Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Champion
Champion

What is wrong with Mobile Access in R80.10?

Well, third day deep diving into Mobile Access blade on R80.10 and here are the findings so far:

1. Mobile Portal does not work as intended. From Windows 10:

a. no native applications could be launched as SNX does not work using either Active-X or Java (at least on Windows 10 Pro).

b. no custom web applications appear in the portal as well, regardless of where they were defined in.

2. Multiple notification errors during policy installation or failure to install policy:

a. When GW rules are removed from the Mobile tab in SmartDashboard, still seeing:

b. When mobile blade is removed from the gateway and the rule referring to it adjusted by replacing the gateway with "Installation Targets", still seeing this:

3. Mobile blade FTW, displays "Check Point Mobile for Windows" as one of the options for Desktop Clients, while Capsule VPN is only associated with "Mobile Devices":

Endless re-naming of and re-purposing the names for different types of clients is mind boggling.

Any suggestions on how to make SSL VPN accessible, manageable and the portal to work as intended, regardless the version of the OS, browser etc.., preferably notifying users about any incompatibility issues and describing workarounds interactively?  

42 Replies
Highlighted
Admin
Admin

LOL at Lies, Damn Lies, and Statistics in your rule Smiley Happy

Part of the reason CheckMates exists is to give R&D direct feedback on what needs improvement.

Clearly there are a few areas for improvement highlighted in this thread.

Highlighted

Yeah. This is the one area where Checkpoint really needs improvement as lots of dependency based on OS & versions. I have spent lot of time, SSL Network extender is working with IE but not working with any other browser.

0 Kudos
Reply
Highlighted
Contributor

Hi Vladimir,

I've been using Mobile Access R80.10, Unified mode on a customer and no worries with it so far.

The warning message about Legacy conflict it's a bug as it was mentioned above, but just for kicks I've setup a Mobile Web Application to add and show in the portal, easy actually.

Web App

I used Firefox to test, version 58.0.2

I'm also able to user SNX with no issues, Java version (build 1.8.0_161-b12), *update, didn't had issues on the first time wich installed the SNX in the process, but it's not loading anymore now, maybe because we need the new deployment like it was mentioned above. 

Still not running with latest recommended JHF_70

I'm very excited with Unification process and R80.10 Mobile Access Blade as proven successful and actually easier to understand/read, but the way to setup is indeed different from Legacy, Access User Roles vs Users Groups, no more native applications with annoying Address-Range in place of the NetworkObjects and Services, everything is put exactly as a firewall access rule.

Best regards,

Carlos

Carlos Santos
0 Kudos
Reply
Highlighted
Champion
Champion

I just found sk123037 After upgrade to R80.10, SNX authentication with certificate is failing - this looks like one of the issue i have read about here...

0 Kudos
Reply
Highlighted
Champion
Champion

It is not, but we can add it to the pile:)

0 Kudos
Reply
Highlighted
Contributor

Was any of above issues corrected in R80.20 HFA10 ?

Because I am still encountering them in a lab environment with R80.20 HFA10 clean install...not upgraded.

0 Kudos
Reply
Highlighted
Champion
Champion

Sal,

I did not yet get a chance to try it on R80.20, but will be happy if someone with the more recent experiences could share those here.

0 Kudos
Reply
Highlighted
Explorer

Any update on this? My Web applications are also not published on the portal.

Tried all the options but nothing works?

0 Kudos
Reply
Highlighted
Contributor

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Fixes the applications not showing up but it seem to publish to all users bypassing policy in mobile access...in my case want to publish only certain Apps to specific users...working on this issue to see if I can find a solution for it.

Another issue I have found is that some web web pages not rendering correctly and it may be due to CP Mobile FNB.js that is displaying in the same area....I wish there was some way to move it out of the way,

Highlighted
Contributor

Fixed publishing certain Apps to specific  users....thanks to Checkpoint support.

Had to remove all rules defined  in Dashboard Mobile Access, which is the "Legacy thingy" in a NON-unified policy.

Created similar rules in the UNIFIED policy....in the VPN access section with source "access control" objects defining specific users or AD users group....now users have access to APPS defined in the Service and Application portion of the  rule.

Still working on Web pages rendering incorrectly....in Link translation Methods....Have tried  Path Translation and URL translation without success.

Last thing to try HOSTNAME translation (must be supported by gateway)

0 Kudos
Reply
Highlighted
Participant

Hi Sal_Previtera,

I've the same issue of you, that you have just resolved.

Where I am wrong:

image.png

 

 

 

Parent Inline Layer 47: VPN_TERVI inline layer - only Mobile Access Blade 

AR_ANY_VPN_CLIENT_TEST: any network/any users/any machine/all specific Remote Client

Inline layer rules:

AR_USER_CAMBROSINI: any network/SPECIFIC USER/any machine/only MOBILE ACCESS PORTAL

AR_GG_TEST: any network/SPECIFIC USER/any machine/only MOBILE ACCESS PORTAL

AR_WEBPORTAL_CLIENT: any network/any users/any machine/only MOBILE ACCESS PORTAL

If I loged in with a specif user: AR_GG_TEST

I can see all the WEB APLLICATION, and not only the WorldClock

image.png

image.png

 

0 Kudos
Reply
Highlighted
Participant

Ok, solved. There was a missconfiguration in the Authentication method on the Mobile Access blade in the ClusterGateway. Now the Access Roles have the correct Users/Groups. Bye
0 Kudos
Reply
Highlighted
Contributor

Incorrect Rendering of pages was corrected by defining as Native application, in short web pages are hosted by the server directly instead of being proxy-ed.

Again thanks to Checkpoint support.

0 Kudos
Reply