Print Download PDF Send Feedback

Previous

Next

Remote Help

In This Section:

Overview of Remote Help

Web Remote Help

Giving Remote Help to Full Disk Encryption Users

Media Encryption & Port Protection Remote Help Workflow

Disabling Remote Help

User-Bound Remote Help

Overview of Remote Help

Users can be denied access to their Full Disk Encryption-protected computers or Media Encryption & Port Protection-protected devices for many different reasons. They might have forgotten their password or entered the incorrect password too many time. In the worst case scenario, a hacker might have tried access the computer or device.

Remote Help can help users in these types of situations. The user contacts the Help Desk or specified administrator and follows the recovery procedure.

Note - An Endpoint Security administrator can give Remote Help only if you enable Remote Help in the OneCheck User Settings policy.

Administrators can supply Remote Help through SmartEndpoint or through an online web portal.

There are two types of Full Disk Encryption Remote Help:

Web Remote Help

Administrators can use the built in Remote Help or online portal on the Endpoint Security Management Server, or create a dedicated server for the online web portal.

A dedicated server for the online web portal is supported on Gaia servers.

Administrators can authenticate to the web portal with these authentication methods:

Turning on Web Remote Help on Endpoint Security Management Server

You must turn on the Web Remote Help in SmartEndpoint before you can use it.

To turn on the Web Remote Help:

  1. In SmartEndpoint, go to Manage > Endpoint Servers.

    The Endpoint Server window opens.

  2. Double-click on the name of an existing server on the list.
  3. Select Remote Help Server.
  4. Click Next.
  5. Install Database.

When you turn on or turn off the Web Remote Help, the Endpoint Security Management Server restarts and all connections with client computers and SmartEndpoint sessions get disconnected.

Configuring the Length of the Remote Help Response

Administrators can configure how many characters are in the Remote Help response that users must enter. The default length is 30 characters.

To change the length of the Remote Help response:

  1. In the Policy tab, Full Disk Encryption rule, double-click the Pre-boot Protection action.
  2. In the Pre-boot Protection Properties window, click Advanced Pre-boot Settings.
  3. In the General Pre-boot Settings window, Remote Help area, select a Remote Help response length.
  4. Click OK.
  5. Click OK.
  6. Install policy.

Logging into Web Remote Help portal

You can log into Web Remote Help portal using one of these methods:

Password Login is the default method and shows when you first connect to the portal. The link in the right bottom corner of the Endpoint Security Web Remote Help window lets you toggle between the two login methods.

To login using Password Login method:

  1. Enter a User Name and select a domain name from the Domains list.

    Notes -

    • You can set the user name in UPN format, for example: UserName@ExampleCompany.com
    • Domain name for the internal users is internal-users
  2. Enter the Password.
  3. Click Log In.

To login using Token Login method:

  1. Enter a User Name and select a domain name from the Domains list.

    Notes -

    • You can set the user name in UPN format, for example: UserName@ExampleCompany.com
    • Domain name for the internal users is internal-users
  2. Click Next.
  3. Enter the Challenge string into your token.
  4. Enter the Response generated by the X.99 Token.
  5. Click Login.

Configuring a Standalone Web Remote Help Server

You can configure a standalone Web server for Remote Help. This is supported on Gaia servers.

To configure a Standalone Remote Help Server:

  1. In SmartEndpoint, go to Manage > Endpoint Servers.

    The Endpoint Server window opens.

  2. Click New.
  3. Select an Endpoint Security Management Server.
  4. In the window that opens, select Endpoint Security Management Server.
  5. Enter Server Name and IP Address.
  6. Select a color (optional).
  7. Enter a comment (optional).
  8. Click Next.
  9. Create SIC trust between the Primary Endpoint Security Management Server and the Remote Help sever:
    1. Enter the same SIC Activation Key as the one you entered in the Check Point Configuration Tool.
    2. Click Initialize to create a state of trust between the Endpoint Security Management Servers.
    3. If trust creation fails, click Test SIC Status to see troubleshooting instructions.
    4. If you have to reset the SIC, click Reset, reset the SIC on the Remote Help server, then click Initialize.
    5. Click Next
  10. Install Database on all servers.

Managing Web Remote Help Accounts

You can do these web Remote Help account management actions:

Adding a Web Remote Help Account

To add a web Remote Help account:

  1. In SmartEndpoint, go to Manage > Web Remote Help Accounts.

    The Web Remote Help Accounts window opens.

  2. Click New.

    The Web Remote Help Account wizard opens.

  3. Select a User type:
    • Existing User/Group - AD user or group
    • Local User - Check Point user
  4. Click Next.
  5. Configure login credentials:

    User type & Authentication

    Credentials

    Existing user with AD authentication

    a. In the Login field, type the name of a user from the AD (auto-complete field).

    b. In the Login Method, select AD Authentication.

    Existing user with Token authentication

    a. In the Login field, type the name of a user from the AD (auto-complete field).

    b. In the Login Method, select Token.

    c. Click Select.

    d. Select a token.

    e. Click OK.

    Local user with fixed password authentication

    a. In the Login field, type the login name of a user.

    b. In the Login Method, select Password.

    Local user with Token authentication

    a. In the Login field, type the login name of a user.

    b. In the Login Method, select Token.

    c. Click Select.

    d. Select a token.

    e. Click OK.

    AD Group/OU with AD Authentication

    a. In the Login field, type the name of a group from the AD (auto-complete field).

    b. In the Login Method, select AD Authentication.

    Note - Token authentication is not supported for AD Group/OU.

  6. Click Next.
  7. Set the expiration date (optional):
    1. Select Expiration.
    2. Select a Start Date.
    3. Select an Expiration Date.
  8. Set the location, if necessary:
    1. In the Account Details section, click Add.
    2. Enter a location or select one from the list.
  9. Click Finish.

To disable the Web Remote Help account:

Select Disable remote help account. When you create a new account, it is enabled by default.

Editing a Web Remote Help Account

To edit a web Remote Help account:

  1. In SmartEndpoint, go to Manage > Web Remote Help Accounts.

    The Web Remote Help Accounts window opens.

  2. Select an existing account from the list.
  3. Click Edit.

    The Web Remote Help Account Configuration window opens.

  4. Change the configuration as necessary.

    Note - you cannot change the type of an existing account.

Deleting a Web Remote Help Account

To delete a web Remote Help account:

  1. In SmartEndpoint, go to Manage > Web Remote Help Accounts.

    The Web Remote Help Accounts window opens.

  2. Select an existing account from the list.
  3. Click Delete.
  4. Click OK.

Searching for an Existing Web Remote Help Account

To search for an existing web Remote Help account:

  1. In SmartEndpoint, go to Manage > Web Remote Help Accounts.

    The Web Remote Help Accounts window opens.

  2. In the search box, type in the name of an account.

    List of results shows.

Configuring SSL Support for AD Authentication

To use Remote Help with AD password, it is necessary for the Remote Help server to connect to the domain controller with SSL.

To configure SSL Support:

  1. Get an SSL certificate from your Domain Controller.
  2. Import the SSL certificate to the Endpoint Security Management Server. See sk84620 for how to install the Domain Controller certificate on the Remote Help server.
  3. Run this CLI command on the Endpoint Security Management Server to activate the SSL connection:

    $UEPMDIR/system/install/wrhAuthConfig

Note - Web Remote Help works with LDAPS or LDAP authentication only. Mixed mode is not supported.

Giving Remote Help to Full Disk Encryption Users

Use this challenge/response procedure to give access to users who are locked out of their Full Disk Encryption protected computers.

To give Full Disk Encryption Remote Help assistance from the SmartEndpoint:

  1. Select Tools > Remote Help > User Logon Preboot Remote Help.

    The User Logon Preboot Remote Help window opens.

  2. Select the type of assistance the end-user needs:
    1. One Time Login -Gives access as an assumed identity for one session without resetting the password.
    2. Remote password change - This option is for users who have forgotten their fixed passwords.
  3. In the User Name field, click Browse and select the user in the Select a Node window.
  4. Select the locked computer in the Device Name list.
  5. Click Generate Response.
  6. Tell the user to enter the Response One (to user) text string in the Remote Help window on the locked computer.

    The endpoint computer shows a challenge code.

  7. In the Challenge (from user) field, enter the challenge code that the user gives you.
  8. Click Generate Response.

    Remote Help authenticates the challenge code and generates a response code.

  9. Tell the user to enter the Response Two (to user) text string in the Remote Help window on the locked computer.
  10. Make sure that the user changes the password or has one-time access to the computer before ending the Remote Help session.

To give Full Disk Encryption Remote Help assistance from the web portal:

  1. Go to https://<Endpoint Security Management Server IP>/webrh.
  2. Enter your User Name and Password to log in to the portal. Administrators must have permission to provide Remote Help.
  3. Select FDE.
  4. Select the type of assistance the end-user needs:
    1. One Time Login -Gives access as an assumed identity for one session without resetting the password.
    2. Remote password change - This option is for users who have forgotten their fixed passwords.
  5. In the User Name enter the User's name.
  6. Select the locked computer in the Device Name list.
  7. Click Get Response One.
  8. Tell the user to enter the Response One (to user) text string in the Remote Help window on the locked computer.

    The endpoint computer shows a challenge code.

  9. In the Challenge (from user) field, enter the challenge code that the user gives you.
  10. Click Get Response Two.

    Remote Help authenticates the challenge code and generates a response code.

  11. Tell the user to enter the Response Two (to user) text string in the Remote Help window on the locked computer.
  12. Make sure that the user changes the password or has one-time access to the computer before ending the Remote Help session.

Media Encryption & Port Protection Remote Help Workflow

Media Encryption & Port Protection lets administrators recover removable media passwords remotely using a challenge/response procedure. Always make sure that the person requesting Remote Help is an authorized user of the storage device before you give assistance.

To recover a Media Encryption & Port Protection password with Remote Help assistance from the SmartEndpoint:

  1. Select Tools > Remote Help > Media Encryption Remote Help.

    The Media Encryption & Port Protection Remote Help window opens.

  2. In the User Logon Name field, select the user.
  3. In the Challenge field, enter the challenge code that the user gives you. Users get the Challenge from the Endpoint Security client.
  4. Click Generate Response.

    Media Encryption & Port Protection authenticates the challenge code and generates a response code.

  5. Give the response code to the user.
  6. Make sure that the user can access the storage device successfully.

To recover a Media Encryption & Port Protection password with Remote Help assistance from the web portal:

  1. Go to https://<Endpoint Security Management Server IP>/webrh.
  2. Enter your User Name and Password to log in to the portal. Administrators must have permission to give Remote Help.
  3. Select ME.
  4. In the User Name field, enter the name of the user.
  5. In the Challenge field, enter the challenge code that the user gives you. Users get the Challenge from the Endpoint Security client.
  6. Click Generate Response.

    Media Encryption & Port Protection authenticates the challenge code and generates a response code.

  7. Give the response code to the user.
  8. Make sure that the user can access the storage device successfully.

Disabling Remote Help

To disable Remote Help:

  1. In the Media Encryption & Port Protection Policy window, in the Encrypt Removable Media area, click Advanced Settings.

    The Media Encryption page opens.

  2. In the Offline Mode Settings expand the Advanced Settings area.
  3. Clear the Allow users to recover their password using remote help option.

User-Bound Remote Help

User-bound Remote Help lets you do remote help for a user, Offline Group, or an organization without an exact device name. A special user is created for this purpose.

Note - User-bound Remote Help is less secure than regular Remote Help because the same key for Remote Help is distributed to all machines assigned to the specified user account.

To create a new Pre-boot user for User-bound Remote Help:

  1. Use the procedure in Creating Pre-boot Users.
  2. In the Account Details window, select Do not use device information for Full Disk Encryption Remote Help.