Distribution point devices running macOS cannot download updates from Kaspersky update servers.
If one or more devices running macOS are within the scope of the Download updates to the repositories of distribution points task, the task completes with the Failed status, even if it has successfully completed on all Windows devices.
Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.
To manually assign a device to act as a distribution point:
In the main menu, click the Administration Server name.
The Administration Server properties window opens.
On the General tab, select the Distribution points section.
Click the Assign button.
Select the device that you want to make a distribution point.
When selecting a device, keep in mind the operation features of distribution points and the requirements set for the device that acts as a distribution point.
Select the administration group that you want to include in the scope of the selected distribution point.
Click the Add button.
The distribution point that you have added will be displayed in the list of distribution points, in the Distribution points section.
Select the newly added distribution point in the list to open its properties window.
Configure the distribution point in the properties window:
The General section contains the settings of interaction between the distribution point and client devices:
If this option is enabled, IP multicasting will be used for automatic distribution of installation packages to client devices within the group.
IP multicasting decreases the time required to install an application from an installation package to a group of client devices, but increases the installation time when you install an application to a single client device.
By default, the port number is 15001. If the device with Administration Server installed is specified as the distribution point, port 13001 is used for SSL connection by default.
Updates are distributed to managed devices from the following sources:
This distribution point, if this option is enabled.
Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.
If you use distribution points to deploy updates, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.
If you disable this option, the number of update downloads and load on the Administration Server may increase. By default, this option is enabled.
Installation packages are distributed to managed devices from the following sources:
This distribution point, if this option is enabled.
Other distribution points, Administration Server, or Kaspersky update servers, if this option is disabled.
If you use distribution points to deploy installation packages, you can save traffic because you reduce the number of downloads. Also, you can relieve the load on the Administration Server and relocate the load between the distribution points. You can calculate the number of distribution points for your network to optimize the traffic and load.
If you disable this option, the number of installation package downloads and load on the Administration Server may increase. By default, this option is enabled.
In Kaspersky Security Center Cloud Console, a distribution point can work as a push server for Windows-based and Linux-based devices that are managed by Network Agent. A push server has the same scope of managed devices as the distribution point on which the push server is enabled. If you have several distribution points assigned for the same administration group, you can enable a push server on each of the distribution points. In this case, Administration Server balances the load between the distribution points.
The port number for the push server. You can specify the number of any unoccupied port.
In the Scope section, specify the scope to which the distribution point will distribute updates (administration groups and/or network location).
If you want to specify an administration group, click the Add group button. In the right pane that opens, select the administration group from the drop-down list, and then click the Add button.
If you want to specify a subnet, click the Add subnet button. In the right pane that opens, click the Add button, and then specify the subnet name.
For devices running the Windows operating system, the Automatically assign distribution points within this network location description toggle switch is displayed. Network location cannot be determined for devices running other operating systems.
In the Source of updates section, you can select a source of updates for the distribution point.
If your distribution points use a proxy server when connecting to the internet, in the Internet connection settings section, you can specify the following settings:
By default, this option is disabled. Enabling this option takes effect only if the I agree to use Kaspersky Security Network option is enabled in the Administration Server properties window.
You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.
If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled.
The number of the UDP port that the managed devices will use to connect to KSN proxy server. The default UDP port to connect to the KSN proxy server is 15111.
If you need the managed devices to connect to KSN proxy server through an HTTPS port, enable the Use HTTPS option and specify an HTTPS port number. The default HTTPS port to connect to the KSN proxy server is 17111.
The number of the HTTPS port that the managed devices will use to connect to KSN proxy server. The default HTTPS port to connect to the KSN proxy server is 17111.
In the Connection gateway section, you can configure the distribution point to act as a gateway for connection between Network Agent instances and Administration Server if a direct connection cannot be established due to the organization of your network. To do this, enable the Connection gateway toggle switch.
By default, this option is disabled.
When connecting mobile devices to Administration Server via the distribution point that acts as a connection gateway, you can enable the following options:
Enable this option if you need the connection gateway to open a port for mobile devices and specify the port number that mobile devices will use for connection to the distribution point. The default port number is 13292. The mobile device will check the Administration Server certificate. When establishing the connection, only Administration Server is authenticated.
Enable this option if you need the connection gateway to open a port that will be used for two-way authentication of Administration Server and mobile devices. The mobile device will check the Administration Server certificate, and Administration Server will check the mobile device certificate. Specify the following parameters:
Port number that mobile devices will use for connection to the distribution point. The default port number is 13293.
DNS domain names of the connection gateway that will be used by mobile devices. Separate domain names with commas. The specified domain names will be included in the distribution point certificate. If the domain names used by mobile devices do not match the common name in the distribution point certificate, mobile devices do not connect to the distribution point.
The default DNS domain name is the FQDN of the connection gateway.
In both cases, the certificates are checked during the TLS session establishment on the distribution point only. The certificates are not forwarded to be checked by the Administration Server. After a TLS session with the mobile device is established, the distribution point uses the Administration Server certificate to create a tunnel for synchronization between the mobile device and Administration Server. If you open the port for two-way SSL authentication, the only way to distribute the mobile device certificate is via an installation package.
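The KSN proxy and connection gateway options above each open a listening port on the distribution point, so it is worth confirming that the host exposes exactly the ports you enabled. The following is an added example, not part of the Kaspersky documentation: it uses the default ports stated on this page, while the option keys, the sample settings, and the listener listing (in `ss -H -lntu` column layout) are constructed assumptions.

```python
# Added example: compare the listeners implied by the enabled options
# (default ports as stated on this page) with what the host exposes.
# Option keys and sample data are hypothetical, constructed for illustration.
DEFAULT_PORTS = {
    "ksn_proxy_udp": ("udp", 15111),
    "ksn_proxy_https": ("tcp", 17111),
    "gateway_mobile_one_way": ("tcp", 13292),
    "gateway_mobile_two_way": ("tcp", 13293),
}

def expected_listeners(options):
    """Return the (proto, port) pairs implied by the enabled options."""
    expected = set()
    for key, (proto, default_port) in DEFAULT_PORTS.items():
        value = options.get(key, False)
        if value is True:                        # enabled with the default port
            expected.add((proto, default_port))
        elif isinstance(value, int) and value:   # enabled with a custom port
            expected.add((proto, value))
    return expected

def parse_listeners(ss_output):
    """Parse `ss -H -lntu`-style lines into (proto, port) pairs."""
    found = set()
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        port = fields[4].rpartition(":")[2]      # handles 0.0.0.0:N and [::]:N
        if port.isdigit():
            found.add((fields[0], int(port)))
    return found

def audit(options, ss_output):
    """Missing: enabled but not listening. Unexpected: product port open but not enabled."""
    expected = expected_listeners(options)
    actual = parse_listeners(ss_output)
    watched = set(DEFAULT_PORTS.values())
    return {"missing": sorted(expected - actual),
            "unexpected": sorted((actual & watched) - expected)}

# Constructed sample: KSN proxy on with defaults, one-way mobile port only.
SAMPLE_OPTIONS = {"ksn_proxy_udp": True, "ksn_proxy_https": True,
                  "gateway_mobile_one_way": True, "gateway_mobile_two_way": False}
SAMPLE_SS = """
udp UNCONN 0 0 0.0.0.0:15111 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:13292 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:13293 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

if __name__ == "__main__":
    print(audit(SAMPLE_OPTIONS, SAMPLE_SS))
```

In the sample, the HTTPS KSN proxy port is reported as missing and the two-way authentication port as unexpected, because it is listening although the option is recorded as disabled.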
Configure the polling of Windows domains, domain controller, and IP ranges by the distribution point:
You can enable device discovery for Windows domains by turning on the Enable network polling toggle switch, and then clicking the Set full polling schedule button to set the schedule for the discovery.
In the window that opens, specify the polling schedule:
Scheduled start
You can select one of the following polling schedule options:
Every N days
The polling runs regularly, with the specified interval in days, starting from the specified date and time. By default, the polling runs every day, starting from the current system date and time.
Every N minutes
The polling runs regularly, with the specified interval in minutes, starting from the specified time. By default, the polling runs every five minutes, starting from the current system time.
By days of week
The polling runs regularly, on the specified days of week, and at the specified time. By default, the polling runs every Friday at 6:00:00 PM.
Every month on specified days of selected weeks
The polling runs regularly, on the specified days of each month, and at the specified time. By default, no days of month are selected; the default start time is 6:00:00 PM.
Start interval (days)
Specify what N is equal to (for minutes or days).
The field is displayed if you selected the Every N days or Every N minutes schedule option.
Starting from
Specify when to start the first poll.
The field is displayed if you selected the Every N days or Every N minutes schedule option.
Run missed tasks
If the Administration Server is switched off or unavailable during the time for which the poll is scheduled, the Administration Server can either start the poll immediately after it is switched on, or wait for the next time for which the poll is scheduled.
By default, this option is disabled, which means that Administration Server waits for the next time for which the polling is scheduled.
If you enable the option, Administration Server starts polling immediately after it is switched on.
The section is only displayed for the distribution points running Windows.
You can enable network polling for Active Directory and set the schedule for the poll.
If you use a Windows distribution point, you can select one of the following options:
Poll current Active Directory domain.
Poll Active Directory domain forest.
Poll selected Active Directory domains only. If you select this option, add one or more Active Directory domains to the list.
If you use a Linux distribution point with installed Network Agent version 15, you can poll only Active Directory domains for which you specify the address and user credentials. Polling of the current Active Directory domain and the Active Directory domain forest is not available.
You can enable device discovery for domain controllers.
In the Polling field, after you switch the toggle button to the Enabled position, you can select domain controllers for polling and also specify the polling schedule for them.
If you use a Linux distribution point, in the Poll specified domains section, click Add, and then specify the address and user credentials of the domain controller. Also, you can specify the type of domain to be polled: Active Directory or Samba, FreeIPA, ALD Pro.
If you use a Windows distribution point, you can select one of the following options:
You can enable device discovery for IPv4 ranges and IPv6 networks.
If you enable the Enable range polling option, you can add scanned ranges and set the schedule for them. You can add IP ranges to the list of scanned ranges.
If you enable the Use Zeroconf to poll IPv6 networks option, the distribution point automatically polls the IPv6 network by using zero-configuration networking (also referred to as Zeroconf). In this case, the specified IP ranges are ignored because the distribution point polls the whole network. The Use Zeroconf to poll IPv6 networks option is available if the distribution point runs Linux. To use Zeroconf IPv6 polling, you must install the avahi-browse utility on the distribution point.
In the Advanced section, specify the folder that the distribution point must use to store distributed data:
If you select this option, in the field below, you can specify the path to the folder. It can be a local folder on the distribution point, or it can be a folder on any device on the corporate network.
The user account used on the distribution point to run Network Agent must have read/write access to the specified folder.
In the Statistics section, you can view statistics on downloading anti-virus databases to the device or statistics on installing packages to the device.