The figure below shows data traffic if the Administration Server is on a local area network (LAN) and the managed devices are on the internet. A connection gateway is in use.
This deployment scheme is recommended if you do not want the managed devices to connect to the Administration Server directly and do not want to use a reverse proxy or corporate firewall.
Managed mobile devices connected to the Administration Server through a connection gateway
In this figure, the managed devices are connected to the Administration Server through a connection gateway that is located in the DMZ. No reverse proxy or corporate firewall is in use.
The arrows indicate the initiation of traffic: each arrow points from a device that initiates the connection to the device that "answers" the call. The number of the port and the name of the protocol used for data transfer are provided. Each arrow has a number label, and details about the corresponding data traffic are as follows:
Network Agents send requests to each other within one broadcasting domain. The data is then sent to the Administration Server and is used for defining the limits of the broadcasting domain and for automatic assignment of distribution points (if this option is enabled).
If the Administration Server does not have direct access to the managed devices, communication requests from the Administration Server to these devices are not sent directly.
If you used an earlier version of Kaspersky Security Center, the Administration Server on your network can receive connections from Network Agents through the non-TLS port 14000. Kaspersky Security Center Linux also supports connections from Network Agents through port 14000, although using the TLS port 13000 is recommended.
4a. A connection gateway in the DMZ also receives a connection from the Administration Server through TLS port 13000. Because a connection gateway in the DMZ cannot reach the Administration Server's ports, the Administration Server creates and maintains a permanent signal connection to the connection gateway. The signal connection is not used for data transfer; it is used only to request a network interaction. When the connection gateway needs to connect to the Server, it notifies the Server through this signal connection, and the Server then opens the connection required for data transfer.
Out-of-office devices connect to the connection gateway through TLS port 13000 as well.
6a. Data from the browser, which runs on the administrator's separate device, is transferred to the Kaspersky Security Center Web Console Server through TLS port 8080. The Kaspersky Security Center Web Console Server can be installed either on the Administration Server or on another device.
If you do not want your Administration Server to have access to the internet, you must manage this data manually.
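The following added example (not Kaspersky's code) audits observed TCP flows against the scheme above: LAN Network Agents talk to the Administration Server on port 13000 (14000 only for legacy agents), internet devices reach only the DMZ connection gateway on port 13000, and the gateway never initiates to the Server. The addresses and the sample flows are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addresses chosen for this illustration.
ADMIN_SERVER = ipaddress.ip_address("10.0.0.10")          # on the LAN
CONNECTION_GATEWAY = ipaddress.ip_address("192.0.2.20")   # in the DMZ
LAN = ipaddress.ip_network("10.0.0.0/8")

TLS_PORT = 13000        # recommended port for Network Agents and the gateway
LEGACY_PORT = 14000     # non-TLS port kept only for older Network Agents
AGENT_PORTS = (TLS_PORT, LEGACY_PORT)


@dataclass(frozen=True)
class Flow:
    src: str     # device that initiates the TCP connection
    dst: str     # device that "answers"
    dport: int   # destination port


def audit_flow(flow: Flow) -> list[str]:
    """Return findings for one observed flow; an empty list means it fits the scheme."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    findings = []
    if flow.dport == LEGACY_PORT:
        findings.append("non-TLS port 14000 in use; move this agent to TLS port 13000")
    if dst == ADMIN_SERVER and flow.dport in AGENT_PORTS and src not in LAN:
        # Only LAN agents open agent connections to the Server: the gateway cannot
        # reach the Server's ports, and internet devices must go through the gateway.
        findings.append("agent connection to the Administration Server from outside the LAN")
    if (dst == CONNECTION_GATEWAY and flow.dport in AGENT_PORTS
            and src in LAN and src != ADMIN_SERVER):
        findings.append("LAN device connecting to the DMZ gateway instead of the Server")
    return findings


def audit_flows(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Map every flow that deviates from the scheme to its findings."""
    return {f: audit_flow(f) for f in flows if audit_flow(f)}


# Constructed sample: what a connection log for this deployment might contain.
SAMPLE_FLOWS = [
    Flow("10.0.0.55", "10.0.0.10", 13000),      # LAN agent -> Server, TLS (expected)
    Flow("10.0.0.56", "10.0.0.10", 14000),      # LAN agent -> Server, legacy non-TLS
    Flow("10.0.0.10", "192.0.2.20", 13000),     # Server -> gateway signal connection
    Flow("198.51.100.7", "192.0.2.20", 13000),  # out-of-office device -> gateway
    Flow("198.51.100.7", "10.0.0.10", 13000),   # internet device bypassing the gateway
    Flow("192.0.2.20", "10.0.0.10", 13000),     # gateway initiating to the Server
]

if __name__ == "__main__":
    for flow, findings in audit_flows(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: {'; '.join(findings)}")
```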