
Mobile Access - Check Point Software

4 March 2014 Administration Guide Mobile Access R76 Classification: [Protected] 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point . While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR TRADEMARKS: Refer to the Copyright page ( ) for a list of our trademarks.

Revision History Date Description 04 March 2014 Updated Kerberos configuration ("Kerberos Authentication Support" on page 55) Updated Anti-Virus and Anti-malware Blade (on page 136) and added Enabling Traditional Anti-Virus (on page 137) 19 February 2013 First release of this document Feedback


Transcription of Mobile Access - Check Point Software


Refer to the Third Party copyright notices ( ) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent Software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: ( ) To learn more, visit the Check Point Support Center ( ). For more about this release, see the R76 home page ( ).

Revision History
Date: Description
04 March 2014: Updated Kerberos configuration ("Kerberos Authentication Support" on page 55). Updated Anti-Virus and Anti-malware Blade (on page 136) and added Enabling Traditional Anti-Virus (on page 137).
19 February 2013: First release of this document.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments on Mobile Access R76 Administration Guide).

Contents

Important Information
Introduction to Mobile Access
Mobile Access Applications
Mobile Access Management
SSL Network Extender
SSL Network Extender Network
SSL Network Extender Application Mode
Commonly Used Concepts
Authentication
Authorization
Endpoint Compliance Scanner
Secure Workspace
Protection Levels
Mobile Access Security Features
Server Side Security Highlights
Client Side Security Highlights
User Workflow for Mobile Access
Signing
First time Installation of ActiveX and Java Components
Language Selection
Initial Setup
Accessing Applications
Security Gateway Portals
Check Point Remote Access Solutions
Providing Secure Remote
Types of Solutions
Client-Based vs. Clientless
Secure Connectivity and Endpoint Security
Remote Access Solution Comparison
Summary of Remote Access Options
Mobile Access Web Portal
SSL Network Extender
SecuRemote
Check Point Mobile for Windows
Endpoint Security VPN
Endpoint Security VPN for Mac
Endpoint Security Suite
Check Point Mobile for iPhone and iPad
Check Point Mobile VPN for iOS Devices
Check Point Mobile for Android
Check Point GO
Getting Started with Mobile
Recommended Deployments
Simple Deployment
Deployment in the DMZ
Cluster Deployment
SmartDashboard Toolbar
Basic SmartDashboard Configuration
Sample Mobile Access Workflow
Mobile Access Wizard
Setting up the Mobile Access
Configuring Mobile Access Policy
Preparing for Check Point Mobile
Preparing for Mobile VPN
Preparing for Desktop Clients
Applications for Clientless Access
Protection Levels
Using Protection Levels
Defining Protection Levels
Web Applications
Web Applications of a Specific
Configuring Web Applications
Link Translation
Link Translation Domain
Web Application Features
File Shares
File Share Viewers
Configuring File Shares
Using the $$user Variable in File Shares
Citrix Services
Citrix Deployments Modes - Unticketed and Ticketed
Configuring Citrix Services
Web Mail Services
Web Mail Services User
Incoming (IMAP) and Outgoing (SMTP) Mail Servers
Configuring Mail Services
Native Applications
DNS Names
DNS Names and Aliases
Where DNS Name Objects are Used
Defining the DNS Server used by Mobile Access
Configuring DNS Name Objects
Using the Login Name of the Currently Logged in User
Single Sign On
Supported SSO Authentication Protocol
HTTP Based
HTTP Based SSO Limitation
Web Form Based
Application Requirements for Easy Configuration
Web Form Based SSO Limitations
Application and Client Support for SSO
Mobile Access Client Support for SSO
Basic SSO
Basic Configuration of Web Form
Advanced Configuration of SSO
Configuring Advanced Single Sign On
Configuring Login Settings
Advanced Configuration of Web Form SSO
Sign In Success or Failure Detection
Credential Handling
Manually Defining HTTP Post Details
Kerberos Authentication Support
Native Applications for Client-Based Access
Accessing Native Applications
SSL Network Extender
SSL Network Extender Network
SSL Network Extender Application Mode
Configuring VPN
Office Mode
Configuring Office Mode
IP Pool Optional Parameters
Configuring SSL Network Extender Advanced Options
Deployment Options
Encryption
Launch SSL Network Extender Client
Endpoint Application Types
Application Installed on Endpoint Machine
Application Runs Via a Default Browser
Applications Downloaded-from-Gateway
Configuring Authorized Locations per User Group
Ensuring the Link Appears in the End-User Browser
Configuring a Simple Native Application
General Properties
Authorized Locations
Applications on the Endpoint Computer
Completing the Native Application
Configuring an Advanced Native Application
Configuring Connection Direction
Multiple Hosts and Services
Configuring the Endpoint Application to Run Via a Default Browser
Automatically Starting the Application
Making an Application Available in Application Mode
Automatically Running Commands or Scripts
Protection Levels for Native Applications
Defining Protection Levels
Adding Downloaded-from-Gateway Endpoint Applications
Downloaded-from-Gateway Application Requirements
Adding a New Application
Example: Adding a New SSH Application
Example: Adding a New Microsoft Remote Desktop Profile
Configuring Downloaded-from-Gateway Endpoint Applications
Configuring the Telnet Client (Certified Application)
Configuring the SSH Client (Certified Application)
Configuring the TN3270 Client (Certified Application)
Configuring the TN5250 Client (Certified Application)
Configuring the Remote Desktop Client (Add-On Application)
Configuring the PuTTY Client (Add-On Application)
Configuring the Jabber Client (Add-On Application)
Configuring the FTP Client (Add-On Application)
Exchange Mail Applications for Smartphones and
Secure Container Mail Applications
ActiveSync Applications
Policy Requirements for ActiveSync Applications
Mobile Access for Smartphones and Tablets
Overview of Mobile Access for Smartphones and Tablets
Certificate Authentication for Handheld Devices
Managing Client Certificates
Creating Client Certificates
Creating Templates for Certificate Distribution
Managing Mobile Settings
Creating and Editing Mobile Profiles
Passcode Profiles
ESOD Bypass for Mobile Apps

