Link Translation

Background

Link Translation is the process by which Mobile Access converts internal URLs to public URLs that are valid on the Internet. In this way, internal resources become accessible through any Internet browser.

Mobile Access converts HTTP requests into secure HTTPS requests and changes the port to 443. To accomplish this, Mobile Access translates the source URL into an HTTPS URL that routes traffic to its destination through the Mobile Access Security Gateway. The translated URL is returned to the browser and is shown to users.

Mobile Access supports different methods of Link Translation:

  • Path Translation (PT) - The default method that works with most web applications.

  • URL Translation (UT) - The original link translation method, maintained for backward compatibility.

  • Hostname Translation (HT) - This method is faster and supports a wider range of Web applications than PT. It requires additional configuration and a certificate.

  • Client-side Link Translation - Works on the end user's browser through the Mobile Access browser plugin, or on a wrapped mobile application. It translates each request sent through Mobile Access on the client side.

How Translated URLs Appear in a Browser

A translated URL appears differently in the user's browser, depending on the Link Translation method in use.

Method       Translated form of http://www.example.com/path

UT           https://ssl.example.com/Web/path,CVPNHost=www.example.com,CVPNProtocol=http

HT           https://c-ds1q-itfgppae7oq.ssl.example.com/path
             Note that the seemingly random character string, c-ds1q-itfgppae7oq, represents the destination URL.

PT           https://ssl.example.com/PT/http://www.example.com/path

Client-side  https://ssl.example.com/PT/http://www.example.com/path
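The following is an added worked example, not Check Point code, that builds the three URL forms from the table above out of an internal URL and the portal FQDN. The UT and PT forms follow the table exactly. The HT obscured host name is an assumption: this page does not document the gateway's encoding, so a reversible base32 stand-in is used only to produce a valid DNS label and to show the 63-character-per-label limit (RFC 1034) that the Link Translation Issues section mentions for Hostname Translation. The portal name ssl.example.com and the long internal host name are constructed sample values.

```python
# Added example (not Check Point code): the three URL forms from the table
# above, built from an internal URL and the portal FQDN. UT and PT follow the
# table exactly. The HT "obscured host name" is an ASSUMPTION: the page does
# not document Check Point's encoding, so a reversible base32 stand-in is used
# only to produce a valid DNS label and show the 63-character limit (RFC 1034).
import base64
from urllib.parse import urlsplit

MAX_DNS_LABEL = 63  # RFC 1034: limit for each dot-separated part of a host name


def _path_and_query(u) -> str:
    """Path (and query, if any) of a split URL, defaulting to '/'."""
    path = u.path or "/"
    return path + ("?" + u.query if u.query else "")


def url_translation(internal_url: str, portal_fqdn: str) -> str:
    """UT: https://<portal>/Web<path>,CVPNHost=<host>,CVPNProtocol=<scheme>"""
    u = urlsplit(internal_url)
    return (f"https://{portal_fqdn}/Web{_path_and_query(u)}"
            f",CVPNHost={u.hostname},CVPNProtocol={u.scheme}")


def path_translation(internal_url: str, portal_fqdn: str) -> str:
    """PT (also what Client-side Link Translation shows): https://<portal>/PT/<original URL>"""
    return f"https://{portal_fqdn}/PT/{internal_url}"


def obscured_label(internal_url: str) -> str:
    """Stand-in for the HT obscured host name (assumption, see header comment).
    Protocol, host and port are all encoded, so all of them count against the limit."""
    u = urlsplit(internal_url)
    origin = f"{u.scheme}://{u.netloc}"
    b32 = base64.b32encode(origin.encode()).decode().rstrip("=").lower()
    return "c-" + b32


def decode_label(label: str) -> str:
    """Reverse of obscured_label (what the gateway has to do on the way back)."""
    b32 = label[2:].upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding
    return base64.b32decode(b32).decode()


def hostname_translation(internal_url: str, portal_fqdn: str) -> str:
    """HT: https://<obscured host>.<portal>/path; raises if any label exceeds 63 chars."""
    host = f"{obscured_label(internal_url)}.{portal_fqdn}"
    for part in host.split("."):
        if len(part) > MAX_DNS_LABEL:
            raise ValueError(f"label {part!r} is {len(part)} chars; RFC 1034 allows {MAX_DNS_LABEL}")
    return f"https://{host}{_path_and_query(urlsplit(internal_url))}"


def fits_hostname_translation(internal_url: str, portal_fqdn: str) -> bool:
    """True when the internal origin (protocol, host and port) fits HT's label limit."""
    try:
        hostname_translation(internal_url, portal_fqdn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for fn in (url_translation, path_translation, hostname_translation):
        print(fn("http://www.example.com/path", "ssl.example.com"))
    # Constructed long internal host name: its encoded label does not fit in 63 characters.
    long_host = "https://some.very.long.internal.hostname.corp.example.com:8443/owa"
    print("long host fits HT:", fits_hostname_translation(long_host, "ssl.example.com"))
```

Because HT packs the whole internal origin into one DNS label, an internal server with a long host name and a non-default port can exceed the limit even though it works fine with PT or UT; fits_hostname_translation is the kind of check to run over an application list before choosing HT as the default method.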

SmartDashboard Configuration of Link Translation

You can configure Link Translation to meet the requirements of the application (a web application or a Citrix service) or of the Security Gateway through which the applications are accessed. For example, you can configure one Mobile Access application to work with URL Translation, while all other applications supplied by the Security Gateway use Path Translation.

  • You can set the default Link Translation method for all applications of a Security Gateway - Only applications that have a different method configured explicitly do not use the default method.

  • You can set the Link Translation method for a single application - This Web application uses the selected method, even if another method is the default on the Security Gateway.

  • You can configure which domains are translated.

Configuring Path Translation (PT)

Path Translation (PT) is selected by default for newly installed Security Gateways.

To configure PT as default method for Security Gateways:

  1. In SmartConsole, right-click the Security Gateway and select Edit.

    The Security Gateway properties window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Link Translation.

  3. Under Supported Translation Methods, make sure that Path Translation (always supported) is selected.

  4. Under Default Translation Method, select Path Translation.

  5. Click OK.

To configure PT as default method for an application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Search for the Mobile Access application.

  3. Double-click the application.

    The Web Application window opens.

  4. Click Additional Settings > Link Translation.

    The Link Translation page of the Mobile Access application opens.

  5. Select Use the following method > Path Translation.

  6. Click OK and close the Web Application window.

  7. Install the policy.

Configuring URL Translation (UT)

URL Translation is supported by all versions of Security Gateways.

To configure UT as default method for Security Gateways:

  1. In SmartConsole, right-click the Security Gateway and select Edit.

    The Security Gateway properties window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Link Translation.

  3. Under Supported Translation Methods, make sure that URL Translation (always supported) is selected.

  4. Under Default Translation Method, select URL Translation.

  5. Click OK.

To configure UT as default method for an application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Search for the Mobile Access application.

  3. Double-click the application.

    The Web Application window opens.

  4. Click Additional Settings > Link Translation.

    The Link Translation page of the Mobile Access application opens.

  5. Click URL Translation.

  6. Click OK.

  7. Install the policy.

Using Hostname Translation

Hostname Translation enhances security by replacing the destination host name with a seemingly random character string in the URL, as it appears in the client browser.

You must configure the DNS server to resolve wildcard hostnames, to enable HT.

Important - If the DNS server is not configured to resolve wildcard Mobile Access host names, users will be unable to connect to Mobile Access, because the portal changes to a sub-domain: portal.ssl.example.com.

If you use Hostname Translation as your method for link translation, users must enter an FQDN as the portal URL and not an IP address.

Configuring Hostname Translation (HT)

To configure the DNS server for HT:

  1. Add a wildcard record (*.domain) to the DNS server, so that all Mobile Access sub-domains resolve to the Mobile Access IP address.

    For example, assume ssl.example.com is the Security Gateway. Configure the DNS to resolve *.ssl.example.com to the Security Gateway IP address. This wildcard includes all sub-domains of the parent domain, such as a.ssl.example.com and b.ssl.example.com.

  2. Define the parent domain (ssl.example.com) as a separate DNS record that resolves to the Mobile Access IP address.

    This lets users access the Mobile Access Portal directly, with its FQDN.

  3. Configure the server certificate (see Server Certificates).

To configure HT as default method for Security Gateways:

  1. In SmartConsole, right-click the Security Gateway and select Edit.

    The Security Gateway properties window opens and shows the General Properties page.

  2. From the navigation tree, click Mobile Access > Portal Settings.

    If this message appears, clear Hostname Translation, for now:

    Hostname Translation requires Portal URL to be defined in the following format: 'https://hostname/'

  3. In Main URL, enter the portal URL of the Mobile Access Security Gateway.

  4. From the navigation tree, click Link Translation.

  5. Under Supported Translation Methods, click Hostname Translation.

  6. Under Default Translation Method, select Hostname Translation.

  7. Click OK.

  8. Install the policy.

To configure HT as default method for an application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Search for the Mobile Access application.

  3. Double-click the application.

    The Web Application window opens.

  4. Click Additional Settings > Link Translation.

    The Link Translation page of the Mobile Access application opens.

  5. Select Use the following method > Hostname Translation.

  6. Click Advanced Hostname Translation Settings.

  7. Select the HTTP Cookies Handling mode:

    • On the gateway - Default. All HTTP cookies that are sent to clients by internal Web servers are stored on Mobile Access, and are not passed on to the client's browser.

    • On the endpoint machine - If the default setting causes the JavaScript (from the internal servers that run on the client browser) that handles HTTP cookies to fail, select this option. Mobile Access passes HTTP cookies to the browser.

  8. Click OK and close the Web Application window.

  9. Install the policy.

Hostname Translation Limitations

Mobile Access Portal provides optimal support for Outlook Web Access 2013 / 2016 with the Hostname Translation (HT) method, and only when HTTP Cookies Handling is set to On the endpoint machine. The Path Translation (PT) method is partially supported, while the URL Translation (UT) method is not supported.

Link Translation Domains

A Link Translation domain for Web applications:

  • Improves connectivity to external sites. For example, links to external sites displayed in emails are not broken, because they are not translated by Mobile Access.

  • Reduces the load on the Mobile Access machine, thereby increasing performance.

  • Saves the administrator the trouble of defining all external content as Web applications.

Configuring Link Translation Domains in Legacy SmartDashboard

Configure which domains use link translation in Legacy SmartDashboard > Mobile Access tab > Additional Settings > Link Translation > Link Translation Domains.

To manually configure domains to translate:

  1. In the Mobile Access tab > Additional Settings > Link Translation > Link Translation Domains area, select Manually configure domains to translate.

  2. Click Add Domain to add a whole domain or host (URL) to be translated.

  3. Click Add Exception to configure a part of a domain or host within a domain that will not be translated.

  4. Install the policy.

Link Translation Domains

The options are:

  • Translate all domains - This is the default behavior. Link translation is active for all traffic.

  • Manually configure domains to translate - Add internal domains to the list. Only domains on the list are translated. You can also add exceptions from within a domain. We recommend that you use this setting to improve performance. To keep communication secure, make sure all internal domains are on the list.

  • Do not translate any domain - This is relevant for companies that do not have internal domains.
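The following is an added example, not Check Point code, that shows the decision behind the three Link Translation Domains settings above, applied to a constructed list of links (one internal domain, one exception inside it, and one external site). Two details are assumptions: a domain entry matches the host itself and all of its sub-domains, and an exception always takes precedence over the domain that contains it. The portal name ssl.example.com and all host names are constructed sample values.

```python
# Added example (not Check Point code): the decision behind the three
# Link Translation Domains settings, applied to a constructed set of links.
# Assumptions: a domain entry matches the host and all of its sub-domains, and
# an exception always wins over the domain that contains it.
from urllib.parse import urlsplit

TRANSLATE_ALL = "translate all domains"
MANUAL = "manually configure domains to translate"
NO_DOMAINS = "do not translate any domain"


def _in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a sub-domain of it.
    The leading dot in the endswith check matters: 'notcorp.example.com'
    must not match a 'corp.example.com' entry."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def should_translate(url: str, mode: str, domains=(), exceptions=()) -> bool:
    """Return True if Mobile Access should rewrite this absolute link."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"absolute URL expected: {url!r}")
    if mode == NO_DOMAINS:
        return False
    if mode == TRANSLATE_ALL:
        return True
    if mode == MANUAL:
        if any(_in_domain(host, e) for e in exceptions):
            return False  # exception inside a listed domain: left untouched
        return any(_in_domain(host, d) for d in domains)
    raise ValueError(f"unknown mode: {mode!r}")


def rewrite_links(links, mode, portal_fqdn, domains=(), exceptions=()):
    """Rewrite the links that need translation (PT form) and leave the rest as-is,
    which is why external links in e-mail stay intact under the manual setting."""
    return [
        f"https://{portal_fqdn}/PT/{u}" if should_translate(u, mode, domains, exceptions) else u
        for u in links
    ]


# Constructed sample: one internal domain with one public exception, plus an external link.
DOMAINS = ["corp.example.com"]
EXCEPTIONS = ["public.corp.example.com"]
LINKS = [
    "http://intranet.corp.example.com/home",
    "http://public.corp.example.com/news",
    "https://www.partner-site.example/page",
]

if __name__ == "__main__":
    for mode in (TRANSLATE_ALL, MANUAL, NO_DOMAINS):
        print(mode)
        for link in rewrite_links(LINKS, mode, "ssl.example.com", DOMAINS, EXCEPTIONS):
            print("   ", link)
```

The suffix match is the part worth getting right: a plain endswith("corp.example.com") would also send notcorp.example.com through the gateway, so the comparison is anchored on the dot. Conversely, any internal host missing from the list is passed to the browser unrewritten, which is why the text above says to keep every internal domain on the list.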

Link Translation with Wrapped Applications

With Client-Side Link Translation with wrapped applications, Check Point Mobile App clients are responsible for link translation for specified, wrapped applications. These applications are wrapped in a security container that gives them secure access to network resources and prevents data leakage.

Wrapped applications are only available with mobile devices and do not show in the Mobile Access Portal.

To use Client-Side Link Translation with wrapped applications, see the App Wrapping Guide.

Link Translation Issues

These Link Translation configuration tips apply to Web applications.

  • For Web sites that use ActiveX and streaming media, configure Mobile Access Web applications to Allow caching of all content. This is configured in the Protection Level page of the Web application.

  • Domain cookies created in JavaScript are not supported. For example, if you create a cookie with this JavaScript code:

    document.cookie = "Name=Value; domain=.example.com";

    The client browser cannot send the cookie to Mobile Access and the Web server if Mobile Access is not located under the domain .example.com.

    Note that domain cookies created in HTTP headers are supported, if they are not manipulated by JavaScript code.

  • With Hostname Translation, the URL shown in the client browser is:

    https://<Obscured Destination Host Name>.<Mobile Access FQDN>/path

    The maximum number of characters in each part of the host name (between https:// and the /path) is limited to 63 (see RFC 1034). Therefore, the entire internal host name, including the protocol and the port, Mobile Access Applications.

  • Hostnames displayed in client browsers appear as a seemingly random character string, instead of the complete destination path.

  • If you sign out from Outlook Web Access, Domino Web Access (iNotes), or Microsoft SharePoint, the Mobile Access session can become disconnected.