topic Re: Mobile Access - restrict SNX with role based access in SASE and Remote Access

Mobile Access - restrict SNX with role based access

NorthernNetGuy — Wed, 31 May 2023 16:13:18 GMT

Hello,

I have our Mobile Access portal up and running, and I'm trying to restrict the SNX/Native Application portion to only users belonging to specific AD groups, and published web applications to others.

Right now, anyone with portal access also has Native Application/SNX access. I believe this is an issue with the way our Policy is configured.

If I wanted to restrict the Native Applications menu to only users with a specific AD role, what would that policy line look like?

here's a basic example of some CN's for what I'd want each group to access:

I've been looking at CP_R81_MobileAccess_AdminGuide.pdf for guidance, and can restrict web Apps, but not the native apps.

Re: Mobile Access - restrict SNX with role based access

the_rock — Wed, 31 May 2023 18:37:26 GMT

Does it not give you option below in the rule?

Andy

Re: Mobile Access - restrict SNX with role based access

NorthernNetGuy — Wed, 31 May 2023 18:40:48 GMT

Ah I should have specified that I'm using the unified access policy (and r81.20)

Re: Mobile Access - restrict SNX with role based access

the_rock — Wed, 31 May 2023 18:48:46 GMT

A kk : - ). Let me test it in the lab and see. I also have R81.20

Andy

Re: Mobile Access - restrict SNX with role based access

NorthernNetGuy — Wed, 31 May 2023 18:59:28 GMT

Here's a screenshot of what the policy looks like that might help with identifying my issue. I've added in rule 10-12 to try and expand the portal usage, while rule 13-14 was created by our checkpoint PS during initial deployment.

My main goal is to just remove the "connect" button, or the entire native apps section, for users that don't require it.

Thanks for the help!

Re: Mobile Access - restrict SNX with role based access

the_rock — Wed, 31 May 2023 19:06:47 GMT

Would you mind sharing whats in that group under services in rule 12.1 and 12.2, specifically one that ends with -RDP? I ask because based on what you mentioned, appears rule 12.1 has been hit 1M times and 12.2 only 174 times, just not sure in what time period though.

Andy

Re: Mobile Access - restrict SNX with role based access

NorthernNetGuy — Wed, 31 May 2023 19:14:48 GMT

Ah... They reference different AD roles, however they also reference the same remote access client profile:

Re: Mobile Access - restrict SNX with role based access

the_rock — Wed, 31 May 2023 19:22:46 GMT

Sorry, I meant under services/applications column, not access role. I want to see if it works in my lab. Please blur out any sensitive info.

Andy

Re: Mobile Access - restrict SNX with role based access

Wolfgang — Wed, 31 May 2023 19:29:50 GMT

@NorthernNetGuy this is normal behaviour with unified policy and mentioned in Limitations for Mobile Access in the Unified Policy

„The Native Applications Connect button always shows in the Mobile Access Portal when SSL Network Extender is enabled“

You can restrict the access but the button will be always there.

Using the „old“ way with MobileAccess policy in SmartDashboard you can make the connect button invisible to users without rights to access. But then you loose the better features of the unified policy.

Re: Mobile Access - restrict SNX with role based access

NorthernNetGuy — Wed, 31 May 2023 19:30:08 GMT

Ah that's my fault for not reading correctly!

12.1 is an internaly hsoted web application that acts as an RDP proxy:

12.2 launches the clients mstsc

I've found that even if the user isn't in the AD group for 12.2, they still see the native application/connect button, just not quick launch link of the mstsc

Re: Mobile Access - restrict SNX with role based access

the_rock — Wed, 31 May 2023 19:32:38 GMT

I was literally about to send you the same link @Wolfgang found, but he "beat" me to it : - )

I suppose it would be a limitation based on that paragraph.

Andy

Re: Mobile Access - restrict SNX with role based access

NorthernNetGuy — Wed, 31 May 2023 19:40:07 GMT

Well that is unfortunate. It would make a big difference in clarifying things for my users, and making the portal more flexible.

I feel like this should be a reasonable feature request, so I suppose that will be in my next steps.

In the mean time, other that needing to manage the legacy portal from the smartview, am I going to lose much by going to the legacy policy?

Re: Mobile Access - restrict SNX with role based access

the_rock — Wed, 31 May 2023 19:44:39 GMT

In the words of CP Sales person who talked about this recently on a call, best way to put is that unified MA policy is way more scalable than legacy. I totally get that point.

Re: Mobile Access - restrict SNX with role based access

the_rock — Wed, 31 May 2023 20:59:31 GMT

I think its pretty much same link @Wolfgang provided

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_MobileAccess_AdminGuide/Topics-MABG/Mobile-Access-and-Unified-Access-Policy.htm