EA program for the new Mobile Access portal

Can you expand on "Redesigned scan results"

Hey, 

this sounds great!
What is required on the client side, as you mentioned "Full support of mainstream browsers on all major platforms"?
Is Java still required or is it working without Java? So without Java the Java NPAPI Hotfix is also no longer required?

best regards

Thomas

Even with the MABDA hotfix (integrated into R80.40), we don't use NPAPI anymore.
However, Java is still used to deploy ESOD and/or SNX components.
Not sure if the EA gets rid of this requirement or not.

Previously, it was possible to see detailed ESOD Scanner report for a single category only. In the new portal we applied the "collapsible rows" pattern. And now the whole report is shown at one screen to provide you full picture why you are not compliant.

is it a new portal customization or it will combine a different approach to RemoteAccess solution with new features?

In other words I'm waiting a native integration with MFA cloud solution like Microsoft MFA o Google MFA.

I know I can achieve my dream changing parameter in GuiDBedit and so on, but I think it isn't a good solution.

I know my consideration sounds something wrong in this topic, but nowadays strong MFA solution is a requirement for security and a new portal without a new authentication method won't be appreciated from customers

The new design looks great, good job!

Is it now possbile to access a folder on the file share which has the name "Home"? This isn't possbile in the current mobile access portal unter files.

SNX works without Java on the client for Windows machines?

Gianluca_Giorda,

Using cloud identity provider is not just Mobile Access portal feature. This is infrastructural feature that can be used in different blades where authentication is required (IDA, MAB, etc.) The ability to communicate with external SAML Identity Providers (e.g. Okta, Ping Identity, Azure) via SAML protocol and grant user access according to the SAML assertion  has been added in R80.40. 

christopher,

Java is still required in order to launch any of on-demand client technologies (SSL Network Extender, Compliance Scan and Secure Workspace).  More information in sk113410.

Are there any news with the file share application?

Is it now possible to download more then one file at a time ?

Will there be support for Microsoft DFS ?

Wolfgang

I would think that adding SMBv2/v3 support with the newer Linux kernel would make that possible in R80.40, though I haven't tried it myself.

I apologize it this is a basic question, but can you elaborate on how this new Mobile Access Portal technology is different from the specifications defined in article sk113410 ?

Is the relevant hotfix already included in the Ongoing Take 38 for R80.40 ? 

Best regards, 

The hotfix mentioned in sk113410 is integrated into the R80.40 release without a JHF installed @Gilles_Lerat 

Anyone go ahead and use this? How's the migration process? Stability? 

I received the hotfix, but with no information to do the installation/migration. (cvpn_HOTFIX_R80_40_MABUI_HF_MAIN_GA_FULL.tgz)
I am in version R80.40 take 48 (cluster HA)

best regards,

Telion,

Unfortunately, the mentioned hotfix (cvpn_HOTFIX_R80_40_MABUI_HF_MAIN_GA_FULL.tgz) is not compatible with the R80.40 Jumbo 48. We are working on it. I'll provide links as soon as it is ready.

Hotfix installation is the same as other hotfixes installation. You just need to import the hotfix file using CPUSE. There is a comprehensive  SK92449 about CPUSE  . Please follow the instructions from (4-A-c) chapter.

I would like to inform that we’ve updated hotfixes with new Mobile Access Portal UI. Now they support installation on top of current GA Jumbos: R80.30 Jumbo take 196 and R80.40 Jumbo take 48.

Additionally we are announcing the Simplified Customization feature. Now it is very easily to change look&feel of Mobile Access portals to align it with brand identity of a partner or customer. Please contact me (@MaksimBahunou) or @AndreiR to get the instructions and a demo of customization package.

hello,

can we use the reCAPTCHA on the login page in R80.40?

thanks,

@MaksimBahunou  - can you expand on your comment on SAML support?  When I search SupportCenter for SAML, the only references I get are old ones for CloudConnector or the new CloudGuard SaaS.  There are no results returned for the gateway.

Further, attempting to use a web application that does use SAML through MAB doesn't work due to the way redirects are handled in Check Point.  At least not with Okta.  The modifications that CP attempts to make to the Okta JavaScript cause it to fail internal integrity checks and refuse to load in the browser.  The only way I've found to get them to work reliably is as a native application with SNX.

heath

👍

@Heath_H this is covered in the R80.40 Identity Awareness guide.
It's just another identity source that can be used.  https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_IdentityAwareness_AdminGuide...

@Gokhan_Pala 

Yes, reCAPTCHA is supported in R80.40. Please find the setup instructions in Mobile Access Admin guide, User Authentication chapter (https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_MobileAccess_AdminGuide/Cont...)

I tried to PM @MaksimBahunou, but got a message that I had hit my limit on PMs (maybe 6 in 2 weeks... ), so here are some things I've found in my testing:

1) The Disconnect for SNX doesn't refresh the browser, so you have no confirmation that it's actually disconnected until you manually refresh the browser.

2) I was unable to connect to SNX using Chrome on Win10 1903.  The ESOD ran fine and reported the results in the logs, but SNX never connects.  The progress bar goes across once or twice and then it goes back to the original screen with Connect button.  There is a weird error in the logs, with the following in the log:

version:"5"; access_status:"Denied"; cvpn_category:"SSL Network Extender"; description:"SNX connection failed"; product:"Connectra"; reason:"Error in disconnecting user"; reject_id:"01d3015b-647140-343c7a0a";

3) When connected to SNX (Chrome on macOS 10.15.5), it doesn't show the links that are configured for native applications.  It just has the message about having access to my usual applications.

4) I have 2 native applications.  One that I called "Full VPN" that has multiple IP ranges in the allowed list for all services, but requires a stricter ESOD compliance level and one that just has access to a couple IP addresses with a lesser compliance level.  When I connect with the Mac, it only complies with the lesser compliance level, as expected, and I see the correct logs for what checks failed, but the SNX agent still creates the routes for the Full VPN application subnets causing the machine to lose network connectivity because the firewall will block all traffic other than to the 2 IP addresses that are allowed.  This includes DNS (Office Mode is configured).  I understand the DNS setting, but why is it creating the static routes for the address ranges in the native application that the client isn't authorized to use?

netstat -rn| more | grep utun5
10                 172.16.10.1        UGSc         utun5       
15.182.250.105     172.16.10.1        UGHS         utun5       
63.169.21.68/31    172.16.10.1        UGSc         utun5       
168.189            172.16.10.1        UGSc         utun5       
172.16.10.1        172.16.10.2        UH           utun5       
192.168.250.250/31 172.16.10.1        UGSc         utun5  

---- Update -----

Additional information for the failure of SNX to launch on Win10, in the System event log:

Product: Check Point SSL Network Extender Service -- You do not have sufficient privileges to complete this installation.  Log on as an administrator and then retry this installation.

Does the Mobile Access Deployment Agent require that it be installed with local admin rights on the machine?  When I installed it with admin rights, I constantly get a pop-up in Chrome during the Enpoint Compliance Scanner process stating "You are disconnected, please login again.".  I haven't even logged into the MAB portal at this point. If I click Ok, it pops up again about 5 times in total before finally giving me a error message in the browser of:

Check Point Mobile Access Portal Agent internal error (code 70)

Hi @Heath_H 

Thank you a lot for such detailed and deep feedback. After we investigate all issues and I'll contact you.

Is there an updated UI hotfix for the latest Jumbo (Take 67)?  What are the plans for integration of the UI updates in a future JHF?

Hi @Heath_H,

Unfortunately, the hotfix with the New Portal does not support Jumbo 67. Since this is not GA content, we do not port it on top of new Jumbos unless there is strong justification for that. Please provide the motivation for the portfix. I will check when it can be done.

Other than the ability for me to continue testing any fixes you may develop for the issues I reported, I have no strong justification.  I upgraded my lab environment to Take 67 to validate if an issue I'm facing with IdP and Access Roles was still present (sadly, it still is) and to keep it in sync with the planned version we will be deploying to our production gateways over the next month or so.

Hi,

I would like to sign up for this EA, from where can I download the hotfix please? 

Also, is this still available on R80.40 Jumbo take 48 only?

@MaksimBahunou 
Hello we are interested in testing the new customization features. We run R80.40 Take 77.

Is there a possibility ? Any ETA on the final release ?

Hi @Linus 

The New Mobile Access portal is going to be released as a part of upcoming R81. The hotfix for R80.40 is still in EA state. 

So there have been no iterations on the UI updates to address any of the issues pointed out by the EA testers (like myself)?

That's a bit unusual for a EA/beta program... to only have one release before it goes to GA.

We're still struggling to get to R80.40, R81 is out of the question for us at this time.  Maybe this time next year, when it's been out and stable(ish) for a good while.

h

I don't know if we are planning to actually release this on top of R80.40.
I know making it available on top of R80.40 was an interim step to get some feedback before the public EA of R81.
R81 has definitely had more than one EA release (not all public).

@Sergio_Mateos Not sure we will release this additional versions of this hotfix now that R81 is released.
Your best bet is to upgrade.