Session Settings
To configure the Mobile Access policy:
- In SmartConsole > Manage & Settings view, click Blades.
- In the Mobile Access section, click Capsule Workspace Settings.
- Make sure the Mobile Access blade is enabled on at least one Security Gateway.
- Go to the Shared Policies view and, in the Shared Policies section, click Mobile Access.
- To configure the Mobile Access policy, click the Policy page or the Profiles Policy page.
Simultaneous Logins to the Mobile Access Portal
A single user logged in to Mobile Access more than once, for example from two different locations at the same time, is a potential security issue: it can indicate shared or stolen credentials.
Simultaneous login prevention lets a Security Gateway automatically disconnect a remote user who is logged in more than once.
When simultaneous login prevention is enabled and a user's credentials are used to log in from two different computers, only the later login is considered legitimate, and the earlier session is logged out.
Note - Simultaneous login prevention is not supported for the SSL Network Extender (SNX) client when the Office Mode method is configured to allocate IP addresses from the
Configuring Simultaneous Login Prevention

Simultaneous login prevention is configured in SmartDashboard (the legacy GUI client, still used in R80.x and higher for specific legacy settings), from the Mobile Access tab, by selecting Additional Settings > Session.
The options are:
- User is allowed several simultaneous logins to the Portal
Simultaneous login prevention is disabled. This is the default option.
- User is allowed only a single login to the portal, with Inform user before disconnecting his previous session not selected
The earlier session is disconnected and the later login is allowed. For Mobile Access Portal users, the disconnected session shows this message:
Your Mobile Access session has timed out. Would you like to sign in again now?
The later user is not informed that an earlier session exists.
- User is allowed only a single login to the portal, with Inform user before disconnecting his previous session selected
The later user is informed that an earlier session exists and can choose between canceling the login, which keeps the existing session, and logging in, which terminates it. If the existing session is terminated, the earlier user is logged out with the same message:
Your Mobile Access session has timed out. Would you like to sign in again now?
Tracking Simultaneous Logins

To track simultaneous login events, select All Events in the Tracking section of the Additional Settings > Session page.
When the Security Gateway disconnects a user, the Security Gateway records a log of the disconnection, containing the connection information of both logins.
All disconnect and connect events create a corresponding entry in the traffic log.
These values of the authentication status field relate to simultaneous logins:
- Success - User successfully logged in. Existing active sessions were terminated.
- Inactive - User successfully authenticated, but existing sessions need to be terminated prior to logging on.
- Disconnected - An existing user session has been terminated because the same user has logged on to another session.
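The following is an added example, not Check Point code, that models the decision logic described in the two sections above: how the "single login" setting, with and without "Inform user before disconnecting his previous session", decides which session survives, and which authentication status (Success, Inactive, Disconnected) each outcome writes to the log. The `Portal` and `Session` classes, the field names in the log records, and the option flag names are hypothetical; the statuses and the rule that switching back to "several simultaneous logins" deletes all current sessions are taken from the text.

```python
"""Hypothetical model of Mobile Access simultaneous-login handling (not Check Point code)."""
from dataclasses import dataclass, field
import itertools


@dataclass
class Session:
    session_id: int
    user: str
    source_ip: str
    active: bool = True


@dataclass
class Portal:
    # "User is allowed several simultaneous logins to the Portal" is the default.
    allow_multiple: bool = True
    # "Inform user before disconnecting his previous session"; only matters when
    # allow_multiple is False.
    inform_before_disconnect: bool = False
    sessions: dict = field(default_factory=dict)
    log: list = field(default_factory=list)
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def active_sessions(self, user):
        return [s for s in self.sessions.values() if s.user == user and s.active]

    def _record(self, status, session, **extra):
        # One traffic-log entry per connect/disconnect event, carrying the
        # authentication status plus the connection information.
        self.log.append({"auth_status": status, "user": session.user,
                         "session_id": session.session_id, "src": session.source_ip,
                         **extra})

    def login(self, user, source_ip, confirm_disconnect=False):
        """Authenticate `user` from `source_ip`.

        Returns the new Session, or None when the login is held back with status
        "Inactive": the user authenticated, but an earlier session must be
        terminated first and the user has not yet confirmed that.
        """
        earlier = self.active_sessions(user)
        new = Session(next(self._ids), user, source_ip)

        if self.allow_multiple or not earlier:
            self.sessions[new.session_id] = new
            self._record("Success", new)
            return new

        # Single-login mode and the same user already has a live session.
        if self.inform_before_disconnect and not confirm_disconnect:
            self._record("Inactive", new,
                         existing_session_ids=[s.session_id for s in earlier])
            return None

        for old in earlier:
            old.active = False
            # The disconnection log carries both logins' connection information.
            self._record("Disconnected", old,
                         disconnected_by=new.session_id, new_src=source_ip)
        self.sessions[new.session_id] = new
        self._record("Success", new, terminated=[s.session_id for s in earlier])
        return new

    def set_allow_multiple(self, value):
        """Changing from single login to several logins deletes all current sessions."""
        if not self.allow_multiple and value:
            for s in self.sessions.values():
                s.active = False
            self.sessions.clear()
        self.allow_multiple = value


if __name__ == "__main__":
    portal = Portal(allow_multiple=False, inform_before_disconnect=True)
    portal.login("alice", "10.0.0.1")              # constructed sample logins
    portal.login("alice", "10.0.0.2")              # held back: Inactive
    portal.login("alice", "10.0.0.2", confirm_disconnect=True)
    for entry in portal.log:
        print(entry)
```

With the inform option selected, the second login returns `None` and logs `Inactive` until the caller passes `confirm_disconnect=True`; without it, the earlier session is terminated immediately and only the `Disconnected` log entry tells you the earlier user was displaced.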
Simultaneous Login Issues
These issues may arise in connection with simultaneous login:
- For Endpoint Connect users, Mobile Access does not prevent simultaneous login. This is equivalent to the User is allowed several simultaneous logins to the Portal option. An Endpoint Connect user cannot log out another user with the same user name, and cannot be logged out by another user with the same user name.
- When you select User is allowed only a single login to the portal and do not select Inform user before disconnecting his previous session, SecureClient Mobile users can be logged off by another user and can log off other users. If you do select Inform user before disconnecting his previous session, that option has no effect for SecureClient Mobile users, because no message can be sent to them: such a user can be logged off but cannot log off other users.
- When a session is disconnected by another user while the SSL Network Extender application mode client is in use, the SSL Network Extender window remains open although the session is disconnected. Similarly, when Secure Workspace is in use, the Secure Workspace window remains open although the session is disconnected.
- When a session is disconnected by another user while Citrix is in use, the Citrix window remains open although the session is disconnected.
- All current sessions are deleted when you change the setting from User is allowed only a single login to the portal to User is allowed several simultaneous logins to the Portal.
Session Timeouts

After the authentication, remote users work in a Mobile Access session until they log out or the session terminates.
Security best practice is to limit the length of both active and idle Mobile Access sessions, to shorten the window in which an unattended or hijacked session can be used to reach protected resources.
Note - Mobile Access uses the system time to keep track of session timeouts. Changing the system time may disrupt existing session timeouts. Therefore, it is recommended to change the system time during low activity hours.
Mobile Access provides two types of session timeouts, both configured in SmartDashboard from the Mobile Access tab by selecting Additional Settings > Session.
- Re-authenticate users every is the maximum session time. When this period is reached, the user must log in again. The default value is 60 minutes. Changing this timeout affects only future sessions, not current sessions.
- Disconnect idle sessions after is the time after which an idle connection is disconnected. The default value is 15 minutes. This timeout does not apply to users connected via SSL Network Extender.
For Capsule Clients:
- In SmartConsole, from the left taskbar, click Security Policies.
- Click Blades.
- In the Mobile Access section, click the Capsule Workspace Settings button. The Capsule Workspace Settings menu opens.
- Open the Profiles tab.
- Do one of these:
  - To create a new Mobile Profile, right-click inside the table > click New.
  - To edit an existing Mobile Profile, right-click the table row that contains the profile > click Edit...
  The Mobile Profile window opens.
- Open the Security tab.
- In the Access Settings section, configure the applicable value in the Session timeout field (example: "2 Hours").
- Click OK.
- Install policy.
Roaming

The Roaming option allows users to change their IP addresses during an active session.
Note - SSL Network Extender users can always change IP address while connected, regardless of the Roaming setting.
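The following is an added example, not Check Point code, that models the session checks described under Session Timeouts and Roaming above: the re-authentication deadline is fixed at login, so changing "Re-authenticate users every" affects only later sessions; the idle timeout is skipped for SSL Network Extender sessions; a source IP change is rejected unless Roaming is enabled, and is always accepted for SSL Network Extender; and everything is compared against the caller-supplied system time, which is why the note above warns about clock changes. The `Settings`/`Session` classes, the `"portal"`/`"snx"` client labels and the rejection reason strings are hypothetical.

```python
"""Hypothetical model of Mobile Access session timeout and roaming checks (not Check Point code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Settings:
    reauth_minutes: int = 60   # "Re-authenticate users every" (default 60 minutes)
    idle_minutes: int = 15     # "Disconnect idle sessions after" (default 15 minutes)
    roaming: bool = False      # Roaming option


@dataclass
class Session:
    user: str
    source_ip: str
    client: str                # hypothetical labels: "portal" or "snx"
    login_at: float            # system time (seconds) at login
    reauth_deadline: float     # fixed at login from the settings in force then
    last_activity: float


def start_session(user, source_ip, client, now, settings) -> Session:
    """Create a session; the re-authentication deadline is captured here, so a
    later change to settings.reauth_minutes does not move it."""
    return Session(user, source_ip, client, now,
                   now + settings.reauth_minutes * 60, now)


def check_request(session, now, source_ip, settings) -> Optional[str]:
    """Return None if the request may proceed, else why the session is rejected.

    `now` is the gateway's system time. Because the comparisons are against
    wall-clock time, a clock stepped backwards prolongs live sessions and a
    clock stepped forwards expires them early, which is the reason the
    documentation recommends changing the time during low-activity hours.
    """
    if now >= session.reauth_deadline:
        return "reauth-required"          # maximum session time reached
    # Idle timeout does not apply to SSL Network Extender sessions.
    if session.client != "snx" and now - session.last_activity >= settings.idle_minutes * 60:
        return "idle-timeout"
    if source_ip != session.source_ip:
        # SNX may always change address; other clients only when Roaming is on.
        if session.client == "snx" or settings.roaming:
            session.source_ip = source_ip
        else:
            return "ip-changed"
    session.last_activity = now
    return None


if __name__ == "__main__":
    cfg = Settings()
    t0 = 1_700_000_000.0                        # constructed login time
    s = start_session("alice", "10.0.0.1", "portal", t0, cfg)
    print(check_request(s, t0 + 600, "10.0.0.1", cfg))        # None
    print(check_request(s, t0 + 600 + 960, "10.0.0.1", cfg))  # idle-timeout
    print(check_request(s, t0 + 60, "10.0.0.9", cfg))         # ip-changed
```

Note that a rejected request does not refresh `last_activity`, so an attacker who only reaches the portal from a new address after the user walked away cannot keep the idle timer alive on a non-roaming session.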
Tracking

In the Tracking section you configure Mobile Access to log session activity, including login attempts, logouts, timeouts, activity states and license expiration warnings.
Securing Authentication Credentials

Multiple people using the same machine to access the Mobile Access Portal is a security hazard. After one user logs in to the Mobile Access Portal, the authenticated session remains valid in that browser: anyone who then opens a new browser window on that machine can browse directly to the Mobile Access Portal and inherit the earlier session without entering any login credentials.
To make sure one user's authenticated session cannot be reused by someone else, advise users to log off, or to close all browser windows, when they have finished working in the portal.