Adjustment of distribution points and connection gateways

A structure of administration groups in Kaspersky Security Center Cloud Console serves the following functions:

• Sets the scope of policies

  There is an alternate way of applying relevant settings on devices, by using policy profiles. In this case, the scope of policies is set with tags, device locations in Active Directory organizational units, membership in Active Directory security groups, etc.

• Sets the scope of group tasks

  There is an approach to defining the scope of group tasks that is not based on a hierarchy of administration groups: use of tasks for device selections and tasks for specific devices.

• Sets access rights to devices and secondary Administration Servers
• Assigns distribution points

When building the structure of administration groups, you must take into account the topology of the organization's network for the optimum assignment of distribution points. The optimum distribution of distribution points enables you to save traffic in the organization's network.

Depending on the organizational schema and network topology, the following standard configurations can be applied to the structure of administration groups:

• Single office
• Multiple small remote offices

Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.

Calculating the number and configuration of distribution points

The more client devices a network contains, the more distribution points it requires. Use the tables below to calculate the number of distribution points required for your network.

Make sure that the devices that you intend to use as distribution points have sufficient volume of free disk space, are not shut down regularly, and have Sleep mode disabled.

Number of exclusively assigned distribution points on a network that contains a single network segment, based on the number of networked devices

Number of exclusively assigned distribution points on a network that contains multiple network segments, based on the number of networked devices

Using standard client devices (workstations) as distribution points

If you plan to use standard client devices (that is, workstations) as distribution points, we recommend that you assign distribution points as shown in the tables below in order to avoid excessive load on the communication channels and on Administration Server:

Number of workstations functioning as distribution points on a network that contains a single network segment, based on the number of networked devices

Number of workstations functioning as distribution points on a network that contains multiple network segments, based on the number of networked devices

If a distribution point is not available, update Kaspersky databases, software modules, and applications manually or directly from the Kaspersky update servers.

Standard configuration of distribution points: Single office

In a standard "single-office" configuration, all devices are on the organization's network so they can "see" each other. The organization's network may consist of a few separate parts (networks or network segments) linked by narrow channels.

The following methods of building the structure of administration groups are possible:

• Building the structure of administration groups taking into account the network topology. The structure of administration groups may not reflect the network topology with absolute precision. A match between the separate parts of the network and certain administration groups would be enough.
• Building the structure of administration groups, without taking the network topology into account. In this case, you must assign one or several devices to act as distribution points for a root administration group in each of the separate parts of the network, for example, for the Managed devices group. All distribution points will be at the same level and will feature the same scope spanning all devices in the organization's network. In this case, each Network Agent will connect to the distribution point that has the shortest route. The route to a distribution point can be traced with the tracert utility.

Standard configuration of distribution points: Multiple small remote offices

This standard configuration provides for a number of small remote offices, which may communicate with the head office over the internet. Each remote office is located behind the NAT, that is, connection from one remote office to another is not possible because offices are isolated from one another.

The configuration must be reflected in the structure of administration groups: a separate administration group must be created for each remote office (groups Office 1 and Office 2 in the figure below).

Remote offices are included in the administration group structure

One or multiple distribution points must be assigned to each administration group that correspond to an office. Distribution points must be devices at the remote office that have a sufficient amount of free disk space. Devices deployed in the Office 1 group, for example, will access distribution points assigned to the Office 1 administration group.

If some users move between offices physically, with their laptops, you must select two or more devices (in addition to the existing distribution points) in each remote office and assign them to act as distribution points for a top-level administration group (Root group for offices in the figure above).

Example: A laptop is deployed in the Office 1 administration group and then is moved physically to the office that corresponds to the Office 2 administration group. After the laptop is moved, Network Agent attempts to access the distribution points assigned to the Office 1 group, but those distribution points are unavailable. Then, Network Agent starts attempting to access the distribution points that have been assigned to the Root group for offices. Because remote offices are isolated from one another, attempts to access distribution points assigned to the Root group for offices administration group will only be successful when Network Agent attempts to access distribution points in the Office 2 group. That is, the laptop will remain in the administration group that corresponds to the initial office, but the laptop will use the distribution point of the office where it is physically located at the moment.

Assigning distribution points manually

Expand all | Collapse all

Kaspersky Security Center Cloud Console enables you to manually assign devices to act as distribution points. We recommend that you calculate the number and configuration of distribution points required for your network.

Distribution point devices running macOS cannot download updates from Kaspersky update servers.

If one or more devices running macOS are within the scope of the Download updates to the repositories of distribution points task, the task completes with the Failed status, even if it has successfully completed on all Windows devices.

Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.

To manually assign a device to act as distribution point:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens.

2. On the General tab, select the Distribution points section.
3. Click the Assign button.
4. Select the device that you want to make a distribution point.

   When selecting a device, keep in mind the operation features of distribution points and the requirements set for the device that acts as distribution point.

5. Select the administration group that you want to include in the scope of the selected distribution point.
6. Click the Add button.

   The distribution point that you have added will be displayed in the list of distribution points, in the Distribution points section.

7. Select the newly added distribution point in the list to open its properties window.
8. Configure the distribution point in the properties window:
   • The General section contains the settings of interaction between the distribution point and client devices:
     • SSL port

       The number of the SSL port for encrypted connection between client devices and the distribution point using SSL.

       By default, port 13000 is used.

     • Use multicast

       If this option is enabled, IP multicasting will be used for automatic distribution of installation packages to client devices within the group.

       IP multicasting decreases the time required to install an application from an installation package to a group of client devices, but increases the installation time when you install an application to a single client device.

     • IP multicast address

       IP address that will be used for multicasting. You can define an IP address in the range of 224.0.0.0 – 239.255.255.255

       By default, Kaspersky Security Center Cloud Console automatically assigns a unique IP multicast address within the given range.

     • IP multicast port number

       Number of the port for IP multicasting.

       By default, the port number is 15001. If the device with Administration Server installed is specified as the distribution point, port 13001 is used for SSL connection by default.

     • Deploy updates

       Updates are distributed to managed devices from the following sources:

       • This distribution point, if this option is enabled.
       • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

       If you use distribution points to deploy updates, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

       If you disable this option, the number of update downloads and load on the Administration Server may increase. By default, this option is enabled.

     • Deploy installation packages

       Installation packages are distributed to managed devices from the following sources:

       • This distribution point, if this option is enabled.
       • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

       If you use distribution points to deploy installation packages, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

       If you disable this option, the number of installation package downloads and load on the Administration Server may increase. By default, this option is enabled.

     • Run push server

       In Kaspersky Security Center Cloud Console, a distribution point can work as a push server for Windows-based and Linux-based devices that are managed by Network Agent. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable a push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.

     • Push server port

       The port number for the push server. You can specify the number of any unoccupied port.

   • In the Scope section, specify the scope to which the distribution point will distribute updates (administration groups and / or network location).

     Only devices running a Windows operating system can determine their network location. Network location cannot be determined for devices running other operating systems.

   • In the KSN Proxy section, you can configure the application to use the distribution point to forward KSN requests from the managed devices:

     Enable KSN Proxy on the distribution point side

     The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.

     This feature is not supported by distribution point devices running Linux or macOS.

     The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\ksneula.

     By default, this option is disabled. Enabling this option takes effect only if the I agree to use Kaspersky Security Network option is enabled in the Administration Server properties window.

     You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.

   • Configure the polling of Windows domains, domain controller, and IP ranges by the distribution point:
     • Windows domains polling

       You can enable device discovery for Windows domains and set the schedule for the discovery.

     • Domain controller polling

       You can enable network polling for Active Directory and set the schedule for the poll.

       If you use a Windows distribution point, you can select one of the following options:

       • Poll current Active Directory domain.
       • Poll Active Directory domain forest.
       • Poll selected Active Directory domains only. If you select this option, add one or more Active Directory domains to the list.

       If you use a Linux distribution point with installed Network Agent version 15, you can poll only Active Directory domains for which you specify the address and user credentials. Polling of the current Active Directory domain and the Active Directory domain forest is not available.

       You can enable device discovery for domain controllers.

       If you select the Enable domain controller polling option, you can select domain controllers for polling and also specify the polling schedule for them.

       If you use a Linux distribution point, in the Poll specified domains section, click Add, and then specify the address and user credentials of the domain controller.

       If you use a Windows distribution point, you can select one of the following options:

       • Poll current domain
       • Poll entire domain forest
       • Poll specified domains
     • IP range polling

       You can enable device discovery for IPv4 ranges and IPv6 networks.

       If you enable the Enable range polling option, you can add scanned ranges and set the schedule for them. You can add IP ranges to the list of scanned ranges.

       If you enable the Use Zeroconf to poll IPv6 networks option, the distribution point automatically polls the IPv6 network by using zero-configuration networking (also referred to as Zeroconf). In this case, the specified IP ranges are ignored because the distribution point polls the whole network. The Use Zeroconf to poll IPv6 networks option is available if the distribution point runs Linux. To use Zeroconf IPv6 polling, you must install the avahi-browse utility on the distribution point.

   • In the Advanced section, specify the folder that the distribution point must use to store distributed data:
     • Use default folder

       If you select this option, the application uses the Network Agent installation folder on the distribution point.

     • Use specified folder

       If you select this option, in the field below, you can specify the path to the folder. It can be a local folder on the distribution point, or it can be a folder on any device on the corporate network.

       The user account used on the distribution point to run Network Agent must have read/write access to the specified folder.

9. Click the OK button.

The selected devices act as distribution points.

Modifying the list of distribution points for an administration group

You can view the list of distribution points assigned to a specific administration group and modify the list by adding or removing distribution points.

To view and modify the list of distribution points assigned to an administration group:

1. In the main menu, go to Assets (Devices) → Groups.
2. In the administration group structure, select the administration group for which you want to view the assigned distribution points.
3. Click the Distribution points tab.
4. Add new distribution points for the administration group by using the Assign button or remove the assigned distribution points by using the Unassign button.

Depending on your modifications, the new distribution points are added to the list or existing distribution points are removed from the list.

Using a distribution point as a push server

In Kaspersky Security Center Cloud Console, a distribution point can work as a push server for Windows-based and Linux-based devices that are managed by Network Agent. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable a push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.

You can use distribution points as push servers to ensure that continuous connectivity between a managed device and the Administration Server. Continuous connectivity is needed for some operations, such as running and stopping local tasks, receiving statistics for a managed application, or creating a tunnel. If you use a distribution point as a push server, you do not have to send packets to the UDP port of Network Agent.

To use a distribution point as a push server:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens.

2. On the General tab, select the Distribution points section.
3. Click the distribution point that you want to use as a push server.
4. In the property list of the selected distribution point, go to the General section, and then enable the Run push server option.

   The Push server port entry field becomes available.

5. In the Push server port entry field, specify the port on the distribution point that client devices will use for connection. By default, port 13295 is used.

   To establish connection between the distribution point acting as a push server and a managed device, you must manually add the specified push server port to the Microsoft Windows Firewall exclusion list.

6. Click OK to exit the distribution point properties window, and then click Save to apply changes.

   After you enable the Run push server option, the Do not disconnect from the Administration Server option is automatically enabled on the distribution point that acts as a push server. This option provides an early connection between Network Agent and the Administration Server.

7. Open the Network Agent policy settings window.
8. Go to Connectivity → Network, and then enable the Use distribution point to force connection to the Administration Server option. Close the lock for this option.
9. Also in the Network subsection, you can disable the Use UDP port option. The configured push server will provide continuous connectivity between a managed device and the Administration Server instead of sending packets through the UDP port.
10. Click OK to exit the window.

The distribution point starts acting as a push server. It can now send push notifications to client devices.

Using the "Do not disconnect from the Administration Server" option to provide continuous connectivity between a managed device and the Administration Server

If you do not use push servers, Kaspersky Security Center Cloud Console does not provide continuous connectivity between managed devices and the Administration Server. Network Agents on managed devices periodically establish connections and synchronize with the Administration Server. The interval between those synchronization sessions is defined in a Network Agent policy. If an early synchronization is required, the Administration Server (or a distribution point, if it is in use) sends a signed network packet over an IPv4 or IPv6 network to the UDP port of Network Agent. By default, the port number is 15000. If no connection through UDP is possible between the Administration Server and a managed device, synchronization will run at the next regular connection of Network Agent to the Administration Server within the synchronization interval.

Some operations cannot be performed without an early connection between Network Agent and the Administration Server, such as running and stopping local tasks, receiving statistics for a managed application, or creating a tunnel. To resolve this issue, if you are not using push servers, you can use the Do not disconnect from the Administration Server option to ensure continuous connectivity between a managed device and the Administration Server.

To provide continuous connectivity between a managed device and the Administration Server:

1. Do one of the following:
   • If the managed device accesses the Administration Server directly (that is, not via a distribution point):
     1. In the main menu, go to Devices → Managed devices.
     2. Click the name of the device with which you want to provide continuous connectivity.

        The property window of the managed device opens.

   • If the managed device accesses the Administration Server through a distribution point running in gateway mode, not directly:
     1. In the main menu, click the settings icon () next to the name of the required Administration Server.

        The Administration Server properties window opens.

     2. On the General tab, select the Distribution points section.
     3. In the distribution point list, click the name of the required distribution point.

        The properties window of the selected distribution point opens.

2. In the General section of the opened properties window, select the Do not disconnect from the Administration Server option.

Continuous connectivity is established between the managed device and the Administration Server.

The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.