31 January 2012 Administration Guide Endpoint Security webRH 3.0 HFA 3 Classification: [Protected]


© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13662

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date Description

31 January 2012 Added Unlocking an Account (on page 25)

18 January 2012 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Endpoint Security webRH 3.0 HFA 3 Administration Guide).


Contents

Important Information

Introduction to Endpoint Security webRH
  The Concept of Remote Help
    The Challenge of Encryption
    The webRH Solution
  Helpdesk Structure
  End-User Products with webRH Function
  Related Documentation

Managing Endpoint Security webRH
  Endpoint Security webRH and Organizational Units
  User Types
  Primary Administration Tasks
  Logging in to Endpoint Security webRH
  Working with Organizational Units (OUs)
    Creating OUs
    Viewing OU Properties
    Deleting OUs
  Managing Authentication Tokens
    Importing Tokens
    Creating New Tokens
    Deleting Tokens
  Creating Accounts
    Creating Active Directory Accounts
    Creating Local Endpoint Security webRH Accounts
    Creating Token User Accounts
  Managing User Accounts
    Editing User Accounts
    Deleting User Accounts
    Activating an Account
    Unlocking an Account
  Configuring Endpoint Security webRH Settings
  Managing Licenses
    Obtaining Check Point Licenses
    Viewing Imported Licenses
    Importing License Files
    Replacing an Old License
  Changing Your Password

Working with Profiles
  Introduction to Profiles
  Creating and Deploying webRH Profiles
    General Instructions for Creating webRH Profiles
    Downloading webRH Profiles
    Pointsec PC Module Profiles
    Pointsec PC 6 Module Profiles
    Pointsec Protector Module Profiles
    Pointsec Media Encryption Module Profiles
    Pointsec Mobile Module Profiles

Remote Help
  Verifying User Identities
  Providing Remote Help
    Pointsec PC Module Remote Help
    Pointsec PC 6 Module Remote Help
    Pointsec Protector Module Remote Help
    Pointsec Media Encryption Module Remote Help
  Removing Pointsec Mobile from Devices

Log Files in webRH
  Introduction
  Viewing the Logs
  Exporting Logs to Files
  Deleting Logs
  Configuring Logs

Token Information
  About Dynamic Tokens
  Supported Token File Formats
  Format Requirements for .csv Token Files
    Format Specification
    Examples

Index


Endpoint Security webRH Administration Guide 3.0 HFA 3 | 6

Chapter 1

Introduction to Endpoint Security webRH

In This Chapter

The Concept of Remote Help

Helpdesk Structure

End-User Products with webRH Function

Related Documentation

The Concept of Remote Help

In the encryption solutions managed by Endpoint Security webRH, users are granted access to their computers or other media devices using passwords or dynamic tokens.

The Challenge of Encryption

Encrypting the data in your organization provides a necessary layer of security and protection. The challenge of data encryption is that users can forget passwords or be unable to find their dynamic tokens. When that happens, users cannot access the encrypted data on their computer or media device.

The webRH Solution

Endpoint Security webRH is the answer to the challenge of locked devices with encrypted data. Administrators and helpdesk staff can use webRH to remotely grant access to encrypted computers or media devices. To use the webRH solution, install two components: the webRH profile on the client and the webRH software on the server.

You must deploy the Endpoint Security webRH profile on a device before you can supply Remote Help for it. If a device is locked before this profile is deployed, you cannot supply Remote Help to that user with webRH. For example, when users in that situation cannot log in to their devices because they forgot or cannot use their Full Disk Encryption credentials, you must use the Full Disk Encryption management console to supply Remote Help; you cannot use Endpoint Security webRH to unlock the devices.

webRH Workflow

1. The helpdesk staff verifies the identity of the user.

2. The user supplies the user name and the webRH challenge.

3. webRH generates a response for the user.

4. The user enters the webRH response and the device is unlocked.

Helpdesk Structure

Endpoint Security webRH uses a hierarchical management structure for Remote Help helpdesk staff. Administrators can use the webRH Organizational Units (OUs) to group helpdesk staff members together. The OUs can then be added to the profiles to let all members of that OU supply Remote Help to users. You can change the OU membership to reorganize the helpdesk staff.


If necessary, Endpoint Security webRH lets you create localized helpdesk groups. These groups can be configured to only supply support to their location. Higher level groups can supply regional support that covers multiple physical locations.

End-User Products with webRH Function

Endpoint Security webRH can be used to supply Remote Help for a number of Check Point products. To supply Remote Help, it is necessary to install the Endpoint Security webRH framework and the relevant Endpoint Security webRH modules.

Table 1-1 webRH Modules for each end-user product

To supply Remote Help for this product ...            Use this Endpoint Security webRH module:

Pointsec PC 6.x and 7                                 Pointsec PC Module
Full Disk Encryption for Windows
Full Disk Encryption for Mac (version 3.1 or later)

Endpoint Security Media Encryption                    Pointsec Protector Module
Pointsec Protector
Disknet Pro

Pointsec Media Encryption                             Pointsec Media Encryption Module
File Encryption

Note - All the products using the Pointsec Protector module are different versions of the same product. The current name is Endpoint Security Media Encryption.

Related Documentation

For the hardware and system requirements and the latest information on the Endpoint Security webRH framework, see the Endpoint Security webRH 3.0 HFA 3 Release Notes.

For information on how to install Endpoint Security webRH, see the Endpoint Security webRH 3.0 Installation Guide.


Chapter 2

Managing Endpoint Security webRH

In This Chapter

Endpoint Security webRH and Organizational Units

User Types

Primary Administration Tasks

Logging in to Endpoint Security webRH

Working with Organizational Units (OUs)

Managing Authentication Tokens

Creating Accounts

Managing User Accounts

Configuring Endpoint Security webRH Settings

Managing Licenses

Changing Your Password

Endpoint Security webRH and Organizational Units

To create a hierarchical framework, Endpoint Security webRH uses the concept of Organizational Units (OUs). In Endpoint Security webRH, use the OUs to create groups of helpdesk staff in an organizational hierarchy.

These are the OU levels and their hierarchy.

Global (top level)

Regional

Local (lowest level)

User Types

There are three types of user accounts for managing other accounts and supplying Remote Help:

Type of user / Description

Administrators
    Administrators can create, edit and delete other accounts. They can also provide Remote Help to users of protected devices in their OU and all subordinate OUs.

    Initial administrators, who must be added during installation, by default have permission to provide Remote Help to all users in the organization, and to manage all administrator and helpdesk accounts.

    The initial administrator accounts can be edited by all global (top-level) administrators added later.

Helpdesk
    Helpdesk users are associated with an OU and can provide Remote Help to all users of protected devices in that OU and all subordinate OUs.

    Helpdesk users cannot manage user accounts.

Self-help
    Self-help users are used only if the self-help API is used. Ask your Check Point representative for more information.

    Only Local Endpoint Security webRH and Token User accounts can be designated as Self-help users.

Primary Administration Tasks

The primary Endpoint Security webRH administration tasks are as follows:

Managing organizational unit (OU) groups

Adding/deleting tokens for helpdesk staff and administrators

Managing helpdesk staff and administrators

Creating and deploying Endpoint Security webRH profiles to protected devices

Reviewing and exporting log files.

Logging in to Endpoint Security webRH

Only users with Administrator and Helpdesk privileges can log in to the Endpoint Security webRH web portal. Self-help users cannot use the web portal.

To log in and be authenticated:

1. Start your browser and go to Endpoint Security webRH, for example: http://localhost/webRH/login/index.asp

2. Enter your user name and password.

If the user login method is an untrusted domain controller, you must use this format for the user name:

username@domain controller (domain.com).

3. Select the domain for the user.

4. Click Log in.

The Welcome window opens.

Working with Organizational Units (OUs)

There are three different levels of OUs: global, regional and local. You can manage regional and local OUs directly. Regional OUs correspond to the second level while local OUs are the lowest level.

Whenever an OU is created, it must be assigned to a parent OU; for example, a regional OU would be assigned to the global OU (chosen during installation), and a local OU would be assigned to a regional OU.

Once created, an OU’s properties cannot be edited - it can only be removed. This establishes the hierarchy in Endpoint Security webRH.


Creating OUs

To create an OU:

1. In the left-hand menu, click Organizational Units. The ADMINISTRATION - Organizational Units web page opens:

2. To create an OU, click Create.

The following page opens:

3. Enter the OU name and select its hierarchy level: regional or local. The first OU that you enter must be a regional OU. Click Next.


The following web page opens:

4. Here you select the parent OU. If the group is regional, only the organization’s top OU will be available. For a local group, all regional level OUs will be available. Click Save to create this OU.

The following dialog box opens:

5. Click OK. Repeat these steps to create all OUs that are needed in your organization.

Viewing OU Properties

Viewing an OU allows you to see its properties, including members in the OU and all child OUs.

To view an OU:

1. On the ADMINISTRATION - Organizational Units web page, click View. The following web page opens:

2. Click an OU to view its properties.


The OU’s properties are displayed, for example:

The following table explains the OU properties:

Property / Explanation

Name
    Name given to OU when it was created.

OU Level
    Type of OU: Global, Regional or Local.

Parent OU
    OU immediately above the current one.

Accounts in the OU
    Lists all accounts that are members of this OU. Accounts listed here will be able to provide Remote Help for any device in this OU or child OU.

    Clicking on the Edit link will open the Edit User page ("Managing User Accounts" on page 23).

Deleting OUs

Be careful when deleting an OU. All child OUs and accounts in and under the OU will also be deleted. Move any helpdesk accounts you want to keep to another OU before you delete the current OU.

It is not possible to delete the Global OU.


To delete an OU:

1. On the ADMINISTRATION - Organizational Units web page, click Delete. The following web page opens, displaying all OUs:

2. Click on the name of the OU you want to delete. The following dialog box opens:

3. Click OK to remove the OU.
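
The OU rules described above (a regional OU needs the global parent, a local OU needs a regional parent, Remote Help scope covers an OU and all subordinate OUs, and deleting an OU removes everything under it) can be modeled to preview a deletion before you confirm it. This is an added example, not Check Point code; the class and function names and the sample OUs and accounts are constructed for illustration.

```python
from dataclasses import dataclass, field

# Parent level that each creatable OU level requires.
# The global OU is chosen during installation and is never created here.
REQUIRED_PARENT = {"regional": "global", "local": "regional"}


@dataclass(eq=False)
class OU:
    name: str
    level: str
    parent: "OU | None" = None
    children: list = field(default_factory=list)
    accounts: list = field(default_factory=list)  # account names in this OU


class Hierarchy:
    """Hypothetical in-memory model of the webRH OU tree (keys OUs by name)."""

    def __init__(self, global_name):
        self.ous = {global_name: OU(global_name, "global")}

    def create(self, name, level, parent_name):
        if level not in REQUIRED_PARENT:
            raise ValueError("only regional and local OUs can be created")
        if name in self.ous:
            raise ValueError(f"OU {name!r} already exists in this model")
        parent = self.ous[parent_name]
        if parent.level != REQUIRED_PARENT[level]:
            raise ValueError(
                f"a {level} OU must have a {REQUIRED_PARENT[level]} parent")
        ou = OU(name, level, parent)
        parent.children.append(ou)
        self.ous[name] = ou
        return ou

    def subtree(self, name):
        """Return the OU itself plus every subordinate OU, depth first."""
        stack, found = [self.ous[name]], []
        while stack:
            ou = stack.pop()
            found.append(ou)
            stack.extend(reversed(ou.children))
        return found

    def can_help(self, account_ou, device_ou):
        """Remote Help scope: the account's own OU and all subordinate OUs."""
        return device_ou in {ou.name for ou in self.subtree(account_ou)}

    def delete_preview(self, name):
        """List the OUs and accounts a delete would remove, without deleting."""
        if self.ous[name].level == "global":
            raise ValueError("the Global OU cannot be deleted")
        doomed = self.subtree(name)
        accounts = sorted(a for ou in doomed for a in ou.accounts)
        return [ou.name for ou in doomed], accounts

    def delete(self, name):
        """Cascade delete: the OU, its child OUs and all accounts under it."""
        removed_ous, removed_accounts = self.delete_preview(name)
        target = self.ous[name]
        target.parent.children.remove(target)
        for ou_name in removed_ous:
            del self.ous[ou_name]
        return removed_ous, removed_accounts


def sample_hierarchy():
    """Constructed sample data: one global OU, two regions, two local OUs."""
    h = Hierarchy("Corp")
    h.create("EMEA", "regional", "Corp")
    h.create("APAC", "regional", "Corp")
    h.create("Stockholm", "local", "EMEA")
    h.create("London", "local", "EMEA")
    h.ous["Corp"].accounts.append("global_admin")
    h.ous["EMEA"].accounts.append("emea_helpdesk")
    h.ous["Stockholm"].accounts.append("sto_helpdesk")
    return h


if __name__ == "__main__":
    h = sample_hierarchy()
    print("EMEA helpdesk can help Stockholm:", h.can_help("EMEA", "Stockholm"))
    print("Stockholm helpdesk can help London:", h.can_help("Stockholm", "London"))
    ous, accounts = h.delete_preview("EMEA")
    print("Deleting EMEA would remove OUs:", ous)
    print("Accounts to move first if they must be kept:", accounts)
```

Run the preview against an inventory of your own OUs to decide which helpdesk accounts to move before you delete an OU.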

Managing Authentication Tokens

You can configure the helpdesk or administrator accounts to use dynamic tokens instead of passwords to log in to Endpoint Security webRH.

Note - This guide uses the Check Point X9.9 token generator.

1. Create or import the dynamic tokens into the Endpoint Security webRH database.

2. Assign the dynamic tokens to the applicable users.

3. The users log in to Endpoint Security webRH using the token challenge and response.

To view the tokens in Endpoint Security webRH:

1. In the navigation menu, click Tokens.

The Administration - Tokens window opens.

2. Click View.

The Tokens - View window opens.

Click Cancel to close the window.

Importing Tokens

Use the Tokens - Import window to import a file with dynamic tokens to Endpoint Security webRH.

To import token information:

1. In the navigation menu, click Tokens.

The Administration - Tokens window opens.

2. Click Import.

The Tokens - Import window opens.


3. Click Browse.

Windows Explorer opens.

4. Select the file with the dynamic tokens and click Open.

5. Enter the password for the file and click Next.

A confirmation window opens.

6. Click OK to continue.

The Tokens Import window opens and shows the import results.

Creating New Tokens

Use the Tokens - Create window to create new dynamic tokens for Endpoint Security webRH users. Create new tokens for a token program that lets you enter the token key.

After creating a token, make sure that the challenge and response work correctly. See Testing Tokens (on page 15).

Note - If you use the Check Point X9.9 Token program, do not create tokens in Endpoint Security webRH. Create the tokens in X9.9 and then import them to Endpoint Security webRH. See Importing Tokens (on page 13).

To create token entries in Endpoint Security webRH:

1. In the navigation menu, click Tokens.

The Administration - Tokens window opens.

2. Click Create.

The Tokens - Create window opens.

3. Configure these settings for the new dynamic token.

a) In Serial number, enter the name or number that identifies this token.

b) In Token key, enter the key sequence for this dynamic token.

c) In Token encryption method, select DES or 3DES.

DES - Key length 14 characters

3DES - Key length 42 characters

4. Configure the challenge and response settings for the dynamic token.

a) In Challenge type, select ASCII or Hexadecimal.

b) In Challenge length, select the number of characters that Endpoint Security webRH generates for the token challenge.

c) In Response type, select Decimal or Friendly.


d) In Response length, select the number of characters that the token generates for the response to log in to Endpoint Security webRH.

5. Click Save.

The dynamic token is added to Endpoint Security webRH.

Testing Tokens

After you create a new dynamic token, test the challenge and response for the token. Make sure that a user can log in to Endpoint Security webRH with this token.

To make sure that a dynamic token works:

1. From the Tokens - Create window, click Test Token.

The Token Test window opens.

2. Copy the Challenge string to the token program.

The token program generates a response.

3. In Response, enter the challenge string.

4. Click Test Token.

The Result is shown.

Result OK - The token works correctly.

Result failed - The token does not work. Confirm that the settings and parameters for the token are correct.

Deleting Tokens

Use the Tokens - Delete window to delete tokens from Endpoint Security webRH. Only administrators with Global permissions are able to delete tokens. You cannot delete a token that is assigned to a user.

To delete a token entry:

1. On the ADMINISTRATION - Tokens web page, click Delete. The following web page opens:

2. All token entries are listed. Click Delete to remove a token entry.

The following dialog box opens:


3. Click OK to remove the token information from Endpoint Security webRH.

Creating Accounts

All Endpoint Security webRH users are assigned to an OU in the Endpoint Security webRH database. Users can supply Remote Help to all devices in their OU and all subordinate OUs. A user with Administrator privileges can manage all accounts in their OU and subordinate OUs.

You can enter the email address for all Endpoint Security webRH users. This email address is only used as general information. Endpoint Security webRH does not send emails to the users.

For more information about the privileges for the Endpoint Security webRH users, see User Types (on page 8).

Creating Active Directory Accounts

Use the Accounts window to create Endpoint Security webRH user accounts for users in the Active Directory database. These users log in to Endpoint Security webRH with their Active Directory user names and passwords.

Note - For Endpoint Security webRH on a Windows 2003 server, make sure that SP2 or later is installed.

You can search the Active Directory for a user or group name. The Active Directory search is limited to users and groups in the local domain of the COM+ users that were configured during the installation process.

User Accounts

Use the Active Directory account option to add a user from the Active Directory to the Endpoint Security webRH database. See Using Advanced LDAP Search ("Using Advanced Search" on page 19) for more information about searching the Active Directory.

To create an Endpoint Security webRH user account for an Active Directory user:

1. In the navigation menu, click Accounts.

The Administration - Accounts window opens.

2. Click Create.


The Accounts - Create window opens.

3. Configure these parameters for the new user account.

a) In User type, select the privileges for the user.

b) In Login method, select Active Directory account.

c) In Object type, select User.

4. Enter the Active Directory user name.

In User name, enter the Active Directory user name and domain. For example, [email protected].

Search for the user name in the Active Directory.

(i) In User name, enter the Active Directory search string.

(ii) Click Search.

The AD search result window opens.

(iii) Select the user and click Close.

User name shows the Active Directory user name.

5. Optional: Configure these account settings.

a) In Organizational Unit, select the OU assigned to this user.

b) In E-mail, enter the email address of the user.

c) Click Show Calendar, to change the dates when this account is active.

6. In the Available Remote Help Module section, select the modules for which the user can supply remote help.

7. Click Save.

A confirmation message opens.

8. Click OK.


Group Accounts

Use the Active Directory account option to add an Active Directory group to the Endpoint Security webRH database. All users in the group can access the Endpoint Security webRH web portal. In addition, new Active Directory users that belong to this group can log in to the Endpoint Security webRH.

See Using Advanced LDAP Search ("Using Advanced Search" on page 19) for more information about searching the Active Directory.

To create an Endpoint Security webRH account for an Active Directory group:

1. In the navigation menu, click Accounts.

The Administration - Accounts window opens.

2. Click Create.

3. The Accounts - Create window opens.

4. Configure these parameters for the new user account.

a) In User type, select the privileges for the group.

b) In Login method, select Active Directory account.

c) In Object type, select Group.

5. Enter the Active Directory group name.

In Group name, enter the Active Directory group name and domain. For example, domain\group.

Search for the group name in the Active Directory.

(i) In Group name, enter the Active Directory search string.

(ii) Click Search.

The AD search result window opens.

(iii) Select the group and click Close.

Group name shows the Active Directory group name.

6. Optional: Configure these account settings.

a) In Organizational Unit, select the OU assigned to this group.

b) In E-mail, enter the email address of the group.

c) Click Show Calendar, to change the dates when this group is active.


7. In the Available Remote Help Module section, select the modules for which the group can supply remote help.

8. Click Save.

A confirmation message opens.

9. Click OK.

Using Advanced Search

Use the Search base feature to limit the Active Directory search parameters. You can also use the regular search feature to refine the LDAP search string.

To search within a specific LDAP OU:

1. From the Accounts Create window, select Search Base.

The LDAP:// search field opens.

2. In LDAP://, enter the LDAP search string.

For example, use this format for the search string to search within the OU ou_name:

ou=ou_name,dc=domain

Sample search string for the OU ou_name in the domain security.company.com:

ou=ou_name,dc=security,dc=company,dc=com

3. Click Search.

The AD search results window opens and shows the users or groups that match the search parameters.
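
The search base format described above, as an added Python example (not Check Point code): it builds the string from an OU path and a DNS domain, escapes characters that are special in a distinguished name, and checks whether a directory entry falls under the base. The function names and the sample OU and group names are assumptions made for illustration.

```python
# Added example: build and check an LDAP search base of the form
# ou=ou_name,dc=security,dc=company,dc=com. All names are illustrative.

# Characters RFC 4514 requires to be escaped inside an RDN value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value):
    """Escape one RDN value so it cannot change the structure of the DN."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_search_base(ou_path, dns_domain):
    """ou_path lists OUs from the innermost outwards; dns_domain is e.g. security.company.com."""
    labels = dns_domain.strip(".").split(".")
    if not all(labels):
        raise ValueError("malformed DNS domain: %r" % dns_domain)
    rdns = ["ou=" + escape_rdn_value(ou) for ou in ou_path]
    rdns += ["dc=" + escape_rdn_value(label) for label in labels]
    return ",".join(rdns)


def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))

    rdns = []
    for part in parts:
        attr, sep, val = part.lstrip().partition("=")
        # Drop unescaped trailing spaces, keep an escaped one ("\ ").
        while val.endswith(" ") and not val.endswith("\\ "):
            val = val[:-1]
        attr = attr.strip().lower()
        if not sep or not attr or not val:
            raise ValueError("malformed RDN: %r" % part)
        # Lower-casing approximates the directory's case-insensitive matching.
        rdns.append(attr + "=" + val.lower())
    return rdns


def is_within_base(entry_dn, search_base):
    """True when entry_dn is the search base itself or sits anywhere below it."""
    entry, base = split_dn(entry_dn), split_dn(search_base)
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    base = build_search_base(["ou_name"], "security.company.com")
    print(base)
    # Constructed entry names, for illustration only.
    for dn in ("CN=Helpdesk Tier1,OU=ou_name,DC=security,DC=company,DC=com",
               "CN=Helpdesk Tier1,OU=other,DC=security,DC=company,DC=com"):
        print(dn, "->", is_within_base(dn, base))
```
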

Adding Accounts from an Untrusted Domain

The Untrusted Domain option lets you add users from an Active Directory in a different forest to the local domain forest. In the DNS server that the Endpoint Security webRH server uses, configure a new stub zone for the untrusted domain.

The domain controller administrator account must have permissions to search the untrusted domain. Before you create a stub zone, make sure that:

• The Endpoint Security webRH server can ping the IP address of the untrusted domain.

• Global Catalog is enabled in the NTDS settings of the local and the untrusted domain.

To create a user account from an untrusted domain:

1. In the navigation menu, click Accounts.

The Administration - Accounts window opens.

2. Click Create.

The Accounts - Create window opens.

3. Enter the login details for the administrator account for the untrusted domain.

a) In DC admin name, enter the administrator account user name.

Use this format for the DC admin name: admin@domain. For example, [email protected].

b) In DC password, enter the administrator account password.

4. Configure the other settings for a user or group account.

• User Accounts (on page 16)

• Group Accounts (on page 18)

Creating Local Endpoint Security webRH Accounts

Use the webRH local account option to create new users that are not part of the Active Directory. These users log in to Endpoint Security webRH using a user name and password that are unique for Endpoint Security webRH.

To create a local Endpoint Security webRH user account:

1. In the navigation menu, click Accounts.

The Administration - Accounts window opens.

2. Click Create.

The Accounts - Create window opens.

3. Configure these settings for the new user account.

a) In User type, select the privileges for the user.

b) In Login method, select webRH local account.

c) In Object type, select User.

4. Enter the User name and Password.

5. Optional: Configure these account settings.

a) To make this user choose a new password, select User must change password at next logon.

b) In Organizational Unit, select the OU assigned to this user.

c) In E-mail, enter the email address of the user.

d) Click Show Calendar to change the dates when this account is active.

6. In the Available Remote Help Module section, select the modules for which the user can supply remote help.

7. Click Save.

A confirmation message opens.

8. Click OK.

Creating Token User Accounts

Use the X9.9 Token option to create new users that use the dynamic token challenge and response to log in to Endpoint Security webRH. Select one of the dynamic tokens in the Endpoint Security webRH database and assign it to the user. For more information about managing dynamic tokens, see Managing Authentication Tokens (on page 13).

To create a dynamic token Endpoint Security webRH user account:

1. In the navigation menu, click Accounts.

The Administration - Accounts window opens.

2. Click Create.

The Accounts - Create window opens.

3. Configure these parameters for the new user account.

a) In User type, select the privileges for the user.

b) In Login method, select X9.9 Token.

c) In User name, enter the user name for this account.

4. In Token, select the dynamic token assigned to this account.

5. Optional: Configure these account settings.

a) In Organizational Unit, select the OU assigned to this user.

b) In E-mail, enter the email address of the user.

c) Click Show Calendar to change the dates when this account is active.

6. In the Available Remote Help Module section, select the modules for which the user can supply remote help.

7. Click Save.

A confirmation message opens.

8. Click OK.

Managing User Accounts

Editing User Accounts

Use the Accounts - Edit window to change the settings for an Endpoint Security webRH user. You cannot edit the username for a user account. To change the username, you must delete the account and create a new one.

If it is necessary to edit a user account to delete a token, make sure that you change the Login method to Active Directory account or webRH local account.

To edit an existing user account:

1. In the navigation menu, click Accounts.

The ADMINISTRATION - Accounts web page opens.

2. Click Edit.

The Accounts - Edit window opens.

3. From the group or user, click Edit.

The user details are displayed.

4. Edit the settings.

5. Click Save.

A confirmation window opens.

6. Click OK.

Deleting User Accounts

Use the Delete window to delete Endpoint Security webRH user accounts. You can delete an account from the Endpoint Security webRH database. You can also make an account inactive and prevent the user from logging in to Endpoint Security webRH.

Note - Deleting a user account does not delete the token entry associated with the account.

To delete a user account:

1. In the navigation menu, click Accounts.

The ADMINISTRATION - Accounts web page opens.

2. Click Delete.

The Delete window opens.

3. For the user account, click Delete.

A confirmation window opens.

4. Click OK.

The account is removed.

To make an account inactive:

1. In the navigation menu, click Accounts.

The ADMINISTRATION - Accounts web page opens.

2. Click Edit.

The Edit window opens.

3. For the user account, click Edit.

The Edit window opens.

4. From Expire date, click Show Calendar.

The calendar opens.

5. Select a date that is earlier than the current date.

Click Close.

6. Click Save.

A confirmation window opens.

7. Click OK.

The account is inactive.

Activating an Account

Use the Edit window to activate an account that is inactive and cannot log in to Endpoint Security webRH.

To activate an account:

1. In the navigation menu, click Accounts.

The ADMINISTRATION - Accounts web page opens.

2. Click Edit.

The Edit window opens.

3. For the user account, click Edit.

The Edit window opens.

4. From Expire date, click Show Calendar.

The calendar opens.

5. Select a date that is after the current date.

Click Close.

6. Click Save.

A confirmation window opens.

7. Click OK.

The account is activated.

Unlocking an Account

Users that fail to enter the correct password multiple times can be locked out of Endpoint Security webRH. Use the Accounts - Edit window to unlock an account and let the user log in to webRH. User accounts that log in to Endpoint Security webRH with Active Directory are never locked out.

Use the webRH Settings window to configure the maximum number of failed login attempts. For more information, see Configuring Endpoint Security webRH Settings (on page 25).

To unlock a user account:

1. In the navigation menu, click Accounts.

The ADMINISTRATION - Accounts web page opens.

2. Click Edit.

The Accounts - Edit window opens.

3. From the locked user, click Edit.

The user details are displayed.

4. Clear the Account is locked setting.

5. Click Save.

A confirmation window opens.

6. Click OK.

Configuring Endpoint Security webRH Settings

Use the webRH Settings window to configure these settings:

• Passwords

• Web portal session length

• Syslog settings

To configure Endpoint Security webRH settings:

1. From the navigation menu, click webRH Settings.

The webRH Settings window opens.

2. Configure the Endpoint Security webRH settings.

3. Click Save.

A confirmation window opens.

4. Click OK.

Table 2-2 webRH settings

Property: Explanation

Minimum Password Length: Minimum number of characters for a password.

Minimum Password Age: Minimum number of days that a password must be used before the user can change it.

Maximum Password Age: Maximum number of days a password can be used until the user must change it.

Password History Length: Number of previously used passwords kept in the history, preventing old passwords from being reused.

Password Complexity: When enabled, new passwords must meet these requirements:

• Passwords must have at least six characters.

• The user name cannot be used as part of the password.

• Passwords must satisfy at least three of these rules:

  • Uppercase letter

  • Lowercase letter

  • Number

  • Special characters (!, @, #, and so on)

Session Timeout: When enabled, the user is logged out from the web portal after the number of inactive Minutes.

Show logout timer: When enabled, the web portal shows how much time remains before the user is logged out.

Minutes: Maximum number of inactive minutes.

Size of images in webRH: Select to use normal or lightweight images in webRH. Lightweight mode displays fewer images.

Account Lockout Threshold: Select the maximum number of failed login attempts for users before they are locked out of webRH. An administrator can unlock an account. To disable the account lockout feature, select Do not lock accounts.

Syslog Logging: When enabled, logs are sent to the Syslog server. Important: On the Syslog server, the administrator must open a UDP/TCP port for external logging.

Protocol: Select the Syslog communication protocol.

Server Address: Enter the IP address for the Syslog server.

Server Port: Enter the UDP/TCP port that is defined on the Syslog server.

Message Prefix: Enter a prefix that is added to the webRH records in Syslog.

Time Zone Offset: Select the time zone offset for the webRH server. The offset value is necessary for webRH servers that are physically located in different time zones.

Error Facility: Select the Syslog error facility.

Notice Facility: Select the Syslog notice facility.
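
The password rules in Table 2-2, as an added Python example rather than webRH's own implementation: it checks a proposed password against minimum length, minimum age, history and the complexity rules. The policy values, the case-insensitive user name comparison, the PBKDF2 history store and the reading of Maximum Password Age as "older than N days" are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date


@dataclass
class PasswordPolicy:
    """Fields mirror Table 2-2; the default values are constructed."""
    min_length: int = 8
    min_age_days: int = 1
    max_age_days: int = 90
    history_length: int = 5
    complexity: bool = True


def hash_password(password, salt=None):
    """Return (salt, digest). The storage scheme is an assumption of this example."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def complexity_violations(username, password):
    """Apply the three Password Complexity requirements from the table."""
    problems = []
    if len(password) < 6:
        problems.append("complexity: fewer than six characters")
    # Assumption: the user name check ignores case.
    if username and username.lower() in password.lower():
        problems.append("complexity: contains the user name")
    classes = [
        any(c.isupper() for c in password),      # uppercase letter
        any(c.islower() for c in password),      # lowercase letter
        any(c.isdigit() for c in password),      # number
        any(not c.isalnum() for c in password),  # special character
    ]
    if sum(classes) < 3:
        problems.append("complexity: fewer than three character classes")
    return problems


def check_new_password(policy, username, new_password, history, last_changed, today):
    """Return the list of policy violations; an empty list means the change is allowed.

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(new_password) < policy.min_length:
        problems.append("length: shorter than Minimum Password Length")
    if (today - last_changed).days < policy.min_age_days:
        problems.append("age: current password is younger than Minimum Password Age")
    if policy.complexity:
        problems.extend(complexity_violations(username, new_password))
    # history[-0:] would return the whole list, so handle a zero length explicitly.
    recent = history[-policy.history_length:] if policy.history_length else []
    for salt, digest in recent:
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            problems.append("history: password was used recently")
            break
    return problems


def must_change(policy, last_changed, today):
    """True when the password is older than Maximum Password Age."""
    return (today - last_changed).days > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy(history_length=2)
    # Constructed history, oldest first.
    history = [hash_password(p) for p in ("Old-Pass1", "Older-Pass2", "Newest-Pass3")]
    for candidate in ("Fresh#Pass9", "Older-Pass2", "jsmith2012", "abcdef"):
        print(candidate, check_new_password(
            policy, "jsmith", candidate, history, date(2012, 1, 1), date(2012, 1, 31)))
```
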

Managing Licenses

To use your new Check Point product, you will need a license. Once you have obtained licenses from Check Point, you can import them into Endpoint Security webRH.

Obtaining Check Point Licenses

For information on how to obtain licenses from Check Point, please see the User Center (http://usercenter.checkpoint.com).

Here you can sign in using your user credentials, or sign up for a user account which you need in order to access information on Check Point products and services.

Once you have signed in, click Getting Started to learn about how to generate licenses and start taking advantage of the other User Center resources.

Viewing Imported Licenses

To view the imported licenses:

1. On the left menu, click Licenses. The following web page opens:

2. Click View. A web page displaying the imported license(s) opens:

Importing License Files

You can import license files to be used with Endpoint Security webRH.

To import a license file:

1. On the left menu, click Licenses. The following web page opens:

2. Click Import. The following web page opens:

3. Select license type:

Table 2-3 Select license type

If you want to use a ...: Do this:

Check Point license file: Select Check Point license file and browse to the file you want to import.

Pointsec legacy license: Select Legacy license and enter the legacy Pointsec serial number.

Click Next.

A new page opens, informing you that the license was successfully imported:

4. To import another file, click Back in the message and repeat step 3. To view imported licenses, click View.

Replacing an Old License

If you want to replace an old license with a new one, simply import the new license ("Importing License Files" on page 27). Your software installation will then continue to function without interruption even when the old license becomes invalid.

You cannot delete licenses; you can only add new ones.

Changing Your Password

If you use a local webRH account (not your AD account) when authenticating to Endpoint Security webRH, you can easily change your password.

Note - If you are an administrator, you can change other users’ passwords by editing their accounts ("Editing User Accounts" on page 23).

To change your password:

1. In the left-hand menu panel, click Change Password.

Note - The Change Password menu item is only available if "webRH local account" is the login method selected for your account.

The change password page opens:

2. Enter the current password.

3. Enter the new password and confirm it. If the password does not comply with the complexity rules, you will be informed of this.

Click Save. Your password has now been changed.

Chapter 3

Working with Profiles

In This Chapter

Introduction to Profiles

Creating and Deploying webRH Profiles

Introduction to Profiles

This chapter explains how to create, configure and download Endpoint Security webRH profiles.

To be able to provide users of encrypted devices with Remote Help using Endpoint Security webRH, you must create and deploy an Endpoint Security webRH profile onto the users’ devices. Depending on the webRH module used, the profile is either deployed:

• directly onto the device

or

• via the ordinary profile management tool for the encryption software.

Once the Endpoint Security webRH profile has been deployed, helpdesk staff can provide Remote Help to users of those devices.

Creating and Deploying webRH Profiles

For most modules, you configure the settings when creating the profile. The exception is the Pointsec PC Module, where you configure the settings first, and then create the profile.

After creating the profile, you must download it and then deploy it, either directly to the end-user device, or via a profile management tool used for the relevant end-user encryption product.

General Instructions for Creating webRH Profiles

This section describes the general procedure for starting the creation of an Endpoint Security webRH profile. The following sections give detailed information on each module.

Note - For the Pointsec PC module, you must configure settings for the profile ("Pointsec PC Module Profiles" on page 33) first.

To create a webRH profile:

1. From the left menu, click Profiles. The ADMINISTRATION - Profiles web page opens:

2. Click Create.

The Module Selection web page opens, for example:

Note - The modules shown here depend on which ones have been installed.

Downloading webRH Profiles

Once you have created one or more webRH profiles, you must download them from the server in order to deploy them onto end-user devices.

To download a profile:

1. On the ADMINISTRATION - Profiles page, click Download. The Profiles - Download web page opens, for example:

2. All the webRH profiles you have created are displayed. Click Download for the relevant profile to download the profile to a local computer, and save it in a secure location.

Pointsec PC Module Profiles

Configuring Pointsec PC Module Profiles

This section explains how to configure the Pointsec PC Module response length and algorithm settings for Pointsec PC Module users. When you have configured settings, you can create a profile ("Creating Pointsec PC Module Profiles" on page 34).

To configure settings:

1. On the Endpoint Security webRH main page, from the left menu, select Module Settings and then click on Pointsec PC.

The MODULE SETTINGS - Pointsec PC Module page opens:

You can configure the following settings:

Table 3-4 Configurable settings

Setting: Explanation

Response length default value: Select the level of security you want to use when Endpoint Security webRH generates a response.

Response length changeable: Select if it should be possible to change the response length when:

• Providing Remote Help

• Creating a profile

Available algorithms: Select which algorithm(s) should be available when creating a profile.

2. When you have configured the settings you require, click Save. When prompted, click OK to confirm that you want to save the settings.

The settings are used when creating profiles ("Creating Pointsec PC Module Profiles" on page 34) and when providing Remote Help ("Remote Help" on page 44).

Creating Pointsec PC Module Profiles

The following section explains how to create a webRH profile for the Pointsec PC Module.

To create a webRH profile:

1. From the left menu, click Profiles. The ADMINISTRATION - Profiles web page opens.

2. Click Create. The Module Selection web page opens.

3. Select Pointsec PC. The available Pointsec PC Module settings are displayed:

4. Enter the following information to create the profile:

Table 3-5 Enter information to create profile

Field: Explanation

Organizational Unit: Specify which organizational unit to include in the profile. When this profile is used, it will be possible to supply Remote Help to client computers within the specified OU and its sub-OUs only.

Algorithm: Specify which algorithm is to be used in the challenge/response procedure when this profile is used.

Response length: Specify the response length to be used in the challenge/response procedure when this profile is used.

Profile name: Enter the name of the profile being created. This will be used for the file name.

Authentication information:

• Name: Enter a user name to be used when opening this profile in the Pointsec Admin program. This is useful if you want to merge this Endpoint Security webRH profile with the ordinary Pointsec PC profile before deploying on the client computers.

• Password: Enter the password to be used when opening this profile in the Pointsec Admin program.

• Confirm Password: Confirm the password.

Profile password:

• Password: Enter the password which is used when the profile is downloaded automatically directly to the client computers. The same password must be set in the Pointsec PC profile deployed on the client computers. If the same password is not set in both this webRH profile and in Pointsec PC, the webRH profile will not be deployed. For more information, see the Endpoint Security webRH Administrator’s Guide.

• Confirm Password: Confirm the password.

Pointsec PC Serial No: Enter the Pointsec PC serial number for the computers on which you will deploy this profile.

5. Once you have entered the information, click Create. The following dialog box opens:

6. Click OK to create the profile. Another page opens, informing you that the profile was successfully created and stored in the database.

7. Click Download to download and save the profile ("Downloading webRH Profiles" on page 32).

The next step is to deploy the profile to Pointsec PC-protected workstations.

Deploying Pointsec PC Module Profiles

Once you have created a webRH profile for the Pointsec PC Module, you can deploy it to Pointsec PC-protected workstations.

Deploying the webRH profile entails downloading it from the Endpoint Security webRH database and placing it in the Pointsec PC work directory.

To deploy the Endpoint Security webRH profile:

1. On the workstation where you want to deploy the webRH profile, copy it to the Pointsec PC work directory. The default location for the Work directory is: Program Files\Pointsec\Pointsec for PC\Work.

Note - Ensure that the Pointsec PC Management Console is not running on the workstation when you place the profile in the Work directory. If the Management Console is running, the profile may not be deployed correctly.

Pointsec PC automatically deploys the profile and removes it from the Work directory.

Note - To ensure that the profile has been deployed correctly, you can start the Pointsec PC Management Console and check that the WEBRH group has been added.

Note - If a profile has not been successfully deployed, you must create a new profile in Endpoint Security webRH and deploy it again. You cannot reuse profiles.

2. Repeat step 1 on every Pointsec PC-protected workstation on which you want to deploy the profile.

Once deployed, users can receive one-time logon and remote password change help from helpdesk staff and Pointsec PC administrators using Endpoint Security webRH.

Pointsec PC 6 Module Profiles

About Pointsec PC 6 Module profiles

Pointsec PC 6 module profiles are used to supply Remote Help to the following end-user products:

• Pointsec PC 6

• Full Disk Encryption for Windows

• Full Disk Encryption for Mac

Creating Pointsec PC 6 Module Profiles

The following section explains how to create a webRH profile for the Pointsec PC 6 module.

Note - You can only use the webRH profile to update an existing Pointsec PC 6 or Full Disk Encryption profile on the end-users’ computers.

To create a webRH profile:

1. From the left menu, click Profiles. The ADMINISTRATION - Profiles web page opens.

2. Click Create. The Module Selection web page opens.

3. Click Pointsec PC 6. The following web page opens:

4. Enter the following information to create the profile:

Table 3-6 Enter Profile Information

Field: Explanation

Organizational Unit: Specify which organizational unit to include in the profile.

Challenge length: Set the length of the challenge to be generated when providing Remote Help.

• Default value: Do not set

• Minimum value: 10 character challenge

• Maximum value: 20 character challenge

Group authority level: Set the group authority level required when deploying this profile. Nine is the highest group authority level, and zero is the lowest. For more information on group authority levels, please see the Endpoint Security webRH 6 Administrator’s Guide.

Profile version: Select the version of Endpoint Security webRH 6 for which you want to create a profile. For Full Disk Encryption for Windows and for Full Disk Encryption for Mac, use profile version 6.3.1.

Profile name: Enter the name of the profile being created. This will be used for the file name.

Profile password: Enter the profile password. This password must be the same as the update validation password in the Endpoint Security webRH 6 or Full Disk Encryption profile already deployed on the device. Otherwise, the webRH profile will not be deployed.

Note - After changing the update validation password on a client machine, a new webRH profile containing the new password must be deployed to that machine, too.

Confirm password: Confirm the password.

5. Once you have entered the information, click Create. The following dialog box opens:

6. Click OK to create the profile. Another page opens, informing you that the profile was successfully created and stored in the database.

7. Download ("Downloading webRH Profiles" on page 32) and save the profile.

The next step is to deploy the profile to Endpoint Security webRH-protected workstations.

Deploying Pointsec PC 6 Module Profiles

Once you have created and downloaded a webRH profile, you can deploy it to Pointsec PC 6 or Full Disk Encryption-protected workstations as an update profile.

How to deploy update profiles is described in the Administrator’s Guide for the relevant product (Pointsec PC 6, Full Disk Encryption for Windows or Full Disk Encryption for Mac).

Note - To ensure that the profile has been deployed correctly, you can start the Pointsec PC 6 or Full Disk Encryption Management Console and check that the WEBRH group has been added.

Note - If a profile has not been successfully deployed, you must create a new profile in Endpoint Security webRH and deploy it again. You cannot reuse profiles.

Once the profile has been deployed on end-user computers, users can receive one-time logon and remote password change help from helpdesk staff and administrators using Endpoint Security webRH.

Pointsec Protector Module Profiles

About Pointsec Protector Module profiles

Pointsec Protector module profiles are used to supply Remote Help to the following end-user products:

• Endpoint Security Media Encryption

• Pointsec Protector

• Disknet Pro

Note - All the products using the Pointsec Protector module are different versions of the same product. The current name is Endpoint Security Media Encryption.

Creating Pointsec Protector Module Profiles

The following section explains how to create a webRH profile for the Pointsec Protector Module.

To create a webRH profile:

1. From the left menu, click Profiles. The ADMINISTRATION - Profiles web page opens.

2. Click Create. The Module Selection web page opens.

3. Click Pointsec Protector. The following web page opens:

4. Enter the following information to create the profile:

Table 3-7 Enter Profile Information

Field: Explanation

Organizational Unit: Specify which organizational unit to include in the profile.

Profile name: Enter the name of the profile being created. This will be used for the file name.

Profile password: Enter the profile password.

Confirm password: Confirm the password.

5. Once you have entered the information, click Create. The following dialog box opens:

6. Click OK to create the webRH profile. Another page opens, informing you that the profile was successfully created and stored in the database.

7. Click Download to download and save the profile ("Downloading webRH Profiles" on page 32).

The next step is to deploy the webRH profile to Pointsec Protector-protected workstations.

Deploying Pointsec Protector Module Profiles

This section describes how to deploy a webRH profile for the Pointsec Protector module to end-user computers.

To deploy a Pointsec Protector profile:

1. Import the webRH profile for the Pointsec Protector Module into the Pointsec Protector Administration Console when creating an ordinary Pointsec Protector profile.

2. Deploy the ordinary Pointsec Protector profile, containing the webRH profile, onto end-user workstations.

Once this has been done, users can receive Remote Help from helpdesk staff and Endpoint Security webRH administrators using Endpoint Security webRH.

Pointsec Media Encryption Module Profiles

Creating Pointsec Media Encryption Module Profiles

To create a profile:

1. From the left menu, click Profiles. The ADMINISTRATION - Profiles web page opens.

2. Click Create. The Module Selection web page opens.

3. Click Pointsec Media Encryption. The following web page opens:

4. Enter the following information to create the profile:

Table 3-8 Create profile

| Field | Explanation |
|---|---|
| Organizational Unit | Specify which OU (and parent OUs) to add to the profile. |
| Profile Name | The name of the profile being created. This will be used for the file name. |
| Password | Enter the password that will be used when importing the profile into the Pointsec PC Linux Edition profile in Pointsec Administration Console. |
| Confirm password | Confirm the password. |

5. Once you have entered the information, click Create. The following dialog box opens:

6. Click OK to create the profile. The profile is saved in the database.

7. Click Download to download the profile ("Downloading webRH Profiles" on page 32) and save it to a secure location.

Deploying Pointsec Media Encryption Module Profiles

Once the Pointsec Media Encryption Module profile has been downloaded and saved to a safe location, it must be imported into a Pointsec Media Encryption profile in Pointsec Administration Console.

In order for webRH to function on the clients, the webRH profile must be imported into all Pointsec Media Encryption update profiles.

Note - Always start the creation of an update profile from the current installation profile, to be certain that no settings are overwritten.

For more information on update profiles and Pointsec Administration Console, see the Pointsec Media Encryption Administrator’s Guide.

Pointsec Mobile Module Profiles

Creating Pointsec Mobile Module Profiles

The following section explains how to create a webRH profile for the Pointsec Mobile module.

To create a webRH profile:

1. From the left menu, click Profiles. The ADMINISTRATION - Profiles web page opens.

2. Click Create. The Module Selection web page opens.

3. Click Pointsec Mobile. The following web page opens:

4. Enter the following information to create the profile:

Table 3-9 Create a profile

| Field | Explanation |
|---|---|
| Organizational Unit | Specify which OU (and parent OUs) to add to the profile. |
| Profile Name | The name of the profile being created. This will be used for the file name. |
| Password | Enter the password that is used to authenticate and open the profile. |
| Confirm Password | Confirm the password. |

5. Once you have entered the information, click Create. The following dialog box opens:

6. Click OK to create the profile. The following page opens:

7. Click Download to download and save the profile ("Downloading webRH Profiles" on page 32).

Deploying Pointsec Mobile Module Profiles

Once the webRH profile has been downloaded and saved to a secure location, it must be imported into a Pointsec Mobile profile for PDAs or smartphones in Pointsec Administration Console, the administration tool used for deploying ordinary Pointsec Mobile profiles.

To enable the administrator to provide users of PDAs and smartphones with Remote Help via Endpoint Security webRH, the webRH profile must be imported into all PDA and smartphone update profiles.

Note - Always start the creation of an update profile from the current installation profile, to be certain that no settings are overwritten.

For more information on update profiles administrated via Pointsec Administration Console, see the documentation accompanying the relevant Pointsec Mobile product for PDAs or smartphones.

Chapter 4

Remote Help

This chapter suggests ways of verifying users and explains how to provide Remote Help to end-users.

In This Chapter

Verifying User Identities

Providing Remote Help

Removing Pointsec Mobile from Devices

Verifying User Identities

Before you provide Remote Help to a user, you must be sure that the user is actually authorized to access the computer. You can do this in a number of ways, for example:

Use predetermined questions and answers that only legitimate users have access to

Keep a list of sample questions to ask, such as the user’s name and favorite color, partner’s middle name, brand of car, etc. Some of the questions could have randomized, fixed answers, for example, when asked about his/her favorite pet, the user could answer "clouds", not "cat".

Store the questions and answers in a separate database that is accessible to all Remote Help administrators.

Use voice verification software

Use security software to extract unique vocal characteristics of the caller and compare them with the user’s recorded voiceprint.

Providing Remote Help

Depending on which encryption product the end-user is using, you can provide different kinds of help. For this reason, the section is divided into sub-sections describing the help procedure for each Endpoint Security webRH module.

Pointsec PC Module Remote Help

For the Pointsec PC module, two types of Remote Help are available:

Remote Password Change for users who have forgotten their fixed passwords

One Time Logon for users who usually use dynamic tokens or smart cards but do not have access to them at the moment.

To provide Remote Help to users of Pointsec PC:

1. Once you have verified that the user is legitimate, log on to Endpoint Security webRH and select Remote Help.

2. If you have more than one Pointsec module installed in Endpoint Security webRH, a list of products for which you can provide Remote Help is displayed. Select Pointsec PC. The REMOTE HELP- Pointsec PC page opens:

3. Enter the following information:

Table 4-10 Enter Remote Help information

| Field | Explanation |
|---|---|
| User name: | Enter the name of the account the user is using. |
| Challenge | Ask the user for the challenge displayed on his or her computer, and enter it here. |
| Algorithm | Select type of encryption algorithm to be used for encryption of the response. |
| Response | If allowed in your Pointsec PC Module webRH profile, enter the length of the response Endpoint Security webRH will generate. |
| Remote Password Change | Select this option for users who have forgotten their fixed passwords. |
| One-time Login | Select this option for users who usually use dynamic passwords or smart cards but do not have access to them at the moment. |

4. Click Get Response. A response is generated:

5. Read the response to the user, and ask the user to enter it into the Response field.

Ensure that the user successfully changes his or her password or gains one-time access to the computer before ending the Remote Help session.

Pointsec PC 6 Module Remote Help

You can provide the following types of Remote Help to users of workstations protected by Pointsec PC 6 and Full Disk Encryption:

Remote Password Change for users who have forgotten their fixed passwords

One Time Logon for users who usually use dynamic passwords or smart cards but do not have access to them at the moment.

To provide Remote Help to users of Pointsec PC 6 or Full Disk Encryption:

1. Once you have verified that the user is legitimate, log on to Endpoint Security webRH and select Remote Help.

2. If you have more than one Pointsec module installed in Endpoint Security webRH, a list of products for which you can provide Remote Help is displayed. Select Pointsec PC 6. The REMOTE HELP- Pointsec PC 6 Module page opens:

3. Enter the following information:

Table 4-11 Remote Help Information

| Field | Explanation |
|---|---|
| Type of end-user assistance: | Select the type of Remote Help required: Remote password change - for users who have forgotten their fixed passwords; One-time logon - for users who usually use dynamic passwords or smart cards but do not have access to them at the moment. |
| End-user account name: | Enter the name of the account the user is using. |

4. Click Get Response. Response One is generated:

5. Read Response One to the user and then ask the user to enter it into the Response One field and press the Tab button.

6. Endpoint Security webRH generates a challenge. Ask the user to read you the challenge. Enter the challenge and click Get Response. Endpoint Security webRH generates and displays Response Two:

7. Read Response Two to the user. Ensure that the user successfully changes his or her password or gains one-time access to the computer before ending the Remote Help session.

Pointsec Protector Module Remote Help

To provide Remote Help to users of Pointsec Protector:

1. Verify that the user is legitimate. Log on to Endpoint Security webRH and select Remote Help.

2. Click Pointsec Protector.

The challenge page opens:

3. Enter the user name of the media owner and the challenge generated by Endpoint Security webRH. Click Get Response.

Endpoint Security webRH generates and displays the response:

4. Read the response to the user.

Tip - Use the phonetic alphabet when reading out the response to the user.

When reading the response to the user, it is often a great help to use the phonetic alphabet to avoid mistakes or confusion. The Pointsec Protector module makes this easier for you; simply select the relevant language in the drop-down list, and the letters in the response will be displayed as words according to the selected phonetic alphabet.

For example, if you select English, the response will be displayed like this:

Ensure that the user successfully accesses his or her device before ending the Remote Help session.

Pointsec Media Encryption Module Remote Help

To provide Remote Help for users of Pointsec Media Encryption:

1. Verify that the user is legitimate. Log on to Endpoint Security webRH and select Remote Help. Click Pointsec Media Encryption. The challenge page opens:

2. Enter the challenge generated by Pointsec Media Encryption and click Get Response.

Endpoint Security webRH generates and displays the response.

3. Read the response to the user. Ensure that the users successfully access their devices and change their passwords before ending the Remote Help session.

Removing Pointsec Mobile from Devices

With the Pointsec Mobile module, you can also help users remove Pointsec Mobile from their devices, if allowed by the profile deployed on the device.

To help a user to remove Pointsec Mobile from a device:

1. Verify that the user is legitimate ("Verifying User Identities" on page 44).

2. Ask the user to initiate removal of the Pointsec Mobile product installed on his or her device. See the documentation accompanying the relevant product for more information.

3. Log on to Endpoint Security webRH and select Remote Help. The following web page opens:

4. Click Pointsec Mobile. The challenge page opens:

5. Select Remove Pointsec, enter the challenge generated by the device and click Get Response.

Endpoint Security webRH generates and displays the response.

6. Ask the user to enter the response into the device and tap OK. Pointsec Mobile decrypts the information on the device and removes itself from the device.

Chapter 5

Log Files in webRH

In This Chapter

Introduction

Viewing the Logs

Exporting Logs to Files

Deleting Logs

Configuring Logs

Introduction

A general requirement in any security product is the ability to log the actions of users in the system.

Endpoint Security webRH logs Remote Help events and allows administrators to export the log files to comma-delimited text files for further analysis.

This means that your organization can track the actions of helpdesk staff, establishing an audit trail that can be added to other centralized auditing systems.

You can also configure Endpoint Security webRH to send internal errors, which are stored in the Windows Event Viewer, and user actions, which are stored in the webRH database, to the Syslog Server. See Configuring Endpoint Security webRH Settings (on page 25).

Syslog Limitations

Log messages will not be buffered on the webRH server. This means that if the Syslog server is down or not available for any reason, all log messages will be lost.

Pointsec for PC 5 Module Settings: log messages for these settings will not be generated due to end of life of this release.

Viewing the Logs

All administrators - global, regional and local - can view logs.

To view the log:

1. From the left menu, click Logs. The ADMINISTRATION - Logs web page opens:

2. Click View.

The Logs - View web page opens, for example:

3. Select the type and range of view you want and click View.

This web page shows detailed information about actions recorded by Endpoint Security webRH.

Categories include the date and time of an action, the action itself, the user account associated with the action and the OU the account belongs to.

By default, 100 log entries are displayed per page.

Exporting Logs to Files

Only global and regional administrators can export logs.

To export the log:

1. On the ADMINISTRATION - Logs page, click Export. The Logs - Export web page opens:

2. Select the type of export you want and click Export.

3. In the File Download dialog box, select Save this file to disk. Choose where to store the Endpoint Security webRH log file and click Save.

When the information has been exported, a new entry is created in the log stating that the log was successfully exported and who exported it.

Deleting Logs

Only global (top-level) administrators can delete logs.

To delete logs:

1. On the ADMINISTRATION - Logs page, click Delete. The following page opens:

2. Select the type of deletion to perform and click Delete.

3. In the dialog box which opens, click OK to confirm that you want to delete the specified logs.

When the deletion is complete, an entry in the log will be created stating who performed the deletion and what type of deletion it was.

Configuring Logs

Only global (top-level) administrators can configure logs.

To configure logs:

1. On the ADMINISTRATION - Logs page, click Configure. The following page opens:

All selected actions on this web page will create a log entry in the database when the event occurs.

2. Select and deselect the options to modify the actions logged. Click Save to save your changes.

Chapter 6

Token Information

In This Chapter

About Dynamic Tokens

Supported Token File Formats

Format Requirements for .csv Token Files

About Dynamic Tokens

You can configure the helpdesk or administrator accounts to use dynamic tokens instead of passwords for authentication to Endpoint Security webRH. To do so, you need to create or import dynamic tokens into the Endpoint Security webRH database. The tokens can then be assigned to helpdesk staff or administrators, if they are to use a token to authenticate themselves to Endpoint Security webRH.

You can add tokens ("Managing Authentication Tokens" on page 13) at any time after the installation. Either enter information about one token at a time, or import a file which contains information for many tokens.

This appendix contains information on the required format for the token files that can be imported, and on the encryption methods used for the response mechanism.

Supported Token File Formats

The following formats are supported for the dynamic tokens used by administrators and helpdesk staff when they authenticate themselves to Endpoint Security webRH:

Table 6-12 Supported token formats

| Token file format | Response encryption method | Comment |
|---|---|---|
| .imp | The method used to encrypt the response is determined by the password length (or token key length, if you create one token at a time): Key length: 14 -> Encryption method: DES; Key length: 42 -> Encryption method: 3DES | An encryption key needs to be entered before the .imp file is imported. The token information in the .imp file is encrypted either with AES or Blowfish. Note - .imp files can be created in and exported from the Check Point X9.9 Token application included in your Endpoint Security software package. You can also use the hardware token of your choice. |
| .dat | | The .dat file is produced from Secure Computing Card Programmer. |
| .csv | | You can create your own .csv file. The information it contains must be separated by semicolons. For required formats and examples, see "Format Requirements for .csv Token Files" on page 57. |

Format Requirements for .csv Token Files

If you want to create your own file containing the dynamic token information, it needs to have the format specified here.

The file ending must be .csv. The encryption method is determined by the token key length.

Format Specification

The contents of the file must have the following format:

token_name;token_key;response_format;challenge_format;response_length;challenge_length;

This table shows details for the components:

Table 6-13 Token file format

| Component | Required format |
|---|---|
| Token key | 14 characters (for DES encryption) or 42 characters (for 3DES encryption) |
| Response format | Friendly or Decimal |
| Challenge format | Ascii or Hex |
| Response and challenge length | A number between 8 and 16 |

Examples

DES encryption

V73874;C7C678504807E4;Friendly;Hex;8;8;

3DES encryption

V73874;C7C678504807E4C7C678504807E4C7C678504807E4;Friendly;Hex;16;16;
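
A .csv token file can be checked against the format specification and Table 6-13 before it is imported. The validator below is an added example, not Check Point code: the function names, the duplicate name and key checks, and the reading of a 42-character key as three 14-character parts are assumptions of this example.

```python
from dataclasses import dataclass, field

FIELDS = ("token_name", "token_key", "response_format",
          "challenge_format", "response_length", "challenge_length")
KEY_METHOD = {14: "DES", 42: "3DES"}        # key length selects the method
RESPONSE_FORMATS = {"Friendly", "Decimal"}  # spelled as in Table 6-13
CHALLENGE_FORMATS = {"Ascii", "Hex"}

# Lines 1-2 are the guide's own examples; lines 3-4 are constructed bad input.
SAMPLE = """\
V73874;C7C678504807E4;Friendly;Hex;8;8;
V73874;C7C678504807E4C7C678504807E4C7C678504807E4;Friendly;Hex;16;16;
T00001;0123456789ABCDEF;Decimal;Ascii;8;20;
T00002;C7C678504807E4;friendly;Hex;8;8
"""


@dataclass
class LineResult:
    lineno: int
    name: str = ""
    method: str = ""  # "DES", "3DES", or "" when the key length is invalid
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def split_fields(line):
    """Return the six fields of a line, or None if the count is wrong."""
    body = line[:-1] if line.endswith(";") else line
    parts = body.split(";")
    return parts if len(parts) == len(FIELDS) else None


def check_line(lineno, line):
    """Check one line against the specification. Messages never echo the key."""
    res = LineResult(lineno)
    if not line.endswith(";"):
        res.errors.append("missing trailing ';'")
    parts = split_fields(line)
    if parts is None:
        res.errors.append(f"expected {len(FIELDS)} semicolon-separated fields")
        return res
    res.name, key, rfmt, cfmt, rlen, clen = parts
    if not res.name:
        res.errors.append("token_name is empty")
    res.method = KEY_METHOD.get(len(key), "")
    if not res.method:
        res.errors.append(f"token_key is {len(key)} characters, expected 14 or 42")
    elif res.method == "3DES" and key[:14] == key[14:28] == key[28:]:
        # Assumption: the 42 characters are three 14-character DES subkeys.
        res.warnings.append("3DES key repeats one 14-character part three times")
    if rfmt not in RESPONSE_FORMATS:
        res.errors.append("response_format must be Friendly or Decimal")
    if cfmt not in CHALLENGE_FORMATS:
        res.errors.append("challenge_format must be Ascii or Hex")
    for label, value in (("response_length", rlen), ("challenge_length", clen)):
        if not (value.isascii() and value.isdigit() and 8 <= int(value) <= 16):
            res.errors.append(f"{label} must be a number between 8 and 16")
    return res


def check_file(text):
    """Check every non-empty line and flag token names or keys used twice."""
    results, names, keys = [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        res = check_line(lineno, line)
        parts = split_fields(line)
        if parts:
            name, key = parts[0], parts[1]
            if name in names:
                res.warnings.append(f"token_name already used on line {names[name]}")
            if key in keys:
                res.warnings.append(f"token_key already used on line {keys[key]}")
            names.setdefault(name, lineno)
            keys.setdefault(key, lineno)
        results.append(res)
    return results


if __name__ == "__main__":
    for r in check_file(SAMPLE):
        status = "ERROR" if r.errors else ("WARN" if r.warnings else "OK")
        print(r.lineno, r.name, r.method or "-", status, r.errors + r.warnings)
```

If the 42 characters are used as three DES subkeys in encrypt-decrypt-encrypt order (the assumption stated above), three identical parts make 3DES compute the same function as single DES, which is why the check warns on production keys built like the guide's 3DES sample line.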
