SSL VPN R71 Administration Guide
24 June 2010

More Information

The latest version of this document is available for download (document ID 10322). For additional technical information about Check Point, visit Check Point Support.

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (subject: Feedback on SSL VPN R71 Administration Guide).

© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Please refer to our Copyright page for a list of our trademarks.
Please refer to our Third Party copyright notices for a list of relevant copyrights.

Contents

Introduction to SSL VPN  6
    Overview of SSL VPN  6
    SSL VPN Applications  6
    SSL VPN Management  7
    SSL Network Extender  7
        SSL Network Extender Network Mode  7
        SSL Network Extender Application Mode  7
    Commonly Used Concepts  7
        Authentication  8
        Authorization  8
        Endpoint Compliance Scanner  8
        Secure Workspace  8
        Protection Levels  8
        Session  9
    SSL VPN Security Features  9
        Server Side Security Highlights  9
        Client Side Security Highlights  9
    User Workflow  10
        Signing In  10
        First time Installation of ActiveX and Java Components  10
        Language Selection  11
        Initial Setup  11
        Accessing Applications  11
Getting Started with SSL VPN  12
    Recommended Deployments  12
        Simple Deployment  12
        Deployment in the DMZ  13
        Cluster Deployment  15
    Basic SmartDashboard Configuration  15
        The SSL VPN Wizard  16
        Setting up the SSL VPN Portal  17
    Managing Access to Applications  17
        Configuring SSL VPN Policy  18
Applications for Clientless Access  20
    Introduction to Applications  20
    Protection Levels  20
        Using Protection Levels  20
        Defining Protection Levels  21
    Web Applications  21
        SSL VPN Web Applications  22
        Web Applications of a Specific Type  22
        Configuring Web Applications  22
        Link Translation  28
        Link Translation Domain  31
        Web Application Features  32
    File Shares  35
        File Share Viewers  35
        Configuring File Shares  35
        Using the user Variable in File Shares  38
    Citrix Services  38
        Citrix Deployments Modes - Unticketed and Ticketed  38
        Configuring Citrix Services  39
    Web Mail Services  42
        Web Mail Services User Experience  42
        Incoming (IMAP) and Outgoing (SMTP) Mail Servers  42
        Configuring Mail Services  42
Native Applications  44
    DNS Names  44
        DNS Names and Aliases  44
        Where DNS Name Objects are Used  44
        Defining the DNS Server used by SSL VPN  44
        Configuring DNS Name Objects  45
        Using the Login Name of the Currently Logged in User  45
    Single Sign On  45
        Supported SSO Authentication Protocol  46
        HTTP Based SSO  46
        Web Form Based SSO  47
        Application and Client Support for SSO  48
        Basic SSO Configuration  48
        Advanced Configuration of SSO  50
        Advanced Configuration of Web Form SSO  51
        Kerberos Authentication Support  53
    Introduction to Native Applications  54
    VPN Clients  54
        Configuring VPN Clients  57
        Configuring SSL Network Extender Advanced Options  59
    Endpoint Application Types  60
        Configuring a Simple Native Application  62
        Configuring an Advanced Native Application  63
    Protection Levels for Native Applications  66
        Protection Levels in R71 and Higher Gateways  66
    Configuring Downloaded-From-SSL VPN Endpoint Applications  67
        Adding a New Downloaded-From-SSL VPN Endpoint Application  72
User Authentication in SSL VPN  77
    User Authentication to the SSL VPN Portal  77
        Configuring Authentication  78
    Two-Factor Authentication with DynamicID  78
        How DynamicID Works  79
        The SMS Service Provider  79
        SMS Authentication Granularity  80
        Basic DynamicID Configuration for SMS or Email  80
        Advanced Two-Factor Authentication Configuration  82
        Configuring Resend Verification and Match Word  84
        Two-Factor Authentication per Gateway  85
        Two-Factor Authentication per Application  85
        Two-Factor Authentication for Certain Authentication Methods  86
    Session Settings  86
        Session Timeouts  87
        Roaming  87
        Tracking  87
        Securing Authentication Credentials  87
        Simultaneous Logins to the Portal  87
    Advanced Password Management Settings  89
        Password Expiration Warning  89
        Managing Expired Passwords  89
Endpoint Security On Demand  91
    Endpoint Compliance Enforcement  91
        Endpoint Compliance Policy Granularity  91
        Endpoint Compliance Licensing  92
        Endpoint Compliance Policy Rule Types  92
        Endpoint Compliance Logs  94
    Configuring Endpoint Compliance  95
        Planning the Endpoint Compliance Policy  95
        Using the ICSInfo Tool  97
        Creating Endpoint Compliance Policies  97
        Configuring Endpoint Compliance Settings for Applications and Gateways  98
        Configuring Advanced Endpoint Compliance Settings by Operating System  100
        Configuring Endpoint Compliance Logs  101
        Assign Policies to Gateways and Applications  101
        Excluding a Spyware Signature from a Scan  101
        Preventing an Endpoint Compliance Scan Upon Every Login  102
    Endpoint Compliance Scanner End-User Workflow  102
        Endpoint Compliance Scanner End-User Experience  103
        Using Endpoint Security On Demand with Unsupported Browsers  103
        Completing the Endpoint Compliance Configuration  104
    Secure Workspace  105
        Enabling Secure Workspace  106
        Applications Permitted by Secure Workspace  107
        SSL Network Extender in Secure Workspace  110
        Secure Workspace Policy Overview  110
        Configuring the Secure Workspace Policy  111
        Secure Workspace End-User Experience  113
    Endpoint Compliance Updates  114
        Working with Automatic Updates  115
        Performing Manual Updates  115
SSL VPN Blade Configuration and Settings  116
    Interoperability with Other Blades  116
        IPS Blade  116
        Anti-virus and Anti-malware Blade  118
        IPSec VPN Blade  118
    SSL VPN Portal Settings  118
        Localization Features  119
        Alternative Portal Configuration  120
    SSL VPN Server Certificates  120
        Obtaining and Installing a Trusted Server Certificate  120
        SSL VPN Self-Signed Certificates  123
        Viewing SSL VPN Certificate Details  124
    Web Data Compression  124
        Configuring Data Compression  124
    Using SSL VPN Clusters  125
        The Sticky Decision Function  125
        How SSL VPN Applications Behave Upon Failover  125
Troubleshooting SSL VPN  127
    Troubleshooting Web Connectivity  127
    Troubleshooting Outlook Web Access  127
        Troubleshooting OWA Checklist  127
        Unsupported Feature List  128
        Common OWA problems  128
        Troubleshooting Authentication with OWA  128
        Troubleshooting Authorization with OWA  129
        Troubleshooting Security Restrictions in OWA  130
        Troubleshooting Performance Issues in OWA  131
        Saving File Attachments with OWA  133
    Troubleshooting File Shares  133
    Troubleshooting Citrix  133
        Troubleshooting Citrix Checklist  133

Chapter 1
Introduction to SSL VPN

In This Chapter
    Overview of SSL VPN  6
    SSL VPN Applications  6
    SSL VPN Management  7
    SSL Network Extender  7
    Commonly Used Concepts  7
    SSL VPN Security Features  9
    User Workflow  10

Overview of SSL VPN

The Check Point SSL VPN blade is a simple and comprehensive remote access solution that delivers exceptional operational efficiency. It allows mobile and remote workers to connect easily and securely from any location, with any Internet device, to critical resources while protecting networks and endpoint computers from threats. Combining the best of remote access technologies in a software blade provides flexible access for endpoint users and simple, streamlined deployment for IT.

This software blade option integrates into your existing Check Point gateway, enabling more secure and operationally efficient remote access for your endpoint users. The data transmitted by remote access is decrypted and then filtered and inspected in real time by Check Point's award-winning gateway security services such as antivirus, intrusion prevention and web security. The SSL VPN blade also includes in-depth authentication, and the ability to check the security posture of the remote device. This further strengthens the security of remote access.

SSL VPN Applications

SSL VPN provides the remote user with access to the various corporate applications, including Web applications, file shares, Citrix services, Web mail, and native applications.

- A Web application can be defined as a set of URLs that are used in the same context and that is accessed via a Web browser, for example inventory management or HR management.
- A file share defines a collection of files, made available across the network by means of a protocol, such as SMB for Windows, that enables actions on files, such as opening, reading, writing and deleting files across the network.
- SSL VPN supports Citrix client connectivity to internal XenApp servers.
- SSL VPN supports Web mail services, including:
    - Built-in Web mail: Web mail services give users access to corporate mail servers via the browser. SSL VPN provides a front end for any email server that supports the IMAP and SMTP protocols.
    - Other Web-based mail services, such as Outlook Web Access (OWA) and IBM Lotus Domino Web Access (iNotes). SSL VPN relays the session between the client and the OWA server.
- SSL VPN supports any native application, via SSL Network Extender. A native application is any IP-based application that is hosted on servers within the organization. When a user is allowed to use a native application, SSL VPN launches SSL Network Extender and allows users to employ native clients to connect to native applications, while ensuring that all traffic is encrypted.

Page 6

Remote users initiate a standard HTTPS request to the SSL VPN gateway, authenticating via user name/password, certificates, or some other method such as SecurID. Users are placed in groups and these groups are given access to a number of applications.

For information about Web applications, file shares, Citrix services and Web mail, see Applications for Clientless Access on page 20.
For information about native applications, see Native Applications for Client-Based Access on page 134.

SSL VPN Management

- SSL VPN enabled gateways are managed by the Security Management Server that manages all Check Point gateways.
- All SSL VPN related configuration can be performed from the SSL VPN tab of SmartDashboard.
- SSL VPN users are shown in SmartConsole, along with real-time counters and history counters for monitoring purposes.
- SSL VPN supports SNMP. Status information regarding Check Point products can be obtained using a regular SNMP Network Management Station (NMS) that communicates with SNMP agents on SSL VPN gateways. See "Working with SNMP Management Tools" in the Security Management Server Administration Guide.

SSL Network Extender

The SSL Network Extender client makes it possible to access native applications via SSL VPN.

SSL Network Extender is downloaded automatically from the SSL VPN portal to the endpoint machines, so that client software does not have to be pre-installed and configured on users' PCs and laptops. SSL Network Extender tunnels application traffic using a secure, encrypted and authenticated SSL tunnel to the SSL VPN gateway.

SSL Network Extender Network Mode

The SSL Network Extender Network Mode client provides secure remote access for all application types (both native IP-based and Web-based) in the internal network via SSL tunneling. To install the Network Mode client, users must have administrator privileges on the client computer.

After installing the client, an authenticated user can access any authorized internal resource that is defined on SSL VPN as a native application. The user can access the resource by launching the client application, either directly from the desktop or from the SSL VPN portal.

SSL Network Extender Application Mode

The SSL Network Extender Application Mode client provides secure remote access for most application types (both native IP-based and Web-based) in the internal network via SSL tunneling. Most TCP applications can be accessed in Application Mode. The user does not require administrator privileges on the endpoint machine.

After the client is installed, the user can access any internal resource that is defined on SSL VPN as a native application. The application must be launched from the SSL VPN portal and not from the user's desktop.

Commonly Used Concepts

This section briefly describes commonly used concepts that you will encounter when dealing with SSL VPN.

Authentication

All remote users accessing the SSL VPN portal must be authenticated by one of the supported authentication methods. As well as being authenticated through the internal database, remote users may also be authenticated via LDAP, RADIUS, ACE (SecurID), or certificates. Two-factor authentication with a DynamicID one-time password can also be configured.

Authorization

Authorization determines if and how remote users access the internal applications on the corporate LAN. If the remote user is not authorized, they are not granted access to the services provided by the SSL VPN gateway.

After being authenticated, the user attempts to use an application. To access a particular application, the user must be authorized to do so: the user must belong to a group that has been granted access to the given application. In addition, the user must satisfy the security requirements of the application, such as the authentication method and endpoint health compliance.

For more information, refer to Managing Access to Applications (on page 17).

Endpoint Compliance Scanner

The Check Point Endpoint Security On Demand scanner enforces endpoint compliance by scanning the endpoint to see if it complies with a pre-defined endpoint compliance policy. For example, an endpoint compliance policy would make sure that the endpoint client has updated anti-virus and an active firewall. If the endpoint is compliant with the endpoint compliance policy, the user is allowed to access the portal.

When end users access the SSL VPN Portal for the first time, an ActiveX component scans the client computer. If the client computer successfully passes the scan, the user is granted access to the SSL VPN portal. The scan results are presented both to the SSL VPN gateway and to the end user.

When Endpoint Security On Demand detects a lack of security, it either rejects the connection or allows the user to choose whether or not to proceed, according to the Endpoint Compliance policies. The system administrator defines policies that determine which types of threats to detect and what action to take upon their detection.

For more information, refer to Endpoint Compliance Enforcement on page 91.

Secure Workspace

End users can use Check Point's proprietary virtual desktop, which protects data during user sessions and wipes the cache after the sessions have ended. Secure Workspace protects all session-specific data accumulated on the client side. It uses protected disk space and file encryption to secure files created during the access session. Afterwards, it cleans the protected session cache, eliminating any exposure of proprietary data that would otherwise have been inadvertently left on public PCs.

For more information, refer to Secure Workspace on page 105.

Protection Levels

Protection Levels balance connectivity against security. A Protection Level represents a security criterion that must be satisfied by the remote user before access is given. For example, an application may have a Protection Level that requires users to satisfy a specific authentication method. Out of the box, SSL VPN has three pre-defined Protection Levels: Permissive, Normal, and Restrictive. It is possible to edit Protection Level settings, and to define new Protection Levels.

For more information, refer to Protection Levels on page 20.

Session

Once authenticated, remote users are assigned an SSL VPN session. The session provides the context in which SSL VPN processes all subsequent requests until the user logs out, or the session ends due to a time-out.

For more information, refer to Session Settings on page 86.

SSL VPN Security Features

Greater access and connectivity demand a higher level of security. The SSL VPN security features may be grouped as server side security and client side security.

Server Side Security Highlights

SSL VPN enabled gateways are fully integrated with, and benefit from, the same security features as other Security Gateways. In addition, SSL VPN gateways have numerous security features to enable secure remote access. The following list outlines the security highlights and enhancements available on SSL VPN gateways:

1. IPS: Protects organizations from all known, and most unknown, network attacks using intelligent security technology. The Web Intelligence component of IPS enables protection against malicious code transferred in Web related applications: worms, and attacks such as Cross Site Scripting, buffer overflows, SQL injection, command injection and directory traversal, as well as HTTP code inspection. For more information, see the IPS Administration Guide.
2. IPS Service: Downloads new defense mechanisms to the IPS console, and brings existing defense mechanisms up to date.
3. Anti-virus: Many Anti-virus settings enabled on the Security Gateway also apply to SSL VPN traffic, preventing viruses from reaching end users and the enterprise.
4. Granular authorization policy: Limits which users are granted access to which applications by enforcing authentication, encryption, and client security requirements.
5. Web Application support over HTTPS: All traffic to Web-based applications is encrypted using HTTPS. Access is allowed for a specific application set rather than full network-level access.
6. Encryption: SSL Network Extender, used by SSL VPN, encrypts traffic using the 3DES or the RC4 encryption algorithm.

Client Side Security Highlights

The following list outlines the security highlights and enhancements available on the client side:

1. Endpoint Compliance for SSL VPN on the endpoint machine: Prevents threats posed by endpoint clients that do not have updated protection, for example, updated anti-virus and firewall applications. For more information, refer to Endpoint Compliance Enforcement on page 91.
2. Secure Workspace protects all session-specific data, accumulated on the client s
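The access decision that the Authentication, Authorization, Endpoint Compliance Scanner, Protection Levels and Session concepts above describe can be modelled end to end: a successful login creates a session that carries the user's context, and every later request to an application is checked against that session for group membership and for the application's Protection Level. The Python below is an added example written for this guide, not Check Point's code; the authentication-strength ranking, the settings given to the Permissive, Normal and Restrictive levels, the timeout values and the user and application names are all assumptions made for illustration.

```python
# Added example, not Check Point code: a toy model of the SSL VPN access
# decision described in the Authentication, Authorization, Endpoint
# Compliance Scanner, Protection Levels and Session sections.  The method
# ranking, the Protection Level settings, the timeouts and all names are
# assumptions for illustration, not R71 defaults.
import secrets
import time
from dataclasses import dataclass

# Authentication methods the guide lists, ranked by strength (ranking assumed).
AUTH_STRENGTH = {
    "password": 1, "ldap": 1, "radius": 1,
    "securid": 2, "certificate": 2, "password+dynamicid": 2,
}


@dataclass(frozen=True)
class ProtectionLevel:
    name: str
    min_auth_strength: int          # weakest acceptable AUTH_STRENGTH value
    require_compliance: bool        # endpoint compliance scan must have passed
    require_secure_workspace: bool  # session must run inside Secure Workspace


# The three pre-defined levels named in the guide; their settings are assumed.
PERMISSIVE = ProtectionLevel("Permissive", 1, False, False)
NORMAL = ProtectionLevel("Normal", 1, True, False)
RESTRICTIVE = ProtectionLevel("Restrictive", 2, True, True)


@dataclass(frozen=True)
class Application:
    name: str
    allowed_groups: frozenset       # groups granted access to this application
    level: ProtectionLevel


@dataclass
class Session:
    user: str
    groups: frozenset
    auth_method: str
    endpoint_compliant: bool
    secure_workspace: bool
    created: float
    last_seen: float


class Gateway:
    """Holds sessions and authorizes each request against the session context."""

    def __init__(self, idle_timeout=900, max_lifetime=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.clock = clock              # injectable so expiry can be tested offline
        self.sessions = {}

    def login(self, user, groups, auth_method, endpoint_compliant, secure_workspace=False):
        """Authentication succeeded: create the session that later requests run in."""
        if auth_method not in AUTH_STRENGTH:
            raise ValueError(f"unsupported authentication method: {auth_method}")
        now = self.clock()
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self.sessions[token] = Session(user, frozenset(groups), auth_method,
                                       endpoint_compliant, secure_workspace, now, now)
        return token

    def logout(self, token):
        self.sessions.pop(token, None)

    def _live_session(self, token):
        """Return the session for token, expiring it on idle or absolute timeout."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout or now - s.created > self.max_lifetime:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s

    def authorize(self, token, app):
        """Return (allowed, reason) for one request to app within the given session."""
        s = self._live_session(token)
        if s is None:
            return False, "no valid session: authenticate again"
        if not (s.groups & app.allowed_groups):
            return False, f"{s.user} is not in a group granted access to {app.name}"
        lvl = app.level
        if AUTH_STRENGTH[s.auth_method] < lvl.min_auth_strength:
            return False, f"{app.name} ({lvl.name}) requires stronger authentication"
        if lvl.require_compliance and not s.endpoint_compliant:
            return False, "endpoint did not pass the compliance scan"
        if lvl.require_secure_workspace and not s.secure_workspace:
            return False, f"{app.name} must be used from Secure Workspace"
        return True, "ok"


if __name__ == "__main__":
    gw = Gateway(idle_timeout=60)
    hr = Application("HR Portal", frozenset({"hr"}), NORMAL)   # constructed sample
    tok = gw.login("alice", {"hr"}, "password", endpoint_compliant=True)
    print(gw.authorize(tok, hr))    # allowed: right group, compliant endpoint
    gw.logout(tok)
    print(gw.authorize(tok, hr))    # denied: the session no longer exists
```

Two design points are worth noting. The checks are ordered so that the cheapest and most general one (is there a live session at all) runs first, and the session is the only place the authentication method and scan result are stored, so a user cannot present a stronger method for one application than the one they actually logged in with. Expiry is enforced lazily on the next request rather than by a background sweep, which keeps the example small but means a stale entry occupies memory until it is next touched.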
