Installing Administration Server on a Microsoft failover cluster

The procedure of installing Administration Server on a failover cluster differs from both standard and custom installation on a stand-alone device.

Perform the procedure described in this section on the node that contains a common data storage of the cluster.

To install Kaspersky Security Center Administration Server on a cluster:

Run the ksc_<version number>.<build number>_full_<localization language>.exe executable file.

A window opens prompting you to select Kaspersky applications to install. In the application selection window, click the Install Kaspersky Security Center 13.1 Administration Server link to start the Administration Server Setup Wizard. Follow the instructions of the Wizard.

Step 1. Reviewing the License Agreement and Privacy Policy

At this step of the Setup Wizard, you must read the License Agreement, which is to be concluded between you and Kaspersky, as well as the Privacy Policy.

You may also be prompted to view the License Agreements and Privacy Policies for application management plug-ins that are available in the Kaspersky Security Center distribution kit.

Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and accept the following section:

• The terms and conditions of this EULA
• Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.

If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.

Step 2. Selecting the type of installation on a cluster

Select the type of installation on the cluster:

• Cluster (install on all cluster nodes)

  This is the recommended option. If you select this option, Administration Server will be installed on all nodes of the cluster simultaneously.

  At the step of selecting the Administration Console for installation, you will need to select the console that will be installed on the current cluster node. If you install a console only on the cluster node, in case of node failure, you will lose access to Administration Server. We recommend that during this step, you select the MMC-based console for installation on all cluster nodes. After you install Administration Server, install Kaspersky Security Center 13.1 Web Console on a separate device that is not a cluster node. This allows you to manage Administration Server by using Kaspersky Security Center 13.1 Web Console if the cluster node fails.

• Locally (install on this device only)

  If you select this option, Administration Server will be installed only on the current node, as if on a stand-alone server, and Administration Server will not work as a cluster-aware application. For example, you may want to choose this option to save shared storage space if fault tolerance is not needed for Administration Server. In case of the current node failure, you will have to install Administration Server on another node and restore the Administration Server state from a backup.

Further steps are the same as when you use the standard or custom installation method, starting from the installation method selection step.

Page top

Step 3. Specifying the name of the virtual Administration Server

Specify the network name of the new virtual Administration Server. You will be able to use this name to connect Administration Console or Kaspersky Security Center 13.1 Web Console to Administration Server.

The name that you specify must differ from the cluster name.

Step 4. Specifying the network details of the virtual Administration Server

To specify the network details of the new virtual Administration Server instance:

1. In Network to use, select the domain network to which the current cluster node is connected.
2. Do either of the following:
   • If DHCP is used in the selected network to assign IP addresses, select the Use DHCP option.
   • If DHCP is not used in the selected network, specify the required IP address.

     The IP address that you specify must differ from the cluster IP address.

3. Click Add to apply the specified settings.

You will be able to use the automatically assigned or the specified IP address to connect Administration Console or Kaspersky Security Center Web Console to Administration Server.

Page top

Step 5. Specifying a cluster group

A cluster group is a special failover cluster role that contains common resources for all nodes. You have two options:

• Creating a new cluster group.

  This option is recommended in most cases. The new cluster group will contain all common resources that relate to the Administration Server instance.

• Selecting an existing cluster group.

  Select this option if you want to use a common resource that is already associated with an existing cluster group. For example, you may want to use this option if you want to use a storage associated with an existing cluster group and if there are no other available storage for a new cluster group.

Step 6. Selecting a cluster data storage

To select a cluster data storage:

1. In Available repositories, select the data storage to which the common resources of the virtual Administration Server instance will be installed.
2. If the selected data storage contains several volumes, under Available sections on disk drive, select the required volume.
3. In Installation path, enter the path on the common data storage to which the resources of the virtual Administration Server instance will be installed.

The data storage is selected.

Step 7. Specifying an account for remote installation

Specify the user name and password that will be used for remote installation of the virtual Administration Server instance on a passive node of the cluster.

The account that you specify must be granted administrative privileges on all nodes of the cluster.

Step 8. Selecting the components to be installed

Select the components of Kaspersky Security Center Administration Server that you want to install:

• Mobile Device Management. Select this check box if you must create installation packages for mobile devices when the Kaspersky Security Center Setup Wizard is running. You can also create installation packages for mobile devices manually, after Administration Server installation, by using Administration Console tools.
• SNMP agent. This component receives statistical information for the Administration Server over the SNMP protocol. The component is available if the application is installed on a device with SNMP installed.

  After Kaspersky Security Center is installed, the .mib files required for receiving statistics are located in the SNMP subfolder of the application installation folder.

Network Agent and Administration Console are not displayed in the component list. These components are installed automatically and you cannot cancel their installation.

At this step you must specify a folder for installation of Administration Server components. By default, the components are installed to <Disk>:\Program Files\Kaspersky Lab\Kaspersky Security Center. If no such folder exists, this folder is created automatically during installation. You can change the destination folder by using the Browse button.

Page top

Step 9. Selecting network size

Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of devices on the network, the Wizard configures the installation and appearance of the application interface so that they match.

The following table lists the application installation settings and interface appearance settings, which are adjusted based on various network sizes.

Dependence of installation settings on the network scale selected

If you connect Administration Server to a MySQL or SQL Express database server, it is not recommended to use the application to manage more than 10,000 devices. For the MariaDB database management system, the maximum recommended number of managed devices is 20,000.

Page top

Step 10. Selecting a database

At this step of the Wizard, you must select the mechanism—Microsoft SQL Server (SQL Express) or MySQL—that will be used to store the Administration Server database. The MySQL option is relevant to both MySQL and MariaDB.

It is recommended to install the Administration Server on a dedicated server instead of a domain controller. However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller (RODC), Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case, we recommend that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that you use MySQL or MariaDB, if you need to install the DBMS locally.

The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky Security Center installation folder (this file is also available in an archive on the Kaspersky portal: klakdb.zip).

Page top

Step 11. Configuring the SQL Server

At this step of the Wizard, you configure SQL Server.

Depending on the database that you have selected, specify the following settings:

• If you selected Microsoft SQL Server (SQL Server Express) in the previous step:
  • In the SQL Server instance name field, specify the name of the SQL Server on the network. To view a list of all SQL Servers that are on the network, click the Browse button. This field is blank by default.

    If you connect to the SQL Server through a custom port, then together with the SQL Server host name specify the port number separated with a comma, for example:

    SQL_Server_host_name,1433

    If you secure communication between the Administration Server and SQL Server by means of a certificate, specify in the SQL Server instance name field the same host name that was used at the certificate generating. If you use a named instance of SQL Server, then together with the SQL Server host name specify the port number separated with a comma, for example:

    SQL_Server_name,1433

    If you use several instances of SQL Server on the same host, then additionally specify the instance name separated with a backslash, for example:

    SQL_Server_name\SQL_Server_instance_name,1433

    If a SQL Server on the enterprise network has the Always On feature enabled, specify the name of the availability group listener in the SQL Server instance name field. Note that Administration Server supports only the synchronous-commit availability mode when the Always On feature is enabled.

  • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

  If at this stage you want to install SQL Server on the device from which you are installing Kaspersky Security Center, you must stop installation and restart it after SQL Server is installed. The supported SQL Server versions are listed in the system requirements.

  If you want to install SQL Server on a remote device, you do not have to interrupt the Kaspersky Security Center Setup Wizard. Install SQL Server and resume installation of Kaspersky Security Center.

• If you selected MySQL in the previous step:
  • In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name is the IP address of the device on which Kaspersky Security Center is to be installed.
  • In the Port field, specify the port for Administration Server connection to the SQL Server database. The default port number is 3306.

In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

Step 12. Selecting an authentication mode

Determine the authentication mode that will be used when Administration Server connects to the SQL Server.

Depending on the database that is selected, you can choose from the following authentication modes:

• For SQL Express or Microsoft SQL Server select one of the following options:
  • Microsoft Windows Authentication mode. Verification of rights uses the account used for starting Administration Server.
  • SQL Server Authentication mode. If you select this option, the account specified in the window is used to verify access rights. Fill in the Account and Password fields.

    To see the entered password, click and hold the Show button.

  For both authentication modes, the application checks if the database is available. If the database is not available, an error message is displayed, and you have to provide correct credentials.

  If the Administration Server database is stored on another device and the Administration Server account does not have access to the database server, you must use SQL Server authentication mode when installing or upgrading Administration Server. This may occur when the device that stores the database is outside the domain or when Administration Server is installed under a LocalSystem account.

For the MySQL server or MariaDB server, specify the account and password.

Page top

Step 13. Selecting the account to start Administration Server

Select the account that will be used to start Administration Server as a service.

• Generate the account automatically. The application creates an account named KL-AK-*, under which the kladminserver service will run.

  You can select this option if you plan to locate the shared folder and the DBMS on the same device as Administration Server.

• Select an account. The Administration Server service (kladminserver) will run under the account that you selected.

  You will have to select a domain account if, for example, you plan to use as the DBMS a SQL Server instance of any version, including SQL Express, that is located on another device, and/or you plan to locate the shared folder on another device.

  Starting from version 10 Service Pack 3, Kaspersky Security Center supports managed service accounts (MSA) and group managed service accounts (gMSA). If these types of accounts are used in your domain, you can select one of them as the account for the Administration Server service.

  Before specifying MSA or gMSA, you must install the account on the same device on which you want to install Administration Server. If the account is not installed yet, then cancel the Administration Server installation, install the account, and then restart the Administration Server installation. For details about installation of managed service accounts on a local device, refer to the official Microsoft documentation.

  To specify MSA or gMSA:

  1. Click the Browse button.
  2. In the window that opens, click the Object type button.
  3. Select the Account for services type and click OK.
  4. Select the relevant account and click OK.

The account that you selected must have different permissions, depending on the DBMS that you plan for use.

For security reasons, please do not assign the privileged status to the account under which you run Administration Server.

If later you decide to change the Administration Server account, you can use the utility for Administration Server account switching (klsrvswch).

Page top

Step 14. Selecting the account for running the Kaspersky Security Center services

Select the account under which the services of Kaspersky Security Center will run on this device:

• Generate the account automatically. Kaspersky Security Center creates a local account named KlScSvc on this device in the kladmins group. The services of Kaspersky Security Center will be run under the account that has been created.
• Select an account. The Kaspersky Security Center services will be run under the account that you selected.

  You will have to select a domain account if, for example, you intend to save reports to a folder located on a different device or if this is required by your organization's security policy. You may also have to select a domain account if you install Administration Server on a failover cluster.

For security reasons, do not grant privileged status to the account under which the services are run.

The KSN proxy service (ksnproxy), Kaspersky activation proxy service (klactprx), and Kaspersky authentication portal service (klwebsrv) will be run under the selected account.

Page top

Step 15. Selecting a shared folder

Define the location and name of the shared folder that will be used to do the following:

• Store the files necessary for remote installation of applications (these files are copied to Administration Server during creation of installation packages).
• Store updates that have been downloaded from an update source to Administration Server.

File sharing (read-only) will be enabled for all users.

You can select either of the following options:

• Create a shared folder. Create a new folder. In the text box, specify the path to the folder.
• Select an existing shared folder. Select a shared folder that already exists.

The shared folder can be a local folder on the device that is used for installation or a remote directory on any client device on the corporate network. You can click the Browse button to select the shared folder, or specify the shared folder manually by entering its UNC path (for example, \\server\Share) in the corresponding field.

By default, the installer creates a local Share subfolder in the application folder that contains the components of Kaspersky Security Center.

You can define a shared folder later if needed.

Page top

Step 16. Configuring the connection to Administration Server

Expand all | Collapse all

Configure the connection to Administration Server:

• Port

  The number of the port used to connect to the Administration Server.

  The default port number is 14000.

• SSL port

  Secure Sockets Layer (SSL) port number used to securely connect to the Administration Server via SSL.

  The default port number is 13000.

• Encryption key length

  Select the length of the encryption key: 1024 bit or 2048 bit.

  A 1024-bit encryption key places a smaller load on the CPU, but it is considered obsolete because it cannot provide reliable encryption due to its technical specifications. Also, the existing hardware probably will turn out to be incompatible with SSL certificates featuring 1024-bit keys.

  A 2048-bit encryption key meets all state-of-the-art encryption standards. However, use of a 2048-bit encryption key may add to the load on a CPU.

  By default, 2048 bit (best security) is selected.

If Administration Server is installed on a device running Microsoft Windows XP Service Pack 2, the built-in system Firewall blocks TCP ports 13000 and 14000. Therefore, to allow access to Administration Server on the device after installation, these ports must be opened manually.

Page top

Step 17. Defining the Administration Server address

Specify the Administration Server address. You can select one of the following options:

• DNS domain name. You can use this method if the network includes a DNS server and client devices can use it to receive the Administration Server address.
• NetBIOS name. You can use this method if client devices receive the Administration Server address using the NetBIOS protocol or if a WINS server is available on the network.
• IP address. You can use this method if Administration Server has a static IP address that will not be subsequently changed.

Page top

Step 18. Administration Server address for connection of mobile devices

This Setup Wizard step is available if you have selected Mobile Device Management for installation.

In the Address for connection of mobile devices window, specify the external address of the Administration Server for connection of mobile devices that are outside of the local network. You can specify the IP address or Domain Name System (DNS) of the Administration Server.

Page top

Step 19. Unpacking and installing files on the hard drive

After the installation of Kaspersky Security Center components is configured, you can start installing files on the hard drive.

If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page, before installation of Kaspersky Security Center begins. The required programs are installed automatically after you click the Next button.

On the last page, you can select which console to start for work with Kaspersky Security Center:

• Start MMC-based Administration Console
• Start Kaspersky Security Center Web Console

  This option is available only if you opted to install Kaspersky Security Center 13.1 Web Console in one of the previous steps.

You can also click Finish to close the Wizard without starting work with Kaspersky Security Center. You can start the work later at any time.

At the first startup of Administration Console or Kaspersky Security Center 13.1 Web Console, you can perform the initial setup of the application.