Print Download PDF Send Feedback

Previous

Next

Capsule Docs

In This Section:

Overview of Capsule Docs

Prerequisites for Capsule Docs

Using Capsule Docs

Configuring Capsule Docs Policy Rules

Working with External Users

Troubleshooting Capsule Docs Reverse Proxy

Capsule Docs Recovery

The Capsule Docs Software Blade, managed by an on-premises Security Management Server, lets organizations protect and share documents safely within the organization and with business partners, and manage the organizational Capsule Docs policy, monitoring, and deployment through SmartEndpoint.

Overview of Capsule Docs

Check Point Capsule Docs provides these benefits:

Control the parties that can access the data

Protect data stored on untrusted servers and shared via untrusted channels

See full audit trail for data access

Access protected documents easily from your platform of choice

Full Integration with Organizational Active Directory

You must configure all prerequisites before you can work with Capsule Docs.

Prerequisites for Capsule Docs

This picture gives an overview of the different components required for a Capsule Docs deployment as part of an Endpoint Security environment:

ID

Description

 

ID

Description

A

Internal Network

 

B

DMZ

1

Management Server

 

6

Reverse Proxy

2

Active Directory Server

 

C

External Network

3

SMTP Server

 

7

Public-facing DNS Server

4

Internal users

 

8

Mobile users

5

Management Console

 

9

External users

Notes:

To share protected documents externally, you must have an SMTP server and configure a Reverse Proxy.

Workflow for Capsule Docs Configuration

Before you configure Capsule Docs policy in SmartEndpoint:

  1. Enable the Endpoint Policy Management Software Blade on the Endpoint Security Management Server.
  2. Configure the Active Directory server as the primary DNS server.
  3. Configure the Directory Scanner.
  4. Prepare the Reverse Proxy.
  5. Configure an email server.
  6. Configure Single Sign-on with Active Directory.

Configuring the Primary DNS server

To configure the Active Directory server as the primary DNS server in Gaia:

  1. In the Portal, Network Management navigation tree menu, select Hosts and DNS.
  2. Enter the IP address of the Active Directory server as the Primary DNS Server.
  3. Click Apply.

To configure the Active Directory server as the primary DNS server in Windows:

  1. In the Control Panel window, go to Network and Internet > Network and Sharing Center > Change adapter settings.
  2. Right-click the server network interface and select Properties.

    The Connection Properties window opens.

  3. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  4. In the window that opens, enter the IP address of the Active Directory server as the Preferred DNS server.
  5. Click OK.
  6. Click Close.

Configuring the Directory Scanner

See Active Directory Scanner for instructions on how to to configure the Directory Scanner.

Preparing the Reverse Proxy

The Reverse Proxy makes sure that requests from mobile devices and Capsule Docs clients that do not have internal network access reach the Endpoint Security Server.

If you use a Security Gateway as the Capsule Docs Reverse Proxy, do the procedures in this section. Alternatively, you can configure a third party server, for example an Apache Server, as a Reverse Proxy Server. See sk102973 to use a third party server as a Reverse Proxy Server.

To prepare the Security Gateway for the Capsule Docs Reverse Proxy you must:

To enable the Mobile Access Software Blade on the Security Gateway:

  1. In SmartConsole, double click the Security Gateway object.
  2. In the properties window that opens, select Mobile Access in the Software Blades section.

    The Mobile Access Configuration wizard opens.

  3. Click Cancel, if you want to use the Security Gateway as a reverse proxy only.

    The Mobile Access Policy is created, but has no rules in it.

  4. Click OK.
  5. In the main menu, go to Policy > Install.
  6. Select the Security Gateway to install policy only on the Security Gateway.

    During policy installation, a warning shows: The Mobile Access Policy does not contain any rules. You can ignore this.

  7. Click OK.

To configure the Capsule Docs proxy on the Security Gateway:

  1. On the gateway, run:

    ReverseProxyCLI add application capsule_docs <public_server_name> <capsule_docs_server>

    Where:

    • <public_server_name> is the Capsule Docs Server public name, configured in SmartEndpoint. This hostname should be resolved to the Reverse Proxy Gateway, for example: capsuledocs.externalsite.com
    • <capsule_docs_server> is the Capsule Docs Server internal hostname OR IP address, for example: capsuledocs.internalsite.com OR 1.1.1.1
  2. Follow the on-screen instructions.

    Make sure that the output of Please wait.. Calculating your internal Host (host) IP addresses is the IP address of the internal server and that no warnings are shown.

  3. Run : ReverseProxyCLI apply config

    Make sure the command output is :Finished applying configuration successfully.

    If warnings are shown you must resolve the problems before you continue.

You can also enable Single Sign-on for Capsule Workspace with Capsule Docs users.

To enable Single Sign-on for Capsule Workspace Capsule Docs users:

  1. In SmartConsole, click Security Policies.
  2. Click Shared Policies > Mobile Access.
  3. Click Open Mobile Access Policy in SmartDashboard.
  4. In the SmartDashboard Mobile Access tab, from the navigation tree, select Applications > Web Applications.

    The list of all Web Applications shows.

  5. Click New.

    The Web Application window opens.

  6. In the General Properties screen, enter the Name of the new Capsule Docs Web Application
  7. In the Authorized Locations screen, select the Endpoint Security Management Server Host or the DNS name of the Endpoint Security Management Server.

    If it does not show in the drop-down menu, click Manage > New, select Host or DNS Name, and configure the new Endpoint Security Management Server.

  8. In Directories section of the Authorized Locations screen, select Allow access to specific directories, and add new directories:
    1. Click New.
    2. In the window that opens, type in the directory path.
    3. Click OK.

    The new directories are:

    • /eps/client/services/DirectoryService
    • /eps/client/services/EpsCommonService
    • /eps/mobile/getDocumentKey
    • /eps/mobile/login
    • /policy
  9. In Services section of the Authorized Locations screen, select https as the Default. Clear http.
  10. In the Link in Portal screen, configure these settings:
    1. Select Add a link to this Web application in the Mobile Access portal.
    2. In the Link text field, enter a label for the link. This does not affect users.
    3. Enter the URL https://<Endpoint Security Management ServerIP or DNS IP address>
    4. In the Tooltip field, enter the external name of the Endpoint Security Management Server exactly as it is configured on the Endpoint Security Management Server.
  11. In the Additional Settings > Single Sign-on screen, configure these settings:
    1. Select Turn on Single Sign-on for this application.
    2. Select Advanced for When a user signs in to this application.
    3. Click Edit.
    4. In the window that opens, select This application reuses the portal credentials. If authentication fails, Mobile Access prompts users and stores their credentials.
    5. Click OK.
    6. Click Edit in the Login Settings section.
    7. In the window that opens, select The users of this application belong to the following Windows domain, and enter the users' domain name.
    8. Click OK.
  12. In the Additional Settings > Link Translation screen, select Using the following method and Path Translation.

    Note - on gateway objects, Path Translation is supported by default.

  13. Click OK.
  14. Install Policy.

    Note - To grant access to an application for the Capsule Workspace users, you must add a Single Sign-on access rule to the Capsule Workspace policy.

Configuring a Mail Server for Capsule Docs

To send protected documents to external users, you must configure your email server. Two types of email servers are supported:

To configure the email server:

  1. In SmartEndpoint, select Manage > Email Server Settings > Configure Settings.
  2. In the Email Server Settings window, enter the email server host name or IP address.
  3. Select the Port number for the email server (default = 25).
  4. If the email server requires an SSL connection, select Enable SSL Encryption.
  5. If email server authentication is necessary, select User authentication is required and enter the credentials.
  6. Click Send Test Email to make sure that you can successfully access the email server.
  7. In the window that opens, enter an email address that the test will be sent to and click Send.
    • If the verification succeeds, an email is sent to the email address entered and a Success message shows in the Email Server Settings window.
    • If the verification fails, an Error message shows in the Email Server Settings window. Correct the parameters errors or resolve network connectivity issues. Stand on the Error message to see a description of the issue.
  8. Click OK to save the email server settings and close the window.

Troubleshooting issues with email settings

If the email server does not send alerts and email server authentication is not necessary do these steps:

  1. In SmartEndpoint, select Manage > Email Server Settings > Configure Settings.
  2. In the Email Server Settings window select User authentication is required.

    Configure these parameters :

    • Port - Leave the default (25).
    • User Name - Enter a fictitious email address. This address will show as the sender of email alerts.
    • Password - Enter a fictitious password. This is not used.
  3. Optional: Trigger an alert to test the email server.

Single Sign-on with Active Directory

For managed clients to seamlessly authenticate to Capsule Docs with users' AD credentials, enable Single Sign-on with Active Directory authentication.

The default setting is Do not allow Single Sign-on with Active Directory.

To enable Single Sign-on with Active Directory:

  1. Prepare the Active Directory server for authentication. Use the instructions in Configuring Active Directory for Authentication.
  2. Configure the authentication settings in SmartEndpoint. Use the instructions in Configuring Global Authentication. To enable Capsule Docs Single Sign-on, it is not necessary to select Work in authenticated mode. We recommended that you do not select this option during the evaluation and lab stage.
  3. Save.
  4. In SmartEndpoint, Policy tab, in the Capsule Docs policy rules, select Allow Single Sign-on with Active Directory.
  5. Install policy in SmartEndpoint.

Using Capsule Docs

When users create a new document in a supported application, the protection settings of their default Capsule Docs community are applied to the document. Users can change the settings through the Capsule Docs menu.

In some MS Office versions, the menu shows in the upper-right corner of documents. In others it shows in the Home tab.

Based on the Capsule Docs policy that you configure, users can:

To learn more, see the Capsule Docs User Guide for your client release.

Configuring Capsule Docs Policy Rules

For each Action in a rule, select an option, which defines the Action behavior. You can select a predefined Action option or select New to define a custom Action option.

Right-click an Action and select Edit or Edit Shared Action to change the Action behavior.

Changes to policy rules are enforced only after you install the policy.

Actions with the icon apply to all of the organization.

Organization Settings

The Organization Settings define the name of the organization and the name of the Public or External Server. This is the domain name that leads to the reverse proxy server or gateway.

Note - The Public Server Name should be configured one time and not changed.

Active Classifications

Define the Capsule Docs classifications in use and the permissions associated with them.

Also define the permissions of document Authors. By default the permissions are set to be based on the classifications assigned to individual documents or higher. However, you can change them as necessary. A document can have multiple authors. Classification based means that the setting for the Author is the same as what is defined for the Classification.

To create a new classification:

To delete a classification:

To change the order of the classifications that end-users see in the Capsule Docs menu:

For each Classification, define its properties and permissions in the table. For more details about the options see sk105076.

Column

Description

Icon

Select the icon that users see in protected documents.

Classification Name

Give the classification a descriptive name.

Applied On

  • All Users - The same definitions of the classification apply to All Users.
  • Separate Internal and External Users - There are different permissions for each classification, one for Internal and one for External users. When you select this, a second row opens for the classification.

Encrypted

  • Yes - Documents with this classification are encrypted and marked with a pink lock.
  • No - Documents are classified but not encrypted. There is no user list and all users can access the document. All permissions except Unprotect and Change Classification are changed to Yes automatically.

Edit

Can users edit the document: Yes or No.

Modify Users

Can users add or remove users and groups: Yes or No.

Change Classification

Can users change the classification of a document: Yes or No.

Unprotect

Can users make a document unprotected: Ask, Yes, or No. If Ask is selected, users must give a reason if they choose to unprotect a document.

Mobile Access

Can the document be accessed through Capsule Docs on mobile devices: Yes or No.

Print

Can users print the document: Yes or No.

Screen Capture

Can users take screenshots of the document: Ask, Yes, or No. If Ask is selected, users must give a reason that they require screenshots.

Copy Paste

Can users copy from the document and paste in their device: Yes or No.

Markings

Double-click to change the selection. Select a header, footer, or watermark with the Classification Name to include in the document. Different markings are supported for different document types.

Email Domains for Sharing Documents

Email Domains for sharing documents Defines permissions for new user registration, based on email domains. Each domain can be defined as either Internal or External. There are two default domains that cannot be edited or deleted:

You can add more Internal or External Non AD Scanned Domains, and set the permissions to add New Users from them:

Automatic Protection

Define the default encryption behavior for new documents:

You can also manually select or clear these options in the Properties of the Action:

Initial Protection Configuration

Define the default protection settings that are assigned to newly protected documents. Users with the required permissions can edit these settings from the document.

The settings are:

To add and remove user groups that show in newly protected documents:

  1. Click the arrow and select Manage Groups to open the organizational tree and select one or more groups to add to the list.
  2. Select one or more groups from the list. These groups are added to the initial protection list that is automatically assigned to a document.

    All groups that show in the Protection Setting window are assigned to the document.

  3. To remove a group or user, select it from the list and click the X.

To configure which users or groups have Author permissions:

If the default classification does not have encryption:

All users can access it and the users and groups selected here only apply if the classification is changed to one with encryption.

Inviting Users

Set permissions for the ability to add new users to a document if they are not yet invited or registered. By default, all users in the internal domains have permission to the documents and do not require invitations.

The options are:

If you select Allow inviting users from any domains, you can also limit the users who can be invited to those from specified domains.

To limit the users who can be invited to a document:

  1. In a Capsule Docs rule, right-click the Inviting Users Action and select Edit Shared Action.
  2. In the bottom part of the Properties window, in the Permission to invite new users list, select Allow only from the following domains.
  3. Click Add to add domains to the list. Only users in domains on the list can be invited.

Client Access Settings

Configure Client access to protected documents.

Set the period of downtime, after which if the client does not get updated, the access to protected documents becomes blocked. You can also configure how often the client checks for updates.

Single Sign-on with Active Directory

This Action defines permissions for Single Sign-on with Active Directory. The default is Do not allow Single Sign-on with Active Directory.

Working with External Users

You can add external users who can access Capsule Docs protected documents in these ways:

The first time that an external user from a new domain is added to the system, a new folder is created for the domain in the Users and Computers tree under External Users.

External users are in one of these states, shown in the User Details:

An administrator can give an external user or domain internal permissions.

To give an external user the same permissions as an internal user:

Right-click on a user or domain from the Users and Computers tree and select Grant internal permission (for document use).

External users who have internal permissions are shown in the Capsule Docs internal users Virtual Group.

To revoke an external user:

Right-click on a user or domain from the Users and Computers tree and select Revoke user. The user is moved to the Revoked Users folder. You cannot delete external users.

Troubleshooting Capsule Docs Reverse Proxy

Traffic Logs

You can configure the Reverse Proxy to send traffic logs, which then can be reviewed in SmartLog, under Mobile Access logs.

To configure the Reverse Proxy to send traffic logs:

  1. In SmartConsole, click Security Policies.
  2. Click Shared Policies > Mobile Access.
  3. Click Open Mobile Access Policy in SmartDashboard.
  4. In SmartDashboard Mobile Access tab, go to Additional Settings > Logging.
  5. In the Tracking section of the configuration screen, select Log Access for Web Applications, and select events to log:
    • Unsuccessful access events
    • All access events
  6. Install Policy.

Identify Reverse Proxy logs by these criteria:

The Access section of the log can show:

Capsule Docs Recovery

Capsule Docs Recovery

The Capsule Docs Recovery Tool generates a master key that can open all documents in a situation of disaster recovery.

A new master key is valid for one year. Therefore we recommend that you generate a new master key every year. A notification shows in the SmartEndpoint Overview page when the master key is close to its expiration date. A new master key can open all documents that were created before its creation and up to one year afterwards.

To get the Capsule Docs Recovery Tool:

  1. In the SmartEndpoint, select Tools > Capsule Docs Recovery Tool.
  2. In the window that opens, create a Recovery Key Password and enter it twice.
  3. Click Save As and select a location where the Tool is saved in a zip file.
  4. If necessary, extract the tool and use the included instructions.