Support Center > Search Results > SecureKnowledge Details
Capsule Docs On-Premises vs. Capsule Docs managed in the Cloud Technical Level

Capsule Docs Deployment Types

Check Point Capsule Docs supports two different types of deployments to provide customers with options that best suit their business needs:

  • Capsule Docs On-Premises (see sk102651)
  • Capsule Docs managed in the Cloud

This solution compares the two deployment types.

  Capsule Docs managed in the Cloud Capsule Docs On-Premises



  • Leverages Check Point Cloud infrastructure. No server deployment is needed.
  • Multi-tenant architecture creates different isolated sections in the server, to prevent cross-organizational access.
  • The Cloud stores the community encryption keys, users, policy settings, and audit logs. Documents are never uploaded to the Cloud.
  • Manages Capsule Docs communities through a Web Portal.
  • Uses LDAP, managed by Check Point, for user management.
  • Capsule Docs Management Server (Capsule Docs is a blade within Endpoint Security Management Server) on Windows or Gaia must be installed within the organization's perimeter.
  • SmartEndpoint provides security policy management, client management, deployment capabilities, and advanced monitoring.
  • Reverse Proxy (Capsule Docs Proxy or a third party server) should be configured for clients that don't have access to internal resources (for example, mobile users and external users).
  • An SMTP Server should be configured if protected data is shared with a 3rd party.

High Availability and Load Balancing

Check Point Disaster Recovery site guarantees the lowest possible RTO.

A Secondary Management Server and Endpoint Policy Servers can be used for redundancy and load balancing.

Disaster Recovery

Each document can be recovered using the master key. A password protected recovery utility can be downloaded from the relevant management platform.

Central Management

  • Periodic policy updates.
  • Latest version of the client is suggested to the end user.
  • Client software deployment.
  • Advanced reporting capabilities (for example, client problems and deployment progress).
  • Proactive remote administration operations on the client (for example, restart and update).
  • Immediate updates of policy settings and groups that the logged in user is a member of.
Supported Platforms

Client Supported platforms

  • Windows (Win 7 to Win 10). 
  • iOS (7 and above)
  • Android (4 and above)
  • Mac OSX (10.13 and above)

Web Interface for accessing protected documents (deprecated for now due to lack of Flash support in modern browsers)


Supported Applications

  • All versions of Microsoft Office 2010/2013/2016/2019/365 since version E82.50 and above.
  • Adobe Acrobat Reader DC, see sk157772

Mobile Support

Protected documents can be accessed with the Capsule Docs App or Capsule Workspace App.

Seamless Access to protected documents from smartphones and tablets is provided for easy use of documents while away from home/office.

Communication and Updates


Clients communicate securely with the Cloud over HTTPS.

  • Clients that have access to internal resources communicate with the server directly over HTTPS.
  • All other clients, for example mobile devices and external users, communicate through a reverse proxy (Capsule Docs Proxy or a third party server) over HTTPS. Capsule Workspace clients communicate through SSL VPN.

Clients Updates

Periodic update based on administrator configuration.

Default is set to 24 hours.

  • For managed clients: Automatic and immediate updates.
  • For non-managed clients: Periodic updates based on administrator configuration. Default is set to 24 hours.

The Check Point Capsule Docs Plugin and Capsule Docs Viewer support communication through a proxy server.

  • Proxy detection is done automatically.
  • Proxy authentication is supported using NTLM/Negotiate protocols.

Offline Work

Offline work is supported after initial connection to the Server and as long as user works with existing groups and classifications. The administrator can configure how long users are allowed to work offline.

Users, Groups, Permissions, and Policy Configuration

Users Auto Provisioning

The administrator can configure which domains are considered as internal.


AD users are considered as internal and automatically provisioned as Capsule Docs users.

Policy Customization

One global policy is applied to all users in the community.

Capsule Docs policy can be customized for different users, organizational units, and groups (either AD groups or Virtual groups).

AD Integration

AD structure can be fully/partially imported into the Cloud and reused for the Capsule Docs purposes. No further synchronization is automatically done after the structure is imported.

AD is fully integrated and automatically synchronized through a configured AD scanner.

Groups Management

Virtual groups can be created manually by the administrator and then can later be used by end users as authorized groups for protected documents.


AD groups can be imported into the Cloud and re-used by end users when protecting documents.

No further synchronization is done.


Administrators can configure which AD groups are available for end users when they select authorized users/groups for a protected document.

User permissions Configuration

A user's permissions for a document are determined by the document classification.

Classification is a set of the following permissions: Edit, Change Classification, Remove Protection, Print, Copy/Paste, Add users, Screen Capture, Mobile Access.

  • Document creator is granted with full (most permissive) permissions.
  • A set of Classification permissions applies to all authorized users except the document creator.
  • Classification permissions can be configured differently for Internal and External users.
  • Elevated permissions can be configured for Authors.

Default Protection Settings

The administrator can configure the initial classification. The administrator can also control whether new documents are automatically protected with this classification, and whether the end user is asked to protect old documents upon Save/Save as.

Default group is All internal users.

  • The administrator can configure default authorized groups.
  • The administrator can define the role of each authorized entity (user/group) in the initial access list which is assigned to newly protected documents.

Revoked User Permissions to Documents

  • Removing a user from the Capsule Docs environment results in revocation of access to all protected documents. When the user's computer or mobile device connects to the service, the client-side keys cache is deleted, as well. If the client is offline, the cache is deleted after a pre-configured time.
  • Deleting a classification will result in revocation of access to any document protected by this classification.


Permissions of AD deleted users are automatically revoked.

Working with 3rd Party Users

Incorporating 3rd Party into Capsule Docs Environment

A 3rd party user is incorporated into the organization Capsule Docs environment once his email address is added to a protected document, or when the administrator explicitly adds him through the management interface (either manually or by importing a CSV file). Until the user activates his account he is considered as "Invited".


  • The administrator can configure specific domains as internal (the domain that was scanned from AD is considered as internal, by default).
  • The administrator can also determine that users from specific domains are automatically considered as invited.
  • Administrator control sharing with 3rd party:
    • Configure that end users are not allowed to invite new users to the environment at all.
    • Control the domains from which new users can be invited.
    • Configure blocked domains from which 3rd party users cannot be invited.


Sharing Data with 3rd Party

In order to share documents with a 3rd party, the end user should simply add a group of this 3rd party, or enter specific mail addresses to a protected document.

When a 3rd party user makes an attempt to access a protected document for the first time, he is asked to activate his account (activation code is sent by mail). Once user has activated his account, he can access protected documents without any additional action.

Lightweight application with viewing capabilities can be downloaded and installed without the need for administrative privileges or reboot.

Activation procedure is available from the Web Portal.


Working with 3rd Party Applications
Capsule Docs Development Tools

Capsule Docs Development tools let you use your own applications for document protection.

  • Apply Capsule Docs protection to files.
  • Remove Capsule Docs protection from files.
  • Inspect the file protection status.

There are different types of Capsule Docs Protection API:

  • Capsule Docs SDK - C/C++/.Net/Java Wrappers. 
  • Capsule Docs Protection Tool - command line utility.
Logging & Monitoring


  • All operations done on protected files (including "Open", "Save", "Save-as", "Apply Protection", "Change Protection", "Remove Protection", "Print",  and "Copy Paste") are fully audited.
  • The following information can be easily retrieved by running the relevant queries:
    • Document audit trail and User audit trail.
    • Document distribution patterns within the organization.
    • Access by external parties.
  • Logs are sent periodically.
  • Web Portal for Viewing audit logs and pre-configured reports.
  • Logs upload frequency for managed clients can be configured in SmartEndpoint.
  • Logs can be viewed and analyzed with the powerful SmartLog, providing cross-product information and strong searching and filtering capabilities.


User Name / Password
  • Registration is done through the Capsule Docs Web Portal.
  • Authentication is done against an LDAP Server, which is managed by Check Point.
  • Single Sign-On for Active Directory users.
  • External users entities are created by the Capsule Docs Management Server and are stored in its local database.
  • Authentication of 3rd party is done against Capsule Docs local database. AD/other identity management system are not involved in the 3rd party authentication procedure.

Encryption Algorithms

The document content is encrypted with an AES symmetric key. The content key is encrypted with several RSA asymmetric keys (once with the Master key and once per each user/group on the document).

  • AES 128
  • RSA 2048
  • AES 256
  • RSA 2048

Encryption Keys

  • Keys are rotated (i.e. become obsolete) on a monthly/yearly basis, providing maximal cryptographic strength.
  • Private keys that are stored in the cache on the client machine are only: the key of the logged in user and the keys of the groups that the logged in user is a member of.
  • The administrator can configure how frequently users must be authorized to store data in the cache. If the user was offline or couldn't be authorized for a longer period than the one configured by the administrator, the cache is deleted.
Additional Features

User Education


Ask User Mechanism:

  • User education to prevent unintentional data loss: Users are notified upon blocked/ non-recommended operations.
  • User exception to applied classification: Users are asked to provide a reason for the exception. The reason is audited and available from the Audit logs.

Outlook Plug-in:

Verifies that all recipients of a sent email are authorized to access all protected documents that are attached to the email.

  • If a recipient is not authorized to access an attached document, the plugin informs the user who sent the email.
  • The user can choose how the recipient/authorization mismatch is shown:
    • By document – A list shows each inaccessible document and the users that cannot access it.
    • By User – A list shows each unauthorized user and the documents that he cannot access.

Document Markings

  • Configuration per classification of Header (Microsoft Excel Only), Footer(Microsoft Word, Microsoft PowerPoint), and Watermarks (Microsoft Word).
  • Upon protecting a document with a specific classification, the corresponding markings are applied automatically.
Data Classification   Classify data without encryption. Allow integration with 3rd party vendors. For example, DLP solutions. Support document markings for Office.
Localization Capsule Docs Plugin Localization Support for: French, German, Spanish, Russian and Simplified Chinese.
Content-Aware Protection for Mail Attachments (Available starting March 2016)  

The feature enables DLP Gateway administrators to set protect action for email attachments.

  • Seamless experience - Automatic protection based on administrator configuration. 
  • Flexibility - The administrator can allow sending protected documents, and allow or block attachments. 
  • Content Awareness - Different protection settings for different types of data. 
  • Access Control - The authorized user list can include defined users and groups and/or e-mail sender/recipients. 
  • End User Education - UserCheck alerts the user to the organization security policy.
Bulk Protection Services (Available starting March 2016)

File Protection for Windows-based Servers and Workstations

Protection is applied locally and runs on the Windows computer. Continuous monitoring on specific targets is also available to protect new files as soon as they are created.


Content-Aware File Protection for CIFS and NFS-compatible Network Locations

Protection is applied through a network gateway with the DLP Software Blade to files that match specified data types.

Related Solution:
sk105220 - Check Point Capsule Docs Technical Overview

Give us Feedback
Please rate this document