Kaspersky Endpoint Security and Management. Scaling
Managing computers located outside the network
Lab Guide
www.kaspersky.com
Lab 1. Install a connection gateway in the DMZ
Scenario. Some of the company's computers are outside the local network and can only connect to the Administration Server
through public networks (the internet). You want to connect these computers through a KSC gateway deployed in the
demilitarized zone. To achieve this, you need to install the KSC Network Agent on a server in the demilitarized zone and
configure the Agent to act as the connection gateway.
You can assign the Distribution Point and Connection Gateway roles to any Network Agent in the Kaspersky Security Center
Administration Console. At the next planned synchronization, the Agent learns about the assignment and begins to perform the
role. However, computers in the DMZ typically cannot connect to the KSC Server. To assign the connection gateway role to a
computer in the DMZ, you need to install the Network Agent in a special mode: Connection gateway in DMZ. Such an Agent does
not try to connect to the Administration Server; instead, it waits for connections from the Administration Server on TCP
port 13000.
To install the Network Agent in this mode, change the Network Agent package settings. For this purpose, create a new package
from the ordinary Network Agent installation package.
Enable the Connection Gateway functionality, configure tagging, and specify the IP address of the Administration Server in the
properties of the Network Agent installation package.
An installation package is easier to copy when it consists of a single file. Create a stand-alone package that will install the
Connection Gateway.
Since connections from DMZ to the internal network are usually prohibited, the administrator may not always be able to copy
the installation package from the shared folder on the Administration Server. Connections in the opposite direction, from the
internal network to the DMZ, are limited to the ports necessary for work. In this lab, we assume that access to shared folders of
computers located in the DMZ from the internal network is allowed.
Save the remote installation package to the Upload shared folder on the server that acts as the connection gateway in the DMZ.
KL 302.11: Kaspersky Security Center. Scaling
A stand-alone package is not only easier to copy because it consists of a single file, but also easier to install because all
installation parameters are already set. To avoid any interaction during installation, run the package executable file with the
/s parameter, which performs a so-called silent installation without the interface.
42. Make sure that the Network Agent service is installed and running
— sc query klnagent
44. Carry out the following command to make sure that the Agent service listens on TCP port 13000
— netstat -ano | findstr <klnagent PID>
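The checks in steps 42 and 44 can be scripted. The following PowerShell is an added example, not part of the lab guide: it verifies on the DMZ host that the klnagent service is running and owns the TCP 13000 listener, and then reports whether the Administration Server has already opened a session inbound. It assumes an elevated PowerShell session on the gateway host.

```powershell
# Added example (not from the Kaspersky lab guide): verify that the Network
# Agent on the DMZ host runs in "Connection gateway in DMZ" mode, i.e. the
# klnagent service is up and owns the TCP 13000 listener (lab steps 42-44).
# Assumption: run in an elevated PowerShell session on the gateway host.
$ServiceName = 'klnagent'
$GatewayPort = 13000

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "Service $ServiceName is $($svc.Status); expected Running"
}

# Resolve the service to its process so the listener can be attributed to it,
# the same check as "netstat -ano | findstr <klnagent PID>" in step 44.
$agentPid = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").ProcessId
$listeners = Get-NetTCPConnection -State Listen -LocalPort $GatewayPort `
    -OwningProcess $agentPid -ErrorAction SilentlyContinue
if (-not $listeners) {
    throw "No TCP $GatewayPort listener owned by $ServiceName (PID $agentPid): " +
          "the package was probably not built in 'Connection gateway in DMZ' mode"
}
$listeners | ForEach-Object {
    Write-Output "$ServiceName (PID $agentPid) listens on $($_.LocalAddress):$GatewayPort"
}

# A gateway in the DMZ never dials out to the Administration Server, so an
# established session on this port can only have been opened by the server
# (once the PRIVATE-TO-DMZ firewall rule from Task G is in place).
$sessions = Get-NetTCPConnection -State Established -LocalPort $GatewayPort `
    -OwningProcess $agentPid -ErrorAction SilentlyContinue
if ($sessions) {
    $sessions | ForEach-Object {
        Write-Output "Administration Server session from $($_.RemoteAddress)"
    }
} else {
    Write-Warning "No established session on TCP $GatewayPort yet: check the " +
                  "PRIVATE-TO-DMZ rule and the distribution point assignment"
}
```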
Task G: Allow access to TCP port 13000 of the gateway in the firewall
Add a firewall rule PRIVATE-TO-DMZ on the hq-router gateway to allow connections from the local network to TCP port
13000 in the DMZ. Without it, the KSC Administration server will not be able to connect to a connection gateway deployed in
DMZ.
Assign the server deployed in the DMZ as a connection gateway to the group Managed devices\dmz-cgw.
Conclusion
A connection gateway in the DMZ accepts connections from external computers and tunnels them to the Administration Server
through its own connection with the server. A connection gateway in the DMZ typically cannot initiate connections to the
Administration Server; therefore, you need to add it to the list of distribution points on the Administration Server beforehand.
If a connection gateway is configured in the Connection gateway in DMZ mode, the Administration Server initiates connections
to TCP port 13000 of the connection gateway. You need to allow incoming connections to port 13000 of the connection
gateway in the firewall between the network where the Administration Server is located and the DMZ.
Lab 2. Configure a persistent connection via a connection gateway in the DMZ
Scenario. Some of the company's computers are outside the local network and can only connect to the Administration Server
through public networks (the internet). You want to connect desktops through a KSC gateway deployed in the demilitarized zone.
You have installed the connection gateway and connected it to the KSC Administration Server. Now, allow connections to the
connection gateway through public networks and configure the Network Agent on the external computers to connect to the
KSC server through the connection gateway.
Create a rule for forwarding connections (destination NAT) from the external interface of hq-router to port 13000 at the
address of the KSC connection gateway. Also, configure the INET_TO_DMZ rule in the firewall that will allow incoming
connections to port 13000 of the KSC gateway. Without this, external computers will not be able to connect to the connection
gateway.
Task B: Create a group for desktop computers located outside the network
Create a Home office group for remote desktops that will connect through the connection gateway in DMZ.
Create a new package from the ordinary Network Agent package. In the next task, we will specify parameters for connecting to
the KSC server through a connection gateway in this package. It is recommended that you create a separate Network Agent
package for each set of connection parameters.
29. Select the nagent.kud file and click Open, then Next
30. Accept the license agreement
31. Wait for the package to be generated and click Finish
32. Make sure that the installation package Network Agent for remote connections has appeared in the storage
Configure the gateway connection parameters in the Advanced section of the Network Agent package properties.
A package that consists of one file is easier to deliver to external computers. Make a stand-alone installation package Network
Agent for remote connections.
Task F: Install the Network Agent on a computer located outside the network
Install the Network Agent from the stand-alone package on an external computer.
55. Make sure that the installation and the Administration Server connection test have completed successfully
Make sure that the computer has connected to the KSC Administration server via the connection gateway in DMZ.
Conclusion
In order to connect external computers via a connection gateway, you need to allow connections to port 13000 of the
connection gateway from public networks (internet). If the connection gateway is behind a NAT, you will need to forward
connections (destination NAT) from the external address of the gateway to the internal address of the KSC connection
gateway.
If external desktops cannot connect to the KSC server to find out about the connection gateway in the DMZ, you can set up the
connection through a connection gateway during Network Agent installation: in the interactive wizard or in the installation
package.
Lab 3. Configure a conditional connection via the connection gateway in the DMZ
Scenario. You want to make laptops connect to the KSC server directly from within the internal network, and through a
connection gateway from public networks. You have already installed a connection gateway in the DMZ, connected it to the
KSC Administration Server and allowed connections to the connection gateway through the public networks. Now, configure
conditional connection (depending on the network location) via the connection gateway for laptops.
Create a group Managed devices | Roaming laptops. Move the tom-laptop computer to the group. Copy the Network Agent
policy from the Managed devices to the Roaming laptops group.
In the Network Agent policy of the Roaming laptops group, create a connection profile and a network location description.
Configure the profile to make computers connect to the Administration Server via the connection gateway, use the
Administration Server not only for updates, and receive connection settings from it. In the network location, use inverted
conditions based on the SSL connection accessibility and resolvability of a DNS name.
30. Select the option Does not match any of the values in the list
31. Click OK to save the condition
Task C: Make sure that the laptop has received the policy
Check the Network Agent settings on the tom-laptop computer using the klnagchk.exe utility.
Task D: Make sure that the laptop connects via the gateway from an external network
Move the tom-laptop computer to the msp-customer network and check connection to the Administration Server.
Task E: Make sure that the laptop connects directly from the internal network
Move the tom-laptop computer to the hq-lan network and check connection to the Administration Server.
Conclusion
To make laptops connect to the server in a different manner depending on the location (directly or through a connection
gateway), create a profile for connections through the connection gateway and describe a network location for networks
outside the perimeter. In the location description, use conditions that unambiguously determine whether the laptop is inside or
outside. For example, use the condition “the computer cannot resolve the DNS name of the Administration Server and cannot
establish an SSL connection to the Administration Server IP address”.
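The two inverted conditions described above can be reproduced on a laptop when troubleshooting why it picks the wrong connection profile. The following PowerShell is an added example, not part of the lab guide: it tests DNS resolvability of the Administration Server name and whether a TLS handshake to the server IP on port 13000 completes, and reports which location the Network Agent policy would match. The server name and IP are placeholders; the handshake is a reachability probe that deliberately skips certificate validation, as the KSC certificate is self-signed.

```powershell
# Added example (not from the Kaspersky lab guide): evaluate the Lab 3 network
# location conditions locally to predict which connection profile applies.
# ServerName and ServerIp are placeholders for the Administration Server.
function Test-KscSslReachable {
    param([string]$Address, [int]$Port = 13000, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        # The location condition only tests whether a TLS handshake completes;
        # the KSC certificate is self-signed, so validation is bypassed here.
        # This is a reachability probe, not a trust decision.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Address)
        return $ssl.IsAuthenticated
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Get-KscNetworkLocation {
    param([string]$ServerName, [string]$ServerIp, [int]$Port = 13000)
    $dnsResolves  = $null -ne (Resolve-DnsName -Name $ServerName -DnsOnly -ErrorAction SilentlyContinue)
    $sslReachable = Test-KscSslReachable -Address $ServerIp -Port $Port
    # Inverted conditions ("Does not match any of the values in the list"):
    # the "outside" location matches only when the DNS name does NOT resolve
    # AND the SSL connection to the server IP does NOT succeed.
    $outside  = (-not $dnsResolves) -and (-not $sslReachable)
    $location = if ($outside) { 'Outside perimeter: CGW profile' } else { 'Inside perimeter: direct' }
    [pscustomobject]@{
        DnsResolves  = $dnsResolves
        SslReachable = $sslReachable
        Location     = $location
    }
}

# Placeholders: replace with the Administration Server FQDN and IP used in the lab.
Get-KscNetworkLocation -ServerName 'ksc.example.lab' -ServerIp '192.0.2.10'
```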
Lab 4. Configure updating from the local Administration Server
Scenario. There are several geographically distributed sites at the organization. All sites are joined into a single network, but
the capacity of channels between the sites is limited. Each site has its own Kaspersky Security Center Administration Server.
It is highly desirable that the computers download updates from their local network source. Desktop computers are connected
to their local Administration Server and do not create traffic between the sites. However, many employees have laptops and
move between the offices often.
To provide updates in such a network, describe each site as a network location in Kaspersky Security Center and configure
connection profiles to make laptops update from the local Administration Server.
Copy the Administration Server certificate file lo-ksc.abc.lab to the shared folder \\dc\Public
Import the policy from the cgw_connection_profiles file to the Managed devices | Roaming laptops group.
Open the properties of the inactive policy. Switch to the Connection | Connection Profiles section. Configure a profile for
connecting through connection gateway (CGW) and descriptions of network locations. Activate the policy.
Task C: Make sure that the laptop has received the policy
Check the Network Agent settings on tom-laptop using the klnagchk.exe utility.
Move tom-laptop to the LOLAN network and check its Administration Server connection settings.
Move tom-laptop to the HQLAN network and check connection to the Administration Server.
Conclusion
You have configured laptops to download updates from the local Administration Server at any office. For this purpose, you
created descriptions of network locations for the geographically distributed offices in the Network Agent policy and specified
the Administration Servers to be used as update sources at these offices in the connection profiles.
In this lab, we configured the policy on the Administration Server of one office only. In real life, you need to specify the same
settings in the laptop policies on all servers.