Configuring an allowlist of IP addresses to connect to Administration Server

By default, users can log in to Kaspersky Security Center under any device where they can open Kaspersky Security Center Web Console (hereinafter referred to as Web Console) or where MMC-based Administration Console is installed. However, you can configure Administration Server so that users can connect to it only from devices with allowed IP addresses. In this case, even if an intruder steals a Kaspersky Security Center account, he or she will not be able to log in to Kaspersky Security Center because the IP address of the intruder's device is not in the allowlist.

The IP address is verified when a user logs in to Kaspersky Security Center or runs an application that interacts with Administration Server via Kaspersky Security Center OpenAPI. At this moment, a user's device tries to establish a connection with Administration Server. If the IP address of the device is not in the allowlist, an authentication error occurs and the KLAUD_EV_SERVERCONNECT event notifies you that a connection with Administration Server has not been established.

Requirements for an allowlist of IP addresses

IP addresses are verified only when the following applications try to connect to Administration Server:

Therefore, specify addresses of the devices on which the applications listed above are installed.

You can set IPv4 and IPv6 addresses. You cannot specify ranges of IP addresses.

How to establish an allowlist of IP addresses

If you have not set an allowlist earlier, follow the instructions below.

To establish an allowlist of IP addresses to log in to Kaspersky Security Center:

  1. On the Administration Server device, run the command prompt under an account with administrator rights.
  2. Change your current directory to the Kaspersky Security Center installation folder (usually, <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center).
  3. Enter the following command, using administrator rights:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

    Specify IP addresses that meet the requirements listed above. Several IP addresses must be separated by a semicolon.

    Example of how to allow only one device to connect to Administration Server:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0" -t s

    Example of how to allow multiple devices to connect to Administration Server:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 198.51.100.0; 203.0.113.0" -t s

  4. Restart the Administration Server service.

You can find out whether you have successfully configured the allowlist of IP addresses in Kaspersky Event Log on the Administration Server.

How to change an allowlist of IP addresses

You can change an allowlist just as you did when you first established it. For this purpose, run the same command and specify a new allowlist:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

If you want to delete some IP addresses from the allowlist, rewrite it. For example, your allowlist includes the following IP addresses: 192.0.2.0; 198.51.100.0; 203.0.113.0. You want to delete the 198.51.100.0 IP address. To do this, enter the following command at the command prompt:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 203.0.113.0" -t s

Do not forget to restart the Administration Server service.

How to reset a configured allowlist of IP addresses

To reset an already configured allowlist of IP addresses:

  1. Enter the following command at the command prompt, using administrator rights:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "" -t s

  2. Restart the Administration Server service.

After that, IP addresses are not verified any more.

Page top