Deploying a tenant protection infrastructure

The tenant protection infrastructure created using the Integration Server REST API is based on the use of virtual Kaspersky Security Center Administration Servers. Each tenant is provided with a virtual Administration Server and an account that the tenant administrator uses to connect to the virtual Administration Server.

One Kaspersky Security Center Administration Server can support up to 500 virtual Administration Servers.

Tenant virtual machines with Light Agents installed are located on the tenant's virtual Administration Server.

A tenant administrator can perform the following actions on their virtual Administration Server:

• Centrally manage protection of their virtual machines using the Light Agent policies and group tasks.
• Receive information about their infrastructure protection status using event notifications and reports available on the virtual Administration Server.
• Work with copies of files placed in backup storage on all of the virtual machines of this tenant.

For more information about virtual Administration Servers, see the Kaspersky Security Center help.

The service provider's administrator installs the solution in their infrastructure and ensures the operation of Light Agents and other solution components:

• Configures the settings for connecting Light Agents installed on tenant virtual machines to the SVMs and to the Integration Server.
• Activates the solution and monitors license restrictions.
• Updates the solution's databases and application modules.
• Configures the Protection Server settings.

The service provider's administrator can also configure general protection settings for tenant virtual machines.

During operation, information that may contain personal and confidential data is transmitted between Kaspersky Security Center and Kaspersky Security solution components installed in the service provider's infrastructure and on tenant virtual machines.

Before creating a tenant protection infrastructure, you need to perform the following steps:

1. Install or update the Kaspersky Security solution.

   The following components must be installed in the service provider's infrastructure:

   • Integration Server and Integration Server Console.
   • Protection Server.
   • Kaspersky Security management plug-ins.

   If you are using Kaspersky Security for Virtualization 5.2 Light Agent to protect virtual machines with Windows guest operating systems, SVMs with Protection Servers versions 6.0 and 5.2 must be deployed in the service provider's infrastructure.

2. Prepare the solution for work:
   • Prepare the Protection Server for operation.
   • Change the default password of the multitenancy account. A multitenancy account is created automatically as a result of Integration Server installation. It is required to interact with the Integration Server REST API.
   • Configure the settings for connecting the Integration Server to Kaspersky Security Center Administration Server. These settings are required for authorization on the Kaspersky Security Center Administration Server when executing requests to the Integration Server REST API.

Deploying a tenant protection infrastructure consists of the following steps:

1. Creating a tenant and virtual Kaspersky Security Center Administration Server for the tenant.
2. Configuring the location of SVMs that will protect tenants' virtual machines and configuring Protection Server settings.
3. Configuring SVM discovery settings and general operating settings for Light Agents installed on tenant virtual machines.
4. Installing Kaspersky Security Center Network Agent and Light Agent on tenant virtual machines and moving the virtual machines to a virtual Administration Server configured for the tenant.
5. Registering tenant virtual machines in the Integration Server database.
6. Activating a tenant.
7. Transferring the following Kaspersky Security Center Administration Server connection settings to the tenant administrator:
   • Address of the virtual Administration Server configured for the tenant;
   • Administrator account settings of the virtual Administration Server.

   Tenant administrator are advised to change the account password they receive from the service provider's administrator.

The steps of deploying tenant protection infrastructure can be automated using the Integration Server REST API and the Kaspersky Security Center OpenAPI™.

To prevent unauthorized access, it is recommended to deploy the SVM and the device on which the Kaspersky Security Center Administration Server and the Integration Server are installed in a dedicated virtual network and to configure routing with address translation (SNAT) from the tenant subnets to this subnet.

In this section: Configuring the Integration Server connection settings to the Kaspersky Security Center Administration Server Creating a tenant and virtual Administration Server Configuring SVM path and Protection Server settings Configuring settings for SVM discovery by Light Agents and general tenant protection settings Installing a Light Agent on tenant virtual machines Registering tenant virtual machines Activating a tenant

Page top