Enable or disable UserCheck directly on the Security Gateway. The DLP tab > Gateways window shows a list of Security Gateways with the DLP blade enabled.
To configure a Security Gateway for UserCheck:
The Gateway Properties window opens.
If the Main URL points to an external interface, set Accessibility > Edit to Through all interfaces or According to the firewall policy.
If users connect to the gateway remotely, set the internal interface of the gateway (on the Topology page) to be the same as the Main URL for the UserCheck portal.
Note - The Main URL field must be manually updated if:
By default the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user's browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.
Even though DLP interactions are displayed in a secure (https) portal, the main URL for the UserCheck portal starts with http:// and is not secured by a certificate. You might consider using a valid certificate to secure the main portal URL when using UserCheck for DLP violations.
Note: If Including VPN encrypted interfaces is selected, add a Firewall rule that looks like this:
Source | Destination | VPN | Service | Action |
---|---|---|---|---|
Any | Gateway on which UserCheck client is enabled | Any Traffic | UserCheck | Accept |
Note: The link will not be active until the UserCheck portal is up.
The Security Gateway has an internal persistence mechanism that preserves UserCheck notification data if the gateway or gateway cluster reboots. Records of a user answering or receiving notifications are never lost.
usrchk
You can use the usrchk command in the gateway command line to show or clear the history of UserCheck objects.
Syntax: usrchk [debug] [hits] [incidents]
Examples:
usrchk hits list all
usrchk hits clear user <username>
Notes: Run usrchk hits list all to see the names of the interaction objects. Use the name of the interaction object exactly as it is shown in the list.
The UserCheck agent supports single sign-on using the Kerberos network authentication protocol. Kerberos is the default authentication protocol used in Windows 2000 domains and above.
The Kerberos protocol is based on the idea of tickets, encrypted data packets issued by a trusted authority, in this case the Active Directory (AD). When a user logs in, the user authenticates to a domain controller that provides an initial ticket granting ticket (TGT). This ticket vouches for the user’s identity.
When the user needs to authenticate against the DLP gateway through the UserCheck agent, the agent presents this ticket to the domain controller and requests a service ticket (SR) for a specific resource (the DLP gateway). The UserCheck agent presents this service ticket to the gateway.
For more detailed information on Kerberos SSO, see:
Single Sign-On Configuration
SSO configuration has two steps:
Creating a user account and mapping it to a Kerberos principal name.
Creating an LDAP Account Unit and configuring it to support SSO.
The AD configuration involves:
Creating a new User Account
Mapping the User Account to a Kerberos Principal Name
This step uses the ktpass utility to create a Kerberos principal name that is used by both the gateway and the AD. A Kerberos principal name consists of a service name (for the DLP gateway that the UserCheck agent connects to) and the domain name to which the service belongs.
Ktpass is a command-line tool available in Windows 2000 and higher.
Retrieve the correct executable
You must install the correct ktpass.exe version on the AD. Ktpass.exe is not installed by default in Windows 2003.
The ktpass utility is already installed on your server in the Windows\System32 folder and you can run it from the command line. Open the command prompt as an administrator by right-clicking it and selecting Run as administrator.
Use Ktpass
C:> ktpass -princ ckp_pdp/domain_name@DOMAIN_NAME -mapuser username@domain_name -pass password -out unix.keytab -crypto RC4-HMAC-NT
Important - Enter the command exactly as shown. It is case-sensitive.
This is an example of running ktpass with these parameters:
Parameter | Value |
---|---|
domain_name@DOMAIN_NAME | corp.acme.com@CORP.ACME.COM |
username@domain_name | ckpsso@corp.acme.com |
password | qwe123@# |
The AD is ready to support Kerberos authentication for the Security Gateway.
The example above shows the ktpass syntax on Windows 2003. When using Windows 2008/2008 R2 Server, the ktpass syntax is slightly different. Parameters are introduced using a forward slash "/" instead of a hyphen "-".
Example (Windows 2008):
ktpass /princ ckp_pdp/corp.acme.com@CORP.ACME.COM /mapuser ckpsso@corp.acme.com /pass qweQWE!@# /out unix.keytab /crypto RC4-HMAC-NT
Authentication Failure
Authentication will fail if you have used the ktpass utility before for the same principal name (ckp_pdp/domain_name@DOMAIN_NAME) but with a different account.
If you have used the ktpass utility before, run:
ldifde -f check_SPN.txt -t 3268 -d "dc=corp,dc=acme,dc=com" -l servicePrincipalName -r "(servicePrincipalName=ckp_pdp*)" -p subtree
Open the check_SPN.txt file and verify that only one record is present. If multiple records exist, you must delete the other account or remove its association with the principal name.
Remove the association with the principal name by running:
setspn -D ckp_pdp/domain_name old_account_name
For example:
setspn -D ckp_pdp/corp.acme.com ckpsso
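As an added example (not from the Check Point guide), a Python script that parses the check_SPN.txt export written by the ldifde command above and reports every account holding a ckp_pdp SPN, which is the duplicate-mapping condition that makes Kerberos SSO fail. The LDIF content and account DNs embedded in it are constructed for the example.

```python
"""Check an ldifde export (check_SPN.txt) for more than one ckp_pdp SPN holder."""
import re

# Constructed sample of what the ldifde command writes to check_SPN.txt:
# two hypothetical accounts both carry the ckp_pdp SPN, so SSO would fail.
SAMPLE_LDIF = """\
dn: CN=ckpsso,CN=Users,DC=corp,DC=acme,DC=com
changetype: add
servicePrincipalName: ckp_pdp/corp.acme.com

dn: CN=old-sso-account,CN=Users,DC=corp,DC=acme,
 DC=com
changetype: add
servicePrincipalName: HOST/oldbox.corp.acme.com
servicePrincipalName: ckp_pdp/corp.acme.com
"""


def parse_ldif(text):
    """Return a list of records, each a dict attr -> [values].
    Folded lines (a continuation line starting with one space) are joined first."""
    records, current = [], {}
    unfolded = re.sub(r"\r?\n ", "", text)
    for line in unfolded.splitlines():
        if not line.strip():          # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def spn_holders(text, prefix="ckp_pdp/"):
    """Map each DN to the SPNs it holds that start with prefix (case-insensitive)."""
    holders = {}
    for rec in parse_ldif(text):
        spns = [s for s in rec.get("serviceprincipalname", [])
                if s.lower().startswith(prefix.lower())]
        if spns:
            holders[rec["dn"][0]] = spns
    return holders


def single_mapping_ok(text, prefix="ckp_pdp/"):
    """True only when exactly one account holds the SPN, as the verification step requires."""
    return len(spn_holders(text, prefix)) == 1


if __name__ == "__main__":
    for dn, spns in spn_holders(SAMPLE_LDIF).items():
        print(dn, "->", ", ".join(spns))
    print("single mapping:", single_mapping_ok(SAMPLE_LDIF))
```

Replace SAMPLE_LDIF with the contents of your own check_SPN.txt; any DN reported besides the intended account is the one to detach with setspn -D.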
In SmartDashboard you need to configure an LDAP Account Unit to support SSO
To configure the account unit:
Select Servers and OPSEC Applications in the Objects Tree. Right-click Servers > New > LDAP Account Unit.
Use the user account that was mapped to the Kerberos principal name (ckpsso in the example above). LDAP over SSL is not supported by default. If you did not configure your domain controller to support LDAP over SSL, do it now or make sure this option is not selected.
On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages. It has these options:
Option | Meaning |
---|---|
New | Creates a new UserCheck object |
Edit | Modifies an existing UserCheck object |
Delete | Deletes a UserCheck object |
Clone | Clones the selected UserCheck object |
These are the default UserCheck messages:
Name | Action Type | Description |
---|---|---|
Inform User | Inform | Shows when the action for the rule is inform. It informs users what the company policy is for that site. |
Blocked Message | Block | Shows when a request is blocked. |
Ask User | Ask | Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site. |
Cancel Page | Cancel | Shows after a user gets an Inform or Ask message and clicks Cancel. |
Success Page | Approve | Shows that information was sent according to the user's request. |
Successfully Discarded | Discard | Shows when the information was successfully discarded according to the user's request. |
Ask and Inform pages include a Cancel button that users can click to cancel the request.
You can preview each message page in these views:
Create a UserCheck Interaction object from the Rule Base or from the UserCheck page of the DLP tab. The procedure below shows how to create the object from the Rule Base.
To create a UserCheck object that includes a message:
If you selected New UserCheck, the UserCheck Interaction window opens on the Message page.
Note - The graphic must have a height and width of 176 x 52 pixels.
Note - Right-clicking inside any of the text boxes gives you the option to Switch to HTML mode and enter HTML code directly. Switching to HTML mode closes the formatting toolbar.
Variables are replaced with applicable values when the (Prevent, Ask, Inform) action occurs and the message shows. The Username can only be displayed if the Identity Awareness blade is enabled.
Not all email clients can handle emails in rich text or HTML format. To accommodate such clients, you can configure the gateway to send emails without images.
To configure emails without images:
Open the $FWDIR/conf/usrchkd.conf file and set the send_emails_with_no_images entry to true.
Stop the usrchkd process. The process is automatically restarted by the gateway. The new configuration will survive a gateway reboot.
Email notifications are now sent in both plain text and HTML formats. The user's email client decides which format to show.
For each UserCheck Interaction object you can configure these options from the UserCheck Interaction window:
After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see: sk83700.
The DLP UserCheck predefined notifications are in only English by default. If necessary, you can add more languages manually.
To support more languages:
A tab for the language is added.