Preparing for application installation
Before installing Kaspersky Security components, perform the following:
- Check whether the Kaspersky Security Center components and VMware components meet the software requirements of Kaspersky Security.
- Prepare the virtual infrastructure for application installation. The preparatory steps depend on the type of VMware NSX Manager you use: VMware NSX-T Manager or VMware NSX-V Manager.
- You can download the files required for the installation of the application from Kaspersky website.
The file necessary for running the Kaspersky Security components Installation Wizard and SVM images are also available for downloading in the Kaspersky Security Center Administration Console in the list of current versions of Kaspersky applications. The list of the current application versions is displayed in the workspace of the Administration Server <Server name> node on the Monitoring tab in the Update section by clicking the View current versions of Kaspersky applications link. You can filter the list by Virtualization value.
- Prepare SVM images:
- Make sure the SVM images are received from a trusted source (for more information about validating the SVM image, refer to the application page in the Knowledge Base).
- Place all SVM image files in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol. For example, you can publish SVM images on the Kaspersky Security Center Web Server.
The path to the folder with SVM image files must not contain special characters and the characters of the national alphabets.
- In the settings of the network hardware or software used for traffic monitoring, open the ports that are required for the application operation.
- Configure the settings of the accounts that are required for installation and operation of the application.
- If you are planning to use network data storage for SVMs, create a network folder for hosting the network data storage and a user account for connecting SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs.
An SMB network folder accessible via the SMBv3 protocol is required for network data storage. The amount of space necessary for the network data storage can be estimated based on the following formula: (N+1) GB, where N is the number of SVMs that connect to the network data storage.
Make sure that the amount of space allocated for network data storage is sufficient for storing backup copies of files. Kaspersky Security does not monitor the availability of free space in the network data storage and does not notify you if backup copies of files cannot be stored. It is recommended to use third-party tools to monitor the available space in the network folder.
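Because the product itself does not watch the free space in the network data storage, an external check is the kind of third-party monitoring the note above recommends. The following is an added example (not Kaspersky's code) that applies the documented sizing formula, (N+1) GB for N SVMs, to the free space reported for the folder where the storage is mounted; the folder path, the SVM count, the warning ratio and the reading of "GB" as GiB are assumptions.

```python
"""Free-space check for the SVM network data storage folder (added example).

Not part of the Kaspersky documentation or product. The path, SVM count and
warning ratio are assumptions to adapt to your environment; "GB" in the
documented formula is taken as GiB here, which is slightly conservative.
"""
import shutil
import sys

GIB = 1024 ** 3


def required_storage_bytes(svm_count):
    """Space to reserve per the documented sizing formula: (N + 1) GB for N SVMs."""
    if svm_count < 1:
        raise ValueError("at least one SVM must connect to the storage")
    return (svm_count + 1) * GIB


def evaluate_free_space(free_bytes, svm_count, warn_ratio=0.2):
    """Classify the free space of the storage against the sizing formula.

    'critical' when less than one SVM's share (1 GB) remains, 'warning' when
    free space is below warn_ratio of the required size, otherwise 'ok'.
    """
    required = required_storage_bytes(svm_count)
    if free_bytes < GIB:
        return "critical"
    if free_bytes < required * warn_ratio:
        return "warning"
    return "ok"


def check_storage(path, svm_count, warn_ratio=0.2):
    """Read the free space of the folder mounted at path and classify it.

    shutil.disk_usage accepts a local mount point or, on Windows, a UNC path
    such as \\\\server\\share (assumed to be how the storage is reachable).
    """
    usage = shutil.disk_usage(path)
    return {
        "path": path,
        "free_gib": usage.free / GIB,
        "required_gib": required_storage_bytes(svm_count) / GIB,
        "status": evaluate_free_space(usage.free, svm_count, warn_ratio),
    }


if __name__ == "__main__":
    # Usage: python check_storage.py <folder> <number of SVMs>
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    svms = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    print(check_storage(folder, svms))
```

Run it from a scheduled task on a host that has the network folder mounted and alert on anything other than "ok"; the thresholds are deliberately simple so they can be tuned to the actual backup volume you observe.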
Accounts for installing and using the application
User account for installing the Kaspersky Security administration plug-in and Integration Server
Installation of the Kaspersky Security administration plug-in and Integration Server requires an account that has software installation privileges (for example, an account from the group of local administrators).
If the computer hosting the Kaspersky Security Center Administration Console belongs to an Active Directory domain, connection to the Integration Server requires a domain account that belongs to the KLAdmins group or an account that belongs to the group of local administrators.
To prevent unauthorized access, it is recommended to ensure the security of the account that is used to connect to the Integration Server.
User accounts for deploying and removing SVMs, and for operation of the application
The following user accounts are required to deploy, delete and work with the SVMs that have Kaspersky Security components:
- To connect the Integration Server to VMware vCenter Server, you can use one of the following accounts:
- VMware vCenter Server account to which the ReadOnly predefined system role is assigned with the Propagate to children flag. To ensure that powered-off virtual machines can be scanned, the following privileges need to be assigned to this account:
- Virtual machine → Change Configuration → Add existing disk
- Virtual machine → Change Configuration → Add or remove device
- Virtual machine → Change Configuration → Remove disk
- ESX Agent Manager → Modify
- VMware vCenter Server account to which the Administrator predefined system role is assigned with the Propagate to children flag.
- To connect the Integration Server to VMware NSX Manager, you need a VMware NSX Manager account that has the Enterprise Admin or Enterprise Administrator role assigned (depending on VMware NSX Manager version). Integration Server connection is required to enable registration of Kaspersky Security services and configuration of new SVM settings.
- In the infrastructure managed by VMware NSX-T Manager, a VMware vCenter Server administrator account or an account with the following privileges is required to connect VMware NSX-T Manager to VMware vCenter Server:
- Extension → Register extension
- Extension → Unregister extension
- Extension → Update extension
- Sessions → Message
- Sessions → Validate session
- Sessions → View and stop sessions
- Host → Configuration → Maintenance
- Host → Configuration → NetworkConfiguration
- Host → Local Operations → virtual machine
- Host → Local Operations → Delete virtual machine
- Host → Local Operations → Reconfigure virtual machine
- Tasks
- Scheduled task
- Global → Cancel task
- Permissions → Reassign role permissions
- Resource → Assign vApp to resource pool
- Resource → Assign virtual machine to resource pool
- Virtual Machine → Configuration
- Virtual Machine → Guest Operations
- Virtual Machine → Provisioning
- Virtual Machine → Inventory
- Network → network
- vApp
- If you want to use Kaspersky Security to protect the virtual infrastructure managed by VMware Cloud Director, you also need a VMware Cloud Director account that has the following permissions to connect the Integration Server to VMware Cloud Director:
- General → Perform administrator queries
- Organization → View Organizations
Roles must be assigned to user accounts at the top level of the hierarchy of VMware virtual infrastructure objects.
For information on how to create user accounts in a VMware infrastructure, please refer to VMware documentation.
User account for connecting the Integration Server to Kaspersky Security Center
This account is used if the application is operating in multitenancy mode.
The Integration Server connects to Kaspersky Security Center to receive information about virtual Administration Servers created in Kaspersky Security Center, and to map virtual Administration Servers to Cloud Director organizations that contain tenant virtual machines.
Connecting the Integration Server to Kaspersky Security Center requires an account with read permissions in the following Kaspersky Security Center functional scopes:
- General functions → Basic functionality
- General functions → Virtual Administration Servers
You can create and configure the account used for connecting the Integration Server to Kaspersky Security Center in the properties window of the Kaspersky Security Center Administration Server in the Security section.
By default, the Security section is not displayed in the Administration Server properties window. To enable the display of the Security section, you must select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart the Kaspersky Security Center Administration Console.
For more details on the rights of user accounts in Kaspersky Security Center, please refer to the Kaspersky Security Center documentation.
User account for connecting SVMs to network data storage
This user account is required if you are using network data storage for SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs.
To connect SVMs to network data storage, you need an account with read and write permissions in the network folder hosting the storage.
It is recommended to restrict access to this network folder for all other user accounts.
Ports used
To install and run the application components, open the ports listed in the table below in the settings of the network hardware or software that controls network traffic between virtual machines.
Ports used by the application
Port and protocol | Direction | Purpose and description
---|---|---
13000 TCP | From the SVM to the Kaspersky Security Center Administration Server | To manage the application via Kaspersky Security Center.
15000 UDP | From the Kaspersky Security Center Administration Server to the SVM | To manage the application via Kaspersky Security Center.
13111 TCP | From the SVM to the Kaspersky Security Center Administration Server | For interaction between the SVM and the KSN proxy.
17000 TCP | From the SVM to the Kaspersky Security Center Administration Server | For interaction between the SVM and Kaspersky activation servers.
13291 TCP | From the Kaspersky Security Center Administration Console to the Kaspersky Security Center Administration Server | To connect the Administration Console to the Kaspersky Security Center Administration Server.
22 TCP | From the Integration Server to the SVM | For interaction between the SVM and the Integration Server.
7271 TCP | From the SVM to the Integration Server | For interaction between the SVM and the Integration Server.
7271 TCP | From VMware NSX Manager to the Integration Server | For interaction between VMware NSX Manager and the Integration Server.
443 TCP | From the Integration Server to VMware NSX Manager | For interaction between the Integration Server and the virtual infrastructure.
443 TCP | From the Integration Server to the virtual infrastructure administration servers (VMware vCenter Server and VMware Cloud Director) | For interaction between the Integration Server and the virtual infrastructure.
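A practical way to confirm that the firewall rules actually match the table is to test each flow from the host where it originates. The script below is an added example and not part of the Kaspersky documentation or product: it encodes the table as data, selects the flows that start at a given role, and attempts a TCP connection for each one. The role names, the host map and the addresses in the self-run are assumptions and constructed values; UDP 15000 is reported as unverified because a datagram gets no handshake that would prove a firewall passed it.

```python
"""Outbound port reachability check for the documented Kaspersky Security flows.

Added example, not part of the Kaspersky documentation or product. Role names
("svm", "ksc_server", "ksc_console", "integration_server", "nsx_manager",
"vcenter") and the host map are assumptions you fill in for your environment.
"""
import socket

# Flows from the "Ports used by the application" table:
# (port, protocol, source role, destination role, purpose).
REQUIRED_FLOWS = [
    (13000, "tcp", "svm", "ksc_server", "application management via Kaspersky Security Center"),
    (15000, "udp", "ksc_server", "svm", "application management via Kaspersky Security Center"),
    (13111, "tcp", "svm", "ksc_server", "KSN proxy"),
    (17000, "tcp", "svm", "ksc_server", "Kaspersky activation servers"),
    (13291, "tcp", "ksc_console", "ksc_server", "Administration Console connection"),
    (22, "tcp", "integration_server", "svm", "Integration Server to SVM"),
    (7271, "tcp", "svm", "integration_server", "SVM to Integration Server"),
    (7271, "tcp", "nsx_manager", "integration_server", "NSX Manager to Integration Server"),
    (443, "tcp", "integration_server", "nsx_manager", "Integration Server to NSX Manager"),
    (443, "tcp", "integration_server", "vcenter", "Integration Server to vCenter Server / Cloud Director"),
]


def flows_from(source_role):
    """Return the flows that originate at source_role, i.e. what to test outbound from there."""
    return [f for f in REQUIRED_FLOWS if f[2] == source_role]


def check_tcp_port(host, port, timeout=3.0):
    """True if a TCP connection to host:port is established within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(source_role, hosts, timeout=3.0):
    """Test every flow that starts at source_role; hosts maps destination role -> address.

    Returns (port, protocol, destination role, state, purpose) tuples. UDP flows
    are marked 'unverified (UDP)' rather than guessed at.
    """
    results = []
    for port, proto, _src, dst, purpose in flows_from(source_role):
        target = hosts.get(dst)
        if target is None:
            results.append((port, proto, dst, "no address configured", purpose))
        elif proto == "udp":
            results.append((port, proto, dst, "unverified (UDP)", purpose))
        else:
            state = "open" if check_tcp_port(target, port, timeout) else "BLOCKED"
            results.append((port, proto, dst, state, purpose))
    return results


if __name__ == "__main__":
    # Constructed documentation-only addresses (RFC 5737 TEST-NET); replace with your own.
    example_hosts = {"ksc_server": "192.0.2.10", "integration_server": "192.0.2.20"}
    for row in run_checks("svm", example_hosts, timeout=2.0):
        print("%5d/%s -> %-18s %-22s %s" % row)
```

Run it once per role (on an SVM with the Administration Server and Integration Server addresses, on the Integration Server with the SVM, NSX Manager and vCenter addresses, and so on); a "BLOCKED" row points at a missing rule on the path between those two hosts.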
Publishing SVM images on the Kaspersky Security Center Web Server
You can publish SVM images on the Kaspersky Security Center Web Server or place them on another network resource that is accessible over the HTTP or HTTPS protocol.
To publish SVM images on the Kaspersky Security Center Web Server:
- Make sure that the Web Server is running. To do so, start the services.msc snap-in and verify that the Kaspersky Web Server service has the Running status.
- In the shared folder of the Administration Server, create a subfolder named public.
To find out the path to the shared folder:
- View the shared folder name and the name of the computer on which it is located in the Administration Server properties window in the Additional → Administration Server shared folder section.
- On the specified computer, carry out the following command in the command line:
net share <shared folder name>
After this command is executed, the Path string shows the path to the shared folder in the file system.
- Copy all Kaspersky Security SVM image files into the public folder.
- Make sure that the SVM images have been published. To do so, open your browser and enter the following in the address bar:
http://<IP address for connecting to the Kaspersky Security Center Administration Server>:8060/public
An IP address must be specified as the Administration Server address; localhost should not be specified.
Port 8060 is used by default. If you have modified the default settings, in the address field specify the port that is defined in the Web server section of the Kaspersky Security Center Administration Server properties window.
If publication of SVM images completed successfully, you will see a page containing a list of Kaspersky Security image files.
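The browser check in the last step can be scripted so that it also catches a partial copy: fetch the listing at the address above and compare it with the files that were placed in the public folder. The following is an added example (not Kaspersky's code) that builds the listing URL with the same rules as the procedure (IP address only, never localhost; port 8060 by default) and reports any image file missing from the page. It assumes the Web Server renders the folder as a page of plain href links, which you should confirm against your own server; the file names and address in the self-test are constructed.

```python
"""Verify that SVM images are published on the Kaspersky Security Center Web Server.

Added example, not part of the Kaspersky documentation or product. Assumes the
default port 8060 and the 'public' subfolder from the procedure, and that the
listing page links each file with a plain href (an assumption about the server).
"""
import ipaddress
import os
import re
import urllib.request


def public_url(server_ip, port=8060):
    """Build the listing URL; the server must be given as an IP address, not localhost."""
    if server_ip.lower() == "localhost":
        raise ValueError("specify the Administration Server IP address, not localhost")
    ipaddress.ip_address(server_ip)  # raises ValueError for anything that is not an IP address
    return "http://%s:%d/public" % (server_ip, port)


def listed_files(listing_html):
    """Extract the file names linked from a directory-listing page."""
    names = set()
    for href in re.findall(r'href="([^"]+)"', listing_html):
        name = href.rsplit("/", 1)[-1]
        # Skip parent-directory links ("../") and sort-order query links ("?C=...")
        if name and not name.startswith("?"):
            names.add(name)
    return names


def missing_images(listing_html, expected_files):
    """Return the expected SVM image files that do not appear in the listing."""
    return sorted(set(expected_files) - listed_files(listing_html))


def verify_publication(server_ip, local_public_dir, port=8060, timeout=10):
    """Fetch the listing and compare it with the files copied into the public folder."""
    expected = [
        name for name in os.listdir(local_public_dir)
        if os.path.isfile(os.path.join(local_public_dir, name))
    ]
    with urllib.request.urlopen(public_url(server_ip, port), timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return missing_images(html, expected)


if __name__ == "__main__":
    # Constructed values: replace with the Administration Server IP and the public folder path.
    print(verify_publication("192.0.2.10", r"\\ksc-server\klshare\public"))
```

An empty result from verify_publication means every file in the public folder is visible at the published address; a non-empty list names the files the SVM deployment would fail to download.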
Preparing virtual infrastructure managed by VMware NSX-T Manager
Before installing Kaspersky Security in the infrastructure managed by VMware NSX-T Manager, do the following:
- Combine VMware ESXi hypervisors into one or several VMware clusters.
- If you want to use an N-VDS switch, reserve one physical network interface for configuring N-VDS on each VMware ESXi hypervisor.
- Configure the Agent VM Settings in the properties of each hypervisor: select a network and storage for service virtual machines and SVMs. For details on configuring Agent VM Settings, please refer to the VMware product documentation.
- Install the Guest Introspection Thin Agent component on each virtual machine that you want to protect using Kaspersky Security.
On virtual machines running Windows, the NSX File Introspection Driver, which is included in the VMware Tools version 11.2.5 package, acts as the Guest Introspection Thin Agent component. By default, the NSX File Introspection Driver is not installed, so select it for installation when installing the VMware Tools package.
Special packages are provided for installing the Guest Introspection Thin Agent component on virtual machines running a Linux operating system. For more details, please refer to the VMware product documentation.
- Perform the following actions in the VMware NSX Manager Web Console:
- Register VMware vCenter Server to which VMware NSX-T Manager is connected as NSX Compute Manager.
- Create an NSX Transport Node Profile for the NSX Transport Zone of the Overlay type, to which the protected virtual machines are connected. You can use the default NSX transport zone.
- Prepare hypervisors for protection deployment. To do this, apply the created NSX Transport Node Profile on each VMware cluster where the SVMs with Kaspersky Security components will be deployed. As a result, NSX Transport Nodes will be configured and VMware NSX components will be installed on VMware ESXi hypervisors.
- If you want to install the Network Threat Protection component, perform the following additional actions:
- Make sure that the correct license type is used for VMware NSX-T Data Center.
- In the NSX Transport Zone for which you created the NSX Transport Node Profile, create an NSX Segment and connect the protected virtual machines to it.
Registering NSX Compute Manager
VMware vCenter Server is registered as NSX Compute Manager in VMware NSX Manager Web Console, in the System → Fabric → Compute Managers section. Specify the account for connecting VMware NSX-T Manager to VMware vCenter Server and connection settings.
After registration of the added VMware vCenter Server is completed, the table displays the following information:
- Registration Status – Registered.
- Connection Status – Up.
For more information about registering VMware vCenter Server as NSX Compute Manager, refer to VMware product documentation and the Knowledge base.
Creating NSX Transport Node Profile
The NSX Transport Node Profile is created in VMware NSX Manager Web Console, in the System → Fabric → Profiles section on the Transport Node Profiles tab.
Specify the following settings:
- Name – an arbitrary name for the new NSX Transport Node Profile.
- In the New Node Switch section:
- Type – switch type. If you want to use a VDS switch, create a Distributed Virtual Switch (dvSwitch) in your Datacenter.
- Mode – Standard.
- Name – depending on the selected switch type:
- If you selected N-VDS – an arbitrary name of the switch that will be created as a result of applying the NSX Transport Node Profile on VMware ESXi hypervisors.
- If you selected VDS – VMware vCenter Server name and Distributed Virtual Switch name.
- Transport Zone – NSX Transport Zone of the Overlay type, to which protected virtual machines are connected.
- Uplink Profile – nsx-default-uplink-hostswitch-profile.
- IP Assignment (TEP) – the way IP addresses are assigned in the virtual infrastructure: using DHCP or using a static pool of IP addresses. If you use IP address pools, preconfigure the pool for the tunnel endpoints on the hypervisors and select it in the field below.
- Teaming Policy Uplink Mapping – if you select the N-VDS switch type, you can specify the physical network interface. The N-VDS switch will be created based on this interface as a result of applying the NSX Transport Node Profile on the VMware ESXi hypervisors.
For more information on creating NSX Transport Node Profile, refer to the VMware product documentation and the Knowledge Base.
Preparing hypervisors for protection deployment
To prepare hypervisors for protection deployment, apply the NSX Transport Node Profile that was created before on each VMware cluster where you want to deploy SVM. As a result, NSX Transport Nodes will be configured and the required VMware NSX components will be installed on VMware ESXi hypervisors.
The procedure is performed by clicking the Configure NSX button on the Host Transport Nodes tab, in the System → Fabric → Nodes section of VMware NSX Manager Web Console. The list of clusters opens after you select the VMware vCenter Server that you registered as the NSX Compute Manager in the Managed by field.
Specify the NSX Transport Node Profile that was created before for the clusters on which you want to deploy SVMs.
If the procedure finishes successfully, the table displays the following information for each selected cluster:
- NSX Configuration – Success.
- Node Status – Up.
For more information about preparing hypervisors for protection deployment refer to VMware product documentation and to the Knowledge Base.
Creating NSX Segment
NSX Segment is created in VMware NSX Manager Web Console in the Networking → Segments section on the Segments tab.
Specify the name for the new NSX Segment and select the NSX Transport Zone where you previously created the NSX Transport Node Profile.
After creating the NSX Segment, connect the network interfaces of the virtual machines that you want to protect from network threats to it. The connection is configured in the virtual machine properties in the VMware vSphere Client console.
For more details on configuring the NSX Segment, refer to the VMware product documentation and the Knowledge base.
Viewing information about the NSX Data Center license
The Network Threat Protection component requires a valid license of one of the following types:
- NSX Data Center Advanced.
- NSX Data Center Enterprise Plus.
- NSX Data Center for Remote Office Branch Office.
- NSX for vSphere Advanced.
- NSX for vSphere Enterprise.
When a different type of license is used, the Network Service Insertion (Third Party Integration) function that is required for enabling Network Threat Protection on VMware ESXi hypervisors is not available.
You can view information about the used licenses in VMware NSX Manager Web Console in the System → Licenses section.
For more information about working with NSX Data Center licenses, refer to VMware product documentation.
Preparing virtual infrastructure managed by VMware NSX-V Manager
Before installing Kaspersky Security in the infrastructure managed by VMware NSX-V Manager, do the following:
- Combine VMware ESXi hypervisors into one or several VMware clusters.
- Configure the Agent VM Settings in the properties of each hypervisor: select a network and storage for service virtual machines and SVMs. For details on configuring Agent VM Settings, please refer to the VMware product documentation.
- Deploy the Guest Introspection service on each VMware cluster on which you want to deploy the SVMs with the File Threat Protection component. As a result, the Guest Introspection service virtual machines are deployed on each hypervisor that is part of the cluster.
Deployment of the Guest Introspection service is performed in the VMware vSphere Client console.
- Install the Guest Introspection Thin Agent component on each virtual machine that you want to protect using Kaspersky Security.
On virtual machines running Windows, the NSX File Introspection Driver, which is included in the VMware Tools version 11.2.5 package, acts as the Guest Introspection Thin Agent component. By default, the NSX File Introspection Driver is not installed, so select it for installation when installing the VMware Tools package.
Special packages are provided for installing the Guest Introspection Thin Agent component on virtual machines running a Linux operating system. For more details, please refer to the VMware product documentation.
- If you want to install the Network Threat Protection component, perform the following additional actions:
- Make sure that the correct license type is used for VMware NSX Data Center for vSphere.
- Install VMware NSX components on hypervisors. Installation is performed in the VMware vSphere Client console in the Networking & Security → Installation and Upgrade section on the Host Preparation tab. You need to select the VMware cluster on which the SVMs with the Network Threat Protection component will be deployed and perform the Actions → Install action. Refer to the Knowledge Base for more details.
Deploying the Guest Introspection service virtual machines
To deploy the Guest Introspection service virtual machines on VMware clusters:
- In the VMware vSphere Client console, start the Deployment Wizard for network services and protection services for virtual machines (in the Networking & Security → Installation and Upgrade section on the Service Deployments tab).
- Use the Wizard to specify the deployment settings:
- Select the Guest Introspection service in the table.
- Select one or several VMware clusters on which you want to install the File Threat Protection component.
- If required, change the default settings for all Guest Introspection service virtual machines that will be deployed on hypervisors within the selected VMware cluster:
- Network that will be used by the service virtual machines.
- Storage for deployment of service virtual machines.
- Method of assigning IP addresses. By default, service virtual machines receive network settings via the DHCP protocol. You can configure a static pool of IP addresses that will be used for assigning IP addresses to service virtual machines.
- Finish the Wizard and wait for deployment of the Guest Introspection service to complete.
A Guest Introspection service virtual machine will be deployed on each hypervisor within the VMware cluster that you selected.
For more details about deploying the Guest Introspection service, please refer to the Knowledge Base.
Viewing information about the license for NSX for vSphere
The Network Threat Protection component requires a valid license of one of the following types:
- NSX for vSphere Advanced.
- NSX for vSphere Enterprise.
When using a standard NSX for vSphere license, the Network Service Insertion (Third Party Integration) function that is required for enabling protection against network threats on VMware ESXi hypervisors is unavailable.
You can view information about the utilized licenses in the VMware vSphere Client console in the Administration → Licenses section on the Products tab (for details, please refer to the Knowledge Base).
For more details on working with NSX for vSphere licenses, please refer to the VMware product documentation.