KL 302.11

Kaspersky Endpoint Security and Management. Scaling
Managing computers located outside the network

Lab Guide
www.kaspersky.com
Table of contents

Lab 1. Install a connection gateway in the DMZ (p. 2)
Task A: Create a group for connection gateways in the DMZ (p. 2)
Task B: Create a new package for the KSC Agent (p. 3)
Task C: In the package properties, enable the connection gateway in DMZ mode (p. 4)
Task D: Create a stand-alone installation package (p. 6)
Task E: Copy the stand-alone installation package to the server in DMZ (p. 7)
Task F: Install the connection gateway from the stand-alone package (p. 9)
Task G: Allow access to TCP port 13000 of the gateway in the firewall (p. 10)
Task H: Assign the connection gateway to a group in KSC (p. 11)

Lab 2. Configure a persistent connection via a connection gateway in the DMZ (p. 13)
Task A: Configure forwarding connections to port 13000 of the gateway (p. 14)
Task B: Create a group for desktop computers located outside the network (p. 15)
Task C: Create a new package for the KSC Agent (p. 15)
Task D: Configure connections via the connection gateway in the package (p. 16)
Task E: Create a stand-alone installation package (p. 17)
Task F: Install the Network Agent on a computer located outside the network (p. 19)
Task G: Test connection via the connection gateway (p. 20)

Lab 3. Configure a conditional connection via the connection gateway in the DMZ (p. 21)
Task A: Create a Network Agent policy in a group for traveling laptops (p. 22)
Task B: Create a profile and descriptions of network locations (p. 22)
Task C: Make sure that the laptop has received the policy (p. 26)
Task D: Make sure that the laptop connects via the gateway from an external network (p. 26)
Task E: Make sure that the laptop connects directly from the internal network (p. 28)

Lab 4. Configure updating from the local Administration Server (p. 30)
Task A: Prepare a policy and the lo-ksc.abc.lab certificate (p. 30)
Task B: Configure the Network Agent policy (p. 31)
Task C: Make sure that the laptop has received the policy (p. 37)
Task D: Check the settings in the remote office (p. 38)
Task E: Check the settings in HQ (p. 39)
L–2 KASPERSKY™
KL 302.11: Kaspersky Security Center. Scaling

Lab 1.
Install a connection gateway in the DMZ
Scenario. A part of the company's computers are outside the local network and can only connect to the administration server
through public networks (internet). You want to connect these computers through a KSC gateway deployed in the
demilitarized zone. To achieve this, you need to install KSC Agent on a server in the demilitarized zone and configure the
Agent to act as the connection gateway.

Contents. In this lab, we will:

A. Create a group for connection gateways in the DMZ
B. Create a new package for the KSC Agent
C. In the package properties, enable the connection gateway in DMZ mode
D. Create a stand-alone installation package
E. Copy the stand-alone installation package to the server in DMZ
F. Install the connection gateway from the stand-alone package
G. Allow access to TCP port 13000 of the gateway in the firewall
H. Assign the connection gateway to a group in KSC

Task A: Create a group for connection gateways in the DMZ

Create a new group Managed devices\dmz-cgw in the KSC console.

The task is performed on admin-desktop.

The machines hq-router, lo-router, dc, hq-ksc1, dmz-cgw, and admin-desktop must be powered on.

1. Log on to the admin-desktop workstation under the ABC\KSCAdmin account with the password Ka5per5Ky
2. Start the KSC Console
3. Log on to server hq-ksc1 (10.28.1.20) under the abc.lab\kscadmin account with the password Ka5per5Ky
4. Select the Managed devices node and switch to the Devices tab
5. Click the New group button
6. Type Dmz-cgw for the name and click OK

Task B: Create a new package for the KSC Agent

You can assign the Distribution Point and Connection Gateway role to any Network Agent in Kaspersky Security Center
Administration Console. At the next planned synchronization, the Agent will learn about this and begin to perform the role.

However, computers cannot typically connect to the KSC Server from DMZ. To assign the connection gateway role to a
computer in the DMZ, you need to install the KSC Agent in a special mode: Connection gateway in DMZ. Such an agent will
not try to connect to the Administration Server; instead, it will wait for connections from the Administration Server on TCP
port 13000.

To install the Network Agent in this mode, change the Network Agent package settings. For this purpose, create a new package
from the ordinary Network Agent installation package.

The task is performed on admin-desktop.

The machines hq-router, lo-router, dc, hq-ksc1, dmz-cgw, and admin-desktop must be powered on.

7. In the KSC Console, select the node Advanced | Remote installation | Installation packages
8. Click the button Create installation package
9. Click the button Create an installation package for a Kaspersky application
10. Name the package Connection Gateway

11. Click Browse
12. For the File name, type \\hq-ksc1 (or \\10.28.1.20) and press ENTER
13. Open the folder \KLSHARE\Packages\NetAgent_11.x.x.xxxx
14. Select the nagent.kud file and click Open, then Next
15. Accept the license agreement
16. Wait for the package to be generated and click Finish

Make sure that the Connection gateway installation package has appeared in the Installation packages node

Task C: In the package properties, enable the connection gateway in DMZ mode

Enable the Connection Gateway functionality, configure tagging, and specify the IP address of the Administration Server in the
properties of the Network Agent installation package.

The task is performed on admin-desktop.

The machines hq-router, lo-router, dc, hq-ksc1, dmz-cgw, and admin-desktop must be powered on.

17. Open the properties of the Connection gateway package
18. Open the Connection section
19. In the Administration Server address field, enter IP address 10.28.1.20
20. Open the Advanced section
21. Select the check box Use Network Agent as connection gateway in DMZ

22. Open the Tags section
23. In the field below the list, type Connection gateway and click Add
24. Save the package properties

Task D: Create a stand-alone installation package

An installation package is easier to copy when it consists of a single file. Create a stand-alone package that will install the
Connection Gateway.

The task is performed on admin-desktop.

The machines hq-router, lo-router, dc, hq-ksc1, dmz-cgw, and admin-desktop must be powered on.

25. Select the Connection gateway package and click the link Create stand-alone installation package in the right pane

26. Select Move unassigned devices to this group and specify the group Managed devices\dmz-cgw
27. Wait for the package to be generated and click Next, then Finish

Task E: Copy the stand-alone installation package to the server in DMZ

Since connections from DMZ to the internal network are usually prohibited, the administrator may not always be able to copy
the installation package from the shared folder on the Administration Server. Connections in the opposite direction, from the
internal network to the DMZ, are limited to the ports necessary for work. In this lab, we assume that access to shared folders of
computers located in the DMZ from the internal network is allowed.

Save the remote installation package to the Upload shared folder on the server that acts as the connection gateway in the DMZ.

The task is performed on admin-desktop.

The machines hq-router, lo-router, dc, hq-ksc1, dmz-cgw, and admin-desktop must be powered on.

28. Click View the list of stand-alone packages
29. Select the Connection gateway package and click Save as
30. Copy the stand-alone package to the dmz-cgw machine
31. In the File name field, type the path to the shared folder \\10.28.3.30\Upload and click Save
32. In the Enter network credentials window, enter the user name dmz-cgw\Administrator and password Ka5per5Ky

33. Type cgw for the package name and click Save
34. Wait for the stand-alone package to be saved on the server in the DMZ and close the General list of stand-alone packages

Task F: Install the connection gateway from the stand-alone package

A stand-alone package is not only easier to copy because it consists of a single file, but also easier to install because all
installation parameters are already set. To avoid any interaction during installation, you can run the package executable with the
/s parameter, which performs a so-called silent installation without the user interface.

The task is performed on dmz-cgw.

The hq-router, dc, hq-ksc1, dmz-cgw, and admin-desktop machines must be powered on.

35. Switch to the dmz-cgw machine
36. Log on to the dmz-cgw computer under the administrator account with the password Ka5per5Ky
37. Minimize the wAmp window
38. Run the command line interface (cmd.exe) as an administrator
39. Go to the C:\Upload folder
40. Carry out the following command to start silent installation
— cgw.exe /s
41. Wait for 2 minutes
42. Make sure that the Network Agent service is installed and running
— sc query klnagent

43. To find the PID of the klnagent.exe process, enter
— tasklist | findstr klnagent
44. Carry out the following command to make sure that the Agent service listens on TCP port 13000
— netstat -ano | findstr <klnagent PID>

Task G: Allow access to TCP port 13000 of the gateway in the firewall

Add a firewall rule PRIVATE-TO-DMZ on the hq-router gateway to allow connections from the local network to TCP port
13000 in the DMZ. Without it, the KSC Administration server will not be able to connect to a connection gateway deployed in
DMZ.

The task is performed on hq-router.

The hq-router, dc, hq-ksc1, dmz-cgw, and admin-desktop machines must be powered on.

45. Switch to the hq-router machine
46. Authenticate as vyos, password Ka5per5Ky
47. Carry out the following command to switch to the editing mode
— configure
48. Carry out the following command (type it on a single line) to create a new rule
— set firewall name PRIVATE_TO_DMZ rule 100 description "Allow KSC port 13000"
49. Type the following command on a single line to switch to the editing mode
— edit firewall name PRIVATE_TO_DMZ rule 100
50. Carry out the following commands to set rules
— set action accept
— set protocol tcp
— set destination address 10.28.3.30
— set destination port 13000

51. Exit the editing mode
— exit
52. To apply the settings, carry out the command
— commit
53. Save the settings
— save

The task is performed on admin-desktop.

54. Switch to the admin-desktop machine
55. Start PowerShell
56. Carry out the following command to test connection on port 13000 of the connection gateway (type it on a single line)
— Test-NetConnection -ComputerName 10.28.3.30 -Port 13000
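As an added check that is not part of the lab guide or of Kaspersky's own tooling, the following PowerShell wraps the verifications of Task F (steps 42 to 44, run on dmz-cgw) and Task G (step 56, run on admin-desktop) in two functions, so that the gateway state can be re-checked in one call after any change on hq-router. The service name klnagent, the port 13000 and the gateway address 10.28.3.30 are taken from the lab.

```powershell
# Added verification script (not from the lab guide or from Kaspersky).
# Test-KscGatewayLocal  : run on the connection gateway (dmz-cgw)
# Test-KscGatewayRemote : run on the Administration Server side (admin-desktop)

function Test-KscGatewayLocal {
    param(
        [int]$Port = 13000,                 # port the gateway listens on (from the lab)
        [string]$ServiceName = 'klnagent'   # Network Agent service name, as in "sc query klnagent"
    )
    $result = [ordered]@{ ServiceRunning = $false; ProcessId = $null; ListeningOnPort = $false }

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service '$ServiceName' is not installed"
        return [pscustomobject]$result
    }
    $result.ServiceRunning = ($svc.Status -eq 'Running')

    # In "connection gateway in DMZ" mode the agent waits for the Administration Server on TCP 13000,
    # so the listener must be owned by klnagent.exe, not by some other process that happens to use the port.
    $proc = Get-Process -Name klnagent -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($null -ne $proc) {
        $result.ProcessId = $proc.Id
        $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
            Where-Object { $_.OwningProcess -eq $proc.Id }
        $result.ListeningOnPort = ($null -ne $listener)
    }
    return [pscustomobject]$result
}

function Test-KscGatewayRemote {
    param(
        [string]$Gateway = '10.28.3.30',    # connection gateway address in the DMZ (from the lab)
        [int]$Port = 13000
    )
    # Same check as step 56: the TCP handshake succeeds only when the PRIVATE_TO_DMZ rule on hq-router
    # and the listener on the gateway are both in place.
    $tnc = Test-NetConnection -ComputerName $Gateway -Port $Port -WarningAction SilentlyContinue
    return [bool]$tnc.TcpTestSucceeded
}

# On dmz-cgw:        Test-KscGatewayLocal | Format-List
# On admin-desktop:  Test-KscGatewayRemote
```

A result of ServiceRunning = True with ListeningOnPort = False on the gateway means the package was not installed in DMZ mode (Task C), while a successful local check with a failed remote check points at the firewall rule of Task G.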

Task H: Assign the connection gateway to a group in KSC

Assign the server deployed in the DMZ as a connection gateway to the group Managed devices\dmz-cgw.

The task is performed on admin-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, and admin-desktop machines must be powered on.

57. In the KSC Console, open the Administration Server properties
58. Open the Distribution points section
59. Select Manually assign distribution points
60. Click Add below the list of devices

61. Click the arrow on the Select button next to the field Device to act as distribution point and click Add connection gateway in DMZ by address
62. Specify the IP address of the connection gateway in DMZ 10.28.3.30 and click OK
63. Click the arrow on the Select button next to the field Distribution point scope and click Administration group
64. Select the Managed devices | dmz-cgw group and click OK
65. Click OK to close the Administration Server properties window
66. Select the Managed devices | dmz-cgw node (group) and switch to the Devices tab
67. Wait for 5 minutes
68. Refresh the contents of the Managed devices | dmz-cgw group and make sure that the dmz-cgw endpoint is there

The task is performed on dmz-cgw.

69. Switch to the dmz-cgw virtual machine
70. Run the command line interface (cmd.exe) as an administrator
71. Change the directory to C:\Program Files (x86)\Kaspersky Lab\NetworkAgent
72. Run the klnagchk.exe utility to consult the local Network Agent statistics
73. Make sure that the output contains
— This device is a connection gateway
SSL port: 13000
— Attempting to connect to Administration Server…OK

Conclusion

A connection gateway in the DMZ accepts connections from external computers and tunnels them to the Administration Server
through its own connection with the server. A connection gateway in the DMZ typically cannot initiate connections to the
Administration Server; therefore, you need to add it to the list of distribution points on the Administration Server beforehand. When
a Network Agent is configured as a connection gateway in the DMZ, the Administration Server initiates connections to
TCP port 13000 of the connection gateway. You will need to allow incoming connections to port 13000 of the connection
gateway in the firewall between the network where the Administration Server is located and the DMZ.

Lab 2.
Configure a persistent connection via a connection gateway in the DMZ
Scenario. A part of the company's computers are outside the local network and can only connect to the administration server
through public networks (internet). You want to connect desktops through a KSC gateway deployed in the demilitarized zone.
You have installed the connection gateway and connected it to the KSC Administration Server. Now, allow connections to the
connection gateway through public networks and configure the Network Agent on the external computers to connect to the
KSC server through the connection gateway.

Contents. In this lab, we will:

A. Configure forwarding connections to port 13000 of the gateway
B. Create a group for desktop computers located outside the network
C. Create a new package for the KSC Agent
D. Configure connections via the connection gateway in the package
E. Create a stand-alone installation package
F. Copy the stand-alone installation package to the web server
G. Install the KSC Agent on a computer located outside the network

Task A: Configure forwarding connections to port 13000 of the gateway

Create a rule for forwarding connections (destination NAT) from the external interface of hq-router to port 13000 at the
address of the KSC connection gateway. Also, configure the INET_TO_DMZ rule in the firewall that will allow incoming
connections to port 13000 of the KSC gateway. Without this, external computers will not be able to connect to the connection
gateway.

The task is performed on hq-router and customer-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and customer-desktop machines must be powered on.

1. Power on the customer-router and customer-desktop virtual machines
2. On the hq-router machine, log on to the vyos account with the password Ka5per5Ky
3. If you are in the edit mode ([edit] shown above the command prompt), exit it: Carry out the exit command
4. Display the list of interfaces in order to understand which of them is external and find out its address
— show interfaces
In this case, the external interface is eth0 with the address 10.28.0.2
5. Switch to the editing mode
— configure
6. Create a new rule to forward port 13000 from the external interface to the address of the connection gateway in DMZ (on vyos, rule destination nat)
— set nat destination rule 10 description "Forward port 13000 from the public interface to the KSC connection gateway in DMZ"
7. Configure the rule: Specify inbound interface eth0, destination port 13000, and destination address 10.28.3.30 (address of the connection gateway in the DMZ)
— edit nat destination rule 10
— set inbound-interface eth0
— set protocol tcp
— set destination port 13000
— set translation address 10.28.3.30
— commit
— save
8. Carry out the following commands to configure the INET_TO_DMZ rule in the firewall that will allow connections on TCP port 13000
— edit firewall name INET_TO_DMZ rule 20
— set description "Allow connections to the KSC connection gateway port 13000"
— set action accept
— set protocol tcp
— set destination port 13000
— commit
— save
— exit

The task is performed on customer-desktop.

9. Switch to the customer-desktop machine
10. Log into the system under the Administrator account with the password Qwerty!@
11. Start PowerShell
12. Test accessibility of the public address of ABC Inc. (10.28.0.2, from step 4)
— Test-NetConnection 10.28.0.2
13. Make sure that the output contains
— PingSucceeded : True
14. Check the capability to connect to port 13000 of the gateway:
— Test-NetConnection 10.28.0.2 -Port 13000
15. Make sure that the output contains
— TcpTestSucceeded : True

Task B: Create a group for desktop computers located outside the network

Create a Home office group for remote desktops that will connect through the connection gateway in DMZ.

The task is performed on admin-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and customer-desktop machines must be powered on.

16. Log on to the admin-desktop workstation under the ABC\KSCAdmin account with the password Ka5per5Ky
17. Start the Kaspersky Security Center Administration Console
18. Connect to server hq-ksc1 (10.28.1.20) under the ABC\KSCAdmin account with the password Ka5per5Ky
19. Select the Managed devices node
20. Click the New group button
21. Type the Home office name and click OK

Task C: Create a new package for the KSC Agent

Create a new package from the ordinary Network Agent package. In the next task, we will specify parameters for connecting to
the KSC server through a connection gateway in this package. It is recommended that you create a separate Network Agent
package for each set of connection parameters.

The task is performed on admin-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and customer-desktop machines must be powered on.

22. In the KSC Console, select the node Advanced | Remote installation | Installation packages
23. Click the button Create installation package
24. Click the button Create an installation package for a Kaspersky application
25. Name the package Network Agent for remote connections
26. Click Browse
27. For the File name, type \\hq-ksc1 (or \\10.28.1.20) and press ENTER
28. Open the folder \KLSHARE\Packages\NetAgent_11.x.x.xxxx
29. Select the nagent.kud file and click Open, then Next
30. Accept the license agreement
31. Wait for the package to be generated and click Finish
32. Make sure that the installation package Network Agent for remote connections has appeared in the storage

Task D: Configure connections via the connection gateway in the package

Configure the gateway connection parameters in the Advanced section of the Network Agent package properties.

The task is performed on admin-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and customer-desktop machines must be powered on.

33. In the KSC Console, select the node Advanced | Remote installation | Installation packages
34. Open the properties of the package Network Agent for remote connections
35. Open the Advanced section
36. Select the check box Connect to Administration Server by using connection gateway
37. In the Connection gateway address field, enter the address of the public interface 10.28.0.2 (from step 4)
38. Save the package properties

Task E: Create a stand-alone installation package

A package that consists of one file is easier to deliver to external computers. Make a stand-alone installation package Network
Agent for remote connections.

The task is performed on admin-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and customer-desktop machines must be powered on.

39. In the KSC Console, select the node Advanced | Remote installation | Installation packages
40. Select the Network Agent for remote connections package and click the link Create stand-alone installation package in the right pane
41. Select Move unassigned devices to this group and specify the group Managed devices | Home office
42. Wait for the package to be generated and click Next

43. Click Open folder
44. On the shortcut menu of the installer.exe file, click Copy
45. In the address box, type the path to the shared folder \\10.28.3.30\www_root and press ENTER
46. Paste the installer.exe file

47. Rename the installer.exe file to nagent4remote.exe
48. Close Windows Explorer
49. Click Next
50. On the last page of the wizard, click Finish

Task F: Install the Network Agent on a computer located outside the network

Install the Network Agent from the stand-alone package on an external computer.

The task is performed on customer-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and customer-desktop machines must be powered on.

51. Switch to the customer-desktop machine
52. Start Internet Explorer
53. Download the file nagent4remote.exe from http://10.28.0.2:7780/www_root/
54. Start installation from the stand-alone package nagent4remote.exe

55. Make sure that the installation and the Administration Server connection test have completed successfully

Task G: Test connection via the connection gateway

Make sure that the computer has connected to the KSC Administration server via the connection gateway in DMZ.

The task is performed on customer-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and customer-desktop machines must be powered on.

56. Run the command line (cmd.exe) as administrator
57. Change the directory to C:\Program Files (x86)\Kaspersky Lab\NetworkAgent
58. Start the klnagchk.exe utility
59. Pay attention to the following lines:
— Administration Server address: 'hq-ksc1.abc.lab'
— Location of distribution points: 10.28.0.2:13000 (SSL)
— Attempting to connect to Administration Server…OK
60. Check the (non-)accessibility of the Administration Server address using the command
— ping hq-ksc1.abc.lab

The task is performed on admin-desktop.

61. Switch to the admin-desktop machine
62. In the KSC Console, select the Managed devices | Home office node (group)
63. Make sure that the customer-desktop computer has appeared in the group

Conclusion

In order to connect external computers via a connection gateway, you need to allow connections to port 13000 of the
connection gateway from public networks (internet). If the connection gateway is behind a NAT, you will need to forward
connections (destination NAT) from the external address of the gateway to the internal address of the KSC connection
gateway.

If external desktops cannot connect to the KSC server to find out about the connection gateway in the DMZ, you can set up
connection through a connection gateway during the Network Agent installation: In the interactive wizard or in the installation
package.

Lab 3.
Configure a conditional connection via the connection gateway in the DMZ
Scenario. You want to make laptops connect to the KSC server directly from within the internal network, and through a
connection gateway from public networks. You have already installed a connection gateway in the DMZ, connected it to the
KSC Administration Server and allowed connections to the connection gateway through the public networks. Now, configure
conditional connection (depending on the network location) via the connection gateway for laptops.

Contents. In this lab, we will:

A. Create a Network Agent policy in a group for traveling laptops
B. Create a profile and descriptions of network locations
C. Make sure that the laptop has received the policy
D. Make sure that the laptop connects via the gateway from an external network
E. Make sure that the laptop connects directly from the internal network

Task A: Create a Network Agent policy in a group for traveling laptops

Create a group Managed devices | Roaming laptops. Move the tom-laptop computer to the group. Copy the Network Agent
policy from the Managed devices to the Roaming laptops group.

The task is performed on admin-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and tom-laptop machines must be powered on.

1. Power on the tom-laptop computer
2. Log on to the admin-desktop workstation under the ABC\KSCAdmin account with the password Ka5per5Ky
3. Start the KSC Console
4. Log on to server hq-ksc1 (10.28.1.20) under the abc.lab\KSCAdmin account with the password Ka5per5Ky
5. Select the Managed devices node
6. Click the New group button and create a group named Roaming laptops
7. Find the tom-laptop computer and move it to the Roaming laptops group
8. Copy the Network Agent policy from the Managed devices to the Roaming laptops group
9. Make sure that there are two policies on the list now: Active, which is inherited from the Managed devices group, and an inactive non-inherited policy

Task B: Create a profile and descriptions of network locations

In the Network Agent policy of the Roaming laptops group, create a connection profile and a network location description.
Configure the profile to make computers connect to the Administration Server via the connection gateway, use the
Administration Server not only for updates, and receive connection settings from it. In the network location, use inverted
conditions based on the SSL connection accessibility and resolvability of a DNS name.

The task is performed on admin-desktop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and tom-laptop machines must be powered on.

10. Open the properties of the inactive policy
11. Go to Connectivity | Connection profiles
12. Create another connection profile: In the lower part of the window, to the right of the Administration Server connection profiles list, click Add
13. Type the name hq-ksc1 via cgw 10.28.0.2
14. Enter the Administration Server address hq-ksc1.abc.lab
15. Specify 10.28.0.2 for the connection gateway address (the public interface on the gateway)
16. Select the check box Enable out-of-office mode
17. Clear the Use to receive updates only check box
18. Select the check box Synchronize connection settings…
19. Click OK to save the profile
20. To add a network location description, click Add below the list of network locations in the upper part of the window

21. Enter the Public location name
22. In the Use connection profile list, select <Home Administration Server>
23. Add a condition for this location: Click Add and select the SSL connection address accessibility
24. To add an SSL address, click the Add button below the Values list
25. Enter network address 10.28.1.20:13000 (the Administration Server address)
26. Click Browse to select the Administration Server certificate
27. Open the folder C:\ProgramData\KasperskyLab\adminkit\1103 (the adminkit subfolder is hidden; you can enter the address manually or show hidden folders)
28. Select the klserver.cer certificate file and click Open
29. To save the SSL address, click OK
30. Select the option Does not match any of the values in the list
31. Click OK to save the condition
32. Add another condition: Click Add and select Name resolvability

33. To add a name to the Values list, click Add
34. Type the DNS name of the Administration Server: hq-ksc1.abc.lab
35. Select the option Does not match any of the values in the list and click OK
36. Select the profile hq-ksc1 via cgw
37. Select the Description enabled check box
38. Click OK to save the network location description
39. Click Yes to confirm that you understand the consequences
40. Close the lock in the upper-right corner (Editing locked)

41. Open the General section
42. Rename the policy to Network Agent for roaming laptops
43. Clear the Inherit settings from parent policy check box
44. Activate the policy: In the Policy status area, select Active Policy
45. Click OK to save the policy
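To see from the laptop's side which network location the Network Agent should match at a given moment, the following added PowerShell diagnostic (not from the lab guide and not Kaspersky's own code) evaluates the two inverted conditions of Task B: SSL accessibility of 10.28.1.20:13000 presenting the klserver.cer certificate, and resolvability of hq-ksc1.abc.lab. It assumes a local copy of klserver.cer at the path used in step 27 and that a location description matches only when all of its conditions hold.

```powershell
# Added diagnostic (not part of the lab guide or of Kaspersky's tooling). Run on tom-laptop in PowerShell.
# Assumptions: a location description matches only when ALL its conditions hold; values are those of this lab.

$ServerName = 'hq-ksc1.abc.lab'   # value of the "Name resolvability" condition (step 34)
$ServerAddr = '10.28.1.20'        # SSL connection address (step 25), host part
$SslPort    = 13000               # SSL connection address (step 25), port part
$CertFile   = 'C:\ProgramData\KasperskyLab\adminkit\1103\klserver.cer'   # certificate chosen in step 28

function Test-KscNameResolvable {
    param([string]$Name)
    try {
        # Resolve-DnsName throws on failure; -ErrorAction Stop makes the failure land in the catch block
        $null = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Test-KscSslAddress {
    param([string]$Address, [int]$Port, [string]$ExpectedCertPath)
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ExpectedCertPath)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a 5 s timeout; a refused or filtered port counts as "not accessible"
        if (-not $client.ConnectAsync($Address, $Port).Wait(5000)) { return $false }
        # Accept any certificate in the TLS callback; the thumbprint comparison below is the real check,
        # which mirrors the condition "SSL address accessible with this certificate"
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Address)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return ($remote.Thumbprint -eq $expected.Thumbprint)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$sslReachable = Test-KscSslAddress -Address $ServerAddr -Port $SslPort -ExpectedCertPath $CertFile
$resolvable   = Test-KscNameResolvable -Name $ServerName

# Both conditions were saved with "Does not match any of the values in the list", so the
# "Public" location applies only when neither the SSL address nor the name is reachable.
$publicLocation = (-not $sslReachable) -and (-not $resolvable)

"SSL address ${ServerAddr}:${SslPort} accessible with klserver.cer : $sslReachable"
"Name $ServerName resolvable                                  : $resolvable"
if ($publicLocation) {
    "Location 'Public' matches  -> expected profile: 'hq-ksc1 via cgw 10.28.0.2' (through the gateway)"
} else {
    "Location 'Public' does not match -> expected profile: <Home Administration Server> (direct connection)"
}
```

Compare the reported profile with the "Used profile" line that klnagchk.exe prints in Tasks D and E; a mismatch usually means the policy has not been received yet (Task C) or that the wrong certificate was attached to the SSL address.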

Task C: Make sure that the laptop has received the policy

Check the Network Agent settings on the tom-laptop computer using the klnagchk.exe utility.

The task is performed on tom-laptop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and tom-laptop machines must be powered on.

46. Switch to the tom-laptop machine
47. Log into the system under the ABC\Tom account with the password Ka5per5Ky
48. Run powershell.exe as administrator (Administrator:Ka5per5Ky)
49. Change the directory to C:\Program Files (x86)\Kaspersky Lab\NetworkAgent
— cd 'C:\Program Files (x86)\Kaspersky Lab\NetworkAgent'
50. Start the klnagchk.exe utility
51. Make sure that the utility outputs information about the profile specified in the policy and network locations

Task D: Make sure that the laptop connects via the gateway from an external
network

Move the tom-laptop computer to the msp-customer network and check connection to the Administration Server.

The task is performed on tom-laptop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and tom-laptop machines must be powered on.

52. Disconnect tom-laptop from the hq-lan network and connect it to the msp-customer network:
53. In vSphere Client console, select the customer-desktop virtual machine
54. Switch to the Networks tab
55. Check which network the customer-desktop computer is connected to (see the Name field), and write down or memorize it
56. In vSphere Client console, select the tom-laptop virtual machine
57. Open the properties of the tom-laptop virtual machine
58. Check which network the tom-laptop computer is connected to and write down which Network adapter 1 it uses
59. For tom-laptop, specify the same Network adapter 1 as customer-desktop has, and click OK
60. Wait a couple of minutes for tom-laptop to receive an address in the new network
61. In the Set Network Location window, select Public network
62. On the subsequent page, click Close

63. Run the klnagchk.exe utility again via the command shell with administrator permissions
64. In the utility output, pay attention to the following lines:
    — Used profile: 'hq-ksc1 via CGW 10.28.0.2'
    — Administration Server address: 'hq-ksc1.abc.lab'
    — Location of distribution points: 10.28.0.2:13000 (SSL)
    — Attempting to connect to Administration Server…OK
65. Carry out the following command to make sure that the administration server name hq-ksc1.abc.lab cannot be resolved from the current location
    — nslookup hq-ksc1.abc.lab

Task E: Make sure that the laptop connects directly from the internal
network

Move the tom-laptop computer to the hq-lan network and check connection to the Administration Server.

The task is performed on tom-laptop.

The hq-router, dc, hq-ksc1, dmz-cgw, admin-desktop, customer-router, and tom-laptop machines must be powered on.

66. Disconnect tom-laptop from the msp-customer network and connect it to the hq-lan network:
67. In vSphere Client console, select the tom-laptop virtual machine
68. Open the properties of the tom-laptop virtual machine
69. Change Network adapter 1 to the value that you wrote down at step 58 of this lab
70. Wait a couple of minutes for tom-laptop to receive an address in the new network
71. Run the klnagchk.exe utility again via the command shell with administrator permissions
72. Note that the utility's output does NOT contain the following lines
    — Used profile: 'hq-ksc-01 via CGW 10.28.0.2'
    — Location of distribution points: 10.28.0.2:13000 (SSL)
73. Power off all machines except dc, hq-router, lo-router

Conclusion

To make laptops connect to the server in a different manner depending on the location (directly or through a connection
gateway), create a profile for connections through the connection gateway and describe a network location for networks
outside the perimeter. In the location description, use conditions that unambiguously determine whether the laptop is inside or
outside. For example, use the condition “the computer cannot resolve the DNS name of the Administration Server and cannot
establish an SSL connection to the Administration Server IP address”.

Lab 4. Configure updating from the local Administration Server
Scenario. There are several geographically distributed sites at the organization. All sites are joined into a single network, but
the capacity of channels between the sites is limited. Each site has its own Kaspersky Security Center Administration Server.

It is highly desirable that the computers download updates from their local network source. Desktop computers are connected
to their local Administration Server and do not create traffic between the sites. However, many employees have laptops and
move between the offices often.

To provide updates in such a network, describe each site as a network location in the Kaspersky Security Center and configure
connection profiles to make notebooks update from the local administration server.

Contents. In this lab, we will:

A. Prepare a policy and the lo-ksc.abc.lab certificate
B. Configure the Network Agent policy
C. Make sure that the laptop has received the policy
D. Check the settings in the remote office
E. Check the settings in HQ

Task A: Prepare a policy and the lo-ksc.abc.lab certificate

Copy the Administration Server certificate file lo-ksc.abc.lab to the shared folder \\dc\Public

Import the policy from the cgw_connection_profiles file to the Managed devices | Roaming laptops group.

The task is performed on lo-ksc and admin-desktop.

The hq-router, dc, hq-ksc1, admin-desktop, lo-router, lo-ksc, and tom-laptop machines must be powered on.

1. Log on to the lo-ksc computer under the abc\LOAdmin account with the password Ka5per5Ky
2. In Windows Explorer, open the folder C:\ProgramData\KasperskyLab\adminkit\1093\cert
   This folder is hidden. Either configure Windows Explorer to show hidden folders, or simply enter the full path manually
3. Copy the klserver.cer file to clipboard
4. Open the \\dc\Public folder in a new Windows Explorer window
5. Paste the copied certificate file
6. Rename the file to lo-ksc.cer

The task is performed on admin-desktop.

7. Switch to the admin-desktop workstation
8. Log on to the abc\KSCAdmin account, password Ka5per5Ky
9. Start the KSC Console
10. Connect to server hq-ksc1 (10.28.1.20) under the ABC\KSCAdmin account with the password Ka5per5Ky
11. Create a node (group) Managed devices | Roaming laptops
12. Find the tom-laptop computer and move it to the Roaming laptops group
13. Switch to the Policies tab
14. Click the button Import policy from file
15. Select the \\dc\Pub\cgw_connection_profiles.klp file and click Open
16. Make sure that there are two Network Agent policies on the list now: Active, which is inherited from the Managed devices group, and an inactive non-inherited policy

Task B: Configure the Network Agent policy

Open the properties of the inactive policy. Switch to the Connection | Connection Profiles section. Configure a profile for
connecting through connection gateway (CGW) and descriptions of network locations. Activate the policy.

The task is performed on admin-desktop.

The hq-router, dc, hq-ksc1, tom-laptop, lo-router, lo-ksc1, and admin-desktop machines must be powered on.

17. Open the properties of the inactive policy Network Agent for roaming laptops (1)
18. Open the Connectivity section
19. Go to Connectivity | Connection profiles
20. Make sure that the policy already has a profile (hq-ksc1 via cgw 10.28.0.2) and a description of network locations
21. Create another profile: In the lower part of the window, to the right of the Administration Server connection profiles list, click Add
22. Name it update from lo-ksc.abc.lab
23. Enter the lo-ksc.abc.lab Administration Server address
24. Make sure that the Enable out-of-office mode check box is cleared
25. Make sure that the Use to receive updates only check box is selected
26. Click OK to save the profile
27. To add a network location description, click Add below the list of network locations in the upper part of the window

28. Enter LO (by SSL accessibility) for the location name
29. In the Use connection profile list, select Update from lo-ksc.abc.lab
30. Add a condition for this location: Click Add and select the SSL connection address accessibility
31. To add an SSL address, click the Add button below the Values list
32. Enter network address lo-ksc.abc.lab:13000 (the Administration Server address)
33. Click Browse to select the Administration Server certificate
34. Open the folder \\dc\Public
35. Select the certificate file lo-ksc.cer and click Open
36. To save the SSL address, click OK
37. Click OK to save the condition

38. Add another condition: Click Add and select Subnet location
39. Click Add to specify the subnet address
40. Type 10.28.4.0 for the subnet address, 255.255.255.0 for the mask, and click OK
41. Click OK to save the condition
42. Select the Description enabled check box and click OK to save the network location description
43. Click Yes to confirm that you understand the consequences
44. Select the LO (by SSL accessibility) description and move it to the top of the list (use the buttons on the right)
45. To add one more network location, click Add below the list of network locations in the upper part of the window

46. Enter HQ (by SSL accessibility) for the location name
47. In the Use connection profile list, select <Home Administration Server>
48. Add a condition for this location: Click Add and select the SSL connection address accessibility
49. To add an SSL address, click the Add button below the Values list
50. Enter network address 10.28.1.20:13000 (the Administration Server address)
51. Click Browse to select the Administration Server certificate
52. Open the folder C:\ProgramData\KasperskyLab\adminkit\1103 (the adminkit subfolder is hidden; you can enter the address manually or show hidden folders)
53. Select the klserver.cer certificate file and click Open
54. To save the SSL address, click OK
55. Click OK to save the condition
56. Select the Description enabled check box
57. Add another condition: Click Add and select Subnet location

58. Click Add to specify the subnet address
59. Type 10.28.2.0 for the subnet address, 255.255.255.0 for the mask, and click OK
60. Click OK to save the condition
61. Click OK to save the location description
62. Click Yes to confirm that you understand the consequences
63. Select the HQ (by SSL accessibility) description and move it to the top of the list (use the buttons on the right)
64. Close the lock at the top of the window (change Editing allowed to Editing locked)

65. Open the General section
66. Clear the Inherit settings from parent policy check box
67. Activate the policy: In the Policy status area, select Active Policy
68. Click OK to save the policy

Task C: Make sure that the laptop has received the policy

Check the Network Agent settings on tom-laptop using the klnagchk.exe utility.

The task is performed on tom-laptop.

The hq-router, dc, hq-ksc1, admin-desktop, lo-router, lo-ksc, and tom-laptop machines must be powered on.

69. Switch to the tom-laptop machine
70. Log into the system under the ABC\Tom account with the password Ka5per5Ky
71. Run powershell.exe as administrator (Administrator:Ka5per5Ky)
72. Change the directory to C:\Program Files (x86)\Kaspersky Lab\NetworkAgent
    — cd 'C:\Program Files (x86)\Kaspersky Lab\NetworkAgent'
73. Start the klnagchk.exe utility
74. Make sure that the utility outputs information about two profiles and three network locations

Task D: Check the settings in the remote office

Move tom-laptop to the LOLAN network and check its Administration Server connection settings.

The task is performed on tom-laptop.

The hq-router, dc, hq-ksc1, admin-desktop, lo-router, lo-ksc, and tom-laptop machines must be powered on.

Disconnect tom-laptop from the HQLAN network and connect it to the LOLAN network:
75. In vSphere Client console, select the lo-ksc virtual machine
76. Switch to the Networks tab
77. Check which network the lo-ksc computer is connected to (see the Name field), and write down or memorize it
78. In vSphere Client console, select the tom-laptop virtual machine
79. Open the properties of the tom-laptop virtual machine
80. Check which network the tom-laptop computer is connected to and write down which Network adapter 1 it uses
81. For tom-laptop, specify the same Network adapter 1 as lo-ksc has, and click OK
82. Wait a couple of minutes for tom-laptop to receive an address in the new network

83. Run the klnagchk.exe utility again (in PowerShell with administrator permissions)
84. In the utility output, pay attention to the following lines:
    Administration Server address: 'hq-ksc-1.abc.lab'
    Settings for updates
    Used profile: 'Update from lo-ksc.abc.lab'
    Administration Server address: 'lo-ksc.abc.lab'

Task E: Check the settings in HQ

Move tom-laptop to the HQLAN network and check connection to the Administration Server

The task is performed on tom-laptop.

The hq-router, dc, hq-ksc1, admin-desktop, lo-router, lo-ksc, and tom-laptop machines must be powered on.

Disconnect tom-laptop from the LOLAN network and connect it to the HQLAN network:
85. In vSphere Client console, select the tom-laptop virtual machine
86. Open the properties of the tom-laptop virtual machine
87. Change Network adapter 1 to the value that you wrote down at step 80 of this lab
88. Wait a couple of minutes for tom-laptop to receive an address in the new network

89. Run the klnagchk.exe utility again via the command shell with administrator permissions
90. Note that there is no Settings for updates section in the utility's output
91. Power off all machines except dc, hq-router, lo-router

Conclusion

You have configured laptops to download updates from the local Administration Server at any office. For this purpose, you
created descriptions of network locations for geographically distributed offices in the Network Agent policy and specified the
Administration Servers to be used as update sources at these offices in the connection profiles.

In this lab, we configured the policy on the Administration Server of one office only. In real life, you need to specify the same
settings in laptop policies on all servers.
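How the three condition types used in Lab 3 (SSL connection address accessibility, Name resolvability) and Lab 4 (SSL accessibility, Subnet location) combine into one profile choice, shown as an added example that is not part of this lab guide or of Kaspersky's Network Agent. It is a small Python model of network location evaluation with the descriptions as they stand after Lab 4, plus real probes for a live check: a DNS lookup, a TLS handshake compared against the exported klserver.cer, and a local subnet test. The top-to-bottom evaluation order, the reading of Subnet location as "the laptop holds an address in that subnet", and the name of the Lab 3 location description are assumptions drawn from the lab text; the addresses, names and profile names are the lab's own.

```python
"""Model of how a Network Agent picks a connection profile from network
location descriptions (added example; not Kaspersky code). The evaluation
order (first enabled description, top to bottom, whose conditions all hold
wins; otherwise the home Administration Server) and the probe semantics are
assumptions drawn from the lab text, not the product's documented logic."""
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List

HOME_SERVER = "<Home Administration Server>"
Probe = Callable[[str], bool]  # True if one listed value is reachable / resolvable / local


@dataclass
class Condition:
    kind: str               # "ssl" = SSL connection address accessibility,
                            # "dns" = Name resolvability, "subnet" = Subnet location
    values: List[str]
    match_any: bool = True  # False models "Does not match any of the values in the list"


@dataclass
class Location:
    name: str
    profile: str
    conditions: List[Condition]
    enabled: bool = True    # the "Description enabled" check box


def condition_holds(cond: Condition, probes: Dict[str, Probe]) -> bool:
    any_value = any(probes[cond.kind](v) for v in cond.values)
    return any_value if cond.match_any else not any_value


def select_profile(locations: List[Location], probes: Dict[str, Probe]) -> str:
    """First enabled description whose conditions all hold selects the profile
    (this is why the labs move the most specific descriptions to the top)."""
    for loc in locations:
        if loc.enabled and all(condition_holds(c, probes) for c in loc.conditions):
            return loc.profile
    return HOME_SERVER


def lab_locations() -> List[Location]:
    """Descriptions after Lab 4: HQ on top, then LO, then the Lab 3 description
    imported with the policy (its name is assumed; this page does not give it).
    An update-only profile such as the LO one supplements the home connection
    (the "Settings for updates" section in klnagchk) rather than replacing it."""
    return [
        Location("HQ (by SSL accessibility)", HOME_SERVER, [
            Condition("ssl", ["10.28.1.20:13000"]),
            Condition("subnet", ["10.28.2.0/255.255.255.0"]),
        ]),
        Location("LO (by SSL accessibility)", "Update from lo-ksc.abc.lab", [
            Condition("ssl", ["lo-ksc.abc.lab:13000"]),
            Condition("subnet", ["10.28.4.0/255.255.255.0"]),
        ]),
        Location("Outside the perimeter (assumed name)", "hq-ksc1 via cgw 10.28.0.2", [
            Condition("ssl", ["10.28.1.20:13000"], match_any=False),
            Condition("dns", ["hq-ksc1.abc.lab"], match_any=False),
        ]),
    ]


def simulated_probes(ssl_reachable: set, resolvable: set, local_ip: str) -> Dict[str, Probe]:
    """Constructed probe results so the model can be run offline."""
    ip = ipaddress.ip_address(local_ip)
    return {
        "ssl": lambda v: v in ssl_reachable,
        "dns": lambda v: v in resolvable,
        "subnet": lambda v: ip in ipaddress.ip_network(v, strict=False),
    }


def load_pinned_cert(path: str) -> bytes:
    """klserver.cer as exported by KSC; accepts DER or PEM, returns DER."""
    with open(path, "rb") as f:
        data = f.read()
    return ssl.PEM_cert_to_DER_cert(data.decode()) if data.startswith(b"-----BEGIN") else data


def live_probes(pinned: Dict[str, bytes], timeout: float = 3.0) -> Dict[str, Probe]:
    """Real checks. The TLS probe compares the presented certificate with the
    pinned DER, so any other host answering on port 13000 does not count."""
    def dns(name: str) -> bool:
        try:
            socket.getaddrinfo(name, None)
            return True
        except socket.gaierror:
            return False

    def ssl_ok(addr: str) -> bool:
        host, port = addr.rsplit(":", 1)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pinned DER, not a CA chain
        try:
            with socket.create_connection((host, int(port)), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return tls.getpeercert(binary_form=True) == pinned.get(addr)
        except OSError:  # ssl.SSLError is a subclass of OSError
            return False

    def subnet(value: str) -> bool:
        net = ipaddress.ip_network(value, strict=False)
        local = {i[4][0] for i in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET)}
        return any(ipaddress.ip_address(a) in net for a in local)

    return {"ssl": ssl_ok, "dns": dns, "subnet": subnet}


if __name__ == "__main__":
    office = {"10.28.1.20:13000", "lo-ksc.abc.lab:13000"}
    for label, probes in [
        ("hotel Wi-Fi", simulated_probes(set(), set(), "192.168.0.10")),
        ("HQ LAN", simulated_probes(office, {"hq-ksc1.abc.lab"}, "10.28.2.50")),
        ("LO LAN", simulated_probes(office, {"hq-ksc1.abc.lab"}, "10.28.4.50")),
    ]:
        print(f"{label}: {select_profile(lab_locations(), probes)}")
```

Two things the model makes visible. On the LO LAN the HQ server is still reachable over the inter-site link, so the SSL condition of the HQ description holds there; only the Subnet location condition stops it from matching first, which is why Lab 4 pairs the two conditions. And on a guest network whose DNS resolves every name, the Lab 3 description fails its "does not match" test and the laptop falls back to the home server; this is the ambiguity the Lab 3 conclusion warns about, and the reason the SSL check is pinned to the server certificate rather than to a mere open port.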
