Kaspersky Secure Mobility Management
Scenario: Configuring a connection gateway to connect mobile devices to Kaspersky Security Center Web Console

A connection gateway is Network Agent operating in a special mode. Network Agent is a Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky applications. A connection gateway receives connections from other Network Agents and tunnels them to the Administration Server through its own connection with the Server. Unlike an ordinary Network Agent, a connection gateway may be configured to wait for connections from the Administration Server rather than establishing connections to it.

A connection gateway lets you use the security features more effectively to protect the network infrastructure against potential vulnerabilities.

  • Using a connection gateway makes it easier to monitor suspicious activity on a separate network node outside the LAN (local area network). It helps to avoid direct attacks via the mobile protocol, because a different protocol is used for communication between the connection gateway and Kaspersky Security Center.
  • The potential network attack surface is smaller, since communication between Kaspersky Security Center and the connection gateway is established through a single port (by default, 13000) through which all requests are processed.
  • Using a connection gateway makes it possible to verify the mobile certificate outside the LAN and to prevent devices from sending data to Kaspersky Security Center before they are authenticated, which protects the network infrastructure against vulnerabilities in low-level protocols such as TLS/SSL.

Requirements

For a connection gateway to work correctly with mobile devices, the following requirements must be met:

  • Port 13293 or port 13292 must be open on the host with the connection gateway.

    These ports are used to connect and synchronize mobile devices.

    • When using port 13293, the TLS certificate is verified on the connection gateway (without being sent to the Administration Server).
    • When using port 13292, the certificate is not verified (the LP_MobileMustUseTwoWayAuthOnPort13292 flag is ignored).
  • Port 13000 must be open between the connection gateway and Kaspersky Security Center. It does not need to be open outside the DMZ.
  • The host must have a static address accessible from the internet.
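To confirm that the port layout above is actually in place (mobile port reachable from the internet, port 13000 reachable only from the gateway to the Administration Server), the following added checker probes the ports and reports deviations. It is example code written for this page, not a Kaspersky tool; host names, the vantage points and the probe results in the test are assumptions.

```python
import socket
from typing import Dict, List

# Ports named in the scenario: the mobile-facing ports on the gateway and the
# gateway-to-Administration Server port.
MOBILE_PORTS = (13293, 13292)
SERVER_PORT = 13000


def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_external(gateway_host: str) -> Dict[int, bool]:
    """Run from OUTSIDE the DMZ: which gateway ports are reachable from the internet?"""
    return {p: probe(gateway_host, p) for p in (*MOBILE_PORTS, SERVER_PORT)}


def evaluate(external: Dict[int, bool], gateway_to_server: bool) -> List[str]:
    """Compare probe results with the requirements; an empty list means all checks passed.

    external          -- result of probe_external() taken from outside the DMZ
    gateway_to_server -- probe(admin_server, 13000) taken ON the gateway host
    """
    findings = []
    if not any(external.get(p, False) for p in MOBILE_PORTS):
        findings.append("neither 13293 nor 13292 is reachable from outside: mobile devices cannot connect")
    if external.get(SERVER_PORT, False):
        findings.append("port 13000 is reachable from outside the DMZ: it only needs to be open "
                        "between the gateway and the Administration Server")
    if external.get(13292, False) and not external.get(13293, False):
        findings.append("only 13292 is exposed: the mobile certificate is not verified on this port")
    if not gateway_to_server:
        findings.append("gateway cannot reach the Administration Server on 13000: tunnelling will fail")
    return findings


if __name__ == "__main__":
    # Assumed host names; run the external probe from an internet vantage point and
    # the 13000 probe from the gateway itself, then feed both results to evaluate().
    ext = probe_external("gateway.example.com")
    for line in evaluate(ext, probe("ksc.internal.example", SERVER_PORT)):
        print("FINDING:", line)
```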

Stages

The configuration proceeds in the following steps:

  1. Installing Network Agent in the connection gateway role on a host

    First, you need to install Network Agent on the selected host device that will act in the connection gateway role.

    For information about generating a Network Agent installation package, refer to the Kaspersky Security Center Help.

    You can install Network Agent in interactive mode by specifying installation parameters step by step. Alternatively, you can use an answer file—a text file that contains a custom set of installation parameters: variables and their respective values. Using this answer file allows you to run an installation in silent mode, that is, without user participation. For information on installing Network Agent in silent mode, refer to the Kaspersky Security Center Help.

  2. Configuring the connection gateway on Kaspersky Security Center Administration Server

    Once you have installed Network Agent in the connection gateway role, you must connect it to Administration Server. At this point Administration Server does not yet list the connection gateway device among the managed devices, because the connection gateway has not yet tried to connect to Administration Server.

    You must create a new group under the Managed Devices group and add the device acting as a connection gateway to the group that you have created. For information on manually adding devices to groups in Kaspersky Security Center Web Console, refer to the Kaspersky Security Center Help.

    After that, assign the device as a distribution point and configure the distribution point to act as a connection gateway in the Connection gateway section of the distribution point properties. Then enable the Open port for mobile devices (SSL authentication of the Administration Server only) and Open port for mobile devices (two-way SSL authentication) options, and specify the ports and DNS domain names of the distribution point that mobile devices will use to connect.

    If the 'CA: true' basic constraint is not set for a custom mobile Administration Server certificate, the same certificate will be used for the connection gateway as for the Administration Server.

Results

The connection gateway will be configured. You will be able to add new mobile devices by specifying the connection gateway address.

To change the mobile device connection address, reissue the mobile certificate with the new connection address specified when configuring the connection gateway (in the Administration Server properties window, select General → Certificates). For detailed information on reissuing mobile certificates, refer to the Reissuing the mobile Administration Server certificate section.

To make sure mobile devices are synchronized with Kaspersky Security Center through the connection gateway, the connection address you set when configuring the connection gateway must be specified in the properties of the Kaspersky Endpoint Security for Android installation packages (Operations → Repositories → Installation packages).