7.4 Mobile Access Blade
Key Takeaways
- The Mobile Access blade provides clientless SSL VPN via the portal at https://<Gateway_IP>/sslvpn plus on-demand SNX and Capsule Workspace clients.
- MAB does not use a VPN community; applications are published in the Mobile Access tab and matched by Access Control rules.
- Secure Workspace was deprecated in February 2024 — flag it as deprecated on the exam.
- MAB and the IPsec VPN blade can coexist on the same gateway and integrate with IPS, Anti-Virus, and MDM enforcement.
Mobile Access Software Blade
The Mobile Access Software Blade (MAB) is Check Point's SSL VPN solution, providing clientless browser access plus on-demand and mobile-client access for managed and unmanaged devices. Where the IPsec VPN blade is for full-tunnel client-based access, MAB is for the helpdesk technician who needs OWA from a hotel iPad, the contractor who should not get a managed client, and the executive who needs a quick RDP session from an internet café. MAB runs over TLS (TCP 443) so it works from almost any network that allows web browsing.
Access Methods
| Method | Description |
|---|---|
| Mobile Access Portal | Clientless web portal at https://<Gateway_IP>/sslvpn — bookmarks for web apps, file shares, RDP/SSH (Guacamole-based, R81+) |
| SSL Network Extender (SNX) | On-demand Layer 3 VPN client downloaded from the portal; runs in the browser |
| Capsule Workspace | Mobile app for iOS/Android; SSL VPN with corporate container |
| Capsule Connect / Capsule VPN | Mobile IPsec or SSL clients for iOS/Android |
| Endpoint Compliance Scanner (ESOD) | Pre-connect endpoint compliance scan |
Key Features
- Multi-factor authentication: DynamicID, RADIUS, SecurID, SAML, certificates.
- Protection Levels: Permissive, Normal, Restrictive — granular control over what endpoint features (file share, clipboard, printing) are allowed per user group.
- MDM Cooperative Enforcement: deny access to devices that fail MDM checks.
- Secure Workspace: virtual desktop environment (Check Point deprecated this in February 2024 — know the deprecation for the exam).
- Integration: MAB works alongside the IPsec VPN blade on the same gateway and shares IPS (Web Intelligence auto-enabled) and Anti-Virus/Anti-Malware protections.
Configuration Workflow
- Enable the Mobile Access Software Blade on the Security Gateway.
- From SmartConsole, open Gateway Properties → Mobile Access and configure the portal settings, certificate, and authentication.
- Define User Groups and assign Protection Levels.
- Create applications (web, file share, RDP/SSH, custom) in the Mobile Access tab.
- Configure the Access Control policy to allow traffic from the MAB gateway to internal servers; VPN column is not used because MAB is not a community-based VPN.
- Install policy and test by browsing to
https://<Gateway_IP>/sslvpn.
Office Mode and MAB
Office Mode can be configured with either the Mobile Access blade or the IPsec VPN blade. When MAB users get Office Mode IPs, return traffic to the SSL VPN pool routes correctly back through the gateway. This is mandatory if you want SNX clients to reach internal subnets that do not have a default route back to the gateway. The portal URL is published on the gateway's interface and uses a server certificate; production deployments should replace the default certificate with one signed by a trusted CA.
Link Selection
For gateways with multiple external IPs (cluster VIPs, DAIP, multi-homed), MAB uses Link Selection to publish the right gateway IP for clients to connect to. You can configure Link Selection by interface, by gateway, by a specific IP, or by a dynamic DNS name. This is the MAB equivalent of choosing which peer IP a site-to-site tunnel negotiates to.
Differences from IPsec Remote Access
| Aspect | IPsec VPN blade | Mobile Access blade |
|---|---|---|
| Transport | IPsec (UDP 500/4500, ESP) | SSL/TLS (TCP 443) |
| Client | Endpoint Security VPN, Mobile for Windows, SecuRemote | Browser, SNX, Capsule Workspace |
| Configuration object | Remote Access community | Mobile Access applications + portal |
| Use case | Full corporate-equivalent access for managed clients | Clientless and mobile access for unmanaged devices |
Common MAB Troubleshooting
- Portal unreachable: check that the MAB blade is enabled, that TCP 443 reaches the gateway, and that the gateway certificate is valid. Also confirm Link Selection publishes an IP that the client can route to.
- SNX fails to download: usually a browser/java policy block or a certificate mismatch; verify the gateway certificate is trusted by the client.
- Authentication works but no resources show: check the user group's application assignments and Protection Level.
- MAB logs are not on the gateway: MAB generates its own logs under the Mobile Access blade in SmartConsole; filter on
blade:"Mobile Access".
MAB Licensing and Multi-Domain
MAB requires a Mobile Access Software Blade license on the Security Gateway. On Multi-Domain Security Management (MDM), the blade is enabled per Domain and the portal is published per Security Gateway — there is no single global portal. The same SmartEvent and Log Server infrastructure that handles IPsec logs handles MAB logs. For high-throughput MAB deployments you can also enable the Mobile Access SuperNode feature, which scales the SNX session capacity of a single gateway beyond the default limit. For the CCSA exam, however, the key facts are: MAB is licensed per gateway, configured per gateway, and integrated with IPS, Anti-Virus, and Identity Awareness.
Exam Traps
- MAB does not use the VPN column — there is no "Mobile Access community" object. Applications are published in the Mobile Access tab and matched by an Access Control rule that permits the gateway to the internal server.
- Secure Workspace is deprecated as of Feb 2024. If a question offers it as a current feature, the right answer is to flag the deprecation.
- SNX is on-demand and downloaded from the portal; it is not pre-installed like Endpoint Security VPN.
- MAB and IPsec VPN blades can run on the same gateway concurrently — they are not either/or.
Which URL do users browse to in order to reach the clientless Mobile Access portal on an R82 gateway?
Which statement about the Mobile Access blade on R82 is correct?