Well, third day deep diving into Mobile Access blade on R80.10 and here are the findings so far:
1. Mobile Portal does not work as intended. From Windows 10:
a. no native applications could be launched as SNX does not work using either Active-X or Java (at least on Windows 10 Pro).
b. no custom web applications appear in the portal as well, regardless of where they were defined in.
2. Multiple notification errors during policy installation or failure to install policy:
a. When GW rules are removed from the Mobile tab in SmartDashboard, still seeing:
b. When mobile blade is removed from the gateway and the rule referring to it adjusted by replacing the gateway with "Installation Targets", still seeing this:
3. Mobile blade FTW, displays "Check Point Mobile for Windows" as one of the options for Desktop Clients, while Capsule VPN is only associated with "Mobile Devices":
Endless re-naming of and re-purposing the names for different types of clients is mind boggling.
Any suggestions on how to make SSL VPN accessible, manageable and the portal to work as intended, regardless the version of the OS, browser etc.., preferably notifying users about any incompatibility issues and describing workarounds interactively?
Continuation of the previous post.
In a spirit of patience and perseverance, I've decided to take a look at the Jumbo HFA_Take70, that seem to contain the update for the Mobile Access blade:
With it deployed and caches of the browsers cleared, we are no further than we were: same missing mobile apps in the portal, same failure to install the SNX on the Windows 10, same missing compatibility notifications.
Following the breadcrumbs of SKs, links and redirects, arriving at this hotfix:
It being four months older than the Take 70, I would hope to see it included, but alas, it was not.
So with the hotfix installed, hope rekindled anew, going through the process again:
Now, when attempting to execute downloaded Mobile Access Deployment Agent:
And... that's it. We are greeted with all too familiar:
The hotfix has mentioned Chrome, so let's give it a try:
Upon clicking "Connect", we are prompted with:
After we are agreeing to "Trust server":
With "Continue Anyway" clicked:
And "Yes" and...:
No 
Needless to say, I've parked the planned demo for the client until some light could be shed on this uncooperative feature.
Your input is, as always, welcome.
Hi Vladimir,
I agree that so much customization is required on client machine for Mobile access SSL VPN. I have recently installed for one of customer. I had also issue with Windows 10 Laptop but here we have R77.30. Please install deployment version 7.01.0000, may be it will resolve the issue.
For more information refer below.
https://community.checkpoint.com/docs/DOC-2613-ssl-vpn-network-extender-issue
No dice:
This is the version that is installed on Windows 10. From Control Panel/Apps and Features:
When attempting to run the slimsvc.exe executable on Windows from "C:\Program Files (x86)\CheckPoint\SSL Network Extender", it is failing with redirect to:
I have spent much of today on the same mission as you: converting an R77.30 Mobile Blade policy to an R80.10 unified policy. Overall it went well, all VPN rules are migrated and this site now has the blissful situation of a list of rules, in one policy, using access roles, mixing radius, AD and local Check Point user groups and controlling which clients (SSL extender, Endpoint, mobile etc. as part of the role in the rule. We were particularly pleased to be able to define destinations and applications all in the access rule-base and to be able to use network objects rather than the 'IP ranges' that one was forced to define in the now very legacy mobile blade. Introducing all of this to a new end user administrator now make so much more sense, it really was a ridiculous situation we have been in for the last 5 or 6 years!
My next bit of fun will be to look at the mix of Identity Awareness, generic*, 3rd party radius, local groups and LDAP groups to see if the exciting new Multiple Authentication Clients Settings (there may be a need for an apostrophe or one fewer plural in that window title) can enable me to provide a more coherent authentication offering to the users.
Now, for their next trick, Check Point MUST MUST MUST deal with the ridiculous client-sprawl, crazy nomenclature and licencing hell to which you allude in your original post!
At this point there are two issues that we share:
1. All legacy mobile rules have been removed, yet I still get this on policy install just like yours:
I've been scouting about for anything in KB articles, documentation and here but I have found nothing about this. I am thinking that I'd like to remove the 'shared policy' entirely but a few docs have hinted that there are still Mobile Policy elements configured in the 'legacy' policy - that said, I cannot find out which or what!
2. Where do all the published applications go? Silicon Heaven perhaps?
In this case the screenshot is taken on a Windows 7 client using Internet Explorer.
So, any Chrome, Firefox, Windows 10 or Java concerns are moot at this point (IMHO).
Just in case anyone who is about to do this job is reading this and having a go without reading the documentation in detail the key to making the switch-over is this setting in the gateway (cluster) object:
For the record, this is my favorite new element of this, and worth all the pain...
All of the client types are available in here and we can simply pick nd choose which any given role (thus rule) will use - brilliant and not before time!
1. All legacy mobile rules have been removed, yet I still get this on policy install just like yours:
I've been scouting about for anything in KB articles, documentation and here but I have found nothing about this. I am thinking that I'd like to remove the 'shared policy' entirely but a few docs have hinted that there are still Mobile Policy elements configured in the 'legacy' policy - that said, I cannot find out which or what!
This is a UX bug, as was noted previously in this thread.
For the record, this is my favorite new element of this, and worth all the pain...
All of the client types are available in here and we can simply pick nd choose which any given role (thus rule) will use - brilliant and not before time!
Got to say, I was not aware of this one.
That said, it's been the SecuRemote days (pre Connectra/Mobile Access Blade) since I spent any serious time with the Remote Access features.
And agree: nice feature 
Yep, this feature is certainly nice. It would've been nicer if the Mobile Portal would've actually listed published applications
Can you, maybe, give a swift hmm.. poke to the R&D team responsible for it?
If it's any consolation, I'm now digging into this, trying to set it up.
I'm kind of at the same point: I can't get apps to show up in the Web Portal either.
One question: do you have explicit rules in your policy allowing access to these web apps?
i.e. something like:
Hi Vladimir Yakovlev and Dameon Welch Abernathy,
Please check section "Best Practices for Rule Order" in Mobile Access Admin Guide:
"In the Unified Access Control Policy, put Mobile Access rules that authorize applications above rules that contain a related service. For example, put a rule to allow a web application above a rule that allows or blocks HTTP/HTTPS. If the HTTP/HTTPS rule is first, the user will not see the Mobile Access Web application in the portal or in Capsule Workspace and will not be able to access it.
For example, this Rule Base allows Outlook Web Access (OWA), a web-based Mobile Access application. It also allows HTTPS traffic.
Correct way to allow the HTTPS service and also Mobile Access HTTPS applications:
Rule 2.1, that allows access to Mobile Access applications, including Outlook Web Access (OWA) on HTTPS, is above rule 3, which allows all HTTPS traffic.
If you put rule 3 to allow HTTPS above the Mobile Access rules, the user will not see the OWA Web application in the portal or in Capsule Workspace and will not be able to access it. To authorize a Mobile Access application, you must use a Mobile Access application in the Services & Applications column.
You can use HTTPS in the parent rule of the Mobile Access Inline Layer, but specify the Mobile Access application inside the Inline Layer. That way, the HTTPS traffic for OWA, for example, will match on the HTTPS rule, and will also match on the OWA App inside the Inline Layer. "
Also from the "Limitations for Mobile Access in the Unified Policy" section:
"If users do not meet the defined Protection Level requirements for an application, the application does not show for them. This is true in the Mobile Access portal and Capsule Workspace. (In the Legacy Mobile Access policy, the applications show but are disabled)."
I hope this may help you
Alexander Sazonov
EA
So this raises a question.
In my application, I have set the Security Requirements to be "This application relies on the security requirements of the gateway."
Which I assume means "if I can access the Web Portal, I can access this application."
I've also moved my rules up to the very top of the rulebase and there are rules below that would permit the traffic from the gateway to the destination server:
Funny enough, the SMB entry shows on the portal, but doesn't work because my Samba server isn't configured to allow NTLMv1 logins
Only the "Jekyll" web application doesn't show.
How can I debug this?
Alexander,
Thank you for bringing the sequencing to my attention.
I've tried following the steps described in the "Best Practice for Rule Order" document and, as Dameon did, build the policy from scratch placing pertinent rules on top:
Two apps that did show-up in the portal are the webapps configured with pointers to DNS names of the targets:
The one that is missing, was pointed to a dummy host object:
So, for now, the situation as I see it:
1. We cannot verify validity of the applications when creating them
2. We cannot verify validity of the MAB rules
3. There is a difference in treatment of DNS-based targets and Object-based targets
4. We cannot see "Native" applications in the portal, because we cannot launch SNX from Windows 10 (at least)
5. There is no mechanism in the portal that allow distribution of other (may be pre-configured) endpoint VPN clients
Dameon, can you tell me if you got any further with your tests?
Gaurav,
Thank you for the suggestions.
Unfortunately, portal customization is limited to the addition of the logo and the title:
The "Alternative Portal" option seemingly looks better, but it is limited to User Groups, rather than Client Types:
And the "Endpoint Security On Demand" does not contain Windows 10 as one of the OS options:
You may be onto something here, since we can try checking the registry keys for OS version, but while you can display the link to "remediation URL", you are not forcing the redirect to a different version of portal.
It is possible that I am missing something and, if you can post the details of how to achieve the desired effects, I will be grateful.
Regards,
Vladimir
Asaf,
Thank you for your reply.
According to the Check Point Remote Access Solutions , SNX is NOT listed as one of the options available for Windows 10:
* Firefox and Chrome compatibility – In order to use SNX from the SSLVPN portal, via Firefox and Chrome, one indeed must install the Mobile Access Deployment Agent HF.
Due to the scope of functionality introduced in this HF, it was not yet integrated to the Jumbo releases, we have concrete plans for this, but it will take a bit more time.
I've seen the Mobile Access Deployment Agent HF installing in Chrome, but not in Firefox.
* Web applications are not published in the SSLVPN portal: The way it works is, that the portal will show only applications the logged in user is authorized to. This means that after you defined the web application, you need to define a rule in the Mobile Access policy, which allows the application to the user.
In the Legacy Policy, navigate to the Policy tab and place a rule with a user group containing the intended user, and then in the same rule place the intended we application you want to publish for that user.
If you choose to use the Unified Policy, this is similar, just used an Access Role object (instead of a plan user group) as the source and place the application in the Applications column.
These are the rules in the lab I am working with:
The AccessRoleAnyClients object is configured: Any Network, Any User, Any Client.
The WebPortalClients object is configured: Any Network, Any User, WebPortalClients:
I understand that the combined brain power of the end users and TAC can make this work (eventually), the idea is to have the R&D process steered towards delivering something more streamlined than what we currently have.
Regards,
Vladimir
| User | Count |
|---|---|
| 7 | |
| 6 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 2 | |
| 2 |
Tue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 12 Nov 2024 @ 11:00 AM (EST)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (AMERICAS)Tue 12 Nov 2024 @ 02:00 PM (EST)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - AmericasTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 12 Nov 2024 @ 11:00 AM (EST)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (AMERICAS)Tue 12 Nov 2024 @ 02:00 PM (EST)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - AmericasWed 20 Nov 2024 @ 05:00 PM (CET)
Under the Hood: DO NOT Renew your WAF without watching THIS!!Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaSThu 21 Nov 2024 @ 02:00 PM (MST)
Denver North: Infinity External Risk Management and Harmony SaaSTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management Workshop
