Contents
Calculations for Administration Servers
This section provides the software and hardware requirements for devices used as Administration Servers. Also provided are recommendations for calculating the number and hierarchy of Administration Servers depending on the configuration of the organization's network.
Calculation of hardware resources for the Administration Server
This section contains calculations that provide guidance for planning hardware resources for the Administration Server. A recommendation on calculating disk space when the Vulnerability and Patch Management feature is used is provided separately.
Hardware requirements for the DBMS and the Administration Server
The following tables give the recommended minimum hardware requirements to a DBMS and Administration Server obtained during tests. For a complete list of operating systems and DBMSs supported, please refer to the list of hardware and software requirements.
Administration Server and DBMS are on different devices, the network includes 50,000 devices
Configuration of the device that has Administration Server installed
Hardware |
Value |
CPU |
4 cores, 2500 MHz |
RAM |
8 GB |
Hard drive |
300 GB, RAID recommended |
Network adapter |
1 Gbit |
Configuration of the device that has DBMS installed
Hardware |
Value |
|---|---|
CPU |
4 cores, 2500 MHz |
RAM |
16 GB |
Hard drive |
200 GB, SATA RAID |
Network adapter |
1 Gbit |
Administration Server and DBMS are on the same device, the network includes 50,000 devices
Configuration of the device that has Administration Server and DBMS installed
Hardware |
Value |
|---|---|
CPU |
8 cores, 2500 MHz |
RAM |
16 GB |
Hard drive |
500 GB, SATA RAID |
Network adapter |
1 Gbit |
Administration Server and DBMS are on different devices, the network includes 100,000 devices
Configuration of the device that has Administration Server installed
Hardware |
Value |
|---|---|
CPU |
8 cores, 2.13 GHz |
RAM |
8 GB |
Hard drive |
1 TB, with RAID |
Network adapter |
1 Gbit |
Configuration of the device with DBMS installed
Hardware |
Value |
|---|---|
CPU |
8 cores, 2.53 GHz |
RAM |
26 GB |
Hard drive |
500 GB, SATA RAID |
Network adapter |
1 Gbit |
The tests were run under the following settings:
- Automatic assignment of distribution points is enabled on the Administration Server, or distribution points are assigned manually in accordance with the recommended table.
- The backup task saves backup copies to a file resource located on a dedicated server.
- The synchronization interval for Network Agents is set as specified in the table below.
Synchronization interval for Network Agents
Synchronization interval (minutes)
Number of managed devices
15
10,000
30
20,000
45
30,000
60
40,000
75
50,000
150
100,000
Calculation of database space
The approximate amount of space that must be reserved in the database can be calculated using the following formula:
(600 * C + 2.3 * E + 2.5 * A + 1.2 * N * F), KB
where:
- C is the number of devices.
- E is the number of events to store.
- A is the total number of Active Directory objects:
- Device accounts
- User accounts
- Accounts of security groups
- Active Directory organizational units
If scanning of Active Directory is disabled, A is considered to equal zero.
- N is the average number of inventoried executable files on an endpoint device.
- F is the number of endpoint devices, where executable files were inventoried.
If you plan to enable (in the Kaspersky Endpoint Security policy settings) notification of Administration Server on applications that you run, you will need additional (0.03 * C) gigabytes to store in the database the information about applications that you run.
If Administration Server distributes Windows updates (thus acting as the Windows Server Update Services server), the database will require an additional 2.5 GB.
During operation, a certain unallocated space is always present in the database. Therefore, the actual size of the database file (by default, the KAV.MDF file, if you use SQL Server as the DBMS) often turns out to be approximately twice as large as the amount of space occupied in the database.
It is not recommended to limit explicitly the size of the transaction log (by default, the file KAV_log.LDF, if you use SQL Server as the DBMS). It is recommended to leave the default value of th MAXSIZE parameter. However, if you have to limit the size of this file, take into consideration that the typical necessary value of the MAXSIZE parameter for KAV_log.LDF is 20480 MB.
Calculation of disk space (with and without the use of the Vulnerability and Patch Management feature)
Calculation of disk space without the use of the Vulnerability and Patch Management feature
The Administration Server disk space required for the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder can be estimated approximately using the formula:
(724 * C + 0.15 * E + 0.17 * A), KB
where:
- C is the number of devices.
- E is the number of events to store.
- A is the total number of Active Directory objects:
- Device accounts
- User accounts
- Accounts of security groups
- Active Directory organizational units
If scanning of Active Directory is disabled, A is considered to equal zero.
Calculation of additional disk space with the use of the Vulnerability and Patch Management feature
- Updates. The shared folder additionally requires at least 4 GB to store updates.
- Installation packages. If some installation packages are stored on the Administration Server, the shared folder will require an additional amount of free disk space equal to the total size of all of the available installation packages to be installed.
- Remote installation tasks. If remote installation tasks are present on the Administration Server, an additional amount of free disk space (in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder) equal to the total size of all installation packages to be installed will be required.
- Patches. If Administration Server is involved in installation of patches, an additional amount of disk space will be required:
- The patches folder should have the amount of disk space equal to the total size of all patches that have been downloaded. By default, patches are stored in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles folder.
You can use the klsrvswch utility to specify a different folder for storing patches. The klsrvswch utility is located in the folder where Administration Server is installed. The default installation path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
If Administration Server is used as the WSUS server, you are advised to allocate at least 100 GB to this folder.
- The %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must have an amount of disk space equal to the total size of those patches that are referenced by existing instances of update (patch) installation and vulnerability fix tasks.
- The patches folder should have the amount of disk space equal to the total size of all patches that have been downloaded. By default, patches are stored in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles folder.
Calculation of the number and configuration of Administration Servers
To reduce the load on the primary Administration Server, you can assign a separate Administration Server to each administration group. The number of secondary Administration Servers cannot exceed 500 for a single primary Administration Server.
We recommend that you create the configuration of Administration Servers in correspondence to the configuration of your organization's network.
Page topRecommendations for connecting dynamic virtual machines to Kaspersky Security Center
Dynamic virtual machines (also referred to as dynamic VMs) consume more resources than static virtual machines.
For more information on dynamic virtual machines, see Support of dynamic virtual machines.
When a new dynamic VM is connected, Kaspersky Security Center creates an icon for this dynamic VM in Administration Console and moves the dynamic VM to the administration group. After that, the dynamic VM is added to the Administration Server database. The Administration Server is fully synchronized with Network Agent installed on this dynamic VM.
In an organization's network, Network Agent creates the following network lists for each dynamic VM:
- Hardware
- Installed software
- Detected vulnerabilities
- Events and lists of executable files of the Application control component
The Network Agent transfers these network lists to the Administration Server. The size of the network lists depends on components installed on the dynamic VM, and may affect the performance of Kaspersky Security Center and database management system (DBMS). Note that the load can grow non-linearly.
After the user finishes working with the dynamic VM and turns it off, this machine is then removed from the virtual infrastructure and entries about this machine are removed from the Administration Server database.
All these actions consume a lot of Kaspersky Security Center and Administration Server database resources, and can reduce the performance of Kaspersky Security Center and DBMS. We recommend that you connect up to 20,000 dynamic VMs to Kaspersky Security Center.
You can connect more than 20,000 dynamic VMs to Kaspersky Security Center if the connected dynamic VMs perform standard operations (for example, database updates) and consume no more than 80 percent of memory and 75–80 percent of available cores.
Changing policy settings, software or operating system on the dynamic VM can reduce or increase resource consumption. The consumption of 80–95 percent of resources is considered optimal.
Page top