Kaspersky Security Center 13.1
[Topic 3415]

Distributing updates to client devices automatically

To distribute updates of the selected application to client devices automatically immediately after they are downloaded to the Administration Server repository:

  1. Connect to the Administration Server, which manages the client devices.
  2. Create an update deployment task for the selected client devices in one of the following ways:
    • If you need to distribute updates to client devices that belong to a selected administration group, create a task for the selected group.
    • If you need to distribute updates to client devices that belong to different administration groups or belong to none of the administration groups, create a task for specific devices.

    The Add Task Wizard starts. Follow its instructions and perform the following actions:

    1. In the Task type window of the Wizard, in the node of the required application, select the updates deployment task.

      The name of the updates deployment task displayed in the Task type window depends on the application for which you create this task. For detailed information about names of update tasks for the selected Kaspersky applications, see the corresponding Guides.

    2. In the Schedule window of the Wizard, in the Scheduled start field, select When new updates are downloaded to the repository.

The newly created update distribution task will start for the selected devices every time any updates are downloaded to the Administration Server repository.

If an update distribution task for the required application has already been created for the selected devices, you can distribute updates to client devices automatically by opening the task properties window and, in the Schedule section, selecting When new updates are downloaded to the repository in the Scheduled start field.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 3416]

Distributing updates to secondary Administration Servers automatically

To distribute the updates of the selected application to secondary Administration Servers immediately after the updates are downloaded to the primary Administration Server repository:

  1. In the console tree, in the primary Administration Server node, select the Tasks folder.
  2. In the list of tasks in the workspace, select the Download updates to the repository of the Administration Server task of the Administration Server.
  3. Open the Settings section of the selected task in one of the following ways:
    • By selecting Properties in the context menu of the task.
    • By clicking the Edit settings link in the information box for the selected task.
  4. In the Settings section of the task properties window, select the Other settings subsection, and then click the Configure link.
  5. In the Other settings window that opens, select the Force update of secondary Administration Servers check box.

In the settings of the updates download task of the Administration Server, on the Settings tab of the task properties window, select the Force update of secondary Administration Servers check box.

After the primary Administration Server retrieves updates, the update download tasks automatically start on secondary Administration Servers regardless of their schedule.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 3418]

Installing updates for software modules of Network Agents automatically

To install updates for software modules of Network Agents automatically after they are uploaded to the Administration Server repository:

  1. In the console tree, in the primary Administration Server node, select the Tasks folder.
  2. In the list of tasks in the workspace, select the Download updates to the repository of the Administration Server task of the Administration Server.
  3. Open the properties window of the selected task in one of the following ways:
    • By selecting Properties in the context menu of the task.
    • By clicking the Configure task link in the information box for the selected task.
  4. In the task properties window, select the Settings section.
  5. Click the Configure link in the Other settings section to open the Other settings window.
  6. In the Other settings window that opens, select the Update Network Agent modules check box.

    If this check box is selected, updates for software modules of Network Agent will be automatically installed after they are uploaded to the Administration Server repository. If this check box is cleared, Network Agent updates will not be installed automatically. Retrieved updates can be installed manually. By default, this check box is selected.

    Network Agent software modules can only be installed automatically for Network Agent 10 Service Pack 1 or later.

  7. Click OK.

Updates for Network Agent software modules will be installed automatically.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 3419]

Assigning distribution points automatically

We recommend that you assign distribution points automatically. Kaspersky Security Center will then select on its own which devices must be assigned distribution points.

To assign distribution points automatically:

  1. Open the main application window.
  2. In the console tree, select the node with the name of the Administration Server for which you want to assign distribution points automatically.
  3. In the context menu of the Administration Server, click Properties.
  4. In the Administration Server properties window, in the Sections pane select Distribution points.
  5. In the right part of the window, select the Automatically assign distribution points option.

    If automatic assignment of devices as distribution points is enabled, you cannot configure distribution points manually or edit the list of distribution points.

  6. Click OK.

Administration Server assigns and configures distribution points automatically.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 193351]

Assigning a device a distribution point manually


Kaspersky Security Center allows you to assign devices to act as distribution points.

We recommend that you assign distribution points automatically. In this case, Kaspersky Security Center will select on its own which devices must be assigned distribution points. However, if you have to opt out of assigning distribution points automatically for any reason (for example, if you want to use exclusively assigned servers), you can assign distribution points manually after you calculate their number and configuration.

Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.

To manually assign a device to act as a distribution point:

  1. In the console tree, select the Administration Server node.
  2. In the context menu of the Administration Server, select Properties.
  3. In the Administration Server properties window, select the Distribution points section and click the Add button. This button is available if Manually assign distribution points has been selected.

    The Add distribution point window opens.

  4. In the Add distribution point window, perform the following actions:
    1. Select a device that will act as a distribution point (select one in an administration group, or specify the IP address of a device). When selecting a device, keep in mind the operation features of distribution points and the requirements set for the device that acts as a distribution point.
    2. Indicate the specific devices to which the distribution point will distribute updates. You can specify an administration group or a network location description.
  5. Click OK.

    The distribution point that you have added will be displayed in the list of distribution points, in the Distribution points section.

  6. Select the newly added distribution point in the list and click the Properties button to open its properties window.
  7. Configure the distribution point in the properties window:
    • The General section contains the settings of interaction between the distribution point and client devices.
      • SSL port

        The number of the SSL port for encrypted connection between client devices and the distribution point using SSL.

        By default, port 13000 is used.

      • Use multicast

        If this option is enabled, IP multicasting will be used for automatic distribution of installation packages to client devices within the group.

        IP multicasting decreases the time required to install an application from an installation package to a group of client devices, but increases the installation time when you install an application to a single client device.

      • IP multicast address

        IP address that will be used for multicasting. You can define an IP address in the range of 224.0.0.0 – 239.255.255.255.

        By default, Kaspersky Security Center automatically assigns a unique IP multicast address within the given range.

      • IP multicast port number

        Number of the port for IP multicasting.

        By default, the port number is 15001. If the device with Administration Server installed is specified as the distribution point, port 13001 is used for SSL connection by default.

      • Deploy updates

        Updates are distributed to managed devices from the following sources:

        • This distribution point, if this option is enabled.
        • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

        If you use distribution points to deploy updates, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

        If you disable this option, the number of update downloads and load on the Administration Server may increase. By default, this option is enabled.

      • Deploy installation packages

        Installation packages are distributed to managed devices from the following sources:

        • This distribution point, if this option is enabled.
        • Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.

        If you use distribution points to deploy installation packages, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.

        If you disable this option, the number of installation package downloads and load on the Administration Server may increase. By default, this option is enabled.

      • Use this distribution point as a push server

        In Kaspersky Security Center, a distribution point can work as a push server for the devices managed through the mobile protocol. For example, a push server must be enabled if you want to be able to force synchronization of KasperskyOS devices with Administration Server. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.

        If you manage devices with KasperskyOS installed, or plan to do so, you must use a distribution point as a push server. You can also use a distribution point as a push server if you want to send push notifications to client devices.

      • Push server port

        The port on the distribution point that client devices will use for connection. By default, port 13295 is used.

    • In the Scope section, specify the scope to which the distribution point will distribute updates (administration groups and / or network location).
    • In the KSN Proxy section, you can configure the application to use the distribution point to forward KSN requests from the managed devices.
      • Enable KSN Proxy on distribution point side

        The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.

        The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky. By default, the KSN statement is located in %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\ksneula.

        By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in the Administration Server properties window.

        You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.

      • Forward KSN requests to Administration Server

        The distribution point forwards KSN requests from the managed devices to the Administration Server.

        By default, this option is enabled.

      • Access KSN Cloud / Private KSN directly over Internet

        The distribution point forwards KSN requests from managed devices to the KSN Cloud or Private KSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or Private KSN.

        The distribution points that have Network Agent version 11 (or earlier) installed cannot access Private KSN directly. If you want to reconfigure the distribution points to send KSN requests to Private KSN, enable the Forward KSN requests to Administration Server option for each distribution point.

        The distribution points that have Network Agent version 12 (or later) installed can access Private KSN directly.

      • Ignore KSC proxy server settings when connecting to Private KSN

        Enable this option if you have the proxy server settings configured in the distribution point properties or in the Network Agent policy, but your network architecture requires that you use Private KSN directly. Otherwise, requests from the managed applications cannot reach Private KSN.

        This option is available if you select the Access KSN Cloud / Private KSN directly over the Internet option.

      • TCP port

        The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.

      • UDP port

        If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to the KSN proxy server is 15111.

    • In the Device discovery section, configure the polling of Windows domains, Active Directory, and IP ranges by the distribution point.
      • Windows domains

        You can enable device discovery for Windows domains and set the schedule for the discovery.

      • Active Directory

        You can enable network polling for Active Directory and set the schedule for the poll.

        If you select the Enable Active Directory polling check box, you can select one of the following options:

        • Poll current Active Directory domain.
        • Poll Active Directory domain forest.
        • Poll selected Active Directory domains only. If you select this option, add one or more Active Directory domains to the list.
      • IP ranges

        You can enable device discovery for IP ranges.

        If you select the Enable range polling check box, you can add scan ranges and set the schedule for them.

        You can add IP ranges to the list of scanned ranges.

    • In the Advanced section, specify the folder that the distribution point must use to store distributed data.
      • Use default folder

        If you select this option, the application uses the Network Agent installation folder on the distribution point.

      • Use specified folder

        If you select this option, in the field below, you can specify the path to the folder. It can be a local folder on the distribution point, or it can be a folder on any device on the corporate network.

        The user account used on the distribution point to run Network Agent must have read/write access to the specified folder.

The selected devices act as distribution points.

Only devices running a Windows operating system can determine their network location. Network location cannot be determined for devices running other operating systems.
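
The default ports listed in the distribution point properties above can be compared with what a device is actually listening on, and a planned IP multicast address can be checked against the permitted range. The following PowerShell is an added example, not Kaspersky code; the function names, role labels, and the TCP/UDP transport assigned to each port are assumptions of the example, and any port changed from its default must be edited in the table.

```powershell
# Added example. Default ports come from the distribution point settings above;
# role labels and the TCP/UDP transport per port are assumptions of this example.
# The IP multicast port (15001) is left out: this check only covers ports that
# client devices connect to on the distribution point.
$DocumentedPorts = @(
    [pscustomobject]@{ Role = 'SSL port';                            Protocol = 'TCP'; Port = 13000 }
    [pscustomobject]@{ Role = 'SSL port (Administration Server DP)'; Protocol = 'TCP'; Port = 13001 }
    [pscustomobject]@{ Role = 'Push server';                         Protocol = 'TCP'; Port = 13295 }
    [pscustomobject]@{ Role = 'KSN proxy';                           Protocol = 'TCP'; Port = 13111 }
    [pscustomobject]@{ Role = 'KSN proxy';                           Protocol = 'UDP'; Port = 15111 }
)

# Returns $true only for an IPv4 address inside 224.0.0.0 - 239.255.255.255.
function Test-MulticastAddress {
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $first = $ip.GetAddressBytes()[0]
    return ($first -ge 224 -and $first -le 239)
}

# Reports, for each documented port, whether something listens on it locally
# and which process owns the listener.
function Get-DistributionPointPortExposure {
    param([object[]]$Expected = $DocumentedPorts)

    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue

    foreach ($entry in $Expected) {
        $hits = if ($entry.Protocol -eq 'TCP') {
            $tcp | Where-Object { $_.LocalPort -eq $entry.Port }
        } else {
            $udp | Where-Object { $_.LocalPort -eq $entry.Port }
        }
        $owners = $hits | Select-Object -ExpandProperty OwningProcess -Unique |
            ForEach-Object { (Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName }

        [pscustomobject]@{
            Role         = $entry.Role
            Protocol     = $entry.Protocol
            Port         = $entry.Port
            Listening    = [bool]$hits
            LocalAddress = ($hits.LocalAddress | Sort-Object -Unique) -join ', '
            Process      = ($owners | Sort-Object -Unique) -join ', '
        }
    }
}

Get-DistributionPointPortExposure | Format-Table -AutoSize
Test-MulticastAddress -Address '239.10.20.30'   # constructed sample value
```

A port that is listening while the corresponding option is disabled in the distribution point properties, or that is bound by an unexpected process, is worth reviewing together with the device's firewall rules.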

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 3420]

Removing a device from the list of distribution points

To remove a device from the list of distribution points:

  1. In the console tree, select the Administration Server node.
  2. In the context menu of the Administration Server, select Properties.
  3. In the Administration Server properties window, in the Distribution points section, select the device that acts as a distribution point, and click the Remove button.

The device will be removed from the list of distribution points and will stop acting as a distribution point.

You cannot remove a device from the list of distribution points if it was assigned by the Administration Server automatically.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 101498]

Downloading updates by distribution points

Kaspersky Security Center allows distribution points to receive updates from the Administration Server, Kaspersky servers, or from a local or network folder.

To configure update download for a distribution point:

  1. In the console tree, select the Administration Server node.
  2. In the context menu of the Administration Server, select Properties.
  3. In the Administration Server properties window, in the Distribution points section, select the distribution point through which updates will be delivered to client devices in the group.
  4. Click the Properties button to open the properties window of the selected distribution point.
  5. In the distribution point properties window, select the Sources of updates section.
  6. Select an update source for the distribution point:
    • To allow the distribution point to receive updates from the Administration Server, select Retrieve from Administration Server.
    • To allow the distribution point to receive updates by using a task, select Use task for forced download of updates:
      • Click the Browse button if such a task already exists on the device, and select the task in the list that appears.
      • Click the New task button to create a task if no such task yet exists on the device. The Add Task Wizard starts. Follow the instructions of the Wizard.

      The Download updates to the repositories of distribution points task is a local task. You have to create a new task for each device that acts as a distribution point.

The distribution point will receive updates from the specified source.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 13460]