Hi All,
In the last two months, we heard from many customers that they have employees who need easy RDP access (clientless) to on-premise workstations, and configuring Guacamole is a pain in the ass (the Active Directory schema needs to be extended, performance issues and many other issues).
So, we have integrated most of it into the Mobile Access blade, and the only external component that is required is the guacd daemon, which takes care of translating between the RDP protocol and the Guacamole protocol. This part can be deployed very easily.
Watch the movie to see the user experience and the configuration steps.
If you want to take part in this EA just drop me a message.
The feature is supported on R81 VSX too.
Hi Shay,
I have a customer who is interested in this (in fact, I think I will have a couple).
Please PM me to get started.
Thanks
Hi,
Looks nice, however it is for R80.30 with 2.6 and I was expecting it would be for R80.40 or at least a gateway with the new kernel...
If login to the portal uses a different password (MFA, certificate, etc.) and AD credentials are being used for RDP, then upon changing the AD password, is MAB going to prompt to enter the new password?
Will the EA be coming to 80.40? We're currently running 80.10 and planning to upgrade to 80.40, completely skipping 80.30.
Also, will the setup get simplified? For example, the ability to run guacd on the gateway directly vs needing another Linux server?
If we decide to port the HF to the GA, the configuration would be done from the SmartConsole.
The guacd would still need to run as an external container.
Hi,
1. The first time the user clicks the RDP link, he is going to be asked if he wants to reuse the credentials he used to log in to the MAB portal or to provide different credentials, which would also be saved.
You can see this behavior at the end of the video.
2. As this HF is currently an EA and we are evaluating customer satisfaction, we have developed it to support only R80.30 with Kernel 2.6 and Jumbo 155.
Based on the feedback and the number of requests we get, we will decide whether to put effort into porting this HF to the GA version.
Your request has been counted 🙂
Hi Shay, I'm trying to find out if this has moved into a supported mode in R81 or has been dropped. I have a customer case where this would solve the problems they are having.
It is included in the R81 Mobile Access admin guide.
It was confirmed during one webinar that this feature is now GA in R81.
Hi Shay,
Per our discussion, here are the questions that I have about this:
I do have some questions that I wanted to ask of you/developers.
Any feedback would be appreciated.
1. MAB can be configured to authenticate users against Azure AD; it is supported from R80.40.
2. In MAB, browsing directly to a portal link uses the clientless option, while clicking the 'Connect' button invokes SNX.
Clicking on a link within SNX's category initiates a layer-3 VPN connection.
3. Currently we don't have any sizing information for Guacamole. (If you deploy it on a public cloud, the solution is to use autoscale/VMSS/MIG.)
4. SMS OTP ('DynamicID') is supported by MAB. The other two methods aren't directly integrated with MAB's portal, but MAB may support them if they can be configured as a standard authentication server with multi-challenge authentication.
5. MAB's Guacamole support is fully integrated into R81 GA.
Hi Shay, thank you for the responses. It helps out with the implementation that I'm working on.
As part of this, I'm wondering about the configuration of the web application object itself (by the way, the very light blue header with white text makes it hard to read what it is).
In the authorized locations portion, multiple servers can be selected, which could be very useful depending on configuration.
The question then becomes: how do you specify the IP address for the multiple servers in the "Link in Portal" portion?
http://guacamole?host=*.*.*.*&port=22 ?
Appreciate some feedback on this.
As for any other application type (esp. Web applications), the management doesn't support setting multiple favorites.
End-users can set favorites for themselves if they'd like to.
If the goal is setting up a different machine for each user, which also enforces access control, you could use the '$custom' macro instead.
End users setting favorites themselves is not really a scalable solution. A workaround could be to push favorites to all of the users beforehand, but if I remember correctly, favorites are stored in some database file, which probably cannot be modified or amended easily.
Hi Shay,
Can it be done on R80.40?
If it's still EA, where can I sign up?
P.S. The video also states that all the (install) commands will be posted somewhere. Where can I find those?
Hi Shay,
We have deployed R81 in VSX mode and we use virtual systems as our external firewalls where we will enable RA VPN and Mobile Access.
Is this clientless RDP feature supported in R81 VSX?
Kind Regards,
Konstantinos
The feature is supported on R81 VSX too.
Hi Shay,
Has anyone deployed this successfully with the client providing the RDP being a Windows 7 Enterprise desktop?
It's working well against W10 and various flavors of Server and a client.
The situation is that when clicking the Start button on the RDP host through the SSL VPN portal connection, it drops the connection. Some applications work without an issue on the RDP host (Chrome, IE, Wireshark) but others cause it to crash, and the connection cannot be re-established until you connect in with a Windows-to-Windows RDP session and close the offending window. Then you can reconnect (and bump the Windows-to-Windows RDP session).
I've had a case open for a couple of weeks on this (and it's been escalated), and was trying to see if anyone else has experienced this and found a solution.
Thank you,
Paul G, CCSM
Try to play with the following attributes to see whether they have any effect:
If not, we could try tracing the connection, but if the crash is on the Windows 7 side, it sounds like it's Windows' fault.