Kaspersky Security Center Cloud Console
[Topic 176384]

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

Expand all | Collapse all

You can make an Administration Server running on-premises function as a secondary Administration Server, thus establishing a "primary/secondary" hierarchy on your network. For the Administration Server that is in the Kaspersky infrastructure, both primary and secondary Administration Servers on your network are secondary Servers. You can add a Windows-based Administration Server as well as a Linux-based Administration Server.

To add a secondary Administration Server that is available for connection:

  1. Make sure that the future secondary Administration Server has Kaspersky Security Center Web Console installed.
  2. On the future secondary Administration Server, download the Administration Server certificate and save it so you can add it to the primary Administration Server during one of the steps of the Add secondary Administration Server wizard.
  3. Perform the following actions via the Kaspersky Security Center Web Console on the future Secondary Administration Server (alternatively, you can prompt the administrator of the future Secondary Administration Server to perform these actions):
    1. In the main menu, click the settings icon () next to the name of the future secondary Administration Server.
    2. On the properties page that opens, proceed to the Hierarchy of Administration Servers section of the General tab.
    3. Select the This Administration Server is secondary in the hierarchy option.
    4. Select Cloud Console as the type of the primary Administration Server.

      The fields for settings to establish connection between secondary and primary Administration Servers become available.

    5. In the HDS server address (from primary Administration Server on Cloud Console) and HDS server ports fields, enter the address and port of the Kaspersky Security Center Cloud Console primary Administration Server.

      You can find HDS Server address and HDS Server port in the Kaspersky Security Center Cloud Console Administration Server, in the Hierarchy of Administration Servers section of the General tab of the properties window. You can copy and paste this data into the fields in the window of the secondary Administration Server.

    6. Click the Specify primary Administration Server certificate button, and then select the certificate.

      You can download this certificate from Kaspersky Security Center Cloud Console Administration Server, in the Hierarchy of Administration Servers section of the General tab of the properties window, by clicking the View Administration Server certificate button.

    7. Click the Specify Hosted Discovery Service certificates button, and then select the certificate.

      You can download this certificate from Kaspersky Security Center Cloud Console Administration Server, in Hierarchy of Administration Servers section of the General tab of the properties window, by clicking the HDS root CA certificate button.

    8. If you use a proxy server to connect to the Kaspersky Security Center Cloud Console Administration Server (that is, the primary Server in the hierarchy that you have built), specify this and enter the proxy server credentials.
    9. Select the Connect primary Administration Server to secondary Administration Server in DMZ option if the secondary Administration Server is in a demilitarized zone.
    10. Click Save to save the changes and exit the window.
  4. In the main menu, click the settings icon () next to the name of the future primary Administration Server.
  5. On the properties page that opens, click the Administration Servers tab.
  6. Select the check box next to the name of the administration group to which you want to add the secondary Administration Server.
  7. On the menu line, click Connect secondary Administration Server.

    The Add secondary Administration Server wizard starts. Proceed through the wizard by using the Next button.

  8. Fill in the following fields:
    • Secondary Administration Server display name

      A name by which the secondary Administration Server will be displayed in the hierarchy. If you want, you can enter the IP address as a name, or you can use a name like, for example, "Secondary Server for group 1".

    • Secondary Administration Server address (optional)

      Specify the IP address or the domain name of the secondary Administration Server.

      This parameter is required if the Connect primary Administration Server to secondary Administration Server in DMZ option is enabled.

  9. If you use a proxy server to connect to the Kaspersky Security Center Cloud Console Administration Server (that is, the future primary Server), specify this and enter the proxy server credentials.
  10. Follow the further instructions of the wizard.

After the wizard finishes, the "primary/secondary" hierarchy is built. The primary Administration Server starts receiving connection from the secondary Administration Server through port 13000. The tasks and policies from the primary Administration Server are received and applied. The secondary Administration Server is displayed on the primary Administration Server, in the administration group to which it was added.

See also:

Ports used by Kaspersky Security Center Cloud Console

Page top
[Topic 178059]

Configuring storage term of events concerning to the deleted devices

In Kaspersky Security Center Cloud Console, events are stored in an event repository. You cannot configure how many events to store in the event repository.

In the Events repository section of the Administration Server properties window, you can configure the maximum storage term of events concerning to the deleted devices. The maximum storage term is 1000 days.

To configure the number of days to store events relating to the deleted devices:

  1. In the main menu, click the settings icon () next to the Kaspersky Security Center Cloud Console Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Events repository section.
  3. Enable Store events after devices are deleted option.
  4. In the Maximum storage period (days) edit box specify the number of days to store events relating to the deleted devices.

The number of days to store events concerning to the deleted devices is limited by the specified value.

Additionally, you can change the settings of any task to save events related to the task progress, or save only task execution results. In doing so, you will reduce the number of events in the database, increase the speed of execution of scenarios associated with analysis of the event table in the database, and lower the risk that critical events will be overwritten by a large number of events.

See also:

Events of Kaspersky Security Center Cloud Console components

Page top
[Topic 176098]

Aggregate emails about events

During the operation, Kaspersky Security Center Cloud Console and managed Kaspersky applications generate events. Each event is attributed to a certain type and level of severity (Critical, Functional failure, Warning, or Info). Depending on the conditions under which an event occurred, Kaspersky Security Center Cloud Console can assign different levels of severity to events of the same type.

Kaspersky Security Center Cloud Console automatically sends, by email, notifications about events. Kaspersky Security Center Cloud Console sends notifications about events listed in the Administration Server properties window, on the Event configuration tab. Common notification settings are used for all event types.

To limit the number of emails that have to be sent, Kaspersky Security Center Cloud Console, during specific periods, aggregates events with the same severity level. Values of the periods are managed by Kaspersky specialists. As a result, recipients get aggregated email messages according to the following template: "<Number> <Severity_level> (and lower-level) events have occurred".

See also:

Configuring notification delivery

Monitoring and reporting

Page top
[Topic 189656]

Limitations on management of secondary Administration Servers running on-premises through Kaspersky Security Center Cloud Console

After you switch to a secondary Administration Server running on-premises by using the corresponding option in Kaspersky Security Center Cloud Console, the application imposes specific limitations on management of this secondary Administration Server. The following settings related to the Kaspersky Security Center Cloud Console operation become unavailable for the user:

  • In the settings of Network Agent policies and Administration Server policies, the Event configuration and Application settings tabs are unavailable; no new policies can be created.
  • In the settings of Network Agent tasks and Administration Server tasks, the Event configuration and Application settings tabs are unavailable; no new tasks can be created.
  • Management of Network Agent and Administration Server is unavailable, as well as the properties window of the secondary Administration Server.
  • The quick start wizard is unavailable.
  • The storage and notification settings for Network Agent and Administration Server events cannot be modified.
  • The Current application versions section is unavailable.
  • The Installation packages section is unavailable.
Page top
[Topic 191452]

Viewing the list of secondary Administration Servers

To view the list of the secondary (including virtual) Administration Servers:

In the main menu, click the name of the Administration Server, which is next to the settings icon ().

The drop-down list of the secondary (including virtual) Administration Servers is displayed.

You can proceed to any of these Administration Servers by clicking its name.

See also:

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

Page top
[Topic 178565]

Deleting a hierarchy of Administration Servers

If you no longer want to have a hierarchy of Administration Servers, you can disconnect them from this hierarchy.

To delete a hierarchy of Administration Servers:

  1. In the main menu, click the settings icon () next to the name of the primary Administration Server.
  2. On the page that opens, proceed to the Administration Servers tab.
  3. In the administration group from which you want to delete the secondary Administration Server, select the secondary Administration Server.
  4. On the menu line, click Delete.
  5. In the window that opens, click OK to confirm that you want to delete the secondary Administration Server.

The former primary Administration Server and the former secondary Administration Server are now independent of each other. The hierarchy no longer exists.

See also:

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

Page top
[Topic 180308]

Configuring the interface

Expand all | Collapse all

You can configure the Kaspersky Security Center Cloud Console interface to display and hide sections and interface elements, depending on the features that you use.

To configure the Kaspersky Security Center Cloud Console interface in accordance with the currently used set of features:

  1. In the main menu, go to your account settings, and then select Interface options.
  2. In the Interface options window that opens, enable or disable the options:
    • Show data encryption and protection

      You can use this option to hide or show the Operations → Data encryption and protection section in the interface. Kaspersky Security Center Cloud Console saves the value of this option only for your own user account while the other user can set a different value.

    • Show MDR features

      You can use this option to hide or show the Monitoring & reporting Incidents section in the interface. Kaspersky Security Center Cloud Console saves the value of this option only for your own user account while the other user can set a different value.

  3. Set the number of devices that Kaspersky Security Center Cloud Console displays in policy distribution results.
  4. Click Save.

The console interface settings are configured according to your preferences.

Page top
[Topic 195133][Topic 231121]

Creating a virtual Administration Server

You can create virtual Administration Servers and add them to administration groups.

To create and add a virtual Administration Server:

  1. In the main menu, click the settings icon () next to the name of the required Administration Server.
  2. On the page that opens, proceed to the Administration Servers tab.
  3. Select the administration group to which you want to add a virtual Administration Server.
  4. On the menu line, click New virtual Administration Server.
  5. On the page that opens, define the Name of virtual Administration Server.
  6. Click Save.

The new virtual Administration Server is created, added to the administration group and displayed on the Administration Servers tab.

Page top
[Topic 177870]

Enabling and disabling a virtual Administration Server

When you create a new virtual Administration Server, it is enabled by default. You can disable or enable it again at any time. Disabling or enabling a virtual Administration Server is equal to switching off or on a physical Administration Server.

To enable or disable a virtual Administration Server:

  1. In the main menu, click the settings icon () next to the name of the required Administration Server.
  2. On the page that opens, proceed to the Administration Servers tab.
  3. Select the virtual Administration Server that you want to enable or disable.
  4. On the menu line, click the Enable / disable virtual Administration Server button.

The virtual Administration Server state is changed to enabled or disabled, depending on its previous state. The updated state is displayed next to the Administration Server name.

See also:

Virtual Administration Server

Deleting a virtual Administration Server

Page top
[Topic 218343]

Assigning an administrator for a virtual Administration Server

When you use virtual Administration Servers in your organization, you might want to assign a dedicated administrator for each virtual Administration Server. For example, this might be useful when you create virtual Administration Servers to manage separate offices or departments of your organization, or if you are an MSP provider and you manage your tenants through virtual Administration Servers.

When you create a virtual Administration Server, it inherits the user list and all of the user rights of the primary Administration Server. If a user has access rights to the primary Server, this user has access rights to the virtual Server as well. After creation, you configure the access rights to the Servers independently. If you want to assign an administrator for a virtual Administration Server only, make sure that the administrator is not included in the Access rights list in the properties of the primary Administration Server.

You assign an administrator for a virtual Administration Server by granting the administrator access rights to the virtual Administration Server. You can grant the required access rights in one of the following ways:

  • Configure access rights for the administrator manually
  • Assign one or more user roles for the administrator

When you assign an administrator, make sure that you grant access to a single virtual Administration Server. An administrator with access to multiple virtual Administration Servers cannot sign in to Kaspersky Security Center Cloud Console.

An administrator of a virtual Administration Server signs in to Kaspersky Security Center Cloud Console the same way as signing in to the primary Administration Server. Kaspersky Security Center Cloud Console authenticates the administrator and opens the virtual Administration Server to which the administrator has access rights. The administrator cannot switch between Administration Servers.

Prerequisites

Before you start, ensure that the following conditions are met:

  • The virtual Administration Server is created.
  • On the primary Administration Server, you have created an account for the administrator that you want to assign for the virtual Administration Server.
  • The created account of the virtual Server administrator is not included in the Access rights lists in the properties of any Servers—primary or secondary.
  • You have the Modify object ACLs right in the General featuresUser permissions functional area.

Configuring access rights manually

To assign an administrator for a virtual Administration Server:

  1. In the main menu, switch to the required virtual Administration Server:
    1. Click the chevron icon (The chevron icon.) to the right of the current Administration Server name.
    2. Select the required Administration Server.
  2. In the main menu, click the settings icon () next to the name of the Administration Server.

    The Administration Server properties window opens.

  3. On the Access rights tab, click the Add button.

    A unified list of users of the primary Administration Server and the current virtual Administration Server opens.

  4. From the list of users, select the account of the administrator that you want to assign for the virtual Administration Server, and then click the OK button.

    The application adds the selected user to the user list on the Access rights tab.

  5. Select the check box next to the added account, and then click the Access rights button.
  6. Configure the rights that the administrator will have on the virtual Administration Server.

    For successful authentication, at minimum, the administrator must have the following rights:

    • Read right in the General featuresBasic functionality functional area
    • Read right in the General featuresVirtual Administration Servers functional area

The application saves the modified user rights to the administrator account.

Configuring access rights by assigning user roles

Alternatively, you can grant the access rights to a virtual Administration Server administrator through user roles. For example, this might be useful if you want to assign several administrators on the same virtual Administration Server. If this is the case, you can assign the administrators' accounts the same one or more user roles instead of configuring the same user rights for several administrators.

To assign an administrator for a virtual Administration Server by assigning user roles:

  1. On the primary Administration Server, create a new user role, and then specify all of the required access rights that an administrator must have on the virtual Administration Server. You can create several roles, for example, if you want to separate access to different functional areas.
  2. In the main menu, switch to the required virtual Administration Server:
    1. Click the chevron icon (The chevron icon.) to the right of the current Administration Server name.
    2. Select the required Administration Server.
  3. Assign the new role or several roles to the administrator account.

    When assigning roles to a user, in the main menu, go to Users & rolesUsers & groups, and then select the Users tab. If you select the Groups tab, and then assign roles to the group where the user is a member, the user will not be able to log in to Kaspersky Security Center Cloud Console.

The application assigns the new role to the administrator account.

Configuring access rights at the object level

In addition to assigning access rights at the functional area level, you can configure access to specific objects on the virtual Administration Server, for example, to a specific administration group or a task. To do this, switch to the virtual Administration Server, and then configure the access rights in the object's properties.

See also:

Virtual Administration Server

Deleting a virtual Administration Server

Page top
[Topic 237346]

Deleting a virtual Administration Server

When you delete a virtual Administration Server, all of the objects created on the Administration Server, including policies and tasks, will be deleted as well. The managed devices from the administration groups that were managed by the virtual Administration Server will be removed from the administration groups. To return the devices under management of Kaspersky Security Center Cloud Console, run the network polling, and then move the found devices from the Unassigned devices group to the administration groups.

To delete a virtual Administration Server:

  1. In the main menu, click the settings icon () next to the name of the Administration Server.
  2. On the page that opens, proceed to the Administration Servers tab.
  3. Select the virtual Administration Server that you want to delete.
  4. On the menu line, click the Delete button.

The virtual Administration Server is deleted.

See also:

Virtual Administration Server

Enabling and disabling a virtual Administration Server

Page top
[Topic 218393]