Network Agent policy settings
To configure the Network Agent policy:
- In the main menu, go to Assets (Devices) → Policies & profiles.
- Click the name of the Network Agent policy.
The properties window of the Network Agent policy opens. The properties window contains the tabs and settings described below.
Note that different settings are available for Linux-based and Windows-based devices.
General
On this tab, you can modify the policy name, policy status and specify the inheritance of policy settings:
- In the Policy status block, you can select one of the following policy modes:
- Active policy
If this option is selected, the policy becomes active.
By default, this option is selected.
- Inactive policy
If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If required, the policy can be activated.
- In the Settings inheritance settings group, you can configure the policy inheritance:
- Inherit settings from parent policy
If this option is enabled, the policy setting values are inherited from the upper-level group policy and, therefore, are locked.
By default, this option is enabled.
- Force inheritance of settings in child policies
If this option is enabled, after policy changes are applied, the following actions will be performed:
- The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
- In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.
If this option is enabled, the child policies' settings are locked.
By default, this option is disabled.
Event configuration
On this tab, you can configure event logging and event notification. Events are distributed according to importance level in the following sections:
In each section, the list shows the types of events and the default event storage period on the Administration Server (in days). After you click the event type, you can specify the settings of event logging and notifications about events selected in the list. By default, common notification settings specified for the entire Administration Server are used for all event types. However, you can change specific settings for the required event types.
For example, in the Warning section, you can configure the Security issue has occurred event type. Such events may happen, for instance, when the free disk space of a distribution point is less than 2 GB (at least 4 GB are required to install applications and download updates remotely). To configure the Security issue has occurred event, click it and specify where to store the occurred events and how to notify about them.
If Network Agent detected a security issue, you can manage this issue by using the settings of a managed device.
Application settings
Settings
In the Settings section, you can configure the Network Agent policy:
- Distribute files through distribution points only
If this option is enabled, Network Agents on managed devices retrieve updates from distribution points only.
If this option is disabled, Network Agents on managed devices retrieve updates from distribution points or from Administration Server.
Note that the security applications on managed devices retrieve updates from the source set in the update task for each security application. If you enable the Distribute files through distribution points only option, make sure that Kaspersky Security Center Linux is set as the update source in the update tasks.
By default, this option is disabled.
- Maximum size of event queue, in MB
In this field you can specify the maximum space on the drive that an event queue can occupy.
The default value is 2 megabytes (MB).
- Application is allowed to retrieve policy's extended data on device
Network Agent installed on a managed device transfers information about the applied security application policy to the security application (for example, Kaspersky Endpoint Security for Linux). You can view the transferred information in the security application interface.
Network Agent transfers the following information:
- Protect Network Agent service against unauthorized removal or termination, and prevent changes to settings
When this option is enabled, after Network Agent is installed on a managed device, the component cannot be removed or reconfigured without required privileges. The Network Agent service cannot be stopped. This option has no effect on domain controllers.
Enable this option to protect Network Agent on workstations operated with local administrator rights.
By default, this option is disabled.
- Use uninstallation password
If this option is enabled, by clicking the Modify button you can specify the password for the klmover utility and Network Agent remote uninstallation.
By default, this option is disabled.
Repositories
In the Repositories section, you can select the types of objects whose details will be sent from Network Agent to Administration Server. If modification of some settings in this section is prohibited by the Network Agent policy, you cannot modify these settings.
- Details of installed applications
If this option is enabled, information about applications installed on client devices is sent to the Administration Server.
By default, this option is enabled.
- Details of hardware registry
Network Agent installed on a device sends information about the device hardware to the Administration Server. You can view the hardware details in the device properties.
Ensure that the lshw utility is installed on Linux devices from which you want to fetch hardware details. Hardware details fetched from virtual machines may be incomplete depending on the hypervisor used.
Connectivity
The Connectivity section includes three subsections:
In the Network subsection, you can configure the connection to Administration Server, enable the use of a UDP port, and specify the UDP port number.
- In the Connect to Administration Server settings group, you can configure connection to the Administration Server and specify the time interval for synchronization between client devices and the Administration Server:
- Synchronization interval (min)
Network Agent synchronizes the managed device with the Administration Server. We recommend that you set the synchronization interval (also referred to as the heartbeat) to 15 minutes per 10,000 managed devices.
If the synchronization interval is set to less than 15 minutes, synchronization is performed every 15 minutes. If synchronization interval is set to 15 minutes or more, synchronization is performed at the specified synchronization interval.
- Compress network traffic
If this option is enabled, Network Agent transfers less data, which speeds up data transfer and reduces the load on the Administration Server.
The workload on the CPU of the client computer may increase.
By default, this check box is enabled.
- Open Network Agent ports in Microsoft Windows Firewall
If this option is enabled, a UDP port, necessary for the work of Network Agent, is added to the Microsoft Windows Firewall exclusion list.
By default, this option is enabled.
- Use SSL connection
If this option is enabled, connection to the Administration Server is established through a secure port via SSL.
By default, this option is enabled.
- Use connection gateway on distribution point (if available) under default connection settings
If this option is enabled, the connection gateway on the distribution point is used under the settings specified in the administration group properties.
By default, this option is enabled.
- Use UDP port
If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to the KSN proxy server is 15111.
- UDP port number
In this field you can enter the UDP port number. The default port number is 15000.
Enter the port number in decimal notation.
In the Connection profiles subsection, you can specify the network location settings and enable out-of-office mode when Administration Server is not available. The settings in the Connection profiles section are available only on devices running Windows:
- Network location settings
Network location settings define the characteristics of the network to which the client device is connected and specify rules for Network Agent switching from one Administration Server connection profile to another when those network characteristics are altered.
- Administration Server connection profiles
Connection profiles are supported only for devices running Windows.
You can view and add profiles for Network Agent connection to the Administration Server. In this section, you can also create rules for switching Network Agent to different Administration Servers when the following events occur:
- When the client device connects to a different local network
- When the device loses connection with the local network of the organization
- When the connection gateway address is changed or the DNS server address is modified
- Enable out-of-office mode when Administration Server is not available
If this option is enabled, in case of connection through this profile, applications installed on the client device use policy profiles for devices in out-of-office mode, as well as out-of-office policies. If no out-of-office policy has been defined for the application, the active policy will be used.
If this option is disabled, applications will use active policies.
By default, this option is disabled.
In the Connection schedule subsection, you can specify the time intervals during which Network Agent sends data to the Administration Server:
- Connect when necessary
If this option is selected, the connection is established when Network Agent has to send data to the Administration Server.
By default, this option is selected.
- Connect at specified time intervals
If this option is selected, Network Agent connects to the Administration Server at a specified time. You can add several connection time periods.
Network polling by distribution points
In the Network polling by distribution points section, you can configure automatic polling of the network. You can use the following options to enable the polling and set its frequency:
- Zeroconf
If this option is enabled, the distribution point automatically polls the network with IPv6 devices by using zero-configuration networking (also referred to as Zeroconf). In this case, the enabled IP range polling is ignored, because the distribution point polls the whole network.
To start to use Zeroconf, the following conditions must be fulfilled:
- The distribution point must run Linux.
- You must install the avahi-browse utility on the distribution point.
If this option is disabled, the distribution point does not poll networks with IPv6 devices.
By default, this option is disabled.
- IP ranges
If the option is enabled, the distribution point automatically polls IP ranges according to the schedule that you configured by clicking the Set polling schedule button.
If this option is disabled, the distribution point does not poll IP ranges.
The frequency of IP range polling for Network Agent versions prior to 10.2 can be configured in the Polling interval (min) field. The field is available if the option is enabled.
By default, this option is disabled.
- Domain controllers
If the option is enabled, the distribution point automatically polls domain controllers according to the schedule that you configured by clicking the Set polling schedule button.
If this option is disabled, the distribution point does not poll domain controllers.
The frequency of domain controller polling for Network Agent versions prior to 10.2 can be configured in the Polling interval (min) field. The field is available if this option is enabled.
By default, this option is disabled.
Network settings for distribution points
In the Network settings for distribution points section, you can specify the internet access settings:
- Use proxy server
- Address
- Port number
- Bypass proxy server for local addresses
If this option is enabled, no proxy server is used to connect to devices on the local network.
By default, this option is disabled.
- Proxy server authentication
If this check box is selected, in the entry fields you can specify the credentials for proxy server authentication.
By default, this check box is cleared.
- User name
- Password
KSN Proxy (distribution points)
In the KSN Proxy (distribution points) section, you can configure the application to use the distribution point to forward Kaspersky Security Network (KSN) requests from the managed devices:
- Enable KSN Proxy on distribution point side
The KSN proxy service is run on the device that is used as a distribution point. Use this feature to redistribute and optimize traffic on the network.
The distribution point sends the KSN statistics, which are listed in the Kaspersky Security Network statement, to Kaspersky.
By default, this option is disabled. Enabling this option takes effect only if the Use Administration Server as a proxy server and I agree to use Kaspersky Security Network options are enabled in the Administration Server properties window.
You can assign a node of an active-passive cluster to a distribution point and enable KSN proxy server on this node.
- Forward KSN requests to Administration Server
The distribution point forwards KSN requests from the managed devices to the Administration Server.
By default, this option is enabled.
- Access KSN Cloud/KPSN directly over the internet
The distribution point forwards KSN requests from managed devices to the KSN Cloud or KPSN. The KSN requests generated on the distribution point itself are also sent directly to the KSN Cloud or KPSN.
- Port
The number of the TCP port that the managed devices will use to connect to KSN proxy server. The default port number is 13111.
- UDP port
If you need the managed devices to connect to KSN proxy server through a UDP port, enable the Use UDP port option and specify a UDP port number. By default, this option is enabled. The default UDP port to connect to the KSN proxy server is 15111.
Updates (distribution points)
In the Updates (distribution points) section, you can enable the diff files download feature, so that distribution points download updates from Kaspersky update servers in the form of diff files.
Restart management
In the Restart management section, you can specify the action to be performed if the operating system of a managed device has to be restarted for correct use, installation, or uninstallation of an application. The settings in the Restart management section are available only on devices running Windows:
- Do not restart the operating system
Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.
- Restart the operating system automatically if necessary
Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).
- Prompt user for action
The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.
By default, this option is selected.
- Repeat prompt every (min)
If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.
If this option is disabled, the prompt is displayed only once.
- Force restart after (min)
After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.
- Force closure of applications in blocked sessions
Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.
If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.
By default, this option is disabled.
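As an added example (not Kaspersky's code, and not a supported policy export format), the following Python audits a Network Agent policy against the rules stated in the Settings, Connectivity, KSN Proxy and Restart management sections above: the 15-minute synchronization floor and the 15-minutes-per-10,000-devices recommendation, the 1 to 1440 minute range of the restart prompt settings, the update-source prerequisite for distribution-point-only file delivery, and the Administration Server prerequisites for KSN Proxy. The dictionary keys and sample values are constructed for illustration.

```python
# Added example, not Kaspersky's code: audit a Network Agent policy against the
# rules in this article. The dict keys below are assumed for illustration only;
# Kaspersky Security Center Linux does not expose the policy in this form.
from math import ceil

def effective_sync_interval(requested_min: int) -> int:
    """Values below 15 minutes are clamped: Network Agent synchronizes every 15 minutes."""
    return max(15, requested_min)

def recommended_sync_interval(managed_devices: int) -> int:
    """15 minutes per started block of 10,000 managed devices (this example's reading)."""
    return 15 * max(1, ceil(managed_devices / 10_000))

def audit_policy(policy: dict, server: dict, managed_devices: int) -> list:
    """Return findings as text; an empty list means no issue was found."""
    f = []
    if not policy.get("use_ssl", True):
        f.append("Use SSL connection is off: traffic to Administration Server is unprotected")
    if policy.get("device_role") == "workstation" and not policy.get("protect_agent"):
        f.append("Protect Network Agent service is off on a workstation")
    if not policy.get("uninstall_password"):
        f.append("Use uninstallation password is off: klmover and remote uninstall need no password")
    req = policy.get("sync_interval_min", 15)
    eff = effective_sync_interval(req)
    if eff != req:
        f.append(f"Synchronization interval {req} min is below 15: 15 min will be used")
    rec = recommended_sync_interval(managed_devices)
    if eff < rec:
        f.append(f"Synchronization interval {eff} min is below the recommended {rec} min")
    for key in ("repeat_prompt_min", "force_restart_min"):
        val = policy.get(key)
        if val is not None and not 1 <= val <= 1440:
            f.append(f"{key}={val} is outside the allowed range 1..1440")
    if policy.get("dp_files_only") and policy.get("update_source") != "KSC Linux":
        f.append("Files come from distribution points only, but update tasks do not use KSC Linux as source")
    if policy.get("ksn_proxy_on_dp") and not (server.get("use_as_proxy") and server.get("ksn_agreed")):
        f.append("KSN Proxy on distribution point has no effect: Administration Server KSN/proxy options are off")
    return f
# Constructed sample policies and Administration Server flags (not real exports).
WEAK = {"device_role": "workstation", "use_ssl": False, "protect_agent": False,
        "uninstall_password": False, "sync_interval_min": 5, "repeat_prompt_min": 0,
        "force_restart_min": 30, "dp_files_only": True, "update_source": "Kaspersky servers",
        "ksn_proxy_on_dp": True}
HARDENED = dict(WEAK, use_ssl=True, protect_agent=True, uninstall_password=True,
                sync_interval_min=45, repeat_prompt_min=5, update_source="KSC Linux")
SERVER_OK = {"use_as_proxy": True, "ksn_agreed": True}
if __name__ == "__main__":
    print(audit_policy(WEAK, {"use_as_proxy": False, "ksn_agreed": True}, 25_000))
    print(audit_policy(HARDENED, SERVER_OK, 25_000))
```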