Concerning to Kaspersky Administration Kit 6.0 MP1
Data exchange between clients and the Administration Server and connections of the Console to the Administration Server can be secured by SSL protocol (Secure Socket Layer). SSL protocol is responsible for authentication of communicating parities, encryption of the data being transferred, and verification of data integrity. Data integrity ensures that the data has not been corrupted or altered in transit. An SSL-enabled connection involves authentication of both sides of a network communication session and encryption of data using the closed key method. For secure connection of the Client and the Server13000 TCP-port should be opened on the Administration Server.
Administration Server certificate is used to authenticate the Administration Console when it is connected to the Administration Server and is being established or data is being transferred from client computers.
The Administration Server certificate is created during the installation of the Administration Server. The certificate is the klserver.cer file and is stored on the Administration Server, in the Cert folder in the installation directory.
Administration Server authentication when establishing connection with a client.
When a client connects to the Administration Server for the first time, it requests the certificate from the server and saves it locally.
When the client connects to the server next time, the Network Agent requests the certificate from the Administration Server and compares it with the local certificate. If the certificates differ, access to the Administration Server is denied.
If the Administration Server initiates connection, the Network Agent verifies the server's request for a UDP-enabled connection in a similar manner.
For the Server and the Client to be connected by the secure channel right-click Policies of the Network Agent > Properties > the Network tab > check Use server SSL connection. By default the option is checked.
IMPORTANT! If the Network Agent has been installed on a client locally, the administrator can manually specify the path to an Administration Server certificate. The certificate file can be transferred on the client computer on a disc or via the net. When connecting a Client to the Server for the first time you can choose the scenario by which the Client will get the certificate.
Administration Server authentication (when the Administration Console connects to the server)
When the Administration Console connects to the Administration Server for the first time, it requests the certificate from the server and saves it locally, on the administrator workstation. Upon subsequent connections of the Console to the Server with this name, the Server will be authenticated using this certificate.
If the Server does not pass authentication (i.e., the current certificate differs from that stored on the administrator workstation), the Console informs the user about this and requests the Server for a new certificate. If the connection is confirmed and another certificate is received, the Administration Console will save the new certificate to the hard disk so that it can be used to authenticate the Server in future sessions.
The parameter responsible for the enabling the mode of secure connection of the Server and the Console is in the Console window. By default this parameter is checked. If in further work the protected mode should be disabled, reconnect the Console by the Logon server command of the Server context menu. In the Logon window click the Options button and uncheck Use SSL-connection:
