Best Practices - Endpoint Security (videos)
Solution

This is a live document that is updated on a regular basis without special notice. It does not replace any official documentation released by Check Point.

Table of Contents:

  • Operating System Installation and Server Setup
  • Preparing for Client Installation
  • Capsule Docs
  • Troubleshooting
  • Upgrade
  • Legacy Upgrade
  • High Availability
  • Policy Server
  • 3rd Party Deployment
  • Full Disk Encryption
  • Media Encryption
  • Endpoint for Mac

 

Operating System Installation and Server Setup


Estimated time to complete: 12 Minutes

Step 1 - Installing Gaia

Install the Gaia operating system before installing the Security Management Server and Endpoint Security Server.

Note: Each customer needs different machine capabilities; follow the attached Sizing Guide so that the machine fits your needs.


Estimated time to complete: 7 Minutes

Step 2 - First Time Wizard

First Time Wizard configures the OS settings through the Web browser.

Once done, it allows you to download SmartConsoles to configure the Endpoint Server and perform other configurations.

Note: Proceed anyway if prompted with a certificate error in the browser.


Estimated time to complete: 7 Minutes

Step 3 - Download and Install SmartConsole

Install the various SmartConsoles, which allow you to manage, control and view logs centrally. You will manage your Endpoint Server through SmartEndpoint.


Estimated time to complete: 7 Minutes

Step 4 - Activate and launch Endpoint Console

Through SmartDashboard you will activate the Endpoint Server and get a 15-day trial license that lets you get an impression of the Endpoint solution.

Add license to Endpoint Best Practice Guide



Preparing for Client Installation


Estimated time to complete: 10 Minutes

Step 5 - Downloading Clients User Center

To secure your clients we will download Endpoint clients from the Check Point User Center, upload them to the Endpoint Server and then deploy them to the client machines.

Note: The R77.20 Package Repository location was changed; see page 45 in the R77.20 Endpoint Administration Guide.


Estimated time to complete: 20 Minutes

Step 6 - Adding Active Directory scanner

By adding an Organization scanner you can scan your entire Active Directory and control your objects, either by adding them to groups that get different policies or by direct assignment.

Note: Scanning time can vary according to the AD size and structure and the machine's specifications.


Estimated time to complete: 6 Minutes


Estimated time to complete: 15 Minutes


Estimated time to complete: 20 Minutes

Step 7.a - Exported Client Package

The first of two steps: add the requested blades into one package. In the next step we will deploy the package that we created.

Step 7.b - Installing Exported Client Package

The second step: we install the exported package on the client, which installs the blades we configured. The client then gets the configured policies.

Note: The MSI package can be installed using 3rd party software.

Alternative Step 7 - Deploy initial client

Another option is installing a Device Agent (DA) on the client. The agent will communicate with the Endpoint Server, download the assigned blades and get the configured policies.

Note: The MSI package can be installed using 3rd party software.




Capsule Docs


Estimated time to complete: 2 Minutes

Protecting a document for external user using Capsule Docs

This video demonstrates creating a protected document for an external user using Capsule Docs.


Estimated time to complete: 3 Minutes

Accessing a protected document by external user

This video demonstrates how an external user accesses a Capsule Docs protected document.

 

Troubleshooting


Estimated time to complete: 3 Minutes

Collect CPinfo from Windows client

The main debug tool for the client is CPinfo. It collects information about the Endpoint Client components and assists with resolving issues.


Estimated time to complete: 1 Minute

Collect CPinfo from the Mac client

The main debug tool for the Mac client is CPinfo. It collects information about the Endpoint Client components and assists with resolving issues. It is the same tool as the Windows CPinfo.




Estimated time to complete: 2 Minutes

DMU - Step 1 Creating a bootable ISO file

Create a bootable media ISO with DMU and burn it to a CD.

Windows 7 AIK download ; Windows 8 AIK download

DMU Windows AIK commands


Estimated time to complete: 1 Minute

DMU - Step 2 Exporting encrypted machine's Recovery file

Export the encrypted machine's recovery file to allow unlocking the encrypted drive and gather the required information.


Estimated time to complete: 1 Minute

DMU - Step 3 unlocking the encrypted drive

Unlocking the encrypted drive using the created bootable media and the recovery file

 


Estimated time to complete: 2 Minutes

CPinfo Preboot - Step 1 Creating a bootable ISO file

Create a bootable media ISO, burn it to a CD, and add the CPinfo Preboot utility to an external media.

Windows 7 AIK download ; Windows 8 AIK download

CPinfo Preboot Windows AIK commands


Estimated time to complete: 1 Minute

CPinfo Preboot - Step 2 Collecting CPinfo Preboot

Boot the machine from the bootable media and collect the CPinfo Preboot.

CPinfo Preboot commands





Estimated time to complete: 4 Minutes

Automatic CPinfo Preboot creation and collection

This video demonstrates creation and collection of CPinfo Preboot using the Bootable CPinfo Preboot tool.

Bootable CPinfo Preboot tool



Upgrade


Estimated time to complete: 10 Minutes

Step 1 - Backup Endpoint Security Server

The first step of the upgrade from R77 to R77.10 is a database backup, made by migrating the database from the existing Endpoint Security Server.

Note: A maintenance window might be required to stop the Check Point services.


Estimated time to complete: 4 Minutes

Step 2 - Moving DB to a backup location

Place the Endpoint Server database in a secure location in case a revert from backup is needed.


Estimated time to complete: 25 Minutes

Step 3 - Upgrade Endpoint Server

The actual upgrade procedure to R77.10 from R77


Estimated time to complete: 1 Minute

Step 4 - Opening R77.10 console after upgrade

After the upgrade we need to connect to the new Endpoint Server with a new SmartEndpoint console and activate the change for the Endpoint part as well.





Estimated time to complete: 20 Minutes

Upgrade Endpoint Client

This video demonstrates the upgrade process from E80.50 to E80.51 through SmartEndpoint.



Legacy Upgrade


Estimated time to complete: 5 Minutes

Step 1 Upload Endpoint Client Packages

Once the new Endpoint server is up and running, upload the new client packages to the server


Estimated time to complete: Depending on AD size

Step 2 Scanning the Active Directory

Scanning the Active Directory will allow deploying packages and policies based on the machines and users in it


Estimated time to complete: 2 Minutes


Estimated time to complete: 1 Minute

Step 3a Add FDE Legacy Group

Allowing FDE legacy upgrade without using the Update Validation Password

Step 3b Add FDE Legacy Group

Verify that the ALLOW UPGRADE Group was added to the FDE clients


Estimated time to complete: 3 Minutes


Estimated time to complete: 2 Minutes


Estimated time to complete: 2 Minutes


Estimated time to complete: 1 Minute

Step 4a Media Encryption Keys and Devices Migration

Adding registry keys on the SQL Server to accept requests over TCP connections

Step 4b Media Encryption Keys and Devices Migration

Create a login profile to allow access to the legacy Media Encryption database

Step 4c Media Encryption Keys and Devices Migration

Migrating the devices and the encryption keys from the Legacy Media Encryption Server to the new Server

Step 4d Media Encryption Keys and Devices Migration

Allowing automatic access to an encrypted media by adding the Media Encryption Legacy Site ID to the new Endpoint Server


Estimated time to complete: 10 Minutes

Step 5 Export Preupgrade Package

Create and export a Preupgrade client package


Estimated time to complete: 20 Minutes

Step 6 Upgrading the Endpoint Security Legacy client

Perform the actual upgrade from the Legacy Endpoint client using the Preupgrade package


Estimated time to complete: 1 Minute

Step 7 Automatic access to a legacy encrypted media

External media that was encrypted using the Legacy Endpoint client will be accessible automatically from the new client.



High Availability


Estimated time to complete: 6 Minutes

Step 1 - Secondary Server Setup

First Time Wizard - Secondary Server.

Note: Before performing this step you need to install the OS. Refer to video "Step 1 - Installing Gaia"


Estimated time to complete: 4 Minutes

Step 2 - Secondary Server object creation

Before building the High Availability setup we need to create the Secondary Server object on the Primary Server, establish SIC between them, and install the database.


Estimated time to complete: 8 Minutes

Step 3 - Switch from Active to Standby Server

Fail over to the Standby server and see how the client now communicates with the Secondary Server instead of the Primary.

Note: Use the attached PDF to understand more about PAT and its importance.





Policy Server


Estimated time to complete: 10 Minutes

Policy Server - First Time Wizard

The Policy Server's role is to reduce load on the main server and keep the clients connected when there is no connection to the Primary Endpoint Server. SmartEndpoint and SmartDashboard cannot connect to a Policy Server, as it does not have a database.

You need to install the Operating System before performing this step.


Estimated time to complete: 7 Minutes

Policy Server - Activating Policy Server

Create the Policy Server object and activate it, so that it communicates with the Endpoint Server (SIC) and with the Endpoint Clients.


Estimated time to complete: 5 Minutes

Policy Server - Switching from Primary to Policy Server

If the Endpoint Client decides (based on proximity) to communicate with the Policy Server, or if it cannot reach the Primary Endpoint Server, the Endpoint Client remains connected.



3rd Party Deployment


Estimated time to complete: 3 Minutes

Step 1 - Creating an Endpoint Package with SCCM

This video demonstrates the creation of a package built from the MSI file that was exported from the Endpoint Security Server.


Estimated time to complete: 3 Minutes

Step 2 - Creating an Endpoint Program with SCCM

This video demonstrates how to set permissions to run the client, the installation order, command line, interaction with the program and more.

Note: Administrators can use other MSI syntax according to the company's needs.
Syntax:
# MsiExec /i EPS.msi /qn /l*v install.log REBOOT=ReallySuppress


Estimated time to complete: 3 Minutes

Step 3 - Creating a Distribution point for Endpoint Client

Add the package to an SCCM Distribution Point, choose which machines will receive the client, schedule the task, set the actions for when installation fails, and more.


Estimated time to complete: 25 Minutes

Step 4 - Installing Endpoint Client using SCCM

Silent installation of the Endpoint client (with some tips to speed up the client installation) using SCCM



Full Disk Encryption Blade


Estimated time to complete: 7 Minutes


Estimated time to complete: 3 Minutes

Two Factor Authentication - Step 1 - Preparation

Before authenticating with an eToken or Smart Card to Preboot, you need to prepare a certificate for your Active Directory user and install the relevant middleware

Two Factor Authentication - Step 2 - Authenticate to Preboot

This video demonstrates the steps to configure eToken to authenticate to Preboot and then to Windows


Estimated time to complete: 2 Minutes

Remote Help - Password Change

Configure policy to enable Remote Help for FDE users and demonstrate the process of changing a password with Remote Help challenge / response process


Estimated time to complete: 2 Minutes

Preboot Bypass - WIL

Enabling Preboot Bypass allows the client to authenticate only through Windows, without Preboot. This is less secure! The video mentions how to increase the security of this feature.


Estimated time to complete: 2 Minutes

Temporarily Disabling Preboot - WOL

Temporarily Disabling Preboot allows the administrator to disable Preboot protection temporarily, for example, for maintenance. It was previously called Wake on LAN (WOL).


Estimated time to complete: 3 Minutes

Customizing Preboot and OneCheck Background image

Change the Preboot and OneCheck login screen to use your own logo

Media Encryption


Estimated time to complete: 3 Minutes

Read & Write to a USB

This video demonstrates the basic configuration of reading (Read & Copy) and writing to a USB while presenting the Business data partition and actions made to files on the USB itself


Estimated time to complete: 2 Minutes

Media Encryption offline access

Endpoint Media Encryption allows access to encrypted media on machines without the Endpoint client installed or when the Endpoint Server is unreachable



Endpoint Security for Mac client


Estimated time to complete: 1 Minute

Installing Endpoint for MAC client - Step 1 - Upload package

This video demonstrates the Endpoint for MAC client upload to the Endpoint Server through SmartEndpoint.

Note: Download the Endpoint for MAC client from the User Center before performing this step


Estimated time to complete: 1 Minute

Installing Endpoint for MAC client - Step 2 - Download package from SmartEndpoint

Download Endpoint for MAC installation package from the Endpoint Server before installing it on the client machine


Estimated time to complete: 15 Minutes

Installing Endpoint for MAC client - Step 3 - Installation on the client machine

The actual installation on the MAC client machine
