KSC Open API  13.1
Kaspersky Security Center API description
Connection gateways

Distribution points may be assigned a connection gateway role. Connection gateways are designed to be a link between Network Agents and Administration Server in network configurations where a direct connection from Network Agents to Administration Server is not possible or not desired. There are two typical schemes in which connection gateways are used:

  1. The connection gateway is located in a remote office whose computers have no internet connection and thus cannot connect to Administration Server directly. In this case, the connection gateway role is assigned to a dedicated host that does have a connection to Administration Server, and the 'Keep connection' option is set for that connection gateway in the Network Agent properties. Such a connection gateway is registered with the UaControl.RegisterUpdateAgent() call.
  2. Some Network Agents or mobile devices need access from outside the corporate network, but for security reasons the Administration Server ports must not be reachable from the internet. In this case, the administrator sets up a DMZ network: applications on DMZ hosts may not access corporate resources such as Administration Server, while the DMZ itself is accessible from the corporate network. A Network Agent with the connection gateway role is installed in the DMZ (the 'Install as connection gateway' option must be selected during installation), and this connection gateway must be registered with the UaControl.RegisterDmzGateway() call.

In both cases, Network Agents communicate with Administration Server through the connection gateway rather than directly.
Each connection gateway is always a distribution point, and all Network Agents in its scope treat it as both distribution point and connection gateway.
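Both schemes end in one of the two UaControl calls named above. The Python module below is an added example, not Kaspersky's code and not the KlAkOAPI client: it shows the JSON-over-HTTPS exchange a registration script performs (log in, call the method, turn a PxgError reply into an exception). The URL layout (/api/v1.0/Class.Method), the KSCBasic and KSCT Authorization headers and the PxgRetVal/PxgError reply keys are written from the author's knowledge of the Open API and should be checked against your KSC version; the field names inside the pCgInfo/pUaInfo containers (UaHostId, CgDnsName) are placeholders and must be taken from the UaControl reference. FakeTransport is a constructed stand-in for Administration Server, with made-up error codes, so the module runs offline.

```python
import base64
import json
import ssl
import urllib.request


class KscError(Exception):
    """Raised when Administration Server answers with a PxgError object."""

    def __init__(self, code, message):
        super().__init__(f"KSC error {code}: {message}")
        self.code, self.message = code, message


def params(fields):
    """Encode a dict as a KSC 'params' container (ASSUMED wire encoding)."""
    return {"type": "params", "value": fields}


class KscSession:
    """Minimal KSC Open API client: KSCBasic login, then KSCT-authenticated calls."""

    def __init__(self, base_url, cafile=None, transport=None):
        self.base = base_url.rstrip("/") + "/api/v1.0/"   # ASSUMED URL layout
        self.token = None
        # Verify the server certificate against the Administration Server CA;
        # never disable verification on an endpoint that takes admin credentials.
        self._ctx = ssl.create_default_context(cafile=cafile)
        self._post = transport or self._https_post

    def _https_post(self, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as resp:
            return resp.read()

    def _request(self, method, auth_header, args):
        headers = {"Authorization": auth_header, "Content-Type": "application/json"}
        reply = json.loads(self._post(self.base + method, headers, json.dumps(args).encode()))
        if "PxgError" in reply:                    # error object instead of a result
            err = reply["PxgError"]
            raise KscError(err.get("code"), err.get("message"))
        return reply

    def login(self, user, password, internal=True):
        """Session.StartSession with KSCBasic credentials (base64 user/password).
        internal=True means a KSC-internal account rather than a domain account."""
        b64 = lambda s: base64.b64encode(s.encode()).decode()
        auth = (f'KSCBasic user="{b64(user)}", pass="{b64(password)}", '
                f'internal="{1 if internal else 0}"')
        # ASSUMED: the session id returned in PxgRetVal is reused as the KSCT token.
        self.token = self._request("Session.StartSession", auth, {})["PxgRetVal"]
        return self.token

    def call(self, method, args=None):
        if self.token is None:
            raise KscError(None, "call before login")
        return self._request(method, "KSCT " + self.token, args or {})


def register_dmz_gateway(session, host_id, gateway_dns_name):
    """Scheme 2: Network Agent installed in the DMZ with 'Install as connection gateway'."""
    info = params({"UaHostId": host_id, "CgDnsName": gateway_dns_name})  # fields ASSUMED
    return session.call("UaControl.RegisterDmzGateway", {"pCgInfo": info})


def register_update_agent(session, host_id):
    """Scheme 1: remote-office distribution point that keeps a connection to the server."""
    info = params({"UaHostId": host_id})                                   # fields ASSUMED
    return session.call("UaControl.RegisterUpdateAgent", {"pUaInfo": info})


class FakeTransport:
    """Constructed stand-in for Administration Server so the example runs offline.
    Replies and error codes are invented for the demo, not real KSC values."""

    def __init__(self):
        self.calls = []                      # (method, headers, decoded body)

    def __call__(self, url, headers, body):
        method, args = url.rsplit("/", 1)[1], json.loads(body)
        self.calls.append((method, headers, args))
        auth = headers.get("Authorization", "")
        if method == "Session.StartSession":
            ok = auth.startswith("KSCBasic ")
            return b'{"PxgRetVal": "sess-0001"}' if ok else self._error(1, "bad credentials")
        if auth != "KSCT sess-0001":
            return self._error(1, "no valid session")
        if method == "UaControl.RegisterDmzGateway":
            if args["pCgInfo"]["value"]["UaHostId"] == "unknown-host":
                return self._error(2, "host not found")
        return b'{"PxgRetVal": null}'

    @staticmethod
    def _error(code, message):
        return json.dumps({"PxgError": {"code": code, "message": message}}).encode()


if __name__ == "__main__":
    s = KscSession("https://ksc.corp.example:13299", transport=FakeTransport())
    s.login("KLAdmin", "secret")
    print(register_dmz_gateway(s, "host-0001", "cg.dmz.corp.example"))
```

Against a real server, pass `cafile=` with the Administration Server certificate and drop `transport=`; the host id is the Network Agent's host GUID as returned by the host-search classes of the Open API. The wrapper raises on every PxgError rather than returning it, so a typo in the host id or a missing 'Install as connection gateway' on the DMZ agent surfaces as an exception instead of a silently ignored reply.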


Connecting mobile devices through a connection gateway

The connection gateway host may be a gateway not only for Network Agents, but also for mobile devices managed by Administration Server.
SSL authentication-related notes:

  • The connection gateway may use SSL client authentication to verify that connecting devices present a certificate signed by the Administration Server key for mobile devices. When this check is enabled, only devices holding such a certificate are allowed to connect through the connection gateway. It is also possible to open a port that accepts devices without client authentication; this is not recommended, as it is less secure: any client that can reach the port can start a session with the gateway.
  • Mobile devices verify that the connection gateway certificate is signed by the Administration Server certificate and that the DNS name of the connection gateway is contained in the connection gateway certificate. Because the gateway DNS name is always configuration-specific, the administrator must enter it so that Administration Server can embed the DNS name(s) in the connection gateway certificate; a device that connects to a name not embedded in the certificate rejects the connection.


Web Console, installed in DMZ

For security reasons, Web Console may be installed in the DMZ. It then needs to connect to Administration Server, which the DMZ rules forbid. To satisfy this requirement, the connection gateway can be configured to open a local port that tunnels Web Console connections to Administration Server: Web Console connects to the local port of the connection gateway as if it were connecting to Administration Server, and the connection gateway tunnels the traffic automatically.
This port can be opened only on a connection gateway located in the DMZ, with the "CgServerInitiateConnection" option enabled, so that the connection between Administration Server and the gateway is still initiated from the corporate network side.


See also: