Capsule Docs

In This Section: Overview of Capsule Docs Prerequisites for Capsule Docs Using Capsule Docs Configuring Capsule Docs Policy Rules Working with External Users Troubleshooting Capsule Docs Reverse Proxy Capsule Docs Recovery

The Capsule Docs Software Blade, managed by an on-premises Security Management Server, lets organizations protect and share documents safely within the organization and with business partners, and manage the organizational Capsule Docs policy, monitoring, and deployment through SmartEndpoint.

Overview of Capsule Docs

Check Point Capsule Docs provides these benefits:

Control the parties that can access the data

• Restrict access to individuals, groups or entire organizations.
• Use granular Classification model to assign different permissions for internal and external users.
• Control data distribution (Forward, Copy/Paste, Print).
• Choose contacts from your Outlook address book with whom you usually communicate.
• Prevent unintentional data loss with the help of UserCheck.
• Use Data Classification to classify documents without encryption.
• Set a document expiration date to limit when documents can be accessed.

Protect data stored on untrusted servers and shared via untrusted channels

• Each protected document remains protected even on untrusted servers.
• Prevent forwarding to unauthorized parties.
• Secure all created documents automatically.
• Set a document expiration date

See full audit trail for data access

• All actions on protected documents are logged and are available through the Logs view in SmartConsole.
• Follow paper trail for a single document.
• Audit distribution patterns for documents in an organization.
• Monitor access by external parties.

Access protected documents easily from your platform of choice

• Seamless integration with Microsoft Office and Adobe Acrobat on Windows platforms.
• Lightweight Windows Viewer that does not require administrative privileges or Microsoft Office or Adobe Acrobat clients installed.
• Access protected documents from proprietary Apps on Android, and iOS mobile devices.

Full Integration with Organizational Active Directory

• Users that are defined in the Active Directory are automatically provisioned to use Capsule Docs.
• User’s Active Directory account authentication is sufficient to access relevant protected documents.
• Customize Capsule Docs policy for different Users, Organizational Units and Groups.

You must configure all prerequisites before you can work with Capsule Docs.

Prerequisites for Capsule Docs

This picture gives an overview of the different components required for a Capsule Docs deployment as part of an Endpoint Security environment:

ID	Description		ID	Description
A	Internal Network		B	DMZ
1	Management Server		6	Reverse Proxy
2	Active Directory Server		C	External Network
3	SMTP Server		7	Public-facing DNS Server
4	Internal users		8	Mobile users
5	Management Console		9	External users

Notes:

• Management Server (1) - A Secondary Management Server and Endpoint Policy Servers can be used for redundancy and load balancing.
• Active Directory Server (2) - Each user account in the Active Directory must have a valid email address. This is usually populated automatically if Microsoft Exchange is configured. User authentication fails if there are two AD accounts with the same email address.
• SMTP Server (3) - Is only required if the organization shares data with external users
• SMTP Server (3) with encryption protocols SSL and TLS are supported.
• Reverse Proxy (6), and a Public-facing DNS Server (7) are only required if one or more of these conditions exist:
  • The organization shares data with external users.
  • Protected document are accessed from mobile devices that do not have access to internal resources.

  If these conditions do not exist, a DNS Server is still required but does not need to be accessible from external networks.

To share protected documents externally, you must have an SMTP server and configure a Reverse Proxy.

Workflow for Capsule Docs Configuration

Before you configure Capsule Docs policy in SmartEndpoint:

1. Enable the Endpoint Policy Management Software Blade on the Endpoint Security Management Server.
2. Configure the Active Directory server as the primary DNS server.
3. Configure the Directory Scanner.
4. Prepare the Reverse Proxy.
5. Configure an email server.
6. Configure Single Sign-on with Active Directory.

Configuring the Primary DNS server

To configure the Active Directory server as the primary DNS server in Gaia:

1. In the Portal, Network Management navigation tree menu, select Hosts and DNS.
2. Enter the IP address of the Active Directory server as the Primary DNS Server.
3. Click Apply.

To configure the Active Directory server as the primary DNS server in Windows:

1. In the Control Panel window, go to Network and Internet > Network and Sharing Center > Change adapter settings.
2. Right-click the server network interface and select Properties.

   The Connection Properties window opens.

3. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
4. In the window that opens, enter the IP address of the Active Directory server as the Preferred DNS server.
5. Click OK.
6. Click Close.

Configuring the Directory Scanner

See Active Directory Scanner for instructions on how to to configure the Directory Scanner.

Preparing the Reverse Proxy

The Reverse Proxy makes sure that requests from mobile devices and Capsule Docs clients that do not have internal network access reach the Endpoint Security Server.

If you use a Security Gateway as the Capsule Docs Reverse Proxy, do the procedures in this section. Alternatively, you can configure a third party server, for example an Apache Server, as a Reverse Proxy Server. See sk102973 to use a third party server as a Reverse Proxy Server.

To prepare the Security Gateway for the Capsule Docs Reverse Proxy you must:

• Enable the Mobile Access Software Blade on the Security Gateway.
• Configure the Reverse Proxy on the Security Gateway or server to point to the Endpoint Security Management Server.

  Note- Make sure the name of the Endpoint Security Management Server resolves correctly in DNS.

• For Gaia: If the Gaia portal of the Mobile Access Security Gateway is on https://<gateway ip>/ with a "/" at the end and on port 443, you must change the URL or port. For example, change the URL to https://<gateway ip>/gaia or change the port to 4434. Change the URL in the Gateway Properties tree select Platform Portal and change the Main URL. This change requires a policy installation.

  If you do not make this change, the Gaia portal will not be accessible.

To enable the Mobile Access Software Blade on the Security Gateway:

1. In SmartConsole, double click the Security Gateway object.
2. In the properties window that opens, select Mobile Access in the Software Blades section.

   The Mobile Access Configuration wizard opens.

3. Click Cancel, if you want to use the Security Gateway as a reverse proxy only.

   The Mobile Access Policy is created, but has no rules in it.

4. Click OK.
5. In the main menu, go to Policy > Install.
6. Select the Security Gateway to install policy only on the Security Gateway.

   During policy installation, a warning shows: The Mobile Access Policy does not contain any rules. You can ignore this.

7. Click OK.

To configure the Capsule Docs proxy on the Security Gateway:

1. On the gateway, run:

   ReverseProxyCLI add application capsule_docs <public_server_name> <capsule_docs_server>

   Where:

   • <public_server_name> is the Capsule Docs Server public name, configured in SmartEndpoint. This hostname should be resolved to the Reverse Proxy Gateway, for example: capsuledocs.externalsite.com
   • <capsule_docs_server> is the Capsule Docs Server internal hostname OR IP address, for example: capsuledocs.internalsite.com OR 1.1.1.1
2. Follow the on-screen instructions.

   Make sure that the output of Please wait.. Calculating your internal Host (host) IP addresses is the IP address of the internal server and that no warnings are shown.

3. Run : ReverseProxyCLI apply config

   Make sure the command output is :Finished applying configuration successfully.

   If warnings are shown you must resolve the problems before you continue.

You can also enable Single Sign-on for Capsule Workspace with Capsule Docs users.

To enable Single Sign-on for Capsule Workspace Capsule Docs users:

1. In SmartConsole, click Security Policies.
2. Click Shared Policies > Mobile Access.
3. Click Open Mobile Access Policy in SmartDashboard.
4. In the SmartDashboard Mobile Access tab, from the navigation tree, select Applications > Web Applications.

   The list of all Web Applications shows.

5. Click New.

   The Web Application window opens.

6. In the General Properties screen, enter the Name of the new Capsule Docs Web Application
7. In the Authorized Locations screen, select the Endpoint Security Management Server Host or the DNS name of the Endpoint Security Management Server.

   If it does not show in the drop-down menu, click Manage > New, select Host or DNS Name, and configure the new Endpoint Security Management Server.

8. In Directories section of the Authorized Locations screen, select Allow access to specific directories, and add new directories:
   1. Click New.
   2. In the window that opens, type in the directory path.
   3. Click OK.

   The new directories are:

   • /eps/client/services/DirectoryService
   • /eps/client/services/EpsCommonService
   • /eps/mobile/getDocumentKey
   • /eps/mobile/login
   • /policy
9. In Services section of the Authorized Locations screen, select https as the Default. Clear http.
10. In the Link in Portal screen, configure these settings:
    1. Select Add a link to this Web application in the Mobile Access portal.
    2. In the Link text field, enter a label for the link. This does not affect users.
    3. Enter the URL https://<Endpoint Security Management ServerIP or DNS IP address>
    4. In the Tooltip field, enter the external name of the Endpoint Security Management Server exactly as it is configured on the Endpoint Security Management Server.
11. In the Additional Settings > Single Sign-on screen, configure these settings:
    1. Select Turn on Single Sign-on for this application.
    2. Select Advanced for When a user signs in to this application.
    3. Click Edit.
    4. In the window that opens, select This application reuses the portal credentials. If authentication fails, Mobile Access prompts users and stores their credentials.
    5. Click OK.
    6. Click Edit in the Login Settings section.
    7. In the window that opens, select The users of this application belong to the following Windows domain, and enter the users' domain name.
    8. Click OK.
12. In the Additional Settings > Link Translation screen, select Using the following method and Path Translation.

    Note - on gateway objects, Path Translation is supported by default.

13. Click OK.
14. Install Policy.

    Note - To grant access to an application for the Capsule Workspace users, you must add a Single Sign-on access rule to the Capsule Workspace policy.

Configuring a Mail Server for Capsule Docs

To send protected documents to external users, you must configure your email server. Two types of email servers are supported:

• SMTP (default)
• FileSystem

To configure the email server:

1. In SmartEndpoint, select Manage > Email Server Settings > Configure Settings.
2. In the Email Server Settings window, enter the email server host name or IP address.
3. Select the Port number for the email server (default = 25).
4. If the email server requires an SSL connection, select Enable SSL Encryption.
5. If email server authentication is necessary, select User authentication is required and enter the credentials.
6. Click Send Test Email to make sure that you can successfully access the email server.
7. In the window that opens, enter an email address that the test will be sent to and click Send.
   • If the verification succeeds, an email is sent to the email address entered and a Success message shows in the Email Server Settings window.
   • If the verification fails, an Error message shows in the Email Server Settings window. Correct the parameters errors or resolve network connectivity issues. Stand on the Error message to see a description of the issue.
8. Click OK to save the email server settings and close the window.

Troubleshooting issues with email settings

If the email server does not send alerts and email server authentication is not necessary do these steps:

1. In SmartEndpoint, select Manage > Email Server Settings > Configure Settings.
2. In the Email Server Settings window select User authentication is required.

   Configure these parameters :

   • Port - Leave the default (25).
   • User Name - Enter a fictitious email address. This address will show as the sender of email alerts.
   • Password - Enter a fictitious password. This is not used.
3. Optional: Trigger an alert to test the email server.

Single Sign-on with Active Directory

For managed clients to seamlessly authenticate to Capsule Docs with users' AD credentials, enable Single Sign-on with Active Directory authentication.

The default setting is Do not allow Single Sign-on with Active Directory.

To enable Single Sign-on with Active Directory:

1. Prepare the Active Directory server for authentication. Use the instructions in Configuring Active Directory for Authentication.
2. Configure the authentication settings in SmartEndpoint. Use the instructions in Configuring Global Authentication. To enable Capsule Docs Single Sign-on, it is not necessary to select Work in authenticated mode. We recommended that you do not select this option during the evaluation and lab stage.
3. Save.
4. In SmartEndpoint, Policy tab, in the Capsule Docs policy rules, select Allow Single Sign-on with Active Directory.
5. Install policy in SmartEndpoint.

Using Capsule Docs

When users create a new document in a supported application, the protection settings of their default Capsule Docs community are applied to the document. Users can change the settings through the Capsule Docs menu.

In some MS Office versions, the menu shows in the upper-right corner of documents. In others it shows in the Home tab.

Based on the Capsule Docs policy that you configure, users can:

• Change document Classification
• Change Community
• Remove protection
• Add or remove users and groups
• Set a document expiration date (only document Authors can do this)
• Create Favorites lists of users and groups.

  Note - the Favorites lists can be used across the supported applications, to share the documents with different sets of users.

To learn more, see the Capsule Docs User Guide for your client release.

Configuring Capsule Docs Policy Rules

For each Action in a rule, select an option, which defines the Action behavior. You can select a predefined Action option or select New to define a custom Action option.

Right-click an Action and select Edit or Edit Shared Action to change the Action behavior.

Changes to policy rules are enforced only after you install the policy.

Actions with the icon apply to all of the organization.

Organization Settings

The Organization Settings define the name of the organization and the name of the Public or External Server. This is the domain name that leads to the reverse proxy server or gateway.

Note - The Public Server Name should be configured one time and not changed.

Active Classifications

Define the Capsule Docs classifications in use and the permissions associated with them.

Also define the permissions of document Authors. By default the permissions are set to be based on the classifications assigned to individual documents or higher. However, you can change them as necessary. A document can have multiple authors. Classification based means that the setting for the Author is the same as what is defined for the Classification.

To create a new classification:

• Click Create Classification.

To delete a classification:

• Click Revoke Classification.

To change the order of the classifications that end-users see in the Capsule Docs menu:

• Select a classification from the table and click the up and down arrows

For each Classification, define its properties and permissions in the table. For more details about the options see sk105076.

Column	Description
Icon	Select the icon that users see in protected documents.
Classification Name	Give the classification a descriptive name.
Applied On	All Users - The same definitions of the classification apply to All Users. Separate Internal and External Users - There are different permissions for each classification, one for Internal and one for External users. When you select this, a second row opens for the classification.
Encrypted	Yes - Documents with this classification are encrypted and marked with a pink lock. No - Documents are classified but not encrypted. There is no user list and all users can access the document. All permissions except Unprotect and Change Classification are changed to Yes automatically.
Edit	Can users edit the document: Yes or No.
Modify Users	Can users add or remove users and groups: Yes or No.
Change Classification	Can users change the classification of a document: Yes or No.
Unprotect	Can users make a document unprotected: Ask, Yes, or No. If Ask is selected, users must give a reason if they choose to unprotect a document.
Mobile Access	Can the document be accessed through Capsule Docs on mobile devices: Yes or No.
Print	Can users print the document: Yes or No.
Screen Capture	Can users take screenshots of the document: Ask, Yes, or No. If Ask is selected, users must give a reason that they require screenshots.
Copy Paste	Can users copy from the document and paste in their device: Yes or No.
Markings	Double-click to change the selection. Select a header, footer, or watermark with the Classification Name to include in the document. Different markings are supported for different document types.

Email Domains for Sharing Documents

Email Domains for sharing documents Defines permissions for new user registration, based on email domains. Each domain can be defined as either Internal or External. There are two default domains that cannot be edited or deleted:

• AD Scanned Domains - Defined as Internal and contains users added by the Active Directory scanner.
• Non AD Scanned Domains - Defined as External and contains users that are not configured in the Domain Configuration window.

You can add more Internal or External Non AD Scanned Domains, and set the permissions to add New Users from them:

• Can register after explicitly added to a document
• Can register without being explicitly added to a document
• Not allowed

Automatic Protection

Define the default encryption behavior for new documents:

• Enforce automatic protection for new documents
• Do not enforce automatic protection
• Suggest document protection when saving document

You can also manually select or clear these options in the Properties of the Action:

• Protect new documents created by internal users
• Suggest to protect when user saves document
• Suggest to protect when user performs Save As

Initial Protection Configuration

Define the default protection settings that are assigned to newly protected documents. Users with the required permissions can edit these settings from the document.

The settings are:

• Select the classification, for example, Restricted or Highly Restricted.

  The classifications and permissions shown are those configured in the Classifications and Permissions Action. You cannot edit them from this Action.

• Add and remove user groups that show in newly protected documents.
• Configure which users or groups have Author permissions. The Document Protector is the person who first protects the document. This person can have Author permissions but it is not required. One or more entities must have Author permissions.

To add and remove user groups that show in newly protected documents:

1. Click the arrow and select Manage Groups to open the organizational tree and select one or more groups to add to the list.
2. Select one or more groups from the list. These groups are added to the initial protection list that is automatically assigned to a document.

   All groups that show in the Protection Setting window are assigned to the document.

3. To remove a group or user, select it from the list and click the X.

To configure which users or groups have Author permissions:

• Right-click the Document Protector or a different user or group and select an option:
  • Remove as Document Author
  • Mark as Document Author

If the default classification does not have encryption:

All users can access it and the users and groups selected here only apply if the classification is changed to one with encryption.

Inviting Users

Set permissions for the ability to add new users to a document if they are not yet invited or registered. By default, all users in the internal domains have permission to the documents and do not require invitations.

The options are:

• Allow inviting users from any domain
• Do not allow inviting users

If you select Allow inviting users from any domains, you can also limit the users who can be invited to those from specified domains.

To limit the users who can be invited to a document:

1. In a Capsule Docs rule, right-click the Inviting Users Action and select Edit Shared Action.
2. In the bottom part of the Properties window, in the Permission to invite new users list, select Allow only from the following domains.
3. Click Add to add domains to the list. Only users in domains on the list can be invited.

Client Access Settings

Configure Client access to protected documents.

Set the period of downtime, after which if the client does not get updated, the access to protected documents becomes blocked. You can also configure how often the client checks for updates.

Single Sign-on with Active Directory

This Action defines permissions for Single Sign-on with Active Directory. The default is Do not allow Single Sign-on with Active Directory.

Working with External Users

You can add external users who can access Capsule Docs protected documents in these ways:

• A user adds an external user to a document.
• An external user downloads the Capsule Docs client and registers.
• An administrator adds a user or domain in SmartEndpoint. The administrator can add individual users or import users from a .csv file.
  • Right-click the External Users folder in the Users and Computers tree and select Capsule Docs > Add External Users.
  • In the Global Actions pane, select Add External Users.

The first time that an external user from a new domain is added to the system, a new folder is created for the domain in the Users and Computers tree under External Users.

External users are in one of these states, shown in the User Details:

• Invited - A user added the external user to a document but the new user did not register yet.
• Registered - The user downloaded the Capsule Docs client and registered with an email address.
• Revoked- The administrator revoked the user and the user cannot log in to Capsule Docs or see documents. Revoked users are in the Revoked Users folder. Administrators can Restore or Delete users from there.

An administrator can give an external user or domain internal permissions.

To give an external user the same permissions as an internal user:

Right-click on a user or domain from the Users and Computers tree and select Grant internal permission (for document use).

External users who have internal permissions are shown in the Capsule Docs internal users Virtual Group.

To revoke an external user:

Right-click on a user or domain from the Users and Computers tree and select Revoke user. The user is moved to the Revoked Users folder. You cannot delete external users.

Troubleshooting Capsule Docs Reverse Proxy

Traffic Logs

You can configure the Reverse Proxy to send traffic logs, which then can be reviewed in SmartLog, under Mobile Access logs.

To configure the Reverse Proxy to send traffic logs:

1. In SmartConsole, click Security Policies.
2. Click Shared Policies > Mobile Access.
3. Click Open Mobile Access Policy in SmartDashboard.
4. In SmartDashboard Mobile Access tab, go to Additional Settings > Logging.
5. In the Tracking section of the configuration screen, select Log Access for Web Applications, and select events to log:
   • Unsuccessful access events
   • All access events
6. Install Policy.

Identify Reverse Proxy logs by these criteria:

• Category: Mobile Access
• Application: Reverse Proxy

The Access section of the log can show:

• Allowed - Authorized URL - The Reverse Proxy allowed the URL request (only shows if the All access events logging option is configured)
• Denied - Unauthorized URL - The Reverse Proxy blocked the URL request. If this is a mistake, you can allow the URL.

  To allow a blocked URL:

  • In the command line, run: ReverseProxyCLI show applications
  • Under capsule_docs app in the Paths column, find the path that is unauthorized in the log.
• Failed - The Reverse Proxy failed to forward the request for the EPS with one of these messages:
  • Internal Server Error - The Endpoint Security Management Server aborted the connection with the gateway. Make sure the Endpoint Security Management Server is working.
  • Proxy not found -The given proxy host could not be resolved.
  • Can't resolve host name - The <capsule_docs_server> is the internal_host you configured in your capsule_docs application, you can see it under ReverseProxyCLI show applications in the Internal Server Name column.

    Your Endpoint Security Management Server is configured as a DNS name. Make sure that this hostname can be resolved from the gateway. To do this run nslookup on the host to see that the gateway can resolve it.

  • Internal host connection failed - Failed to connect to the internal server, make sure the server is up and running.
  • Invalid URL -The URL from the gateway to the Endpoint Security Management Server was not properly formatted.
  • SSL handshake failed -A problem occurred somewhere in the SSL/TLS handshake between the gateway and the Endpoint Security Management Server.
  • Server response was too slow - Operation timeout
  • Page not found
• Action that the Reverse Proxy took in relationship to this URL - Allowed, Denied, or Failed

Capsule Docs Recovery

Capsule Docs Recovery

The Capsule Docs Recovery Tool generates a master key that can open all documents in a situation of disaster recovery.

A new master key is valid for one year. Therefore we recommend that you generate a new master key every year. A notification shows in the SmartEndpoint Overview page when the master key is close to its expiration date. A new master key can open all documents that were created before its creation and up to one year afterwards.

To get the Capsule Docs Recovery Tool:

1. In the SmartEndpoint, select Tools > Capsule Docs Recovery Tool.
2. In the window that opens, create a Recovery Key Password and enter it twice.
3. Click Save As and select a location where the Tool is saved in a zip file.
4. If necessary, extract the tool and use the included instructions.