All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Chapter 1 Overview
Introducing the License Server
Licensing Files
License Pools
Shared Network Folder
Service Account
Reporting Tool
Deployment Process
System Requirements
Encrypted Log Files
Report File Locations
Shared Folder Permissions
Firefox Settings
Executing The Reporting Tool
Command Reference
Examples
Preface
In This Chapter
Introduction
Who Should Read This Guide?
Summary of Contents
Contact Information
Feedback
Introduction
This document contains information regarding installation and use of the Check
Point License Server and Reporting tool. For information regarding installation and
use of specific Endpoint Security Client components, refer to their respective
Administration or Client guides.
Summary of Contents
This guide contains the following material:
TABLE 0-1
Chapter                    Description
Overview                   Introduces License Server and presents an overview of the
                           deployment process.
Installing License Server  Describes the process of installing License Server.
Using License Server       Describes how to perform license management tasks using
                           License Server.
Reporting Tool             Introduces the Reporting Tool utility and presents
                           procedures for using it.
Contact Information
If you require information on other Check Point security products or services, or if
you encounter problems with License Server, please visit our web site or call us.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please
help us by sending your comments to:
cp_techpub_feedback@checkpoint.com
Chapter 1
Overview
In This Chapter
Note - License Server does not work with legacy Pointsec licenses or
evaluation licenses.
Licensing Files
Customers obtain Endpoint Security license files from the Check Point User Center.
Each license file contains the following components:
• A Certificate key that uniquely identifies each license file and protects it
against tampering
• A specified quantity of endpoint licenses (seats) - each endpoint computer
requires one endpoint license
• Definition of the specific Endpoint Security Client features enabled by this
license
• License Server IP address
License Pools
A license pool contains one or more endpoint license files available for assignment
to a specific group of endpoint clients. If a license pool does not contain any
available endpoint licenses, the administrator must purchase additional licenses
and add them to the pool or transfer an existing license file from another pool.
Upon installation, the License Server creates one pool, known as the global pool.
When using a single pool in a given environment, all endpoint licenses reside in the
global pool. You can define multiple license pools on a License Server to contain
licenses available only to specific groups of endpoint clients. For example,
individual departments, teams or branch offices can use their own license pools.
Administrators assign names to each new license pool. When multiple license pools
are in use, each client is assigned to a specific named pool by its profile or by the
server managing that client. If the pool to which a client is assigned does not exist,
licenses, if available, are allocated from the global (default) pool. Likewise, if there
are no available licenses in the assigned pool, licenses are allocated from the
global pool.
For example, if a client requests a Full Disk Encryption license, the License Server
first looks for an available license in the pool name that corresponds to the
‘Company Name’ in the profile. If this pool does not exist or does not contain any
available licenses, the License Server looks for available licenses in the
global pool. If there are no available licenses in the global pool, the License Server
cannot assign a license and returns an error.
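The lookup order described above, modelled as an added example (not Check Point code): it replays a constructed inventory to show which clients would draw from the global pool and which would be refused. The pool name "global", the class and function names, and all seat and client counts are assumptions made for illustration.

```python
GLOBAL_POOL = "global"  # assumed name; the guide calls it the global (default) pool


class NoLicenseAvailable(Exception):
    """Neither the assigned pool nor the global pool has a free seat."""


class LicenseServerModel:
    def __init__(self):
        self.free = {GLOBAL_POOL: 0}  # pool name -> free seats; global exists from install
        self.assigned = {}            # client id -> pool that served it

    def add_license_file(self, seats, pool=GLOBAL_POOL):
        self.free[pool] = self.free.get(pool, 0) + seats

    def request(self, client, pool_name=None):
        """Try the client's assigned pool first, then the global pool, else fail."""
        wanted = pool_name or GLOBAL_POOL
        # dict.fromkeys removes the duplicate when the assigned pool is the global pool
        for candidate in dict.fromkeys((wanted, GLOBAL_POOL)):
            # a pool that does not exist behaves like a pool with no free seats
            if self.free.get(candidate, 0) > 0:
                self.free[candidate] -= 1
                self.assigned[client] = candidate
                return candidate
        raise NoLicenseAvailable(f"{client}: no seat in {wanted!r} or {GLOBAL_POOL!r}")


def plan(seats_by_pool, clients_by_pool):
    """Replay an inventory and report who spills into the global pool or fails."""
    server = LicenseServerModel()
    for pool, seats in seats_by_pool.items():
        server.add_license_file(seats, pool)
    report = {"own_pool": 0, "spilled_to_global": [], "failed": []}
    for pool, count in clients_by_pool.items():
        for i in range(count):
            client = f"{pool}-{i + 1}"
            try:
                served_by = server.request(client, pool)
            except NoLicenseAvailable:
                report["failed"].append(client)
                continue
            if served_by == pool:
                report["own_pool"] += 1
            else:
                report["spilled_to_global"].append(client)
    return report


# Constructed inventory for illustration only.
SEATS = {GLOBAL_POOL: 2, "Sales": 3, "Engineering": 5}
CLIENTS = {"Sales": 4, "Engineering": 5, "Branch-Oslo": 2}  # no Branch-Oslo pool exists

if __name__ == "__main__":
    print(plan(SEATS, CLIENTS))
```

Because the fallback is silent, a misspelled or missing pool name shows up only as unexpected consumption of global seats, which is why the model reports spilled clients separately from failures.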
Service Account
The Service Account is a designated Windows user that has access permission to
shared network folders and permission to run the License Service service. The
service account and password are defined during the License Server installation
process and may be changed by an authorized administrator using the Windows
user definition process.
Reporting Tool
The Reporting Tool is a command line utility that summarizes and presents
information regarding Full Disk Encryption client status, including encryption,
licenses and logged events. Reports are saved as XML files and, by default,
automatically displayed in a web browser. The Reporting Tool can create the
following reports:
• Summary and detailed reports of client encryption status
• Reports showing client license usage and status
• Reports showing events gathered from client logs
Deployment Process
The following table presents an overview of the process of deploying Endpoint
Security using the License Server.
Step Description
1 Make an inventory of your network layout and clients to determine:
• How many endpoint licenses are required
• How many license servers are required
• How many endpoint licenses each server will manage
• Where the license server(s) will be deployed
• How many license pools are required
• Location and permissions for access to shared network folders
2 Create the shared network folders and configure your network and
firewall so that all endpoint computers can access them.
3 Acquire Check Point license file(s) that match your network set-up as
determined in Step 1.
4 Install the License Server(s).
5 Install Endpoint Security servers as required to support Endpoint
Security Client features deployed on your client computers. Make
certain that you purchase the appropriate licenses for these servers.
The following list shows which servers are required for each of the
available features:
• Full Disk Encryption: Full Disk Encryption master installation
• Port Protection: Media Encryption Server
• Media Encryption: Media Encryption Server
• Firewall: Secure Access Server
• Anti-Malware: Secure Access Server
• VPN Client: Secure Access Server
For installation instructions for these servers, please refer to the
relevant product documentation.
6 Install Endpoint Security Client on client computers.
7 Activate the license. Activation typically occurs automatically
following installation. If automatic activation is unsuccessful, activate
the license manually offline.
See the appropriate feature Administration Guide for information regarding client
installation, creating installation profiles, and deploying Endpoint Security to
clients.
System Requirements
The following table presents the minimum hardware and operating system
requirements for the License Server.
Item Description
CPU Pentium III 450 MHz
Disk Space 300 MB
RAM 512 MB
Network Interface 1
Operating System Microsoft Windows XP Professional (SP2)
Windows Server 2003
Chapter 2
Installing License Server
In This Chapter
This chapter provides detailed instructions for installing and initially configuring the
License Server.
Running the Installation Wizard
4. Select the features that you wish to install. Both Endpoint Security License
Server and Endpoint Security Reporting Tool are selected by default.
2. In the License Server Shared Folders window, click Add, and then browse to
the shared network folders used to share data with Endpoint Security Client
computers. Repeat this step for each shared folder you wish to define.
Note - Mapped drives are not supported as shared network folders. Use
either UNC path names or local paths.
Adding License Files
2. In the Add License window, enter the fully qualified path or navigate to the
appropriate license file.
3. Click OK. Repeat this step for each license you wish to add. Click Close in the
License Configuration window to continue.
You can also add licenses by cutting and pasting the license string contained in the
email you received from the User Center. Refer to “Working With Licenses” on
page 26 for details.
Completing the Installation
2. When the Wizard Complete window opens, click Yes, I want to restart my
computer now and then Finish.
After you install the License Server, configure the client to communicate with it.
Refer to the appropriate Administrator’s Guides for instructions.
Chapter 3
Using License Server
In This Chapter
Working With Licenses
3. In the Add License window, enter the fully qualified path or navigate to the
appropriate license file.
Click Change License Pool to change the license pool and/or create a new
license pool.
5. Repeat the preceding steps if you wish to add more license files.
3. Copy the license string from the email that you received from the Support
Center, as indicated below. Make certain that you copy the entire license string,
even if it extends over more than one line.
4. In the Add License window, click Paste License. You can also manually type
license information in the designated fields.
5. Click Calculate to calculate and display the validation code. Compare this with
the validation code that appears in your email.
Warning - If any licenses from the selected license file remain assigned
to endpoint clients, an error message appears. If you choose to
proceed, the License Server will automatically deactivate all such
licenses, effectively “decommissioning” those endpoint clients.
4. Click Yes to confirm.
2. Click Yes to confirm that you wish to move this license file to a different pool.
3. In the Change License Pool window, select the pool to which you wish to move
the license file and click OK.
a. If you wish to create a new license pool at this time, click New. Enter the
name of the new license pool in the designated field.
Working with Shared Network Folders
Note - Mapped drives are not supported as shared network folders. Use
either UNC path names or local paths.
A license status summary appears showing shared folders and general license
information.
Options:
-l Display License Information
-c Display Clients Information
-decom Display deactivated licneses
decom decom (-g <GUID> | -f <FQDN>) [-pool <license pool>]
[-h help]
offline offline -r <request challenge> -f <FQDN> [-pool
<license pool>] [-h help]
Displaying License Information
Argument                    Description
-l                          Returns license information
-c                          Returns client information
-decom                      Returns deactivated clients
-d                          Creates a detailed report
-ck <certificate key>       Returns only the specified certificate key
-pool [pool name] or [all]  Returns only results from the specified license pool. The
                            all argument returns results from all pools. If you do not
                            specify a pool name, results from the global pool appear.
-f                          Displays only the specified client FQDN
-g                          Displays only the specified GUID
-r {-s}                     Creates and saves an HTML file and displays it in a web
                            browser. The optional -s argument saves the HTML file
                            without displaying it in the browser.
                            Files are saved in the /WebData/Reports subdirectory.
-t                          Displays a detailed report with columns truncated to fit
                            an 80-character command line window
-o <output file>            Creates the report as a text file with the specified file name
You can use only one filter argument (-ck, -f, -g) in any command.
Example: Viewing status of installed Licenses by certificate key
Info -l -d -ck CF7550EF8C05 -pool MyNewPool -r displays a detailed license
file for a specific certificate key in MyNewPool in a web browser.
Example: Viewing status of all installed clients to a text file
Info -c -pool all -o client_report.txt creates a text file containing basic
information for all installed clients.
a. Enter values for either the GUID or FQDN for the client.
b. Enter the optional license pool argument (-pool) if desired. The global pool
is assumed if no argument is provided.
Event Logging
License Server provides a basic set of logging and auditing features. The following
events are recorded in the LicSerLog.log file located in the Log subfolder of License
Server:
• Adding/removing license file
• Adding/removing Shared folder
• Changing the password
• Activating a client
• Deactivating a client
• Offline activation
The following License Server events are recorded in the client side log file:
Event                              Description
EVID_LICENSE_INVALID               An invalid license was detected.
EVID_LICENSE_EXPIRED               An expired license was detected.
EVID_LICENSE_ACTIVATION            A license was activated on a license server.
EVID_FAILED_LICENSE_ACTIVATION     A license activation failed.
EVID_LICENSE_DEACTIVATION          A license was deactivated on the license server.
EVID_FAILED_LICENSE_DEACTIVATION   License deactivation failed.
EVID_LICENSE_SERVER_INCONSISTENCY  A client detects a license server inconsistency.
                                   For example: the element <transaction counter> in a
                                   response message is lower than in the previous
                                   response. This will happen if the license server is
                                   reinstalled.
Changing the License IP Address
8. Click Change.
9. Click Get License.
10. Click Get License File to download the new license.
11. Add the new license file to the License Server.
Chapter 4
Reporting Tool
In This Chapter
Overview
Before Using the Reporting Tool
Executing The Reporting Tool
Command Reference
Examples
Overview
The Reporting Tool is a command line utility that summarizes and presents
information regarding Full Disk Encryption client status, including encryption,
licenses and logged events. Reports are saved as XML files and, by default,
automatically displayed in a web browser. The Reporting Tool can create the
following reports:
• Summary and detailed reports of client encryption status
• Reports showing client license usage and status
• Reports showing events gathered from client logs
Administrators can analyze files located in the network shared folders specified in
the License Server configuration or specify a location containing files for the tool to
analyze. The Reporting Tool is typically installed together with the License Server.
You can, however, install it as a separate, stand-alone utility.
For further information refer to the Full Disk Encryption Administration Guide.
Before Using the Reporting Tool
Encrypted Log Files
Firefox Settings
To display reports in Firefox version 3.0 and higher:
1. Go to the following URL: about:config.
2. If the following warning appears, click I’ll be careful.
Note - You cannot use the License Server Utility window to execute the
Reporting Tool.
Command Reference
The basic dslogs.exe syntax is as follows:
dslogs.exe <Report Option> <Input Argument> [Optional Arguments]
The following tables explain the various options and arguments:
Table 4-1 Report Options
Argument  Description
-s        Summary encryption status report
-sd       Detailed encryption status report
-lic      Client license status report (available only when the Reporting
          Tool is not installed together with the License Server).
-log      Client event log report
-all      All reports
Note - The -lic and -all reports calculate the number of licenses
differently when the Reporting Tool is not installed together with the
License Server.
Argument                   Description
-l <path>                  Extracts data from all files located in the specified folder.
                           A fully qualified path to the specified folder is required.
-lr <path>                 Extracts data from all files in the specified folder and all
                           subfolders. A fully qualified path to the specified parent
                           folder is required.
dirs_list -f <file name>   Extracts data from all files located in folders contained in
                           the specified text file. Fully qualified paths to each of the
                           folders, as well as to the text file, are required.
files_list -f <file name>  Extracts data from all files contained in the specified text
                           file. Fully qualified paths to each file in the list, as well
                           as to the text file itself, are required.
<file name>                Extracts data from the specified file. A fully qualified path
                           to the specified file is required. Can only be used with
                           the -sd and -log report types.
Table 4-3 Report Options
Argument Description
-n <any integer> Extracts only the last specified number of entries
-p <password> Uses the specified password to decrypt protected log files
-o <output folder> Specifies the destination folder for the output reports
(created under the Reports folder).
-sl Silent mode - suppresses displaying reports in a browser
-v Displays detailed (verbose) information
Examples
dslogs.exe -sd -f C:\logs\status.txt - Generates a detailed encryption status report
from the data contained in the status.txt file.
dslogs.exe -log -f C:\logs\test.log - Generates an event log report containing the last
10 events contained in the test.log file.
dslogs.exe -all -lr C:\Shared\Log - Generates license, encryption status and log reports
from all files contained in the C:\Shared\Log folder.
dslogs.exe -s - Generates an encryption status report from all the files located in the
defined shared network folder and its subdirectories.