Contents
- Deployment of the Kaspersky Security Center failover cluster
- Scenario: Deployment of a Kaspersky Security Center failover cluster
- About the Kaspersky Security Center failover cluster
- Preparing a file server for a Kaspersky Security Center failover cluster
- Preparing nodes for a Kaspersky Security Center failover cluster
- Installing Kaspersky Security Center on the Kaspersky Security Center failover cluster nodes
- Starting and stopping cluster nodes manually
Deployment of the Kaspersky Security Center failover cluster
This section contains general information about the Kaspersky Security Center failover cluster and instructions for preparing and deploying it in your network.
Scenario: Deployment of a Kaspersky Security Center failover cluster
A Kaspersky Security Center failover cluster provides high availability of Kaspersky Security Center and minimizes downtime of Administration Server in case of a failure. The failover cluster is based on two identical instances of Kaspersky Security Center installed on two computers. One of the instances works as an active node and the other one is a passive node. The active node manages protection of the client devices, while the passive one is prepared to take all of the functions of the active node in case the active node fails. When a failure occurs, the passive node becomes active and the active node becomes passive.
Prerequisites
You have hardware that meets the requirements for the failover cluster.
Stages
Kaspersky applications deployment proceeds in stages:
- Creating an account for Kaspersky Security Center services
Create a new domain group (in this scenario, the name 'KLAdmins' is used for this group), and then grant the local administrator's permissions to the group on both nodes and on the file server. Then create two new domain user accounts (in this scenario, the names 'ksc' and 'rightless' are used for these accounts), and add the accounts to the KLAdmins domain group.
Add the user account, under which Kaspersky Security Center will be installed, to the previously created KLAdmins domain group.
- File server preparation
Prepare the file server to work as a component of the Kaspersky Security Center failover cluster. Make sure that the file server meets the hardware and software requirements, create two shared folders for Kaspersky Security Center data, and configure permissions to access the shared folders.
How-to instructions: Preparing a file server for the Kaspersky Security Center failover cluster
- Preparation of active and passive nodes
Prepare two devices with identical hardware and software to work as the active and passive nodes.
How-to instructions: Preparing nodes for the Kaspersky Security Center failover cluster
- Database Management System (DBMS) installation
Select any of the supported DBMS, and then install the DBMS on a dedicated device. For information about how to install the DBMS, refer to its documentation.
- Kaspersky Security Center installation
Install Kaspersky Security Center in the failover cluster mode on both nodes. You must first install Kaspersky Security Center on the active node, and then install it on the passive one.
Additionally, you can install Kaspersky Security Center Web Console on a separate device that is not a cluster node.
How-to instructions: Installing Kaspersky Security Center on the Kaspersky Security Center failover cluster nodes
- Testing the failover cluster
Check that you configured the failover cluster correctly and that it works properly. For example, you can stop one of the Kaspersky Security Center services on the active node: kladminserver, klnagent, ksnproxy, klactprx, or klwebsrv. After the service is stopped, the protection management must be automatically switched to the passive node.
Results
The Kaspersky Security Center failover cluster is deployed. Please familiarize yourself with the events that lead to the switch between the active and passive nodes.
About the Kaspersky Security Center failover cluster
A Kaspersky Security Center failover cluster provides high availability of Kaspersky Security Center and minimizes downtime of Administration Server in case of a failure. The failover cluster is based on two identical instances of Kaspersky Security Center installed on two computers. One of the instances works as an active node and the other one is a passive node. The active node manages protection of the client devices, while the passive one is prepared to take all of the functions of the active node in case the active node fails. When a failure occurs, the passive node becomes active and the active node becomes passive.
Hardware and software requirements
To deploy a Kaspersky Security Center failover cluster, you must have the following hardware:
- Two devices with identical hardware and software. These devices will act as the active and passive nodes.
- A file server that supports the CIFS/SMB protocol, version 2.0 or later. You must provide a dedicated device that will act as a file server.
Make sure you have provided high network bandwidth between the file server and the active and passive nodes.
- A device with Database Management System (DBMS).
Deployment schemes
You can choose one of the following schemes to deploy Kaspersky Security Center failover cluster:
- A scheme that uses a secondary network adapter.
- A scheme that uses a third-party load balancer.
A scheme that uses a secondary network adapter
Scheme legend:
Administration Server sends data to the database. Open the necessary ports on the device where the database is located, for example, port 3306 for MySQL Server, or port 1433 for Microsoft SQL Server. Please refer to the DBMS documentation for the relevant information.
On the managed devices, open the following ports: TCP 13000, UDP 13000, and TCP 17000.
A scheme that uses a third-party load balancer
Scheme legend:
On the load balancer device, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13299, and TCP 17000.
If you want to use the klakaut utility for automation, you must also open the TCP 13291 port.
On the managed devices, open the following ports: TCP 13000, UDP 13000, and TCP 17000.
Administration Server sends data to the database. Open the necessary ports on the device where the database is located, for example, port 3306 for MySQL Server, or port 1433 for Microsoft SQL Server. Please refer to the DBMS documentation for the relevant information.
Switch conditions
The failover cluster switches protection management of the client devices from the active node to the passive node if any of the following events occurs on the active node:
- The active node is broken due to a software or hardware failure.
- The active node was temporarily stopped for maintenance activities.
- At least one of the Kaspersky Security Center services (or processes) failed or was deliberately terminated by a user. The Kaspersky Security Center services are the following: kladminserver, klnagent, klactprx, and klwebsrv.
- The network connection between the active node and the storage on the file server was interrupted or terminated.
Preparing a file server for a Kaspersky Security Center failover cluster
A file server works as a required component of a Kaspersky Security Center failover cluster.
To prepare a file server:
- Make sure that the file server meets the hardware and software requirements.
- Make sure that the file server and both nodes (active and passive) are included in the same domain or the file server is the domain controller.
- On the file server, create two shared folders. One of them is used to keep information about the failover cluster state. The other one is used to store the data and settings of Kaspersky Security Center. You will specify paths to the shared folders while configuring the installation of Kaspersky Security Center.
- Grant full access permissions (both share permissions and NTFS permissions) to the created shared folders for the following user accounts and groups:
- Domain group KLAdmins.
- User accounts $<node1> and $<node2>. Here, <node1> and <node2> are the device names of the active and passive nodes.
The file server is prepared. To deploy the Kaspersky Security Center failover cluster, follow the further instructions in this scenario.
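The share and NTFS permissions from the steps above, as an added PowerShell example (not taken from the Kaspersky documentation). The domain EXAMPLE, the node names KSC-NODE1 and KSC-NODE2, the folder paths and the share names are constructed; the node accounts are assumed to be the nodes' domain computer accounts, written in the NAME$ form.

```powershell
# Added example, not vendor code. Run in an elevated session on the file server.
# All names below are constructed placeholders; replace them with your own.
$principals = @(
    'EXAMPLE\KLAdmins',      # domain group from the scenario
    'EXAMPLE\KSC-NODE1$',    # computer account of the active node (assumed form)
    'EXAMPLE\KSC-NODE2$'     # computer account of the passive node (assumed form)
)
$shares = [ordered]@{
    KSCState = 'D:\KSC\State'   # failover cluster state
    KSCData  = 'D:\KSC\Data'    # Kaspersky Security Center data and settings
}

foreach ($name in $shares.Keys) {
    $path = $shares[$name]
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # NTFS permissions: full control on the folder, its subfolders and files.
    $acl = Get-Acl -Path $path
    foreach ($p in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl

    # Share permissions: grant full access to the listed principals only.
    New-SmbShare -Name $name -Path $path -FullAccess $principals | Out-Null
}

# Review step: any share entry outside $principals is unexpected for this cluster.
Get-SmbShareAccess -Name @($shares.Keys) |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize

# NTFS entries, including inherited ones, for comparison with the share entries.
foreach ($path in $shares.Values) {
    (Get-Acl -Path $path).Access |
        Format-Table @{n='Path';e={$path}}, IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```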
Preparing nodes for a Kaspersky Security Center failover cluster
Prepare two devices to work as active and passive nodes for a Kaspersky Security Center failover cluster.
To prepare nodes for a Kaspersky Security Center failover cluster:
- Make sure that you have two devices that meet the hardware and software requirements. These devices will act as the active and passive nodes of the failover cluster.
- Make sure that the file server and both nodes are included in the same domain.
- Do one of the following:
- On each of the nodes, configure a secondary network adapter.
A secondary network adapter can be physical or virtual. If you want to use a physical network adapter, connect and configure it with standard operating system tools. If you want to use a virtual network adapter, create it by using third-party software.
Ensure that the following conditions are met:
- The secondary network adapters are disabled.
You can create the secondary network adapters in the disabled state or disable them after creation.
- The secondary network adapters on both nodes have the same IP address.
- Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following:
- Provide a dedicated Linux-based device with nginx installed.
- Configure load balancing. Set the active node as the main server and the passive node as the backup server.
- On the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13299, and TCP 17000.
If you want to use the klakaut utility for automation, you must also open the TCP 13291 port.
- Restart both nodes and the file server.
- Map the two shared folders that you created during the file server preparation step to each of the nodes. You must map the shared folders as network drives. When mapping the folders, you can select any vacant drive letters. To access the shared folders, use the credentials of the user account that you created during step 1 of the scenario.
The nodes are prepared. To deploy the Kaspersky Security Center failover cluster, follow the further instructions of the scenario.
Installing Kaspersky Security Center on the Kaspersky Security Center failover cluster nodes
Kaspersky Security Center is installed on both nodes of the Kaspersky Security Center failover cluster separately. First, you install the application on the active node, then on the passive one. When installing, you choose which node will be active and which will be passive.
Only a user from the KLAdmins domain group can install Kaspersky Security Center on every node.
To install Kaspersky Security Center on the active node of the Kaspersky Security Center failover cluster:
- Run the ksc_14_<build number>_full_<language>.exe executable file.
A window opens and prompts you to select the Kaspersky applications to install. In the application selection window, click the Install Kaspersky Security Center 14 Administration Server link to start the Administration Server Setup Wizard. Follow the instructions of the Wizard.
- Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and accept the following section:
- The terms and conditions of this EULA
- Privacy Policy describing the handling of data
Installation of the application on your device will continue after you select both check boxes.
If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.
- Select Primary node of Kaspersky Failover cluster to install the application on the active node.
- In the Shared folder window, do the following:
- In the State share and Data share fields, specify the paths to the shared folders that you created on the file server during its preparation.
- In the State share drive and Data share drive fields, select the network drives to which you mapped the shared folders during preparation of the nodes.
- Select the cluster connectivity mode: via a secondary network adapter or a third-party load balancer.
- Perform other steps of custom installation, starting with step 3.
In step 13, specify the IP address of a secondary network adapter if you have created an adapter when preparing the cluster nodes. Otherwise, enter the IP address of the third-party load balancer that you use.
Kaspersky Security Center is installed on the active node.
To install Kaspersky Security Center on the passive node of the Kaspersky Security Center failover cluster:
- Run the ksc_14_<build number>_full_<language>.exe executable file.
A window opens and prompts you to select the Kaspersky applications to install. In the application selection window, click the Install Kaspersky Security Center 14 Administration Server link to start the Administration Server Setup Wizard. Follow the instructions of the Wizard.
- Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and accept the following section:
- The terms and conditions of this EULA
- Privacy Policy describing the handling of data
Installation of the application on your device will continue after you select both check boxes.
If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.
- Select Secondary node of Kaspersky Failover cluster to install the application on the passive node.
- In the Shared folder window, in the State share field, specify a path to the shared folder with information about the cluster state that you created on the file server during its preparation.
- Click the Install button. When installation is over, click the Finish button.
Kaspersky Security Center is installed on the passive node. Now, you can test the Kaspersky Security Center failover cluster to make sure that you configured it correctly and that the cluster works properly.
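One way to observe the switch during this test, as an added PowerShell example (not vendor code): it polls TCP 13000 on the cluster address and prints the state of the Kaspersky Security Center services on both nodes whenever reachability changes. The address 192.0.2.50, the node names and working PowerShell remoting to both nodes are assumptions.

```powershell
# Added example, not vendor code. It only observes; it does not stop or start anything.
# Constructed values: cluster address (the IP entered in the Setup Wizard) and node names.
$clusterAddress = '192.0.2.50'
$nodes    = 'KSC-NODE1', 'KSC-NODE2'
# Service names listed in the "Testing the failover cluster" stage.
$services = 'kladminserver', 'klnagent', 'ksnproxy', 'klactprx', 'klwebsrv'
$deadline = (Get-Date).AddMinutes(10)
$last     = $null

function Test-TcpPort([string]$Address, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($Address, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    }
    catch   { return $false }      # refused or unreachable
    finally { $client.Dispose() }
}

while ((Get-Date) -lt $deadline) {
    $up = Test-TcpPort -Address $clusterAddress -Port 13000
    if ($up -ne $last) {
        # Log state changes only, with the service status on each node at that moment.
        $state = if ($up) { 'reachable' } else { 'UNREACHABLE' }
        '{0:u}  TCP 13000 on {1}: {2}' -f (Get-Date), $clusterAddress, $state
        Invoke-Command -ComputerName $nodes -ScriptBlock {
            Get-Service -Name $using:services -ErrorAction SilentlyContinue
        } | Sort-Object PSComputerName, Name |
            Format-Table PSComputerName, Name, Status -AutoSize
        $last = $up
    }
    Start-Sleep -Seconds 2
}
```

Start it from a third device before stopping a service on the active node; the timestamps of the UNREACHABLE and reachable lines bound the interruption seen by clients.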
Starting and stopping cluster nodes manually
You may need to stop the entire Kaspersky Security Center failover cluster or temporarily detach one of the nodes of the cluster for maintenance. If this is the case, follow the instructions in this section. Do not try to start or stop the services or processes related to the failover cluster by using any other means. This may cause data loss.
Starting and stopping the entire failover cluster for maintenance
To start or stop the entire failover cluster:
- On the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
- Open the command line, and then run one of the following commands:
- To stop the cluster, run:
klfoc -stopcluster --stp klfoc
- To start the cluster, run:
klfoc -startcluster --stp klfoc
The failover cluster is started or stopped, depending on the command that you run.
Maintaining one of the nodes
To maintain one of the nodes:
- On the active node, stop the failover cluster by using the klfoc -stopcluster --stp klfoc command.
- On the node that you want to maintain, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
- Open the command line, and then detach the node from the cluster by running the detach_node.cmd command.
- On the active node, start the failover cluster by using the klfoc -startcluster --stp klfoc command.
- Perform maintenance activities.
- On the active node, stop the failover cluster by using the klfoc -stopcluster --stp klfoc command.
- On the node that was maintained, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
- Open the command line, and then attach the node to the cluster by running the attach_node.cmd command.
- On the active node, start the failover cluster by using the klfoc -startcluster --stp klfoc command.
The node is maintained and attached to the failover cluster.