This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2023-05-31 09:13 AM
Jump to solution

Mobile Access - restrict SNX with role based access

Hello,

I have our Mobile Access portal up and running, and I'm trying to restrict the SNX/Native Application portion to only users belonging to specific AD groups, and published web applications to others.

 

Right now, anyone with portal access also has Native Application/SNX access. I believe this is an issue with the way our Policy is configured. 

 

If I wanted to restrict the Native Applications menu to only users with a specific AD role, what would that policy line look like?

 

here's a basic example of some CN's for what I'd want each group to access:

 

2023-05-31_12h06_49.png

 

I've been looking at CP_R81_MobileAccess_AdminGuide.pdf for guidance, and can restrict web Apps, but not the native apps.

 

 

 

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Authority
Authority
‎2023-05-31 12:29 PM
Jump to solution

@NorthernNetGuy this is normal behaviour with unified policy and mentioned in Limitations for Mobile Access in the Unified Policy 

The Native Applications Connect button always shows in the Mobile Access Portal when SSL Network Extender is enabled“

You can restrict the access but the button will be always there.

Using the „old“ way with MobileAccess policy in SmartDashboard you can make the connect button invisible to users without rights to access. But then you loose the better features of the unified policy.

View solution in original post

(1)
13 Replies
the_rock
Legend
Legend
‎2023-05-31 11:37 AM
Jump to solution

Does it not give you option below in the rule?

Andy

 

Screenshot_1.png

0 Kudos
NorthernNetGuy
Advisor
‎2023-05-31 11:40 AM
In response to the_rock
Jump to solution

Ah I should have specified that I'm using the unified access policy (and r81.20)

0 Kudos
the_rock
Legend
Legend
‎2023-05-31 11:48 AM
In response to NorthernNetGuy
Jump to solution

A kk : - ). Let me test it in the lab and see. I also have R81.20

Andy

0 Kudos
NorthernNetGuy
Advisor
‎2023-05-31 11:59 AM
In response to the_rock
Jump to solution

Here's a screenshot of what the policy looks like that might help with identifying my issue. I've added in rule 10-12 to try and expand the portal usage, while rule 13-14 was created by our checkpoint PS during initial deployment.

My main goal is to just remove the "connect" button, or the entire native apps section, for users that don't require it.

2023-05-31_14h53_49.png

Thanks for the help!

 

0 Kudos
the_rock
Legend
Legend
‎2023-05-31 12:04 PM
In response to NorthernNetGuy
Jump to solution

Would you mind sharing whats in that group under services in rule 12.1 and 12.2, specifically one that ends with -RDP? I ask because based on what you mentioned, appears rule 12.1 has been hit 1M times and 12.2 only 174 times, just not sure in what time period though.

Andy

0 Kudos
NorthernNetGuy
Advisor
‎2023-05-31 12:14 PM
In response to the_rock
Jump to solution

Ah... They reference different AD roles, however they also reference the same remote access client profile:

 

2023-05-31_15h14_28.png

0 Kudos
the_rock
Legend
Legend
‎2023-05-31 12:22 PM
In response to NorthernNetGuy
Jump to solution

Sorry, I meant under services/applications column, not access role. I want to see if it works in my lab. Please blur out any sensitive info.

Andy

0 Kudos
NorthernNetGuy
Advisor
‎2023-05-31 12:30 PM
In response to the_rock
Jump to solution

Ah that's my fault for not reading correctly!

12.1 is an internaly hsoted web application that acts as an RDP proxy:

2023-05-31_15h25_23.png

2023-05-31_15h25_57.png

 

12.2 launches the clients mstsc

2023-05-31_15h27_36.png

 

I've found that even if the user isn't in the AD group for 12.2, they still see the native application/connect button, just not quick launch link of the mstsc

0 Kudos
the_rock
Legend
Legend
‎2023-05-31 12:32 PM
In response to NorthernNetGuy
Jump to solution

I was literally about to send you the same link  @Wolfgang found, but he "beat" me to it : - )

I suppose it would be a limitation based on that paragraph.

Andy

Wolfgang
Authority
Authority
‎2023-05-31 12:29 PM
Jump to solution

@NorthernNetGuy this is normal behaviour with unified policy and mentioned in Limitations for Mobile Access in the Unified Policy 

The Native Applications Connect button always shows in the Mobile Access Portal when SSL Network Extender is enabled“

You can restrict the access but the button will be always there.

Using the „old“ way with MobileAccess policy in SmartDashboard you can make the connect button invisible to users without rights to access. But then you loose the better features of the unified policy.

(1)
NorthernNetGuy
Advisor
‎2023-05-31 12:40 PM
In response to Wolfgang
Jump to solution

Well that is unfortunate. It would make a big difference in clarifying things for my users, and making the portal more flexible.

I feel like this should be a reasonable feature request, so I suppose that will be in my next steps.

In the mean time, other that needing to manage the legacy portal from the smartview, am I going to lose much by going to the legacy policy?

0 Kudos
the_rock
Legend
Legend
‎2023-05-31 12:44 PM
In response to NorthernNetGuy
Jump to solution

In the words of CP Sales person who talked about this recently on a call, best way to put is that unified MA policy is way more scalable than legacy. I totally get that point.

0 Kudos
the_rock
Legend
Legend
‎2023-05-31 01:59 PM
In response to NorthernNetGuy
Jump to solution

I think its pretty much same link @Wolfgang provided

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_MobileAccess_AdminGuide/Topics-MAB...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events