Planning Kaspersky Security Center deployment
When planning the deployment of Kaspersky Security Center components on an organization's network, you must take into account the size and scope of the project; specifically, the following factors:
- Total number of devices
- Number of MSP clients
One Administration Server can support a maximum of 100,000 devices. If the total number of devices on an organization's network exceeds 100,000, multiple Administration Servers must be deployed on the service provider side and combined into a hierarchy for convenient centralized management.
Up to 500 virtual servers can be created on a single Administration Server, so a separate Administration Server is required for every 500 MSP clients.
At the deployment-planning stage, consider whether a custom X.509 certificate should be assigned to the Administration Server. Assigning your own X.509 certificate to the Administration Server may be useful in the following cases (partial list):
- Inspecting secure socket layer (SSL) traffic by means of an SSL termination proxy
- Specifying required values in certificate fields
- Providing the required encryption strength of a certificate
Providing internet access to the Administration Server
To allow devices on the client network to access the Administration Server over the internet, you have to make available the following Administration Server ports:
- 13000 TCP—Administration Server TLS port for connecting Network Agents deployed on the client network
- 8061 TCP—HTTPS port for publishing stand-alone packages using Administration Console tools
- 8060 TCP—HTTP port for publishing stand-alone packages using Administration Console tools
- 13292 TCP—TLS port required only if there are mobile devices that need to be managed
If you need to give clients basic network administration capabilities through Kaspersky Security Center 13.1 Web Console, you also have to open the following Kaspersky Security Center 13.1 Web Console ports:
- 8081 TCP—HTTPS port
- 8080 TCP—HTTP port
Kaspersky Security Center standard configuration
One or several Administration Servers are deployed on the MSPs' servers. The number of Administration Servers can be selected either based on available hardware, or on the total number of MSP clients served or total number of managed devices.
One Administration Server can support up to 100,000 devices. You must consider the possibility of increasing the number of managed devices in the near future: it may be useful to connect a slightly smaller number of devices to a single Administration Server.
Up to 500 virtual servers can be created on a single Administration Server, so a separate Administration Server is required for every 500 MSP clients.
If multiple Servers are used, it is recommended that you combine them into a hierarchy. A hierarchy of Administration Servers lets you avoid duplicated policies and tasks and handle the whole set of managed devices as if a single Administration Server managed them: you can search for devices, build device selections, and create reports across all of them.
On each virtual server that corresponds to an MSP client, you must assign one or several distribution point(s). If MSP clients and the Administration Server are linked through the internet, it may be useful to create a Download updates to the repositories of distribution points task for the distribution points, so that they will download updates directly from Kaspersky servers, not from the Administration Server.
If some devices in the MSP client network have no direct internet access, you have to switch the distribution points to the connection gateway mode. In this case, Network Agents on devices on the MSP client network will be connected, for further synchronization, to the Administration Server—but through the gateway, not directly.
Since the Administration Server will most probably be unable to poll the network on the MSP client side, it may be useful to turn this function over to a distribution point.
The Administration Server will not be able to send notifications to port 15000 UDP to managed devices located behind the NAT on the MSP client network. To resolve this issue, it may be useful to enable the mode of continuous connection to the Administration Server in the properties of devices acting as distribution points and running in connection gateway mode (Do not disconnect from the Administration Server check box). The continuous connection mode is available if the total number of distribution points does not exceed 300.
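The sizing limits (100,000 devices and 500 virtual servers per Administration Server, 300 distribution points for continuous connection mode) and the port list from the internet-access section above, turned into an added planning helper that is not part of the Kaspersky documentation. The 10% growth headroom and the client-side TCP connect check are assumptions of this example.

```python
"""Planning helper for an MSP deployment of Kaspersky Security Center (added example)."""
import math
import socket

# Limits stated in the deployment guidance.
MAX_DEVICES_PER_SERVER = 100_000
MAX_VIRTUAL_SERVERS_PER_SERVER = 500
MAX_DPS_FOR_CONTINUOUS_CONNECTION = 300

# Administration Server ports that client networks must reach over the internet.
ADMIN_SERVER_PORTS = {
    13000: "TCP/TLS - Network Agent connections",
    8061: "TCP/HTTPS - stand-alone package publishing",
    8060: "TCP/HTTP - stand-alone package publishing",
}
MOBILE_PORT = {13292: "TCP/TLS - mobile device management"}
WEB_CONSOLE_PORTS = {8081: "TCP/HTTPS - Web Console", 8080: "TCP/HTTP - Web Console"}


def administration_servers_needed(total_devices, msp_clients, headroom=0.9):
    """Minimum number of Administration Servers; 'headroom' (assumed value) keeps
    each Server below its device maximum to leave room for growth."""
    if not 0 < headroom <= 1:
        raise ValueError("headroom must be in (0, 1]")
    usable_devices = int(MAX_DEVICES_PER_SERVER * headroom)
    by_devices = math.ceil(total_devices / usable_devices)
    by_clients = math.ceil(msp_clients / MAX_VIRTUAL_SERVERS_PER_SERVER)
    return max(1, by_devices, by_clients)


def continuous_connection_allowed(distribution_points):
    """'Do not disconnect from the Administration Server' needs <= 300 distribution points."""
    return distribution_points <= MAX_DPS_FOR_CONTINUOUS_CONNECTION


def required_inbound_ports(manage_mobile=False, web_console=False):
    """Inbound allowlist for the Administration Server, keyed by TCP port."""
    ports = dict(ADMIN_SERVER_PORTS)
    if manage_mobile:
        ports.update(MOBILE_PORT)
    if web_console:
        ports.update(WEB_CONSOLE_PORTS)
    return ports


def check_reachability(host, ports, timeout=3.0):
    """Run from a client network: {port: reachable} via a plain TCP connect (assumed check)."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                result[port] = True
            except OSError:
                result[port] = False
    return result
```

Run `administration_servers_needed(250_000, 600)` to see that the device limit, not the client limit, dictates three Servers here, which the guide then recommends combining into a hierarchy.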
About distribution points
A device with Network Agent installed can be used as a distribution point. In this mode, Network Agent can perform the following functions:
- Distribute updates (these can be retrieved either from the Administration Server or from Kaspersky servers). In the latter case, the Download updates to the repositories of distribution points task must be created for the device serving as the distribution point.
- Install software (including initial deployment of Network Agents) on other devices.
- Poll the network to detect new devices and update information about existing ones. A distribution point can apply the same device discovery methods as the Administration Server.
Deployment of distribution points on an organization's network pursues the following objectives:
- Reduce the load on the Administration Server if it functions as the update source.
- Optimize internet traffic since, in this case, each device on the MSP client network does not have to access Kaspersky servers or the Administration Server for updates.
- Provide the Administration Server access to devices behind the NAT (relative to the Administration Server) of the MSP client network, which allows the Administration Server to perform the following actions:
  - Send notifications to devices over UDP.
  - Poll the network.
  - Perform initial deployment.
A distribution point is assigned for an administration group. In this case, the distribution point's scope includes all devices within the administration group and all of its subgroups. However, the device acting as the distribution point does not have to be included in the administration group to which it has been assigned.
You can make a distribution point function as a connection gateway. In this case, devices in the scope of this distribution point will be connected to the Administration Server through the gateway, not directly. You can use this mode in scenarios that do not allow the establishment of a direct connection between devices with Network Agent and an Administration Server.
Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.
Hierarchy of Administration Servers
An MSP may run multiple Administration Servers. It can be inconvenient to administer several separate Administration Servers, so a hierarchy can be applied. A "primary/secondary" configuration for two Administration Servers provides the following options:
- A secondary Administration Server inherits policies and tasks from the primary Administration Server, thus preventing duplication of settings.
- Selections of devices on the primary Administration Server can include devices from secondary Administration Servers.
- Reports on the primary Administration Server can contain data (including detailed information) from secondary Administration Servers.
Virtual Administration Servers
On the basis of a physical Administration Server, multiple virtual Administration Servers can be created, which behave similarly to secondary Administration Servers. Compared to the discretionary access model based on access control lists (ACLs), the virtual Administration Server model offers more functionality and a higher degree of isolation. In addition to a dedicated structure of administration groups for assigned devices with their policies and tasks, each virtual Administration Server has its own group of unassigned devices, its own sets of reports, device selections and events, installation packages, moving rules, and so on. For maximum mutual isolation of MSP clients, we recommend that you use virtual Administration Servers. In addition, creating a virtual Administration Server for each MSP client lets you give clients basic network administration capabilities through Kaspersky Security Center 13.1 Web Console.
Virtual Administration Servers are very similar to secondary Administration Servers, but with the following distinctions:
- A virtual Administration Server lacks most global settings and its own TCP ports.
- A virtual Administration Server has no secondary Administration Servers.
- A virtual Administration Server has no other virtual Administration Servers.
- A physical Administration Server views devices, groups, events, and objects on managed devices (items in Quarantine, applications registry, etc.) of all its virtual Administration Servers.
- A virtual Administration Server can only poll the network through distribution points connected to it.
Managing mobile devices with Kaspersky Endpoint Security for Android
Mobile devices with installed Kaspersky Endpoint Security for Android (hereinafter referred to as KES devices) are managed by means of the Administration Server. Kaspersky Security Center 10 Service Pack 1, as well as later versions, supports the following features for managing KES devices:
- Handling mobile devices as client devices:
  - Membership in administration groups
  - Monitoring, such as viewing statuses, events, and reports
  - Modifying local settings and assigning policies for Kaspersky Endpoint Security for Android
- Sending commands in centralized mode
- Installing mobile app packages remotely
Administration Server manages KES devices through TLS, TCP port 13292.