Connecting out-of-office devices

This section describes how to connect out-of-office devices (that is, managed devices that are located outside of the main network) to Administration Server.

Scenario: Connecting out-of-office devices through a connection gateway

This scenario describes how to connect managed devices that are located outside of the main network to Administration Server.

Prerequisites

The scenario has the following prerequisites:

• A demilitarized zone (DMZ) is organized in your organization's network.
• Kaspersky Security Center Administration Server is deployed on the corporate network.

Stages

This scenario proceeds in stages:

1. Selecting a client device in the DMZ

   This device will be used as a connection gateway. The device that you select must meet the requirements for connection gateways.

2. Installing Network Agent in the connection gateway role

   We recommend that you use a local installation to install Network Agent on the selected device.

   By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

   In the Connection gateway window of the Network Agent Setup Wizard, select Use Network Agent as a connection gateway in DMZ. This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.

   Alternatively, you can install Network Agent on a Linux device and configure Network Agent to work as a connection gateway, but pay attention to the list of limitations of Network Agent running on Linux devices.

3. Allowing connections in firewalls on the connection gateway

   To make sure that Administration Server can actually connect to the connection gateway in the DMZ, allow connections to TCP port 13000 in all firewalls between Administration Server and the connection gateway.

   If the connection gateway has no real IP address on the internet, but instead is located behind Network Address Translation (NAT), configure a rule to forward connections through NAT.

4. Creating an administration group for external devices

   Create a new group under the Managed devices group. This new group will contain external managed devices.

5. Connecting the connection gateway to Administration Server

   The connection gateway that you have configured is waiting for a connection from Administration Server. However, Administration Server does not list the device with the connection gateway among managed devices. This is because the connection gateway has not tried to establish a connection to Administration Server. Therefore, you need a special procedure to ensure that Administration Server initiates a connection to the connection gateway.

   Do the following:

   1. Add the connection gateway as a distribution point.
   2. Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.

   The connection gateway is connected and configured.

6. Connecting external desktop computers to Administration Server

   Usually, external desktop computers are not moved inside the perimeter. Therefore, you need to configure them to connect to Administration Server through the gateway when installing Network Agent.

7. Setting up updates for external desktop computers

   If updates of security applications are configured to be downloaded from Administration Server, external computers download updates through the connection gateway. This has two disadvantages:

   • This is unnecessary traffic, which takes up bandwidth of the company's internet communication channel.
   • This is not necessarily the quickest way to get updates. It is very likely that it would be cheaper and faster for external computers to receive updates from Kaspersky update servers.

   Do the following:

   1. Move all external computers to the separate administration group that you created earlier.
   2. Exclude the group with external devices from the update task.
   3. Create a separate update task for the group with external devices.
8. Connecting traveling laptops to Administration Server

   Traveling laptops are within the network sometimes and outside the network at other times. For effective management, you need them to connect to Administration Server differently depending on their location. For efficient use of traffic, they also need to receive updates from different sources, depending on their location.

   You need to configure rules for out-of-office users: connection profiles and network location descriptions. Each rule defines the Administration Server instance to which traveling laptops must connect, depending on their location and the Administration Server instance from which they must receive updates.

About connecting out-of-office devices

Some managed devices are always located outside of the main network (for example, computers in a company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of employees). Some devices travel outside the perimeter from time to time (for example, laptops of users who visit regional branches or a customer's office).

You still need to monitor and manage the protection of out-of-office devices—receive actual information about their protection status and keep the security applications on them in the up-to-date state. This is necessary because, for example, if such a device is compromised while being away from the main network, it could become a platform for propagating threats as soon as it connects to the main network. To connect out-of-office devices to Administration Server, you can use two methods:

• Connection gateway in the demilitarized zone (DMZ)

  See the data traffic scheme: Administration Server on LAN, managed devices on the Internet, connection gateway in use

• Administration Server in DMZ

  See the data traffic scheme: Administration Server in DMZ, managed devices on Internet

A connection gateway in the DMZ

A recommended method for connecting out-of-office devices to Administration Server is organizing a DMZ in the organization's network and installing a connection gateway in the DMZ. External devices will connect to the connection gateway, and Administration Server inside the network will initiate a connection to the devices via the connection gateway.

As compared to the other method, this one is more secure:

• You do not need to open access to Administration Server from outside the network.
• A compromised connection gateway does not pose a high risk to the safety of the network devices. A connection gateway does not actually manage anything itself and does not establish any connections.

Also, a connection gateway does not require many hardware resources.

However, this method has a more complicated configuration process:

• To act a device as a connection gateway in the DMZ, you need to install Network Agent and connect it to Administration Server in a specific way.
• You will not be able to use the same address for connecting to Administration Server for all situations. From outside the perimeter, you will need to use not just a different address (connection gateway address), but also a different connection mode: through a connection gateway.
• You also need to define different connection settings for laptops in different locations.

The scenario in this section describes this method.

Administration Server in the DMZ

Another method is installing a single Administration Server in the DMZ.

This configuration is less secure than the other method. To manage external laptops in this case, Administration Server must accept connections from any address on the internet. It will still manage all devices in the internal network, but from the DMZ. Therefore, a compromised Server could cause an enormous amount of damage, despite the low likelihood of such an event.

The risk gets significantly lower if Administration Server in the DMZ does not manage devices in the internal network. Such a configuration can be used, for example, by a service provider to manage the devices of customers.

You might want to use this method in the following cases:

• If you are familiar with installing and configuring Administration Server, and do not want to perform another procedure to install and configure a connection gateway.
• If you need to manage more devices. The maximum capacity of Administration Server is 100,000 devices, while a connection gateway can support up to 10,000 devices.

This solution also has possible difficulties:

• Administration Server requires more hardware resources and one more database.
• Information about devices will be stored in two unrelated databases (for Administration Server inside the network and another one in the DMZ), which complicates monitoring.
• To manage all devices, Administration Server needs to be joined into a hierarchy, which complicates not only monitoring but also management. A secondary Administration Server instance imposes limitations on the possible structures of administration groups. You have to decide how and which tasks and policies to distribute to a secondary Administration Server instance.
• Configuring external devices to use Administration Server in the DMZ from the outside and to use the primary Administration Server from the inside is not simpler than to just configure them to use a conditional connection through a gateway.
• High security risks. A compromised Administration Server instance makes it easier to compromise its managed laptops. If this happens, the hackers just need to wait for one of the laptops to return to the corporate network so that they can continue their attack on the local area network.

Connecting external desktop computers to Administration Server

Desktop computers that are always outside of the main network (for example, computers in the company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of employees) cannot be connected to Administration Server directly. They must be connected to Administration Server via a connection gateway that is installed in the demilitarized zone (DMZ). This configuration is made when installing Network Agent on those computers.

To connect external desktop computers to Administration Server:

1. Create a new installation package for Network Agent.
2. Open the properties of the created installation package and go to the Advanced section, and then select the Connect to Administration Server by using connection gateway option.

   The Connect to Administration Server by using connection gateway setting is incompatible with the Use Network Agent as a connection gateway in DMZ setting. You cannot enable both of these settings at the same time.

3. In Connection gateway address, specify the public address of the connection gateway.

   If the connection gateway is located behind Network Address Translation (NAT) and does not have its own public address, configure a NAT gateway rule for forwarding connections from the public address to the internal address of the connection gateway.

4. Create a stand-alone installation package based on the created installation package.
5. Deliver the stand-alone installation package to the target computers, either electronically or on a removable drive.
6. Install Network Agent from the stand-alone package.

External desktop computers are connected to Administration Server.

About connection profiles for out-of-office users

Out-of-office users of laptops (hereinafter also referred to as "devices") may need to change the method of connecting to an Administration Server or switch between Administration Servers depending on the current location of the device on the enterprise network.

Connection profiles are supported only for devices running Windows.

Using different addresses of a single Administration Server

The following procedure is only applied to Kaspersky Security Center 10 Service Pack 1 and later.

Devices with Network Agent installed can connect to the Administration Server either from the organization's intranet or from the internet. This situation may require Network Agent to use different addresses for connection to Administration Server: the external Administration Server address for the Internet connection and the internal Administration Server address for the internal network connection.

To do this, you must add a profile (for connection to Administration Server from the Internet) to the Network Agent policy. Add the profile in the policy properties (Connectivity section, Connection profiles subsection). In the profile creation window, you must disable the Use to receive updates only option and select the Synchronize connection settings with the Administration Server settings specified in this profile option. If you use a connection gateway to access Administration Server (for example, in a Kaspersky Security Center configuration as that described in Internet access: Network Agent as connection gateway in DMZ), you must specify the address of the connection gateway in the corresponding field of the connection profile.

Switching between Administration Servers depending on the current network

The following procedure is only applied to Kaspersky Security Center 10 Service Pack 2 Maintenance Release 1 and any later versions.

If the organization has multiple offices with different Administration Servers and some of the devices with Network Agent installed move between them, you need Network Agent to connect to the Administration Server of the local network in the office where the device is currently located.

In this case, you must create a profile for connection to Administration Server in the properties of the policy of Network Agent for each of the offices, except for the home office where the original home Administration Server is located. You must specify the addresses of Administration Servers in connection profiles and enable or disable the Use to receive updates only option:

• Select the option if you need Network Agent to be synchronized with the home Administration Server, while using the local Server for downloading updates only.
• Disable this option if it is necessary for Network Agent to be managed completely by the local Administration Server.

After that, you must set up the conditions of switching to the newly created profiles: at least one condition for each of the offices, except for the home office. Every condition's purpose consists in detection of items that are specific for an office's network environment. If a condition is true, the corresponding profile gets activated. If none of the conditions is true, Network Agent switches to the home Administration Server.

Creating a connection profile for out-of-office users

Expand all | Collapse all

An Administration Server connection profile is available only on devices running Windows.

To create a profile for connecting Network Agent to Administration Server for out-of-office users:

1. In the console tree, select the administration group containing the client devices for which you need to create a profile for connecting Network Agent to the Administration Server.
2. Do one of the following:
   • If you want to create a connection profile for all devices in the group, select a Network Agent policy in the group workspace, on the Policies tab. Open the properties window of the selected policy.
   • If you want to create a connection profile for a device in a group, select that device in the group workspace, on the Devices tab, and perform the following actions:
     1. Open the properties window of the selected device.
     2. In the Applications section of the device properties window, select Network Agent.
     3. Open the Network Agent properties window.
3. In the properties window, in the Connectivity section, select the Connection profiles subsection.
4. In the Administration Server connection profiles settings group, click the Add button.

   By default, the list of connection profiles contains the <Offline mode> and <Home Administration Server> profiles. Profiles cannot be edited or removed.

   The <Offline mode> profile does not specify any Server for connection. Therefore, Network Agent, when switched to that profile, does not attempt to connect to any Administration Server while applications installed on client devices run under out-of-office policies. The <Offline mode> profile can be used if devices are disconnected from the network.

   The <Home Administration Server> profile specifies for connection the Administration Server that was selected during Network Agent installation. The <Home Administration Server> profile is applied when a device is reconnected to the home Administration Server after it was running on an external network for some time.

5. In the New profile window that opens, configure the connection profile:
   • Profile name

     In the entry field you can view or change the connection profile name.

   • Administration Server

     Address of the Administration Server to which the client device must connect during profile activation.

   • Port

     Port number that is used for connection.

   • SSL port

     Port number for connection if using the SSL protocol.

   • Use SSL

     If this option is enabled, the connection is established through a secure port, by using SSL protocol.

     By default, this option is enabled. We recommend that you do not disable this option so your connection remains secured.

   • Click the Configure connection through proxy server link to configure connection through a proxy server. Select the Use proxy server option if you want to use a proxy server when connecting to the internet. If this option is selected, the fields are available for entering settings. Specify the following settings for proxy server connection:
     • Proxy server address

       Address of the proxy server used for Kaspersky Security Center connection to the internet.

     • Port number

       Number of the port through which Kaspersky Security Center proxy connection will be established.

     • Proxy server authentication

       If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.

       This entry field is available if the Use proxy server check box is selected.

     • User name (this field is available if the Proxy server authentication option is selected)

       User account under which connection to the proxy server is established (this field is available if the Proxy server authentication check box is selected).

     • Password (this field is available if the Proxy server authentication option is selected)

       Password set by the user under whose account the proxy server connection is established (this field is available if the Proxy server authentication check box is selected).

       To see the entered password, click and hold the Show button for as long as you require.

   • Connection gateway settings

     Address of the gateway through which client devices connect to the Administration Server.

   • Enable out-of-office mode

     If this option is enabled, in case of connection through this profile, applications installed on the client device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no out-of-office policy has been defined for the application, the active policy will be used.

     If this option is disabled, applications will use active policies.

     By default, this option is disabled.

   • Use to receive updates only

     If this option is enabled, the profile will only be used for downloading updates by applications installed on the client device. For other operations, connection to the Administration Server will be established with the initial connection settings defined during Network Agent installation.

     By default, this option is enabled.

   • Synchronize connection settings with the Administration Server settings specified in this profile

     If this option is enabled, Network Agent connects to Administration Server using the settings specified in the profile properties.

     If this option is disabled, Network Agent connects to Administration Server using the original settings that have been specified during installation.

     This option is available if the Use to receive updates only option is disabled.

     By default, this option is disabled.

6. Select the Enable out-of-office mode when Administration Server is not available option to allow the applications installed on a client device to use policy profiles for devices in out-of-office mode, as well as out-of-office policies, at any connection attempt if the Administration Server is not available. If no out-of-office policy has been defined for the application, the active policy will be used.

A profile for connecting Network Agent to Administration Server is created for out-of-office users. When Network Agent connects to Administration Server using this profile, applications installed on the client device will use policies for devices in out-of-office mode, or out-of-office policies.

About switching Network Agent to other Administration Servers

The initial settings of the Network Agent connection to Administration Server are defined when installing the Network Agent. To switch the Network Agent to other Administration Servers, you can use the switching rules. This feature is supported only for Network Agents installed on devices running Windows.

The switching rules can trigger on changing the following network parameters:

• Default gateway address.
• IP address of the Dynamic Host Configuration Protocol (DHCP) server.
• DNS suffix of the subnet.
• IP address of the network DNS server.
• Windows domain accessibility.
• Subnet address and mask.
• IP address of the network WINS server.
• DNS or NetBIOS name of the client device.
• SSL connection address accessibility.

If rules for switching the Network Agent to other Administration Servers have been created, the Network Agent responds to changes in the network parameters as follows:

• If the network settings comply with one of the rules created, Network Agent connects to the Administration Server specified in this rule. Applications installed on client devices switch to out-of-office policies, provided such behavior is enabled by a rule.
• If none of the rules apply, Network Agent reverts to the default settings of connection to the Administration Server specified during the installation. Applications installed on client devices switch back to active policies.
• If the Administration Server is not accessible, Network Agent uses out-of-office policies.

Network Agent switches to the out-of-office policy only if the Enable out-of-office mode when Administration Server is not available option is enabled in the Network Agent policy settings.

The settings of Network Agent connection to Administration Server are saved in a connection profile. In the connection profile, you can create rules for switching client devices to out-of-office policies, and you can configure the profile so that it could only be used for downloading updates.

Creating a Network Agent switching rule by network location

Expand all | Collapse all

Network Agent-switching by network location is available only on devices running Windows.

To create a rule for Network Agent switching from one Administration Server to another if network settings change:

1. In the console tree, select the administration group containing the devices for which you need to create a Network Agent switching rule by the network location description.
2. Do one of the following:
   • If you want to create a rule for all devices in the group, go to the group workspace and select a Network Agent policy on the Policies tab. Open the properties window of the selected policy.
   • If you want to create a rule for a device selected from a group, go to the group workspace, select the device on the Devices tab, and perform the following actions:
     1. Open the properties window of the selected device.
     2. In the Applications section of the device properties window, select Network Agent.
     3. Open the Network Agent properties window.
3. In the properties window that opens, in the Connectivity section, select the Connection profiles subsection.
4. In the Network location settings section, click the Add button.
5. In the New description window that opens, configure the network location description and switching rule. Specify the following network location description settings:
   • Network location description name

     The name of a network location description cannot be longer than 255 characters nor contain special symbols, such as ("*<>?\/:|).

   • Use connection profile

     In the drop-down list you can specify the connection profile that Network Agent uses to connect to the Administration Server. This profile will be used when the network location description conditions are met. The connection profile contains the settings for Network Agent connection to the Administration Server; it also defines when client devices must switch to out-of-office policies. The profile is used only for downloading updates.

6. In the Switch conditions section, click the Add button to create a list of network location description conditions.

   The conditions in a rule are combined by using the logical AND operator. To trigger a switching rule by the network location description, all of the rule switching conditions must be met.

7. In the drop-down list, select the value that corresponds to the change in characteristics of the network to which the client device is connected:
   • Default connection gateway address—The address of the main network gateway has changed.
   • DHCP server address—The IP address of the network Dynamic Host Configuration Protocol (DHCP) server has changed.
   • DNS domain—The DNS suffix of the subnet has changed.
   • DNS server address—The IP address of the network DNS server has changed.
   • Windows domain accessibility—Changes the status of the Windows domain to which the client device is connected.
   • Subnet—Changes the subnet address and mask.
   • WINS server address—The IP address of the network WINS server has changed.
   • Name resolvability—The DNS or NetBIOS name of the client device has changed.
   • SSL connection address accessibility—The client device can or cannot (depending on the option that you select) establish an SSL connection with a specified Server (name:port). For each server, you can additionally specify an SSL certificate. In this case, the Network Agent verifies the Server certificate in addition to checking the capability of an SSL connection. If the certificate does not match, the connection fails.
8. In the window that opens, specify the condition for Network Agent to be switched to another Administration Server. The name of the window depends on the value selected during the previous step. Specify the following settings of the switching condition:
   • Value

     In the field, you can add one or several values for the condition being created.

   • Matches at least one value from the list

     If this option is selected, the condition will be met regardless of any value specified in the Value list.

     By default, this option is selected.

   • Does not match any of the values in the list

     If this option is selected, the condition is met if its value is not in the Value list.

9. In the New description window, select the Description enabled option to enable the use of the new network location description.

A new switching rule by the network location description is created; any time its conditions are met, the Network Agent uses the connection profile specified in the rule to connect to the Administration Server.

The network location descriptions are checked for a match to the network layout in the order of their appearance in the list. If a network matches several descriptions, the first one will be used.

You can change the order of rules on the list using the Up button () and Down button ().