Check Point Mobile VPN for iOS


Check Point Mobile VPN for iOS Administration Guide
10 July 2012
Classification: [Protected]

2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at http://supportcontent.checkpoint.com/documentation_download?id=17624. For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
10 July 2012 - Updated VPN Site Settings (see VPN Site Settings in Chapter 3)
19 June 2012 - First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on Check Point Mobile VPN for iOS Administration Guide).

Contents

Important Information
Chapter 1 Introduction
Chapter 2 Installing Check Point Mobile VPN for iOS on the Security Gateway
  Licensing Check Point Mobile VPN for iOS
  Configuring the R75.40 Security Gateway
  R75.40 Optional Configuration
  Configuring the R71.50 Security Gateway
  R71.50 Optional Configuration
  Authenticating with an External CA
    Trusting an OPSEC Certified CA
    Configuring an External CA
  Configuring Route All Traffic
Chapter 3 Configuring the VPN Client
  Downloading the Application
  Creating and Configuring the VPN Site
  Manually Configuring the VPN Site
  VPN Site Settings
  Sending Logs
  Using the API for a VPN Site
    Introduction
    Configuring the URL
    Creating a New VPN Site
    Connecting to a VPN Site
    Disconnecting from a VPN Site
  Creating a QR Code
    QR Code URL Parameters
  Using the iPhone Configuration Utility
    Configuring the VPN Profile
    Custom Data Fields

Chapter 1 Introduction

The Check Point Mobile VPN for iOS application offers a full layer-3 VPN tunnel for Apple iPhone and iPad devices running iOS 5.0 or later. It allows secure communication from any application running on those handheld devices to the organization.

This guide explains how to configure the Security Gateway and install the client application on iOS devices.

Related Documentation
To see Known Limitations and Resolved Issues for Check Point Mobile VPN for iOS, see the Check Point Mobile VPN for iOS Release Notes.

Chapter 2 Installing Check Point Mobile VPN for iOS on the Security Gateway

In This Chapter
Licensing Check Point Mobile VPN for iOS
Configuring the R75.40 Security Gateway
Configuring the R71.50 Security Gateway
Authenticating with an External CA
Configuring Route All Traffic

Licensing Check Point Mobile VPN for iOS

You must have a license for the Mobile Access Software Blade. The Software Blade comes with an introductory license that can be used for 30 days from the first time that you install a policy on an enabled Mobile Access Software Blade. The introductory license is a floating license and lets up to 10 users connect their devices to the Security Gateway. You can go to the Support Center and extend the 30-day introductory license to let up to 50 users connect to the Security Gateway.

To get a license:
1. Go to the Check Point Support Center and log into your account.
2. Open the My Products page.
3. Select the Mobile Access license.
4. Click License.
5. Install the license on the Mobile Access Security Gateway manually or with SmartUpdate.

Configuring the R75.40 Security Gateway

Use SmartDashboard to configure an R75.40 Security Gateway to support Check Point Mobile VPN for iOS.

To configure Check Point Mobile VPN for iOS on an R75.40 Security Gateway:
1. Open SmartDashboard.
2. Right-click the Security Gateway and select Edit. The Check Point Gateway - General Properties window opens.
3. Make sure that the IPsec VPN Software Blade is enabled.
4. Select IPsec VPN > VPN Advanced.
5. Make sure that Support NAT traversal is selected.
6. Select IPsec VPN > Remote Access and configure these settings:
   a) From Allocated port, select VPN1_IPSEC_encapsulation.
   b) Select Support Visitor Mode.
   c) From Service, select https.
7. Select IPsec VPN > Authentication and configure the Authentication Method. For more information about configuring authentication methods, see the R75.40 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk67581). For more information about configuring the certificate authentication method, see Known Limitation 00874317 in the Check Point Mobile VPN for iOS Release Notes.
8. Select IPsec VPN > Office Mode and configure these settings:
   a) Select Allow Office Mode to all users or a group.
   b) Click Optional Parameters. The IP Pool Optional Parameters window opens.
   c) Configure these settings: DNS servers, DNS suffixes, IP lease duration.
9. Select IPsec VPN > VPN Clients.
10. Select SSL Network Extender and SecureClient Mobile.
11. Click OK.
12. Install the policy on the Security Gateway.

R75.40 Optional Configuration

You can also configure these authentication and encryption settings for the Security Gateway.

To configure optional settings:
1. On the menu bar, select Policy > Global Properties.
   a) Select Remote Access > SecureClient Mobile and configure the value for Re-authenticate user every. For more information about Session Timeout, see the R75.40 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk67581).
   b) Select Remote Access > VPN - Authentication and Encryption and click Advanced. The Encryption Properties window opens.
   c) Click the IPSEC Security Association (Phase 2) tab.
   d) In User Encryption properties, configure the settings. For more information about Encryption Algorithm, see the R75.40 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk67581).
2. Click OK.
3. Install the policy on the Security Gateway.

Configuring the R71.50 Security Gateway

Use SmartDashboard to configure an R71.50 Security Gateway to support Check Point Mobile VPN for iOS.

To configure Check Point Mobile VPN for iOS on an R71.50 Security Gateway:
1. Open SmartDashboard.
2. Right-click the Security Gateway and select Edit. The Check Point Gateway - General Properties window opens.
3. Make sure that the IPsec VPN Software Blade is enabled.
4. Select IPsec VPN > Remote Access and configure these settings:
   a) Select Support NAT traversal mechanism (UDP encapsulation).
   b) Select Support Visitor Mode.

   c) From Service, select https.
5. Select Authentication and configure the Enabled Authentication Schemes. For more information about configuring authentication methods, see the R71 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk69720). For more information about configuring the certificate authentication method, see Known Limitation 00874317 in the Check Point Mobile VPN for iOS Release Notes.
6. Select IPsec VPN > Office Mode and configure these settings:
   a) Select Allow Office Mode to all users or a group.
   b) Click Optional Parameters. The IP Pool Optional Parameters window opens.
   c) Configure these settings: DNS servers, DNS suffixes, IP lease duration.
7. Select IPsec VPN > VPN Clients.
8. Select SSL Network Extender and SecureClient Mobile.
9. Click OK.
10. Install the policy on the Security Gateway.

R71.50 Optional Configuration

You can also configure these authentication and encryption settings for the Security Gateway.

To configure optional settings:
1. On the menu bar, select Policy > Global Properties.
   a) Select Remote Access > SecureClient Mobile and configure the value for Re-authenticate user every. For more information about Session Timeout, see the R71 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk69720). For more information about configuring the Session Timeout for SSL, see Known Limitation 00848021 in the Check Point Mobile VPN for iOS Release Notes.
   b) Select Remote Access > VPN - Authentication and Encryption and click Advanced. The Encryption Properties window opens.
   c) Click the IPSEC Security Association (Phase 2) tab.

   d) In User Encryption properties, configure the settings. For more information about Encryption Algorithm, see the R71 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk69720).
2. Click OK.
3. Install the policy on the Security Gateway.

Authenticating with an External CA

You can use SmartDashboard to configure the Security Gateway to use an external CA (Certificate Authority) to authenticate Check Point Mobile VPN for iOS. Make sure that the external CA follows these guidelines:
- The client certificate subject uses a full DN, not only a CN.
- The certificates must use a user template with the IKE public key property, with the LDAP branch.

Note - To learn how to configure an internal CA, see the VPN Administration Guide for the Security Gateway version.

Trusting an OPSEC Certified CA

The CA certificate has to be supplied and saved to disk in advance. The CA's certificate must be retrieved either by downloading it using the CA options on the Servers and OPSEC Applications tab, or by obtaining the CA's certificate from the peer administrator in advance.

Note - In the case of SCEP automatic enrollment, you can skip this stage and fetch the CA certificate automatically after configuring the SCEP parameters.

Then define the CA object:
1. Open Manage > Servers and OPSEC Applications. The Servers and OPSEC Applications window opens.
2. Choose New > CA. Select Trusted or Subordinate. The Certificate Authority Properties window opens.
3. Enter a Name for the CA object. In the Certificate Authority Type drop-down box, select OPSEC PKI.
4. On the OPSEC PKI tab: for automatic enrollment, select Automatically enroll certificate. From Connect to CA with protocol, select the protocol used to connect with the certificate authority: SCEP, CMPV1 or CMPV2. Note - For Entrust 5.0 and later, use CMPV1.
5. Click Properties.
   - If you chose SCEP as the protocol, in the Properties for SCEP protocol window, enter the CA identifier (such as example.com) and the Certification Authority/Registration Authority URL.
   - If you chose CMPV1 as the protocol, in the Properties for CMP protocol - V1 window, enter the appropriate IP address and port number. (The default port is 829.)
   - If you chose CMPV2 as the protocol, in the Properties for CMP protocol - V2 window, decide whether to use direct TCP or HTTP as the transport layer.
   Note - If Automatic enrollment is not selected, enrollment has to be performed manually.
6. Choose a method for retrieving CRLs from this CA.
   - If the CA publishes CRLs on an HTTP server, choose HTTP Server(s). Certificates issued by the CA must contain the CRL location as a URL in the CRL Distribution Point extension.
   - If the CA publishes CRLs on an LDAP server, choose LDAP Server(s). In this case, you must define an LDAP Account Unit as well. See the Security Management Server Administration Guide for more details about defining an LDAP object. Make sure that CRL retrieval is checked in the General tab of the LDAP Account Unit Properties window. Certificates issued by the CA must contain the LDAP DN on which the CRL resides in the CRL Distribution Point extension.
7. Click Get.
8. If SCEP is configured, the gateway tries to connect to the CA and retrieve the certificate. If not, browse to where you saved the peer CA certificate and select it. VPN reads the certificate and displays its details. Verify the certificate's details: display the SHA-1 and MD5 fingerprints of the CA certificate and compare them with the values the CA administrator gave you out of band before you accept the certificate.
9. Click OK.

Configuring an External CA

To configure an external CA:
1. From SmartDashboard, select Manage > Users and Administrators. The Users and Administrators window opens.
2. Select Standard_User and click Edit. The User Template Properties window opens.
3. Click Encryption.
4. Select IKE and click Edit. The IKE Phase 2 Properties window opens.
5. Make sure that Public Key is selected.
6. Click OK.
7. From the menu bar, select Manage > Servers and OPSEC Applications. The Servers and OPSEC Applications window opens.
8. Edit the LDAP Account Unit. The LDAP Account Unit window opens.
9. Click Authentication.
10. Select Use user template and Standard_User.
11. Click OK and then Close.

Configuring Route All Traffic

To configure the Route All Traffic settings:
1. Open SmartDashboard.
2. Right-click the Security Gateway and select Edit. The Check Point Gateway - General Properties window opens.
3. Select IPsec VPN > Remote Access.
4. Select Allow VPN clients to route traffic through this gateway.
5. Click OK.
6. On the menu bar, select Policy > Global Properties.
7. Select Remote Access > SecureClient Mobile.
8. From Route all traffic to gateway, select Yes.
9. Click OK.

Chapter 3 Configuring the VPN Client

In This Chapter
Downloading the Application
Creating and Configuring the VPN Site
Manually Configuring the VPN Site
Using the API for a VPN Site
Creating a QR Code
Using the iPhone Configuration Utility

Downloading the Application

Download the Check Point Mobile VPN application from the Apple App Store.

Creating and Configuring the VPN Site

Check Point Mobile VPN for iOS supports different procedures to create and configure the VPN site. Use the procedure that is the most convenient for your users.
- Manual Configuration: Use the application to manually configure the VPN site settings.
- VPN Site API: Create a URL that configures the settings for the VPN site.
- QR Code: The application can read a QR code with the URL to create the VPN site.
- iPhone Configuration Utility: Use the iPhone Configuration Utility to send the VPN site settings to all the users.

Manually Configuring the VPN Site

To configure the VPN site settings in the application:
1. If necessary, open the New Site screen:
   a) Tap Sites.
   b) Tap +. The New Site screen opens.
2. Configure these settings for the VPN site:
   Name - name of the VPN site.
   Server - IP address or host name of the Security Gateway.
3. Tap Create. The Verify Server message opens and shows the gateway certificate and its fingerprint.
4. Check the fingerprint against the value your administrator gave you, then tap Yes to accept the certificate. The Authentication screen opens.
5. Select the Authentication Method.

VPN Site Settings

These are the VPN site settings that users can manually configure in the application.

To see the VPN site settings:
1. From the login screen, touch Sites. The Site List screen opens.
2. Touch the arrow for the VPN site. The settings for that VPN site are shown.

Authentication Method
- Username and password - Check Point or LDAP password.
- Certificate - Authenticate using an X.509 certificate. Certificates can be enrolled, installed by email, installed from the Internet, or installed using the iPhone Configuration Utility.
- RSA SecurID token - Authenticate using an RSA SecurID token.
- Challenge response - Authenticate using the challenge and response procedure.

Automatic Reconnect
- On - When connectivity is broken, the application tries to reconnect as long as a network is available.
- Off - When connectivity is broken, the application tries to reconnect for 120 seconds. After this time, the application disconnects from the VPN site. You can select the Off setting to use less battery on the device.

Connect On-Demand
This feature configures the VPN site to automatically create a VPN tunnel for specific domain names. Connect On-Demand is only available when Certificate Authentication is enabled. Select Connect On-Demand to enable this feature.

VPN Tunnel Type
You can switch the VPN tunnel type between IPsec and SSL for the Check Point Mobile VPN for iOS client.

To switch the VPN tunnel type:
1. In the site settings screen, swipe up. The VPN tunnel types are shown.
2. Select IPsec or SSL.
3. Swipe down.

Sending Logs

To send logs to customer support:
1. Open the application.
2. Tap About.
3. Tap Send Logs.

Using the API for a VPN Site

Introduction

The VPN API lets you control the application to:
- Create a VPN site
- Connect to and disconnect from a VPN site

To use the VPN API, create a URL that can be integrated into HTTP web sites, configuration emails and 3rd party applications.

Sample URL that creates a VPN site using the VPN site API. Tap this URL on an iOS device with Check Point Mobile VPN for iOS installed, and the application creates a new VPN site with these settings:

cpvpn:///?name=demo&host=idemo.checkpoint.com&user=john+doe

- VPN site name - demo
- Host - idemo.checkpoint.com
- User name - John Doe

Configuring the URL

The API URL is made of these segments:
- Mandatory segment - the app identifier: cpvpn:///?
- Fields paired with values. Each pair is separated from the next by the & character. Assign a value to the field with the = character. Example: name=idemo
- Do not use spaces in values; use the + character instead. Example: John+Doe

Creating a New VPN Site

Use these parameters to configure the settings for the VPN site.

Mandatory Parameters
- name - The name of the site that is shown to the user.
- host - The address of the host. Example: idemo.checkpoint.com

Optional Parameters (with default values)
- user - Login name for the user. Default: no value.
- fingerprint - Fingerprint that is used for server validation. Default: no value.
- cn - CN for server validation. Default: no value.
- tun - Tunnel type. Possible values: kmp (IPsec tunnel) or snx (SSL tunnel). Default: kmp.

- auth - Authentication method. The valid values are: username (user name and password method), RSA (RSA SecurID), Certificate, PinPad (keypad for PIN code), KeyFob (security token key fob), Challenge (challenge and response method). Default: username.
- port - Port to use. Default: 443.
- url - After each connection to the VPN site, this URL is opened. Default: no value.
- remoteactions - Enables using the VPN site API (the connect and disconnect actions) for this site. Valid values: yes or no. Default: no.

Parameters for Certificate Authentication

These parameters can be used for VPN sites that use certificate authentication.
- regkey - Activation key that enrolls a certificate. Default: no value.
- ondemand - Valid values: yes, no, askuser. Default: no.
- domainalways - An array of hosts to which iOS connects only using a VPN tunnel. Example: domainalways="example1.com+example2.com+idemo.com"
- domainnever - Hosts that are exceptions to the domainalways parameter. iOS never tries to connect to these hosts using a VPN tunnel. Example: domainnever="help.example1.com+products.example1.com"
- domainifneeded - An array of hosts to which iOS first tries to connect without using a VPN tunnel. If that connection fails, iOS tries to connect using the VPN tunnel. Example: domainifneeded="example1.com+idemo.com"

Connecting to a VPN Site

The connect action attempts to connect to the site. If more authentication is necessary, the login screen for the site is shown.

Important - This action is only enabled if the remoteactions field was set to yes when the site was created.

Example: cpvpn://?connect&sitename=mysite&url=www.urltolaunchafterconnect.com

The connect action is identified by the field connect. This field is not assigned a value. Parameters for the connect action:
- sitename - (Mandatory) The name of the site that is in the Sites list in the VPN client.
- url - (Optional) A one-time response URL that is launched when the application connects to the site.

Disconnecting from a VPN Site

The disconnect action disconnects the device from the site.

Important - This action is only enabled if the remoteactions field was set to yes when the site was created.

Example: cpvpn://?disconnect&sitename=mysite&url=www.urltolaunchafterdisconnect.com

The disconnect action is identified by the field disconnect. This field is not assigned a value. Parameters for the disconnect action:
- sitename - (Mandatory) The name of the site that is in the Sites list in the VPN client.
- url - (Optional) A one-time response URL that is launched when the application disconnects from the site.

Creating a QR Code

A QR code is a URL that is encoded in a QR image. The application has a built-in QR scanner that can read the URL and create a VPN site. You can create a QR code so that users can easily create VPN sites on their iOS handheld devices. For more about the VPN settings that you can use in the URL, see QR Code URL Parameters.

To create a QR code using the QR Code Tool:
1. Download the QR Code Tool (http://supportcontent.checkpoint.com/solutions?id=sk69540).
2. From the CLI, run the command cpqrcodegen. These are the mandatory parameters for the command: name='<name>' host='<host>' file='<file>'.

This is a sample command that creates a QR code PNG file:

cpqrcodegen name='demo' host='idemo.checkpoint.com' user='John Doe' file=phoenixqr.png remoteactions=yes

To create a QR code using a QR code generator:
1. Create a URL for the VPN site.
2. Use a QR code generator to create a QR image of the URL.

QR Code URL Parameters

Mandatory Parameters
- name - The name of the site that is shown to the user.
- host - The address of the host. Example: idemo.checkpoint.com
- file - The PNG file name of the QR Code image that is created. Example: mysite.png

Optional Parameters (with default values)
- user - Login name for the user. Default: no value.
- fingerprint - Fingerprint that is used for server validation. Default: no value.
- cn - CN for server validation. Default: no value.
- tun - Tunnel type. Possible values: kmp (IPsec tunnel) or snx (SSL tunnel). Default: kmp.
- auth - Authentication method. The valid values are: username (user name and password method), RSA (RSA SecurID), Certificate, PinPad (keypad for PIN code), KeyFob (security token key fob), Challenge (challenge and response method). Default: username.
- port - Port to use. Default: 443.
- url - After each connection to the VPN site, this URL is opened. Default: no value.
- remoteactions - Enables using the VPN site API for this site. Valid values: yes or no. Default: no.

Parameters for Certificate Authentication

These parameters can be used for VPN sites that use certificate authentication.
- regkey - Activation key that enrolls a certificate. Default: no value.
- ondemand - Valid values: yes, no, askuser. Default: no.
- domainalways - An array of hosts to which the client always connects through the VPN tunnel. Example: domainalways = "example1.com example2.com checkpoint.com"
- domainnever - An array of hosts to which the client never connects through the VPN tunnel. Example: domainnever = "example1.com example2.com checkpoint.com"
- domainifneeded - An array of hosts to which the client connects through the VPN tunnel only when necessary. Example: domainifneeded = "example1.com example2.com checkpoint.com"
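The site URL described in Configuring the URL and Creating a New VPN Site, and the QR code (which is that same URL encoded as an image), can be generated and checked programmatically instead of by hand. The Python below is an added example, not part of this guide and not Check Point tooling: it builds a site URL from the documented fields (spaces become +, domain lists are joined with +), parses create, connect and disconnect URLs back into fields, rejects values the guide does not allow (unknown fields, a tun value other than kmp/snx, on-demand or regkey parameters without certificate authentication), and checks a fingerprint field against a presented certificate so that a distributed URL pins the gateway and the user is not left to accept whatever the Verify Server dialog shows. It assumes, which the guide does not state, that the fingerprint is the hex SHA-1 of the certificate's DER encoding with colons optional; the certificate bytes used in the test are a constructed placeholder. Worth remembering when generating these URLs: a site created with remoteactions=yes can be connected and disconnected by any web page or app that can open a cpvpn:// URL, so leave it at the default of no unless that is wanted.

```python
"""Build, parse and validate cpvpn:// site URLs (VPN site API and QR code URLs).

Added example, not Check Point code. Assumption beyond the guide: the
fingerprint field is the hex SHA-1 of the server certificate's DER bytes,
colons optional, case ignored.
"""
import hashlib
import hmac
from urllib.parse import quote_plus, unquote_plus, urlencode

MANDATORY = {"name", "host"}
OPTIONAL = {"user", "fingerprint", "cn", "tun", "auth", "port", "url",
            "remoteactions", "regkey", "ondemand",
            "domainalways", "domainnever", "domainifneeded"}
ENUMS = {
    "tun": {"kmp", "snx"},
    "auth": {"username", "RSA", "Certificate", "PinPad", "KeyFob", "Challenge"},
    "remoteactions": {"yes", "no"},
    "ondemand": {"yes", "no", "askuser"},
}
DOMAIN_LISTS = {"domainalways", "domainnever", "domainifneeded"}
CERT_ONLY = {"regkey", "ondemand"} | DOMAIN_LISTS   # certificate-auth parameters


def validate_site_fields(fields):
    """Raise ValueError unless the fields form a site definition the guide allows."""
    missing = MANDATORY - fields.keys()
    if missing:
        raise ValueError("missing mandatory field(s): %s" % sorted(missing))
    unknown = fields.keys() - MANDATORY - OPTIONAL
    if unknown:
        raise ValueError("unknown field(s): %s" % sorted(unknown))
    for key, allowed in ENUMS.items():
        if key in fields and fields[key] not in allowed:
            raise ValueError("%s must be one of %s" % (key, sorted(allowed)))
    if "port" in fields and not fields["port"].isdigit():
        raise ValueError("port must be numeric")
    # On-demand and enrollment parameters are only for certificate authentication.
    if CERT_ONLY & fields.keys() and fields.get("auth") != "Certificate":
        raise ValueError("regkey/ondemand/domain* require auth=Certificate")


def build_site_url(**fields):
    """Return a cpvpn:///? URL that creates a site with the given fields.

    Domain lists may be given as Python lists; they are joined with '+'.
    Spaces in values become '+', as the guide requires.
    """
    encoded = {}
    for key, value in fields.items():
        if key in DOMAIN_LISTS and isinstance(value, (list, tuple)):
            value = "+".join(value)
        encoded[key] = str(value)
    validate_site_fields(encoded)
    # quote_plus maps ' ' to '+'; safe="+" keeps the list separator literal.
    return "cpvpn:///?" + urlencode(encoded, quote_via=quote_plus, safe="+")


def parse_cpvpn_url(url):
    """Return (action, fields); action is 'create', 'connect' or 'disconnect'."""
    for prefix in ("cpvpn:///?", "cpvpn://?"):   # both forms appear in the guide
        if url.startswith(prefix):
            query = url[len(prefix):]
            break
    else:
        raise ValueError("not a cpvpn URL")
    fields = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        if key in DOMAIN_LISTS:          # '+' separates hosts in these lists
            fields[key] = [unquote_plus(h) for h in raw.split("+") if h]
        else:
            fields[key] = unquote_plus(raw)
    for action in ("connect", "disconnect"):
        if action in fields:             # a valueless field selects the action
            del fields[action]
            if "sitename" not in fields:
                raise ValueError("%s requires sitename" % action)
            return action, fields
    validate_site_fields(fields)
    return "create", fields


def sha1_fingerprint(cert_der):
    """Colon-separated upper-case SHA-1 fingerprint of a DER certificate."""
    hexdigest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(expected, cert_der):
    """Constant-time comparison of the URL's fingerprint with the presented cert."""
    want = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(want, hashlib.sha1(cert_der).hexdigest())


if __name__ == "__main__":
    print(build_site_url(name="demo", host="idemo.checkpoint.com", user="John Doe"))
```

The same URL string goes into the QR code generator of your choice; the guide's cpqrcodegen tool takes the parameters directly, so the function above is mainly useful when a provisioning system emails the URL or embeds it in an intranet page and you want the fields validated before they reach users.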

Using the iPhone Configuration Utility

Configuring the VPN Profile

You can configure the VPN site using the iPhone Configuration Utility. You can download this utility from Apple iPhone Support Enterprise.

When configuring a VPN profile, use the Configuration Profile section and select the VPN tab. Configure these parameters:
- Connection Name - Name of the site.
- Connection Type - Set to Custom SSL.
- Identifier - Set to: com.checkpoint.checkpoint-vpn.vpnplugin
- Server - Hostname or IP address of the server.
- Account - User name or account for authenticating.
- Custom Data - A list of fields and values. See Custom Data Fields.
- User Authentication - Choose Certificate or Password. If Certificate was chosen for User Authentication, you must also select a valid certificate in the Credential field. When using Certificate as User Authentication, you can enable VPN On Demand: select Enable VPN On Demand, add domains or hosts, and select an action for each: Always establish, Never establish, or Establish if needed. If password credentials are used, you must fill in the Password field to authenticate the connection.

Custom Data Fields

These are the keys that can be used in the Custom Data screen:
- tuntype - Possible values: kmp (IPsec tunnel) or snx (SSL tunnel).
- authtype - Possible values: p, t or r. p = password, t = keychain certificate, r = challenge and response. Note - The authtype field must match the value selected in the User Authentication field.
- password - Password to connect to the host, if Password was chosen for User Authentication.
- cn - Server host CN used for verifying the VPN site certificate.
- fingerprint - The fingerprint expected from the host.
- user - Default user name that is used to authenticate the connection.
- regkey - Activation key required to enroll a certificate (only when the authentication method is certificate).
- port - Port that the VPN connection uses.
- url - A URL to launch after each connection to the site.
- remoteactions - Lets the VPN API interact with this site. Possible values: yes and no.
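The profile the utility produces is an XML property list, so the same VPN payload can be generated from a provisioning script rather than clicked through for every site. The Python below is an added example and is not code from Check Point or from Apple: it places the Custom Data keys listed above under the payload's VendorConfig, derives authtype from the chosen User Authentication so the two cannot disagree (the note above requires that they match), refuses certificate authentication without a Credential, and maps the three on-demand actions to domain lists, which only certificate authentication allows. The payload key names (PayloadType com.apple.vpn.managed, VPNType, VPNSubType, VendorConfig, PayloadCertificateUUID, OnDemandEnabled and the OnDemandMatchDomainsAlways/Never/OnRetry lists) are assumptions taken from Apple's configuration profile format and are not documented on this page; check them against a profile exported by the utility before deploying. Also note that a password placed in Custom Data ships inside the profile in the clear, one more reason to prefer certificate authentication for distributed profiles.

```python
"""Generate a .mobileconfig VPN profile for the Check Point custom SSL plug-in.

Added example; not Check Point or Apple code. The Custom Data keys come from
this guide; the profile payload keys are assumed from Apple's configuration
profile format and should be checked against a profile the utility exports.
"""
import plistlib
import uuid

VPN_PLUGIN_ID = "com.checkpoint.checkpoint-vpn.vpnplugin"   # Identifier field
AUTHTYPE_FOR = {"Password": "p", "Certificate": "t"}        # authtype must match
EXTRA_CUSTOM_KEYS = {"password", "regkey", "port", "url", "remoteactions"}


def build_vpn_profile(site_name, server, account, user_auth="Certificate",
                      tuntype="kmp", cn=None, fingerprint=None,
                      cert_payload_uuid=None, on_demand=None,
                      org_prefix="com.example.vpn", **custom):
    """Return the profile as a dict that plistlib can serialize.

    on_demand: optional dict with 'always', 'never', 'if_needed' host lists
    (the utility's Always establish / Never establish / Establish if needed).
    cert_payload_uuid: UUID of the PKCS#12 payload chosen as the Credential.
    org_prefix is a hypothetical reverse-DNS identifier for your organization.
    """
    if user_auth not in AUTHTYPE_FOR:
        raise ValueError("user_auth must be Password or Certificate")
    if user_auth == "Certificate" and not cert_payload_uuid:
        raise ValueError("certificate authentication needs a Credential (payload UUID)")
    if tuntype not in ("kmp", "snx"):
        raise ValueError("tuntype must be kmp or snx")
    unknown = custom.keys() - EXTRA_CUSTOM_KEYS
    if unknown:
        raise ValueError("unknown Custom Data key(s): %s" % sorted(unknown))

    # Custom Data fields from the guide go under VendorConfig.
    vendor = {"tuntype": tuntype, "authtype": AUTHTYPE_FOR[user_auth], "user": account}
    if cn:
        vendor["cn"] = cn
    if fingerprint:
        vendor["fingerprint"] = fingerprint
    vendor.update({k: str(v) for k, v in custom.items()})

    vpn = {"RemoteAddress": server, "AuthenticationMethod": user_auth}
    if cert_payload_uuid:
        vpn["PayloadCertificateUUID"] = cert_payload_uuid
    if on_demand:
        if user_auth != "Certificate":
            raise ValueError("VPN On Demand requires certificate authentication")
        vpn["OnDemandEnabled"] = 1
        vpn["OnDemandMatchDomainsAlways"] = list(on_demand.get("always", []))
        vpn["OnDemandMatchDomainsNever"] = list(on_demand.get("never", []))
        vpn["OnDemandMatchDomainsOnRetry"] = list(on_demand.get("if_needed", []))

    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix + ".vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": site_name,
        "UserDefinedName": site_name,          # Connection Name
        "VPNType": "VPN",                      # Connection Type: Custom SSL
        "VPNSubType": VPN_PLUGIN_ID,
        "VPN": vpn,
        "VendorConfig": vendor,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "VPN: " + site_name,
        "PayloadContent": [payload],
    }


def vpn_payload(profile):
    """The single VPN payload inside a profile built by build_vpn_profile()."""
    return profile["PayloadContent"][0]


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes that are written to a .mobileconfig file."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_vpn_profile("demo", "idemo.checkpoint.com", "john.doe",
                             cn="idemo.checkpoint.com",
                             cert_payload_uuid=str(uuid.uuid4()).upper(),
                             on_demand={"always": ["example1.com"],
                                        "never": ["help.example1.com"]})
    print(to_mobileconfig(prof).decode())
```

Write the bytes from to_mobileconfig() to a file ending in .mobileconfig and distribute it together with the certificate payload it references; the utility's own export is the authoritative reference for any key the page does not list.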