Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server
A connection gateway is Network Agent operating in a special mode. Network Agent is a Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications. A connection gateway receives connections from other Network Agents and tunnels them to the Administration Server through its own connection with the Server. Unlike an ordinary Network Agent, a connection gateway may be configured to wait for connections from the Administration Server rather than establishing connections to it.
A connection gateway lets you more efficiently use the security features to protect network infrastructure against potential vulnerabilities.
- Using a connection gateway makes it easier to monitor suspicious activity on a separate network node outside the LAN (local area network). It helps to avoid direct malicious attacks via the mobile protocol, because a different protocol is used for communication between the connection gateway and Kaspersky Security Center.
- The attack surface of the network is smaller, since communication between Kaspersky Security Center and the connection gateway goes through a single port (13000 by default) through which all requests are processed.
- Using a connection gateway makes it possible to verify the mobile certificate outside the LAN and to prevent devices from sending data to Kaspersky Security Center before they are authenticated, which protects the network infrastructure against vulnerabilities in low-level protocols such as TLS/SSL.
This topic describes how to configure a connection gateway to connect mobile devices to Kaspersky Security Center Administration Server. The configuration proceeds in the following steps:
- Install Network Agent in the connection gateway role on a host.
- Configure the connection gateway on Kaspersky Security Center Administration Server.
This article contains an overview of the scenario. For detailed instructions, refer to the Kaspersky Security Center Help.
Requirements
For a connection gateway to work correctly with mobile devices, the following requirements must be met:
- Port 13293 or port 13292 must be open on the host with the connection gateway. These ports are designed for connecting and synchronizing mobile devices.
  - When using port 13293, the TLS certificate is verified on the connection gateway (without being sent to the Administration Server).
  - When using port 13292, the certificate is not verified (the LP_MobileMustUseTwoWayAuthOnPort13292 flag is ignored).
- Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
- The host must have a static address accessible from the internet.
Install Network Agent in the connection gateway role on a host
First, install Network Agent on the host that will act in the connection gateway role. You can download a full Kaspersky Security Center installation package or use a local installation of Kaspersky Security Center.
By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>
To install Network Agent in the connection gateway role:
- Start the Network Agent Setup Wizard and follow its instructions, leaving the default values for all options, until the Select Administration Server window opens.
- In the Select Administration Server window, configure the following settings:
  - Enter the address of the device with Administration Server installed.
  - In the Port, SSL port, and UDP port fields, leave the default values.
  - Select the Use SSL to connect to Administration Server check box to establish a connection to the Administration Server through a secure port via SSL.
    We recommend that you do not clear this check box so that your connection remains secured.
  - Select the Allow Network Agent to open UDP port check box to manage client devices and receive information about them.
- Click Next and proceed through the Wizard with default settings up to the Connection gateway window.
- In the Connection gateway window, select Use Network Agent as a connection gateway in DMZ.
  This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server rather than establish connections to it.
- Click Next and start the installation.
Network Agent is now installed and configured in the connection gateway role.
Configure the connection gateway on Kaspersky Security Center Administration Server
Once you have installed Network Agent in the connection gateway role, you need to connect it to Administration Server. Administration Server does not yet list the device with the connection gateway among the managed devices because the connection gateway has not tried to connect to Administration Server. Therefore, you need to add the connection gateway as a distribution point to ensure that Administration Server initiates a connection to the connection gateway.
To configure the connection gateway on Administration Server:
- Add the connection gateway as a distribution point in Kaspersky Security Center:
  - In the console tree, select the Administration Server node.
  - In the context menu of Administration Server, select Properties.
  - In the Administration Server properties window, select the Distribution points section.
  - Click the Add button.
    The Add distribution point window opens.
  - In the Add distribution point window, perform the following actions:
    - In the Device to act as distribution point field, select Add connection gateway in DMZ by address in the drop-down list, and then enter the IP address of the connection gateway, or its name if the connection gateway is accessible by name.
    - In the Distribution point scope field, select from the drop-down list the group to which the connection gateway will be distributed, and then click OK.
  - In the Distribution points section, click OK to save the changes you have made.
    The connection gateway is saved as a new entry named Temporary entry for connection gateway.
    Administration Server almost immediately attempts to connect to the connection gateway at the address that you specified. If it succeeds, the entry name changes to the name of the connection gateway device. This process takes up to five minutes.
    While the temporary entry for the connection gateway is being converted to a named entry, the connection gateway also appears in the Unassigned devices group.
- Create a new group under the Managed devices group. This new group will contain external managed devices.
- Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.
- Configure properties of the connection gateway that you have deployed:
  - In the Distribution points section of the Administration Server properties, select the connection gateway, and then click Properties.
    For detailed information on configuring the distribution point properties, refer to the Kaspersky Security Center Help.
  - In the General section, under DNS domain names of the distribution point for access by mobile devices (included in the certificate), specify the DNS name of your connection gateway that mobile devices will use to connect to it.
    If the 'CA: true' basic constraint is not set for a custom mobile Administration Server certificate, the same certificate is used for the connection gateway as for the Administration Server.
  - In the Connection Gateway section, select the following check boxes and leave the default port numbers:
    - Open port for mobile devices (SSL authentication of the Administration Server only)
    - Open port for mobile devices (two-way SSL authentication)
  - Click OK to save the changes you have made.
The connection gateway is now configured. You can now add new mobile devices by specifying the connection gateway address. New devices will appear on the Administration Server.
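As an added example (not Kaspersky's own tooling), the following Python script checks that the certificate a gateway presents on port 13293, the port on which the TLS certificate is verified, carries the DNS name entered under DNS domain names of the distribution point for access by mobile devices. The gateway host, expected name and CA file (the mobile Administration Server certificate exported from the console) are assumptions supplied by the operator.

```python
import socket
import ssl

# From the Requirements section: 13293 verifies the TLS certificate on the
# gateway, 13292 does not. Both constants are set here for this example.
MOBILE_PORT_VERIFIED = 13293
MOBILE_PORT_UNVERIFIED = 13292


def cert_dns_names(cert):
    """DNS names from a getpeercert()-style dict: SAN entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(expected, names):
    """Case-insensitive exact match; a single leading '*.' label is accepted."""
    expected = expected.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == expected:
            return True
        if name.startswith("*.") and "." in expected and expected.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_gateway(host, expected_name, cafile, port=MOBILE_PORT_VERIFIED, timeout=5.0):
    """Connect to the gateway, validate its chain against cafile (assumed to be
    the exported mobile Administration Server certificate), and report whether
    the presented certificate carries the configured DNS name.
    Returns (ok, names_found)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # the name check is done by name_matches() below
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must validate or the handshake fails
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    names = cert_dns_names(cert)
    return name_matches(expected_name, names), names


if __name__ == "__main__":
    import sys
    # Usage: python check_gateway.py <gateway-host> <expected-dns-name> <ca-file>
    ok, names = check_gateway(sys.argv[1], sys.argv[2], sys.argv[3])
    print("OK" if ok else "MISMATCH", names)
```

A mismatch means mobile devices connecting on port 13293 will reject the gateway, so the DNS name in the distribution point properties or the mobile certificate needs correcting before packages are rolled out.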
To change the mobile device connection address, reissue the mobile certificate with a new connection address specified when configuring the connection gateway (in the Administration Server properties window, select Administration server connection settings → Certificates). For detailed information on reissuing mobile certificates, refer to the Reissuing the mobile Administration Server certificate section.
To make sure mobile devices synchronize with Kaspersky Security Center through the connection gateway, the connection address that you set when configuring the connection gateway must be specified in the properties of the Kaspersky Endpoint Security for Android installation packages.