Configuring CheckPoint Mobile Access Blade

The CheckPoint Mobile Access software blade is an SSL VPN that gives a user’s PC, smartphone or tablet connectivity to the corporate network. Most new CheckPoint appliances (2200, 4000 series, etc.) are licensed with the Mobile Access blade as standard. This post provides information on getting started and configuring the basics.

Configuring Mobile Access

Open SmartDashboard and create a new firewall rule permitting inbound HTTPS to the firewall. NOTE – This rule needs to be above the Stealth rule; otherwise the traffic will be dropped, because the rulebase is evaluated top-down and the Stealth rule drops all traffic addressed to the gateway itself.

Modify the properties of the firewall object and select “Mobile Access”

The “Mobile Access Configuration” wizard should automatically appear

Tick “Web Portal” and untick “Smartphone Application”, click Next

Define the “Portal URL”, click Next

For testing, select “Demo application: World Clock….” and click Next

Create a new connection to Active Directory or select an existing connection, click Connect

Once a connection is successfully established, click Next

Select an Active Directory group or user from the existing users, click Next, then Finish

From SmartDashboard select the “Users” tab and browse the directory structure to confirm connectivity

Once confirmed, install the Policy
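The note about rule ordering above is the one step in this procedure that silently breaks the portal if it is missed. The following is an added example, not code from the original post or from CheckPoint: a small first-match rulebase evaluator with a shadowing check, using constructed rules and the post’s example gateway address, that shows the HTTPS rule being dropped by the Stealth rule when it sits below it.

```python
# Added example, not from the original post: a first-match rulebase evaluator and a
# shadowing check showing why the inbound HTTPS rule must sit above the Stealth rule.
import ipaddress
from dataclasses import dataclass

GATEWAY = "10.10.10.1"  # constructed; matches the example portal address in the post

def _in(spec, addr):  # does address `addr` fall inside the CIDR (or "Any") `spec`?
    return spec == "Any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _subsumes(spec, other):  # does every address in `other` also fall inside `spec`?
    if spec == "Any" or other == "Any":
        return spec == "Any"
    return ipaddress.ip_network(other, strict=False).subnet_of(ipaddress.ip_network(spec, strict=False))

@dataclass
class Rule:
    name: str
    src: str      # CIDR or "Any"
    dst: str      # CIDR or "Any"
    service: str  # e.g. "https", or "any"
    action: str   # "accept" or "drop"

    def matches(self, src, dst, service):
        return _in(self.src, src) and _in(self.dst, dst) and self.service in ("any", service)

    def covers(self, other):
        """True if every packet matching `other` would already have matched this rule."""
        return (_subsumes(self.src, other.src) and _subsumes(self.dst, other.dst)
                and self.service in ("any", other.service))

def evaluate(rulebase, src, dst, service):
    """First-match semantics: the first matching rule decides; otherwise implicit drop."""
    for rule in rulebase:
        if rule.matches(src, dst, service):
            return rule.name, rule.action
    return "implicit-cleanup", "drop"

def shadowed(rulebase):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rulebase) if any(e.covers(r) for e in rulebase[:i])]

# Constructed rules: the Stealth rule drops everything aimed at the gateway itself.
STEALTH = Rule("Stealth", "Any", GATEWAY + "/32", "any", "drop")
PORTAL = Rule("Mobile Access HTTPS", "Any", GATEWAY + "/32", "https", "accept")
CORRECT = [PORTAL, STEALTH]  # portal rule above Stealth, as the post requires
WRONG = [STEALTH, PORTAL]    # Stealth first: the HTTPS rule is shadowed and the portal is unreachable
```

Running `shadowed()` over a rulebase is a quick sanity check to perform before installing the Policy: any rule it names will never match.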

Configuring a link to a Remote Desktop Connection

In SmartDashboard click the “Mobile Access” tab

Expand “Applications”, click “Native Applications” and click “New”

Provide a descriptive name e.g. “Remote_Desktop”

Click “Authorised Locations”

Select “Simple” and define the host/address range object and service to which access will be permitted

Click “Endpoint Applications”

Tick “Add a link…..” and select “Advanced” and edit

Tick “Add a link….” and enter a description for the “Link text”

Click “Downloaded from Mobile Access” and select “Remote Desktop client (add-on application)” from the drop-down box

Define the parameters as the IP address of the PC/server. Click OK

Click Policy and create a new rule

Select the user as “Administrator” and the application as the RDP object previously created

Install the Policy on the firewall

Testing from a client computer

From a workstation open Internet Explorer and enter the “Portal URL” defined previously, e.g. https://10.10.10.1/sslvpn

Enter a valid username of a standard user who is a member of the “VPN_Access” domain group

If successful, you will be presented with a web application link to the World Clock

Sign out and sign in again as an administrator

The Administrator has permission to access the “Remote_Desktop” application, so a link will appear under “Native Applications”

Click Connect (the first connection will prompt to install the relevant components)

Once successfully connected, the pop-up box will display the link to the RDP session previously created.

This covers the very basics of configuring Mobile Access; there are far more options that could be explored in further posts.
