Creating a hierarchy of Administration Servers: adding a secondary Administration Server
In a hierarchy, a Linux-based Administration Server can work both as a primary Server and as a secondary Server. The primary Linux-based Server can manage both Linux-based and Windows-based secondary Servers. A primary Windows-based Server can manage a secondary Linux-based Server.
Adding secondary Administration Server (performed on the future primary Administration Server)
You can add an Administration Server as a secondary Administration Server, thus establishing a "primary/secondary" hierarchy.
To add a secondary Administration Server that is available for connection through Kaspersky Security Center Web Console:
- Make sure that port 13000 of the future primary Administration Server is available for receipt of connections from secondary Administration Servers.
- On the future primary Administration Server, click the settings icon.
- On the properties page that opens, click the Administration Servers tab.
- Select the check box next to the name of the administration group to which you want to add the Administration Server.
- In the menu line, click Connect secondary Administration Server.
The Add secondary Administration Server wizard starts. Proceed through the wizard by using the Next button.
- Fill in the following fields:
  - Secondary Administration Server display name
    A name by which the secondary Administration Server will be displayed in the hierarchy. You can enter the IP address as the name, or use a descriptive name such as "Secondary Server for group 1".
  - Secondary Administration Server address (optional)
    Specify the IP address or the domain name of the secondary Administration Server.
    This parameter is required if the Connect primary Administration Server to secondary Administration Server in DMZ option is enabled.
  - Administration Server SSL port
    Specify the number of the SSL port on the primary Administration Server. The default port number is 13000.
  - Administration Server API port
    Specify the number of the port on the primary Administration Server for receiving connections over OpenAPI. The default port number is 13299.
  - Connect primary Administration Server to secondary Administration Server in DMZ
    Select this option if the secondary Administration Server is in a demilitarized zone (DMZ).
    If this option is selected, the primary Administration Server initiates connection to the secondary Administration Server. Otherwise, the secondary Administration Server initiates connection to the primary Administration Server.
  - Use proxy server
    Select this option if you use a proxy server to connect to the secondary Administration Server.
    In this case, you also have to specify the following settings of the proxy server:
- Specify the connection settings:
  - Enter the address of the future primary Administration Server.
  - If the future secondary Administration Server uses a proxy server, enter the proxy server address and user credentials to connect to the proxy server.
  - Enter the credentials of the user that has access rights on the future secondary Administration Server.
    Make sure that two-step verification is disabled for the account that you specify. If two-step verification is enabled for this account, then you can create the hierarchy from the future secondary Server only (see instructions below). This is a known issue.
If the connection settings are correct, the connection with the future secondary Server is established and the "primary/secondary" hierarchy is built. If the connection has failed, check the connection settings or specify the certificate of the future secondary Server manually.
The connection may also fail because the future secondary Server is authenticated with a self-signed certificate that was automatically generated by Kaspersky Security Center Linux. As a result, the browser might block downloading the self-signed certificate. If this is the case, you can do one of the following:
- For the future secondary Server, create a certificate that is trusted in your infrastructure and that meets the requirements for custom certificates.
- Add the self-signed certificate of the future secondary Server to the list of trusted browser certificates. We recommend that you use this option only if you cannot create a custom certificate. For information about adding a certificate to the list of trusted certificates, refer to the documentation of your browser.
After the wizard finishes, the "primary/secondary" hierarchy is built. Connection between the primary and secondary Administration Servers is established through port 13000. The tasks and policies from the primary Administration Server are received and applied. The secondary Administration Server is displayed on the primary Administration Server, in the administration group to which it was added.
Adding secondary Administration Server (performed on the future secondary Administration Server)
If you could not connect to the future secondary Administration Server (for example, because it was temporarily disconnected or unavailable, or because the certificate file of the secondary Administration Server is self-signed), you can still add it as a secondary Administration Server.
To add an Administration Server that is not available for connection through Kaspersky Security Center Web Console as a secondary Administration Server:
- Send the certificate file of the future primary Administration Server to the system administrator of the office where the future secondary Administration Server is located. (You can, for example, write the file to an external device, such as a flash drive, or send it by email.)
  The certificate file is located on the future primary Administration Server, at /var/opt/kaspersky/klnagent_srv/1093/cert/.
- Prompt the system administrator in charge of the future secondary Administration Server to do the following:
  - Click the settings icon.
  - On the properties page that opens, proceed to the Hierarchy of Administration Servers section of the General tab.
  - Select the This Administration Server is secondary in the hierarchy option.
  - In the Primary Administration Server address field, enter the network name of the future primary Administration Server.
  - Select the previously saved file with the certificate of the future primary Administration Server by clicking Browse.
  - If necessary, select the Connect primary Administration Server to secondary Administration Server in DMZ check box.
  - If the connection to the future primary Administration Server is performed through a proxy server, select the Use proxy server option and specify the connection settings.
  - Click Save.
The "primary/secondary" hierarchy is built. The primary Administration Server starts receiving connections from the secondary Administration Server using port 13000. The tasks and policies from the primary Administration Server are received and applied. The secondary Administration Server is displayed on the primary Administration Server, in the administration group where it was added.
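Because the primary Server's certificate file travels by flash drive or email in the procedure above, the receiving administrator can confirm it is the file that was sent before selecting it with Browse. The following is an added example, not Kaspersky code: it computes a SHA-256 fingerprint over the certificate's DER bytes, so a PEM copy, a DER copy and a copy whose line endings were rewritten in transit all compare equal, while a modified file does not. The function names and the sample bytes are constructed for illustration, and the expected fingerprint is assumed to be read out over a separate channel.

```python
import base64
import hashlib
import ssl
import sys
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# Constructed stand-in bytes (a DER SEQUENCE header plus filler), not a real certificate.
SAMPLE_DER = b"\x30\x0b" + b"constructed"


def cert_fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, formatted as colon-separated hex."""
    text = data.strip()
    if text.startswith(PEM_HEADER):
        # Mail gateways may rewrite line endings; decoding to DER removes that noise.
        der = ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    else:
        der = data  # treat anything else as binary DER
    if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("file is not a PEM or DER certificate")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(received: bytes, expected: str) -> bool:
    """Compare a received file with the fingerprint obtained out of band."""
    def norm(value: str) -> str:
        return value.replace(":", "").replace(" ", "").strip().upper()
    return norm(cert_fingerprint(received)) == norm(expected)


def to_pem(der: bytes, newline: str = "\n") -> bytes:
    """Helper for the demo: wrap DER bytes as PEM with the given line ending."""
    body = base64.encodebytes(der).decode().split()
    lines = [PEM_HEADER.decode(), *body, "-----END CERTIFICATE-----", ""]
    return newline.join(lines).encode()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: <certificate file> <expected fingerprint>
        ok = matches(Path(sys.argv[1]).read_bytes(), sys.argv[2])
        print("fingerprint matches" if ok else "MISMATCH: do not import this file")
        sys.exit(0 if ok else 1)
    sent = cert_fingerprint(SAMPLE_DER)
    print("sent      :", sent)
    print("CRLF copy :", cert_fingerprint(to_pem(SAMPLE_DER, "\r\n")))
    print("tampered ok?", matches(SAMPLE_DER + b"!", sent))
```

Hashing the raw file (for example with a plain file checksum) would report a mismatch for the CRLF copy even though the certificate is unchanged, which is why the comparison is made on the DER bytes.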