To be sure that the protection of your Administration Servers and managed devices is up-to-date, you must provide timely updates of the following:
Before downloading Kaspersky databases and software modules, Kaspersky Security Center checks if Kaspersky servers are accessible. If access to the servers using system DNS is not possible, the application uses public DNS servers. This is necessary to make sure anti-virus databases are updated and the level of security is maintained for the managed devices.
Depending on the configuration of your network, you can use the following schemes of downloading and distributing the required updates to the managed devices:
Using the Download updates to the Administration Server repository task
In this scheme, Kaspersky Security Center downloads updates through the Download updates to the Administration Server repository task. In small networks that contain less than 300 managed devices in a single network segment or less than 10 managed devices in each network segment, the updates are distributed to the managed devices directly from the Administration Server repository (see figure below).
Updating by using the Download updates to the Administration Server repository task without distribution points
By default, the Administration Server communicates with Kaspersky update servers and downloads updates by using the HTTPS protocol. You can configure the Administration Server to use the HTTP protocol instead of HTTPS.
If your network contains more than 300 managed devices in a single network segment or if your network consists of several network segments with more than 9 managed devices in each network segment, we recommend that you use distribution points to propagate the updates to the managed devices (see figure below). Distribution points reduce the load on the Administration Server and optimize traffic between the Administration Server and the managed devices. You can calculate the number and configuration of distribution points required for your network.
In this scheme, the updates are automatically downloaded from the Administration Server repository to the repositories of the distribution points. The managed devices included in the scope of a distribution point download the updates from the repository of the distribution point instead of the Administration Server repository.
Updating by using the Download updates to the Administration Server repository task with distribution points
When the Download updates to the Administration Server repository task is complete, the following updates are downloaded to the Administration Server repository:
These updates are installed automatically.
These updates are installed through the Update task for Kaspersky Endpoint Security for Windows.
These updates are not installed automatically. The administrator must explicitly approve and run installation of the updates.
Local administrator rights are required for installing patches on the Administration Server.
By default, these updates are installed automatically. You can change the settings in the Network Agent policy.
By default, Kaspersky Endpoint Security for Windows installs only those updates that you approve. (You can approve updates via the Administration Console or via Kaspersky Security Center Web Console). The updates are installed through the Update task and can be configured in the properties of this task.
The Download updates to the repository of the Administration Server task is not available on virtual Administration Servers. The repository of the virtual Administration Server displays updates downloaded to the primary Administration Server.
You can configure the updates to be verified for operability and errors on a set of test devices. If the verification is successful, the updates are distributed to other managed devices.
Each Kaspersky application requests required updates from Administration Server. Administration Server aggregates these requests and downloads only those updates that are requested by any application. This ensures that the same updates are not downloaded multiple times and that unnecessary updates are not downloaded at all. When running the Download updates to the Administration Server repository task, Administration Server sends the following information to Kaspersky update servers automatically in order to ensure the downloading of relevant versions of Kaspersky databases and software modules:
None of the transmitted information contains personal or other confidential data. AO Kaspersky Lab protects information in accordance with requirements established by law.
Using two tasks: the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task
You can download updates to the repositories of distribution points directly from the Kaspersky update servers instead of the Administration Server repository, and then distribute the updates to the managed devices (see figure below). Download to the repositories of distribution points is preferable if the traffic between the Administration Server and the distribution points is more expensive than the traffic between the distribution points and Kaspersky update servers, or if your Administration Server does not have internet access.
Updating by using the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task
By default, the Administration Server and distribution points communicate with Kaspersky update servers and download updates by using the HTTPS protocol. You can configure the Administration Server and/or distribution points to use the HTTP protocol instead of HTTPS.
To implement this scheme, create the Download updates to the repositories of distribution points task in addition to the Download updates to the Administration Server repository task. After that the distribution points will download updates from Kaspersky update servers, and not from the Administration Server repository.
Distribution point devices running macOS cannot download updates from Kaspersky update servers.
If one or more devices running macOS are within the scope of the Download updates to the repositories of distribution points task, the task completes with the Failed status, even if it has successfully completed on all Windows devices.
The Download updates to the Administration Server repository task is also required for this scheme, because this task is used to download Kaspersky databases and software modules for Kaspersky Security Center.
Manually through a local folder, a shared folder, or an FTP server
If the client devices do not have a connection to the Administration Server, you can use a local folder or a shared resource as a source for updating Kaspersky databases, software modules, and applications. In this scheme, you need to copy required updates from the Administration Server repository to a removable drive, then copy the updates to the local folder or the shared resource specified as an update source in the settings of Kaspersky Endpoint Security (see figure below).
Updating through a local folder, a shared folder, or an FTP server
For more information about sources of updates in Kaspersky Endpoint Security, see the following Helps:
Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed devices
On the managed devices, you can configure Kaspersky Endpoint Security to receive updates directly from Kaspersky update servers (see figure below).
Updating security applications directly from Kaspersky update servers
In this scheme, the security application does not use the repositories provided by Kaspersky Security Center. To receive updates directly from Kaspersky update servers, specify Kaspersky update servers as an update source in the interface of the security application. For more information about these settings, see the following Helps:
Through a local or network folder if Administration Server has no internet connection
If Administration Server has no internet connection, you can configure the Download updates to the Administration Server repository task to download updates from a local or network folder. In this case, you must copy the required update files to the specified folder from time to time. For example, you can copy the required update files from one of the following sources:
Because an Administration Server downloads only the updates that are requested by the security applications, the sets of security applications managed by the Administration Servers—the one that has an internet connection and the one that does not—must match.
If the Administration Server that you use to download updates has version 13.2 or earlier, open properties of the Download updates to the Administration Server repository task, and then enable the Download updates by using the old scheme option.
Updating through a local or network folder if Administration Server has no internet connection
Because this utility uses the old scheme to download updates, open properties of the Download updates to the Administration Server repository task, and then enable the Download updates by using the old scheme option.