Native Applications for Client-Based Access
Introduction to Native Applications
A native application is any IP-based application that is hosted on servers within the organization and requires an installed client on the endpoint. The client is used to access the application and to encrypt all traffic between the endpoint and Mobile Access (the Check Point Software Blade on a Security Gateway that provides Remote Access VPN for managed and unmanaged clients; acronym: MAB).
SSL Network Extender (SNX), a secure connectivity framework for remote access VPN to a corporate network, automatically works with Mobile Access to support native applications. It uses a thin VPN client installed on the user's remote computer that connects to an SSL-enabled web server on a VPN Gateway.
Microsoft Exchange, Telnet, and FTP are all examples of native application servers. Authorized users can use their native clients (for example, telnet.exe, ftp.exe, or Outlook) to access these internal applications from outside the organization.
A native application is defined by the:
- Server hosting applications.
- Services used by applications.
- Connection direction (usually client to server, but can also be server to client, or client to client).
- Applications on the endpoint (client) machines.
These applications are launched on demand on the user machine when the user clicks a link in the user portal.
They can be one of these:
- Already installed on the endpoint machine
- Run via a default browser
- Downloaded from Mobile Access
SSL Network Extender for Accessing Native Applications
The SSL Network Extender client makes it possible to access native applications via Mobile Access. SSL Network Extender can operate in two modes: Network Mode and Applications Mode.
SSL Network Extender with Mobile Access
The SSL Network Extender client lets users access native applications using Mobile Access.
- If the Mobile Access blade is enabled on the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources), SSL Network Extender works through Mobile Access only. Configure its policy in the Policy page of the Mobile Access tab.
- If the Mobile Access blade is disabled and the IPsec VPN blade (the Software Blade that provides Site to Site VPN and Remote Access VPN) is enabled, SSL Network Extender works through the IPsec VPN blade. Configure its policy in the main security rule base (all rules configured in a given Security Policy).
Note - If SSL Network Extender was configured through IPsec VPN, and you now enable the Mobile Access blade on the Security Gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard (the legacy Check Point GUI client used to manage security settings in versions R77.30 and lower; in R80.X and higher it is still used to configure specific legacy settings). SSL Network Extender rules in the main security rule base are not active if the Mobile Access tab is enabled.
SSL Network Extender is downloaded automatically from the Mobile Access Portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender tunnels application traffic using a secure, encrypted and authenticated SSL tunnel to the Mobile Access Security Gateway.
SSL Network Extender requires the Legacy Mobile Access Portal.
SSL Network Extender Network Mode
The SSL Network Extender Network Mode client provides secure remote access for all application types (both Native-IP-based and Web-based) in the internal network via SSL tunneling. To install the Network mode client, users must have administrator privileges on the client computer.
After installing the client, an authenticated user can access any authorized internal resource that is defined on Mobile Access as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the Mobile Access Portal.
SSL Network Extender Application Mode
The SSL Network Extender Application Mode client provides secure remote access for most application types (both Native (IP-based) and Web-based) in the internal network via SSL tunneling. Most TCP applications can be accessed in Application mode. The user does not require administrator privileges on the endpoint machine.
After the client is installed, the user can access any internal resource that is defined on Mobile Access as a native application. The application must be launched from the Mobile Access Portal and not from the user's desktop.
If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user that connects in Application Mode will be able to see it and launch it. If the application is not supported in Application Mode, a user who connects with Application Mode will not see it in the list of applications. While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified to work with SSL Network Extender in Application mode.
Note - UDP based applications are not supported with SSL Network Extender in Application mode.
Supported Application Mode Applications
Most TCP applications work with SSL Network Extender in the Application Mode. If an application is defined in the Mobile Access tab in SmartDashboard as one that can be used in Application Mode, a user that connects in Application Mode will be able to see it and launch it. If the application is not supported in Application Mode, a user who connects with Application Mode will not see it in the list of applications.
The following applications have been tested and are Check Point OPSEC-certified for use with Mobile Access SSL Network Extender in Application mode. Note that this mode is different from SSL Network Extender in Network mode which supports any IP-based application. While Application Mode is designed to work with most applications, only OPSEC-certified applications have been tested and verified to work with SSL Network Extender in Application mode. Only specified versions are guaranteed to work and are fully supported. However, in most cases other versions of the same client and most other applications that are TCP based will work.
Note - Some Anti-Virus applications do not scan email when Microsoft Outlook is launched with SSL Network Extender Application mode, because the mail is encrypted in SSL before scanning begins.
Configuring SSL Network Extender as a VPN Client
- From the Gateways & Servers tab, right-click the Mobile Access Security Gateway and select Edit.
  The Security Gateway properties window opens and shows the General Properties page.
- From the navigation tree, click Mobile Access > SSL Clients.
  SSL Network Extender is automatically enabled when the Mobile Access blade is turned on.
- Select an option:
  - Automatically decide on client type according to endpoint machine capabilities downloads the SSL Network Extender Network Mode client if the user on the endpoint machine has administrator permissions, and downloads the Application Mode client if the user does not have administrator permissions.
  - Application Mode only specifies that the SSL Network Extender Application Mode client is downloaded to the endpoint machines, irrespective of the capabilities of the endpoint machine.
  - Network Mode only specifies that the SSL Network Extender Network Mode client is downloaded to the endpoint machines, irrespective of the capabilities of the endpoint machine. The user on the endpoint machine must have administrator permissions in order to access Native Applications.
- Click OK.
- Install the policy.
If you had SSL Network Extender configured through IPsec VPN and now you enabled the Mobile Access blade on the Security Gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. Rules regarding SSL Network Extender in the main security rule base are not active if the Mobile Access tab is enabled.
Office Mode
When working with Office Mode, Remote Access clients receive an IP address allocated for them by the VPN administrator. These addresses are used by the clients in the source field of the IP packets they build. Since the IP packets are then encrypted and encapsulated, the packets appear to the Internet with their original IP address. To the organization's internal network, after decapsulation and decryption, they appear with the allocated IP address. The clients seem to be on the internal network.
For more about Office Mode, see the R81 Remote Access VPN Administration Guide.
Configuring Office Mode
Configure Office Mode in Gateway Properties > Mobile Access > Office Mode. The settings configured here apply to Mobile Access clients and IPsec VPN clients.
Office Mode Method
Choose the methods used to allocate IP addresses for Office Mode. All of the methods selected below will be tried sequentially until the office mode IP addresses are allocated.
- From $FWDIR/conf/ipassignment.conf - You can override the Office Mode settings created on the Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain). Edit the plain text file ipassignment.conf in the $FWDIR/conf/ directory on the Check Point Security Gateway. The Security Gateway uses these Office Mode settings and not those defined for the object in the Security Management Server. The ipassignment.conf file can specify:
  - An IP per user/group, so that a particular user or user group always receives the same Office Mode address. This allows the administrator to assign specific addresses to users, or particular IP ranges/networks to groups when they connect using Office Mode.
  - A different WINS server for a particular user or group.
  - A different DNS server.
  - Different DNS domain suffixes for each entry in the file.
- From the RADIUS server used to authenticate the user - A RADIUS server can be used for authenticating remote users. When a remote user connects to a Security Gateway, the user name and password are passed on to the RADIUS server, which checks that the information is correct, and authenticates the user.
- Using one of the following methods:
  - Manually (IP pool) - Create a Network Object (a logical object that represents different parts of the corporate topology: computers, IP addresses, traffic protocols, and so on) with the relevant addresses. The allocated addresses can be illegal but they have to be routable within the internal network.
  - Automatically (Using DHCP) - Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and relates to VPN as a DHCP relay agent. The virtual IP address must be routable so that the DHCP server can send replies correctly.
    DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, then VPN ignores the user identity. If different users work from the same Remote Access client, they are allocated the same IP address.
Multiple Interfaces
If the Security Gateway has multiple external interfaces, there might be a routing problem for packets whose destination address is a client working in Office Mode. The destination IP address is replaced when the packet is encapsulated, so the previous routing information becomes irrelevant. Resolve this problem by setting the Security Gateway to Support connectivity enhancement for gateways with multiple external interfaces. Do not select this option if your Security Gateway has only one external interface, as it affects performance.
Anti-Spoofing
If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode.
If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here.
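The DHCP allocation behavior (a per-machine MAC versus a per-user MAC) and the Anti-Spoofing check described above, as an added illustration that is not Check Point code: the MAC derivation, the DHCP scope, the session table and the client identities are all constructed here to show why two users on one client receive the same Office Mode address when the MAC is per machine, and how a decapsulated packet carrying an Office Mode source address is tied to the tunnel peer that was allocated it.

```python
"""Model of Office Mode address allocation and the Anti-Spoofing check.

Added illustration, not Check Point code. The MAC derivation, the DHCP scope
and the session table are constructed to show two behaviours the guide
describes: a per-machine MAC gives different users on one client the same
Office Mode address, and a decapsulated packet carrying an Office Mode source
address must come from the tunnel peer that was allocated that address.
"""
from __future__ import annotations

import hashlib
import ipaddress


def office_mode_mac(machine_id: str, user: str, per_user: bool) -> str:
    """Derive a locally administered unicast MAC for the DHCP request.

    Constructed scheme (SHA-256 of the identity), not Check Point's algorithm:
    per_user=False ignores the user identity, as the guide describes.
    """
    key = f"{machine_id}|{user}" if per_user else machine_id
    digest = hashlib.sha256(key.encode()).digest()[:6]
    first = (digest[0] | 0x02) & 0xFE  # set locally-administered bit, clear multicast bit
    return ":".join(f"{b:02x}" for b in (first, *digest[1:]))


class DhcpScope:
    """Minimal DHCP scope: one lease per MAC address, handed out in order."""

    def __init__(self, network: str) -> None:
        self.network = ipaddress.ip_network(network)
        self._free = list(self.network.hosts())
        self.leases: dict[str, ipaddress.IPv4Address] = {}

    def request(self, mac: str) -> ipaddress.IPv4Address:
        if mac not in self.leases:
            self.leases[mac] = self._free.pop(0)
        return self.leases[mac]


class OfficeModeGateway:
    """Gateway side: allocates Office Mode addresses and enforces Anti-Spoofing."""

    def __init__(self, scope: DhcpScope, per_user_mac: bool) -> None:
        self.scope = scope
        self.per_user_mac = per_user_mac
        # Office Mode address -> public address of the tunnel peer that owns it
        self.sessions: dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}

    def connect(self, machine_id: str, user: str, peer_ip: str) -> ipaddress.IPv4Address:
        mac = office_mode_mac(machine_id, user, self.per_user_mac)
        om_ip = self.scope.request(mac)
        self.sessions[om_ip] = ipaddress.ip_address(peer_ip)
        return om_ip

    def anti_spoofing_ok(self, inner_src: str, outer_src: str) -> bool:
        """True if a decapsulated packet passes the Office Mode Anti-Spoofing check.

        inner_src is the source address inside the tunnel, outer_src the address
        the encapsulated packet arrived from. Packets whose inner source is not
        in the Office Mode scope are outside the scope of this check.
        """
        inner = ipaddress.ip_address(inner_src)
        if inner not in self.scope.network:
            return True
        return self.sessions.get(inner) == ipaddress.ip_address(outer_src)


def allocation_demo(per_user_mac: bool) -> tuple[str, str]:
    """Two users connecting from the same client machine (constructed identities)."""
    gw = OfficeModeGateway(DhcpScope("10.10.0.0/24"), per_user_mac)
    ip_alice = gw.connect("laptop-01", "alice", "203.0.113.5")
    ip_bob = gw.connect("laptop-01", "bob", "203.0.113.5")
    return str(ip_alice), str(ip_bob)


def spoofing_demo() -> tuple[bool, bool]:
    """A genuine packet from the allocated tunnel peer versus one from elsewhere."""
    gw = OfficeModeGateway(DhcpScope("10.10.0.0/24"), per_user_mac=True)
    om_ip = str(gw.connect("laptop-01", "alice", "203.0.113.5"))
    genuine = gw.anti_spoofing_ok(inner_src=om_ip, outer_src="203.0.113.5")
    forged = gw.anti_spoofing_ok(inner_src=om_ip, outer_src="198.51.100.9")
    return genuine, forged


if __name__ == "__main__":
    print("per-machine MAC:", allocation_demo(per_user_mac=False))
    print("per-user MAC:   ", allocation_demo(per_user_mac=True))
    print("anti-spoofing (genuine, forged):", spoofing_demo())
```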
IP Pool Optional Parameters
Configure additional optional parameters for how Office Mode addresses are assigned by clicking Optional Parameters. If the Office Mode addresses are allocated from an IP pool, this window lets you specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the Domain name.
If the office mode addresses are allocated by a DHCP server, DNS and WINS addresses are set on the DHCP server.
These details are transferred to the Remote Access client when a VPN is established.
IP Lease Duration
Specify the amount of time after which the Remote Access client stops using the allocated IP address and disconnects. By default, the duration is 15 minutes. The client tries to renew the IP address by requesting the same address after half of the set time has elapsed. When this request is granted, the client receives the same address until the lease expires. When the new lease expires, it must be renewed again.
Configuring SSL Network Extender Advanced Options
- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
  SmartDashboard opens and shows the Mobile Access tab.
- From the navigation tree click Additional Settings > VPN Clients.
- From the Advanced Settings for SSL Network Extender section, click Edit.
- Configure the applicable options.
- Click OK.
- Click Save and then close SmartDashboard.
- In SmartConsole, install policy.
Deployment Options
- Client upgrade upon connection specifies how to deploy a new version of the SSL Network Extender Network Mode client on endpoint machines, when it becomes available.
  Note - Upgrading requires Administrator privileges on the endpoint machine.
- Client uninstall upon disconnection specifies how to handle the installed SSL Network Extender Network Mode client on the endpoint machine when the client disconnects.
  - Do not uninstall allows the user to manually uninstall if they wish to.
  - Ask User allows the user to choose whether or not to uninstall.
  - Always uninstall does so automatically, when the user disconnects.
Encryption
- Supported Encryption methods define the strength of the encryption used for communication between SSL Network Extender clients and all Mobile Access Security Gateways and Clusters that are managed by the Security Management Server.
  - AES, 3DES - This is the default setting. The 3DES encryption algorithm encrypts data three times, for an overall key length of 192 bits.
  - AES, 3DES or RC4 - Configures the SSL Network Extender client to support the RC4 encryption method, as well as AES and 3DES. RC4 is a variable key-size stream cipher. The algorithm is based on the use of a random permutation. It requires a secure exchange of a shared key that is outside the specification. RC4 is a faster encryption method than 3DES.
Launch SSL Network Extender Client
These settings define the behavior of the SSL Network Extender clients when launched on the endpoint machines.
- On demand, when user clicks "Connect" on the portal - SSL Network Extender only opens when the user clicks "Connect" from the Mobile Access Portal.
- Automatically, when user logs on - When users log in to the Mobile Access Portal, SSL Network Extender launches automatically.
- Automatically minimize client window after client connects - For either of the options above, choose to minimize the SSL Network Extender window to the system tray on the taskbar after connecting. This provides better usability for non-technical users.
Endpoint Application Types
When defining a Native Application, you can define applications on endpoint machines. These applications launch on the endpoint machine when the user clicks a link in the Mobile Access Portal. You do not have to configure endpoint applications for users using SSL Network Extender in Network Mode, as they will be able to access them using their native clients.
Application Installed on Endpoint Machine
These endpoint applications are already installed on the endpoint machines.
Application Runs Via a Default Browser
Run via default browser is used to define a link to any URL. The link appears in the Mobile Access Portal, and launches the current Web browser (the same browser as the Mobile Access Portal). The link can include $$user, which represents the user name of the currently logged-in user.
This option has a user experience similar to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some websites have problems working with Link Translation.
Applications Downloaded-from-Gateway
Downloaded-from-Gateway applications let you select applications that download from Mobile Access to the endpoint computer when the user clicks a link in the Mobile Access Portal.
These applications allow end users to securely use client-server applications, without requiring a native client to be installed on their machines.
Mobile Access has built-in applications that the administrator can configure. Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files). All the applications that are available by default, other than the Terminal (PuTTY) client, are Java based applications, and are therefore multi-platform applications. The PuTTY client can only be used on Windows machines.
You can add Native Applications for Client-Based Access, in addition to the built-in applications.
The Downloaded-from-Gateway applications are third-party applications, which are supplied as-is, and for which Check Point provides limited support.
Some of these packages are not signed by Check Point, and when they are downloaded by end users a popup warning informs the user that the package is not signed.
Downloaded-from-Gateway Applications
Application | Description
---|---
Remote Desktop (RDP) | Downloaded-from-Gateway Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac.
Terminal (PuTTY) | An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator.
Jabber | Downloaded-from-Gateway Jabber Client is an instant messenger based on the Jabber protocol. Runs on every computer with at least Java 1.4.
FTP | Graphical Java network and file transfer client. Supports FTP using its own FTP API and various other protocols like SMB, SFTP, NFS, HTTP, and file I/O using third party APIs. Includes many advanced features such as recursive directory up/download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more.
Telnet | Telnet terminal. Provides user oriented command line login sessions between hosts on the Internet.
SSH | Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22.
TN3270 | IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.
TN5250 | IBM 5250 terminal emulator that interprets and displays 5250 data streams.
Notes:
- You can also use Native Applications for Client-Based Access.
- When users are connected to the Mobile Access Gateway with SSL Network Extender in Application Mode, the Downloaded-from-Gateway applications do not work inside Endpoint Security On Demand Secure Workspace.
Configuring Authorized Locations per User Group
The authorized locations (hosts or address ranges) of a Native application are defined in the Authorized Locations page of the Native Application. However, it is also possible to configure authorized locations per user group. Users who belong to two or more groups can access the union of the authorized locations of the groups.
For configuration details, see sk32111.
Ensuring the Link Appears in the End-User Browser
If an endpoint application is defined by the administrator, but is not available on the endpoint machine, the link to the application will not be shown in the Mobile Access Portal.
For example, the link will not be shown if:
- An endpoint application that is pre-installed on the endpoint machine (of type "Already Installed") is configured, and the application is in fact not installed on the endpoint machine.
- A Downloaded-from-Gateway (Embedded) application requires Java, but Java is not installed on the endpoint machine.
Configuring a Simple Native Application
- In SmartConsole, click Objects > Object Explorer (Ctrl+E).
- Click New Custom Application/Site > Mobile Application > Native Applications.
- Click New.
  The Native Application window opens.
General Properties
In the General Properties page, define the name of the Native Application.
Authorized Locations
- Go to the Authorized Locations page.
  An authorized location ensures users of the Native Application can only access the specified locations using the specified services.
- Fill in the fields:
  - Host or Address Range is the machine or address range on which the application is hosted.
  - Service is the port on which the machine hosting the application listens for communication from application clients.
Applications on the Endpoint Computer
- Go to the Endpoint Applications page.
- Fill in the fields:
  - Add link in the Mobile Access Portal must be selected if you want to make the endpoint application(s) associated with the Native Application available to users.
  - Link text can include $$user, a variable that represents the user name of the currently logged-in user.
  - Tooltip for additional information. Can include $$user, which represents the user name of the currently logged-in user.
  - Path and executable name must specify one of the following:
    Note - If the endpoint application is not available on the endpoint machine, the link to the application will not be shown in the end user's browser.
    - Full path of the application on the endpoint machines. For example: c:\WINDOWS\system32\ftp.exe
    - The location of the application by means of an environment variable. This allows the location of the application to be specified in a more generalized way. For example: %windir%\system32\ftp.exe
    - If the application is listed in the Windows Start > Programs menu, only the application name need be entered, as it appears to the user in the Start menu. For example: HyperTerminal
    - If the location of the application is in the path of the endpoint computer, only the application name need be entered. For example: ftp.exe
  - Parameters are used to pass additional information to applications on the endpoint computer, and to configure the way they are launched.
Using the $$user Variable in Native Applications
You can use the $$user variable to define customized login parameters for native applications. To do this, enter the $$user variable wherever you need to specify a user name.
For example, you can use the $$user variable to return the user name as a part of the login string for Remote Desktop. In this example, $$user.example.com (in the Parameters field) resolves to the login string ethan.example.com for Ethan or richard.example.com for Richard.
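The link-visibility rule, the four "Path and executable name" forms and the $$user substitution from the two sections above, as an added example that is not Check Point code: the endpoint file list, the environment variables, the Start menu contents and the application entries (including the mstsc.exe entry and its /v: parameter) are constructed test data, and the resolution order is an assumption of this model rather than the portal's documented behavior.

```python
"""Endpoint application link resolution for a Native Application.

Added example, not Check Point code: it models the rule that the portal link
is hidden when the endpoint application is not available, resolves the four
'Path and executable name' forms the guide lists, and expands $$user in the
link text, tooltip and parameters. The endpoint file list, environment and
Start menu contents below are constructed test data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

_ENV_REF = re.compile(r"%([^%]+)%")  # %windir% style references


@dataclass
class EndpointApp:
    link_text: str
    tooltip: str
    path: str  # full path, %VAR% path, Start menu name, or bare name found in PATH
    parameters: str = ""


def expand_user(text: str, user: str) -> str:
    """Replace the $$user variable with the logged-in user name."""
    return text.replace("$$user", user)


def resolve_executable(path: str, env: Mapping[str, str], exists: Callable[[str], bool],
                       start_menu: frozenset[str]) -> Optional[str]:
    """Return the launch target on the endpoint, or None if it is not available.

    env keys are lower-case because Windows variable names are case-insensitive.
    """
    expanded = _ENV_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    if "\\" in expanded:  # a full path, possibly given via an environment variable
        return expanded if exists(expanded) else None
    if path in start_menu:  # application name as it appears in Start > Programs
        return f"startmenu:{path}"
    for directory in env.get("path", "").split(";"):  # bare name searched in PATH
        candidate = directory.rstrip("\\") + "\\" + path
        if directory and exists(candidate):
            return candidate
    return None


def build_portal_link(app: EndpointApp, user: str, env: Mapping[str, str],
                      exists: Callable[[str], bool], start_menu: frozenset[str]) -> Optional[dict]:
    """The link entry the portal would show, or None when the link is hidden."""
    target = resolve_executable(app.path, env, exists, start_menu)
    if target is None:
        return None
    return {
        "text": expand_user(app.link_text, user),
        "tooltip": expand_user(app.tooltip, user),
        "command": target,
        "parameters": expand_user(app.parameters, user),
    }


# Constructed endpoint state: which files exist, the environment, the Start menu.
ENDPOINT_FILES = {r"c:\windows\system32\ftp.exe", r"c:\windows\system32\mstsc.exe"}
ENDPOINT_ENV = {"windir": r"C:\WINDOWS", "path": r"C:\WINDOWS\system32;C:\Tools"}
START_MENU = frozenset({"HyperTerminal"})


def file_exists(path: str) -> bool:
    """Case-insensitive lookup against the constructed endpoint file list."""
    return path.lower() in ENDPOINT_FILES


# Constructed Native Application entries: one per path form, plus one missing app.
APPS = {
    "ftp_full_path": EndpointApp("FTP", "FTP as $$user", r"c:\WINDOWS\system32\ftp.exe"),
    "ftp_env_var": EndpointApp("FTP", "FTP", r"%windir%\system32\ftp.exe"),
    "hyperterminal": EndpointApp("HyperTerminal", "Serial console", "HyperTerminal"),
    "ftp_in_path": EndpointApp("FTP", "FTP", "ftp.exe"),
    "rdp": EndpointApp("Remote Desktop", "RDP", "mstsc.exe", "/v:$$user.example.com"),
    "telnet_missing": EndpointApp("Telnet", "Telnet", r"%windir%\system32\telnet.exe"),
}


def portal_links(user: str) -> dict[str, Optional[dict]]:
    """Links the portal would show for user; None marks a hidden link."""
    return {name: build_portal_link(app, user, ENDPOINT_ENV, file_exists, START_MENU)
            for name, app in APPS.items()}


if __name__ == "__main__":
    for name, link in portal_links("ethan").items():
        print(name, "->", link if link else "hidden")
```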
Completing the Native Application Configuration
To complete the configuration, add the Native application to a policy rule and install policy from SmartConsole.
If necessary, configure the Native Applications for Client-Based Access.
For Unified Access Policy, see Mobile Access and the Unified Access Policy.
For legacy policy, see Getting Started with Mobile Access.
Configuring an Advanced Native Application
- In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
  SmartDashboard opens and shows the Mobile Access tab.
- From the navigation tree click Applications > Native Applications.
- Click New.
  The Native Application window opens.
Configuring Connection Direction
- In the General Properties page of the Native Application object, click Connection direction.
  The Advanced window opens.
- Select an option for the Direction of communication from the connection initiator:
  - Client to server: (For example, Telnet.) This is the default option. When you create a client to server application and assign it to a user group, you enable users of the group to initiate a connection to the specified server.
  - Server to client: (For example, X11.) When you create a server to client application, the specified server can initiate a connection to all SSL Network Extender or Secure Client Mobile users currently logged on to the Mobile Access Security Gateway, regardless of their group association.
  - Client to client: (For example, running Remote Administration from one client to another.) When you create a client to client Native Application and assign it to a user group, you enable users of that group to initiate a connection to all of the SSL Network Extender or Secure Client Mobile users currently logged on to Mobile Access, regardless of their user group association.
Note - A Client to Client Native Application does not require configuration of a destination address.
Multiple Hosts and Services
The native application can reside on a range of hosts, which can be accessed by the native application clients. You can also specify more than one service that clients may use to communicate with the application.
Users of the native application can only access the specified locations using the specified services.
- Define a Native Application.
- In the Authorized Locations page of the Native Application object, select Advanced.
- Click Edit.
  The Native Application - Advanced window opens.
- Click Add or Edit.
  The Native Application Hosts window opens.
- Configure the hosts.
- Click OK.
Configuring the Endpoint Application to Run Via a Default Browser
- Define a Native Application.
- In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access Portal.
- Select Advanced > Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add.
  The Edit Endpoint Application window opens.
- Select Run via default browser. This is used to define a link to any URL. The link appears in the Mobile Access Portal, and launches the current Web browser (the same browser as the Mobile Access Portal). The link can include $$user, which represents the user name of the currently logged-in user.
  This option has a similar user experience to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some Web sites have problems working with Link Translation.
Automatically Starting the Application
To configure the Endpoint Application to start automatically:
- Define a Native Application.
- In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access Portal.
- Select Advanced > Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add or Edit.
  The Edit Endpoint Application window opens.
- Click Advanced.
  - Automatically Start this Application - Configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode). When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications.
  - When SSL Network Extender is disconnected - In SSL Network Extender Application Mode, do not use this option to launch applications that require connectivity to the organization. In Network Mode, automatic start of applications when SSL Network Extender is disconnected works correctly.
Making an Application Available in Application Mode
- Define a Native Application.
- In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access Portal.
- Select Advanced > Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add or Edit.
  The Edit Endpoint Application window opens.
- Click Advanced.
- Select Show link to this application in SSL Network Extender Application Mode. The option SSL Network Extender application mode compatibility lets you make an application available to Application Mode clients. Users that connect using the SSL Network Extender Application Mode client are able to see a link to the application and launch it. Use this option if the application works well in Application Mode.
Note - If this option is NOT selected, users who connect with Application Mode do not see it in their list of applications.
Automatically Running Commands or Scripts
It is possible to configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode).
Note - The user must have the appropriate privileges on the endpoint machine to run the commands.
One example of how automatically running a command can be useful is to mount or unmount a network drive. Giving users access to network drives is a convenient way of providing access to internal resources. A drive can be mapped by configuring an application that invokes the Windows net use command.
Note - When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications.
For configuration details, see the "Native Applications for Client-Based Access" section.
It is possible to extend this ability by defining a dynamic add-on Downloaded-from-Gateway application that runs a script (batch file) containing a sequence of commands to execute on the endpoint machine. This script can be launched manually when the user clicks a link, or it can launch automatically after connecting to or disconnecting from SSL Network Extender.
For configuration details, see the "Native Applications for Client-Based Access" section.
How to Automatically Map and Unmap a Network Drive
A drive can be mapped by configuring an application that invokes the Windows "net use" command.
Note - The "net use" command is available for SSL Network Mode only.
To automatically map (mount) and unmap (unmount) a network drive, create a Native Application that automatically maps the network drive when SSL Network Extender is launched:
- Define a Native Application.
- In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access Portal.
- Select Advanced > Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add or Edit.
  The Edit Endpoint Application window opens.
- Configure the Edit Endpoint Application page as follows:
  - Already installed.
  - Path and executable name: net.exe
  - Parameters: use drive_letter: \\server name\share name
- Click Advanced.
- Check When SSL Network Extender is launched.
- Create another Native Application that automatically unmaps the network drive when SSL Network Extender is disconnected. Configure these settings in the Edit Endpoint Application page:
  - Already installed
  - Path and executable name: net.exe
  - Parameters: use /DELETE drive_letter:
- Click Advanced.
- Check When SSL Network Extender is disconnected.
- Click OK.
How to Automatically Run a Script (Batch File)
It is possible to define a new Downloaded-from-Gateway Endpoint Application (embedded application) that runs a script (batch file) automatically after connecting to or disconnecting from SSL Network Extender.
- Create a batch (script) file containing a sequence of commands.
- Define the batch file as a new Downloaded-from-Gateway application (see "Native Applications for Client-Based Access").
- Define a Native Application.
- In the Endpoint Applications page of the Native Application object, select Add link in the Mobile Access Portal.
- Select Advanced > Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add or Edit.
  The Edit Endpoint Application window opens.
- Click Advanced.
- In the Automatically start this application section, select When SSL Network Extender is launched.
Protection Levels for Native Applications
You can define a protection level for each native application. Configure this in the Properties window of each native application in Additional Settings > Protection Level.
The options are:
- This application relies on the security requirements of the gateway
  Rely on the Security Gateway security requirements. Users authorized to use the portal are also authorized to use this application. This is the default option.
- This application has additional security requirements specific to the following protection level
  Associate the Protection Level with the application. Users must be compliant with the security requirements for this application in addition to the requirements for the portal.
Defining Protection Levels
- In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
  SmartDashboard opens and shows the Mobile Access tab.
- From the navigation tree, click Additional Settings > Protection Levels.
- Click New to create a new Protection Level, or double-click an existing Protection Level to modify it.
  The Protection Levels window opens, and shows the General Properties page.
- In SmartConsole, click Objects > Object Explorer (Ctrl+E). Or, in the SmartDashboard Mobile Access tab, go to Applications > Application type.
- Search for the Mobile Access application.
- Double-click the application.
- From the navigation tree, select Additional Settings > Protection Level.
- To create a new Protection Level, select Manage > New.
- To edit the settings of a Protection Level, select the Protection Level from the drop-down list and then select Manage > Details.
  The Protection Levels window opens, and shows the General Properties page.
- From the General Properties page in the Protection Level window, enter the Name for the Protection Level (for a new Protection Level only).
- In the navigation tree, click Authentication and select one or more authentication methods from the available choices. Users accessing an application with this Protection Level must use one of the selected authentication schemes.
- If necessary, select User must successfully authenticate via SMS.
- In the navigation tree, click Endpoint Security and select one or both of these options:
  - Applications using this Protection Level can only be accessed if the endpoint machine complies with the following Endpoint compliance policy. Also select a policy. This option gives access to the associated application only if the scanned client computer complies with the selected policy.
  - Applications using this Protection Level can only be accessed from within Secure Workspace. This option requires Secure Workspace to be running on the client computer.
- Click OK to close the Protection Level window.
- Install the policy.
Adding Downloaded-from-Gateway Endpoint Applications
You can add Downloaded-from-Gateway applications to Mobile Access, in addition to the built-in applications. This section explains how, and gives detailed examples.
Downloaded-from-Gateway Application Requirements
Downloaded-from-Gateway applications are either Java-based applications or single-executable applications (including batch files).
Java applications have the following requirements:
- The application must be packaged into a JAR file.
- The JVM of a version required by the application must be installed on the endpoint machine.
- The application must have a Main class.
Single-executable applications have the following requirements:
- Must not require installation.
- Must be platform-specific for Windows, Linux, or macOS.
Adding a New Application
To add a new Downloaded-from-Gateway application, first put the application in the relevant directory on the Security Gateway. Then use Database Tool (GuiDBEdit Tool) (see sk13009) to set its properties.
To add a new downloaded-from-gateway endpoint application:
- Compress your downloaded-from-gateway application file into a CAB file with the same name as the original file but with a .cab extension. To compress a file into a CAB file, you can use the Microsoft Cabinet Tool cabarc.exe (which can be downloaded from the Microsoft Web site). For example:
  cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar
- Copy both your downloaded-from-gateway application file and the .cab file you created to the Security Gateway machine at: $CVPNDIR/htdocs/SNX/CSHELL
- Change the application file permissions to read, write and execute.
- Run the Database Tool (GuiDBEdit Tool) - see sk13009.
- Log in to the Security Management Server.
- Select Table > Other > embedded_applications.
- In the right side pane, right-click and select New.
- In the Object field, enter a name for the new downloaded-from-gateway application.
- Specify the characteristics of the new downloaded-from-gateway application:
  display_name - The application name, which appears in the drop-down list of downloaded-from-gateway applications in SmartDashboard, in the Edit Endpoint Application window.
  embedded_application_type - The type of downloaded-from-gateway application. Choose one of the options in the Valid Values list (java_applet, linux_executable, mac_executable, windows_executable).
  file_name - The name of the file you placed in $CVPNDIR/htdocs/SNX/CSHELL (not the .cab version).
  server_name_required_params - Indicates whether the new downloaded-from-gateway application requires the server name to be configured in the Parameters field of the new downloaded-from-gateway application, in the SmartDashboard Edit Endpoint Application window.
  pre_custom_params - Parameters concatenated before the server_name_required_params field. Usually used when configuring a new downloaded-from-gateway Java application; in that case, specify the Main Class name of the application.
  post_custom_params - Parameters concatenated after the server_name_required_params field. Can be left blank.
  type - Leave as embedded_application.
You can see and configure the new downloaded-from-gateway application in SmartDashboard, just as you do with the built-in downloaded-from-gateway applications. The downloaded-from-gateway applications appear in the Edit Network Application page of the Native Application object (Getting there: Native Application object > Endpoint applications page > Advanced: Edit > Add/Edit).
Example: Adding a New SSH Application
This example adds two applications to Mobile Access as new downloaded-from-Mobile Access applications:
- SSH2 Java application:
  - JAR file name: ssh2.jar
  - Main class name: ssh2.Main
  - The application gets its server name as a parameter.
  - Name in SmartDashboard: Jssh2 Client.
- SSH2 Windows executable:
  - Executable file name: WinSsh2.exe
  - The application gets its server name as a parameter.
  - Name in SmartDashboard: Essh2 Client.
To add these applications:
- Compress the ssh2.jar and WinSsh2.exe application files into ssh2.cab and WinSsh2.cab:
  # cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar
  # cabarc.exe -m LZX:20 -s 6144 N WinSsh2.cab WinSsh2.exe
- Assuming the IP address of the SSH2 server is 1.1.1.1, save the files ssh2.jar and WinSsh2.exe to $CVPNDIR/htdocs/SNX/CSHELL with the proper permissions.
- Put the application files in $CVPNDIR/htdocs/SNX/CSHELL with the proper permissions.
- Use Database Tool (GuiDBEdit Tool) (see sk13009) or dbedit (see sk13301) to configure the two new downloaded-from-Mobile Access applications.
SSH2 Java Application
  display_name: Jssh2 Client
  embedded_application_type: java_applet
  file_name: ssh2.jar
  post_custom_params: Empty
  pre_custom_params: ssh2.Main
  server_name_required_params: true
  type: embedded_application
SSH2 Windows Executable
  display_name: Essh2 Client
  embedded_application_type: windows_executable
  file_name: WinSsh2.exe
  post_custom_params: Empty
  pre_custom_params: Empty
  server_name_required_params: true
  type: embedded_application
When you configure one of these new downloaded-from-Mobile Access applications (Jssh2 Client and Essh2 Client) in SmartDashboard, the Parameters field will be: 1.1.1.1 (the SSH2 server IP in this example).
Example: Adding a New Microsoft Remote Desktop Profile
This example demonstrates how to configure Mobile Access to work with Microsoft Remote Desktop, with a predefined profile. It also shows how to configure the profile per user group.
- Create the Remote Desktop Profile
  Create the RDP profile file (with an .rdp extension) using Microsoft Remote Desktop Connection, found at %SystemRoot%\system32\mstsc.exe. When creating the profile, you can define the address, the settings, applications that should run at log in, and more.
  In this example, the profile file has the name of the relevant user group. For a user group called mygr1, save a profile file called mygr1.rdp.
- Create a CAB Package from the Profile
  - Compress the profile file into a CAB file with the same name as the original file. You can use the Microsoft Cabinet Tool cabarc.exe (which can be downloaded from the Microsoft Web site). For this example, run the command:
    cabarc.exe -m LZX:20 -s 6144 N mygr1.cab mygr1.rdp
    This produces the output file mygr1.cab.
  - Copy both mygr1.rdp and mygr1.cab to the Mobile Access machine at $CVPNDIR/htdocs/SNX/CSHELL.
  - Change their permissions to read, write and execute.
- Configure the Package Downloaded-from-Gateway Application
  - Run the Database Tool (GuiDBEdit Tool) - see sk13009.
  - Enter the administrator user name and password.
  - In the top left pane, go to Table > Other > embedded_applications.
    The embedded_applications table opens.
  - In the top right pane, right-click and select New...
  - In the Object field, enter a name for the new downloaded-from-gateway application. Give it the name of the relevant user group. In this example: mygr1
  - Specify the characteristics of the new downloaded-from-gateway application as follows:
    - display_name: mygr1_RDP_Policy
    - embedded_application_type: windows_executable
    - file_name: mygr1.rdp
    You can now see and configure the new downloaded-from-gateway application in SmartDashboard, just as for the built-in downloaded-from-gateway applications.
  - Save the changes (File menu > Save All).
  - Close the Database Tool (GuiDBEdit Tool).
  - Open the SmartDashboard.
- Configure the Link to the Remote Desktop Application
  Configure the link to Microsoft Remote Desktop that will appear in the SSL Network Extender window. Define it as an Already Installed endpoint application.
  - Define a Native Application.
  - In the Endpoint Application page of the Native Application, select Add a Link to the application in the Mobile Access Portal.
  - Select Advanced, and click Edit.
    The Endpoint Applications - Advanced window opens.
  - Click Add. The Edit Endpoint Application window opens.
  - In the Edit Endpoint Application window, use the following settings, as shown in the screen capture:
    - Link text (Multi-language): MS-RDP (or any other name).
    - Path and executable name: %SystemRoot%\system32\mstsc.exe
    - Parameters: %temp%\mygr1.rdp
  - Click OK.
- Configure the Remote Desktop Profile to Start Automatically
  In the same Native Application, add another endpoint application for the Remote Desktop Profile. Define it as a Downloaded-from-Mobile Access endpoint application, which is downloaded to the user desktop as soon as SSL Network Extender is launched.
  - In the Endpoint Applications - Advanced window, click Add.
    The Edit Endpoint Application window opens.
  - Configure the Remote Desktop profile package with the following settings:
    - Add link to the application in the Mobile Access Portal must be cleared.
    - Name: mygr1_RDP_Policy (as configured in the Database Tool (GuiDBEdit Tool)).
  - Click Advanced.
  - Select Automatically Start this Application: When SSL Network Extender is launched.
  - Click OK three times to save and close the Native Application.
- Assign the Native Application to the User Group
  Assign the Native Application to the relevant user group.
Repeat for every new Microsoft Remote Desktop Connection.
Configuring Downloaded-from-Gateway Endpoint Applications
In the Endpoint Applications page of the Native Application object:
- Select Add link in the Mobile Access Portal.
- Select Advanced > Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add.
  The Edit Endpoint Application window opens.
- Select Downloaded-from-Gateway.
- From the Name drop-down list, select the applicable downloaded-from-gateway application.
- Specify the Parameters for the downloaded-from-Security Gateway application. The Parameters field is used to pass additional information to the downloaded-from-gateway applications on the endpoint machine, and to configure the way they are launched.
  The $$user variable can be used here; it changes dynamically according to the login name of the currently logged in user. See the configuration sections below for details of the required parameters.
Note - In the configuration sections for certified and add-on applications, below:
- parameter is a compulsory parameter
- [parameter] is an optional parameter
- | indicates a required choice of one from many
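As an added example (not Check Point's code), a small Python checker for embedded_applications records that applies the field rules given above (valid embedded_application_type values, file_name naming the original file rather than the .cab, a Main class in pre_custom_params for Java applications, the companion .cab present alongside the file in $CVPNDIR/htdocs/SNX/CSHELL) and composes the launch parameters in the documented order (pre_custom_params, then the Parameters field with $$user expanded, then post_custom_params). It uses the two SSH2 records from the example above as constructed data; the whitespace-token join and the in-memory set of staged file names are assumptions.

```python
"""Consistency checks for embedded_applications records and composition of the
endpoint launch parameters, as this page describes them. Example code added to
this page; not part of Check Point's product or tooling."""
from dataclasses import dataclass

# Valid Values listed on this page for embedded_application_type
VALID_TYPES = {"java_applet", "linux_executable", "mac_executable", "windows_executable"}
STAGING_DIR = "$CVPNDIR/htdocs/SNX/CSHELL"   # directory named on this page


@dataclass
class EmbeddedApp:
    """One row of the embedded_applications table (field names from the page)."""
    display_name: str
    embedded_application_type: str
    file_name: str
    server_name_required_params: bool
    pre_custom_params: str = ""
    post_custom_params: str = ""
    type: str = "embedded_application"


def validate(app, staged_files):
    """Return a list of problems; an empty list means the record is consistent.
    staged_files is the set of names present in STAGING_DIR (constructed here,
    not read from a gateway)."""
    problems = []
    if app.type != "embedded_application":
        problems.append("type must be left as embedded_application")
    if app.embedded_application_type not in VALID_TYPES:
        problems.append("unknown embedded_application_type %r" % app.embedded_application_type)
    if not app.display_name.strip():
        problems.append("display_name is empty")
    if app.file_name.lower().endswith(".cab"):
        problems.append("file_name must name the original file, not the .cab version")
    # The .cab carries the same name as the original file, with a .cab extension
    stem = app.file_name.rsplit(".", 1)[0]
    for needed in (app.file_name, stem + ".cab"):
        if needed not in staged_files:
            problems.append("%s missing from %s" % (needed, STAGING_DIR))
    if app.embedded_application_type == "java_applet":
        if not app.file_name.lower().endswith(".jar"):
            problems.append("Java applications must be packaged as a JAR file")
        if not app.pre_custom_params.strip():
            problems.append("java_applet needs its Main class in pre_custom_params")
    return problems


def launch_params(app, parameters_field, login_name):
    """Compose the argument list the endpoint receives. Assumption: the pieces
    are joined as whitespace-separated tokens in the documented order."""
    if app.server_name_required_params and not parameters_field.strip():
        raise ValueError("%s requires the server name in the Parameters field" % app.display_name)
    # $$user expands to the login name of the currently logged-in user
    expanded = parameters_field.replace("$$user", login_name)
    return app.pre_custom_params.split() + expanded.split() + app.post_custom_params.split()


# Constructed sample data: the two SSH2 records from the example on this page.
JSSH2 = EmbeddedApp("Jssh2 Client", "java_applet", "ssh2.jar", True, pre_custom_params="ssh2.Main")
ESSH2 = EmbeddedApp("Essh2 Client", "windows_executable", "WinSsh2.exe", True)
STAGED = {"ssh2.jar", "ssh2.cab", "WinSsh2.exe", "WinSsh2.cab"}

if __name__ == "__main__":
    for app in (JSSH2, ESSH2):
        print(app.display_name, validate(app, STAGED) or "ok")
    print(launch_params(JSSH2, "1.1.1.1", "alice"))   # ['ssh2.Main', '1.1.1.1']
```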
Configuring the Telnet Client (Certified Application)
Supported Platforms: All
Parameters field: Server name or IP address. Default port is 23.
Parameters usage: server [port]
Description: Telnet terminal. Provides user-oriented command line login sessions between hosts on the Internet.
Home page: http://javassh.org
Configuring the SSH Client (Certified Application)
Supported Platforms: All
Parameters field: Server name or IP address.
Parameters usage: server
Description: Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22.
Home page: http://javassh.org
Configuring the TN3270 Client (Certified Application)
Supported Platforms: All. Requires Java 1.3.1 or higher.
Parameters field: Ignored
Description: IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.
Home page: http://jagacy.com
Configuring the TN5250 Client (Certified Application)
Supported Platforms: All. Endpoint machines must have Java 1.4 or higher.
Parameters field: Optional. Can use the Configure button on the application instead. For the full list of options that can be used in the Parameters field, see the Quick Start Guide http://tn5250j.sourceforge.net/quick.html.
Parameters usage: [server [options]]
Description: IBM 5250 terminal emulator that interprets and displays 5250 data streams.
  You will be presented with a Connections screen for defining sessions. Select the Configure button to define sessions when the session selection window opens.
  On first invocation of the emulator there are some console warning messages. These inform you that defaults files are being set up for the first run.
Home page: http://tn5250j.sourceforge.net/index.html
Quick Start Guide: http://tn5250j.sourceforge.net/quick.html
Configuring the Remote Desktop Client (Add-On Application)
Supported Platforms: All platforms. Endpoint machines must have Java 1.4 or higher.
Parameters field: Must contain the server name or its IP address.
Parameters usage: [options] server[:port]
For example:
  -g 800x600 -l WARN RDP_Server
Options:
- -b - Bandwidth saving (good for 56k modem, but higher latency). This option clears the TCP 'no delay' flag.
- -d - Windows domain you are connecting to.
- -f - Show the window full-screen (requires Java 1.4 for proper operation).
- -g - The size of the desktop in pixels (width x height).
- -m - Keyboard layout on terminal server for languages (for example, en-us).
- -l {DEBUG, INFO, WARN, ERROR, FATAL} - Amount of debug output (otherwise known as the logging level).
- -lc - Path to a log4j configuration file.
- -n - Override the name of the endpoint machine.
- -u - Name of the user to connect as.
- -p - Password for the above user.
- -s - Shell to launch when the session is started.
- -t - Port to connect to (useful if you are using an SSH tunnel, for example).
- -T - Override the window title.
Description: Downloaded-from-Mobile Access Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac.
Home page: http://properjavardp.sourceforge.net
Configuring the PuTTY Client (Add-On Application)
Supported Platforms: Windows only
Parameters field: Optional. Leaving the Parameters field empty leads the PuTTY Client to open in full graphical mode.
Parameters usage: [[-ssh | -telnet | -rlogin | -raw] [user@]server [port]]
Description: An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator.
Home page: http://www.eos.ncsu.edu/remoteaccess/putty.html
Configuring the Jabber Client (Add-On Application)
Supported Platforms: All platforms. Endpoint machines must have Java 1.4 or higher.
Parameters field: Ignored
Description: Downloaded-from-Gateway Jabber Client is an instant messenger based on the Jabber protocol. Runs on every computer with at least Java 1.4.
Home page: http://jeti.jabberstudio.org
Configuring the FTP Client (Add-On Application)
Supported Platforms: All. Endpoint machines must have Java 1.4 or higher.
Parameters field: Ignored
Description: Graphical Java network and file transfer client. Supports FTP using its own FTP API and various other protocols like SMB, SFTP, NFS, HTTP, and file I/O using third-party APIs. Includes many advanced features such as recursive directory up/download, browsing FTP servers while transferring files, FTP resuming and queuing, browsing the LAN for Windows shares, and more.
Home page: http://j-ftp.sourceforge.net