Kaspersky Administration Kit 6.0 MP1/MP2

	Useful links
	What ports should be opened on Administration Server and client computers?

In the corporate network you might have Administration Agent or Server installed on the same computer with Microsoft ISA Server. To provide efficiency of this logical network you need to configure ISA Server additionally to let through the traffic between Administration Agent and Server.

To provide data transfer from the Administration Server the following connections are established with the Server: 

• Outgoing TCP:13000 (from Administration Agent); 
• Outgoing TCP:14000 (from Administration Agent); 
• Send UDP:13000 (from Administration Agent); 
• Outgoing TCP:18000 (from the authentication server Cisco NAC).

In its turn Administration Server establishes the following connections with the Administration Agent: 

• Send UDP:15000 (to manually synchronize the Server with the Agent and to get real statistics about a client computer); 
• Outgoing TCP:13001 (if Update Agents are deployed in the network); 
• Send UDP:13001 (if Update Agents are deployed in the network); 
• Send UDP: 60000 (to realize the Wake-On-LAN function).

To allow the traffic, configure the following settings:

1. On ISA Server create the following protocol definitions ( Firewall Policy -> Toolbox -> New -> Protocol): 

• АК: Agent to Server Protocol: 
• Primary connections: 
• Port range: 13000 – 13000;Protocol type: TCP; Direction: Outbound; 
• Port range: 14000 – 14000; Protocol type: TCP; Direction: Outbound; 
• Port range: 18000 – 18000; Protocol type: TCP; Direction: Outbound; 
• Port range: 13000 – 13000; Protocol type: UDP; Direction: Send. 
• Secondary connections: are missing. 

• АК: Server to Agent Protocol: 
• Primary connections: 
• Port range: 13001 – 13001; Protocol type: TCP; Direction: Outbound; 
• Port range: 13001 – 13001; Protocol type: UDP; Direction: Send; 
• Port range: 15000 – 15000; Protocol type: UDP; Direction: Send; 
• Port range: 60000 – 60000; Protocol type: UDP; Direction: Send. 
• Secondary connections: are missing.

 

In the figure in the list or primary connections UDP 60000 port is missing (example of the network in which the Wake-On-LAN function is not used).

2. Create the necessary allowing rule depending on which Kaspersky Administration Kit component is installed on the computer with ISA Server: 

• Administration Agent is installed together with Isa Server

In this case allowing rules on the ISA Server should be created with the following parameters:

• To connect to Administration Server: 
• From: LocalHost; 
• To: <any object of ISA Server policies which comprises a computer/ several computers with administration server installed> (for example, Internal network); 
• Protocols: АК: Agent to Server Protocol. 
• To connect Server to Administration Agent: 
• From: <any object of ISA Server policies which comprises a computer/ several computers with administration server installed> (for example, Internal network); 
• To: LocalHost; 
• Protocols: АК: Server to Agent Protocol. 
• Administration Server is installed together with ISA Server

In this case allowing rules on the ISA Server should be created with the following parameters: 

• To connect to Administration Server: 
• From: <any object of ISA Server policies which comprises a computer/ several computers with administration server installed> (for example, Internal network); 
• To: LocalHost; 
• Protocols: АК: Agent to Server Protocol. 
• To connect Server to Administration Agent: 
• From: LocalHost; 
• To: <any object of ISA Server policies which comprises a computer/ several computers with administration server installed> (for example, Internal network);
• Protocols: АК: Server to Agent Protocol.