Kaspersky Security Center 14 Windows

Scenario: Connecting out-of-office devices through a connection gateway

This scenario describes how to connect managed devices that are located outside of the main network to Administration Server.

Prerequisites

The scenario has the following prerequisites:

  • A demilitarized zone (DMZ) is organized in your organization's network.
  • Kaspersky Security Center Administration Server is deployed on the corporate network.

Stages

This scenario proceeds in stages:

  1. Selecting a client device in the DMZ

    This device will be used as a connection gateway. The device that you select must meet the requirements for connection gateways.

  2. Installing Network Agent in the connection gateway role

    We recommend that you use a local installation to install Network Agent on the selected device.

    By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

    In the Connection gateway window of the Network Agent Setup Wizard, select Use Network Agent as a connection gateway in DMZ. This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.

    Alternatively, you can install Network Agent on a Linux device and configure Network Agent to work as a connection gateway, but pay attention to the list of limitations of Network Agent running on Linux devices.

  3. Allowing connections in firewalls on the connection gateway

    To make sure that Administration Server can actually connect to the connection gateway in the DMZ, allow connections to TCP port 13000 in all firewalls between Administration Server and the connection gateway.

    If the connection gateway has no real IP address on the internet, but instead is located behind Network Address Translation (NAT), configure a rule to forward connections through NAT.

  4. Creating an administration group for external devices

    Create a new group under the Managed devices group. This new group will contain external managed devices.

  5. Connecting the connection gateway to Administration Server

    The connection gateway that you have configured is waiting for a connection from Administration Server. However, Administration Server does not list the device with the connection gateway among managed devices. This is because the connection gateway has not tried to establish a connection to Administration Server. Therefore, you need a special procedure to ensure that Administration Server initiates a connection to the connection gateway.

    Do the following:

    1. Add the connection gateway as a distribution point.
    2. Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.

    The connection gateway is connected and configured.

  6. Connecting external desktop computers to Administration Server

    Usually, external desktop computers are not moved inside the perimeter. Therefore, you need to configure them to connect to Administration Server through the gateway when installing Network Agent.

  7. Setting up updates for external desktop computers

    If updates of security applications are configured to be downloaded from Administration Server, external computers download updates through the connection gateway. This has two disadvantages:

    • This is unnecessary traffic, which takes up bandwidth of the company's internet communication channel.
    • This is not necessarily the quickest way to get updates. It is very likely that it would be cheaper and faster for external computers to receive updates from Kaspersky update servers.

    Do the following:

    1. Move all external computers to the separate administration group that you created earlier.
    2. Exclude the group with external devices from the update task.
    3. Create a separate update task for the group with external devices.

  8. Connecting traveling laptops to Administration Server

    Traveling laptops are within the network sometimes and outside the network at other times. For effective management, you need them to connect to Administration Server differently depending on their location. For efficient use of traffic, they also need to receive updates from different sources, depending on their location.

    You need to configure rules for out-of-office users: connection profiles and network location descriptions. Each rule defines the Administration Server instance to which traveling laptops must connect, depending on their location and the Administration Server instance from which they must receive updates.

See also:

Internet access: Network Agent as connection gateway in DMZ


Scenario: Connecting out-of-office devices through a secondary Administration Server in DMZ

If you want to connect managed devices that are located outside of the main network to Administration Server, you can do it by using a secondary Administration Server located in the demilitarized zone (DMZ).

Prerequisites

Before you start, make sure that you have done the following:

  • A DMZ is organized in your organization's network.
  • Kaspersky Security Center Administration Server is deployed on the internal network of the organization.

Stages

This scenario proceeds in stages:

  1. Selecting a client device in the DMZ

    In the DMZ, select a client device that will be used as a secondary Administration Server.

  2. Installing Kaspersky Security Center Administration Server

    Install Kaspersky Security Center Administration Server on this client device.

  3. Creating a hierarchy of Administration Servers

    If you place a secondary Administration Server in the DMZ, the secondary Administration Server must receive a connection from the primary Administration Server. To do this, add a new Administration Server as secondary so that the primary Administration Server connects to the secondary Administration Server through port 13000. When combining two Administration Servers into a hierarchy, make sure that port 13299 is accessible on both Administration Servers. Kaspersky Security Center Web Console connects to an Administration Server through port 13299.

  4. Connecting out-of-office managed devices to the secondary Administration Server

    You can connect out-of-office devices to the Administration Server in the DMZ in the same way that the connection is established between Administration Server and managed devices that are located in the main network. Out-of-office managed devices initiate the connection through port 13000.

See also:

Using Application Control to manage executable files


About connecting out-of-office devices

Some managed devices are always located outside of the main network (for example, devices in a company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; devices in the home offices of employees). Some devices travel outside the perimeter from time to time (for example, laptops of users who visit regional branches or a customer's office).

You still need to monitor and manage the protection of out-of-office devices—receive current information about their protection status and keep the security applications on them up to date. This is necessary because, for example, a device that is compromised while away from the main network could become a platform for propagating threats as soon as it reconnects to the main network. To connect out-of-office devices to Administration Server, you can use two methods:

A connection gateway in the DMZ

A recommended method for connecting out-of-office devices to Administration Server is organizing a DMZ in the organization's network and installing a connection gateway in the DMZ. External devices will connect to the connection gateway, and Administration Server inside the network will initiate a connection to the devices via the connection gateway.

As compared to the other method, this one is more secure:

  • You do not need to open access to Administration Server from outside the network.
  • A compromised connection gateway does not pose a high risk to the safety of the network devices. A connection gateway does not actually manage anything itself and does not establish any connections.

Also, a connection gateway does not require many hardware resources.

However, this method has a more complicated configuration process:

  • To make a device act as a connection gateway in the DMZ, you need to install Network Agent on it and connect it to Administration Server in a specific way.
  • You will not be able to use the same address for connecting to Administration Server for all situations. From outside the perimeter, you will need to use not just a different address (connection gateway address), but also a different connection mode: through a connection gateway.
  • You also need to define different connection settings for laptops in different locations.

To add a connection gateway to a previously configured network:

  1. Install the Network Agent in the connection gateway mode.
  2. Reinstall the Network Agent on devices that you want to connect to the newly added connection gateway.

Administration Server in the DMZ

Another method is installing a single Administration Server in the DMZ.

This configuration is less secure than the other method. To manage external laptops in this case, Administration Server must accept connections from any address on the internet. It will still manage all devices in the internal network, but from the DMZ. Therefore, a compromised Server could cause an enormous amount of damage, despite the low likelihood of such an event.

The risk gets significantly lower if Administration Server in the DMZ does not manage devices in the internal network. Such a configuration can be used, for example, by a service provider to manage the devices of customers.

You might want to use this method in the following cases:

  • If you are familiar with installing and configuring Administration Server, and do not want to perform another procedure to install and configure a connection gateway.
  • If you need to manage more devices. The maximum capacity of Administration Server is 100,000 devices, while a connection gateway can support up to 10,000 devices.

This solution also has possible difficulties:

  • Administration Server requires more hardware resources and one more database.
  • Information about devices will be stored in two unrelated databases (for Administration Server inside the network and another one in the DMZ), which complicates monitoring.
  • To manage all devices, Administration Server needs to be joined into a hierarchy, which complicates not only monitoring but also management. A secondary Administration Server instance imposes limitations on the possible structures of administration groups. You have to decide how and which tasks and policies to distribute to a secondary Administration Server instance.
  • Configuring external devices to use Administration Server in the DMZ from the outside and the primary Administration Server from the inside is no simpler than configuring them to use a conditional connection through a gateway.
  • High security risks. A compromised Administration Server instance makes it easier to compromise its managed laptops. If this happens, the hackers just need to wait for one of the laptops to return to the corporate network so that they can continue their attack on the local area network.

See also:

Administration Server and two devices in DMZ: a connection gateway and a client device

Internet access: Network Agent as connection gateway in DMZ

Administration Server in DMZ, managed devices on internet

Internet access: Administration Server in DMZ

Connection gateway


Connecting external desktop devices to Administration Server

Desktop devices that are always outside of the main network (for example, devices in the company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; devices in the home offices of employees) cannot be connected to Administration Server directly. They must be connected to Administration Server via a connection gateway that is installed in the demilitarized zone (DMZ). This configuration is made when installing Network Agent on those devices.

To connect external desktop devices to Administration Server:

  1. Create a new installation package for Network Agent.
  2. Open the properties of the created installation package, go to Settings → Advanced, and then select the Connect to Administration Server by using a connection gateway option.

    The Connect to Administration Server by using a connection gateway setting is incompatible with the Use Network Agent as a connection gateway in DMZ setting. You cannot enable both of these settings at the same time.

  3. In the Connection gateway address field, specify the public address of the connection gateway.

    If the connection gateway is located behind Network Address Translation (NAT) and does not have its own public address, configure a NAT gateway rule for forwarding connections from the public address to the internal address of the connection gateway.

  4. Create a stand-alone installation package based on the created installation package.
  5. Deliver the stand-alone installation package to the target devices, either electronically or on a removable drive.
  6. Install Network Agent from the stand-alone package.

External desktop devices are connected to Administration Server.


About connection profiles for out-of-office users

Out-of-office users of laptops (hereinafter also referred to as "devices") may need to change the method of connecting to an Administration Server or switch between Administration Servers depending on the current location of the device on the enterprise network.

Connection profiles are supported only for devices running Windows and macOS.

Using different addresses of a single Administration Server

Devices with Network Agent installed can connect to the Administration Server either from the organization's intranet or from the internet. This situation may require Network Agent to use different addresses for connection to Administration Server: the external Administration Server address for the internet connection and the internal Administration Server address for the internal network connection.

To do this, add a profile for connection to Administration Server from the internet in the Network Agent policy properties (in the Application settings → Network → Connection profiles → Administration Server connection profiles section). In the profile creation window, disable the Use to receive updates only option and make sure that the Synchronize connection settings with the Administration Server settings specified in this profile option is selected. If you use a connection gateway to access Administration Server (for example, in a Kaspersky Security Center configuration such as the one described in Internet access: Network Agent as connection gateway in DMZ), you must specify the address of the connection gateway in the corresponding field of the connection profile.

Switching between Administration Servers depending on the current network

If the organization has multiple offices with different Administration Servers and some of the devices with Network Agent installed move between them, you need Network Agent to connect to the Administration Server of the local network in the office where the device is currently located.

In this case, create a profile for connection to Administration Server in the Network Agent policy properties for each of the offices, except for the home office where the original home Administration Server is located. Specify the addresses of Administration Servers in connection profiles and enable or disable the Use to receive updates only option:

  • Select the option if you need Network Agent to be synchronized with the home Administration Server, while using the local Server for downloading updates only.
  • Disable this option if it is necessary for Network Agent to be managed completely by the local Administration Server.

After that, you must set up the conditions for switching to the newly created profiles: at least one condition for each of the offices, except for the home office. Each condition detects attributes that are specific to an office's network environment. If a condition is true, the corresponding profile is activated. If none of the conditions is true, Network Agent switches to the home Administration Server.

See also:

Providing internet access to Administration Server

Internet access: Network Agent as connection gateway in DMZ

Creating a connection profile for out-of-office users


Creating a connection profile for out-of-office users


An Administration Server connection profile is available only on devices running Windows and macOS.

To create a profile for connecting Network Agent to Administration Server for out-of-office users:

  1. If you want to create a connection profile for a group of managed devices, open the Network Agent policy of this group. To do this, do the following:
    1. In the main menu, go to DEVICES → POLICIES & PROFILES.
    2. Click the current path link.
    3. In the window that opens, select a required administration group.

      After that, the current path is changed.

    4. Add the Network Agent policy for the group of managed devices. If you have already created it, click the Network Agent policy name to open the policy properties.
  2. If you want to create a connection profile for a specific managed device, do the following:
    1. In the main menu, go to DEVICES → MANAGED DEVICES.
    2. Click the name of the managed device.
    3. In the managed device properties window that opens, go to the Applications tab.
    4. Click the name of the Network Agent policy to which only the selected managed device applies.
  3. In the properties window that opens, go to Application settings → Network → Connection profiles.
  4. In the Administration Server connection profiles section, click the Add button.

    By default, the list of connection profiles contains the <Offline mode> and <Home Administration Server> profiles. Profiles cannot be edited or removed.

    The <Offline mode> profile does not specify any Server for connection. Therefore, Network Agent, when switched to that profile, does not attempt to connect to any Administration Server while applications installed on client devices run under out-of-office policies. The <Offline mode> profile can be used if devices are disconnected from the network.

    The <Home Administration Server> profile specifies the connection for the Administration Server that was selected during Network Agent installation. The <Home Administration Server> profile is applied when a device is reconnected to the home Administration Server after it was running on an external network for some time.

  5. In the Configure profile window that opens, configure the connection profile:
    • Profile name

      In the entry field you can view or change the connection profile name.

    • Administration Server address

      Address of the Administration Server to which the client device must connect during profile activation.

    • Port number

      Port number that is used for connection.

    • SSL port

      Port number for connection if using the SSL protocol.

    • Use SSL connection

      If this option is enabled, the connection is established through a secure port, by using SSL protocol.

      By default, this option is enabled. We recommend that you do not disable this option so your connection remains secured.

    • Select the Use proxy server option if you want to use a proxy server when connecting to the internet. If this option is selected, fields are available for entering settings. Specify the following settings for a proxy server connection:
      • Address

        Address of the proxy server used for Kaspersky Security Center connection to the internet.

      • Port number

        Number of the port through which Kaspersky Security Center proxy connection will be established.

      • Proxy server authentication

        If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.

      • User name

        User account under which connection to the proxy server is established (this field is available if the Proxy server authentication check box is selected).

      • Password

        Password set by the user under whose account the proxy server connection is established (this field is available if the Proxy server authentication check box is selected).

        To see the entered password, click and hold the Show button for as long as you require.

    • Connection gateway address

      Address of the gateway through which client devices connect to the Administration Server.

    • Enable out-of-office mode when Administration Server is not available

      Select this check box to allow the applications installed on a client device to use policy profiles for devices in out-of-office mode, as well as out-of-office policies, at any connection attempt if the Administration Server is not available. If no out-of-office policy has been defined for the application, the active policy will be used.

      If this option is disabled, applications will use active policies.

      By default, this check box is cleared.

    • Use to receive updates only

      If this option is enabled, the profile will only be used for downloading updates by applications installed on the client device. For other operations, connection to the Administration Server will be established with the initial connection settings defined during Network Agent installation.

      By default, this option is enabled.

    • Synchronize connection settings with the Administration Server settings specified in this profile

      If this option is enabled, Network Agent connects to Administration Server using the settings specified in the profile properties.

      If this option is disabled, Network Agent connects to Administration Server using the original settings that have been specified during installation.

      This option is available if the Use to receive updates only option is disabled.

      By default, this option is disabled.

A profile for connecting Network Agent to Administration Server is created for out-of-office users. When Network Agent connects to Administration Server by using this profile, applications installed on the client device will use policies for devices in out-of-office mode or out-of-office policies.

See also:

About connection profiles for out-of-office users


About switching Network Agent to other Administration Servers

Kaspersky Security Center provides the option of switching Network Agent on a client device to other Administration Servers if the following settings of the network have been changed:

  • Condition for DHCP server address—The IP address of the network Dynamic Host Configuration Protocol (DHCP) server has changed.
  • Condition for default connection gateway address—The address of the main network gateway has changed.
  • Condition for DNS domain—The DNS suffix of the subnet has changed.
  • Condition for DNS server address—The IP address of the network DNS server has changed.
  • Condition for WINS server address—The IP address of the network WINS server has changed. This setting is available only for devices running Windows.
  • Condition for name resolvability—The DNS or NetBIOS name of the client device has changed.
  • Condition for subnet—The subnet address and mask have changed.
  • Condition for Windows domain accessibility—The status of the Windows domain to which the client device is connected has changed. This setting is available only for devices running Windows.
  • Condition for SSL connection address accessibility—The client device can or cannot (depending on the option that you select) establish an SSL connection with a specified Server (name:port). For each server, you can additionally specify an SSL certificate. In this case, the Network Agent verifies the Server certificate in addition to checking the capability of an SSL connection. If the certificate does not match, the connection fails.

This feature is supported only for Network Agents installed on devices running Windows or macOS.
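The last condition in the list above (and the same condition in step 6 of the switching-rule procedure) is the only one that involves a cryptographic check: Network Agent connects to name:port and, when a certificate is configured, accepts the Server only if the presented certificate matches. The following is an added example, not Kaspersky's code, that models that check in Python; the pinning-by-SHA-256-fingerprint approach, the helper names and the sample certificate bytes are assumptions of this model.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional

# Constructed stand-in for a DER-encoded Server certificate, present only so
# the fingerprint helpers can be exercised offline; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate: lower-case hex, no separators."""
    return hashlib.sha256(der).hexdigest()

def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare a certificate with the fingerprint recorded for the Server.
    Accepts the colon-separated upper-case form shown by certificate viewers as
    well as bare hex, and compares in constant time."""
    wanted = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(sha256_fingerprint(der), wanted)

SAMPLE_FPR = sha256_fingerprint(SAMPLE_DER)

def ssl_address_accessible(name_port: str, expected_fpr: Optional[str] = None,
                           timeout: float = 3.0) -> bool:
    """Model of the "SSL connection address accessibility" check: True when a
    TLS handshake with name:port succeeds and, if a fingerprint is given, the
    presented certificate matches it. CA validation is off because the check
    pins one specific Server certificate rather than trusting a CA."""
    host, _, port = name_port.rpartition(":")
    host = host.strip("[]")  # allow [ipv6]:port
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, int(port)), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ValueError):
        return False  # unreachable, handshake failed, or malformed name:port
    if not der:
        return False  # peer presented no certificate
    if expected_fpr is None:
        return True  # "can connect" without a pinned certificate
    return fingerprint_matches(der, expected_fpr)
```

A rule that uses the "cannot connect" variant of the condition is simply `not ssl_address_accessible(...)`.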

The initial settings of the Network Agent connection to Administration Server are defined when installing the Network Agent. Afterwards, if rules for switching the Network Agent to other Administration Servers have been created, the Network Agent responds to changes in the network settings as follows:

  • If the network settings comply with one of the rules created, Network Agent connects to the Administration Server specified in this rule. Applications installed on client devices switch to out-of-office policies, provided such behavior is enabled by a rule.
  • If none of the rules apply, Network Agent reverts to the default settings of connection to the Administration Server specified during the installation. Applications installed on client devices switch back to active policies.
  • If the Administration Server is not accessible, Network Agent uses out-of-office policies.

Network Agent switches to the out-of-office policy only if the Enable out-of-office mode when Administration Server is not available option is enabled in the Network Agent policy settings.

The settings of Network Agent connection to Administration Server are saved in a connection profile. In the connection profile, you can create rules for switching client devices to out-of-office policies, and you can configure the profile so that it could only be used for downloading updates.

See also:

Creating a Network Agent switching rule by network location


Creating a Network Agent switching rule by network location


Network Agent switching by network location is available only on devices running Windows and macOS.

To create a rule for Network Agent switching from one Administration Server to another if network settings change:

  1. If you want to create a rule for a group of managed devices, open the Network Agent policy of this group. To do this, do the following:
    1. In the main menu, go to DEVICES → POLICIES & PROFILES.
    2. Click the current path link.
    3. In the window that opens, select a required administration group.

      After that, the current path is changed.

    4. Add the Network Agent policy for the group of managed devices. If you have already created it, click the Network Agent policy name to open the policy properties.
  2. If you want to create a rule for a specific managed device, do the following:
    1. In the main menu, go to DEVICES → MANAGED DEVICES.
    2. Click the name of the managed device.
    3. In the managed device properties window that opens, go to the Applications tab.
    4. Click the name of the Network Agent policy to which only the selected managed device applies.
  3. In the properties window that opens, go to Application settings → Network → Connection profiles.
  4. In the Network location settings section, click the Add button.
  5. In the properties window that opens, configure the network location description and switching rule. Specify the following network location description settings:
    • Description

      The name of a network location description cannot be longer than 255 characters nor contain special symbols, such as ("*<>?\/:|).

    • Use connection profile

      In the drop-down list you can specify the connection profile that Network Agent uses to connect to the Administration Server. This profile will be used when the network location description conditions are met. The connection profile contains the settings for Network Agent connection to the Administration Server; it also defines when client devices must switch to out-of-office policies. The profile is used only for downloading updates.

    • Description enabled

      Select this check box to enable the use of the new network location description.

  6. Select conditions for the Network Agent switching rule:
    • Condition for DHCP server address—The IP address of the network Dynamic Host Configuration Protocol (DHCP) server has changed.
    • Condition for default connection gateway address—The address of the main network gateway has changed.
    • Condition for DNS domain—The DNS suffix of the subnet has changed.
    • Condition for DNS server address—The IP address of the network DNS server has changed.
    • Condition for WINS server address—The IP address of the network WINS server has changed. This setting is available only for devices running Windows.
    • Condition for name resolvability—The DNS or NetBIOS name of the client device has changed.
    • Condition for subnet—The subnet address and mask have changed.
    • Condition for Windows domain accessibility—The status of the Windows domain to which the client device is connected has changed. This setting is available only for devices running Windows.
    • Condition for SSL connection address accessibility—The client device can or cannot (depending on the option that you select) establish an SSL connection with a specified Server (name:port). For each server, you can additionally specify an SSL certificate. In this case, the Network Agent verifies the Server certificate in addition to checking the capability of an SSL connection. If the certificate does not match, the connection fails.

    The conditions in a rule are combined by using the logical AND operator. To trigger a switching rule by the network location description, all of the rule switching conditions must be met.

  7. In the condition section, specify when Network Agent should be switched to another Administration Server. For this purpose, click the Add button, and then set the condition value.

    Also, the Matches at least one value from the list option is enabled by default. You can disable this option if you want the condition to be met with all specified values.

  8. Save your changes.

A new switching rule by the network location description is created; any time its conditions are met, the Network Agent uses the connection profile specified in the rule to connect to the Administration Server.
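To make the evaluation order concrete (AND between the conditions of one description in step 6, "Matches at least one value from the list" inside a condition in step 7, fallback to the home Administration Server and the out-of-office policy rule from About switching Network Agent to other Administration Servers), here is an added Python model of that logic. It is not Kaspersky's code; the setting keys, the first-match ordering of descriptions, and every address, domain and profile name in it are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Network settings observed on the device, keyed by condition type; a list per
# key because some settings (DNS servers, say) carry several values.
NetworkState = Dict[str, List[str]]

@dataclass
class Condition:
    """One condition of a network location description. match_any models
    "Matches at least one value from the list" (on by default); negate models
    the "can or cannot" choice of the SSL connection address condition."""
    setting: str
    values: List[str]
    match_any: bool = True
    negate: bool = False

    def holds(self, state: NetworkState) -> bool:
        observed = set(state.get(self.setting, []))
        if self.match_any:
            present = any(v in observed for v in self.values)
        else:  # option cleared: every listed value must be present
            present = all(v in observed for v in self.values)
        return present != self.negate

@dataclass
class NetworkLocation:
    """A network location description bound to a connection profile."""
    description: str
    profile: str
    conditions: List[Condition]
    enabled: bool = True

    def matches(self, state: NetworkState) -> bool:
        # Conditions inside one description are combined with logical AND.
        return self.enabled and all(c.holds(state) for c in self.conditions)

@dataclass
class ConnectionProfile:
    name: str
    server_address: str
    gateway_address: Optional[str] = None  # set when connecting via the DMZ gateway
    use_for_updates_only: bool = True
    out_of_office_when_unavailable: bool = False

    def target(self) -> str:
        return self.gateway_address or self.server_address

HOME = "<Home Administration Server>"

def select_profile(locations: List[NetworkLocation], state: NetworkState) -> str:
    """First enabled description whose conditions all hold wins (list order is an
    assumption of this model); if none holds, the home Server is used."""
    for loc in locations:
        if loc.matches(state):
            return loc.profile
    return HOME

def resolve(profiles: Dict[str, ConnectionProfile], locations: List[NetworkLocation],
            state: NetworkState, reachable: Dict[str, bool]) -> Dict[str, str]:
    """Where management and update traffic go and which policy set applies;
    `reachable` stands in for the real connectivity check, keyed by target."""
    chosen = profiles[select_profile(locations, state)]
    # "Use to receive updates only" keeps management on the home Server.
    manager = profiles[HOME] if chosen.use_for_updates_only else chosen
    if reachable.get(manager.target(), False):
        policy = "active"
    elif manager.out_of_office_when_unavailable:
        policy = "out-of-office"
    else:
        policy = "active"  # check box cleared: applications keep active policies
    return {"profile": chosen.name, "manage_via": manager.target(),
            "updates_via": chosen.target(), "policy": policy}

# Constructed sample: home office, a branch with its own Server, DMZ gateway.
PROFILES = {
    HOME: ConnectionProfile(HOME, "ksc.corp.example", use_for_updates_only=False,
                            out_of_office_when_unavailable=True),
    "Branch": ConnectionProfile("Branch", "ksc-branch.corp.example"),
    "Internet": ConnectionProfile("Internet", "ksc.corp.example", "gw.example.com",
                                  use_for_updates_only=False,
                                  out_of_office_when_unavailable=True),
}
LOCATIONS = [
    NetworkLocation("Regional branch", "Branch", [
        Condition("dns_domain", ["branch.corp.example"]),
        Condition("default_gateway", ["10.20.0.1"])]),
    NetworkLocation("Outside the perimeter", "Internet", [
        Condition("ssl_reachable", ["ksc.corp.example:13000"], negate=True)]),
]
IN_OFFICE = {"dns_domain": ["corp.example"], "ssl_reachable": ["ksc.corp.example:13000"]}
BRANCH = {"dns_domain": ["branch.corp.example"], "default_gateway": ["10.20.0.1"]}
HOTEL = {"dns_domain": ["hotel-wifi.example"]}
REACHABLE = {"ksc.corp.example": True, "ksc-branch.corp.example": True, "gw.example.com": True}
```

Calling `resolve(PROFILES, LOCATIONS, HOTEL, {})` shows the unavailable-Server path: the Internet profile is selected, but with the gateway unreachable the device falls to out-of-office policies.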

See also:

About switching Network Agent to other Administration Servers
