Kaspersky Security Center 14 Windows

Adjustment of distribution points and connection gateways

A structure of administration groups in Kaspersky Security Center performs the following functions:

  • Sets the scope of policies

    There is an alternate way of applying relevant settings on devices, by using policy profiles. In this case, you set the scope of policies with tags, device locations in Active Directory organizational units, or membership in Active Directory security groups.

  • Sets the scope of group tasks

    There is an approach to defining the scope of group tasks that is not based on a hierarchy of administration groups: use of tasks for device selections and tasks for specific devices.

  • Sets access rights to devices, virtual Administration Servers, and secondary Administration Servers
  • Assigns distribution points

When building the structure of administration groups, you must take into account the topology of the organization's network for the optimum assignment of distribution points. The optimum distribution of distribution points allows you to save traffic on the organization's network.

Depending on the organizational schema and network topology, the following standard configurations can be applied to the structure of administration groups:

  • Single office
  • Multiple small remote offices

Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.

In this section

Standard configuration of distribution points: Single office

Standard configuration of distribution points: Multiple small remote offices

About assigning distribution points

Assigning distribution points automatically

Assigning distribution points manually

Modifying the list of distribution points for an administration group

Forced synchronization

Enabling a push server

See also:

Scenario: Regular updating Kaspersky databases and applications

Main installation scenario

[Topic 92429_1]

Standard configuration of distribution points: Single office

In a standard "single-office" configuration, all devices are on the organization's network so they can "see" each other. The organization's network may consist of a few separate parts (networks or network segments) linked by narrow channels.

The following methods of building the structure of administration groups are possible:

  • Building the structure of administration groups taking into account the network topology. The structure of administration groups may not reflect the network topology with absolute precision. A match between the separate parts of the network and certain administration groups would be enough. You can use automatic assignment of distribution points or assign them manually.
  • Building the structure of administration groups, without taking the network topology into account. In this case, you must disable automatic assignment of distribution points, and then assign one or several devices to act as distribution points for a root administration group in each of the separate parts of the network, for example, for the Managed devices group. All distribution points will be at the same level and will feature the same scope spanning all devices on the organization's network. In this case, each Network Agent will connect to the distribution point that has the shortest route. The route to a distribution point can be traced with the tracert utility.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 92430_1]

Standard configuration of distribution points: Multiple small remote offices

This standard configuration provides for a number of small remote offices, which may communicate with the head office over the internet. Each remote office is located behind NAT; that is, a connection from one remote office to another is not possible because the offices are isolated from one another.

The configuration must be reflected in the structure of administration groups: a separate administration group must be created for each remote office (groups Office 1 and Office 2 in the figure below).

Figure: Remote offices are included in the administration group structure. The Managed devices node contains the Root group for offices folder, which holds the Servers group and the Office 1 and Office 2 groups.

One or multiple distribution points must be assigned to each administration group that corresponds to an office. Distribution points must be devices at the remote office that have a sufficient amount of free disk space. Devices deployed in the Office 1 group, for example, will access distribution points assigned to the Office 1 administration group.

If some users move between offices physically, with their laptops, you must select two or more devices (in addition to the existing distribution points) in each remote office and assign them to act as distribution points for a top-level administration group (Root group for offices in the figure above).

Example: A laptop is deployed in the Office 1 administration group and then is moved physically to the office that corresponds to the Office 2 administration group. After the laptop is moved, Network Agent attempts to access the distribution points assigned to the Office 1 group, but those distribution points are unavailable. Then, Network Agent starts attempting to access the distribution points that have been assigned to the Root group for offices. Because remote offices are isolated from one another, attempts to access distribution points assigned to the Root group for offices administration group will only be successful when Network Agent attempts to access distribution points in the Office 2 group. That is, the laptop will remain in the administration group that corresponds to the initial office, but the laptop will use the distribution point of the office where it is physically located at the moment.
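The fallback described in the example above, as an added illustration (not Kaspersky code): Network Agent tries the distribution points of the device's own group, then those of each parent group, and because offices are isolated only a distribution point in the office where the laptop physically sits answers. The group tree, office names and the `roaming_coverage_gaps` check for the "two or more top-level distribution points per office" rule are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class DistributionPoint:
    name: str
    office: str        # office where the device physically sits (constructed)
    scope_group: str   # administration group the distribution point is assigned to

# Constructed group tree matching the figure above:
# Managed devices -> Root group for offices -> Office 1, Office 2
PARENT: Dict[str, Optional[str]] = {
    "Managed devices": None,
    "Root group for offices": "Managed devices",
    "Office 1": "Root group for offices",
    "Office 2": "Root group for offices",
}

def group_chain(group: str) -> List[str]:
    """The device's own group first, then each ancestor up to the root."""
    chain: List[str] = []
    cur: Optional[str] = group
    while cur is not None:
        chain.append(cur)
        cur = PARENT[cur]
    return chain

def reachable(dp: DistributionPoint, device_office: str) -> bool:
    """Offices are behind NAT and isolated from each other, so a device can only
    reach distribution points located in the office it is physically in."""
    return dp.office == device_office

def select_distribution_point(device_group: str, device_office: str,
                              dps: List[DistributionPoint]) -> Optional[str]:
    """Try the distribution points of the device's own group, then those of each
    parent group, and use the first one that is reachable (None if none is)."""
    for group in group_chain(device_group):
        for dp in dps:
            if dp.scope_group == group and reachable(dp, device_office):
                return dp.name
    return None

def roaming_coverage_gaps(dps: List[DistributionPoint], offices: List[str],
                          top_group: str = "Root group for offices",
                          minimum: int = 2) -> List[str]:
    """Offices that lack the two or more top-level-scope distribution points
    required for laptops that move between offices."""
    gaps = []
    for office in offices:
        n = sum(1 for dp in dps if dp.office == office and dp.scope_group == top_group)
        if n < minimum:
            gaps.append(office)
    return gaps

# Constructed sample deployment: one per-office DP plus two roaming DPs per office.
SAMPLE_DPS = [
    DistributionPoint("dp-office1", "Office 1", "Office 1"),
    DistributionPoint("dp-office2", "Office 2", "Office 2"),
    DistributionPoint("dp-office1-roam-a", "Office 1", "Root group for offices"),
    DistributionPoint("dp-office1-roam-b", "Office 1", "Root group for offices"),
    DistributionPoint("dp-office2-roam-a", "Office 2", "Root group for offices"),
    DistributionPoint("dp-office2-roam-b", "Office 2", "Root group for offices"),
]

if __name__ == "__main__":
    # Laptop stays in the Office 1 group but is physically moved to Office 2.
    print(select_distribution_point("Office 1", "Office 2", SAMPLE_DPS))
    print(roaming_coverage_gaps(SAMPLE_DPS, ["Office 1", "Office 2"]))
```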

See also:

Adjustment of distribution points and connection gateways

Requirements for a distribution point

About distribution points

Scenario: Regular updating Kaspersky databases and applications

Scenario: Discovering networked devices

[Topic 92431_1]

About assigning distribution points

You can assign a managed device as a distribution point manually or automatically.

If you assign a managed device as a distribution point manually, you can select any device in your network.

If you assign distribution points automatically, Kaspersky Security Center can select only managed devices that meet all of the following conditions:

  • The device has at least 50 GB of free disk space.
  • The managed device is connected with Kaspersky Security Center directly (not through the gateway).
  • The managed device is not a laptop.

If your network does not have devices that meet the specified conditions, Kaspersky Security Center will not assign any device as a distribution point automatically.

[Topic 226596]

Assigning distribution points automatically

We recommend that you assign distribution points automatically. In this case, Kaspersky Security Center selects on its own which devices are to be assigned as distribution points.

To assign distribution points automatically:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Select the Automatically assign distribution points option.

    If automatic assignment of devices as distribution points is enabled, you cannot configure distribution points manually or edit the list of distribution points.

  4. Click the Save button.

Administration Server assigns and configures distribution points automatically.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 181627]

Assigning distribution points manually


Kaspersky Security Center allows you to manually assign devices to act as distribution points.

We recommend that you assign distribution points automatically. In this case, Kaspersky Security Center selects on its own which devices are to be assigned as distribution points. However, if you have to opt out of automatic assignment for any reason (for example, if you want to use exclusively assigned servers), you can assign distribution points manually after you have calculated their number and configuration.

Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.

To manually assign a device to act as distribution point:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Select the Manually assign distribution points option.
  4. Click the Assign button.
  5. Select the device that you want to make a distribution point.

    When selecting a device, keep in mind the operation features of distribution points and the requirements set for the device that acts as distribution point.

  6. Select the administration group that you want to include in the scope of the selected distribution point.
  7. Click the OK button.

    The distribution point that you have added will be displayed in the list of distribution points, in the Distribution points section.

  8. Click the newly added distribution point in the list to open its properties window.
  9. Configure the distribution point in the properties window:
    • The General section contains the settings for interaction between the distribution point and client devices:
      • SSL port

        The number of the SSL port for encrypted connection between client devices and the distribution point using SSL.

        By default, port 13000 is used.

      • Use multicast

        If this option is enabled, IP multicasting will be used for automatic distribution of installation packages to client devices within the group.

        IP multicasting decreases the time required to install an application from an installation package to a group of client devices, but increases the installation time when you install an application to a single client device.

      • IP multicast address

        IP address that will be used for multicasting. You can define an IP address in the range 224.0.0.0 – 239.255.255.255.

        By default, Kaspersky Security Center automatically assigns a unique IP multicast address within the given range.

      • IP multicast port number

        Number of the port for IP multicasting.

        By default, the port number is 15001. If the device with Administration Server installed is specified as the distribution point, port 13001 is used for SSL connection by default.

      • Gateway address for remote devices

        The IPv4 address through which remote devices connect to the distribution point.

      • Deploy updates

        Updates are distributed to managed devices from the following sources:

        • This distribution point, if this option is enabled.
        • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

        If you use distribution points to deploy updates, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

        If you disable this option, the number of update downloads and load on the Administration Server may increase. By default, this option is enabled.

      • Deploy installation packages

        Installation packages are distributed to managed devices from the following sources:

        • This distribution point, if this option is enabled.
        • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

        If you use distribution points to deploy installation packages, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

        If you disable this option, the number of installation package downloads and load on the Administration Server may increase. By default, this option is enabled.

      • Run push server

        In Kaspersky Security Center, a distribution point can work as a push server for the devices managed through the mobile protocol and for the devices managed by Network Agent. For example, a push server must be enabled if you want to be able to force synchronization of KasperskyOS devices with Administration Server. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.

      • Push server port

        The port number for the push server. You can specify the number of any unoccupied port.

    • In the Scope section, specify the scope to which the distribution point will distribute updates (administration groups and/or network location).

      Only devices running a Windows operating system can determine their network location. Network location cannot be determined for devices running other operating systems.

    • If the distribution point works on a machine other than Administration Server, in the Source of updates section, you can select a source of updates for the distribution point:
      • Source of updates

        Select a source of updates for the distribution point:

        • To allow the distribution point to receive updates from the Administration Server, select Retrieve from Administration Server.
        • To allow the distribution point to receive updates by using a task, select Use update download task, and then specify a Download updates to the repositories of distribution points task:
          • If such a task already exists on the device, select the task in the list.
          • If no such task yet exists on the device, click the Create task link to create a task. The Add Task Wizard starts. Follow the instructions of the Wizard.

      • Download diff files

        This option enables the downloading of diff files.

        By default, this option is enabled.

    • In the Internet connection settings subsection, you can specify the internet access settings:
      • Use proxy server

        If this check box is selected, in the entry fields you can configure the proxy server connection.

        By default, this check box is cleared.

      • Proxy server address

        Address of the proxy server.

      • Port number

        Port number that is used for connection.

      • Bypass proxy server for local addresses

        If this option is enabled, no proxy server is used to connect to devices on the local network.

        By default, this option is disabled.

      • Proxy server authentication

        If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.

        By default, this check box is cleared.

      • User name

        User account under which connection to the proxy server is established.

      • Password

        Password of the account under which the task will be run.

    • In the KSN Proxy section, you can configure the application to use the distribution point to forward KSN requests from the managed devices:
      • Enable KSN Proxy on distribution point side

        The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.

        The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\ksneula.

        By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in the Administration Server properties window.

        You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.

      • Forward KSN requests to Administration Server

        The distribution point forwards KSN requests from the managed devices to the Administration Server.

        By default, this option is enabled.

      • Access KSN Cloud/Private KSN directly over the internet

        The distribution point forwards KSN requests from managed devices to the KSN Cloud or Private KSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or Private KSN.

        The distribution points that have Network Agent version 11 (or earlier) installed cannot access Private KSN directly. If you want to reconfigure the distribution points to send KSN requests to Private KSN, enable the Forward KSN requests to Administration Server option for each distribution point.

        The distribution points that have Network Agent version 12 (or later) installed can access Private KSN directly.

      • Ignore proxy server settings when connecting to Private KSN

        Enable this option if you have proxy server settings configured in the distribution point properties or in the Network Agent policy, but your network architecture requires that you use Private KSN directly. Otherwise, requests from the managed applications cannot reach Private KSN.

        This option is available if you select the Access KSN Cloud/Private KSN directly over the internet option.

      • Port

        The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.

      • Use UDP port

        If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled.

      • UDP port

        The number of the UDP port that the managed devices will use to connect to KSN proxy server. The default UDP port to connect to the KSN proxy server is 15111.

    • If the distribution point works on a machine other than Administration Server, in the Connection gateway section, you can configure the distribution point to act as a gateway for connection between Network Agent instances and Administration Server:
      • Connection gateway

        If a direct connection between Administration Server and Network Agents cannot be established due to organization of your network, you can use the distribution point to act as the connection gateway between Administration Server and Network Agents.

        Enable this option if you need the distribution point to act as a connection gateway between Network Agents and Administration Server. By default, this option is disabled.

      • Establish connection to gateway from Administration Server (if gateway is in DMZ)

        If Administration Server is located outside the demilitarized zone (DMZ), on the local area network, Network Agents installed on remote devices cannot connect to Administration Server. You can use a distribution point as the connection gateway with reverse connectivity (Administration Server establishes the connection to the distribution point).

        Enable this option if you need to connect Administration Server to the connection gateway in DMZ.

      • Open local port for Kaspersky Security Center 14 Web Console

        Enable this option if you need the connection gateway in DMZ to open a port for Web Console that is in DMZ or on the internet. Specify the port number that will be used for the connection from Web Console to the distribution point. The default port number is 13299.

        This option is available if you enable the Establish connection to gateway from Administration Server (if gateway is in DMZ) option.

      When connecting mobile devices to Administration Server via the distribution point that acts as a connection gateway, you can enable the following options:

      • Open port for mobile devices (SSL authentication of the Administration Server only)

        Enable this option if you need the connection gateway to open a port for mobile devices and specify the port number that mobile devices will use for connection to distribution point. The default port number is 13292. The mobile device will check the Administration Server certificate. When establishing the connection, only Administration Server is authenticated.

      • Open port for mobile devices (two-way SSL authentication)

        Enable this option if you need the connection gateway to open a port that will be used for two-way authentication of Administration Server and mobile devices. The mobile device will check the Administration Server certificate, and Administration Server will check the mobile device certificate. Specify the following parameters:

        • Port number that mobile devices will use for connection to the distribution point. The default port number is 13293.
        • DNS domain names of the connection gateway that will be used by mobile devices. Separate domain names with commas. The specified domain names will be included in the distribution point certificate. If the domain names used by mobile devices do not match the common name in the distribution point certificate, mobile devices do not connect to the distribution point.

          The default DNS domain name is the FQDN name of the connection gateway.

      In both cases, the certificates are checked during the TLS session establishment on distribution point only. The certificates are not forwarded to be checked by the Administration Server. After a TLS session with the mobile device is established, the distribution point uses the Administration Server certificate to create a tunnel for synchronization between the mobile device and Administration Server. If you open the port for two-way SSL authentication, the only way to distribute the mobile device certificate is via an installation package.

    • Configure the polling of Windows domains, Active Directory, and IP ranges by the distribution point:
      • Windows domains

        You can enable device discovery for Windows domains and set the schedule for the discovery.

      • Active Directory

        You can enable network polling for Active Directory and set the schedule for the poll.

        If you use a Windows distribution point, you can select one of the following options:

        • Poll current Active Directory domain.
        • Poll Active Directory domain forest.
        • Poll selected Active Directory domains only. If you select this option, add one or more Active Directory domains to the list.
      • IP ranges

        You can enable device discovery for IPv4 ranges and IPv6 networks.

        If you enable the Enable range polling option, you can add scanned ranges and set the schedule for them. You can add IP ranges to the list of scanned ranges.

        If you enable the Use Zeroconf to poll IPv6 networks option, the distribution point automatically polls the IPv6 network by using zero-configuration networking (also referred to as Zeroconf). In this case, the specified IP ranges are ignored because the distribution point polls the whole network. The Use Zeroconf to poll IPv6 networks option is available if the distribution point runs Linux. To use Zeroconf IPv6 polling, you must install the avahi-browse utility on the distribution point.

    • In the Advanced section, specify the folder that the distribution point must use to store distributed data:
      • Use default folder

        If you select this option, the application uses the Network Agent installation folder on the distribution point.

      • Use specified folder

        If you select this option, in the field below, you can specify the path to the folder. It can be a local folder on the distribution point, or it can be a folder on any device on the corporate network.

        The user account used on the distribution point to run Network Agent must have read/write access to the specified folder.

  10. Click the OK button.

The selected devices act as distribution points.
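The settings in the procedure above enable several listeners on the distribution point host, and some options only make sense in combination. The following added example (my own code, not part of Kaspersky Security Center) derives the set of ports a distribution point must accept from its enabled options, so a host firewall can be limited to exactly those, and flags inconsistent combinations before the configuration is saved. The `DPConfig` field names are my own; the default port numbers and the multicast range are the ones stated on this page, and the push server and mobile ports are assumed to be TCP.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

@dataclass
class DPConfig:
    """Subset of the distribution point properties described above (field names
    are constructed for this example; defaults are the ones stated on the page)."""
    ssl_port: int = 13000
    use_multicast: bool = False
    multicast_address: Optional[str] = None      # None: assigned automatically
    multicast_port: int = 15001
    run_push_server: bool = False
    push_server_port: Optional[int] = None       # no default: any unoccupied port
    ksn_proxy: bool = False
    ksn_tcp_port: int = 13111
    ksn_use_udp: bool = True
    ksn_udp_port: int = 15111
    connection_gateway: bool = False
    gateway_in_dmz: bool = False                 # "Establish connection to gateway from AS"
    web_console_port: Optional[int] = None       # 13299 when opened; needs gateway_in_dmz
    mobile_port_server_auth: Optional[int] = None   # 13292 when opened
    mobile_port_two_way: Optional[int] = None       # 13293 when opened
    mobile_dns_names: Tuple[str, ...] = ()       # go into the DP certificate

Port = Tuple[str, int, str]   # (protocol, port number, purpose)

def listening_ports(cfg: DPConfig) -> List[Port]:
    """Ports the distribution point host must accept for the enabled options.
    Protocols for the push server and the mobile ports are assumed to be TCP."""
    ports: List[Port] = [("tcp", cfg.ssl_port, "SSL from client devices")]
    if cfg.use_multicast:
        ports.append(("udp", cfg.multicast_port, "IP multicast of installation packages"))
    if cfg.run_push_server and cfg.push_server_port is not None:
        ports.append(("tcp", cfg.push_server_port, "push server"))
    if cfg.ksn_proxy:
        ports.append(("tcp", cfg.ksn_tcp_port, "KSN proxy"))
        if cfg.ksn_use_udp:
            ports.append(("udp", cfg.ksn_udp_port, "KSN proxy"))
    if cfg.connection_gateway:
        if cfg.gateway_in_dmz and cfg.web_console_port is not None:
            ports.append(("tcp", cfg.web_console_port, "Web Console to gateway in DMZ"))
        if cfg.mobile_port_server_auth is not None:
            ports.append(("tcp", cfg.mobile_port_server_auth, "mobile devices, server-only SSL auth"))
        if cfg.mobile_port_two_way is not None:
            ports.append(("tcp", cfg.mobile_port_two_way, "mobile devices, two-way SSL auth"))
    return ports

def validate(cfg: DPConfig) -> List[str]:
    """Return human-readable problems; an empty list means the options are consistent."""
    problems: List[str] = []
    if cfg.use_multicast and cfg.multicast_address is not None:
        addr = IPv4Address(cfg.multicast_address)
        if not IPv4Address("224.0.0.0") <= addr <= IPv4Address("239.255.255.255"):
            problems.append(f"multicast address {addr} is outside 224.0.0.0-239.255.255.255")
    if cfg.run_push_server and cfg.push_server_port is None:
        problems.append("Run push server is enabled but no push server port is set")
    if cfg.gateway_in_dmz and not cfg.connection_gateway:
        problems.append("reverse connection from Administration Server needs the Connection gateway option")
    if cfg.web_console_port is not None and not cfg.gateway_in_dmz:
        problems.append("Web Console port needs 'Establish connection to gateway from Administration Server'")
    if cfg.mobile_port_two_way is not None and not cfg.mobile_dns_names:
        problems.append("two-way SSL mobile port needs the DNS names that go into the DP certificate")
    # Two listeners on the same protocol/port would collide; the page asks for unoccupied ports.
    seen = {}
    for proto, port, purpose in listening_ports(cfg):
        if (proto, port) in seen:
            problems.append(f"{proto}/{port} is used for both {seen[(proto, port)]} and {purpose}")
        seen[(proto, port)] = purpose
    return problems

if __name__ == "__main__":
    dmz_gateway = DPConfig(ksn_proxy=True, connection_gateway=True, gateway_in_dmz=True,
                           web_console_port=13299, mobile_port_two_way=13293,
                           mobile_dns_names=("gateway.example.test",))
    for entry in listening_ports(dmz_gateway):
        print(entry)
    print(validate(dmz_gateway))
```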

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 181511]

Modifying the list of distribution points for an administration group

You can view the list of distribution points assigned to a specific administration group and modify the list by adding or removing distribution points.

To view and modify the list of distribution points assigned to an administration group:

  1. In the main menu, go to DEVICES → MANAGED DEVICES.
  2. In the Current path field above the list of managed devices, click the path link.
  3. In the left-side pane that opens, select an administration group for which you want to view the assigned distribution points.

    This enables the DISTRIBUTION POINTS menu item.

  4. In the main menu, go to DEVICES → DISTRIBUTION POINTS.
  5. To add new distribution points for the administration group, click the Assign button above the list of managed devices and select devices from the pane that opens.
  6. To remove the assigned distribution points, select devices from the list and click the Unassign button.

Depending on your modifications, the new distribution points are added to the list or existing distribution points are removed from the list.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 181540]

Forced synchronization

Although Kaspersky Security Center automatically synchronizes the status, settings, tasks, and policies for managed devices, in some cases you might want to run the synchronization for a specified device forcibly. You can run forced synchronization for the following devices:

  • Devices that have Network Agent installed
  • Devices running KasperskyOS

    Before running forced synchronization for a KasperskyOS device, ensure that the device is included in a distribution point scope and that a push server is enabled on the distribution point.

  • iOS devices
  • Android devices

    Before running forced synchronization for an Android device, you must configure Google Firebase Cloud Messaging.

Synchronizing a single device

To force synchronization between the Administration Server and a managed device:

  1. In the main menu, go to DEVICES → MANAGED DEVICES.
  2. Click the name of the device that you want to synchronize with the Administration Server.

    A property window opens with the General section selected.

  3. Click the Force synchronization button.

The application synchronizes the selected device with the Administration Server.

Synchronizing multiple devices

To force synchronization between the Administration Server and multiple managed devices:

  1. Open the device list of an administration group or a device selection:
    • In the main menu, go to DEVICES → MANAGED DEVICES, click the path link in the Current path field above the list of managed devices, then select the administration group that contains devices to synchronize.
    • Run a device selection to view the device list.
  2. Select the check boxes next to the devices that you want to synchronize with the Administration Server.
  3. Above the list of managed devices, click the ellipsis button (three dots), and then click the Force synchronization button.

    The application synchronizes the selected devices with the Administration Server.

  4. In the device list, check that the time of last connection to the Administration Server has changed, for the selected devices, to the current time. If the time has not changed, update the page content by clicking the Refresh button.

The selected devices are synchronized with the Administration Server.

Viewing the time of a policy delivery

After changing a policy for a Kaspersky application on the Administration Server, the administrator can check whether the changed policy has been delivered to a specific managed device. A policy can be delivered during a regular synchronization or a forced synchronization.

To view the date and time that an application policy was delivered to a managed device:

  1. In the main menu, go to DEVICES → MANAGED DEVICES.
  2. Click the name of the device that you want to synchronize with the Administration Server.

    A property window opens with the General section selected.

  3. Select the Applications tab.
  4. Select the application for which you want to view the policy synchronization date.

    The application policy window opens with the General section selected and the policy delivery date and time displayed.

See also:

Policy setup and propagation: Device-centric approach

Scenario: Configuring network protection

Enabling a push server

[Topic 175431]

Enabling a push server

In Kaspersky Security Center, a distribution point can work as a push server for the devices managed through the mobile protocol and for the devices managed by Network Agent. For example, a push server must be enabled if you want to be able to force synchronization of KasperskyOS devices with Administration Server. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.

You might want to use distribution points as push servers to make sure that there is continuous connectivity between a managed device and the Administration Server. Continuous connectivity is needed for some operations, such as running and stopping local tasks, receiving statistics for a managed application, or creating a tunnel. If you use a distribution point as a push server, you do not have to use the Do not disconnect from the Administration Server option on managed devices or send packets to the UDP port of the Network Agent.

A push server supports the load of up to 50,000 simultaneous connections.

To enable push server on a distribution point:

  1. Click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Click the name of the distribution point on which you want to enable the push server.

    The distribution point properties window opens.

  4. On the General section, enable the Run push server option.
  5. In the Push server port field, type the port number. You can specify the number of any unoccupied port.
  6. In the Address for remote hosts field, specify the IP address or the name of the distribution point device.
  7. Click the OK button.

The push server is enabled on the selected distribution point.

See also:

Forced synchronization

Using a distribution point as a push server

[Topic 214620]