File Shares
A file share is a collection of files, made available across the network by means of a protocol that enables actions on files, including opening, reading, writing, and deleting files across the network.
Configuring File Shares
To create a new File Share Application:
- In SmartConsole, click Objects > Object Explorer (Ctrl+E).
- Click New Custom Application/Site > Mobile Application > File Share.
  The File Share Application window opens.
File Share Application - General Properties Page
Go to the General Properties page of the File Share Application object. Name is the name of the SmartDashboard object.
File Share Application - Authorized Locations Page
- Go to the Authorized Locations page of the File Share Application object.
  This page lets you configure the file shares that users are authorized to access. These settings take effect whenever a user attempts access, no matter what interface is used, whether by manually typing a path in the portal, browsing using the file viewer, clicking a user-defined file favorite, or clicking the predefined file favorite path defined by the administrator in the Link in Portal page.
- Fill in the fields on the page:
  - Servers are the machine(s) or DNS Name(s) on which the file server is hosted. Choose either a single Host or DNS name, or Multiple hosts.
  - Allow access to any file share gives the users access to all locations on the file server defined in Servers.
  - Allow access to specific file shares restricts user access to specific shares. For example, My_Share. Use only the name of a share, such as My_share, $$user, or My_share$, without any slashes. Do not specify a sub-directory inside a share. The $$user variable represents the name of the currently logged-in user. This variable provides personalized authorization for users. If $$user is defined as a file share, then if the user currently logged in is alice, she will be allowed access to the share called alice that was defined on the server, such as \\myserver\alice.
  If you configure two or more overlapping file share applications (for example, one for Any Share and one for a specific share on the same host), the application settings that are in effect are undefined.
File Share Application - Link in Portal Page
This page allows you to configure one predefined favorite link. This link is displayed in the Mobile Access Portal. By clicking the link, the user is able to directly access the specified path. Note that you must authorize access to this location in the Authorized Locations page.
- Go to the Link in Portal page of the File Share Application object.
- Fill in the fields on the page:
  - Add a link to this file share in the Mobile Access Portal - If you do not enter a link, users will be able to access the application by manually typing its link in the portal, but will not have a pre-configured link to access it.
  - Link text (multi-language) - Shows in the Mobile Access Portal. It can include $$user, which represents the user name of the currently logged-in user. If more than one link is configured with the same (case insensitive) name, only one of them will be shown in the portal.
  - Path - The full file path that the link will attempt to access, specified using UNC syntax. It can be either a location of a share, or any path under the share. Can include $$user, which represents the user name of the currently logged-in user. For example, a path that is defined as \\host\Pub\users\$$user appears for user alice as \\host\Pub\users\alice and for user Bob as \\host\Pub\users\Bob.
    Note - The host defined here is the same host that is defined in the Authorized Locations page. The IP address of the host is resolved by the DNS Server that is defined on Mobile Access (not by the Mobile Access management).
  - Tooltip (multi-language) - Gives additional information. It can include $$user, which represents the user name of the currently logged-in user. The text appears automatically when the user holds the cursor over the link. It disappears when the user clicks a mouse button or moves the cursor away from the link.
File Share Application - Single Sign-On Page
To configure Single Sign On:
- Go to the Single Sign On page of the File Share Application object.
- Select Turn on single Sign On for this application.
- Configure the sign on method for the application. The default option is:
  Prompt the users for their credentials and store them for future use
File Share Application - Protection Level Page
- Go to the Protection Level page of the File Share Application object.
- Fill in the fields on the page:
  Security Requirements for Accessing this Application allows you to:
  - Allow access to this application to any endpoint machine that complies with the security requirements of the Security Gateway
  - Make access to the application conditional on the endpoint being compliant with the selected Endpoint Compliance Profile
Completing the Configuration of the File Share Application
- Open SmartConsole.
- From the left navigation panel, click Security Policies.
- In the Shared Policies section, click Mobile Access > Policy.
  The Mobile Access Policy screen opens.
- Make rules to associate:
  - User groups.
  - Applications that the users in those user groups are allowed to access.
  - Install On are the Mobile Access Security Gateways and Clusters that users in those user groups are allowed to connect to.
- Click Save and then close SmartDashboard.
- In SmartConsole, install the policy.
Using the $$user Variable in File Shares
You can configure personalized user locations that use the login name of the currently logged-in user. To do this, use the $$user variable in Mobile Access Applications wherever you need to specify the name of the user. The $$user variable is resolved during the Mobile Access session to the login name of the currently logged-in user.
For example, a UNC file path that is defined as \\host\Pub\$$user is resolved for user Alice as \\host\Pub\Alice and for user Bob as \\host\Pub\Bob.
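The share-name, overlap and $$user rules from the Authorized Locations and Link in Portal pages can be checked before policy install. The following Python lint is an added example, not Check Point code: the dictionary layout, field names and host names are constructed, and it models the documented rules rather than the gateway's own matching.

```python
import re
from itertools import combinations

BARE_SHARE = re.compile(r"^[^\\/]+$")            # share name only, no slashes
UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)(?:\\(.*))?$")

# Constructed sample objects; "shares": None models "Allow access to any file share".
APPS = [
    {"name": "HomeDirs", "servers": ["fs1.example.com"], "shares": ["$$user", "Pub"],
     "link": r"\\fs1.example.com\Pub\users\$$user"},
    {"name": "AllOfFs1", "servers": ["fs1.example.com"], "shares": None,
     "link": r"\\fs1.example.com\Pub"},
    {"name": "Finance", "servers": ["fs2.example.com"], "shares": [r"Finance\Reports"],
     "link": r"\\fs2.example.com\Finance\Reports"},
]

def expand_user(text, user):
    """Replace $$user with the login name of the current user."""
    return text.replace("$$user", user)

def overlaps(a, b):
    """Two applications overlap if they share a host and a share (or one is 'any')."""
    if not {h.lower() for h in a["servers"]} & {h.lower() for h in b["servers"]}:
        return False
    if a["shares"] is None or b["shares"] is None:
        return True
    return bool({s.lower() for s in a["shares"]} & {s.lower() for s in b["shares"]})

def lint(apps):
    """Return (subject, message) findings for the rules stated on this page."""
    findings = []
    for app in apps:
        for share in app["shares"] or []:
            if not BARE_SHARE.match(share):
                findings.append((app["name"], f"{share!r} is not a bare share name"))
    for a, b in combinations(apps, 2):
        if overlaps(a, b):
            findings.append((f"{a['name']}+{b['name']}", "overlap: effective settings undefined"))
    return findings

def link_authorized(app, user):
    """True if the portal link, after $$user expansion, is inside an authorized location."""
    m = UNC.match(expand_user(app["link"], user))
    if not m or m.group(1).lower() not in {h.lower() for h in app["servers"]}:
        return False
    if app["shares"] is None:
        return True
    # Assumption: share names compare case-insensitively, as on Windows file servers.
    return m.group(2).lower() in {expand_user(s, user).lower() for s in app["shares"]}
```

On the sample data, lint(APPS) reports the Finance entry that names a sub-directory instead of a share and the HomeDirs/AllOfFs1 pair that overlap on the same host.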