Web Remote Help
Administrators can use the built-in Remote Help or online portal on the Endpoint Security Management Server, or create a dedicated server for the online web portal.
Remote Help: Users can be denied access to their Full Disk Encryption-protected computers or Media Encryption & Port Protection-protected devices for many different reasons. Remote Help can help users in these types of situations. The user contacts the Help Desk or specified administrator and follows the recovery procedure.
Endpoint Security Management Server: A Security Management Server that manages your Endpoint Security environment. It includes the Endpoint Security policy management and databases, and communicates with endpoint clients to update their components, policies, and protection data.
Administrators can authenticate to the web portal with these authentication methods:
- Check Point Password login (default) - Configure this in SmartEndpoint, the Check Point GUI application that connects to the Endpoint Security Management Server to deploy, monitor and configure Endpoint Security clients and policies.
- Active Directory Password - See Configuring SSL Support for AD Authentication
- Dynamic Token
- RADIUS or TACACS+ Authentication Server
Turning on Web Remote Help on Endpoint Security Management Server
You must turn on the Web Remote Help in SmartEndpoint before you can use it.
To turn on the Web Remote Help:
- In SmartEndpoint, go to Manage > Endpoint Servers.
  The Endpoint Servers window opens.
- Double-click the name of a server in the list.
- Select Endpoint Remote Help Server.
- Click Next.
- Install Database.
When you turn on or turn off the Web Remote Help, the Endpoint Security Management Server restarts and all connections with client computers and SmartEndpoint sessions get disconnected.
Configuring the Length of the Remote Help Response
Administrators can configure how many characters are in the Remote Help response that users must enter. The default length is 30 characters.
To change the length of the Remote Help response:
- In the Policy tab, in the Full Disk Encryption rule, double-click the Pre-boot Protection action.
- In the Pre-boot Protection Properties window, click Advanced Pre-boot Settings.
- In the Advanced Pre-boot Settings window, in the Remote Help area, select a Remote Help response length.
- Click OK.
- Click OK.
- Install policy.
Logging into Web Remote Help portal
You can log in to the Web Remote Help portal with one of these methods:
- Password Login
- Token Login
Password Login is the default method and shows when you first connect to the portal. The link in the bottom right corner of the Endpoint Security Web Remote Help window lets you toggle between the two login methods.
To log in with the Password Login method:
- Enter a User Name and select a domain name from the Domains list.
  Notes -
  - You can set the user name in UPN format, for example: UserName@example.com
  - The domain name for internal users is internal-users
- Enter the Password.
- Click Log In.
To log in with the Token Login method:
- Enter a User Name and select a domain name from the Domains list.
  Notes -
  - You can set the user name in UPN format, for example: UserName@ExampleCompany.com
  - The domain name for internal users is internal-users
- Click Next.
- Enter the Challenge string into your token.
- Enter the Response generated by the X.99 Token.
- Click Login.
Configuring a Standalone Web Remote Help Server
You can use the built-in Remote Help or online portal on the Endpoint Security Management Server, or create a dedicated, standalone server for the online web portal.
To configure a standalone Remote Help Server:
- In SmartEndpoint, go to Manage > Endpoint Servers.
  The Endpoint Server window opens.
- Click New.
- Select an Endpoint Security Management Server.
- In the window that opens, select Endpoint Security Management Server.
- Enter Server Name and IP Address.
- Select a color (optional).
- Enter a comment (optional).
- Click Next.
- Create SIC (Secure Internal Communication) trust between the Primary Endpoint Security Management Server and the Remote Help server. SIC is the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, based on certificates issued by the ICA on a Check Point Management Server.
  - Enter the same SIC Activation Key as the one you entered in the Check Point Configuration Tool.
  - Click Initialize to create a state of trust between the Endpoint Security Management Servers.
  - If trust creation fails, click Test SIC Status to see troubleshooting instructions.
  - If you have to reset the SIC, click Reset, reset the SIC on the Remote Help server, then click Initialize.
  - Click Next.
- Install Database on all servers.
Managing Web Remote Help Accounts
You can do these web Remote Help account management actions:
- Add a web Remote Help account
- Disable a Remote Help account
- Delete a web Remote Help account
- Edit a web Remote Help account
- Search for an existing web Remote Help account

To add a web Remote Help account:
- In SmartEndpoint, go to Manage > Web Remote Help Accounts.
  The Web Remote Help Accounts window opens.
- Click New.
  The Web Remote Help Account wizard opens.
- Select a User type:
  - Existing User/Group - AD user or group
  - Local User - Check Point user
- Click Next.
- Configure login credentials. The credentials depend on the user type and authentication method:
  Existing user with AD authentication:
  - In the User/Group Name field, select the user from the drop-down list, or browse the Active Directory (AD) tree to select a user. Alternatively, enter the name of the user from the AD (auto-complete field).
  - In Authentication credentials, select Active Directory credentials.
  Existing user with Token authentication:
  - In the User/Group Name field, select the user from the drop-down list, or browse the AD tree to select a user. Alternatively, enter the name of the user from the AD (auto-complete field).
  - In Authentication credentials, select Token.
  - Click Select.
  - Select a token.
  - Click OK.
  Existing User with RADIUS or TACACS+ Authentication:
  - In the User/Group Name field, select the user from the drop-down list, or browse the AD tree to select a user. Alternatively, enter the name of the user from the AD (auto-complete field).
  - In Authentication credentials, select Authentication Server.
  - Click Select.
  - In the Authentication Servers window, click Add.
  - In the Create New Authentication Server window, enter the Server Name. It can be any name.
  - Enter the IPv4 Address or IPv6 Address of the RADIUS or TACACS+ server. If the IPv4 or IPv6 address is not known or is dynamic, enter the Domain Name (for example radius.example.com).
  - Select the Authentication Type: either RADIUS or TACACS+.
  - Enter the Port number. If not specified, the default port is used.
    - RADIUS: By default, the Endpoint Security Management Server listens for RADIUS traffic on UDP port 1812. This is the standard port for RADIUS authentication, as defined by the IETF in RFCs 2865 and 2866. However, by default, many access servers use port 1645 for authentication requests.
    - TACACS+: By default, the Endpoint Security Management Server listens for TACACS traffic on TCP port 49. TACACS is defined in RFC 1492, and uses either TCP or UDP port 49 by default.
  - In the Secret Key field, enter the secret key.
  - Click OK.
  Local user with fixed password authentication:
  - In the Logon Name field, enter the login name of a user.
  - In Authentication credentials, enter a Password.
  Local user with Token authentication:
  - In the Logon Name field, enter the login name of a user.
  - In Authentication credentials, select Token.
  - Click Select.
  - Select a token.
  - Click OK.
  AD Group/OU with AD Authentication:
  - In the User/Group Name field, select the group from the drop-down list, or browse the AD tree to select a group. Alternatively, enter the name of a group from the AD (auto-complete field).
  - In Authentication credentials, select Active Directory credentials.
  Note - Token authentication is not supported for AD Group/OU.
- Click Next.
- Set the expiration date (optional):
  - Select Expiration.
  - Select a Start Date.
  - Select an Expiration Date.
- Set the location, if necessary:
  - In the Account Details section, click Add.
  - Enter a location or select one from the list.
- Click Finish.

To disable a web Remote Help account:
Select Disable remote help account. When you create a new account, it is enabled by default.

To edit a web Remote Help account:
- In SmartEndpoint, go to Manage > Web Remote Help Accounts.
  The Web Remote Help Accounts window opens.
- Select an existing account from the list.
- Click Edit.
  The Edit Account window opens.
- Change the configuration as necessary.
  Note - You cannot change the User Name of an existing account.

To delete a web Remote Help account:
- In SmartEndpoint, go to Manage > Web Remote Help Accounts.
  The Web Remote Help Accounts window opens.
- Select an existing account from the list.
- Click Delete.
- Click OK.

To search for an existing web Remote Help account:
- In SmartEndpoint, go to Manage > Web Remote Help Accounts.
  The Web Remote Help Accounts window opens.
- In the search box, enter the name of an account.
  A list of results shows.
Configuring SSL Support for AD Authentication
To use Remote Help with AD password, it is necessary for the Remote Help server to connect to the domain controller with SSL.
To configure SSL Support:
- Get an SSL certificate from your Domain Controller.
- Import the SSL certificate to the Endpoint Security Management Server. See sk84620 for how to install the Domain Controller certificate on the Remote Help server.
- Run this CLI command on the Endpoint Security Management Server to activate the SSL connection:
  $UEPMDIR/system/install/wrhAuthConfig
Note - Web Remote Help works with LDAPS or LDAP authentication only. Mixed mode is not supported.
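One way to vet the Domain Controller certificate before you import it, as an added example that is not part of the Check Point guide. It assumes a host with the openssl command-line tool and a Domain Controller that serves LDAPS on TCP 636; dc01.example.com and dc.pem are placeholders.

```shell
#!/bin/sh
# Added example: vet a Domain Controller's LDAPS certificate before import.
# dc01.example.com and dc.pem are placeholders, not values from the guide.

# fetch_dc_cert HOST OUTFILE
# Save the leaf certificate that HOST presents on LDAPS (TCP 636) as PEM.
fetch_dc_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# check_dc_cert PEMFILE HOST [MIN_DAYS]
# Returns 0 only if PEMFILE parses as a certificate, names HOST, and stays
# valid for at least MIN_DAYS more days (default 30).
# Returns 2 (unreadable), 3 (name mismatch) or 4 (expiring) otherwise.
check_dc_cert() {
    pem=$1; host=$2; min_days=${3:-30}
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "not a readable PEM certificate: $pem" >&2; return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "certificate does not name $host" >&2; return 3
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2; return 4
    fi
    # Print the details to compare out of band with the Domain Controller admin.
    openssl x509 -in "$pem" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Usage: sh check_dc_cert.sh dc01.example.com
if [ "$#" -ge 1 ]; then
    fetch_dc_cert "$1" dc.pem && check_dc_cert dc.pem "$1"
fi
```

Compare the printed SHA-256 fingerprint with the one shown on the Domain Controller itself before importing the file, because a certificate fetched over the network is only as trustworthy as the path it was fetched over.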