Mobile Access R75.40 Administration Guide


9 April 2012

Administration Guide
Mobile Access R75.40
Classification: [Protected]

© 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13949
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk67581).

Revision History
Date            Description
09 April 2012   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Mobile Access R75.40 Administration Guide).

Contents

Important Information 3
Introduction to Mobile Access 9
  Mobile Access Applications 9
  Mobile Access Management 10
  SSL Network Extender 10
  SSL Network Extender Network Mode 10
  SSL Network Extender Application Mode 10
  Commonly Used Concepts 10
  Authentication 11
  Authorization 11
  Endpoint Compliance Scanner 11
  Secure Workspace 11
  Protection Levels 11
  Session 11
  Mobile Access Security Features 11
  Server Side Security Highlights 12
  Client Side Security Highlights 12
  User Workflow 12
  Signing In 13
  First time Installation of ActiveX and Java Components 13
  Language Selection 13
  Initial Setup 14
  Accessing Applications 14
Check Point Remote Access Solutions 15
  Providing Secure Remote Access 15
  Types of Solutions 15
  Client-Based vs. Clientless 15
  Secure Connectivity and Endpoint Security 16
  Remote Access Solution Comparison 16
  Summary of Remote Access Options 17
  Mobile Access Web Portal 17
  SSL Network Extender 18
  SecuRemote 18
  Check Point Mobile for Windows 18
  Endpoint Security VPN 18
  Endpoint Security Suite 19
  Check Point Mobile for iPhone and iPad 19
  Check Point Mobile for Android 19
  Check Point GO 19
Getting Started with Mobile Access 20
  Recommended Deployments 20
  Simple Deployment 20
  Deployment in the DMZ 21
  Cluster Deployment 23
  Basic SmartDashboard Configuration 23
  Mobile Access Wizard 24
  Setting up the Mobile Access Portal 24
  Configuring Mobile Access Policy 24
  Preparing for Handheld Devices 25
Applications for Clientless Access 26
  Protection Levels 26
  Using Protection Levels 26
  Defining Protection Levels 27
  Web Applications 27
  Web Applications of a Specific Type 28
  Configuring Web Applications 28
  Link Translation 34
  Link Translation Domain 38
  Web Application Features 39
  File Shares 41
  File Share Viewers 41
  Configuring File Shares 41
  Using the $$user Variable in File Shares 43
  Citrix Services 44
  Citrix Deployments Modes - Unticketed and Ticketed 44
  Configuring Citrix Services 45
  Web Mail Services 47
  Web Mail Services User Experience 48
  Incoming (IMAP) and Outgoing (SMTP) Mail Servers 48
  Configuring Mail Services 48
  Native Applications 49
  DNS Names 49
  DNS Names and Aliases 50
  Where DNS Name Objects are Used 50
  Defining the DNS Server used by Mobile Access 50
  Configuring DNS Name Objects 50
  Using the Login Name of the Currently Logged in User 50
  Single Sign On 52
  Supported SSO Authentication Protocol 52
  HTTP Based SSO 52
  HTTP Based SSO Limitation 53
  Web Form Based SSO 53
  Application Requirements for Easy Configuration 54
  Web Form Based SSO Limitations 54
  Application and Client Support for SSO 54
  Mobile Access Client Support for SSO 55
  Basic SSO Configuration 55
  Basic Configuration of Web Form SSO 56
  Advanced Configuration of SSO 56
  Configuring Advanced Single Sign On 56
  Configuring Login Settings 57
  Advanced Configuration of Web Form SSO 58
  Sign In Success or Failure Detection 58
  Credential Handling 59
  Manually Defining HTTP Post Details 59
  Kerberos Authentication Support 59
Native Applications for Client-Based Access 61
  VPN Clients 61
  SSL Network Extender 62
  SSL Network Extender Network Mode 62
  SSL Network Extender Application Mode 62
  Configuring VPN Clients 64
  Office Mode 65
  Configuring Office Mode 65
  IP Pool Optional Parameters 66
  Configuring SSL Network Extender Advanced Options 66
  Deployment Options 66
  Encryption 66
  Launch SSL Network Extender Client 66
  Endpoint Application Types 67
  Application Installed on Endpoint Machine 67
  Application Runs Via a Default Browser 67
  Applications Downloaded-from-Gateway 67
  Configuring Authorized Locations per User Group 69
  Ensuring the Link Appears in the End-User Browser 69
  Configuring a Simple Native Application 69
  General Properties 69
  Authorized Locations 69
  Applications on the Endpoint Computer 69
  Completing the Native Application Configuration 70
  Configuring an Advanced Native Application 70
  Configuring Connection Direction 70
  Multiple Hosts and Services 71
  Configuring the Endpoint Application to Run Via a Default Browser 71
  Automatically Starting the Application 71
  Making an Application Available in Application Mode 72
  Automatically Running Commands or Scripts 72
  Protection Levels for Native Applications 73
  Protection Levels in R71 and Higher Gateways 73
  Defining Protection Levels 74
  Adding New Downloaded-from-Gateway Endpoint Applications 75
  Downloaded-from-Gateway Application Requirements 75
  Adding a New Application 75
  Example: Adding a New SSH Application 76
  Example: Adding a New Microsoft Remote Desktop Profile 77
  Configuring Downloaded-from-Gateway Endpoint Applications 79
  Configuring the Telnet Client (Certified Application) 80
  Configuring the SSH Client (Certified Application) 80
  Configuring the TN3270 Client (Certified Application) 81
  Configuring the TN5250 Client (Certified Application) 81
  Configuring the Remote Desktop Client (Add-On Application) 81
  Configuring the PuTTY Client (Add-On Application) 83
  Configuring the Jabber Client (Add-On Application) 83
  Configuring the FTP Client (Add-On Application) 83
Mobile Access for Smartphone and Handheld Devices 85
  Authentication for Handheld Devices 85
  Initializing Client Certificates 85
  ActiveSync Applications 86
  Configuring ActiveSync Applications 86
  Policy Requirements for ActiveSync Applications 87
  User Access to ActiveSync Applications 87
  ESOD Bypass for Mobile Apps 87
  System Specific Configuration 87
  iPhone/iPad Configurations 87
  Android Configurations 88
  Instructions for End Users 91
  iPhone/iPad End User Configuration 91
  Android End User Configuration 91
  Advanced Gateway Configuration for Handheld Devices 93
User Authentication in Mobile Access 96
  User Authentication to the Mobile Access Portal 96
  Configuring Authentication 96
  How the Gateway Searches for Users 97
  Two-Factor Authentication with DynamicID 97
  How DynamicID Works 98
  The SMS Service Provider 98
  SMS Authentication Granularity 98
  Basic DynamicID Configuration for SMS or Email 98
  Advanced Two-Factor Authentication Configuration 101
  Configuring Resend Verification and Match Word 102
  Two-Factor Authentication per Gateway 103
  Two-Factor Authentication per Application 104
  Two-Factor Authentication for Certain Authentication Methods 104
  Session Settings 105
  Session Timeouts 105
  Roaming 105
  Tracking 106
  Securing Authentication Credentials 106
  Simultaneous Logins to the Portal 106
Endpoint Security On Demand 108
  Endpoint Compliance Enforcement 108
  Endpoint Compliance Policy Granularity 108
  Endpoint Compliance Licensing 109
  Endpoint Compliance Policy Rule Types 109
  Endpoint Compliance Logs 111
  Configuring Endpoint Compliance 112
  Planning the Endpoint Compliance Policy 112
  Using the ICSInfo Tool 114
  Creating Endpoint Compliance Policies 114
  Configuring Endpoint Compliance Settings for Applications and Gateways 115
  Configuring Advanced Endpoint Compliance Settings 117
  Configuring Endpoint Compliance Logs 118
  Assign Policies to Gateways and Applications 118
  Excluding a Spyware Signature from a Scan 118
  Preventing an Endpoint Compliance Scan Upon Every Login 119
  Endpoint Compliance Scanner End-User Workflow 119
  Endpoint Compliance Scanner End-User Experience 120
  Using Endpoint Security On Demand with Unsupported Browsers 120
  Completing the Endpoint Compliance Configuration 121
  Secure Workspace 122
  Enabling Secure Workspace 123
  Applications Permitted by Secure Workspace 124
  SSL Network Extender in Secure Workspace 127
  Secure Workspace Policy Overview 127
  Configuring the Secure Workspace Policy 128
  Secure Workspace End-User Experience 131
  Endpoint Compliance Updates 135
  Working with Automatic Updates 135
  Performing Manual Updates 136
Advanced Password Management Settings 137
  Password Expiration Warning 137
  Managing Expired Passwords 137
  Configuring Password Change After Expiration 137
Mobile Access Blade Configuration and Settings 139
  Interoperability with Other Blades 139
  IPS Blade 139
  Anti-Virus and Anti-malware Blade 140
  IPsec VPN Blade 141
  Portal Settings 141
  Portal Accessibility Settings 141
  Portal Customization 142
  Localization Features 143
  Alternative Portal Configuration 144
  Concurrent Connections to the Gateway 144
  Server Certificates 144
  Obtaining and Installing a Trusted Server Certificate 144
  Viewing the Certificate 147
  Web Data Compression 147
  Configuring Data Compression 147
  Using Mobile Access Clusters 148
  The Sticky Decision Function 148
  How Mobile Access Applications Behave Upon Failover 148
Troubleshooting Mobile Access 150
  Troubleshooting Web Connectivity 150
  Troubleshooting Outlook Web Access 150
  Troubleshooting OWA Checklist 150
  Unsupported Feature List 151
  Common OWA problems 151
  Troubleshooting Authentication with OWA 151
  Troubleshooting Authorization with OWA 152
  Troubleshooting Security Restrictions in OWA 153
  Troubleshooting Performance Issues in OWA 153
  Saving File Attachments with OWA 155
  Troubleshooting File Shares 155
  Troubleshooting Citrix 156
  Troubleshooting Citrix Checklist 156
Index 157

Mobile Access Administration Guide R75.40 | 9

Chapter 1
Introduction to Mobile Access

Check Point Mobile Access blade is a simple and comprehensive remote access solution that delivers exceptional operational efficiency. It allows mobile and remote workers to connect easily and securely from any location, with any Internet device, to critical resources while protecting networks and endpoint computers from threats.

Combining the best of remote access technologies in a software blade provides flexible access for endpoint users and simple, streamlined deployment for IT. This software blade option integrates into your existing Check Point gateway, enabling more secure and operationally efficient remote access for your endpoint users. The data transmitted by remote access is decrypted and then filtered and inspected in real time by Check Point’s gateway security services such as antivirus, intrusion prevention and web security.
The Mobile Access blade also includes in-depth authentication and the ability to check the security posture of the remote device. This further strengthens the security for remote access.

In This Chapter
Mobile Access Applications 9
Mobile Access Management 10
SSL Network Extender 10
Commonly Used Concepts 10
Mobile Access Security Features 11
User Workflow 12

Mobile Access Applications

Mobile Access provides the remote user with access to the various corporate applications, including Web applications, file shares, Citrix services, Web mail, and native applications.

- A Web application can be defined as a set of URLs that are used in the same context and that are accessed via a Web browser, for example inventory management or HR management.
- A file share defines a collection of files, made available across the network by means of a protocol, such as SMB for Windows, that enables actions on files, such as opening, reading, writing and deleting files across the network.
- Mobile Access supports Citrix client connectivity to internal XenApp servers.
- Mobile Access supports Web mail services including:
  - Built-in Web mail: Web mail services give users access to corporate mail servers via the browser. Mobile Access provides a front end for any email server that supports the IMAP and SMTP protocols.
  - Other Web-based mail services, such as Outlook Web Access (OWA) and IBM Lotus Domino Web Access (iNotes). Mobile Access relays the session between the client and the OWA server.
- iPhone and iPad support:
  - Access to Web applications
  - Access to email, calendar, and contacts
  - Two-factor authentication with client certificate and user name/password
  - SSL Network Extender support for MacOS 10.6 (Snow Leopard) as part of Check Point Mobile Access
- Mobile Access supports any native application, via SSL Network Extender. A native application is any IP-based application that is hosted on servers within the organization.
When a user is allowed to use a native application, Mobile Access launches SSL Network Extender and allows users to employ native clients to connect to native applications, while ensuring that all traffic is encrypted.

Remote users initiate a standard HTTPS request to the Mobile Access gateway, authenticating via user name/password, certificates, or some other method such as SecurID. Users are placed in groups and these groups are given access to a number of applications.

For information about Web applications, file shares, Citrix services and Web mail, see Applications for Clientless Access (on page 26). For information about native applications, see Native Applications for Client-Based Access (on page 61).

Mobile Access Management

- Mobile Access enabled gateways are managed by the Security Management Server that manages all Check Point gateways.
- All Mobile Access related configuration can be performed from the Mobile Access tab of SmartDashboard.
- Mobile Access users are shown in SmartConsole, along with real-time counters and history counters for monitoring purposes.
- Mobile Access supports SNMP. Status information regarding Check Point products can be obtained using a regular SNMP Network Management Station (NMS) that communicates with SNMP agents on Mobile Access gateways. See "Working with SNMP Management Tools" in the R75.40 Security Management Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk67581).

SSL Network Extender

The SSL Network Extender client makes it possible to access native applications via Mobile Access. SSL Network Extender is downloaded automatically from the Mobile Access portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender tunnels application traffic using a secure, encrypted and authenticated SSL tunnel to the Mobile Access gateway.
SSL Network Extender Network Mode

The SSL Network Extender Network Mode client provides secure remote access for all application types (both native IP-based and Web-based) in the internal network via SSL tunneling. To install the Network Mode client, users must have administrator privileges on the client computer. After installing the client, an authenticated user can access any authorized internal resource that is defined on Mobile Access as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the Mobile Access portal.

SSL Network Extender Application Mode

The SSL Network Extender Application Mode client provides secure remote access for most application types (both native IP-based and Web-based) in the internal network via SSL tunneling. Most TCP applications can be accessed in Application Mode. The user does not require administrator privileges on the endpoint machine. After the client is installed, the user can access any internal resource that is defined on Mobile Access as a native application. The application must be launched from the Mobile Access portal and not from the user's desktop.

Commonly Used Concepts

This section briefly describes commonly used concepts that you will encounter when dealing with Mobile Access.

[...]

Authentication
All remote users accessing the Mobile Access portal must [...]

[...] out, or the session ends due to a time-out.

Mobile Access Security Features
Greater access and connectivity demands a higher level of security. The Mobile Access security features may be grouped as server side security and client side security.

Server Side Security Highlights
Mobile Access enabled gateways are fully integrated [...]

[...] setup. Access applications.

Signing In
Using a browser, the user types in the URL, assigned by the system administrator, for the Mobile Access gateway.
Note - Some popup blockers can interfere with aspects of portal functionality. You should recommend to users that they configure popup blockers to allow pop-ups from Mobile Access [...]

Remote Access Solution Comparison
Details of the newest version for each client and a link for more information are in sk67820 (http://supportcontent.checkpoint.com/solutions?id=sk67820).

Name                                     Supported Operating Systems   [...]
Mobile Access Web Portal                 Windows, Linux, Mac           Clientless   SSL
SSL Network Extender for Mobile Access   [...]

[...] Check Point Support Center (sk67820).

Chapter 3
Getting Started with Mobile Access

In This Chapter
Recommended Deployments 20
Basic SmartDashboard Configuration 23
Mobile Access Wizard 24
Setting up the Mobile Access Portal 24
Configuring Mobile Access Policy 24
Preparing for Handheld Devices 25

Recommended Deployments
Mobile Access can be deployed in a variety [...]

[...] Simple Mobile Access Deployment with One Security Gateway

Deployment in the DMZ
When a Mobile Access enabled Security Gateway is placed in the DMZ, traffic initiated both from the Internet and from the LAN to Mobile Access is subject to firewall restrictions. By deploying Mobile Access in the DMZ, the need to enable direct access [...]

[...] reaches the Mobile Access gateway.

Another leg of the Mobile Access gateway can lead directly to the LAN. In this setup, traffic does not have to go back through the firewall before reaching the LAN.

Figure 3-3 Mobile Access Deployment in the DMZ with LAN Connection Example

[...] select Mobile Access.
Note - The Mobile Access blade can only be enabled on Security Gateways running on the SecurePlatform Operating System.
2. When you enable the Mobile Access blade:
   - You are automatically given a 30 day trial license for 10 users.
   - The Mobile Access Wizard opens. Follow the instructions to configure remote access to your network.
3. Configure your firewall access rules to permit Mobile Access [...]
   [...]
   - For easier end user access, it is recommended that the Security Gateway accept HTTP (TCP/80) traffic.
   - Mobile Access requires access to DNS servers in most scenarios.
   - The Security Gateway may need access to: WINS servers, LDAP, RADIUS, or ACE servers for authentication, an NTP server for clock synchronization.
4. Configure [...]

[...] that the Mobile Access gateway will accept from remote users. Do this in Gateway Properties > Mobile Access > Authentication.

Mobile Access Wizard
The Mobile Access Wizard lets you quickly allow selected remote users access to internal web applications, through a web browser or mobile phone application. Going through the wizard:
1. Mobile Access Methods - Select whether users can access the Mobile Access [...]

[...] to configure. However, you can add objects to a rule quickly and configure more detailed properties at a different time.

To create rules in the Mobile Access Rule Base:
1. In the Policy page of the Mobile Access tab, click one of the add rule buttons.
2. In the Users column, click the + sign, or right-click and select Add Users.
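The DMZ deployment and firewall-rule guidance above can be checked mechanically rather than by eye. The following is an added example and is not code from the Check Point guide or product: it models the gateway on a DMZ leg with its dependencies in the LAN and audits a rule base for two things, whether every flow the guidance requires is accepted, and whether any accept rule lets the Internet reach the LAN or the gateway beyond the portal ports, or lets the gateway reach LAN services beyond the ones it needs. The topology, addresses, object names, the toy rule format and the port numbers (tcp/443, udp/53, tcp/389, udp/123) are constructed assumptions; only DNS, LDAP and NTP are modelled, and the WINS, RADIUS and ACE servers the guide also lists would be added to REQUIRED_FLOWS the same way.

```python
"""Least-privilege audit of firewall rules around a Mobile Access gateway in the DMZ.

Added example, not code from the Check Point guide. The topology, the toy rule
format, the object names and the service ports are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORT = 0  # toy convention: destination port 0 means "any port"

# Constructed topology: gateway on a DMZ leg, its dependencies in the LAN.
INTERNET = ANY_NET
DMZ = ip_network("192.0.2.0/24")
GATEWAY = ip_network("192.0.2.10/32")      # Mobile Access gateway, DMZ address
LAN = ip_network("10.0.0.0/8")
DNS_SERVER = ip_network("10.0.0.53/32")
LDAP_SERVER = ip_network("10.0.0.89/32")
NTP_SERVER = ip_network("10.0.0.123/32")

# Flows the deployment guidance requires (assumed default ports). RADIUS, ACE
# or WINS servers would be listed here the same way.
REQUIRED_FLOWS = [
    ("portal HTTPS from Internet", INTERNET, GATEWAY, "tcp", 443),
    ("DNS from gateway", GATEWAY, DNS_SERVER, "udp", 53),
    ("LDAP from gateway", GATEWAY, LDAP_SERVER, "tcp", 389),
    ("NTP from gateway", GATEWAY, NTP_SERVER, "udp", 123),
]
PORTAL_PORTS = {443, 80}   # 80 only for the optional HTTP redirect to the portal


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str          # "tcp", "udp" or "any"
    port: int           # destination port, or ANY_PORT
    action: str         # "accept" or "drop"
    name: str = ""

    def matches(self, src, dst, proto, port):
        """True if every packet of the flow src->dst proto/port hits this rule."""
        return (src.subnet_of(self.src) and dst.subnet_of(self.dst)
                and self.proto in ("any", proto)
                and self.port in (ANY_PORT, port))


def first_match(rules, src, dst, proto, port):
    """First-match semantics; None stands for the implicit cleanup drop."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule
    return None


def is_internet(net):
    """Anything that is neither the DMZ nor the LAN is treated as Internet."""
    return not (net.subnet_of(DMZ) or net.subnet_of(LAN))


def _is_required_lan_service(rule):
    """A gateway->LAN accept rule is fine only if it names one required service."""
    return any(rule.dst.subnet_of(dst) and rule.proto == proto and rule.port == port
               for _, src, dst, proto, port in REQUIRED_FLOWS if src == GATEWAY)


def audit(rules):
    """Return the required flows the rule base blocks and the accept rules that
    let more through than the DMZ design needs."""
    missing = []
    for name, src, dst, proto, port in REQUIRED_FLOWS:
        hit = first_match(rules, src, dst, proto, port)
        if hit is None or hit.action != "accept":
            missing.append(name)
    overbroad = []
    for rule in rules:
        if rule.action != "accept":
            continue
        if is_internet(rule.src):
            if rule.dst.overlaps(LAN):
                overbroad.append(f"{rule.name}: Internet source can reach the LAN directly")
            if rule.dst.overlaps(GATEWAY) and rule.port not in PORTAL_PORTS:
                overbroad.append(f"{rule.name}: Internet source reaches the gateway on a non-portal port")
        elif GATEWAY.subnet_of(rule.src) and rule.dst.overlaps(LAN) and not _is_required_lan_service(rule):
            overbroad.append(f"{rule.name}: gateway can reach LAN services beyond the required set")
    return {"missing": missing, "overbroad": overbroad}


# Constructed rule bases: GOOD_RULES follows the guidance; BAD_RULES lacks the
# LDAP rule and carries two accept rules the audit should flag.
GOOD_RULES = [
    Rule(INTERNET, GATEWAY, "tcp", 443, "accept", "portal-https"),
    Rule(INTERNET, GATEWAY, "tcp", 80, "accept", "portal-http-redirect"),
    Rule(GATEWAY, DNS_SERVER, "udp", 53, "accept", "gw-dns"),
    Rule(GATEWAY, LDAP_SERVER, "tcp", 389, "accept", "gw-ldap"),
    Rule(GATEWAY, NTP_SERVER, "udp", 123, "accept", "gw-ntp"),
    Rule(ANY_NET, ANY_NET, "any", ANY_PORT, "drop", "cleanup"),
]
BAD_RULES = [
    Rule(INTERNET, GATEWAY, "tcp", 443, "accept", "portal-https"),
    Rule(INTERNET, GATEWAY, "tcp", 22, "accept", "gw-ssh-from-anywhere"),
    Rule(GATEWAY, DNS_SERVER, "udp", 53, "accept", "gw-dns"),
    Rule(GATEWAY, NTP_SERVER, "udp", 123, "accept", "gw-ntp"),
    Rule(INTERNET, LAN, "tcp", 3389, "accept", "legacy-rdp-to-lan"),
    Rule(ANY_NET, ANY_NET, "any", ANY_PORT, "drop", "cleanup"),
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit(rules))
```

Run it directly to print both audits. The "bad" rule base shows the two failure patterns worth looking for in a real export: a required flow that falls through to the cleanup rule (LDAP), and accept rules that nothing in the design needs (SSH to the gateway from anywhere, RDP from the Internet into the LAN). The two checks are kept separate on purpose: a single "any to LAN" rule would make every required flow look present while being the finding that matters.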

Posted: 27/06/2014, 20:20
