KSC Open API
Kaspersky Security Center API description
Administration Server hierarchy

Several Administration Servers may be organized in a "primary/secondary" hierarchy. Each primary Administration Server may have many secondary Administration Servers. Each secondary Administration Server may have only one primary Administration Server. Accordingly, a hierarchy of Administration Servers is a tree-like structure without loops.
An Administration Server hierarchy helps to:

  • distribute CPU and network load across many Administration Servers instead of a single one
  • reduce the amount of internetwork traffic between offices
  • delegate responsibility for administration tasks to local office administrators


Secondary Administration Server registration

There are two ways to organize communication between the primary Administration Server and the secondary Administration Server:

  • The secondary Administration Server maintains the connection with the primary Administration Server. This option should be used by default.
    To register a "primary/secondary" dependency in this case, do the following (order matters):
    1. connect to the primary Administration Server and call ServerHierarchy.RegisterServer, providing:
      • secondary Administration Server display name
      • administration group ID where the secondary Administration Server will be located
      • secondary Administration Server general connection certificate (same as used to connect to this Server by Administration Console)
    2. connect to the secondary Administration Server and save the settings using HostGroup.SS_Write:
      • "KLSRV_MASTER_SRV_USE" value must be 'true'
      • "KLSRV_MASTER_SRV_ADDR", "KLSRV_MASTER_SRV_PORTS" - primary Administration Server address and port(s), required only for the on-premises primary Administration Server
      • "KLSRV_MASTER_HDS_ADDR", "KLSRV_MASTER_HDS_PORTS" - HDS server address and port(s), required only for the hosted primary Administration Server
      • "KLSRV_MASTER_HDS_CA" - root certificates used to verify the HDS server, required only for the hosted primary Administration Server
      • "KLSRV_MASTER_SRV_SSL_CERT" - primary Administration Server certificate
      • "KLSRV_MASTER_SRV_PROXYHOST_*" - if a proxy server is required to connect from the secondary Administration Server to the primary Administration Server
    See Administration Server hierarchy in the hosted mode for registering a hierarchy with hosted Servers.
  • The primary Administration Server maintains the connection with the secondary Administration Server. This is required, for example, if the secondary Administration Server is located in a DMZ and thus cannot open a network connection to the primary Administration Server.
    Such secondary Administration Servers are called 'passive'.
    To register a "primary/secondary" dependency in this case, do the following (order matters):
    1. connect to the secondary Administration Server and save the settings using HostGroup.SS_Write:
      • "KLSRV_MASTER_SRV_USE" value must be 'true'
      • "KLSRV_MASTER_SRV_PASSIVE_SLAVE" value must be 'true'
      • "KLSRV_MASTER_SRV_SSL_CERT" - primary Administration Server certificate
    2. connect to the primary Administration Server and call ServerHierarchy.RegisterServer, providing:
      • secondary Administration Server display name
      • administration group ID where the secondary Administration Server will be located
      • secondary Administration Server location which will be used to connect to the secondary Administration Server from the primary Administration Server
      • secondary Administration Server general connection certificate (same as used to connect to this server by Administration Console)
      • 'passive' flag set to true

Administration Server hierarchy in the hosted mode

Hosted Administration Servers are not allowed to be registered as secondary Administration Servers. However, a hosted Administration Server may be registered as the primary Administration Server for an on-premises secondary Administration Server. In the case of a non-passive connection, the secondary Administration Server does not need to know the hosted primary Administration Server address, but it does need to know the address of the HDS server. Thus, when registering the hosted primary Administration Server on the on-premises secondary Administration Server, the fields "KLSRV_MASTER_SRV_ADDR" and "KLSRV_MASTER_SRV_PORTS" are not required, but the fields "KLSRV_MASTER_HDS_ADDR" and "KLSRV_MASTER_HDS_PORTS" are mandatory. The field "KLSRV_MASTER_HDS_CA" is also mandatory and is used by the secondary Administration Server to verify the HDS server identity.
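
The check below is an added example, not part of the Kaspersky documentation or SDK. It validates the secondary-side settings for each connection mode described above before they are saved with HostGroup.SS_Write, and returns the call order prescribed for that mode. The mode names, function names and plain-dict settings container are assumptions; "KLSRV_MASTER_SRV_SSL_CERT" is expected in every mode because the page lists it without a "required only for" qualifier.

```python
# Added example. Key names come from the page; mode names, function names and
# the plain-dict settings container are assumptions made for illustration.
ACTIVE_ONPREM, ACTIVE_HOSTED, PASSIVE = "active-onprem", "active-hosted", "passive"

# Keys that must be present and non-empty on the secondary, per mode.
REQUIRED = {
    ACTIVE_ONPREM: ("KLSRV_MASTER_SRV_ADDR", "KLSRV_MASTER_SRV_PORTS",
                    "KLSRV_MASTER_SRV_SSL_CERT"),
    ACTIVE_HOSTED: ("KLSRV_MASTER_HDS_ADDR", "KLSRV_MASTER_HDS_PORTS",
                    "KLSRV_MASTER_HDS_CA", "KLSRV_MASTER_SRV_SSL_CERT"),
    PASSIVE: ("KLSRV_MASTER_SRV_SSL_CERT",),
}
# Keys that must be exactly True, per mode.
FLAGS = {
    ACTIVE_ONPREM: ("KLSRV_MASTER_SRV_USE",),
    ACTIVE_HOSTED: ("KLSRV_MASTER_SRV_USE",),
    PASSIVE: ("KLSRV_MASTER_SRV_USE", "KLSRV_MASTER_SRV_PASSIVE_SLAVE"),
}

def check_secondary_settings(mode, settings):
    """Return a list of problems; an empty list means nothing is missing."""
    if mode not in REQUIRED:
        raise ValueError(f"unknown mode: {mode!r}")
    problems = []
    for key in FLAGS[mode]:
        if settings.get(key) is not True:
            problems.append(f"{key} must be true")
    for key in REQUIRED[mode]:
        # A missing certificate or CA would leave the peer unverifiable.
        if not settings.get(key):
            problems.append(f"{key} is missing or empty")
    return problems

def registration_order(mode):
    """Return (server, method) steps in the order the page gives for the mode."""
    if mode not in REQUIRED:
        raise ValueError(f"unknown mode: {mode!r}")
    register = ("primary", "ServerHierarchy.RegisterServer")
    write = ("secondary", "HostGroup.SS_Write")
    return [write, register] if mode == PASSIVE else [register, write]

if __name__ == "__main__":
    # Constructed sample: hosted primary, HDS root certificates forgotten.
    sample = {"KLSRV_MASTER_SRV_USE": True,
              "KLSRV_MASTER_HDS_ADDR": "hds.example.test",
              "KLSRV_MASTER_HDS_PORTS": [443],
              "KLSRV_MASTER_SRV_SSL_CERT": b"<constructed certificate bytes>"}
    print(registration_order(ACTIVE_HOSTED))
    print(check_secondary_settings(ACTIVE_HOSTED, sample))
```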
