UserCheck Interaction Objects

In This Section: Configuring UserCheck Kerberos Single Sign On UserCheck Page Creating UserCheck Interaction Objects Plain Text Email Notifications More UserCheck Interaction Options Localizing and Customizing the UserCheck Portal

Configuring UserCheck

Configuring the Security Gateway for UserCheck

Enable or disable UserCheck directly on the Security Gateway. If users connect to the gateway remotely, set the internal interface of the gateway (on the Topology page) to be the same as the Main URL for the UserCheck portal.

Note - The Main URL field must be manually updated if:

• The Main URL field uses an IP address and not a DNS name
• You change the IPv4 address of the gateway to IPv6 or the opposite

To configure a Security Gateway for UserCheck:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click UserCheck.
3. Click Enable UserCheck for active blades.
4. In the Main URL field, select the primary URL for the web portal that shows the UserCheck notifications.
5. If the Main URL points to an external interface:
   1. In the Accessibility section, click Edit.
   2. In the Accessibility window, click the applicable setting:
   • Through all interfaces
   • According to the firewall policy
   1. Click OK.
6. If necessary, click Aliases to add URL aliases that redirect different hostnames to the Main URL.

   For example: Usercheck.mycompany.com The aliases must resolve to the portal's IP address on the corporate DNS server.

7. In the Certificate area, click Import to import a certificate that the portal uses to authenticate to the server.
8. In the Accessibility area, click Edit to configure interfaces on the gateway through which the portal can be accessed. These options are based on the topology configured for the gateway. Users are sent to the UserCheck portal if they connect:
   • According to the Firewall policy. Select this option if there is a rule that states who can access the portal.
   • Through all interfaces
   • Through internal interfaces (default)
     • Including undefined internal interfaces
     • Including DMZ internal interfaces
     • Including VPN encrypted interfaces (default)

   Note - If Including VPN encrypted interfaces is selected, add a Firewall rule that looks like this:

   Source	Destination	VPN	Service	Action
   Any	Gateway on which UserCheck client is enabled	Any Traffic	UserCheck	Accept

9. In the UserCheck Client area, select Activate UserCheck Client Support.
   • The UserCheck client enables user interaction notifications.
   • Click Download Client to download the installation file for the UserCheck client.

     Note: The link will not be active until the UserCheck portal is up.

10. Click OK.
11. Install policy.

UserCheck CLI

Usrchk

You can use the usrchk command in the gateway command line to show or clear the history of UserCheck objects.

Description	usrchk
Syntax	usrchk [debug] [hits] [incidents]

Parameters

Parameter	Description
debug	Controls debug messages
hits	Shows user incident options: list - Options to list user incidents all - List all existing incidents. user <username> - List incidents of a specified user. uci <name of interaction object> - List incidents of a specified UserCheck interaction object clear - Options to clear user incidents all - Clear all existing incidents user <username> - Clear incidents for a specified user uci <name of interaction object> - Clear incidents of a specified UserCheck interaction object db - user hits database options
incidents	Operations that can be done for incidents. For example: Expiring Sends emails to users about their expiring email violations

Examples:

• To show all UserCheck interaction objects, run: usrchk hits list all
• To clear the incidents for a specified user, run: usrchk hits clear user <username>

Notes:

• You can only run a command that contains user <username> if:
  • Identity Awareness is enabled on the gateway.
  • Identity Awareness is used in the same policy rules as UserCheck objects.
• To run a command that contains a specified UserCheck interaction object, first run usrchk hits list all to see the names of the interaction objects. Use the name of the interaction object as it is shown in the list.

Kerberos Single Sign On

The UserCheck agent supports single sign on using the Kerberos network authentication protocol. Kerberos is the default authentication protocol used in Windows 2000 domains and above.

The Kerberos protocol is based on the idea of tickets, encrypted data packets issued by a trusted authority, in this case the Active Directory (AD). When a user logs in, the user authenticates to a domain controller that provides an initial ticket granting ticket (TGT). This ticket vouches for the user’s identity.

When the user needs to authenticate against the DLP gateway through the UserCheck agent, the agent presents this ticket to the domain controller and requests a service ticket (SR) for a specific resource (the DLP gateway). The UserCheck agent presents this service ticket to the gateway.

For more detailed information on Kerberos SSO, see:

• http://web.mit.edu/Kerberos/
• http://technet.microsoft.com/en-us/library/bb742433.aspx

Single Sign-On Configuration

SSO configuration has two steps:

• AD Configuration

  Creating a user account and mapping it to a Kerberos principal name.

• SmartConsole Configuration

  Creating an LDAP Account Unit and configuring it to support SSO.

AD Configuration

The AD configuration involves:

• Creating a New User Account
• Mapping the User Account to a Kerberos Principle Name

Creating a new User Account

1. In Active Directory, open Active Directory Users and Computers (Start > Run > dsa.msc)
2. Add a new user account. You can choose any username and password. For example: a user account named ckpsso with the password 'qwe123!@#' to the domain corp.acme.com.
3. Clear User must change password at next logon and select Password Never Expires.

Mapping the User Account to a Kerberos Principle Name

This step uses the ktpass utility to create a Kerberos principal name that is used by both the gateway and the AD. A Kerberos principal name consists of a service name (for the DLP gateway that the UserCheck agent connect to) and the domain name to which the service belongs.

Ktpass is a command-line tool available in Windows 2000 and higher.

Retrieve the correct executable

You must install the correct ktpass.exe version on the AD. Ktpass.exe is not installed by default in Windows 2003.

• Windows 2003:
  1. Retrieve the correct executable for your service pack from the Microsoft Support site prior to installation. It is part of the Windows 2003 support tools. For example, AD 2003 SP2 requires support tools for 2003 sp2.
  2. Download the support.cab and suptools.msi files to a new folder on your AD server.
  3. Run the suptools.msi.
• ActiveDirectory 2008:

  The ktpass utility is already installed on your server in the Windows\System32 folder and you can run the command line. You need to open the command prompt as an administrator by right clicking it and selecting "run as an Administrator".

Use Ktpass

1. Open a command line to run the ktpass tool (Start > Run > cmd).
2. At the command prompt, run ktpass with this syntax:

   C:> ktpass -princ ckp_pdp/domain_name@DOMAIN_NAME -mapuser username@domain_name -pass password -out unix.keytab –crypto RC4-HMAC-NT

   Important - Enter the command exactly as shown. It is case-sensitive.

   This is an example of running ktpass with these parameters:

   Parameter	Value
   domain_name@DOMAIN_NAME	corp.acme.com@CORP.ACME.COM
   username@domain_name	ckpsso@corp.acme.com
   password	qwe123@#

The AD is ready to support Kerberos authentication for the Security Gateway.

The example above shows the ktpass syntax on Windows 2003. When using Windows 2008/2008 R2 Server, the ktpass syntax is slightly different. Parameters are introduced using a forward slash "/" instead of a hyphen "-".

Example (Windows 2008):

ktpass /princ ckp_pdp/corp.acme.com@CORP.ACME.COM /mapuser ckpsso@corp.acme.com /pass qweQWE!@# /out unix.keytab /crypto RC4-HMAC-NT

Authentication Failure

Authentication will fail if you have used the ktpass utility before for the same principal name (ckp_pdp/domain_name@DOMAIN_NAME) but with a different account.

If you have used the ktpass utility before:

1. On the AD server, run:

   ldifde -f check_SPN.txt -t 3268 -d "dc=corp,dc=acme,dc=com" -l servicePrincipalName -r "(servicePrincipalName=ckp_pdp*)" -p subtree

2. Open the check_SPN.txt file and verify that only one record is present.

   If multiple records exist, you must delete the different account or remove its association to the principal name.

   Remove the association with the principle name by running:

   settspn –D ckp_pkp/domain_name old_account name.

   For example:

   setspn –D ckp_pdp/corp.acme.com ckpsso

Configuring SmartConsole for DLP SSO

Configure the object in SmartConsole for an LDAP Account Unit to support SSO.

To create a host object for the AD server:

1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).
2. Click New > Host.
3. Configure the settings for the host.
4. Click OK and publish the changes.

To configure the LDAP account unit:

1. From the Object Explorer, click New > Server > LDAP Account Unit.
2. In the General tab of the LDAP Account Unit Properties window, enter these settings:
   1. Enter the Name.
   2. In Profile, select Microsoft_AD.
   3. In the Domain field, enter the domain name.

      Best Practice - Configure this field for account units that you want to use for Identity Awareness. This setting does not affect other LDAP Account Units.

   4. Select CRL retrieval and User management.
3. Click Active Directory SSO configuration.
4. In the Active Directory SSO configuration window, configure these settings:
   1. Select Use Kerberos Single Sign On.
   2. Enter the Domain Name.
   3. Enter the Account Name and Password for the AD account.
   4. Do not change the default settings for Ticket encryption method.
   5. Click OK.
5. Configure these settings in the Servers tab:
   1. Click Add.
   2. In Host, select the host object for the AD server.
   3. Enter the Login DN of the user (added in the AD) for LDAP operations.
   4. Enter the Password and confirm it.
   5. In the Check Point Gateways are allowed to section, make sure that Read data from this server is selected.
6. Click the Encryption tab, and configure these settings:
   1. Click Use Encryption (SSL).
   2. Click Fetch.
   3. Click OK.

   Note - LDAP over SSL is not supported by default. If you have not configured your domain controller to support LDAP over SSL, either skip step 6 or configure your domain controller to support LDAP over SSL.

7. Click the Objects Management tab, and configure these settings:
   1. In the Manage objects on field, select the host object for the AD server
   2. Click Fetch Branches to configure the branches in use.
   3. Set the number of entries supported.
8. Click the Authentication tab, and configure these settings:
   1. In the Users's default values section, click Default authentication scheme.
   2. Select Check Point Password.
9. Click OK and publish the changes.

UserCheck Page

On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their messages. It has these options:

Option	Meaning
New	Creates a new UserCheck object
Edit	Modifies an existing UserCheck object
Delete	Deletes an UserCheck object
Clone	Clones the selected UserCheck object.

These are the default UserCheck messages:

Name	Action Type	Description
Inform User	Inform	Shows when the action for the rule is inform. It informs users what the company policy is for that site.
Blocked Message	Block	Shows when a request is blocked.
Ask User	Ask	Shows when the action for the rule is ask. It informs users what the company policy is for that site and they must click OK to continue to the site.
Cancel Page	Cancel	Shows after a user gets an Inform or Ask message and clicks Cancel.
Success Page	Approve	Shows information was sent according to the user's request.
Successfully Discarded	Discard	Shows when the information was successfully discarded according to the user's request.

Ask and Inform pages include a Cancel button that users can click to cancel the request.

You can preview each message page in these views:

• Regular view - How the message shows in a web browser on a PC or laptop
• Mobile Device - How the message shows in a web browser on a mobile device
• Email - How the message shows in email
• Agent - How the message shows in the agent

Creating UserCheck Interaction Objects

Create a UserCheck Interaction object from the Rule Base or from the UserCheck page of the DLP tab. The procedure below shows how to create the object from the Rule Base in SmartDashboard.

Note - You can only edit DLP UserCheck objects in SmartDashboard. You cannot create or edit them in SmartConsole.

To create a UserCheck object that includes a message:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Policy.

   The Action column uses these interaction modes:

   • Inform user - Show an informative message users. Users can continue to the application or cancel the request.
   • Ask user - Show a message to users that asks them if they want to continue with the request or not. To continue with the request, the user is expected to supply a reason.
   • Prevent - Show a message to users and block the application request.
3. Right-click the cell for the rule and select the interaction mode > New.

   You can also double-click an existing interaction mode to edit it.

   The UserCheck Interaction window opens on the Message page.

4. Enter a name for the UserCheck object and, optionally, a comment.
5. Select a language (English is the default) from the Languages tabs.
6. Click Add logo to add a graphic, such as company logo.

   Note - The graphic must have a height and width of 176 x 52 pixels.

7. Click the text box adjacent to the picture and enter title text for the message.
8. In the page title, message subject, and message body text boxes, enter the message content. You can:
   1. Use the formatting toolbar to change text color, alignment, add or remove bullets.
   2. Insert field variables for:
      • Username
      • Original URL
      • Source IP
      • Incident ID
      • Violation protocol
      • Email subject / File name
      • Matched Rules Notifications

      Variables are replaced with applicable values when the (Prevent, Ask, Inform) action occurs and the message shows. The Username can only be displayed if the Identity Awareness blade is enabled.

   3. Use the Insert User Input variable to add a:
      • Confirm checkbox - Users select a checkbox to continue
      • Textual Input - Users can enter an explanation for their activity or other text according to the instructions. Edit the default text in the Textual Input box based on your business needs.
      • Wrong report category - Users can click a link to report that an incorrect category was included in the message. Use this field with the Category variable.
9. Optional: Click Preview in browser to see the results in your default browser.
10. Click OK.
11. Click Save and then close SmartDashboard.
12. From SmartConsole, Install Policy.

Plain Text Email Notifications

Not all emails clients can handle emails in rich text or HTML format. To accommodate such clients, you can configure the gateway to send emails without images.

To configure emails without images:

1. On the DLP gateway, open this file for editing:

   $FWDIR/conf/usrchkd.conf

2. Locate the send_emails_with_no_images entry.
3. Change the value to true.
4. Save and close the file.
5. Kill the userchkd process.

   The process is automatically restarted by the gateway. The new configuration will survive a gateway reboot.

   Email notifications are now sent in both plain text and HTML formats. The user's email clients decides which format to show.

More UserCheck Interaction Options

For each UserCheck Interaction object you can configure these options from the UserCheck Interaction window:

• Message - Modify the message text.
• Languages - Select a default language for the message.
• Fallback Action - For DLP, the fallback action is derived from the original action. If the original action is:
  • Ask - The fallback is Block
  • Inform - The fallback is Detect
• Conditions - Select actions that must occur before users can access the application. Select one or more of these options:
  • User accepted and selected the confirm checkbox - This applies if the UserCheck message contains a checkbox (Insert User Input > Confirm Checkbox). Users must accept the text shown and select the checkbox before they can access the application.
  • User filled some textual input - This applies if the UserCheck message contains a text field (Insert User Input > Textual Input). Users must enter text in the text field before they can access the application. For example, you might require that users enter an explanation for use of the application.

Localizing and Customizing the UserCheck Portal

After you set the UserCheck interaction object language, you can translate the Portal OK and Cancel buttons to the applicable language. For more information, see: sk83700.

The DLP UserCheck predefined notifications are in only English by default. If necessary, you can add more languages manually.

To support more languages for UserCheck:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click UserCheck.
3. Select a UserCheck interaction object and click Edit.
4. In the Message pane, click Languages.
5. From the list, select the applicable language.
6. Click OK.

   A tab for the language is added.

7. Enter the necessary text and click OK.