This guide contains information about features of the Select and Advanced editions of Kaspersky Endpoint Security for Business. For information about other editions, please refer to the Online Help of the Kaspersky applications included in the solution.
This section provides instructions on how to deploy Kaspersky Endpoint Security for Business in an organization's network. When you complete these procedures, centralized management of the network protection is established through Kaspersky Security Center and Kaspersky security applications. Configuration of administration groups, Kaspersky application updates, Kaspersky database updates, and policies are described in the Kaspersky Security Center documentation.
Network description
The deployment process depends on the network's size, topology, and other factors. The network described in this document has a number of features and limitations listed below.
To deploy Kaspersky Endpoint Security for Business in a network that differs from the one described below, perform the scenario described in the Kaspersky Security Center documentation.
The instructions below are applicable to a network that has the following features and limitations:
Network consists of less than 10 000 client devices.
Single Kaspersky Security Center Administration Server is created to manage the client devices.
The Kaspersky Security Center Administration Server and the client devices are located on the internal network of an organization.
Distribution points are not used in the network, or they are assigned automatically.
Kaspersky Security Center is installed in the default folder.
Kaspersky Security Center works within the basic feature set that is provided without entering an activation code or specifying a key file. The features provided by a Kaspersky Security Center license, for example, Vulnerability and Patch Management, is not considered. For details about licensing options and their application, please refer to Kaspersky Security Center Online Help.
A free-of-charge DBMS is used—SQL Server Express or MySQL.
The DBMS is installed on the same device where the Administration Server is installed.
Administration Console and Kaspersky Security Center 11 Web Console are installed on the same device where the Administration Server is installed.
The default ports are used.
Accounts are created by Kaspersky Security Center. Existing accounts on network devices are not used.
You must check system requirements for each Kaspersky application that you want to install, prepare a license key for Kaspersky Endpoint Security for Business, install a DBMS, and prepare the Administration Server and client devices.
Before you start deployment of Kaspersky Endpoint Security for Business:
Make sure that you have a license key (activation code) for Kaspersky Endpoint Security for Business or license keys (activation codes) for Kaspersky security applications.
Unpack the archive that you received from your vendor. You will find two license keys (KEY files). One of the license keys is used to activate Kaspersky Security Center, and the other license key is used to activate Kaspersky security applications. You will also find two TXT files. One of these files contains information about the license keys and the list of Kaspersky applications that can be activated by each license key. The other TXT file contains an activation code.
If you first want to try out Kaspersky Endpoint Security for Business, you can get a free 30-day trial at the Kaspersky website.
For detailed information about the licensing of the Kaspersky security applications that are not included in Kaspersky Endpoint Security for Business, you can refer to the Help documentation of the applications.
Check that the device that you want to use as the Administration Server and the client devices meet the system requirements of the Kaspersky applications.
Select and install a DBMS on the same device that you want to use as the Administration Server or on another device. For a network of less than 10 000 client devices, you can use free-of-charge SQL Express or MySQL DBMS. Please refer to the documentation of the selected DBMS for system requirements and installation instructions.
Write down and save the DBMS settings because you will need them during Administration Server installation. These settings include the SQL Server name, number of the port used for connecting to SQL Server, and account name and password for accessing the SQL Server.
By default, the Kaspersky Security Center Installer creates the database for storage of Administration Server information, but you can opt out of creating this database and use a different database instead. In this case, make sure that the database has been created, you know its name, and the account under which the Administration Server will gain access to this database has the db_owner role for it.
If necessary, contact your DBMS administrator for more information.
Make sure that the client devices are accessible from the server. On inaccessible devices, you will have to install Kaspersky security applications locally.
Open the ports required for your network configuration on the Administration Server and on client devices: UDP port 13000, TLS port 13000, TCP port 13291, TLS port 13299, UDP port 15000, and TCP port 17000.
Make sure that the Administration Server device has an internet connection.
Make sure that you have all local administrator rights required for successful installation of Kaspersky Security Center Administration Server and further protection deployment on the devices.
Local administrator rights on client devices are required for Network Agent installation on these devices. After Network Agent is installed, you can use it to install applications on devices remotely, without using the account with the device administrator rights.
By default, on the device selected for Administration Server installation, the Kaspersky Security Center Installer creates the following local accounts under which Administration Server and the Kaspersky Security Center services will be run:
KL-AK-*: Administration Server service account
KlScSvc: Account for other services from the Administration Server pool
Installation of Kaspersky Security Center and a Kaspersky security application on the Administration Server device
At this step of the Setup Wizard, you must read the License Agreement, which is to be concluded between you and Kaspersky, as well as the Privacy Policy.
You may also be prompted to view the License Agreements and Privacy Policies for application management plug-ins that are available in the Kaspersky Security Center distribution kit.
Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and accept the following section:
The terms and conditions of this EULA
Privacy Policy describing the handling of data
Installation of the application on your device will continue after you select both check boxes.
If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.
In the installation type selection window, select Custom.
You can select standard or custom installation of Administration Server.
Standard installation is recommended if you want to try out Kaspersky Security Center by, for example, testing its operation on a small area within your network. During standard installation, you only configure the database. You can also install only the default set of management plug-ins for Kaspersky applications. You can also use standard installation if you already have some experience working with Kaspersky Security Center and are able to specify all relevant settings after standard installation.
Custom installation is recommended if you plan to modify the Kaspersky Security Center settings. When selecting management plug-ins to install, specify a management plug-in for each Kaspersky security application that you plan to use.
Administration Console and the server version of Network Agent are installed together with Administration Server.
Skip the step that prompts you to select the components to be installed.
The additional components—Mobile Device Management and SNMP agent—will not be installed.
Specify that you want to install Kaspersky Security Center 11 Web Console.
This step is displayed only if you are using a 64-bit operating system. Otherwise, this step is not displayed, because Kaspersky Security Center 11 Web Console does not work with 32-bit operating systems.
Select the Install Kaspersky Security Center 11 Web Console check box. If you do not select this check box, Kaspersky Security Center 11 Web Console will not be installed. Only Microsoft Management Console (MMC)-based Administration Console will be installed. However, if you are using a 64-bit operating system, you can install Kaspersky Security Center 11 Web Console later, after you begin working with Kaspersky Security Center.
Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of devices on the network, the Wizard configures installation and appearance of the application interface so that they match.
The following table lists the application installation settings and interface appearance settings that are adjusted based on various network sizes.
Dependence of installation settings on the network scale selected
Settings
1—100 devices
100—1000 devices
1000—5000 devices
More than 5000 devices
Display of node for slave and virtual Administration Servers and all settings related to slave and virtual Administration Servers in the console tree
not available
not available
available
available
Display of Security sections in the properties windows of the Administration Server and administration groups
not available
not available
available
available
Random distribution of startup time for the update task on client devices
not available
Over an interval of 5 minutes
Over an interval of 10 minutes
Over an interval of 10 minutes
If you connect Administration Server to a MySQL or SQL Express database server, it is not recommended to use the application to manage more than 5000 devices.
At this step of the Wizard, you must select the mechanism—Microsoft SQL Server (SQL Express) or MySQL—that will be used to store the Administration Server database.
If you install Kaspersky Security Center on a server that acts as a read-only domain controller (RODC), Microsoft SQL Server (SQL Express) is not available for installation. In this case, to install Kaspersky Security Center properly, we recommend that you use MySQL.
The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky Security Center installation folder (this file is also available in an archive on the Kaspersky portal: klakdb.zip).
At this step of the Wizard, the SQL Server host is configured.
Depending on the database that you have selected, the following options are available for SQL Server configuration:
If you selected Microsoft SQL Server (SQL Server Express) in the previous step, specify the following settings:
In the SQL Server instance name field, specify the name of the SQL Server computer on the network. To view a list of all SQL Servers that are on the network, click the Browse button. This field is blank by default.
If Administration Server starts under a local administrator or LocalSystem account, the Browse button is not available.
If a SQL Server computer that has AlwaysON support enabled is on the enterprise network, in the SQL Server instance name field specify the name of the availability group listener.
In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.
If you selected MySQL in the previous step, specify the following settings:
In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name is the IP address of the device on which Kaspersky Security Center is to be installed.
In the Port field, specify the port for Administration Server connection to the SQL Server database. The default port number is 3306.
In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.
Select the authentication mode that will be used when Administration Server connects to the SQL Server.
Depending on the database that is selected, you can choose from the following authentication modes.
For SQL Express or Microsoft SQL Server select one of the following options:
Microsoft Windows Authentication mode. Verification of rights uses the account used for starting Administration Server.
SQL Server Authentication mode. If you select this option, the account specified in the window is used to verify access rights. Fill in the Account and Password fields.
Specify the account and password for the MySQL server.
The application checks whether the database is available. If the database is not available, an error message is displayed, and you must provide correct credentials.
Select the Generate the account automatically option. The application will create a new account for running the Administration Server.
When you select the Generate the account automatically option, the application creates an account named KL-AK-* under which the kladminserver service will run. You can select this option if you plan to locate the shared folder and the DBMS on the same device as Administration Server.
For security reasons, please do not assign the privileged status to the account under which you run Administration Server.
If you later decide to change the Administration Server account, you can use the utility for Administration Server account switching (klsrvswch).
Select the Generate the account automatically option. The application will create a new account for running the Kaspersky Security Center services.
Kaspersky Security Center creates a local account named KlScSvc on this device in the kladmins group. The services of Kaspersky Security Center will be run under the account that has been created.
For security reasons, do not grant privileged status to the account under which the services are run.
The KSN proxy server service (ksnproxy), Kaspersky activation proxy server service (klactprx), and Kaspersky authentication portal service (klwebsrv) will be run under the selected account.
Select the Create a shared folder option and specify the path to the folder.
Define the location and name of the shared folder that will be used to do the following:
Store the files necessary for remote installation of applications (these files are copied to Administration Server during creation of installation packages).
Store updates that have been downloaded from an update source to Administration Server.
File sharing (read-only) will be enabled for all users.
By default, the installer creates a local Share subfolder in the application folder that contains the components of Kaspersky Security Center.
Keep the default settings for the connection of client devices to the Administration Server:
Specify the Administration Server address. You can select one of the following options:
DNS domain name. This method is helpful in cases when the network includes a DNS server and client devices can use it to receive the Administration Server address.
NetBIOS name. This method is used if client devices receive the Administration Server address using the NetBIOS protocol or if a WINS server is available on the network.
IP address. This option is used if Administration Server has a static IP address that will not be subsequently changed.
Select application management plug-ins to install.
Select the management plug-in for each Kaspersky security application that you want to install. If some management plug-ins are not listed, you will be able to install them later.
Click the Start as MMC-based Administration Console link after the installation is complete. The Administration Console opens.
After the Kaspersky Security Center components are configured, you can start installing files on the hard disk.
If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page, before installation of Kaspersky Security Center begins. The required programs are installed automatically after you click the Next button.
On the last page, you can select which console to start for work with Kaspersky Security Center:
Start as MMC-based Administration Console
Start as Kaspersky Security Center 11 Web Console
After the Wizard has finished, perform the following operations:
Start Kaspersky Security Center 11 Web Console to make sure that Kaspersky Security Center 11 Web Console is installed successfully and you can log in to the application.
Install a Kaspersky security application (for example, Kaspersky Endpoint Security for Windows) on the Administration Server device.
Distribution package of Kaspersky Endpoint Security for Windows is included in the downloaded distribution package of Kaspersky Security Center. Run the installation file of Kaspersky Endpoint Security for Windows, and then follow the steps of the Setup Wizard.
Centralized deployment of Kaspersky security applications on client devices
You must perform the initial configuration of the Administration Server by using the Quick Start Wizard, discover all network devices, create an installation package for each Kaspersky security application that you want to install, and perform remote installation of Network Agent and the Kaspersky security applications on the client devices. You also have to install Network Agent and the Kaspersky security applications locally if the remote installation has failed or is not feasible on some devices (for example, because of an unstable network connection or a low throughput rate of the channel).
The instructions below enable you to deploy security applications by using MMC-based Administration Console. You can perform the same steps by using Kaspersky Security Center 11 Web Console.
To deploy Kaspersky security applications:
If you have not started an Administration Console at the previous steps, start the MMC-based Administration Console (Kaspersky Security Center in the list of installed applications).
Run the Administration Server Quick Start Wizard, if it has not opened automatically.
When Administration Server installation is complete, at the first connection to the Administration Server the Quick Start Wizard starts automatically. Perform initial configuration of Administration Server according to the existing requirements. During the initial configuration stage, the Wizard uses the default settings to create the policies and tasks that are required for protection deployment. If necessary, you can edit the settings of policies and tasks.
If you plan to use the Kaspersky Security Center features that are outside the basic functionality, use the license key or activation code to activate the application. You can do this at one of the steps of the Quick Start Wizard.
To make sure that the Quick Start Wizard has completed all the necessary operations successfully, check that the Download updates to the Administration Server repository task is available in Administration Server (in the Tasks folder of the console tree), as well as the policy for Kaspersky Endpoint Security for Windows (in the Policies folder of the console tree).
This step is part of the Quick Start Wizard. You can also start device discovery manually. Kaspersky Security Center receives the addresses and names of all devices detected on the network. You can then use Kaspersky Security Center to install Kaspersky applications and software from other vendors on the detected devices. Kaspersky Security Center regularly starts device discovery, which means that if any new instances appear on the network, they will be detected automatically.
Check that all client devices are discovered and added to the Unassigned devices group (Administration Server > Unassigned devices). If the devices have not been added, check that they are turned on and accessible, and then perform device discovery manually.
Install Network Agent and Kaspersky security applications on client devices.
This step is part of the Quick Start Wizard. You can also install Network Agent and Kaspersky security applications manually.
If your network consists of more than 500 client devices, we recommend that you divide the entire amount of client devices into smaller groups of 100-200 devices and to deploy the security applications to each group separately.
You may also have to manually install management plug-ins and web management plug-ins. You can download the management plug-ins and web management plug-ins (if any) by using Administration Console or Kaspersky Security Center 11 Web Console. Alternatively, use the links in the application list or visit the Kaspersky Technical Support webpage.
Make sure that you have an installation package for each application that you want to deploy. The list of installation packages is available at Advanced > Remote installation > Installation packages. If a required application is not listed, click Additional actions > View current versions of Kaspersky applications, select the required application, and then click Download and create installation package.
Remote installation—Using the Remote Installation Wizard, you can remotely install the security application (for example, Kaspersky Endpoint Security for Windows) and Network Agent on devices that have been detected by Administration Server on the organization's network. Normally, the Remote installation task successfully deploys protection to most networked devices. However, it may return an error on some devices if, for example, a device is turned off or cannot be accessed for any other reason. In this case, we recommend that you connect to the device manually and use local installation.
Local installation—Used on network devices on which protection could not be deployed using the remote installation task. To install protection on such devices, create a stand-alone installation package that you can run locally on those devices.
Make sure that Network Agents and the Kaspersky security applications are installed on managed devices. Run a Kaspersky Lab software version report and view its results.
Deploy license keys to client devices to activate managed security applications on those devices.
You have several options for license key deployment. If you use only one type of security application, for example, Kaspersky Endpoint Security for Windows, you deploy the license keys automatically. If you use different managed applications and you have to deploy a specific license key to devices, deploy it by means of the Add license key task.
After the deployment is complete, the network protection is configured with the default parameters, which may turn out to be sub-optimal for your organization. Complete the following scenarios to fine-tune the protection and monitoring of your network: