Configuring Mobile Access to Network Resources
Sample Mobile Access Workflow
This is a high-level workflow to configure remote access to Mobile Access (MAB) applications and resources.
- Use SmartConsole to enable the Mobile Access Software Blade on the Security Gateway.
- Follow the steps in the Mobile Access Configuration Wizard to configure these settings:
  - Select mobile clients.
  - Define the Mobile Access Portal.
  - Define applications, for example Outlook Web App.
  - Connect to the AD server for user information.
- Select the policy type:
  - The default is to use the Legacy Policy, configured in the Mobile Access tab in SmartConsole.
  - To include Mobile Access in the Unified Access Control Policy, select this in Gateway Properties > Mobile Access.
- Add rules to the Policy:
  - For Legacy Policy: Add rules in SmartConsole. Select Security Policies > Shared Policies > Mobile Access > Open Mobile Access Policy in SmartConsole.
  - For Unified Access Control Policy: Add rules in SmartConsole > Security Policies > Access Control Policy.
- Configure the authentication settings in Gateway Properties > Mobile Access > Authentication.
- Install the Access Control Policy on the Security Gateway.
  Users can access mobile applications through the configured Mobile Access Portal with the defined authentication method.
- Optional: Give secure access to users through the Capsule Workspace app with certificate authentication.
  - In the Security Gateway object > Mobile Access > Authentication, click Settings, and select Require client certificate.
  - Use the Certificate Creation and Distribution Wizard (in the Security Policies view > Client Certificates > New).
  - Users download the Capsule Workspace app.
  - Users open the Capsule Workspace app and enter the Mobile Access Site Name and the necessary authentication, such as user name and password.
Sample Mobile Access Deployment
This is a sample deployment of a Mobile Access Security Gateway with an AD and Exchange server in the internal network.
Item | Description
---|---
1 | Mobile devices
2 | Mobile Access tunnels
3 | Internet (external networks)
4 | Mobile Access Security Gateway
5 | Internal network resources, AD and Exchange servers
In this sample Mobile Access deployment, a mobile device uses a Mobile Access tunnel to connect to the internal network. The Mobile Access Security Gateway decrypts the packets and authenticates the user. The connection is allowed and the mobile device connects to the internal network resources.
Using the Mobile Access Configuration Wizard
This procedure describes how to enable and configure the Mobile Access Software Blade on a Security Gateway with the Configuration wizard. For this sample configuration, the AD user group Mobile Access contains all the users that are allowed to connect to the internal network. The deployment is based on the Sample Mobile Access Deployment.
This configuration lets these clients connect to internal resources:
- Android and iOS mobile devices
- Windows and Mac computers
- Internet browsers, which can open an SSL Network Extender connection to the internal network
To configure Mobile Access:
- In SmartConsole, go to Gateways & Servers and double-click the Security Gateway object.
  The General Properties window opens.
- In the General Properties > Network Security section, select Mobile Access.
  The Mobile Access page of the Mobile Access Configuration Wizard opens.
- Configure the Security Gateway to allow connections from the Internet and mobile devices. Select these options:
  - Web
  - Mobile Devices - Select the required options.
  - Desktops/Laptops - Select the required options.
- Click Next.
  The Web Portal page opens.
- Enter the primary URL for the Mobile Access Portal.
  The default is:
  https://<IPv4 Address of Security Gateway>/sslvpn
- Click Next.
  The Applications page opens.
- Configure the applications to show:
  - In Web Applications, make sure Demo web application (World Clock) is selected.
  - In Mail/Calendar/Contacts, enter the domain for the Exchange server and select:
    - Mobile Mail (including push mail notifications)
    - ActiveSync Applications
    - Outlook Web App
  The Mobile Access Portal shows links to the Demo web and Outlook Web App applications. The client on the mobile device shows links to the other applications.
- Click Next.
  The Active Directory page opens.
- Select the AD domain and enter the user name and password.
- Click Connect.
  The Security Gateway makes sure that it can connect to the AD server.
- Click Next.
  The Users page opens.
  Click Add and then select the group Mobile Access.
- Click Next and then click Finish.
  The Mobile Access Configuration Wizard closes.
- Click OK.
  The Gateway Properties window closes.
Allowing Mobile Connections
The Mobile Access Configuration Wizard enables and configures the Mobile Access Software Blade. It is still necessary to add Firewall rules to allow connections from the VPN clients on the computers and devices. Create a Host Node object for the Exchange server; all of the other objects are predefined.
All connections from the RemoteAccess VPN community to the Exchange server are allowed. These are the only protocols that are allowed: HTTP, HTTPS, and MS Exchange. This rule is installed on the Security Gateways in the MobileAccessGW group.
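The same rule can be created without SmartConsole through the Check Point Management API. This is an added example, not Check Point's own code: it assumes a management server at the placeholder MGMT_SERVER, an Access Control layer named "Network", and predefined service objects named "http", "https" and "MS-Exchange" (check the exact object names in your environment).

```python
"""Create the Exchange host and the Mobile Access rule via the Management API."""
import json
import ssl
import urllib.request

MGMT_SERVER = "https://mgmt.example.internal"   # placeholder, not a real server


def exchange_host(ip_address: str) -> dict:
    """Host Node object for the Exchange server (the only object not predefined)."""
    return {"name": "Exchange-Server", "ip-address": ip_address}


def mobile_access_rule(layer: str = "Network") -> dict:
    """Rule body: RemoteAccess VPN community -> Exchange server, HTTP/HTTPS/MS Exchange
    only, logged, installed on the MobileAccessGW group. The community goes in the
    VPN column, so the source stays Any. Service names are assumed (see lead-in)."""
    return {
        "layer": layer,
        "position": "top",
        "name": "Mobile Access to Exchange",
        "source": "Any",
        "destination": "Exchange-Server",
        "vpn": "RemoteAccess",
        "service": ["http", "https", "MS-Exchange"],
        "action": "Accept",
        "track": {"type": "Log"},
        "install-on": "MobileAccessGW",
    }


def call(command: str, payload: dict, sid: str = "") -> dict:
    """POST one Management API command; sid is the session id returned by login."""
    req = urllib.request.Request(f"{MGMT_SERVER}/web_api/{command}",
                                 data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    if sid:
        req.add_header("X-chkp-sid", sid)
    ctx = ssl.create_default_context()   # trust only the management server's CA
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def deploy(user: str, password: str, exchange_ip: str) -> None:
    """Login, add objects, publish the session, and always log out."""
    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        call("add-host", exchange_host(exchange_ip), sid)
        call("add-access-rule", mobile_access_rule(), sid)
        call("publish", {}, sid)   # changes are visible to others only after publish
    finally:
        call("logout", {}, sid)
```

Publishing saves the rule in the database; it is enforced only after the Access Control Policy is installed on the MobileAccessGW gateways.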
Defining Access to Applications
Use the Security Policies page in SmartConsole to define rules that let users access Mobile Access applications. The applications that are selected in the Configuration Wizard are automatically added to this page. You can also create and edit the rules that include these SmartConsole objects:
- Users and user groups
- Mobile Access applications
- Mobile Access Security Gateways
Activating Single Sign-On
Enable the SSO (Single Sign-On) feature to let users authenticate one time for applications that they use during Mobile Access sessions. The credentials that users enter to log in to the Mobile Access Portal can be re-used automatically to authenticate to different Mobile Access applications. SSO user credentials are securely stored on the Mobile Access Security Gateway for that session and are used again if users log in from different remote devices. After the session is completed, the credentials are stored in a database file.
By default, SSO is enabled on new Mobile Access applications that use HTTP. Most Web applications authenticate users with specified Web forms. You can configure SSO for an application to use the authentication credentials from the Mobile Access Portal. It is not necessary for users to log in again to each application.
- In SmartConsole, go to Security Policies > Shared Policies > Mobile Access.
- Click Open Mobile Access Policy in SmartDashboard.
- In the Mobile Access tab, select Additional Settings > Single Sign-On.
  The Single Sign-On page opens.
- Select an application and click Edit.
  The application properties window opens and shows the Single Sign On page.
- In the Application Single Sign-On Method section, select Advanced and click Edit.
  The Advanced window opens.
- Select This application reuses the portal credentials. Users are not prompted.
- Click OK.
- Select This application uses a Web form to accept credentials from users.
- Click OK.
- Install the policy.