CP Mobile VPN iOS Admin Guide

10 July 2012

Administration Guide

Check Point Mobile VPN for iOS

Classification: [Protected]

© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

http://www.checkpoint.com/copyright.html

http://www.checkpoint.com/3rd_party_copyright.html

Important Information Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=17624

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date Description

10 July 2012 Updated VPN Site Settings (on page 20)

19 June 2012 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Check Point Mobile VPN for iOS Administration Guide).

http://supportcontent.checkpoint.com/documentation_download?ID=17624

http://supportcenter.checkpoint.com/

mailto:[email protected]?subject=Feedback%20on%20Check%20Point%20Mobile%20VPN%20for%20iOS%20%20Administration%20Guide

mailto:[email protected]?subject=Feedback%20on%20Check%20Point%20Mobile%20VPN%20for%20iOS%20%20Administration%20Guide

Contents

Important Information ............................................................................................. 3 Introduction ............................................................................................................. 5 Installing Check Point Mobile VPN for iOS on the Security Gateway ................. 6

Licensing Check Point Mobile VPN for iOS ......................................................... 6 Configuring the R75.40 Security Gateway ........................................................... 6

R75.40 Optional Configuration ........................................................................ 8 Configuring the R71.50 Security Gateway ..........................................................10

R71.50 Optional Configuration .......................................................................14 Authenticating with an External CA .....................................................................16

Trusting an OPSEC Certified CA ...................................................................16 Configuring an External CA............................................................................17

Configuring Route All Traffic ...............................................................................18 Configuring the VPN Client .................................................................................. 19

Downloading the Application ..............................................................................19 Creating and Configuring the VPN Site ...............................................................19 Manually Configuring the VPN Site .....................................................................19

VPN Site Settings ..........................................................................................20 Sending Logs .................................................................................................20

Using the API for a VPN Site ..............................................................................20 Introduction ....................................................................................................20 Configuring the URL ......................................................................................21 Creating a New VPN Site ...............................................................................21 Connecting to a VPN Site ..............................................................................22 Disconnecting from a VPN Site ......................................................................23

Creating a QR Code ...........................................................................................23 QR Code URL Parameters ............................................................................23

Using the iPhone Configuration Utility ................................................................25 Configuring the VPN Profile ...........................................................................25 Custom Data Fields .......................................................................................25

Check Point Mobile VPN for iOS Administration Guide | 5

Chapter 1

Introduction The Check Point Mobile VPN for iOS application offers full layer-3 VPN tunnel for Apple iPhone and iPad running iOS 5.0 or later. It allows secure communication from any application running on those handheld devices to the organization. This guide explains how to configure the Security Gateway and install the client application on iOS devices.

Related Documentation

To see Known Limitations and Resolved Issues for Check Point Mobile VPN for iOS, see the Check Point Mobile VPN for iOS Release Notes.


Chapter 2

Installing Check Point Mobile VPN for iOS on the Security Gateway

In This Chapter

Licensing Check Point Mobile VPN for iOS 6

Configuring the R75.40 Security Gateway 6

Configuring the R71.50 Security Gateway 10

Authenticating with an External CA 16

Configuring Route All Traffic 18

Licensing Check Point Mobile VPN for iOS You must have a license for the Mobile Access Software Blade. The Software Blade comes with an introductory license. This license can be used for 30 days from the first time that you install a policy on an enabled Mobile Access Software Blade. The introductory license is a floating license and lets up to 10 users connect their devices to the Security Gateway. You can go to the Support Center and extend the 30 day introductory license to let up to 50 users connect to the Security Gateway.

To get a license:

1. Go to the Check Point Support Center and log into your account.

2. Open the My Products page.

3. Select the Mobile Access license.

4. Click License.

5. Install the license on the Mobile Access Security Gateway manually or with SmartUpdate.

Configuring the R75.40 Security Gateway Use SmartDashboard to configure an R75.40 Security Gateway to support Check Point Mobile VPN for iOS.

To configure Check Point Mobile VPN for iOS on an R75.40 Security Gateway:

1. Open SmartDashboard.

2. Right-click the Security Gateway and select Edit.

The Check Point Gateway - General Properties window opens.

3. Make sure that the IPsec VPN Software Blade is enabled.

4. Select IPsec VPN > VPN Advanced.

5. Make sure that Support NAT transversal is selected.

6. Select IPsec VPN > Remote Access and configure these settings.

a) From Allocated port, select VPN1_IPSEC_encapsulation.

b) Select Support Visitor Mode.



c) From Service, select https.

7. Select IPsec VPN > Authentication and configure the Authentication Method.

For more information about configuring authentication methods, see the R75.40 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk67581).

For more information about configuring the certificate authentication method, see Known Limitation 00874317 in the Check Point Mobile VPN for iOS Release Notes.

8. Select IPsec VPN > Office Mode and configure these settings.

a) Select Allow Office Mode to all users or a group.

b) Click Optional Parameters.

http://supportcontent.checkpoint.com/solutions?id=sk67581



The IP Pool Optional Parameters window opens.

c) Configure these settings,

DNS servers

DNS suffixes

IP lease duration

9. Select IPsec VPN > VPN Clients.

10. Select SSL Network Extender and SecureClient Mobile.

11. Click OK.

12. Install the policy on the Security Gateway.

R75.40 Optional Configuration

You can also configure these authentication and encryption settings for the Security Gateway.

To configure optional settings:

1. On the menu bar, select Policy > Global Properties.



a) Select Remote Access > SecureClient Mobile and configure the value for Re-authenticate user every.

For more information about Session Timeout see the R75.40 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk67581).

b) Select Remote Access > VPN - Authentication and Encryption and click Advanced.

The Encryption Properties window opens.

c) Click IPSEC Security Association (Phase 2).




d) In User Encryption properties, configure the settings.

For more information about Encryption Algorithm see the R75.40 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk67581).

2. Click OK.


Configuring the R71.50 Security Gateway Use SmartDashboard to configure a R71.50 Security Gateway to support Check Point Mobile VPN for iOS.

To configure Check Point Mobile VPN for iOS on a R71.50 Security Gateway:

1. Open SmartDashboard



3. Make sure that the IPsec VPN Software Blades is enabled.

4. Select IPsec VPN > Remote Access and configure these settings.

a) Select Support NAT traversal mechanism (UDP encapsulation).

b) Select Support Visitor Mode.




c) From Service, select https.

5. Select Authentication and configure the Enabled Authentication Schemes.

For more information about configuring authentication methods, see the R71 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk69720).

For more information about configuring the certificate authentication method, see Known Limitation 00874317 in the Check Point Mobile VPN for iOS Release Notes.

6. Select IPsec VPN > Office Mode and configure these settings.

a) Select Allow Office Mode to all users or a group.

b) Click Optional Parameters.




The IP Pool Optional Parameters window opens.

c) Configure these settings,

DNS servers

DNS suffixes

IP lease duration

7. Select IPsec VPN > VPN Clients.

8. Select SSL Network Extender and SecureClient Mobile.

9. Click OK.





For more information about Session Timeout see the R71 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk69720).

For more information about configuring the Session Timeout for SSL, see Known Limitation 00848021 in the Check Point Mobile VPN for iOS Release Notes.



c) Click the IPSEC Security Association (Phase 2) tab.





For more information about Encryption Algorithm see the R71 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk69720).

11. Click OK.


R71.50 Optional Configuration

You can also configure these authentication and encryption settings for the Security Gateway.

To configure optional settings:






For more information about Session Timeout see the R71 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk69720).

For more information about configuring the Session Timeout for SSL, see Known Limitation 00848021 in the Check Point Mobile VPN for iOS Release Notes.



c) Click the IPSEC Security Association (Phase 2) tab.





For more information about Encryption Algorithm see the R71 VPN Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk69720).

2. Click OK.


Authenticating with an External CA You can use SmartDashboard to configure the Security Gateway to use an external CA (Certificate Authority) to authenticate Check Point Mobile VPN for iOS.

Make sure that the external CA follows these guidelines:

Client certificate subject uses a full DN, and not only a CN.

The certificates must use a user template with the IKE public key property with the LDAP branch.

Note - To learn how to configure an internal CA, see the VPN Administration Guide for the Security Gateway version.

Trusting an OPSEC Certified CA

The CA certificate has to be supplied and saved to the disk in advance.

Note - In case of SCEP automatic enrollment, you can skip this stage and fetch the CA certificate automatically after configuring the SCEP parameters.

The CA's Certificate must be retrieved either by downloading it using the CA options on the Servers and OSPEC Applications tab, or by obtaining the CA's certificate from the peer administrator in advance.

Then define the CA object according to the following steps:




1. Open Manage > Servers and OPSEC Applications.

The Servers and OPSEC Application window opens.

2. Choose New > CA.

Select Trusted or Subordinate.

The Certificate Authority Properties window opens.

3. Enter a Name for the CA object, in the Certificate Authority Type drop-down box select the OPSEC PKI.

4. On the OPSEC PKI tab:

For automatic enrollment, select automatically enroll certificate.

From the Connect to CA with protocol, select the protocol used to connect with the certificate authority, either SCEP, CMPV1 or CMPV2.

Note - For entrust 5.0 and later, use CMPV1

5. Click Properties.

If you chose SCEP as the protocol, in the Properties for SCEP protocol window, enter the CA identifier (such as example.com) and the Certification Authority/Registration Authority URL.

If you chose cmpV1 as the protocol, in the Properties for CMP protocol - V1 window, enter the appropriate IP address and port number. (The default port is 829).

If you chose cmpV2 as the protocol, in the Properties for CMP protocol -V2 window, decide whether to use direct TCP or HTTP as the transport layer.

Note - If Automatic enrollment is not selected, then enrollment will have to be performed manually.

6. Choose a method for retrieving CRLs from this CA.

If the CA publishes CRLs on HTTP server choose HTTP Server(s). Certificates issued by the CA must contain the CRL location in an URL in the CRL Distribution Point extension.

If the CA publishes CRL on LDAP server, choose LDAP Server(s). In this case, you must define an LDAP Account Unit as well. See the Security Management Server Administration Guide for more details about defining an LDAP object.

Make sure that CRL retrieval is checked in the General tab of the LDAP Account Unit Properties window.

Certificates issued by the CA must contain the LDAP DN on which the CRL resides in the CRL distribution point extension.

7. Click Get.

8. If SCEP is configured, it will try to connect to the CA and retrieve the certificate. If not, browse to where you saved the peer CA certificate and select it.

VPN reads the certificate and displays its details. Verify the certificate's details. Display and validate the SHA-1 and MD5 fingerprints of the CA certificate.

9. Click OK.

Configuring an External CA

To configure an external CA:

1. From SmartDashboard, select Manage > Users and Administrators.

The Manage > Users and Administrators window opens.

2. Select Standard_User and click Edit.

The User Template Properties window opens.

3. Click Encryption.

4. Select IKE and click Edit.

The IKE Phase 2 Properties window opens.

5. Make sure that Public Key is selected.

6. Click OK.

7. From the menu bar, select Manage > Servers and OPSEC Applications.

The Servers and OPSEC Applications window opens.



8. Edit the LDAP account settings.

The LDAP Account Unit window opens.

9. Click Authentication.

10. Select Use user template and Standard_User.

11. Click OK and then Close.

Configuring Route All Traffic To configure the Route All Traffic settings:

1. Open SmartDashboard



3. Select IPsec VPN > Remote Access.

4. Select Allow VPN clients to route traffic through this gateway.

5. Click OK.


7. Select Remote Access > SecureClient Mobile.

8. From Route all traffic to gateway, select Yes.

9. Click OK.


Chapter 3

Configuring the VPN Client

In This Chapter

Downloading the Application 19

Creating and Configuring the VPN Site 19

Manually Configuring the VPN Site 19

Using the API for a VPN Site 20

Creating a QR Code 23

Using the iPhone Configuration Utility 25

Downloading the Application Download the Check Point Mobile VPN application from the Apple App Store.

Creating and Configuring the VPN Site Check Point Mobile VPN for iOS supports different procedures to create and configure the VPN site. Use the procedure that is the most convenient for your users.

Manual Configuration: Use the application to manually configure the VPN site settings.

VPN Site API: Create a URL that configures the settings for the VPN site.

QR Code: The application can read a QR code with the URL to create the VPN site.

iPhone Configuration Utility: Use the iPhone configuration utility to send the VPN site settings to all the users.

Manually Configuring the VPN Site To configure the VPN site settings in the application:

1. If necessary, open the New Site screen.

a) Tap Sites.

b) Tap +.

The New Site screen opens.

2. Configure these settings for the VPN site.

Name - name of VPN site.

Server - IP address or host name

3. Tap Create.

The Verify Server message opens.

4. Tap Yes to accept the certificate and fingerprint.

The Authentication screen opens.

5. Select the Authentication Method.



VPN Site Settings

These are the VPN site settings that users can manually configure in the application.

To configure the VPN site settings:

1. From the login screen, touch Sites.

The Site List screen opens.

2. Touch the arrow for the VPN site.

The settings for that VPN site are shown.

Authentication Method

Username and password – Check Point or LDAP password.

Certificate – Authenticate using an x509 certificate. Certificates can be:

Enrolled

Installed by email

Installed from the Internet

Installed using iPhone configuration utility

RSA SecureID token – Authenticate using an RSA SecureID.

Challenge response – Authenticate using the challenge and response procedure.

Automatic Reconnect

On – When connectivity is broken, the application tries to reconnect as long as there is network available.

Off – When connectivity is broken, the application tries to reconnect for 120 seconds. After this time, the application disconnects from the VPN site.

You can select the Off setting to use less battery on the device.

Connect On-Demand

This feature configures the VPN site to automatically create a VPN tunnel for specific domain names. Connect On-demand is only available when Certificate Authentication is enabled.

Select Connect On-demand to enable this feature.

VPN Tunnel Type

You can switch the VPN tunnel type between IPsec and SSL for the Check Point Mobile VPN for iOS client:

To switch the VPN tunnel type:

1. In the site settings screen, swipe up.

The VPN tunnel types are shown.

2. Select IPsec or SSL.

3. Swipe down.

Sending Logs

To send logs to customer support:

1. Open the application.

2. Tap About.

3. Tap Send Logs.

Using the API for a VPN Site

Introduction

The VPN API lets you control the application to:



Create a VPN site

Connect and disconnect to a VPN site

To use the VPN API, create a URL that can be integrated into HTTP web sites, configuration emails and 3rd party applications.

Sample URL that creates a VPN site using the VPN site API

Tap this URL in an iOS device with Check Point Mobile VPN for iOS. The application creates a new VPN site with these settings:

cpvpn:///?name=demo&host=idemo.checkpoint.com&user=John+Doe

VPN site name - demo

Host - idemo.checkpoint.com

User name - John Doe

Configuring the URL

The API URL is made of these segments:

Mandatory segment- The app identifier: cpvpn:///?

Fields paired with values, each two pairs are separated by the & character.

Do not use spaces, use the + character. Example: John+Doe

Assign a value to the field with the = character. Example: name=idemo

Creating a New VPN Site

Use these parameters to configure the settings for the VPN site.

Mandatory Parameters

Parameter Description

name The name of the site that is shown to the user.

host The address of the host. Example: idemo.checkpoint.com

Optional Parameters

Parameter Description Default Value

user Login name for the user. No value

fingerprint Fingerprint that is used for server validation. No value

cn CN for server validation. No value

tun Possible values: kmp (IPsec tunnel) or snx

(SSL tunnel)

kmp




auth Authentication method. The valid values are:

username (user name and password

method)

RSA (RSA SecureID)

Certificate

PinPad (Keypad for PIN code)

KeyFob (Security token key fob)

Challenge (Challenge and response

method)

username

port Port to use 443

url After each connection to the VPN site, this URL is opened.

No value

remoteActions Enables using the VPN site API. Valid values: yes

or no

No

Parameters for Certificate Authentication

These parameters can be used for VPN sites that use certificate authentication.


regKey Activation key that enrolls a certificate No value

onDemand Valid values:

yes

no

askUser

No

domainAlways An array of hosts to which iOS connects only using a VPN tunnel. Example: domainAlways="example1.com+example2.com+idemo.com"

domainNever Hosts that are exceptions to the domainAlways parameters. iOS never

tries to connect to these hosts using a VPN tunnel. Example: domainNever="help.example1.com+products.example1.com"

domainIfNeeded An array of hosts that iOS first tries to connect without using a VPN tunnel. If the first connection fails, iOS tries to connect using a regular connection. Example: domainIfNeeded="example1.com+idemo.com"

Connecting to a VPN Site

The connect action attempts to connect to the site. If more authentication is necessary, the login screen for the site is shown.

Important - This action is only enabled if the remoteActions field was set to yes when site

was created.

Example: cpvpn://?connect&siteName=MySite&url=www.URLToLaunchAfterConnect.com



The connect action is identified by the field connect. This field is not assigned a value.

Parameters for the connect action:

siteName - (Mandatory) The name of the site that is in the Sites list in the VPN Client.

url - (Optional) A one-time response URL that is launched when the application connects to the site.

Disconnecting from a VPN Site

This action is only enabled if the remoteActions field was set to yes when the site was created.

The disconnect action disconnects the device from the site.

Important - This action is only enabled if the remoteActions field was set to yes when site

was created.

Example: cpvpn://?disconnect&siteName=MySite&url=www.URLToLaunchAfterDisconnect.com

The disconnect action is identified by the field disconnect. This field is not assigned a value.

Parameters for the connect action:

siteName - (Mandatory) The name of the site that is in the Sites list in the VPN Client.

url - (Optional) A one-time response URL that is launched when the application disconnects to the

site.

Creating a QR Code A QR code is a URL that is encoded in a QR image. The application has a built-in QR scanner that can read the URL and create a VPN site. You can create a QR code so that users can easily create VPN sites on their iOS handheld devices.

For more about the VPN settings that you can use in the URL, see QR Code URL Parameters (on page 23).

To create a QR code using the QR Code Tool:

1. Download the QR Code Tool (http://supportcontent.checkpoint.com/solutions?id=sk69540).

2. From the CLI, run the command cpQRCodeGen.

These are the mandatory parameters for the command: name='<name>' host='host'

file='file'.

This is a sample script that creates a QR code PNG file.

cpQRCodeGen name='demo' host='idemo.checkpoint.com' user='John Doe'

file=phoenixQR.png remote actions=yes

To create a QR code using a QR code generator:

1. Create a URL for the VPN site.

2. Use a QR code generator to create a QR image of the URL.

QR Code URL Parameters

Mandatory Parameters

Parameter Description

name The name of the site that is shown to the user.

host The address of the host. Example: idemo.checkpoint.com

file The PNG file name of the QR Code image that is created. Example: mySite.png




Optional Parameters


user Login name for the user. No value

fingerprint Fingerprint that is used for server validation. No value

cn CN for server validation. No value

tun Possible values: kmp (IPsec tunnel) or snx

(SSL tunnel)

kmp

auth Authentication method. The valid values are:

username (user name and password

method)

RSA (RSA SecureID)

Certificate

PinPad (Keypad for PIN code)

KeyFob (Security token key fob)

Challenge (Challenge and response

method)

username

port Port to use 443

url After each connection to the VPN site, this URL is opened.

No value

remoteActions Enables using the VPN site API. Valid values: yes

or no

No

Parameters for Certificate Authentication

These parameters can be used for VPN sites that use certificate authentication.


regKey Activation key that enrolls a certificate No value

onDemand Valid values:

yes

no

askUser

No

domainAlways An array of hosts to which the client always tries to connect. Example: domainAlways = "example1.com example2.com

checkpoint.com"

domainNever An array of hosts to which the client never tries to connect. Example: domainNever = "example1.com example2.com

checkpoint.com"

domainIfNeeded An array of hosts to which the client tries to connect when

necessary. Example: domainIfNeeded = "example1.com example2.com checkpoint.com"



Using the iPhone Configuration Utility

Configuring the VPN Profile

You can configure the VPN site using the iPhone configuration utility. You can download this utility from Apple iPhone Support Enterprise.

When configuring a VPN Profile, use the Configuration Profile section and select the VPN tab.

Configure these parameters:

Connection Name - Name of the site

Connection Type - Set to custom SSL

Identifier - Set to: com.checkpoint.CheckPoint-VPN.vpnplugin

Server - Hostname or IP address for the server.

Account - User name or account for authenticating

Custom Data - A list of fields and values are available here. See Custom Data Fields (on page 25).

User Authentication - Choose certificate or password.

If certificate was chosen for User Authentication we must also select a valid certificate in the Credential field.

When using certificate as User Authentication you can enable VPN On Demand - select Enable VPN On Demand.

Add Domains or hosts and select an action: Always establish, Never establish, Establish if needed.

If password credentials are used, it is necessary to fill in the password field to authenticate the connection.

Custom Data Fields

These are the keys that can be used in the Custom Data screen:

tuntype - possible values: kmp (IPsec tunnel) or snx (SSL tunnel)

authType - Possible values: p, t, or r

p = password, t = keychain certificate, r = challenge and response

Note - The authType field should match the value selected in the User Authentication

field.

password - Password to connect to host, if password was chosen for User Authentication.

cn - Server Host CN used for verifying VPN site certificate

fingerprint - The fingerprint expected from host.

user - default user name that is used to authenticate the connection.

regKey - Activation key required to enroll a certificate. (Only when authentication method is by certificate)

port - Port that the VPN connection uses

url - A url to launch after each connection to the site

remoteActions - Lets the VPN API to interact with this site. Possible values: yes and no

CP Mobile VPN iOS Admin Guide

Documents

Transcript of CP Mobile VPN iOS Admin Guide