Configuring an Advanced Native Application
Overview
A Native Application is any IP-based application that is hosted on servers within the organization, and requires an installed client on the endpoint. The client is used to access the application and encrypt all traffic between the endpoint and Mobile Access.
Microsoft Exchange, Telnet, and FTP are all examples of native application servers. Authorized users can use their native clients (for example, telnet.exe, ftp.exe, or Outlook) to access these internal applications from outside the organization.
A native application is defined by the:
- Server hosting applications.
- Services used by applications.
- Connection direction (usually client to server, but can also be server to client, or client to client).
- Applications on the endpoint (client) machines. These applications are launched on demand on the user machine when the user clicks a link in the user portal. They can be:
  - Already installed on the endpoint machine, or
  - Run via a default browser, or
  - Downloaded from Mobile Access.
In SmartConsole R82 and higher, you can see the Native Applications in the Objects menu > Object Explorer > Applications/Categories > Custom Applications/Categories > Mobile Applications.
In SmartConsole R81.20 and lower, you can see the Native Applications in SmartDashboard > Applications > Native Applications.
Workflow
- Create a new Native Application.
  Steps on a Management Server R82 and higher
  - In SmartConsole, in the top right corner, click the Objects panel.
  - Click New > More > Custom Application/Site > Mobile Application > Native Application.
    The Native Application window opens.
  Steps on a Management Server R81.20 and lower
  - In SmartConsole, from the left navigation panel, click Manage & Settings.
  - In the top left panel, click Blades.
  - In the Mobile Access section, click Configure in SmartDashboard.
    SmartDashboard opens and shows the Mobile Access tab.
  - From the left navigation tree, click Applications > Native Applications.
  - Click New.
    The Native Application window opens.
- Configure the new Native Application.
  - In the Name field, enter the name for this object.
  - Optional: In the Comment field, enter the applicable text.
  - Follow the corresponding procedures below:
    - Configuring the Endpoint Application to Run Via a Default Browser
    - Making a Native Application Available in the Application Mode
    In addition, see Protection Levels for Native Applications.
  - Click OK to close the new Native Application object.
- Add the Native Application to the Mobile Access Policy
  Steps on a Management Server R82 and higher
  - From the left navigation panel, click Security Policies.
  - In the Shared Policies section, in the Mobile Access section, click Policy.
  - Add the Native Application object to the applicable Mobile Access Policy rule.
  Steps on a Management Server R81.20 and lower
  - In SmartDashboard, from the left navigation tree, click Policy.
  - Add the Native Application object to the applicable Mobile Access Policy rule.
  - Save the changes in SmartDashboard.
  - Close SmartDashboard.
- In SmartConsole, install the Access Control Policy.
Configuring Connection Direction

- Create a new Native Application or edit an existing Native Application.
- On the General Properties page, in the Advanced section, click Connection direction.
- In the Direction of communication from the connection initiator section, in the Connection direction field, select the applicable option:
  - Client to server
    This is the default option.
    When you create a client to server application and assign it to a user group, you enable users of the group to initiate a connection to the specified server.
    Example: Telnet.
  - Server to client
    When you create a server to client application, the specified server can initiate a connection to all SSL Network Extender or Secure Client Mobile users currently logged on to the Mobile Access Security Gateway, regardless of their group association.
    Example: X11.
  - Client to client
    When you create a client to client Native Application and assign it to a user group, you enable users of that group to initiate a connection to all of the SSL Network Extender or Secure Client Mobile users currently logged on to Mobile Access, regardless of their user group association.
    Example: Running Remote Administration from one client to another.
    Note - A "Client to client" Native Application does not require configuration of a destination address.
- Click OK to close the new Advanced window.
- Click OK to close the new Native Application object.
Configuring Multiple Hosts and Services
The Native Application can reside on a range of hosts, which can be accessed by the native application clients. You can also specify more than one service that clients may use to communicate with the application.
Users of the native application can only access the specified locations using the specified services.
An authorized location ensures users of the Native Application can only access the specified locations using the specified services.

- Create a new Native Application or edit an existing Native Application.
- On the Authorized Locations page, select the applicable option.
  - If you selected Simple:
    This option allows you to select one object in each field.
    - In the Host/Address Range/Group field, select the applicable object (a Host, a Network Group, or an Address Range object), to which the Native Application requires access.
    - In the Service field, select the applicable Service object (or Service Group object) to configure ports, on which the hosted application listens for communication from application clients.
  - If you selected Advanced:
    This option allows you to select multiple server objects and multiple service objects. For example, it may not be possible to group the required hosts or services into a single Network Group object or Service Group object.
    - Click Edit.
      The Native Application Hosts window opens.
    - In the Hosts panel, select the applicable objects (Host, Network Group, and Address Range objects).
    - In the Services panel, select the applicable objects (Service, or Service Group objects).
    - Click OK to close the Native Application Hosts window.
    - Click OK to close the Native Application - Advanced window.
- Click OK to close the new Native Application object.
Configuring the Endpoint Application to Run Via a Default Browser

- Create a new Native Application or edit an existing Native Application.
- On the Endpoint Applications page, select Add a link to the application in the Mobile Access portal.
- Select Advanced.
- Click Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add.
  The Edit Endpoint Application window opens.
- Select Run via default browser.
  This is used to define a link to any URL. The link appears in the Mobile Access Portal, and launches the current Web browser (the same browser as the Mobile Access Portal). The link can include $$user, which represents the user name of the currently logged-in user.
  This option has a similar user experience to a Web Application with a URL: The application is opened in a Web browser. However, Mobile Access Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the "Run via default browser" option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender.
  You may prefer to define a Native Application rather than a Web Application for convenience, or because some Web sites have problems working with Link Translation.
- Click OK to close the Edit Endpoint Application window.
- Click OK to close the Endpoint Applications - Advanced window.
- Click OK to close the new Native Application object.
Configuring Automatic Start of the Application

- Create a new Native Application or edit an existing Native Application.
- On the Endpoint Applications page, select Add a link to the application in the Mobile Access portal.
- Select Advanced.
- Click Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add.
  The Edit Endpoint Application window opens.
- At the bottom of this page, click Advanced.
- In the Automatically Start this Application section, select the applicable options:
  - When SSL Network Extender is launched
    Configures a Native Application to run a program or command automatically, after connecting to SSL Network Extender (either Network Mode or Application Mode).
    When more than one Native Application is defined for automatic connection, the applications run in the alphabetical order of the names of the Native Applications.
  - When SSL Network Extender is disconnected
    Configures a Native Application to run a program or command automatically, after disconnecting from SSL Network Extender (either Network Mode or Application Mode).
    When more than one Native Application is defined for automatic disconnection, the applications run in the alphabetical order of the names of the Native Applications.
    Note - Do not select this option to launch applications that require connectivity to the organization in the SNX Application Mode. In the SNX Network Mode, automatic start of applications when SSL Network Extender is disconnected works correctly.
- Click OK to close the Advanced window.
- Click OK to close the Edit Endpoint Application window.
- Click OK to close the Endpoint Applications - Advanced window.
- Click OK to close the new Native Application object.
Making a Native Application Available in the Application Mode

- Create a new Native Application or edit an existing Native Application.
- On the Endpoint Applications page, select Add a link to the application in the Mobile Access portal.
- Select Advanced.
- Click Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add.
  The Edit Endpoint Application window opens.
- At the bottom of this page, click Advanced.
- In the SSL Network Extender Application Mode Compatibility section, select This endpoint application is supported when using SSL Network Extender in Application Mode.
  This option makes an application available to Application Mode clients. Users that connect using the SSL Network Extender Application Mode client are able to see a link to the application and launch it.
  Important:
  - Use this option if the application works well in Application Mode.
  - If you do not select this option, then users who connect with Application Mode do not see it in their list of applications.
- Click OK to close the Advanced window.
- Click OK to close the Edit Endpoint Application window.
- Click OK to close the Endpoint Applications - Advanced window.
- Click OK to close the new Native Application object.
Configuring Automatic Run of Commands or Scripts
It is possible to configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode).
Use Case 1 - Automatically Map and Unmap a Network Drive
One example of how automatically running a command can be useful is to mount or unmount a network drive. Giving users access to network drives is a convenient way of providing access to internal resources. A drive can be mapped by configuring an application that invokes the Windows "net use" command.
It is possible to extend this ability by defining a dynamic add-on Downloaded-from-Gateway application that runs a script (batch file) containing a sequence of commands to execute on the endpoint machine. This script can be launched manually when the user clicks a link, or it can launch automatically after connecting to or disconnecting from SSL Network Extender.
|
Note - The " |

- Create a new Native Application or edit an existing Native Application to map (mount) the drive.
- On the Endpoint Applications page, select Add a link to the application in the Mobile Access portal.
- Select Advanced.
- Click Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add.
  The Edit Endpoint Application window opens.
- Select Already installed.
- In the Path and executable name field, enter:
  net.exe
- In the Parameters field, enter:
  use Drive_Letter: \\Server_Name\Share_Name
- At the bottom of this page, click Advanced.
- Select When SSL Network Extender is launched.
- Click OK to close the Advanced window.
- Click OK to close the Edit Endpoint Application window.
- Click OK to close the Endpoint Applications - Advanced window.
- Click OK to close the new Native Application object.

- Create a new Native Application or edit an existing Native Application to unmap (unmount) the drive.
- On the Endpoint Applications page, select Add a link to the application in the Mobile Access portal.
- Select Advanced.
- Click Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add.
  The Edit Endpoint Application window opens.
- Select Already installed.
- In the Path and executable name field, enter:
  net.exe
- In the Parameters field, enter:
  use /DELETE Drive_Letter:
- At the bottom of this page, click Advanced.
- Select When SSL Network Extender is disconnected.
- Click OK to close the Advanced window.
- Click OK to close the Edit Endpoint Application window.
- Click OK to close the Endpoint Applications - Advanced window.
- Click OK to close the new Native Application object.
Use Case 2 - Automatically Run a Script (Batch File)
It is possible to define a new Downloaded-from-Gateway Endpoint Application (embedded application) that runs a script (batch file) automatically after connecting to or disconnecting from SSL Network Extender.

- Create a batch (script) file containing a sequence of commands.
- Define the batch file as a new Native Application for Client-Based Access.
- Create a new Native Application or edit an existing Native Application.
- On the Endpoint Applications page, select Add a link to the application in the Mobile Access portal.
- Select Advanced.
- Click Edit.
  The Endpoint Applications - Advanced window opens.
- Click Add.
  The Edit Endpoint Application window opens.
- At the bottom of this page, click Advanced.
- Select the applicable option(s):
  - When SSL Network Extender is launched.
  - When SSL Network Extender is disconnected.
  For explanations, see Configuring Automatic Start of the Application.
- Click OK to close the Advanced window.
- Click OK to close the Edit Endpoint Application window.
- Click OK to close the Endpoint Applications - Advanced window.
- Click OK to close the new Native Application object.
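
A batch file of the kind Use Case 2 describes, combining the map and unmap commands from Use Case 1. It is an added example, not a script from Check Point's documentation. The drive letter `Z:`, the share `\\Server_Name\Share_Name` and the `disconnect` argument are assumptions; the script carries no credentials because it is delivered to the endpoint and has to rely on the logged-on user's identity.

```bat
@echo off
rem Example script (added here; not from the vendor documentation).
rem Assumed placeholders: drive Z: and share \\Server_Name\Share_Name.
rem Run with no argument after SSL Network Extender connects,
rem and with the argument "disconnect" after it disconnects.
setlocal
set "DRIVE=Z:"
set "SHARE=\\Server_Name\Share_Name"

if /i "%~1"=="disconnect" goto unmap

rem Drop a stale mapping left over from an earlier session.
net use %DRIVE% >nul 2>&1
if not errorlevel 1 net use %DRIVE% /delete /y >nul 2>&1

rem No user name or password on the command line: the file sits on the
rem endpoint, so the share must authenticate the logged-on Windows user.
rem /persistent:no stops Windows from retrying the mapping at the next
rem logon, when the tunnel is not up.
net use %DRIVE% "%SHARE%" /persistent:no
if errorlevel 1 (
    echo Could not map %DRIVE% to %SHARE% 1>&2
    exit /b 1
)
exit /b 0

:unmap
rem Delete the mapping only if it exists, so a clean disconnect returns 0.
net use %DRIVE% >nul 2>&1
if errorlevel 1 exit /b 0
net use %DRIVE% /delete /y
exit /b %errorlevel%
```

The unmap branch needs no connectivity to the organization, which keeps it compatible with the note about the disconnect option in SNX Application Mode.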