Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Shay_Levin
Admin
Admin

Mobile Access Blade with Clientless RDP/SSH - Early Availability

Jump to solution

Hi All, 

In the last two months, we heard from many customers that they have employees that need an easy RDP access (clientless) to on-premise workstations, and configuring Guacamole is a pain in the ass (Active directory schema need to be extended, performance issue and many other issues)

So, we have integrated most of it into the Mobile access blade and the only external component that is required is the guacd daemon which is taking care of translating between RDP protocol to guacamole protocol and this part can be deployed very easily.

Watch the movie to see the user experience and the configuration steps.

If you want to take part in this EA just drop me a message.

1 Solution

Accepted Solutions
Shay_Levin
Admin
Admin

                The feature is supported on R81 VSX too.

View solution in original post

18 Replies
Darren_Fine
Collaborator

Hi Shay,

 

I have a customer who is interested in this (in fact I think I will have a couple )

 

Please PM me to get started.

 

Thanks

abihsot__
Advisor

Hi,

Looks nice, however it is for r80.30 with 2.6 and I was expecting it will be for R80.40 or at least gateway with new kernel...

If login to portal uses different password (MFA, certificate etc), and AD credentials being used for RDP. Upon changing AD password, is MAB going to prompt to enter new password?

 

Heath_H
Contributor

Will the EA be coming to 80.40?  We're currently running 80.10 and planning to upgrade to 80.40, completely skipping 80.30.

Also, will the setup get simplified?  For example, the ability to run guacd on the gateway directly vs needing another Linux server?

Shay_Levin
Admin
Admin

If we will decide to port the HF to the GA, the configuration would be done from the SmartConsole.

The Guacd would still need to run as an external container.

0 Kudos
Shay_Levin
Admin
Admin

Hi, 

1. On the first time the user clicks the RDP link, he is going to be asked if he wants to reuse the credentials he used to login to the           MAB portal or to provide different credentials, which would also be saved.

     You can see this behavior at the end of the video.

2. As this HF is currently an EA and we are evaluating customer satisfaction, we have developed it to support only on R80.30 with            Kernel 2.6 and Jumbo 155.

    Based on the feedbacks and the number of requests we would get, we would decide if we are going to put efforts on porting this       HF to the GA  version.

    Your request has been counted 🙂

 

Paul_Gademsky
Collaborator

Hi Shay, I'm trying to find out if this has moved into a supported mode in R81 or has been dropped.  I have a customer case where this would solve the problems they are having.

0 Kudos
RS_Daniel
Collaborator

It is included in R81 mobile access admin guide. 

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_MobileAccess_AdminGuide/Topics-MAB...

It was confirmed during one webiner this feature is now GA in R81.

0 Kudos
Paul_Gademsky
Collaborator

Hi Shay,

per our discussion here are the questions that I have about this:

I do have some questions that I wanted to ask of you/developers.

 

  1. Can Azure AD be utilized for Active Directory connection (currently it's not synched to local AD2003, AD 2008, AD 2016 - They are in the process of migrating up to AD 2016)
  2. If clientless ssl and SNX are both configured, how does it differentiate when a user connects in as to which one they will use (assume it's based on the url)
  3. For the Apache server (CentOS8.3) running guacd, they are expecting to have an average of 140 users connecting concurrently, and a max of 250.  Do you have any feeling of how much of a server they would need to support this (HyperV, dedicated to only the guacamole docker)
  4. For the MFA(2FA)  they are looking at ( text message, Microsoft Authenticator, Duo)
  5. Currently they are on R80.30 with a separate Management Server and Endpoint server. I plan on bringing both of those and the gateway cluster up to R81 hfa 13. Anything that I need to be aware of with the Endpoint server and this integration?

Any feedback would be appreciated.

0 Kudos
Shay_Levin
Admin
Admin

1. MAB can be configured to authenticate users against Azure AD ,it supported from R80.40.

2. In MAB, browsing directly to a portal link uses the clientless option, while clicking the 'Connect' button invokes SNX.

    Clicking on a link within SNX's category initiates a layer-3 VPN connection.

3. Currently we don't have any sizing information for Guacamole.  ( if you deploy it on public cloud ,the solution is to use autoscale/vmss/mig)

4. SMS OTP ('DynamicID') is supported by MAB. The other two methods aren't directly integrated with MAB's portal, but MAB may support them if they can be configured as a             .  standard authentication server with multi-challenge authentication.

5. MAB's Guacamole support is fully integrated into R81 GA.

 

0 Kudos
Paul_Gademsky
Collaborator

Hi Shay, thank you for the responses. It helps out with the implementation that I'm working on.

As part of this, I'm wondering about the configuration of the of the web application object itself (by the way, the very light blue header with white text makes it hard to read what it is).

In the authorized locations portion, multiple servers can be selected which could be very useful depending on configuration.

The question then becomes how do you specify the ip address for the multiple servers in the "Link in Portal" portion?

http://guacamole?host=*.*.*.*&port=22    ?

Appreciate some feedback on this.

0 Kudos
Shay_Levin
Admin
Admin

As for any other application type (esp. Web applications), the management doesn't support setting multiple favorites.

End-users can set favorites for themselves if they'd like to.

If the goal is setting up a different machine for each user, which also enforces access control, you could use the '$custom' macro instead.

0 Kudos
abihsot__
Advisor

end users setting favorites themselves is not really a scalable solution. Workaround could be to push favorites to all of the users beforehand, but if I correctly remember favorites are stored in some database file, which probably cannot be modified or amended easily.

0 Kudos
Tim_Tielens
Contributor

Hi Shay,

Can it be done on R80.40 ?
If it's still EA, where can I signup ?

P.S. the video also states that all the (install) commands will be posted somewhere, where can I find those ?

0 Kudos
MikeB
Advisor
Hi Shay,
We have some clients who are very interested in participating in this EA. Please tell me how we can move forward
KonstantinosT
Participant

Hi Shay,

We have deployed R81 in VSX mode and we use virtual systems as our external firewalls where we will enable RA VPN and Mobile Access.

Is this feature clientless RDP supported supported in R81 VSX ?

 

Kind Regards,

Konstantinos

0 Kudos
Shay_Levin
Admin
Admin

                The feature is supported on R81 VSX too.

View solution in original post

Paul_Gademsky
Collaborator

Hi Shay,

  Has anyone deployed this successfully with the  client with providing the RDP being a Windows 7 Enterprise  desktop?

  It's working well against W10 and various flavors of Server and a client.

  The situation is when clicking the start button on the RDP host through the sslvpn portal connection, it drops the connection. Some applications work without an issue on the rdp host (chrome, IE, wireshark) but others cause it to crash, and the connection cannot be re-established until you connect in with a windows to windows RDP session and close the offending window. Then you can reconnect (and bump the windows to windows RDP session.

I've had a case open for a couple of weeks on this (and it's been escalated), and was trying to see if anyone else has experienced this and found a solution.

Thank you,

Paul G, CCSM

0 Kudos
Shay_Levin
Admin
Admin

Try to play with the following attributes to see whether they have any effect:

 

Shay_Levin_0-1620206001492.png

 

Shay_Levin_1-1620206001501.png

If not, we could try tracing the connection, but if the crash is on the Windows 7 side, it sounds like it's Windows' fault.

0 Kudos