Client and Gateway Communication

In an environment with UserCheck Clients, the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. acts as a server for the clients. Each client must be able to discover the server and create trust with it.

To create trust, the client makes sure that the server is the correct one. It compares the server fingerprint calculated during the SSL handshake with the expected fingerprint. If the server does not have the expected fingerprint, the client asks the user to manually confirm that the server is correct.

Here is a list of the methods that you can use for clients to discover and trust the server.

Option Comparison

1. File name based server configuration

   If no other method is configured (default, out-of-the-box situation), all UserCheck Clients downloaded from the portal are renamed to have the portal machine IP address in the filename. During installation, the client uses this IP address to connect to the Security Gateway. Note that the user has to click Trust to manually trust the server.

   Explanation

   This option is the easiest to configure, and works out-of-the-box. It tells users to manually click Trust to trust the server the first time they connect. You can use this option if your configuration has only one Security Gateway with the relevant Software Blades.

   How does it work?

   When a user downloads the UserCheck Client, the address of the Security Gateway is inserted in the filename. During installation, the client finds if there is a different discovery method configured (AD based, DNS based, or local registry). If no method is configured, and the Security Gateway can be reached, it is used as the server. In the UserCheck Settings window, you can see that the server you connect to is the same as the Security Gateway in the UserCheck Client filename.

   Users must manually make sure that the trust data is valid, because the filename can be easily changed.

   Renaming the MSI

   You can manually change the name of the MSI file before it is installed on a computer.

   This connects the UserCheck Client to a different Security Gateway.

   1. Make sure the Security Gateway has a DNS name.

   2. Rename the MSI using this format:

      UserCheck_~GWname.msi

      Where GWname - is the DNS name of the Security Gateway.

      Optional format:

      UserCheck_~GWname-port.msi

      Where port is the port number of notifications.

      For example:

      UserCheck_~mygw-18300.msi

   Notes: The prefix does not have to be "UserCheck". The important part of the format is underscore tilde (_~), which indicates that the next string is the DNS of the Security Gateway. If you want to add the port number for the notifications to the client from the Security Gateway, the hyphen (-) indicates that the next string is the port number.

2. Active Directory Based Configuration

   If client computers are members of an Active Directory domain, you can configure the server addresses and trust data using a dedicated tool.

   Explanation

   If your client computers are members of an Active Directory domain and you have administrative access to this domain, you can use the Distributed Configuration tool to configure connectivity and trust rules.

   The Distributed Configuration tool has three windows:

   • Welcome - Describes the tool and lets you enter different credentials that are used to access the AD.

   • Server configuration - Configure which Security Gateway the client connects to, based on its location.

   • Trusted Security Gateways - View and change the list of fingerprints that the Security Gateways consider secure.

   To enable Active Directory based configuration for clients:

   1. Download and install the UserCheck Client MSI on a computer.

      From the command line on that computer, run the client configuration tool with the AD utility.

      For example, on a Windows 7 computer:

      "C:\Users\%USERNAME%\Local Settings\Application Data\Checkpoint\UserCheck\UserCheck.exe" -adtool

      The Check Point UserCheck - Distributed Configuration tool opens.

   2. In the Welcome page, enter the credentials of an AD administrator.

      By default, your AD username is shown. If you do not have administrator permissions, click Change user and enter administrator credentials.

   3. In the Server Configuration page, click Add.

      The Identity Server Configuration window opens.

   4. Select Default and then click Add.

   5. Enter the IP address or Fully Qualified Domain Name (FQDN) and the port of the Security Gateway.

   6. Click OK.

      The identity of the AD Server for the UserCheck Client is written in the Active Directory and given to all clients.

   Note - The entire configuration is written under a hive named Check Point under the Program Data branch in the AD database that is added in the first run of the tool. Adding this hive does not affect other AD based applications or features.

   Server Configuration Rules

   If you use the Distributed Configuration tool and you configure the client to Automatically discover the server, the client fetches the rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. lists. Each time it must connect to a server, it tries to match itself against a rule, from top to bottom.

   When the tool matches a rule, it uses the servers shown in the rule, according to the priority specified.

   The configuration in this example means:

   1. If the user is coming from '192.168.0.1 - 192.168.0.255', then try to connect to US-GW1.

      If it is not available, try BAK-GS2 (it is only used if US-GW1 is not available, as its priority is higher).

   2. If the user is connected from the Active Directory site 'UK-SITE', connect either to UK-GW1 or UK-GW2 (select between them randomly, as they both have the same priority). If both of them are not available, connect to BAK-GS2.

   3. If rules 1 and 2 do not apply, connect to BAK-GS2 (the default rule is always matched when it is encountered).

   Use the Add, Edit and Remove buttons to change the server connectivity rules.

   Trusted Gateways

   The Trusted Gateways window shows the list of servers that are trusted - no messages open when users connect to them.

   You can add, edit or delete a server. If you have connectivity to the server, you can get the name and fingerprint. Enter its IP address and click Fetch Fingerprint in the Server Trust Configuration window. If you do not have connectivity to the server, enter the same name and fingerprint that is shown when you connect to that server.

3. DNS SRV Record Based Server Discovery

   Configure the server addresses in the DNS server. Note that the user has to click Trust to manually trust the server.

   Explanation

   If you configure the client to Automatic Discovery (the default), it looks for a server by issuing a DNS SRV query for the address of the Security Gateway (the DNS suffix is added automatically). You can configure the address in your DNS server.

   To configure DNS based configuration on the DNS server:

   1. Go to Start > All Programs > Administrative Tools > DNS.

   2. Go to Forward lookup zones and select the applicable domain.

   3. Go to the _tcp subdomain.

   4. Right-click and select Other new record.

   5. Select Service Location, Create Record.

   6. In the Service field, enter CHECKPOINT_DLP.

   7. Set the Port number to 443.

   8. In Host offering this server, enter the IP address of the Security Gateway.

   9. Click OK.

   To configure Load Sharing for the Security Gateway, create multiple SRV records with the same priority.

   To configure High Availability, create multiple SRV records with different priorities.

   Note - If you configure AD based and DNS based configuration, the results are combined according to the specified priority (from the lowest to highest).

   Troubleshooting DNS Based Configuration

   To troubleshoot issues in DNS based configuration, you can see the SRV records that are stored on the DNS server.

   To see SRV records on the DNS server:

   Run:

   C:\> nslookup  > set type=srv  > checkpoint_dlp._tcp

   Example result:

   C:\> nslookup  > set type=srv  > checkpoint_dlp._tcp Server: dns.company.com Address: 192.168.0.17 checkpoint_dlp._tcp.ad.company.com SRV service location:           priority = 0           weight = 0           port = 443           svr hostname = dlpserver.company.com dlpserver.company.com internet address = 192.168.1.212 >

Remote Registry

All of the client configuration, including the server addresses and trust data reside in the registry. You can configure the values before installing the client (by GPO, or any other system that lets you control the registry remotely). This lets you use the configuration when the client is first installed.

Explanation

If you have a way to configure registry entries to your client computers, for example, Active Directory or GPO updates, you can configure the Security Gateway addresses and trust parameters before you install the clients. Clients can then use the configured settings immediately after installation.

To configure the remote registry option:

1. Install the client on one of your computers. The agent installs itself in the user directory, and saves its configuration to HKEY_CURRENT_USER.

2. Connect manually to all of the servers that are configured, verify their fingerprints, and click Trust on the fingerprint verification dialog box.

3. Configure the client to manually connect to the requested servers (use the Settings window).

4. Export these registry keys:

   1. The entire tree:

      HKEY_CURRENT_USER\SOFTWARE\CheckPoint\UserCheck\Trusted Gateways

   2. The branch:

      HKEY_CURRENT_USER\SOFTWARE\CheckPoint\UserCheck\

      1. The key:

         Default Gateway

      2. The key:

         DefaultGatewayEnabled

5. Import the exported keys to the endpoint computers before you install the UserCheck Client.