Scenario: Creating a hierarchy of Administration Servers managed through Kaspersky Security Center Cloud Console

Expand all | Collapse all

This scenario describes the actions that you must perform to create a hierarchy of Administration Servers managed through Kaspersky Security Center Cloud Console, which thus assumes the role of primary Administration Server. This hierarchy can be subsequently used for migration of managed devices and objects from Kaspersky Security Center to Kaspersky Security Center Cloud Console, as well as management of secondary Administration Servers and devices through Kaspersky Security Center Cloud Console.

Kaspersky Security Center Cloud Console can only act as primary Administration Server, while Administration Servers running on-premises can only act as secondary Administration Servers. Other hierarchical schemes are not available.

Prerequisites

Before you start, make sure that the following prerequisites are met:

• Upgrading Administration Server running on-premises to version 12 or later.
• Installing Kaspersky Security Center Web Console on the Administration Server running on-premises.
• Installing the web plug-ins for the applications that you intend to manage through Kaspersky Security Center Cloud Console.
• Upgrading the managed applications to versions supported by Kaspersky Security Center Cloud Console.
• Making sure that the Download updates to the Administration Server repository task on the Administration Server running on-premises does not have the primary Administration Server assigned as the update source; modifying the task settings accordingly, if necessary.

After the hierarchy is created, the policies and tasks that are effective in Kaspersky Security Center Cloud Console are applied on the secondary Administration Server, thus superseding its existing policies and tasks. If you want to avoid this behavior, delete all policies and tasks of Kaspersky Security Center Cloud Console before the hierarchy creation. Alternatively, you can change the status of each Kaspersky Security Center Cloud Console policy to Inactive in its settings and disable the Distribute to secondary and virtual Administration Servers option in the settings of each Kaspersky Security Center Cloud Console task.

You can delete your hierarchy of Administration Servers at any time, if necessary.

Stages of hierarchy creation

The basic scenario provides for a secondary Administration Server that cannot be accessed over the internet. However, the set of actions within some of the steps described below may vary if the secondary Administration Server is accessible over the internet. Also, some of the steps must be skipped in this case.

Creation of a hierarchy of Administration Servers comprises the following stages:

1. Retrieving the certificate of the secondary Administration Server

   If the secondary Administration Server is accessible over the internet, skip this step.

   In Kaspersky Security Center Web Console running on-premises, open the Administration Server properties and on the General tab, open the General section. Click the View Administration Server certificate link. The certificate file, in the CER format, is automatically saved in the folder specified in your browser settings.

2. Retrieving the connection settings and certificates from Kaspersky Security Center Cloud Console

   If the secondary Administration Server is accessible over the internet, skip this step.

   In Kaspersky Security Center Cloud Console, open the Administration Server properties and on the General tab open the Hierarchy of Administration Servers section. The following connection settings are displayed:

   • HDS address

     Displays the web address used for connection to Hosted Discovery Service (HDS).

   • HDS port

     Displays the number of the port used for connection to HDS.

   The section also contains two links:

   • View Administration Server certificate

     Clicking this link starts the download of the public key of the Kaspersky Security Center Cloud Console instance certificate.

   • HDS Root CA certificate

     Clicking this link starts the download of the file in .pem format that contains a list of trusted root certificates issued by Certification Authorities (CA). This file is designed for use by the secondary Administration Server: it is required to verify the HDS certificate.

   Copy the connection settings manually—by using the clipboard or any other convenient way—and save them to a file of any convenient format. Click the View Administration Server certificate link and wait until the certificate file is downloaded. Click the HDS Root CA certificate link and wait until the file with the list of trusted root certificates issued by Certification Authorities is downloaded. Both files are saved to the folder specified in your browser settings.

3. Selecting the secondary Administration Server for connection

   In the Administration Server properties, proceed to the Administration servers tab. In the hierarchy of administration groups, select the check box next to the administration group that you want to contain the secondary Administration Server with all its managed devices. Click the Connect secondary Administration Server button.

   On the page that opens, in the Secondary Administration Server display name field specify the name under which the secondary Administration Server must be displayed in the hierarchy. It is used for your convenience only and so it can differ from the actual secondary Administration Server name, if necessary. Click Next.

   If the secondary Administration Server is accessible over the internet, you must also specify the address of the secondary Administration Server in the Secondary Administration Server address (optional) field.

   On the next page, click the Browse button and specify the .pem file that you saved from the secondary Administration Server. Click Next.

4. Enabling and configuring proxy server

   The actions described in this step are optional. Perform them only if your connection requires the use of proxy server.

   Click Next. On the Connection and authentication settings page, you can enable and configure the use of proxy server, if necessary. Select the Use proxy server check box and specify the following proxy settings:

   • Proxy server address

     The proxy server address.

   • User name

     The user name to log in to the proxy server.

   • Password

     The password to log in to the proxy server.

5. Specifying the authentication settings and adding the secondary Administration Server to the hierarchy

   Click Next. On the Secondary Administration Server credentials page, specify the following settings:

   • User name

     The user name under which you log in to the secondary Administration Server.

   • Password

     The password used to log in to the secondary Administration Server.

   Click Next and wait until the secondary Administration Server appears in the hierarchy.

   If the secondary Administration Server is accessible over the internet, it connects to the primary Administration Server.

   If the secondary Administration Server is accessible over the internet and the connection between the two Administration Servers is successfully established, skip all further steps.

   If the secondary Administration Server cannot be accessed over the internet, it becomes visible but you must perform additional actions on the secondary Administration Server to gain control of it.

6. Configuring the connection in Kaspersky Security Center Web Console running on-premises

   In Kaspersky Security Center Web Console running on-premises, open the Administration Server properties and on the General tab, open the Hierarchy of Administration Servers section. Select the This Administration Server is secondary in the hierarchy check box. In the Type of primary Administration Server list, select the Kaspersky Security Center Cloud Console option.

   Kaspersky Security Center Web Console checks whether the primary Administration Server is specified as the update source in the Download updates to the Administration Server repository task. If the primary Administration Server is specified as the update source, you get the corresponding warning message and a link to the task settings. You can modify the settings and then go back to the hierarchy creation, or you can skip this action and proceed with the hierarchy creation.

   In the Settings to establish connection between secondary and primary Administration Servers group, specify the following settings:

   • HDS server address (from primary Administration Server on Cloud Console)

     Enter the address of the HDS server in Fully Qualified Domain Name (FQDN) format, which you have copied and saved from the Administration Server properties in Kaspersky Security Center Cloud Console.

   • HDS server ports

     Enter the number(s) of the HDS server port(s), which you have copied and saved from the Administration Server properties in Kaspersky Security Center Cloud Console.

7. Adding the certificates to the secondary Administration Server

   Click the Specify primary Administration Server certificate button and specify the certificate file that you saved from the Administration Server properties in Kaspersky Security Center Cloud Console.

   Click the Specify Hosted Discovery Service certificates button and specify the .pem file that you saved from the Administration Server properties in Kaspersky Security Center Cloud Console.

   If you have enabled the use of proxy server when connecting the secondary Administration Server in Kaspersky Security Center Cloud Console, select the Use proxy server check box and specify the same proxy settings as in Kaspersky Security Center Cloud Console.

   You can also select the Connect primary Administration Server to secondary Administration Server in DMZ check box if the secondary Administration Server is in a demilitarized zone (DMZ).

   Demilitarized zone is a segment of a local network that contains servers, which respond to requests from the global Web. In order to ensure the security of an organization's local network, access to the LAN from the demilitarized zone is protected with a firewall.

   The secondary Administration Server connects to the primary Administration Server.

Results

Upon performing the above steps, you can make sure that the hierarchy is created successfully:

• The active policies of the primary Administration Server become effective on the secondary Administration Server. The tasks of the primary Administration Server are distributed to the secondary Administration Server. If the Distribute to secondary and virtual Administration Servers option is enabled in the settings of a group task, every such task is also distributed to the secondary Administration Server.
• Policy settings that are locked against changes on the primary Administration Server are displayed as locked against changes in all policies on the secondary Administration Server.
• Policies applied by the primary Administration Server are displayed in the list of policies of the secondary Administration Server (Assets (Devices) → Policies & profiles).
• Group tasks distributed by the primary Administration Server are displayed in the list of tasks of the secondary Administration Server (Assets (Devices) → Tasks).
• Policies and tasks created on the primary Administration Server cannot be modified on the secondary Administration Server.
• In Kaspersky Security Center Cloud Console, in the structure of administration groups the secondary Administration Server is displayed within the group that you selected when you added this Administration Server.

Page top