Contents
- Configuring Administration Server
- Creating a hierarchy of Administration Servers: adding a secondary Administration Server
- Configuring storage term of events concerning to the deleted devices
- Aggregate emails about events
- Limitations on management of secondary Administration Servers running on-premises through Kaspersky Security Center Cloud Console
- Viewing the list of secondary Administration Servers
- Deleting a hierarchy of Administration Servers
- Configuring the interface
- Managing virtual Administration Servers
Configuring Administration Server
This section describes the configuration process and properties of Kaspersky Security Center Administration Server.
Creating a hierarchy of Administration Servers: adding a secondary Administration Server
You can make an Administration Server running on-premises function as a secondary Administration Server, thus establishing a "primary/secondary" hierarchy on your network. For the Administration Server that is in the Kaspersky infrastructure, both primary and secondary Administration Servers on your network are secondary Servers. You can add a Windows-based Administration Server as well as a Linux-based Administration Server.
To add a secondary Administration Server that is available for connection:
- Make sure that the future secondary Administration Server has Kaspersky Security Center Web Console installed.
- On the future secondary Administration Server, download the Administration Server certificate and save it so you can add it to the primary Administration Server during one of the steps of the Add secondary Administration Server wizard.
- Perform the following actions via the Kaspersky Security Center Web Console on the future secondary Administration Server (alternatively, you can ask the administrator of the future secondary Administration Server to perform these actions):
- In the main menu, click the settings icon next to the name of the future secondary Administration Server.
- On the properties page that opens, proceed to the Hierarchy of Administration Servers section of the General tab.
- Select the This Administration Server is secondary in the hierarchy option.
- Select Cloud Console as the type of the primary Administration Server.
The fields for settings to establish connection between secondary and primary Administration Servers become available.
- In the HDS server address (from primary Administration Server on Cloud Console) and HDS server ports fields, enter the address and port of the Kaspersky Security Center Cloud Console primary Administration Server.
You can find HDS Server address and HDS Server port in the Kaspersky Security Center Cloud Console Administration Server, in the Hierarchy of Administration Servers section of the General tab of the properties window. You can copy and paste this data into the fields in the window of the secondary Administration Server.
- Click the Specify primary Administration Server certificate button, and then select the certificate.
You can download this certificate from Kaspersky Security Center Cloud Console Administration Server, in the Hierarchy of Administration Servers section of the General tab of the properties window, by clicking the View Administration Server certificate button.
- Click the Specify Hosted Discovery Service certificates button, and then select the certificate.
You can download this certificate from Kaspersky Security Center Cloud Console Administration Server, in the Hierarchy of Administration Servers section of the General tab of the properties window, by clicking the HDS root CA certificate button.
- If you use a proxy server to connect to the Kaspersky Security Center Cloud Console Administration Server (that is, the primary Server in the hierarchy that you have built), specify this and enter the proxy server credentials.
- Select the Connect primary Administration Server to secondary Administration Server in DMZ option if the secondary Administration Server is in a demilitarized zone.
- Click Save to save the changes and exit the window.
- In the main menu, click the settings icon next to the name of the future primary Administration Server.
- On the properties page that opens, click the Administration Servers tab.
- Select the check box next to the name of the administration group to which you want to add the secondary Administration Server.
- On the menu line, click Connect secondary Administration Server.
The Add secondary Administration Server wizard starts. Proceed through the wizard by using the Next button.
- Fill in the following fields:
- If you use a proxy server to connect to the Kaspersky Security Center Cloud Console Administration Server (that is, the future primary Server), specify this and enter the proxy server credentials.
- Follow the further instructions of the wizard.
After the wizard finishes, the "primary/secondary" hierarchy is built. The primary Administration Server starts receiving a connection from the secondary Administration Server through port 13000. The tasks and policies from the primary Administration Server are received and applied. The secondary Administration Server is displayed on the primary Administration Server, in the administration group to which it was added.
Configuring storage term of events concerning to the deleted devices
In Kaspersky Security Center Cloud Console, events are stored in an event repository. You cannot configure how many events to store in the event repository.
In the Events repository section of the Administration Server properties window, you can configure the maximum storage term of events concerning deleted devices. The maximum storage term is 1000 days.
To configure the number of days to store events relating to the deleted devices:
- In the main menu, click the settings icon next to the Kaspersky Security Center Cloud Console Administration Server.
The Administration Server properties window opens.
- On the General tab, select the Events repository section.
- Enable the Store events after devices are deleted option.
- In the Maximum storage period (days) edit box, specify the number of days to store events relating to the deleted devices.
The number of days to store events concerning deleted devices is limited by the specified value.
Additionally, you can change the settings of any task to save events related to the task progress, or save only task execution results. In doing so, you will reduce the number of events in the database, increase the speed of execution of scenarios associated with analysis of the event table in the database, and lower the risk that critical events will be overwritten by a large number of events.
Aggregate emails about events
During operation, Kaspersky Security Center Cloud Console and managed Kaspersky applications generate events. Each event is attributed to a certain type and level of severity (Critical, Functional failure, Warning, or Info). Depending on the conditions under which an event occurred, Kaspersky Security Center Cloud Console can assign different levels of severity to events of the same type.
Kaspersky Security Center Cloud Console automatically sends, by email, notifications about events. Kaspersky Security Center Cloud Console sends notifications about events listed in the Administration Server properties window, on the Event configuration tab. Common notification settings are used for all event types.
To limit the number of emails that have to be sent, Kaspersky Security Center Cloud Console, during specific periods, aggregates events with the same severity level. Values of the periods are managed by Kaspersky specialists. As a result, recipients get aggregated email messages according to the following template: "<Number> <Severity_level> (and lower-level) events have occurred".
Limitations on management of secondary Administration Servers running on-premises through Kaspersky Security Center Cloud Console
After you switch to a secondary Administration Server running on-premises by using the corresponding option in Kaspersky Security Center Cloud Console, the application imposes specific limitations on management of this secondary Administration Server. The following settings related to the Kaspersky Security Center Cloud Console operation become unavailable for the user:
- In the settings of Network Agent policies and Administration Server policies, the Event configuration and Application settings tabs are unavailable; no new policies can be created.
- In the settings of Network Agent tasks and Administration Server tasks, the Event configuration and Application settings tabs are unavailable; no new tasks can be created.
- Management of Network Agent and Administration Server is unavailable, as well as the properties window of the secondary Administration Server.
- The quick start wizard is unavailable.
- The storage and notification settings for Network Agent and Administration Server events cannot be modified.
- The Current application versions section is unavailable.
- The Installation packages section is unavailable.
Viewing the list of secondary Administration Servers
To view the list of the secondary (including virtual) Administration Servers:
In the main menu, click the name of the Administration Server, which is next to the settings icon.
The drop-down list of the secondary (including virtual) Administration Servers is displayed.
You can proceed to any of these Administration Servers by clicking its name.
Deleting a hierarchy of Administration Servers
If you no longer want to have a hierarchy of Administration Servers, you can disconnect them from this hierarchy.
To delete a hierarchy of Administration Servers:
- In the main menu, click the settings icon next to the name of the primary Administration Server.
- On the page that opens, proceed to the Administration Servers tab.
- In the administration group from which you want to delete the secondary Administration Server, select the secondary Administration Server.
- On the menu line, click Delete.
- In the window that opens, click OK to confirm that you want to delete the secondary Administration Server.
The former primary Administration Server and the former secondary Administration Server are now independent of each other. The hierarchy no longer exists.
Configuring the interface
You can configure the Kaspersky Security Center Cloud Console interface to display and hide sections and interface elements, depending on the features that you use.
To configure the Kaspersky Security Center Cloud Console interface in accordance with the currently used set of features:
- In the main menu, go to your account settings, and then select Interface options.
- In the Interface options window that opens, enable or disable the options:
- Set the number of devices that Kaspersky Security Center Cloud Console displays in policy distribution results.
- Click Save.
The console interface settings are configured according to your preferences.
Managing virtual Administration Servers
This section describes the following actions to manage virtual Administration Servers:
- Create virtual Administration Servers
- Enable and disable virtual Administration Servers
- Assign an administrator for a virtual Administration Server
- Change the Administration Server for client devices
- Delete virtual Administration Servers
Creating a virtual Administration Server
You can create virtual Administration Servers and add them to administration groups.
To create and add a virtual Administration Server:
- In the main menu, click the settings icon next to the name of the required Administration Server.
- On the page that opens, proceed to the Administration Servers tab.
- Select the administration group to which you want to add a virtual Administration Server.
- On the menu line, click New virtual Administration Server.
- On the page that opens, define the Name of virtual Administration Server.
- Click Save.
The new virtual Administration Server is created, added to the administration group and displayed on the Administration Servers tab.
Enabling and disabling a virtual Administration Server
When you create a new virtual Administration Server, it is enabled by default. You can disable or enable it again at any time. Disabling or enabling a virtual Administration Server is equal to switching off or on a physical Administration Server.
To enable or disable a virtual Administration Server:
- In the main menu, click the settings icon next to the name of the required Administration Server.
- On the page that opens, proceed to the Administration Servers tab.
- Select the virtual Administration Server that you want to enable or disable.
- On the menu line, click the Enable / disable virtual Administration Server button.
The virtual Administration Server state is changed to enabled or disabled, depending on its previous state. The updated state is displayed next to the Administration Server name.
Assigning an administrator for a virtual Administration Server
When you use virtual Administration Servers in your organization, you might want to assign a dedicated administrator for each virtual Administration Server. For example, this might be useful when you create virtual Administration Servers to manage separate offices or departments of your organization, or if you are an MSP provider and you manage your tenants through virtual Administration Servers.
When you create a virtual Administration Server, it inherits the user list and all of the user rights of the primary Administration Server. If a user has access rights to the primary Server, this user has access rights to the virtual Server as well. After creation, you configure the access rights to the Servers independently. If you want to assign an administrator for a virtual Administration Server only, make sure that the administrator is not included in the Access rights list in the properties of the primary Administration Server.
You assign an administrator for a virtual Administration Server by granting the administrator access rights to the virtual Administration Server. You can grant the required access rights in one of the following ways:
- Configure access rights for the administrator manually
- Assign one or more user roles for the administrator
When you assign an administrator, make sure that you grant access to a single virtual Administration Server. An administrator with access to multiple virtual Administration Servers cannot sign in to Kaspersky Security Center Cloud Console.
An administrator of a virtual Administration Server signs in to Kaspersky Security Center Cloud Console the same way as signing in to the primary Administration Server. Kaspersky Security Center Cloud Console authenticates the administrator and opens the virtual Administration Server to which the administrator has access rights. The administrator cannot switch between Administration Servers.
Prerequisites
Before you start, ensure that the following conditions are met:
- The virtual Administration Server is created.
- On the primary Administration Server, you have created an account for the administrator that you want to assign for the virtual Administration Server.
- The created account of the virtual Server administrator is not included in the Access rights lists in the properties of any Servers—primary or secondary.
- You have the Modify object ACLs right in the General features → User permissions functional area.
Configuring access rights manually
To assign an administrator for a virtual Administration Server:
- In the main menu, switch to the required virtual Administration Server:
- Click the chevron icon to the right of the current Administration Server name.
- Select the required Administration Server.
- In the main menu, click the settings icon next to the name of the Administration Server.
The Administration Server properties window opens.
- On the Access rights tab, click the Add button.
A unified list of users of the primary Administration Server and the current virtual Administration Server opens.
- From the list of users, select the account of the administrator that you want to assign for the virtual Administration Server, and then click the OK button.
The application adds the selected user to the user list on the Access rights tab.
- Select the check box next to the added account, and then click the Access rights button.
- Configure the rights that the administrator will have on the virtual Administration Server.
For successful authentication, at minimum, the administrator must have the following rights:
- Read right in the General features → Basic functionality functional area
- Read right in the General features → Virtual Administration Servers functional area
The application saves the modified user rights to the administrator account.
Configuring access rights by assigning user roles
Alternatively, you can grant the access rights to a virtual Administration Server administrator through user roles. For example, this might be useful if you want to assign several administrators on the same virtual Administration Server. If this is the case, you can assign the administrators' accounts the same one or more user roles instead of configuring the same user rights for several administrators.
To assign an administrator for a virtual Administration Server by assigning user roles:
- On the primary Administration Server, create a new user role, and then specify all of the required access rights that an administrator must have on the virtual Administration Server. You can create several roles, for example, if you want to separate access to different functional areas.
- In the main menu, switch to the required virtual Administration Server:
- Click the chevron icon to the right of the current Administration Server name.
- Select the required Administration Server.
- Assign the new role or several roles to the administrator account.
When assigning roles to a user, in the main menu, go to Users & roles → Users & groups, and then select the Users tab. If you select the Groups tab, and then assign roles to the group where the user is a member, the user will not be able to log in to Kaspersky Security Center Cloud Console.
The application assigns the new role to the administrator account.
Configuring access rights at the object level
In addition to assigning access rights at the functional area level, you can configure access to specific objects on the virtual Administration Server, for example, to a specific administration group or a task. To do this, switch to the virtual Administration Server, and then configure the access rights in the object's properties.
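The sign-in constraints described in this section (access to a single virtual Administration Server, no entry in the Access rights list of a primary or secondary Server, the two minimum Read rights, and roles assigned on the Users tab rather than through a group) can be checked against a planned assignment before it is applied. The following Python check is an added example, not Kaspersky code; the inventory layout, server names and accounts are constructed assumptions and not a Kaspersky Security Center export format.

```python
# Added example: pre-flight check of a planned virtual-Server administrator assignment.
# The data layout is an assumption made for this example, not a Kaspersky export format.

AREA_BASIC = "General features → Basic functionality"
AREA_VIRTUAL = "General features → Virtual Administration Servers"
REQUIRED_READ = (AREA_BASIC, AREA_VIRTUAL)  # minimum rights for successful authentication


def audit_virtual_admin(account, servers):
    """Return a list of findings for `account`; an empty list means the plan is consistent."""
    findings = []
    virtual_hits = []
    for name, server in servers.items():
        entry = server["access"].get(account)
        if entry is None:
            continue  # account is not in this Server's Access rights list
        if server["kind"] == "virtual":
            virtual_hits.append(name)
            granted = entry.get("read_areas", set())
            for area in REQUIRED_READ:
                if area not in granted:
                    findings.append(f"{name}: missing Read right in '{area}'")
            if entry.get("roles_via_group"):
                findings.append(f"{name}: roles come from a group, not the Users tab")
        else:
            # A virtual-only administrator must not appear on primary or secondary Servers.
            findings.append(
                f"{name}: account is in the Access rights list of a {server['kind']} Server")
    if not virtual_hits:
        findings.append("account has no access to any virtual Server")
    elif len(virtual_hits) > 1:
        findings.append("access to multiple virtual Servers: " + ", ".join(sorted(virtual_hits)))
    return findings


# Constructed sample inventory (hypothetical Server names and accounts).
SAMPLE = {
    "ksc-primary": {"kind": "primary", "access": {"root-admin": {}, "carol": {}}},
    "vs-office-a": {"kind": "virtual", "access": {
        "alice": {"read_areas": {AREA_BASIC, AREA_VIRTUAL}},
        "bob": {"read_areas": {AREA_BASIC}, "roles_via_group": True},
        "carol": {"read_areas": {AREA_BASIC, AREA_VIRTUAL}},
    }},
    "vs-office-b": {"kind": "virtual", "access": {
        "bob": {"read_areas": {AREA_BASIC, AREA_VIRTUAL}},
    }},
}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        problems = audit_virtual_admin(user, SAMPLE)
        print(user, "OK" if not problems else problems)
```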
Deleting a virtual Administration Server
When you delete a virtual Administration Server, all of the objects created on the Administration Server, including policies and tasks, will be deleted as well. The managed devices from the administration groups that were managed by the virtual Administration Server will be removed from the administration groups. To return the devices under management of Kaspersky Security Center Cloud Console, run the network polling, and then move the found devices from the Unassigned devices group to the administration groups.
To delete a virtual Administration Server:
- In the main menu, click the settings icon next to the name of the Administration Server.
- On the page that opens, proceed to the Administration Servers tab.
- Select the virtual Administration Server that you want to delete.
- On the menu line, click the Delete button.
The virtual Administration Server is deleted.