|
|
|
In This Section: |
Enable or disable UserCheck directly on the Security Gateway. If users connect to the gateway remotely, set the internal interface of the gateway (on the Topology page) to be the same as the Main URL for the UserCheck portal.
Note - The Main URL field must be manually updated if:
To configure a Security Gateway for UserCheck:
The gateway window opens and shows the General Properties page.
For example: Usercheck.mycompany.com
Note - If Including VPN encrypted interfaces is selected, add a Firewall rule that looks like this:
Source |
Destination |
VPN |
Service |
Action |
Any |
Gateway on which UserCheck client is enabled |
Any Traffic |
UserCheck |
Accept |
Note: The link will not be active until the UserCheck portal is up.
Usrchk
You can use the usrchk
Description |
|
|---|---|
Syntax |
usrchk [debug] [hits] [incidents] |
Parameters
Parameter |
Description |
debug |
Controls debug messages |
hits |
Shows user incident options: list - Options to list user incidents
clear - Options to clear user incidents
db - user hits database options |
incidents |
Operations that can be done for incidents. For example:
|
Examples:
usrchk hits list all: usrchk hits clear user <username>Notes:
user <username> usrchk hits list allThe UserCheck agent supports single sign on using the Kerberos network authentication protocol. Kerberos is the default authentication protocol used in Windows 2000 domains and above.
The Kerberos protocol is based on the idea of tickets, encrypted data packets issued by a trusted authority, in this case the Active Directory (AD). When a user logs in, the user authenticates to a domain controller that provides an initial ticket granting ticket (TGT). This ticket vouches for the user’s identity.
When the user needs to authenticate against the DLP gateway through the UserCheck agent, the agent presents this ticket to the domain controller and requests a service ticket (SR) for a specific resource (the DLP gateway). The UserCheck agent presents this service ticket to the gateway.
For more detailed information on Kerberos SSO, see:
Single Sign-On Configuration
SSO configuration has two steps:
Creating a user account and mapping it to a Kerberos principal name.
Creating an LDAP Account Unit and configuring it to support SSO.
The AD configuration involves:
Creating a new User Account
Mapping the User Account to a Kerberos Principle Name
This step uses the ktpass utility to create a Kerberos principal name that is used by both the gateway and the AD. A Kerberos principal name consists of a service name (for the DLP gateway that the UserCheck agent connect to) and the domain name to which the service belongs.
Ktpass is a command-line tool available in Windows 2000 and higher.
Retrieve the correct executable
You must install the correct ktpass.exe version on the AD. Ktpass.exe is not installed by default in Windows 2003.
The ktpass utility is already installed on your server in the Windows\System32 folder and you can run the command line. You need to open the command prompt as an administrator by right clicking it and selecting "run as an Administrator".
Use Ktpass
C:> ktpass -princ ckp_pdp/domain_name@DOMAIN_NAME -mapuser username@domain_name -pass password -out unix.keytab –crypto RC4-HMAC-NT
|
Important - Enter the command exactly as shown. It is case-sensitive. |
This is an example of running ktpass with these parameters:
Parameter |
Value |
|---|---|
domain_name@DOMAIN_NAME |
corp.acme.com@CORP.ACME.COM |
username@domain_name |
ckpsso@corp.acme.com |
password |
qwe123@# |
The AD is ready to support Kerberos authentication for the Security Gateway.
The example above shows the ktpass syntax on Windows 2003. When using Windows 2008/2008 R2 Server, the ktpass syntax is slightly different. Parameters are introduced using a forward slash "/-
Example (Windows 2008):
ktpass /princ ckp_pdp/corp.acme.com@CORP.ACME.COM /mapuser ckpsso@corp.acme.com /pass qweQWE!@# /out unix.keytab /crypto RC4-HMAC-NT
Authentication Failure
Authentication will fail if you have used the ktpass utility before for the same principal name (ckp_pdp/domain_name@DOMAIN_NAME) but with a different account.
If you have used the ktpass utility before:
ldifde -f check_SPN.txt -t 3268 -d "dc=corp,dc=acme,dc=com" -l servicePrincipalName -r "(servicePrincipalName=ckp_pdp*)" -p subtree
check_SPN.txtIf multiple records exist, you must delete the different account or remove its association to the principal name.
Remove the association with the principle name by running:
settspn –D ckp_pkp/domain_name old_account name.
For example:
setspn –D ckp_pdp/corp.acme.com ckpsso
Configure the object in SmartConsole for an LDAP Account Unit to support SSO.
To create a host object for the AD server:
To configure the LDAP account unit:
Best Practice - Configure this field for account units that you want to use for Identity Awareness. This setting does not affect other LDAP Account Units.
Note - LDAP over SSL is not supported by default. If you have not configured your domain controller to support LDAP over SSL, either skip step 6 or configure your domain controller to support LDAP over SSL.
On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages. It has these options:
Option |
Meaning |
|---|---|
New |
Creates a new UserCheck object |
Edit |
Modifies an existing UserCheck object |
Delete |
Deletes an UserCheck object |
Clone |
Clones the selected UserCheck object. |
These are the default UserCheck messages:
Name |
Action Type |
Description |
|---|---|---|
Inform User |
Inform |
Shows when the action for the rule is inform. It informs users what the company policy is for that site. |
Blocked Message |
Block |
Shows when a request is blocked. |
Ask User |
Ask |
Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site. |
Cancel Page |
Cancel |
Shows after a user gets an Inform or Ask message and clicks Cancel. |
Success Page |
Approve |
Shows information was sent according to the user's request. |
Successfully Discarded |
Discard |
Shows when the information was successfully discarded according to the user's request. |
Ask and Inform pages include a Cancel button that users can click to cancel the request.
You can preview each message page in these views:
Create a UserCheck Interaction object from the Rule Base or from the UserCheck page of the DLP tab. The procedure below shows how to create the object from the Rule Base in SmartDashboard.
Note - You can only edit DLP UserCheck objects in SmartDashboard. You cannot create or edit them in SmartConsole.
To create a UserCheck object that includes a message:
SmartDashboard opens and shows the DLP tab.
The Action column uses these interaction modes:
You can also double-click an existing interaction mode to edit it.
The UserCheck Interaction window opens on the Message page.
Note - The graphic must have a height and width of 176 x 52 pixels.
Variables are replaced with applicable values when the (Prevent, Ask, Inform) action occurs and the message shows. The Username can only be displayed if the Identity Awareness blade is enabled.
Not all emails clients can handle emails in rich text or HTML format. To accommodate such clients, you can configure the gateway to send emails without images.
To configure emails without images:
$FWDIR/conf/usrchkd.conf
send_emails_with_no_imagestrueuserchkdThe process is automatically restarted by the gateway. The new configuration will survive a gateway reboot.
Email notifications are now sent in both plain text and HTML formats. The user's email clients decides which format to show.
For each UserCheck Interaction object you can configure these options from the UserCheck Interaction window:
After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see: sk83700.
The DLP UserCheck predefined notifications are in only English by default. If necessary, you can add more languages manually.
To support more languages for UserCheck:
SmartDashboard opens and shows the DLP tab.
A tab for the language is added.
The UserCheck client is installed on endpoint computers to communicate with the gateway and show UserCheck interaction notifications to users.
It works with these Software Blades:
DLP - Notifications of DLP incidents can be sent by email (for SMTP traffic) or shown in a popup from the UserCheck client in the system tray (for SMTP, HTTP and FTP).
Users select an option in the notification message to respond in real-time.
For DLP, administrators with full permissions or the View/Release/Discard DLP messages permission can also send or discard incidents from the SmartConsole Logs & Monitor Logs view.
Workflow for installing and configuring UserCheck clients:
See UserCheck Client Requirements in the R80.10 Release Notes.
Enable UserCheck and the UserCheck client on the gateway in the Properties window of the gateway object in SmartConsole. This is necessary to let clients communicate with the gateway.
To enable UserCheck and the UserCheck client on the gateway:
The gateway window opens and shows the General Properties page.
This enables UserCheck notifications from the gateway.
This enables UserCheck notifications from the client.
In an environment with UserCheck clients, the gateway acts as a server for the clients. Each client must be able to discover the server and create trust with it.
To create trust, the client makes sure that the server is the correct one. It compares the server fingerprint calculated during the SSL handshake with the expected fingerprint. If the server does not have the expected fingerprint, the client asks the user to manually confirm that the server is correct.
Here is a summary of the methods that you can use for clients to discover and trust the server. More details are described later in this section.
|
Requires AD |
Manual User Trust (one time) Required? |
Multi- |
Client Remains Signed? |
Still works after Gateway Changes |
Level |
Recommended for... |
|---|---|---|---|---|---|---|---|
File name based |
No |
Yes |
No |
Yes |
No |
Very Simple |
Single Security Gateway deployments |
AD based |
Yes |
No |
Yes |
Yes |
Yes |
Simple |
Deployments with AD that you can modify |
DNS based |
No |
Yes |
Partially (per DNS server) |
Yes |
Yes |
Simple |
Deployments without AD With an AD you cannot change, and a DNS that you can change |
Remote registry |
No |
No |
Yes |
Yes |
Yes |
Moderate |
Where remote registry is used for other purposes |
This option is the easiest to deploy, and works out-of-the-box. It requires that users manually click Trust to trust the server the first time they connect. You can use this option if your deployment has only one Security Gateway with the relevant Software Blades.
How does it work?
When a user downloads the UserCheck client, the address of the Security Gateway is inserted in the filename. During installation, the client finds if there is a different discovery method configured (AD based, DNS based, or local registry). If no method is configured, and the gateway can be reached, it is used as the server. In the UserCheck Settings window, you can see that the server you connect to is the same as the Security Gateway in the UserCheck client filename.
Users must manually make sure that the trust data is valid, because the filename can be easily changed.
You can manually change the name of the MSI file before it is installed on a computer. This connects the UserCheck client to a different gateway.
To rename the MSI file:
Where GWname - is the DNS name of the gateway.
Optional: Use UserCheck_~GWname-port.msi
Where port is the port number of notifications. For example, UserCheck_~mygw-18300.msi.
|
Notes - The prefix does not have to be "UserCheck". The important part of the syntax is underscore tilde (_~), which indicates that the next string is the DNS of the gateway. If you want to add the port number for the notifications to the client from the gateway, the hyphen (-) indicates that the next string is the port number. |
If your client computers are members of an Active Directory domain and you have administrative access to this domain, you can use the Distributed Configuration tool to configure connectivity and trust rules.
The Distributed Configuration tool has three windows:
To enable Active Directory based configuration for clients:
From the command line on that computer, run the client configuration tool with the AD utility.
For example, on a Windows 7 computer:
"C:\Users\<user name>\Local Settings\Application Data\Checkpoint\UserCheck\UserCheck.exe" -adtool
The Check Point UserCheck - Distributed Configuration tool opens.
By default, your AD username is shown. If you do not have administrator permissions, click Change user and enter administrator credentials.
The Identity Server Configuration window opens.
The identity of the AD Server for the UserCheck client is written in the Active Directory and given to all clients.
|
Note - The entire configuration is written under a hive named Check Point under the Program Data branch in the AD database that is added in the first run of the tool. Adding this hive does not affect other AD based applications or features. |
If you use the Distributed Configuration tool and you configure the client to Automatically discover the server, the client fetches the rule lists. Each time it must connect to a server, it tries to match itself against a rule, from top to bottom.
When the tool matches a rule, it uses the servers shown in the rule, according to the priority specified.
The configuration in this example means:
‘192.168.0.1 – 192.168.0.255’US-GW1BAK-GS2US-GW1‘UK-SITE’UK-GW1UK-GW2BAK-GS2BAK-GS2Use the Add, Edit and Remove buttons to change the server connectivity rules.
The Trusted Gateways window shows the list of servers that are trusted - no messages open when users connect to them.
You can add, edit or delete a server. If you have connectivity to the server, you can get the name and fingerprint. Enter its IP address and click Fetch Fingerprint in the Server Trust Configuration window. If you do not have connectivity to the server, enter the same name and fingerprint that is shown when you connect to that server.
If you configure the client to Automatic Discovery (the default), it looks for a server by issuing a DNS SRV query for the address of the gateway (the DNS suffix is added automatically). You can configure the address in your DNS server.
To configure DNS based configuration on the DNS server:
To configure Load Sharing for the Security Gateway, create multiple SRV records with the same priority.
To configure High Availability, create multiple SRV records with different priorities.
|
Note - If you configure AD based and DNS based configuration, the results are combined according to the specified priority (from the lowest to highest). |
To troubleshoot issues in DNS based configuration, you can see the SRV records that are stored on the DNS server.
To see SRV records on the DNS server:
Run:
C:\> nslookup> set type=srv> checkpoint_dlp._tcp
The result is:
|
If you have a way to deploy registry entries to your client computers, for example, Active Directory or GPO updates, you can deploy the Security Gateway addresses and trust parameters before you install the clients. Clients can then use the deployed settings immediately after installation.
To configure the remote registry option:
HKEY_CURRENT_USERHKEY_CURRENT_USERDefaultGatewayDefaultGatewayEnabledTo get the MSI file:
|
Important - Before you can download the client msi file, the UserCheck portal must be up. The portal is up only after a Policy installation. |
After configuring the clients to connect to the gateway, install the clients on the user machines. You can use any method of MSI or EXE mass deployment and installation that you choose. For example, you can send users an email with a link to install the client. When a user clicks the link, the MSI file automatically installs the client on the computer.
Alternatively, users can download the installation package from the regular DLP UserCheck notifications.
To install the client for all user accounts on a Windows computer, see sk96107.
The installation is silent and generally, no reboot is required.
When the client is first installed, the tray icon indicates that it is not connected. When the client connects to the gateway, the tray icon shows that the client is active.
The first time that the client connects to the gateway, it asks for verification from the user and approval of the fingerprint.
Best Practices:
If UserCheck for DLP is enabled on the gateway, users are required to enter their username and password after the client installs.
Example of message to users about the UserCheck client installation (for DLP):
Dear Users,
Our company has implemented a Data Loss Prevention automation to protect our confidential data from unintentional leakage. Soon you will be asked to verify the connection between a small client that we will install on your computer and the computer that will send you notifications.
This client will pop up notifications if you try to send a message that contains protected data. It might let you to send the data anyway, if you are sure that it does not violate our data-security guidelines.
When the client is installed, you will see a window that asks if you trust the DLP server. Check that the server is SERVER NAME and then click Trust.
In the next window, enter your username and password, and then click OK.
|
Note - If the UserCheck client is not connected to the gateway, the behavior is as if the client was never installed. Email notifications are sent for SMTP incidents and the Portal is used for HTTP incidents. |
You can see and edit Check Point users from Users and Administrators in the navigation tree.
To enable Check Point password authentication:
SmartConsole Configuration
UserCheck Client Configuration
Ask your users to configure their UserCheck client:
If users require assistance to troubleshoot issues with the UserCheck client, you can ask them to send you the logs.
To configure the client to generate logs:
The Settings window opens.
To send UserCheck logs from the client:
The Status window opens.
The default email client opens, with an archive of the collected logs attached.