Secure Workspace
Important - Starting 01 February 2024, Check Point is announcing the Feature Deprecation and End-of-Support dates for the Secure Workspace feature within the Mobile Access
Secure Workspace is a security solution that allows remote users to connect to enterprise network resources safely and securely. The Secure Workspace virtual workspace provides a secure environment on endpoint computers that is segregated from the "real" workspace.
No data is allowed to leave this secure environment except through the Mobile Access Portal. Secure Workspace users cannot access any applications, files, system tools, or other resources from the virtual workspace unless they are explicitly permitted by the Secure Workspace policy.
Administrators can easily configure Secure Workspace policy to allow or prevent activity according to enterprise requirements.
Secure Workspace creates an encrypted folder called My Secured Documents on the virtual desktop that contains temporary user files. It deletes this folder and all other session data when the session terminates.
After Secure Workspace is enabled, configure the Security Gateway either to require all users to connect to the Mobile Access Portal through Secure Workspace, or to give users the option of connecting through Secure Workspace or directly from their endpoint computers.
Prerequisites for Secure Workspace
The Check Point Portal Agent (an ActiveX component) and SSL Network Extender must be installed on the endpoint computer.
Enabling Secure Workspace
To enable Secure Workspace for a Mobile Access Security Gateway:
- In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
- From the navigation tree, click Endpoint Security on Demand > Secure Workspace.
- To configure the Secure Workspace policy, click Edit policy.
For details, see the "Configuring the Secure Workspace Policy" section.
- Click Save and then close SmartDashboard.
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The Security Gateway window opens and shows the General Properties page.
- From the navigation tree, click Mobile Access > Check Point Secure Workspace.
- To enable Secure Workspace on the Security Gateway, select This gateway supports access to applications from within the Secure Workspace.
- Select the option that defines the behavior of Secure Workspace when a user logs in to the Mobile Access Portal:
- Allow user to choose whether to use Check Point Secure Workspace
- Users must use Check Point Secure Workspace
- User must use Check Point Secure Workspace only if the following Endpoint Compliance policy is not satisfied - This option lets you set a rule that if the client connecting to the Security Gateway does not satisfy a certain Endpoint Compliance policy, the client must use Secure Workspace. If the Endpoint Compliance policy is satisfied, using Secure Workspace is optional. If you select this option, also select the Endpoint Compliance Policy that is enforced on the Security Gateway; a client that does not satisfy the criteria of the selected policy must use Secure Workspace.
- Click OK.
- In SmartConsole, install policy.
Configuring Advanced Secure Workspace Settings
In the Endpoint Security on Demand > Secure Workspace page, in the Advanced Secure Workspace Settings section, click Edit. The Advanced Secure Workspace Settings window opens.
In this window you can decide whether or not to allow access to the Security Gateway and applications if Secure Workspace is not supported on the endpoint operating system.
To configure advanced operating system-specific settings, see sk34989.
Configuring Platform-Based Bypass Per OS in Secure Workspace
To let some endpoint operating systems bypass the Secure Workspace requirements, you must select the Allow access option in the Advanced Secure Workspace Settings window.
To configure different rules on endpoints with different operating systems, see sk34989.
Platform-Based Bypass Per Protection Level in Secure Workspace
Configuring Secure Workspace Settings per Protection Level allows you to configure "Platform-Based Bypass" per application.
By default all Advanced Secure Workspace Settings are taken from the SmartDashboard configuration, in the Advanced Secure Workspace Settings page.
Enabling Platform Based Bypass per Protection Level
To configure different access permissions for various Protection Levels for Secure Workspace, from the CLI run:
To return to the default setting, change true to false in the above command.
Configuring the Protection Levels that are Bypassed
In the Mobile Access tab of SmartDashboard, under Additional Settings > Protection Levels, is a list of Protection Levels. From this page you can edit the Authentication and Endpoint Security settings that are required for applications assigned to each Protection Level. You can also create new Protection Levels. If you select Applications using this protection level can only be accessed from within Check Point Secure Workspace, all applications assigned to that Protection Level can be accessed only from within Secure Workspace.
However, if you want to allow access to an application only from Secure Workspace, but you also need to accommodate users connecting from an endpoint that does not support Secure Workspace (such as an iPhone), then:
- Create or use a Protection Level named ESOD_Relaxed_PL which enforces Endpoint Compliance Policy policy1.
- Assign the Protection Level to the application.
- Configure the Protection Level as "Bypassed".
To mark a Protection Level as bypassed for Secure Workspace, on the Mobile Access Security Gateway CLI, in Expert mode, run:
cvpnd_settings listAdd ISWRelaxedModeProtectionLevelNames ESOD_Relaxed_PL
You can add other Protection Levels as well.
Restoring a Protection Level from being Bypassed for Secure Workspace
- Run:
cvpnd_settings listRemove ISWRelaxedModeProtectionLevelNames
- Follow the on-screen instructions.
Finalize the Configuration for Secure Workspace
- Restart the Mobile Access services by running cvpnrestart. If the Mobile Access Security Gateway is part of a cluster, make the same change on each cluster member.
- In SmartDashboard, assign the Protection Levels to the applications.
- Install the policy.
Applications Permitted by Secure Workspace
In its default configuration, Secure Workspace allows access to a limited group of applications. This is usually sufficient for most end-users working with the Mobile Access Portal and retrieving information from network hosts.
See sk114454 for the list of supported applications.
SSL Network Extender in Secure Workspace
When using SSL Network Extender inside Secure Workspace, Secure Workspace traffic and traffic from outside the Secure Workspace are encrypted.
Secure Workspace Policy Overview
Secure Workspace controls access to applications and directories on endpoint computers based on the Secure Workspace policy.
By default, one Secure Workspace policy applies to all Mobile Access Security Gateways (to configure a policy per Security Gateway, see sk34939). The policy:
- Grants or denies permission for users to run applications.
- Allows applications to save files to specific directories.
- Defines general portal protection security settings and user experience behavior.
You can add to the list of Approved Applications, and can add, edit, or delete applications from the list.
You can define locations where the application is allowed to save files that remain after Secure Workspace shuts down. These locations are called Allowed Save locations. There is no need to define locations for files that are not needed after Secure Workspace shuts down. Temporary files are deleted when the Secure Workspace is closed.
Secure Workspace includes a built-in Firewall that lets you define Outbound Firewall Rules. These are the IP addresses and ports that approved applications are allowed to access. By default, desktop applications are allowed to access all addresses and ports.
Note that settings for the approved applications, save locations, and Outbound Firewall Rules are independent. For example, the save locations are not restricted to a particular application, and similarly, Outbound Firewall Rules apply to all applications.
Configuring the Secure Workspace Policy
The Secure Workspace policy determines the permitted activities and behavior that end users will experience when working in Secure Workspace.
To configure the Secure Workspace Policy:
- In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
- From the navigation tree, click Endpoint Security on Demand > Secure Workspace.
- To configure the Secure Workspace policy, click Edit policy.
The Secure Workspace Settings window opens.
- Fill in the fields in the tabs described in the next sections.
General Settings
Self Protection
- Enable Secure Workspace Self Protection - Best Practice is to select this to add driver-level protection for Secure Workspace and prevent attempts to tamper with the environment. This requires administrative privileges, and the User Account Control (UAC) prompt might show during Secure Workspace startup.
- Prevent Secure Workspace startup if the Self Protection driver fails to install - When selected, Secure Workspace can start only if the Self Protection driver is successfully installed. If this option is cleared and the driver fails to install, Secure Workspace still starts, but without the driver-level protection.
SSL Network Extender
- Allow SSL Network Extender connections only from within Secure Workspace - Select this option so that corporate resources can be reached only from within Secure Workspace. Use it if your organizational security policy requires access to corporate resources from within a clean, segregated environment with a strict set of allowed applications.
Data Protection
- Prevent the host PC from printing secure documents - Users cannot print documents from Secure Workspace.
- Prevent copying clipboard content to the host PC - Users cannot copy content from inside Secure Workspace to paste or save it outside of Secure Workspace.
Application Control Settings
- Enable Reputation Services to validate the integrity of allowed applications in the Applications Table - When a user starts an application that is not an Approved Application, Secure Workspace contacts Check Point Reputation Services to ask whether the application is legitimate. Reputation Services returns one of three responses: the application is trusted, untrusted, or unknown. Configure how the Secure Workspace policy handles these responses:
- Allow Trusted only
- Allow Trusted and Unknown
Application Table
Approved applications show on the Secure Workspace desktop and are allowed to run on endpoint computers. You can add, edit, or remove applications from the list.
Configuring Applications in the Application Table
- To add an application: Click Add Application.
- To remove an application: Click Remove.
- To edit the information for an application: Click the application Display Name in the table.
When you add a new application or edit an application, you can include this information:
- Display Name (required) - The name of the approved application as it shows on the desktop.
- Executable File (required) - The path and file name of the application. Enter the path in one of these formats:
- Absolute path, in this format: <disk>:\<folder_path>\<binary_name>. Secure Workspace allows the endpoint to run the binary from the specified location only. Use the full path if the location of the program is not in the PATH.
- File name only, for example: \<binary_name>. Secure Workspace allows the endpoint to run a binary with this name from any location on the disk. Use this if the location is in the PATH. Because only the name is matched, combine this format with a File hash or an Executable Vendor Name so that a different binary with the same name is not approved.
- Path with an environment variable, for example: <path_with_env_variable>\<binary_name>. Secure Workspace resolves the environment variable on the endpoint and uses its value as part of the path to the executable.
- Executable Original File Name (optional) - Enter this if you also select an Executable Vendor Name, so that Secure Workspace can verify that the signed application meets the requirement. The original file name is the OriginalFilename value in the executable's version information (Properties > Details in Windows Explorer).
- Executable Vendor Name (optional) - When a vendor is selected, Secure Workspace checks the application's certificate to make sure that it is signed by this vendor. The same application signed by a different vendor is blocked.
- File hash (optional) - Enter the MD5 or SHA256 hash of the application. You can add multiple hashes, for example, one for each version of the application. Select the hash type that you use: MD5 or SHA256. Prefer SHA256: MD5 collisions are practical, so two different binaries can share one MD5 value.
- Comment (optional) - Add a comment that describes the application.
- Add shortcut to Start Menu (optional) - Select to add a shortcut to the application to the Start Menu in Secure Workspace. The shortcut is only added if the application exists on the client computer. You can also enter a command line argument for the shortcut.
- Add shortcut to Desktop (optional) - Select to add a shortcut to the application to the Desktop in Secure Workspace. The shortcut is only added if the application exists on the client computer. You can also enter a command line argument for the shortcut.
Vendor Control Settings
You can configure which vendors' applications users can access from Secure Workspace. If a vendor is trusted, all applications signed by this vendor are trusted. See sk114526 for the vendors trusted by default. You cannot add a vendor to the list.
- To block a vendor: Clear the checkbox for the vendor.
- To allow a vendor: Select the checkbox for the vendor.
Allowed Save Locations
Allowed Save locations are locations where applications are allowed to save files that remain after Secure Workspace shuts down. There is no need to define locations for temporary files that can be deleted after Secure Workspace shuts down.
To add an allowed save location:
- In the Allowed Save locations tab, click Add Location.
- In the window that opens, enter:
- Name - A descriptive name for the location.
- Path - The complete path to the location.
- Description (optional) - A longer description.
- Click Save Location.
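The Path value above is a complete path, and a file may persist on the host only when it lands under one of the configured locations. The following is an added example, not Check Point's code and not a description of the client's implementation: it models that containment check with Python's ntpath so that sibling folders with a common prefix and ".." traversal are not accepted. The sample locations and target paths are constructed for the example.

```python
"""Added example, not Check Point code: a model of the Allowed Save Locations check.

Secure Workspace lets a file persist on the host only when its destination lies under
a configured Allowed Save location. The shape of that check is not published, so this
models it with Python's ntpath (Windows path rules, runnable on any OS). The sample
locations and target paths are constructed for the example.
"""
import ntpath
from typing import Iterable

# Constructed sample policy: the "Path" values an administrator would enter in the
# Allowed Save locations tab (absolute Windows paths).
ALLOWED_SAVE_LOCATIONS = [
    r"C:\Users\alice\Documents\SecureDrop",
    r"D:\Transfer",
]


def _canonical(path: str) -> str:
    """Normalize a Windows path for comparison: collapse '.' and '..' segments,
    unify separators, and fold case (NTFS is case-insensitive)."""
    return ntpath.normpath(path).lower()


def save_allowed(target: str, allowed: Iterable[str] = ALLOWED_SAVE_LOCATIONS) -> bool:
    """True when `target` resolves to a file inside one of the allowed locations.

    Compared by path components, not by string prefix, so:
      - '...\\SecureDrop2\\x' does not pass for the location '...\\SecureDrop'
      - '..' segments are resolved before the check, so traversal out of the
        location is caught
      - a different drive, or a relative path, never matches (ntpath.commonpath
        raises ValueError for those)
    """
    t = _canonical(target)
    for loc in allowed:
        base = _canonical(loc)
        try:
            if ntpath.commonpath([base, t]) == base:
                return True
        except ValueError:
            # Different drive letter or mixed absolute/relative paths: no match.
            continue
    return False


def naive_prefix_allowed(target: str, allowed: Iterable[str] = ALLOWED_SAVE_LOCATIONS) -> bool:
    """The string-prefix check a hurried implementation might use; included only to
    contrast with save_allowed() (it accepts sibling folders and '..' traversal)."""
    t = target.lower()
    return any(t.startswith(loc.lower()) for loc in allowed)


if __name__ == "__main__":
    for p in [r"C:\Users\alice\Documents\SecureDrop\report.docx",
              r"C:\Users\alice\Documents\SecureDrop2\report.docx",
              r"C:\Users\alice\Documents\SecureDrop\..\report.docx",
              r"D:\Transfer\sub\notes.txt",
              r"E:\Transfer\notes.txt"]:
        print(f"{save_allowed(p)!s:5}  (naive prefix: {naive_prefix_allowed(p)!s:5})  {p}")
```

A string-prefix comparison is the classic mistake here; naive_prefix_allowed() is in the block only to show what it wrongly accepts, which is exactly the set of paths an attacker inside the workspace would try.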
Outbound Firewall Rules
Outbound Firewall Rules define which IP addresses and ports approved applications are allowed to access when they make outbound connections.
These options are available:
- Localhost Connection: Do not allow connection to application on host PC - When selected, Secure Workspace users can use only applications in Secure Workspace and cannot connect to applications on the host PC. When cleared, users can connect to the host PC while Secure Workspace is active, but can still save files only in the defined Allowed Save locations.
- Accept Rules - Select a rule in the table to enable it. Clear a rule in the table to disable it. Only connections that match an enabled rule are allowed; everything else is blocked. The default rules are:
- Everywhere - Allows desktop applications to access all addresses and ports.
- Localhost connection - Required for Internet Explorer. Not recommended to delete.
Best practice is to use the default rules. You can delete the default rules and replace them with more restrictive rules, but do so carefully: at minimum, the replacement rules must allow the Mobile Access Security Gateway itself, or the Portal and SSL Network Extender cannot connect from inside Secure Workspace.
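The rules above form an allow list: a connection that matches no enabled rule is dropped. The following added example (written for this page, not Check Point code) models that evaluation and contrasts the default rule set with a restrictive replacement. The rule fields used (CIDR network, inclusive port range, enabled flag), the gateway address 203.0.113.10 and the internal ranges are constructed assumptions; this page does not describe the real rule editor's fields.

```python
"""Added example, not Check Point code: a model of Outbound Firewall Rules evaluation.

The page gives the semantics (only connections matching an enabled rule are allowed;
the defaults are "Everywhere" and "Localhost connection"). The rule fields used here
(name, CIDR network, inclusive port range, enabled flag) and both sample rule sets are
assumptions constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class OutboundRule:
    name: str
    network: str                 # CIDR; "0.0.0.0/0" means any IPv4 address
    ports: Tuple[int, int]       # inclusive destination port range
    enabled: bool = True         # the checkbox state in the Accept Rules table

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if not self.enabled:
            return False
        lo, hi = self.ports
        if not lo <= dst_port <= hi:
            return False
        # "in" is False (not an error) when the address and network IP versions differ.
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.network, strict=False)


ANY_PORT = (1, 65535)

# Constructed equivalents of the two default rules.
DEFAULT_RULES = [
    OutboundRule("Everywhere", "0.0.0.0/0", ANY_PORT),
    OutboundRule("Localhost connection", "127.0.0.0/8", ANY_PORT),
]

# Constructed restrictive replacement: reach only the Mobile Access gateway over HTTPS,
# internal RDP hosts, and localhost (kept because the page says Internet Explorer needs it).
# 203.0.113.10 is a documentation address standing in for the gateway.
RESTRICTIVE_RULES = [
    OutboundRule("Mobile Access gateway", "203.0.113.10/32", (443, 443)),
    OutboundRule("Internal RDP hosts", "10.20.0.0/16", (3389, 3389)),
    OutboundRule("Localhost connection", "127.0.0.0/8", ANY_PORT),
]


def first_match(rules: Sequence[OutboundRule], dst_ip: str, dst_port: int) -> Optional[str]:
    """Name of the first enabled rule that accepts the connection, or None (= blocked)."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.name
    return None


def outbound_allowed(rules: Sequence[OutboundRule], dst_ip: str, dst_port: int) -> bool:
    """Allow-list semantics: no matching enabled rule means the connection is dropped."""
    return first_match(rules, dst_ip, dst_port) is not None


def toggle(rules: Sequence[OutboundRule], name: str, enabled: bool) -> list:
    """Return a copy of `rules` with the named rule's checkbox set to `enabled`."""
    return [OutboundRule(r.name, r.network, r.ports, enabled) if r.name == name else r
            for r in rules]


if __name__ == "__main__":
    probes = [("203.0.113.10", 443), ("203.0.113.10", 80), ("10.20.7.9", 3389),
              ("10.20.7.9", 22), ("127.0.0.1", 8080), ("198.51.100.5", 443)]
    for ip, port in probes:
        print(f"{ip}:{port:<5} default={first_match(DEFAULT_RULES, ip, port)!s:22}"
              f"restrictive={first_match(RESTRICTIVE_RULES, ip, port)}")
```

Two cases in the test are the ones that matter operationally: clearing the Localhost connection rule in the restrictive set blocks 127.0.0.1, which is the Internet Explorer breakage the page warns about, and clearing Everywhere in the default set without first adding a rule for the gateway leaves only localhost reachable.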
Virtual Registry Rules
You can add custom rules to the Secure Workspace virtual registry. Contact Check Point support for more information about this feature.
User Experience Settings
In the User Experience settings, configure what users see and how they interact with Secure Workspace.
General
- Prevent Host PC/Secure Workspace desktop switching - Users cannot switch between the host PC and Secure Workspace environments. Access to the regular desktop is allowed only after Secure Workspace is closed.
- Display welcome window - When selected, "Welcome to Secure Workspace" is shown to users. Select whether it always shows or whether users can disable it.
- Disable "Run" option in Start menu inside Secure Workspace - Users cannot run programs with the Run command from the Start menu in Secure Workspace.
- Hide all system drives - Local drives are hidden in Secure Workspace.
- Prevent to start browser inside Secure Workspace - Disables the automatic launch of a web browser in Secure Workspace after Secure Workspace starts. As a result, SSL Network Extender does not start and does not automatically establish a VPN tunnel.
- Desktop Background - Change the Secure Workspace desktop background picture and its position.
- Display Start dialog - Show a Start window that you customize.
Configuring a Secure Workspace Policy per Security Gateway
A Secure Workspace policy that is configured in SmartDashboard applies to all Mobile Access Security Gateways. To configure a Secure workspace policy for each Security Gateway, see sk34939.
Integration with Endpoint Security Reputation Service
Secure Workspace can work together with Check Point Endpoint Security Reputation Services to check whether an application that is not an approved application is legitimate. Reputation Services identifies programs according to their file name and MD5 hash.
For details of Endpoint Security Reputation Services, see the R82 Harmony Endpoint Security Server Administration Guide. If you use Reputation Services, the Secure Workspace sequence is:
- The user selects a program to run in Secure Workspace.
- Secure Workspace checks the policy. If the program is not allowed by the Secure Workspace policy, program execution is blocked.
- If the program is allowed by the policy, Secure Workspace queries Reputation Services about the program.
- Reputation Services returns one of three responses about the application: Trusted, Untrusted, or Unknown.
- Secure Workspace allows or blocks the application according to the Reputation Services response, as defined in the policy:
- Allow Trusted only.
- Allow Trusted and Unknown.
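As an added example covering both the Application Table fields (the three Executable File formats, File hash, Executable Vendor Name, Vendor Control) and the Reputation Services sequence above, the following Python models how those checks combine into one allow or block decision. It is not Check Point's code, and the client's real evaluation order is not published: the order used here, the signer string comparison, the environment values and the stub Reputation Services table are assumptions, and every sample application and file content is constructed.

```python
"""Added example, not Check Point code: a model of the Application Table checks and the
Reputation Services step, combined into one allow/block decision.

Assumptions (the real client's logic is not published): evaluation order is
Application Table -> trusted vendors -> Reputation Services; the signer is compared as
a plain string; the environment and the reputation table are constructed stand-ins.
"""
import hashlib
import ntpath
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Sequence, Set, Tuple


class Reputation(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"
    UNKNOWN = "unknown"


class RepMode(Enum):                     # the two policy choices for reputation responses
    TRUSTED_ONLY = "Allow Trusted only"
    TRUSTED_AND_UNKNOWN = "Allow Trusted and Unknown"


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class ApprovedApp:
    display_name: str
    executable: str                       # one of the three Executable File formats
    vendor: Optional[str] = None          # Executable Vendor Name (signer), optional
    hashes: Set[str] = field(default_factory=set)  # lowercase hex digests, optional
    hash_type: str = "sha256"             # "sha256" or "md5"


# Constructed environment standing in for the endpoint's variables, and constructed
# file contents standing in for a real putty.exe.
ENV: Dict[str, str] = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\Windows"}
PUTTY_BYTES = b"constructed stand-in for the bytes of putty.exe"

APPS = [
    ApprovedApp("Notepad", r"\notepad.exe"),                        # bare name: any location
    ApprovedApp("Calculator", r"C:\Windows\System32\calc.exe"),      # absolute path only
    ApprovedApp("PuTTY", r"%ProgramFiles%\PuTTY\putty.exe",          # env var + vendor + hash
                vendor="Simon Tatham",
                hashes={hashlib.sha256(PUTTY_BYTES).hexdigest()}),
]
TRUSTED_VENDORS = {"Microsoft Corporation"}   # Vendor Control checkboxes left selected


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Resolve %VAR% references from the supplied environment (deterministic, offline)."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path


def path_matches(rule_path: str, launched_path: str, env: Dict[str, str]) -> bool:
    rule = ntpath.normpath(expand_env(rule_path, env)).lower()
    launched = ntpath.normpath(launched_path).lower()
    bare = rule.lstrip("\\")
    if "\\" not in bare:                       # "\name.exe": match the file name anywhere
        return ntpath.basename(launched) == bare
    return rule == launched                    # absolute or env-expanded path: exact match


def stub_reputation(file_name: str, md5_hex: str) -> Reputation:
    """Constructed stand-in for Check Point Reputation Services (keyed by name + MD5)."""
    table = {"7zfm.exe": Reputation.TRUSTED, "evil.exe": Reputation.UNTRUSTED}
    return table.get(file_name, Reputation.UNKNOWN)


def decide(launched_path: str, file_bytes: bytes, signer: Optional[str], mode: RepMode,
           apps: Sequence[ApprovedApp] = APPS, trusted_vendors: Set[str] = TRUSTED_VENDORS,
           lookup: Callable[[str, str], Reputation] = stub_reputation,
           env: Dict[str, str] = ENV) -> Tuple[Decision, str]:
    """Return (decision, reason) for a program the user tries to start in Secure Workspace."""
    # 1. Application Table: an entry approves the launch only if every check it
    #    configures (path format, hash, vendor) passes. A hash mismatch means a
    #    different build or a tampered file, so that entry simply does not apply.
    for app in apps:
        if not path_matches(app.executable, launched_path, env):
            continue
        if app.hashes and hashlib.new(app.hash_type, file_bytes).hexdigest() not in app.hashes:
            continue
        if app.vendor and signer != app.vendor:
            continue
        return Decision.ALLOW, f"Application Table: {app.display_name}"
    # 2. Vendor Control: every application signed by a trusted vendor is trusted.
    if signer in trusted_vendors:
        return Decision.ALLOW, f"trusted vendor: {signer}"
    # 3. Not an approved application: ask Reputation Services, then apply the policy mode.
    rep = lookup(ntpath.basename(launched_path).lower(), hashlib.md5(file_bytes).hexdigest())
    allowed = {Reputation.TRUSTED}
    if mode is RepMode.TRUSTED_AND_UNKNOWN:
        allowed.add(Reputation.UNKNOWN)
    verdict = Decision.ALLOW if rep in allowed else Decision.BLOCK
    return verdict, f"Reputation Services: {rep.value} ({mode.value})"


if __name__ == "__main__":
    for path, data, signer in [(r"D:\tools\notepad.exe", b"", None),
                               (r"C:\Program Files\PuTTY\putty.exe", b"tampered", "Simon Tatham"),
                               (r"C:\Tools\evil.exe", b"", None)]:
        for mode in RepMode:
            print(f"{mode.value:26} {path:40} -> {decide(path, data, signer, mode)}")
```

The tampered-PuTTY case is the one to notice: a hash mismatch means the Application Table entry no longer applies, so the decision falls through to Reputation Services, and under Allow Trusted and Unknown an unknown binary at the approved path runs. Pin approved applications with SHA256 hashes, and keep Allow Trusted only wherever the organization's application set permits it.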
Secure Workspace End-User Experience
This section provides an overview of the Secure Workspace workflow.
Disabling Internet Explorer Protected Mode
If users use Internet Explorer to open the Mobile Access Portal on Windows Vista or higher, they must disable Internet Explorer Protected Mode. If Protected Mode is not disabled, SSL VPN might run, but users can get unexpected errors.
On Windows 7 and higher, Protected Mode is enabled by default. You can see that it is enabled:
- In Internet Options > Security tab, Enable Protected Mode is selected.
- In the bottom right of the Internet Explorer window, it says Protected Mode On.
If Endpoint Security on Demand is configured on the Security Gateway, the scan detects that Protected Mode is on and instructions to disable Protected Mode open.
If Endpoint Security on Demand is not configured on the Security Gateway, users are not alerted that they must disable Protected Mode. However, they must do the same steps to disable Protected Mode so that they can access the SSL VPN portal without problems.
To disable Protected Mode for the SSL VPN Portal:
- In Internet Explorer, select Tools > Internet Options.
- In the Internet Options window, select the Security tab.
- In the Security tab, select Trusted sites and clear the Enable Protected Mode checkbox.
- Click Sites.
- In the Trusted sites window, click Add, and in Add this website to the zone, enter the web address of the SSL VPN portal. The portal web address shows in the Websites area of the window.
- Click Close.
- Click OK.
All users must do these steps even if they do not get the instructions automatically. After these steps, close all Internet Explorer windows. The next time you open Internet Explorer, Protected Mode is off for the Trusted sites zone only, so add only the portal address to that zone.
Logging on to the Mobile Access Portal Using Secure Workspace
Secure Workspace initializes when a user logs on to the Mobile Access Portal. If the administrator has configured the Mobile Access Security Gateway to require Secure Workspace, this occurs automatically. If the administrator has configured the Security Gateway to allow users to choose whether or not to use Secure Workspace, an option appears on the Login screen.
Working with the Secure Workspace Virtual Desktop
The Secure Workspace virtual desktop looks and feels like a normal Windows desktop.
The principal difference is that Secure Workspace only allows users to work with a limited number of pre-approved applications and files and, by default, does not allow users to print, customize the desktop or perform any system configuration activities. Since most users only use Secure Workspace to work with the Mobile Access Portal, these functions are rarely needed.
Start Menu and Taskbar
The virtual desktop Start menu and taskbar function in the same manner their "real" counterparts do. Configuration settings in the Secure Workspace policy determine which shortcuts and options are available to users.
Allowing Users to Save Files to the "Real" Desktop
Users occasionally need to download and save files from resources behind the Mobile Access Security Gateway to "real" desktop folders. Conversely remote users may need to upload files to the corporate network from the endpoint computer.
To allow this, the administrator must configure the Secure Workspace policy to allow endpoints to switch between the secure and regular desktops. This is accomplished in the User Experience Settings section of the Secure Workspace policy editor.
Accessing Files and Applications on the Endpoint Computer
Generally, users can access files and run applications in Secure Workspace in the same manner as on the "real" desktop. Since, by default, users have read-only (access) privileges to all folders and files, they can freely navigate the file system using Windows Explorer. When attempting to run a program or open a file for which a user does not have Secure Workspace permission, an error message appears.
Likewise, if a user attempts to save a file to a "real" desktop folder without Secure Workspace permissions, an error message appears.
Accessing Endpoint Applications in Secure Workspace
When SSL Network Extender network mode users initiate a Secure Workspace session, permitted Endpoint Applications are available in the virtual desktop as follows:

| An Endpoint Application defined in the Native Application as... | ... is available to Users as a |
|---|---|
| Path and executable name (already installed) | Shortcut in the Windows Start menu. |
| Runs via default browser | Shortcut on the desktop. |
| Downloaded-from-Mobile Access application | Link in the Mobile Access Portal. |

Note - During a Secure Workspace session, SSL Network Extender cannot toggle between the Network Mode and the Application Mode. Users can change the mode, but must start a new Secure Workspace session after doing so.
Switching Between Secure Workspace and the "Real" Desktop
If the Secure Workspace policy allows desktop switching (see Prevent Host PC/Secure Workspace desktop switching in the User Experience Settings), you can switch back and forth between the Secure Workspace virtual workspace and the "real" desktop at any time. To do so, click the lock icon in the tray area of the taskbar.
Exiting Secure Workspace
To exit Secure Workspace:
- From the Windows Start menu, select Close Secure Workspace.
A confirmation and reminder to save open files appears.
- Click Yes, close it now to continue closing Secure Workspace.
Troubleshooting Secure Workspace
Secure Workspace logs are automatically saved in %temp%\IswTmp\Logs when the environment variable ISWLOG is set to 0 (zero). If you have issues with Secure Workspace, you can examine these logs or send them to Check Point technical support.
If an application stops working, a Secure Workspace window opens to help you send technical information to Check Point. Users can manually open this window if a process hangs or they experience instability.
To collect technical information:
- Press the Ctrl+Alt+End keys.
A Secure Workspace window opens to help you send technical information to Check Point.
- Fill in the required information and click Collect and Send.
- Send the file to Check Point support.
Endpoint Compliance Updates
Check Point provides Endpoint Compliance updates. You can download Endpoint Security on Demand updates from the Mobile Access tab in SmartDashboard.
You can configure Endpoint Security on Demand to retrieve updates automatically according to a defined schedule or you can manually download and install the updates.
Working with Automatic Updates
You can periodically check for and automatically download Endpoint Compliance updates. You can choose to download updates from the Check Point Download Center, or you can install updates previously downloaded to your Security Management Server.
Note - Before performing an Endpoint Security on Demand update, install a policy at least once.
To configure automatic updates:
- In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
- From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance Updates.
- In the Update Configuration section, click Configure.
The Automatic Updates window opens.
- On the Activation tab, click Enter User Center credentials.
- Enter your User Center email address and password.
- Click the Endpoint Security on Demand tab.
- Configure these update settings:
- To install updates from the Download Center, select the Check Point website option.
- To install updates from your Security Management Server, select the My local Security Management Server option. If you want to install updates from the Download Center when the Security Management Server is unavailable, enable the indicated option.
- Select the interval, in minutes, after which Endpoint Security on Demand checks for available downloads.
- In the Tracking Configuration tab, select the tracking options from the lists. You can select logging events or a variety of alert types.
- If there is a proxy server between the Security Management Server and the User Center, select the Proxy tab, and enter the proxy host name or IP address and the proxy port number (for example, 8080).
- Click OK to complete the definition.
- Click Save.
- Close SmartDashboard.
- In SmartConsole, install policy.
Performing Manual Updates
To perform a manual Endpoint Security on Demand update:
- In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.
SmartDashboard opens and shows the Mobile Access tab.
- From the navigation tree, click Endpoint Security on Demand > Endpoint Compliance Updates.
- Click Update Databases Now.
- Enter your Check Point User Center credentials and click Next.
- Choose the All supporting gateways option to download to all available Mobile Access Security Gateways. Alternatively, choose the Select option, select the applicable Mobile Access Security Gateways in the left-hand list, and click Add.
- Click Finish. A progress bar appears during the download.
- Click Save.
- Close SmartDashboard.
- In SmartConsole, install policy.