Specifics of connecting Kaspersky Industrial CyberSecurity for Networks nodes as connection gateways in Kaspersky Security Center

You can use nodes with installed application components (Server and sensors) as connection gateways in Kaspersky Security Center. Distribution points act as gateways for connections to the Kaspersky Security Center Administration Server. The diagram of communication with managed devices using distribution points allows you to optimize database, application module, and Kaspersky Lab application update traffic on the network and configure traffic restrictions for IP ranges in Kaspersky Security Center. If a Kaspersky Industrial CyberSecurity for Networks Server or sensor node provides the only available connection between the Administration Server and managed devices located on an isolated network, the connection gateway role on this node allows you to provide Administration Server network connectivity with these devices.

This section describes a scenario for configuring and scanning a Kaspersky Industrial CyberSecurity for Networks node to act as a connection gateway in Kaspersky Security Center. The scenario consists of the following steps:

  1. Installing Network Agent on the node

    Network Agent is installed automatically on the Kaspersky Industrial CyberSecurity for Networks Server node if the functionality for communication between the application and Kaspersky Security Center was added during Server installation. After adding the communication functionality, enable and configure the functionality in Kaspersky Industrial CyberSecurity for Networks.

    You must enable and configure the communication functionality in Kaspersky Industrial CyberSecurity for Networks before configuring Network Agent on the Server to act as a connection gateway. Enabling the communication functionality after configuring Network Agent on the Server resets the specified configuration settings and disables the connection gateway role on the node. In that case, to resume node operation as a connection gateway, repeat the steps in the scenario, starting with Network Agent configuration.

    Network Agent is not installed by default on the sensor node. To install Network Agent from the current application version distribution kit, do the following on the computer with the sensor installed:

    1. Copy the package file for installing Network Agent from the directory with the unpacked script and installation package files included in the distribution kit to an arbitrary directory:
      • In the version for CentOS Stream, the file is located inside the kics4net-release_<application version number>/linux-centos subdirectory. File name: klnagent64-<Network Agent version number>.x86_64.rpm.
      • In the version for Astra Linux Special Edition, the file is located inside the kics4net-release_<application version number>/linux-astra subdirectory. File name: klnagent64_<Network Agent version number>_amd64.deb.
    2. In the operating system console, go to the folder with the package file and enter the following command depending on the operating system:
      • For CentOS Stream:

        sudo rpm -i klnagent64-< Network Agent version number >.x86_64.rpm

      • For Astra Linux Special Edition:

        sudo dpkg -i klnagent64_<Network Agent version number>_amd64.deb

    Wait for the Network Agent installation process to finish.

  2. Allowing the use of ports

    At this step, you must allow the use of firewall ports on the Network Agent node computer. To enable port use, run the following command depending on the operating system:

    • For CentOS Stream:

      sudo firewall-cmd --permanent --add-port=13000/tcp

      sudo firewall-cmd --permanent --add-port=13295/tcp

      sudo systemctl restart firewalld

    • For Astra Linux Special Edition:

      sudo ufw allow 13000/tcp

      sudo ufw allow 13295/tcp

      sudo systemctl restart ufw

  3. Configuring Network Agent

    This step activates connection gateway mode on Administration Agent. When this mode is activated with subsequent addition of a node as a distribution point, Kaspersky Security Center changes the identification and authentication details for using this device as a connection gateway.

    Changes to credentials and authentication information require that for the new distribution point to be used as the connection gateway on a previously configured network, you reinstall Network Agent on all devices that you want to connect to the newly added connection gateway. This includes those devices that previously used the node as a connection gateway. Until Network Agent is reinstalled on these devices, they will not be able to connect to the newly added connection gateway.

    To activate connection gateway mode on Network Agent, you need to perform the following actions on the node computer:

    1. Run the post-installation script to configure the Network Agent local environment. To do so, enter the following command:

      sudo /opt/kaspersky/klnagent64/lib/bin/setup/postinstall.pl

    2. Please carefully read the End User License Agreement. To go to the next screens containing the text of the End User License Agreement, press SPACE.
    3. When done viewing and if you fully agree with the terms of the End User License Agreement, accept the terms. To do so, enter y.
    4. Enter the Administration Server name or IP address.
    5. If needed, change the default ports for unencrypted and encrypted connections to the Administration Server.
    6. Select a mode for connecting to the Administration Server. To do so, enter the appropriate character:

      y: secure connections via SSL

      n: unencrypted connections.

    7. At the step where the Network Agent operation mode is requested, select Use as connection gateway.
    8. Wait for the script to finish. Two to three minutes after the script finishes running, check the connection between Network Agent and the Administration Server. To do so, enter the following command:

      sudo /opt/kaspersky/klnagent64/bin/klnagchk

    The screen will display information about the connection to the Administration Server. If the configuration was applied successfully, the following messages will be displayed on the screen:

    HostId: < ID as an alphanumeric sequence>

    This host was installed as a connection gateway, but not yet registered on server

    Connecting to server...OK

    Connecting to the Administration Agent...OK

  4. Adding a node as a distribution point in Kaspersky Security Center

    The Kaspersky Industrial CyberSecurity for Networks node will begin acting as a connection gateway after it is added as a distribution point in Kaspersky Security Center. To do this, do the following:

    1. Connect to the Kaspersky Security Center Administration Server.
    2. In the console tree, open the context menu of the Administration Server node and select Properties.
    3. In the Administration Server properties window, select the Distribution points section.
    4. In the right part of the window, select Manually assign distribution points and click Add.

      The Add distribution point window opens.

    5. To specify a device that will act as a distribution point, select the option to add a connection gateway and enter the IP address or computer name of the Kaspersky Industrial CyberSecurity for Networks node.
    6. To specify the scope of the distribution point, select the Administration group option and specify the administration group whose devices will use the connection gateway.
    7. After adding the node to the list of distribution points, make sure that a persistent connection with the Administration Server is enabled for the node. To do so, open the node properties window and check that the Do not disconnect from the Administration Server check box in the General section is selected. This check box must be selected automatically and must not be cleared or selected manually.
  5. Verifying a successful connection between Network Agent and Kaspersky Security Center

    You can verify that the steps involved in adding the connection gateway and distribution point were successful on the node computer. To do so, enter the following command:

    sudo /opt/kaspersky/klnagent64/bin/klnagchk

    The screen will display information about the connection to the Administration Server. If the steps are completed successfully, the following messages are displayed on the screen:

    Host is a connection gateway

    Host is a distribution point

    Connection with server: active

    CG connection with server: active

Page top