's SMTP server, called SMTP_SRV, create the following rule:

Source	Destination	VPN	Service	Action	Track
Any	SMTP_SRV	Remote_Access_Community	SMTP	Accept	Log

Including Mobile Access in the Unified Policy

After you configure rules for Mobile Access in the Unified Access Policy, configure the Security Gateway to use the Unified Access Policy.

To make a Mobile Access Security Gateway use the Unified Access Policy:

In SmartConsole, click Gateways & Servers and double-click the Mobile Access Security Gateway object.
From the tree, select Mobile Access.
In the Policy Source area, select Unified Access Policy.
Click OK.
Install policy.

Enabling Access Control Features on a Layer

To enable Mobile Access on an Ordered Layer:

In SmartConsole, click Security Policies.
Under Access Control, right-click Policy and select Edit Policy.
Click options for the Layer.
Click Edit Layer.

The Layer Editor window opens and shows the General view.
Select Mobile Access.
Click OK.

To enable Mobile Access on an Inline Layer:

In SmartConsole, click Security Policies.
Select the Ordered Layer.
In the parent rule of the Inline Layer, right-click the Action column, and select Inline Layer > Edit Layer.
Select Mobile Access.
Click OK.

Best Practices for Mobile Access in the Unified Policy

When you include Mobile Access in the Unified Access Policy, these are some factors that you need to be aware of:

How to use layers
How the content of rules affects your policy
How rule order can affect your policy

Best Practices with Layers

We recommend that you make an Inline Layer for Mobile Access rules, to easily manage the Mobile Access policy.

To use an Inline Layer effectively, define a parent rule in the main layer. The parent rule matches all Mobile Access traffic and sends the traffic to the Inline Layer. It requires an Access Role that includes all Mobile Access client types or traffic in the Source column.

When a rule contains Inline Layer in the Action column, an Inline Layer is automatically created below it and it becomes a parent rule.

No	Name	Source	Destination	VPN	Services & Applications	Action	Track
1	Network rules	My_network	GW	Any	Any	Accept	Log
2	Mobile Access Inline Layer Entry Point	All Mobile Access traffic	Any	Any	Any	Mobile Access Inline Layer	Extended Log
2.1	Capsule Workspace rule	Capsule Workspace traffic	Any	Any	Business Mail Corporate Ordering	Accept	Extended Log
2.2	Special access rule	Managers	Any	Any	Internal App	Accept	Extended Log
2.3	Mobile Access Inline Layer Cleanup rule	Any	Any	Any	Any	Drop	Extended Log
3	Cleanup rule	Any	Any	Any	Any	Drop	Log

To make a rule that sends all Mobile Access traffic to a Mobile Access Inline Layer:

From the Source column of a rule in the Access Control Policy, create a new Access Role that includes all Mobile Access client types:
1. In the New Access Role window, click Remote Access Clients.
2. Select Specific Client and create a New > Allowed Client for all Mobile Access Portals or clients that are used in your environment. These can include: Capsule Workspace, Mobile Access Portal, ActiveSync, and SSL Network Extender A secure connectivity framework for remote access VPN to a corporate network. SSL Network Extender uses a thin VPN client installed on the user's remote computer that connects to an SSL-enabled web server on a VPN Gateway. Acronym: SNX..
Make sure the VPN column contains Any or the RemoteAccess VPN Community that contains your Mobile Access Security Gateways.
In the Action column, select Inline Layer > New Layer.
In the Layer Editor:
- Enter a name for the layer, such as Mobile Access Inline Layer.
- In the Blades area, select Mobile Access.
- Optional: To use this Mobile Access Inline Layer in multiple policies, in the Sharing area, click Multiple policies and rules can use this layer.

To configure rules in the Inline Layer:

Click the Cleanup rule in the Inline Layer that was created automatically and the click the Add Rule Above icon.
Configure rules for the Mobile Access policy as required. See the "Mobile Access and the Unified Access Policy" section.
Make sure that the Cleanup rule stays at the end of the layer and that the Action is Drop.
Right-click in the Track cell and select More > Extended log.

Mobile Access with Ordered Layers

If you work with Ordered Layers, you can configure a Mobile Access Inline Layer in any Ordered Layer.

Make sure to create a bypass rule for Mobile Access traffic in all layers that come before the Mobile Access layer. For example, if your Mobile Access Inline Layer is in the third layer, you must create a bypass rule in the first and second Ordered Layers.

The bypass rule matches the Mobile Access traffic in the layer and allows the traffic. The traffic then moves to the next layer, until it gets to the Mobile Access Inline Layer.

To create a bypass rule, use the Access Role for all Mobile Access users in the Source column and Accept in the Action column.

Best Practices for Rules

Do not use a Security Gateway as the Destination in a Mobile Access rule. The rules authorize a user's access to an internal resource. Use Any or the internal hosts of relevant applications in the Destination column.
Do not use Any in the Services & Applications column. To make an application show in the Mobile Access Portal or Capsule Workspace, it must be Mobile Access application object that is used explicitly in the Rule Base.

If you do use Any to represent all Mobile Access applications, configured Mobile Access applications are authorized, but they do not show in the portal or Capsule Workspace. Users can enter the URL of the App in the Address field of the Mobile Access Portal.

To change the behavior when Any is used to represent Mobile Access applications, see sk112576.

Best Practices for Rule Order

In the Unified Access Policy, put Mobile Access rules that authorize applications above rules that contain a related service. For example, put a rule to allow a web application above a rule that allows or blocks HTTP/HTTPS. If the HTTP/HTTPS rule is first, the user will not see the Mobile Access Web application in the portal or in Capsule Workspace and will not be able to access it.

For example, this Rule Base allows Outlook Web Access (OWA), a web-based Mobile Access application. It also allows HTTPS traffic:

Correct way to allow the HTTPS service and also Mobile Access HTTPS applications:

No	Name	Source	Destination	Services & Applications	Action	Track
1	Network rule	My_network	GW_1	Any	Accept	Log
2	Mobile Access Inline Layer	All Mobile Access traffic	Any	Any	Mobile Access Inline Layer	Log
2.1	Mobile Access applications	All Mobile Access traffic	Any	Internal App OWA Business Mail	Accept	Log
2.2	Cleanup rule	Any	Any	Any	Drop	Log
3	Allow HTTPS	Any	Any	https	Accept	Log
4	Cleanup rule	Any	Any	Any	Drop	None

Rule 2.1, that allows access to Mobile Access applications, including Outlook Web Access (OWA) on HTTPS, is above rule 3, which allows all HTTPS traffic.

If you put rule 3 to allow HTTPS above the Mobile Access rules, the user will not see the OWA Web application in the portal or in Capsule Workspace and will not be able to access it. To authorize a Mobile Access application, you must use a Mobile Access application in the Services & Applications column.

You can use HTTPS in the parent rule of the Mobile Access Inline Layer, but specify the Mobile Access application inside the Inline Layer. That way, the HTTPS traffic for OWA, for example, will match on the HTTPS rule, and will also match on the OWA App inside the Inline Layer.

Native Applications

In this scenario with a Native application:

The Native application is in an Inline Layer in the rule base.
And the Native application configuration includes Any in the Authorized Locations tab.

Then the parent rule of the Inline Layer must include one of these in the Services & Applications column:

Any service
HTTPS service
The Native Application

Mobile Access Behavior in the Rule Base

In a policy with Policy Layers, for the traffic to be approved, it needs to be accepted in all layers. It is only authorized when accepted in the last layer. The policy keeps going to the next layer until the Mobile Access traffic is matched with a Drop rule or it is accepted in all layers.

In Inline Layers, like in multi-layered policies: Mobile Access is matched on the Inline Layer parent rule and then on the inner rule inside the Inline Layer. The matched application for Mobile Access is taken from the last rule matched with a Mobile Access application. If the matched rule inside the Inline Layer has no Mobile Access application, the policy looks for a Mobile Access application in the parent rule of the Inline Layer.

Limitations for Mobile Access in the Unified Policy

Mobile Access cannot work with Content Awareness or URL Filtering. Do not use Content Awareness or URL Filtering objects in rules with Mobile Access.
These limitation apply for Access Roles in Mobile Access rules in the Unified Access Policy:
- In the Source column - Access Roles can include Networks, Users, and Remote Access Clients.
- In the Destination column - Access Roles can include Networks and Users.
The Native Applications Connect button always shows in the Mobile Access Portal when SSL Network Extender is enabled.
If users do not meet the defined Protection Level requirements for an application, the application does not show for them. This is true in the Mobile Access Portal and Capsule Workspace. (In the Legacy Mobile Access policy, the applications show but are disabled).
If the Mobile Access Security Gateway was removed from the RemoteAccess VPN Community, the VPN column must contain Any.

If you configure Unified Policy, you must include the authorized location (the range of IP addresses) for each application inside the encryption domain for remote access.

Note - The range of IP addresses for an application must not overlap with the range for another application. Users with access to the first application have access to other applications within the same range.