Kaspersky Security Center Cloud Console

Network polling

Information about the structure of the network and devices on this network is received by Kaspersky Security Center Cloud Console through regular polling of the Windows network, IP ranges, Microsoft Active Directory domain controller and a Samba domain controller. For a Samba domain controller, Samba 4 is used as an Active Directory domain controller. Network polling can be started either manually or automatically according to a schedule.

Based on the results of this polling, Kaspersky Security Center Cloud Console updates the list of unassigned devices. You can also configure rules for newly discovered devices to be moved automatically to administration groups.

Kaspersky Security Center Cloud Console uses the following methods of network polling:

  • IP range polling. Kaspersky Security Center Cloud Console polls the specified IP ranges using Internet Control Message Protocol (ICMP) packets and compiles a complete set of data on devices within those IP ranges.
  • Windows network polling. You can run either of the two Windows network polls: fast or full. During a fast poll, Kaspersky Security Center Cloud Console only retrieves information from the list of the NetBIOS names of devices in all network domains and work groups. During a full poll, the following information is requested from each device: operating system (OS) name, IP address, DNS name, and NetBIOS name.
  • Domain controllers polling. Information about the Active Directory unit structure and about DNS names of the devices from Active Directory groups is recorded to the Kaspersky Security Center Cloud Console database.

Polling results are shown in the Discovery & deployment → Discovery section separately for the Windows network polling and the Domain controllers polling methods.

Polling results for the IP range polling method are shown in the Discovery & deployment → Unassigned devices section.

One device can be shown in more than one detection area. If a device is detected in the HQ domain and its address is 192.168.0.1, the device will appear in both the Windows domains section and the Unassigned devices section. You can modify network polling settings for each polling method. For example, you may want to modify the polling schedule or to set whether to poll the entire Active Directory forest or only a specific domain.

In this section

Windows network polling

Domain controller polling

IP range polling

Configuring a Samba domain controller

Adding and modifying an IP range


Windows network polling

About Windows network polling

During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS names of devices in all network domains and workgroups. During a full poll, the following information is requested from each client device:

  • Operating system name
  • IP address
  • DNS name
  • NetBIOS name

Both quick polls and full polls require the following:

  • Ports UDP 137/138, TCP 139 must be available on the network.
  • The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled on the distribution point.
  • The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled on the client devices:
    • On at least one device, if the number of networked devices does not exceed 32.
    • On at least one device for each 32 networked devices.

The full poll can run only if the quick poll has run at least once.

Viewing and modifying the settings for Windows network polling

To modify the properties of Windows network polling:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Click the name of the distribution point that you want to use to poll the network.

    The distribution point properties window opens.

  4. Select the Windows domains polling section.
  5. Enable or disable Windows network polling by using the Enable network polling toggle button.
  6. Configure the schedule for the quick polling and the full polling.
  7. Click the OK button.

The properties are saved and applied to all of the discovered Windows domains and workgroups.


Domain controller polling

Kaspersky Security Center Cloud Console supports polling of a Microsoft Active Directory domain controller and a Samba domain controller only by using a distribution point.

Kaspersky Security Center Cloud Console allows you to poll a Samba domain controller only by using a Linux distribution point. For a Samba domain controller, Samba 4 is used as an Active Directory domain controller.

When you poll a domain controller, a distribution point retrieves information about the domain structure, user accounts, security groups, and DNS names of the devices that are included in the domain. Domain controller polling is performed according to a schedule that you set.

Prerequisites

Before you poll a domain controller, ensure that the following protocols are enabled:

  • Simple Authentication and Security Layer (SASL)
  • Lightweight Directory Access Protocol (LDAP)

Ensure that the following ports are available on the domain controller device:

  • 389 for SASL
  • 636 for TLS

Domain controller polling by using a distribution point

You can also poll a domain controller by using a distribution point. A Windows- or Linux-based managed device can act as a distribution point.

For a Linux distribution point, polling of both a Microsoft Active Directory domain controller and a Samba domain controller is supported.
For a Windows distribution point, only polling of a Microsoft Active Directory domain controller is supported.
Polling with a Mac distribution point is not supported.

To configure domain controller polling by using the distribution point:

  1. Open the distribution point properties.
  2. Select the Domain controller polling section.
  3. Select the Enable domain controller polling option.
  4. Select the domain controller that you want to poll.

    If you use a Linux distribution point, in the Poll specified domains section, click Add, and then specify the address and user credentials of the domain controller.

    If you use a Windows distribution point, you can select one of the following options:

    • Poll current domain
    • Poll entire domain forest
    • Poll specified domains
  5. Click the Set polling schedule button to specify the polling schedule options if needed.

    Polling starts only according to the specified schedule. Manual start of polling is not available.

After the polling is completed, the domain structure will be displayed in the Domain controllers section.

If you set up and enabled device moving rules, the newly discovered devices are automatically included in the Managed devices group. If no moving rules have been enabled, the newly discovered devices are automatically included in the Unassigned devices group.

The discovered user accounts can be used for domain authentication in Kaspersky Security Center Cloud Console.

Viewing the results of domain controller polling

To view the results of domain controller polling:

  1. In the main menu, go to Discovery & deployment → Discovery → Domain controllers.

    The list of discovered organizational units is displayed.

  2. Select an organizational unit, and then click the Devices button.

    The list of devices in the organizational unit is displayed.

You can search the list and filter the results.


IP range polling

Kaspersky Security Center Cloud Console attempts to perform reverse name resolution for every address from the specified range to a DNS name using standard DNS requests. If this operation succeeds, the server sends an ICMP ECHO REQUEST (the same as the ping command) to the received name. If the device responds, the information about it is added to the Kaspersky Security Center Cloud Console database. The reverse name resolution is necessary to exclude the network devices that can have an IP address but are not computers, for example, network printers or routers.

This polling method relies upon a correctly configured local DNS service. It must have a reverse lookup zone. If this zone is not configured, IP subnet polling will yield no results. On the networks where Active Directory is used, such a zone is maintained automatically. But on these networks, IP subnet polling does not provide more information than Active Directory polling. Moreover, administrators of small networks often do not configure the reverse lookup zone because it is not necessary for the work of many network services. For these reasons, IP subnet polling is disabled by default.

Initially, Kaspersky Security Center Cloud Console gets IP ranges for polling from the network settings of the distribution point device that is used for network polling. If the device address is 192.168.0.1 and the subnet mask is 255.255.255.0, Kaspersky Security Center Cloud Console automatically includes the network 192.168.0.0/24 in the list of polling addresses. Kaspersky Security Center Cloud Console polls all addresses from 192.168.0.1 to 192.168.0.254.

It is not recommended to use IP range polling if you use Windows network polling and/or Active Directory polling.
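Because addresses without a reverse record are skipped before any ICMP request is sent, it helps to measure reverse lookup coverage of a range before enabling this poll. The following is an added example, not Kaspersky code; the function names and the sample PTR table are constructed for illustration.

```python
import ipaddress
import socket

def reverse_lookup(addr):
    """Return the PTR name for addr, or None if no reverse record exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def ptr_coverage(network, lookup=reverse_lookup):
    """Split the host addresses of `network` by whether they reverse-resolve.

    Addresses in the second list are the ones the poll described above
    would drop, because reverse name resolution is its first step.
    """
    named, unnamed = {}, []
    for host in ipaddress.ip_network(network).hosts():
        name = lookup(str(host))
        if name:
            named[str(host)] = name
        else:
            unnamed.append(str(host))
    return named, unnamed

# Constructed sample data standing in for a reverse lookup zone (assumption).
SAMPLE_PTR = {
    "192.168.0.1": "dp01.hq.example",
    "192.168.0.10": "ws-010.hq.example",
    "192.168.0.11": "ws-011.hq.example",
}

def sample_report():
    """Coverage of 192.168.0.0/24 against the constructed PTR table."""
    named, unnamed = ptr_coverage("192.168.0.0/24", SAMPLE_PTR.get)
    return len(named), len(unnamed), unnamed[0], unnamed[-1]

if __name__ == "__main__":
    resolved, missing, first, last = sample_report()
    print(f"{resolved} addresses have PTR records, {missing} do not "
          f"({first} .. {last})")
```

Calling `ptr_coverage("192.168.0.0/24")` without the second argument queries the resolver configured on the machine where it runs.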

Viewing and modifying the settings for IP range polling

To view and modify the properties of IP range polling:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Click the name of the distribution point that you want to use to poll the network.

    The distribution point properties window opens.

  4. Select the IP range polling section.
  5. Enable or disable IP polling by using the Enable range polling toggle button.
  6. Configure the polling schedule. By default, IP polling runs every 420 minutes (seven hours).
  7. If necessary, add or modify IP ranges to poll.

    When specifying the polling interval, make sure that this setting does not exceed the value of the IP address lifetime parameter. If an IP address is not verified by polling during the IP address lifetime, this IP address is automatically removed from the polling results. By default, the life span of the polling results is 24 hours, because dynamic IP addresses (assigned using Dynamic Host Configuration Protocol (DHCP)) change every 24 hours.

  8. Click the OK button.

The properties are saved and applied to all IP ranges.


Configuring a Samba domain controller

Kaspersky Security Center Cloud Console supports a Linux domain controller running only on Samba 4.

A Samba domain controller supports the same schema extensions as a Microsoft Active Directory domain controller. You can enable full compatibility of a Samba domain controller with a Microsoft Active Directory domain controller by using the Samba 4 schema extension. This is an optional action.

We recommend enabling full compatibility of a Samba domain controller with a Microsoft Active Directory domain controller. This will ensure the correct interaction between Kaspersky Security Center Cloud Console and the Samba domain controller.

To enable full compatibility of a Samba domain controller with a Microsoft Active Directory domain controller:

  1. Execute the following command to use the RFC2307 schema extension:

    samba-tool domain provision --use-rfc2307 --interactive

  2. Enable the schema update in a Samba domain controller. To do this, add the following line to the /etc/samba/smb.conf file:

    dsdb:schema update allowed = true

    If the schema update completes with an error, you need to perform a full restore of the domain controller that acts as a schema master.

If you want to poll a Samba domain controller correctly, you have to specify the netbios name and workgroup parameters in the /etc/samba/smb.conf file.
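The settings named above can be checked before the first poll. The following is an added example, not part of the product or of Samba; it assumes the parameters live in the [global] section, and the function name and sample file are constructed.

```python
import configparser

REQUIRED = ("netbios name", "workgroup")    # needed for polling (this page)
SCHEMA_KEY = "dsdb:schema update allowed"   # optional, recommended (this page)

def check_smb_conf(text):
    """Return findings for the smb.conf settings this page names."""
    cp = configparser.ConfigParser(
        delimiters=("=",),            # keys such as 'dsdb:...' contain ':'
        comment_prefixes=("#", ";"),
        interpolation=None, strict=False, allow_no_value=True)
    # Parameter names are case-insensitive and whitespace in them is ignored.
    cp.optionxform = lambda key: "".join(key.lower().split())
    try:
        # Strip indentation so it is not read as a value continuation.
        cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    except configparser.Error as exc:
        return [f"cannot parse file: {type(exc).__name__}"]
    section = next((s for s in cp.sections() if s.lower() == "global"), None)
    if section is None:
        return ["no [global] section found"]
    glob = cp[section]
    findings = [f"required parameter '{name}' is not set"
                for name in REQUIRED if not (glob.get(name) or "").strip()]
    if (glob.get(SCHEMA_KEY) or "").strip().lower() not in ("yes", "true", "1"):
        findings.append(f"recommended: '{SCHEMA_KEY} = true' is not set")
    return findings

# Constructed sample, not a real configuration.
SAMPLE = """\
[global]
    NetBIOS Name = DC1
    realm = HQ.EXAMPLE
    dsdb:schema update allowed = true

[netlogon]
    path = /var/lib/samba/sysvol/hq.example/scripts
"""

if __name__ == "__main__":
    for finding in check_smb_conf(SAMPLE):
        print(finding)
```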


Adding and modifying an IP range


Initially, Kaspersky Security Center Cloud Console gets IP ranges for polling from the network settings of the distribution point device that is used for network polling. If the device address is 192.168.0.1 and the subnet mask is 255.255.255.0, Kaspersky Security Center Cloud Console automatically includes the network 192.168.0.0/24 in the list of polling addresses. Kaspersky Security Center Cloud Console polls all addresses from 192.168.0.1 to 192.168.0.254. You can modify the automatically defined IP ranges or add custom IP ranges.

To add a new IP range:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Click the name of the distribution point that you want to use to poll the network.

    The distribution point properties window opens.

  4. Select the IP range polling section.
  5. To add a new IP range, click the Add button.
  6. In the window that opens, specify the following settings:
    • Name

      A name of the IP range. You might want to specify the IP range itself as its name, for example, "192.168.0.0/24".

    • IP interval or subnet address and mask

      Set the IP range by specifying either the start and end IP addresses or the subnet address and subnet mask. You can add as many subnets as you need. Named IP ranges are not allowed to overlap, but unnamed subnets inside an IP range have no such restrictions.

    • IP address lifetime (hours)

      When specifying this parameter make sure that it exceeds the polling interval set in the polling schedule. If an IP address is not verified by polling during the IP address lifetime, this IP address is automatically removed from the polling results. By default, the life span of the polling results is 24 hours, because dynamic IP addresses (assigned using Dynamic Host Configuration Protocol (DHCP)) change every 24 hours.

  7. Click the OK button.

The new IP range is added to the list of IP ranges.

When the polling is complete, you can view the list of discovered devices by using the Devices button. By default, the life span of the polling results is 24 hours and it is equal to the IP address lifetime setting.
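Two constraints from this page can be checked on a planned set of ranges before entering them: named IP ranges must not overlap, and the IP address lifetime must exceed the polling interval (also stated in the IP range polling procedure). The following is an added example, not Kaspersky code; the function names and the sample ranges are constructed.

```python
import ipaddress

DEFAULT_POLL_INTERVAL_MIN = 420   # default from the page: every seven hours
DEFAULT_LIFETIME_HOURS = 24       # default IP address lifetime from the page

def auto_range(device_ip, mask):
    """Network and first/last polled address derived from address and mask."""
    net = ipaddress.ip_interface(f"{device_ip}/{mask}").network
    hosts = list(net.hosts())
    return str(net), str(hosts[0]), str(hosts[-1])

def to_networks(spec):
    """Accept 'a.b.c.d/nn' or 'start-end' and return the covering networks."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]

def check_ranges(ranges, poll_interval_min=DEFAULT_POLL_INTERVAL_MIN):
    """ranges: {name: (spec, lifetime_hours)}. Returns a list of problems."""
    problems = []
    names = list(ranges)
    for name in names:
        lifetime_h = ranges[name][1]
        # The lifetime must exceed the interval, so equality is also flagged.
        if lifetime_h * 60 <= poll_interval_min:
            problems.append(f"{name}: lifetime {lifetime_h} h does not exceed "
                            f"polling interval {poll_interval_min} min")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in to_networks(ranges[a][0])
                   for y in to_networks(ranges[b][0])):
                problems.append(f"{a} overlaps {b}")
    return problems

# Constructed sample configuration (assumption, not taken from a product).
SAMPLE = {
    "HQ": ("192.168.0.0/24", DEFAULT_LIFETIME_HOURS),
    "HQ-printers": ("192.168.0.200-192.168.0.220", DEFAULT_LIFETIME_HOURS),
    "Branch": ("10.20.0.0/22", 6),
}

if __name__ == "__main__":
    print(auto_range("192.168.0.1", "255.255.255.0"))
    for problem in check_ranges(SAMPLE):
        print(problem)
```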
