UserCheck Client

In This Section: UserCheck Client Overview UserCheck Requirements Enabling UserCheck Client Client and Gateway Communication Getting the MSI File Distributing and Connecting Clients Helping Users

UserCheck Client Overview

The UserCheck client is installed on endpoint computers to communicate with the gateway and show UserCheck interaction notifications to users.

It works with the Data Loss Prevention and Content Awareness Software Blades.

Notifications of incidents can be sent by email (for SMTP traffic) or shown in a popup from the UserCheck client in the system tray (for SMTP, HTTP and FTP).

UserCheck client adds the option to send notifications for applications that are not in a web browser, such as Skype, iTunes, or browser add-ons (such as radio toolbars). The UserCheck client can also work together with the UserCheck portal to show notifications on the computer itself when:

• The notification cannot be displayed in a browser, or
• The UserCheck engine determines that the notification will not be shown correctly in the browser.

Users select an option in the notification message to respond in real-time.

For Data Loss Prevention (DLP), administrators with full permissions or the View/Release/Discard DLP messages permission can also send or discard incidents from the SmartConsole Logs & Monitor > Logs view.

Workflow for installing and configuring UserCheck clients:

1. Configure how the clients communicate with the gateway and create trust with it.
2. Enable UserCheck and the UserCheck client on the gateway.
3. Download the UserCheck client MSI file.
4. Install the UserCheck client on the endpoint computers.
5. Make sure that the UserCheck clients can connect to the gateway and receive notifications.

UserCheck Requirements

See UserCheck Client Requirements in the R80.30 Release Notes.

Enabling UserCheck Client

Enable UserCheck and the UserCheck client on the gateway in the Properties window of the gateway object in SmartConsole. This is necessary to let clients communicate with the gateway.

To enable UserCheck and the UserCheck client on the gateway:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click UserCheck.
3. Select Enable UserCheck for active blades.

   This enables UserCheck notifications from the gateway.

4. In the UserCheck Client section, select Activate UserCheck Client support.

   This enables UserCheck notifications from the client.

5. Click OK and Install Policy.

Client and Gateway Communication

In an environment with UserCheck clients, the gateway acts as a server for the clients. Each client must be able to discover the server and create trust with it.

To create trust, the client makes sure that the server is the correct one. It compares the server fingerprint calculated during the SSL handshake with the expected fingerprint. If the server does not have the expected fingerprint, the client asks the user to manually confirm that the server is correct.

Here is a summary of the methods that you can use for clients to discover and trust the server. More details are described later in this section.

• File name based server configuration – If no other method is configured (default, out-of-the-box situation), all UserCheck clients downloaded from the portal are renamed to have the portal machine IP address in the filename. During installation, the client uses this IP address to connect to the gateway. Note that the user has to click Trust to manually trust the server.
• AD based configuration – If client computers are members of an Active Directory domain, you can deploy the server addresses and trust data using a dedicated tool.
• DNS SRV record based server discovery – Configure the server addresses in the DNS server. Note that the user has to click Trust to manually trust the server.
• Remote registry – All of the client configuration, including the server addresses and trust data reside in the registry. You can deploy the values before installing the client (by GPO, or any other system that lets you control the registry remotely). This lets you use the configuration when the client is first installed.

Option Comparison

	Requires AD	Manual User Trust (one time) Required?	Multi- Site	Client Remains Signed?	Still works after Gateway Changes	Level	Recommended for...
File name based	No	Yes	No	Yes	No	Very Simple	Single Security Gateway deployments
AD based	Yes	No	Yes	Yes	Yes	Simple	Deployments with AD that you can modify
DNS based	No	Yes	Partially (per DNS server)	Yes	Yes	Simple	Deployments without AD With an AD you cannot change, and a DNS that you can change
Remote registry	No	No	Yes	Yes	Yes	Moderate	Where remote registry is used for other purposes

File Name Based Server Discovery

This option is the easiest to deploy, and works out-of-the-box. It requires that users manually click Trust to trust the server the first time they connect. You can use this option if your deployment has only one Security Gateway with the relevant Software Blades.

How does it work?

When a user downloads the UserCheck client, the address of the Security Gateway is inserted in the filename. During installation, the client finds if there is a different discovery method configured (AD based, DNS based, or local registry). If no method is configured, and the gateway can be reached, it is used as the server. In the UserCheck Settings window, you can see that the server you connect to is the same as the Security Gateway in the UserCheck client filename.

Users must manually make sure that the trust data is valid, because the filename can be easily changed.

Renaming the MSI

You can manually change the name of the MSI file before it is installed on a computer. This connects the UserCheck client to a different gateway.

To rename the MSI file:

1. Make sure the gateway has a DNS name.
2. Rename the MSI using this syntax: UserCheck_~GWname.msi

   Where GWname - is the DNS name of the gateway.

   Optional: Use UserCheck_~GWname-port.msi

   Where port is the port number of notifications. For example, UserCheck_~mygw-18300.msi.

Notes - The prefix does not have to be "UserCheck". The important part of the syntax is underscore tilde (_~), which indicates that the next string is the DNS of the gateway. If you want to add the port number for the notifications to the client from the gateway, the hyphen (-) indicates that the next string is the port number.

Active Directory Based Configuration

If your client computers are members of an Active Directory domain and you have administrative access to this domain, you can use the Distributed Configuration tool to configure connectivity and trust rules.

The Distributed Configuration tool has three windows:

• Welcome - Describes the tool and lets you enter different credentials that are used to access the AD.
• Server configuration – Configure which Security Gateway the client connects to, based on its location.
• Trusted gateways – View and change the list of fingerprints that the Security Gateways consider secure.

To enable Active Directory based configuration for clients:

1. Download and install the UserCheck client MSI on a computer.

   From the command line on that computer, run the client configuration tool with the AD utility.

   For example, on a Windows 7 computer:

   "C:\Users\<user name>\Local Settings\Application Data\Checkpoint\UserCheck\UserCheck.exe" -adtool

   The Check Point UserCheck - Distributed Configuration tool opens.

2. In the Welcome page, enter the credentials of an AD administrator.

   By default, your AD username is shown. If you do not have administrator permissions, click Change user and enter administrator credentials.

3. In the Server Configuration page, click Add.

   The Identity Server Configuration window opens.

4. Select Default and then click Add.
5. Enter the IP address or Fully Qualified Domain Name (FQDN) and the port of the Security Gateway.
6. Click OK.

   The identity of the AD Server for the UserCheck client is written in the Active Directory and given to all clients.

Note - The entire configuration is written under a hive named Check Point under the Program Data branch in the AD database that is added in the first run of the tool. Adding this hive does not affect other AD based applications or features.

Server Configuration Rules

If you use the Distributed Configuration tool and you configure the client to Automatically discover the server, the client fetches the rule lists. Each time it must connect to a server, it tries to match itself against a rule, from top to bottom.

When the tool matches a rule, it uses the servers shown in the rule, according to the priority specified.

The configuration in this example means:

1. If the user is coming from ‘192.168.0.1 – 192.168.0.255’, then try to connect to US-GW1. If it is not available, try BAK-GS2 (it is only used if US-GW1 is not available, as its priority is higher).
2. If the user is connected from the Active Directory site ‘UK-SITE’, connect either to UK-GW1 or UK-GW2 (choose between them randomly, as they both have the same priority). If both of them are not available, connect to BAK-GS2.
3. If rules 1 and 2 do not apply, connect to BAK-GS2 (the default rule is always matched when it is encountered).

Use the Add, Edit and Remove buttons to change the server connectivity rules.

Trusted Gateways

The Trusted Gateways window shows the list of servers that are trusted - no messages open when users connect to them.

You can add, edit or delete a server. If you have connectivity to the server, you can get the name and fingerprint. Enter its IP address and click Fetch Fingerprint in the Server Trust Configuration window. If you do not have connectivity to the server, enter the same name and fingerprint that is shown when you connect to that server.

DNS Based Configuration

If you configure the client to Automatic Discovery (the default), it looks for a server by issuing a DNS SRV query for the address of the gateway (the DNS suffix is added automatically). You can configure the address in your DNS server.

To configure DNS based configuration on the DNS server:

1. Go to Start > All Programs > Administrative Tools > DNS.
2. Go to Forward lookup zones and select the applicable domain.
3. Go to the _tcp subdomain.
4. Right click and select Other new record.
5. Select Service Location, Create Record.
6. In the Service field, enter CHECKPOINT_DLP.
7. Set the Port number to 443.
8. In Host offering this server, enter the IP address of the Security Gateway.
9. Click OK.

To configure Load Sharing for the Security Gateway, create multiple SRV records with the same priority.

To configure High Availability, create multiple SRV records with different priorities.

Note - If you configure AD based and DNS based configuration, the results are combined according to the specified priority (from the lowest to highest).

Troubleshooting DNS Based Configuration

To troubleshoot issues in DNS based configuration, you can see the SRV records that are stored on the DNS server.

To see SRV records on the DNS server:

Run:

C:\> nslookup
> set type=srv
> checkpoint_dlp._tcp

The result is:

C:\> nslookup > set type=srv > checkpoint_dlp._tcp Server: dns.company.com Address: 192.168.0.17 checkpoint_dlp._tcp.ad.company.com SRV service location: priority = 0 weight = 0 port = 443 svr hostname = dlpserver.company.com dlpserver.company.com internet address = 192.168.1.212 >

Remote Registry

If you have a way to deploy registry entries to your client computers, for example, Active Directory or GPO updates, you can deploy the Security Gateway addresses and trust parameters before you install the clients. Clients can then use the deployed settings immediately after installation.

To configure the remote registry option:

1. Install the client on one of your computers. The agent installs itself in the user directory, and saves its configuration to HKEY_CURRENT_USER.
2. Connect manually to all of the servers that are configured, verify their fingerprints, and click Trust on the fingerprint verification dialog box.
3. Configure the client to manually connect to the requested servers (use the Settings window).
4. Export these registry keys (from HKEY_CURRENT_USER):
   1. SOFTWARE\CheckPoint\UserCheck\TrustedGateways (the entire tree)
   2. SOFTWARE\CheckPoint\UserCheck\
      1. DefaultGateway
      2. DefaultGatewayEnabled
5. Import the exported keys to the endpoint computers before you install the UserCheck client.

Getting the MSI File

To get the MSI file:

1. In SmartConsole, in the Gateways & Servers view, open the General Properties window of the gateway object.
2. From the navigation tree, select UserCheck.
3. In the UserCheck Client section, click Download Client.

   Important - Before you can download the client msi file, the UserCheck portal must be up. The portal is up only after a Policy installation.

Distributing and Connecting Clients

After configuring the clients to connect to the gateway, install the clients on the user machines. You can use any method of MSI or EXE mass deployment and installation that you choose. For example, you can send users an email with a link to install the client. When a user clicks the link, the MSI file automatically installs the client on the computer.

Alternatively, users can download the installation package from the regular DLP UserCheck notifications.

To install the client for all user accounts on a Windows computer, see sk96107.

The installation is silent and generally, no reboot is required.

When the client is first installed, the tray icon indicates that it is not connected. When the client connects to the gateway, the tray icon shows that the client is active.

The first time that the client connects to the gateway, it asks for verification from the user and approval of the fingerprint.

Best Practices:

• Let the users know this will happen.
• Use a server certificate that is trusted by the certificate authority installed on users' computers. Then users do not see a message that says: Issued by unknown certificate authority.

If UserCheck for DLP is enabled on the gateway, users are required to enter their username and password after the client installs.

Example of message to users about the UserCheck client installation (for DLP):

Dear Users,

Our company has implemented a Data Loss Prevention automation to protect our confidential data from unintentional leakage. Soon you will be asked to verify the connection between a small client that we will install on your computer and the computer that will send you notifications.

This client will pop up notifications if you try to send a message that contains protected data. It might let you to send the data anyway, if you are sure that it does not violate our data-security guidelines.

When the client is installed, you will see a window that asks if you trust the DLP server. Check that the server is SERVER NAME and then click Trust.

In the next window, enter your username and password, and then click OK.

Note - If the UserCheck client is not connected to the gateway, the behavior is as if the client was never installed. Email notifications are sent for SMTP incidents and the Portal is used for HTTP incidents.

UserCheck and Check Point Password Authentication

You can see and edit Check Point users from Users and Administrators in the navigation tree.

To enable Check Point password authentication:

SmartConsole Configuration

1. Open SmartConsole and open the Manage & Settings view.
2. Click Permissions & Administrators > Administrators, and select an existing user or create a new user.
3. In the General Properties page of the user, make sure that an email address is defined.
4. In the Authentication Properties page of the user, set Authentication Scheme to Check Point Password and enter the password and password confirmation.
5. Click OK.

UserCheck Client Configuration

Ask your users to configure their UserCheck client:

1. On the UserCheck client computer, right click the UserCheck icon in the Notification Area (next to the system clock).
2. Select Settings.
3. Click Advanced.
4. Select Authentication with Check Point user accounts defined internally in SmartConsole.

Helping Users

If users require assistance to troubleshoot issues with the UserCheck client, you can ask them to send you the logs.

To configure the client to generate logs:

1. Right-click the UserCheck tray icon and select Settings.

   The Settings window opens.

2. Click Log to and browse to a pathname where the logs are saved.
3. Click OK.

To send UserCheck logs from the client:

1. Right-click the UserCheck tray icon and select Status.

   The Status window opens.

2. Click Advanced and then click the Collect information for technical support link.

   The default email client opens, with an archive of the collected logs attached.

Blade Settings

To configure Global Properties, Inspection Settings and Advanced Settings for Blades:

1. In SmartConsole, go the Manage & Settings view.
2. Click Blades.

Inspection Settings

You can configure inspection settings for the Firewall:

• Deep packet inspection settings
• Protocol parsing inspection settings
• VoIP packet inspection settings

The Security Management Server comes with two preconfigured inspection profiles for the Firewall:

• Default Inspection
• Recommended Inspection

When you configure a Security Gateway, the Default Inspection profile is enabled for it. You can also assign the Recommended Inspection profile to the Security Gateway, or to create a custom profile and assign it to the Security Gateway.

To activate the Inspection Settings, install the Access Control Policy.

Note - In a pre-R80 SmartConsole, Inspection Settings are configured as IPS Protections.

Configuring Inspection Settings

To configure Inspection Settings:

1. In SmartConsole, go to the Manage & Settings > Blades view.
2. In the General section, click Inspection Settings.

   The Inspection Settings window opens.

You can:

• Edit inspection settings.
• Edit user-defined Inspection Settings profiles. You cannot change the Default Inspection profile and the Recommended Inspection profile.
• Assign Inspection Settings profiles to Security Gateways.
• Configure exceptions to settings.

To edit a setting:

1. In the Inspection Settings > General view, select a setting.
2. Click Edit.
3. In the window that opens, select a profile, and click Edit.

   The settings window opens.

4. Select the Main Action:
   • Default Action - preconfigured action
   • Override with Action - from the drop-down menu, select an action with which to override the default - Accept, Drop, Inactive (the setting is not activated)
5. Configure the Logging Settings

   Select Capture Packets, if you want to be able to examine packets that were blocked in Drop rules.

6. Click OK.
7. Click Close.

For advanced configuration of SYN attacks, please see sk120476.

To view settings for a certain profile:

1. In the Inspection Settings > General view, click View > Show Profiles.
2. In the window that opens, select Specific Inspection settings profiles.
3. Select profiles.
4. Click OK.

   Only settings for the selected profiles are shown.

You can add, edit, clone, or delete custom Inspection Settings profiles.

To edit a custom Inspection Settings profile:

1. In the Inspection Settings > Profiles view, select a profile.
2. Click Delete, to remove it, or click Edit to change the profile name, associated color, or tag.
3. If you edited the profile attributes, click OK to save the changes.

To add a new Inspection Settings profile:

1. In the Profiles view, click New.
2. In the New Profile window that opens, edit the profile attributes:
3. Click OK.

To assign an Inspection Settings profile to a Security Gateway:

1. In the Inspection Settings > Gateways view, select a gateway, and click Edit.
2. In the window that opens, select an Inspection Settings profile.
3. Click OK.

To configure exceptions to inspection settings:

1. In the Inspection Settings > Exceptions view, click New to add a new exception, or select an exception and click Edit to modify an existing one.

   The Exception Rule window opens.

2. Configure the exception settings:
   • Apply To - select the Profile to which to apply the exception
   • Protection - select the setting
   • Source - select the source Network Object, or select IP Address and enter a source IP address
   • Destination - select the destination Service Object
   • Service - select Port/Range, TCP or UDP, and enter a destination port number or a range of port numbers
   • Install On - select a gateway on which to install the exception
3. Click OK.

To enforce the changes, install the Access Control Policy.