Configuring UserCheck

Enable or disable UserCheck directly on the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. If users connect to the Security Gateway remotely, set the internal interface of the Security Gateway (on the Topology page) to be the same as the Main URL for the UserCheck Portal.

Step

Instructions

1

Go to the gateway editor, > UserCheck, and select Enable UserCheck for active blades.

2

In the UserCheck Web Portal section:

The Main URL field shows the primary URL for the web portal that shows the UserCheck notifications.

You can use the suggested Main URL or manually enter a different Main URL.

Note - The Main URL field contains an IP address and not a DNS name. Update the Main URL field If you change a Security Gateway's IPv4 address to IPv6 address, or the other way around, .

3

Optional:

Click Aliases to add URL aliases that redirect different hostnames to the Main URL. For example: Usercheck.mycompany.com

The aliases must be resolved to the portal IP address on the corporate DNS server.

4

In the Certificate section, click Import to import a certificate that the portal uses to authenticate to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICAClosed Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication.). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.

Note - After you download your certificate, you can click Replace to replace it with a different certificate, and click View to see the certificate information.

5

In the Accessibility section, click Edit to configure interfaces on the Security Gateway through which the portal can be accessed. These options are based on the topology configured for the Security Gateway. The topology must be configured.

If the Main URL is set to an external interface, you must set the Accessibility option to one of these:

6

UserCheck Client - The UserCheck Client is installed on Endpoint devices to communicate with the Security Gateway and show UserCheck Interaction notifications to users.

  • Activate UserCheck Client support - This enables UserCheck through the client.

  • Click Download Client to download the installation file for the UserCheck Client.

    Note - The link is not active until the UserCheck Portal is up.

For more information about installation and configuration of the UserCheck Client, see .

7

In the Mail Server section, configure a mail server for UserCheck. This server sends notifications to users that the Security Gateway cannot notify using other means, if the server knows the email address of the user. For example, if a user sends an email which matched on a rule, the Security Gateway cannot redirect the user to the UserCheck Portal because the traffic is not HTTP.

  • Use the default settings - Click the link to see which mail server is configured.

  • Use specific settings for this gateway - Select this option to override the default mail server settings.

  • Send emails using this mail server - Select a mail server from the list, or click New and define a new mail server.

8

Click OK.

9

If there is encrypted traffic through an internal interface, add a new rule to the Firewall Layer of the Access Control Policy.

Source

Destination

VPN

Services & Applications

Action

Any

Security Gateway on which UserCheck Client is enabled

Any

UserCheck

Accept

10

Install the Access Control Policy.

UserCheck CLI

See the R81 CLI Reference Guide - Chapter Security Gateway Commands - Section usrchk.