Deployment of the on-premises solution

Expand all | Collapse all

This guide contains information about features of the Select and Advanced editions of Kaspersky Endpoint Security for Business managed via the on-premises console and features of the Advanced edition of Kaspersky Endpoint Security for Business managed via the cloud console. For information about other editions, please refer to Online Help for the Kaspersky applications included in the solution.

This section provides instructions on how to deploy Kaspersky Endpoint Security for Business in an organization's network on Windows operating system. For the deployment procedure in pure Linux environment, see the Kaspersky Security Center 14.2 Linux installation scenario.

After you follow the instructions, centralized management of the policies and tasks is established through the Kaspersky Security Center and Kaspersky security applications, such as Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Mac. Configuration of administration groups, Kaspersky application updates, Kaspersky database updates, and policies is described in the Kaspersky Security Center documentation.

Prerequisites

To effectively deploy an on-premises solution, you must take into account a network's size, topology, and other factors. The network described in this document has a number of features and limitations listed below.

To deploy Kaspersky Endpoint Security for Business in a network that differs from the one described below, perform the scenario described in the Kaspersky Security Center documentation.

The instructions below are applicable to a network that has the following features and limitations:

• Network consists of less than 10,000 client devices.
• A single Kaspersky Security Center Administration Server is created to manage the client devices.
• The Kaspersky Security Center Administration Server and the client devices are located on the internal network of an organization.
• Distribution points are not used in the network, or they are assigned automatically.
• You install Kaspersky Security Center in the default folder.
• Kaspersky Security Center works within the basic feature set that is provided without entering an activation code or specifying a key file. The features provided by a Kaspersky Security Center license, for example, Vulnerability and Patch Management, is not considered. For details please refer to Kaspersky Security Center Online Help.
• A free-of-charge DBMS is used—SQL Server Express, MySQL, or MariaDB.
• You install the DBMS and the Administration Server on the same device.
• You install Administration Console and Kaspersky Security Center 14.2 Web Console on the same device where the Administration Server is installed.
• The default ports are used.
• Accounts are created by Kaspersky Security Center. Existing accounts on network devices are not used.

Deployment of Kaspersky security application for mobile devices is not described in this document and must be performed separately.

Stages

The scenario to deploy the on-premises solution proceeds in stages:

1. Preparation for the deployment

   You must check the system requirements for each Kaspersky application that you want to install, prepare a license key for Kaspersky Endpoint Security for Business, install a DBMS, and prepare the Administration Server and client devices.

   View detailed instructions

   Before you start deployment of Kaspersky Endpoint Security for Business:

   • Make sure that you have a license key (activation code) for Kaspersky Endpoint Security for Business or license keys (activation codes) for Kaspersky security applications.

     Unpack the archive that you received from your vendor. You will find two license keys (KEY files). One of the license keys is used to activate Kaspersky Security Center, and the other license key is used to activate Kaspersky security applications. You will also find two TXT files. One of these files contains information about the license keys and the list of Kaspersky applications that can be activated by each license key. The other TXT file contains an activation code.

     If you first want to try out Kaspersky Endpoint Security for Business, you can get a free 30-day trial at the Kaspersky website.

     For detailed information about the licensing of the Kaspersky security applications that are not included in Kaspersky Endpoint Security for Business, you can refer to the Help documentation of the applications.

   • Check that the device that you want to use as the Administration Server and the client devices meet the system requirements of the Kaspersky applications.
   • Select and install a DBMS.

     View details

     Select and install a DBMS on the same device that you want to use as the Administration Server or on another device. For a network of less than 10 000 client devices, you can use free-of-charge SQL Express or MySQL DBMS. Please refer to the documentation of the selected DBMS for system requirements and installation instructions.

     Write down and save the DBMS settings because you will need them during Administration Server installation. These settings include the SQL Server name, number of the port used for connecting to SQL Server, and account name and password for accessing the SQL Server.

     By default, the Kaspersky Security Center Installer creates the database for storage of Administration Server information, but you can opt out of creating this database and use a different database instead. In this case, make sure that the database has been created, you know its name, and the account under which the Administration Server will gain access to this database has the db_owner role for it.

     If necessary, contact your DBMS administrator for more information.

   • Make sure that the client devices are accessible from the server. On inaccessible devices, you will have to install Kaspersky security applications locally.
   • Open the ports required for your network configuration on the Administration Server and on client devices: UDP port 13000, TLS port 13000, TCP port 13291, TLS port 13299, UDP port 15000, and TCP port 17000.
   • Make sure that the Administration Server device has an internet connection.
   • Make sure that you have all local administrator rights required for successful installation of Kaspersky Security Center Administration Server and further protection deployment on the devices.

     View details

     Local administrator rights on client devices are required for Network Agent installation on these devices. After Network Agent is installed, you can use it to install applications on devices remotely, without using the account with the device administrator rights.

     By default, on the device selected for Administration Server installation, the Kaspersky Security Center Installer creates the following local accounts under which Administration Server and the Kaspersky Security Center services will be run:

     • KL-AK-*: Administration Server service account
     • KlScSvc: Account for other services from the Administration Server pool
   • If your organization's Public Key Infrastructure (PKI) requires that you use custom certificates issued by a specific certification authority (CA), prepare those certificates and make sure that they meet all the requirements. For details about Kaspersky Security Center certificates and requirements to custom certificates, please refer to Kaspersky Security Center Online Help.
2. Installation of Kaspersky Security Center and a Kaspersky security application on the Administration Server device

   You must download Kaspersky Security Center from the Kaspersky website and install Kaspersky Security Center (Administration Server, Administration Console, and other components) and a Kaspersky security application on the Administration Server device. As an option, Administration Console can be installed on the administrator's device.

   View detailed instructions

   To install Kaspersky Security Center:

   1. On the device selected for Kaspersky Security Center installation, download the Kaspersky Security Center installation package from the Kaspersky website or Kaspersky Technical Support web page.
   2. On the same device, run the downloaded installation file.

      The Setup Wizard starts.

   3. Review and accept the License Agreement and Privacy Policy.

      View details

      At this step of the setup wizard, you must read the License Agreement, which is to be concluded between you and Kaspersky, as well as the Privacy Policy.

      You may also be prompted to view the License Agreements and Privacy Policies for application management plug-ins that are available in the Kaspersky Security Center distribution kit.

      Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, confirm that by selecting the appropriate check boxes.

      Installation of the application on your device will continue after you select both check boxes.

      If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.

      

      The End User License Agreement and Privacy Policy window

   4. In the Type of installation on cluster window, select Locally (install on this device only).

      

      The Type of installation on cluster window

   5. In the installation type selection window, select Custom.

      View details

      You can select standard or custom installation of Administration Server.

      Standard installation is recommended if you want to try out Kaspersky Security Center by, for example, testing its operation on a small area within your network. During standard installation, you only configure the database. You can also install only the default set of management plug-ins for Kaspersky applications. You can also use standard installation if you already have some experience working with Kaspersky Security Center and are able to specify all relevant settings after standard installation.

      Custom installation is recommended if you plan to modify the Kaspersky Security Center settings. When selecting management plug-ins to install, specify a management plug-in for each Kaspersky security application that you plan to use.

      Administration Console and the server version of Network Agent are installed together with Administration Server.

      

      The Installation type window

   6. Skip the step that prompts you to select the components to be installed.

      The additional components—Mobile Device Management and SNMP agent—will not be installed.

      

      The Custom installation window

   7. Specify that you want to install Kaspersky Security Center 14.2 Web Console.

      View details

      This step is displayed only if you are using a 64-bit operating system. Otherwise, this step is not displayed, because Kaspersky Security Center 14.2 Web Console does not work with 32-bit operating systems.

      Specify that you want to install Kaspersky Security Center 14.2 Web Console. Otherwise, Kaspersky Security Center 14.2 Web Console will not be installed. Only Microsoft Management Console (MMC)-based Administration Console will be installed. However, if you are using a 64-bit operating system, you can install Kaspersky Security Center 14.2 Web Console later, after you begin working with Kaspersky Security Center.

      

      The Kaspersky Security Center Administration Consoles window

   8. Select the network size.

      View details

      Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of devices on the network, the wizard configures the installation and appearance of the application interface so that they match.

      The following table lists the application installation settings and interface appearance settings, which are adjusted based on various network sizes.

      Dependence of installation settings on the network scale selected

      Settings	1—100 devices	101—1000 devices	1001—5000 devices	More than 5000 devices
      Display with the node for secondary and virtual Administration Servers, and all settings related to the secondary and virtual Administration Servers in the console tree	Not available	Not available	Available	Available
      Display with the Security sections in the properties windows of the Administration Server and administration groups	Not available	Not available	Available	Available
      Random distribution of startup time for the update task on client devices	Not available	Over an interval of 5 minutes	Over an interval of 10 minutes	Over an interval of 10 minutes

      If you connect Administration Server to a MySQL 5.7 or SQL Express database server, it is not recommended using the application to manage more than 10,000 devices. For the MariaDB database management system, the maximum recommended number of managed devices is 20,000.

      

      The Network size window

   9. Select the database.

      View details

      At this step of the wizard, select one of the following database management systems (DBMS) that will be used to store the Administration Server database:

      • Microsoft SQL Server or SQL Server Express
      • MySQL or MariaDB
      • PostgreSQL or Postgres Pro

      It is recommended to install the Administration Server on a dedicated server instead of a domain controller. However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller (RODC), Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case, we recommend that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that you use MySQL, MariaDB, or PostgreSQL if you need to install the DBMS locally.

      The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky Security Center installation folder. This file is also available in an archive on the Kaspersky portal: klakdb.zip.

      

      The Database server window

   10. Configure the SQL Server host.

       View details

       At this step of the Wizard, you configure SQL Server.

       Depending on the database that you have selected, three options are available for SQL Server configuration.

       If you selected Microsoft SQL Server or SQL Server Express in the previous step, specify the following settings:

       • In the SQL Server instance name field, specify the name of the SQL Server computer on the network. To view a list of all SQL Servers that are on the network, click the Browse button. This field is blank by default.

       If a SQL Server computer that has AlwaysON support enabled is on the enterprise network, in the SQL Server instance name field specify the name of the availability group listener.

       • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

       If you selected MySQL or MariaDB in the previous step, specify the following settings:

       • In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name is the IP address of the device on which Kaspersky Security Center is to be installed.
       • In the Port field, specify the port for Administration Server connection to the SQL Server database. The default port number is 3306.
       • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

       If you selected PostgreSQL or Postgres Pro in the previous step, specify the following settings:

       • In the PostgreSQL or Postgres Pro Server field, specify the name of the PostgreSQL or Postgres Pro Server instance. By default, the name is the IP address of the device on which Kaspersky Security Center is to be installed.
       • In the Port field, specify the port for Administration Server connection to the PostgreSQL or Postgres Pro Server database. The default port number is 5432.
       • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

       

       The Connection settings window

   11. Select the authentication mode that will be used when Administration Server connects to the SQL Server.

       View details

       Depending on the database that is selected, you can choose from the following authentication modes.

       • For SQL Express or Microsoft SQL Server, select one of the following options:
         • Microsoft Windows Authentication mode. Verification of rights uses the account used for starting Administration Server.
         • SQL Server Authentication mode. If you select this option, the account specified in the window is used to verify access rights. Fill in the Account and Password fields.
       • For MySQL or MariaDB Server, specify the account and password.
       • For PostgreSQL or Postgres Pro Server, specify the account and password.

       The application checks whether the database is available. If the database is not available, an error message is displayed, and you must provide the correct credentials.

       

       The SQL Server Authentication mode window

   12. Select the Generate the account automatically option. The application will create a new account for running the Administration Server.

       View details

       When you select the Generate the account automatically option, the application creates an account named KL-AK-* under which the kladminserver service will run. You can select this option if you plan to locate the shared folder and the DBMS on the same device as Administration Server.

       For security reasons, please do not assign the privileged status to the account under which you run Administration Server.

       If you later decide to change the Administration Server account, you can use the utility for Administration Server account switching (klsrvswch).

       

       The Account window

   13. Select the Generate the account automatically option. The application will create a new account for running the Kaspersky Security Center services.

       View details

       Kaspersky Security Center creates a local account named KlScSvc on this device in the kladmins group. The services of Kaspersky Security Center will be run under the account that has been created.

       For security reasons, do not grant privileged status to the account under which the services are run.

       The KSN proxy server service (ksnproxy), Kaspersky activation proxy server service (klactprx), and Kaspersky authentication portal service (klwebsrv) will be run under the selected account.

       

       The Account for services window

   14. Select the Create a shared folder option and specify the path to the folder.

       View details

       Define the location and name of the shared folder that will be used to do the following:

       • Store the files necessary for remote installation of applications (these files are copied to Administration Server during creation of installation packages).
       • Store updates that have been downloaded from an update source to Administration Server.

       File sharing (read-only) will be enabled for all users.

       By default, the installer creates a local Share subfolder in the application folder that contains the components of Kaspersky Security Center.

       

       The Shared folder window

   15. Keep the default settings for the connection of client devices to the Administration Server:
       • Port number: 14000
       • SSL port number: 13000
       • Encryption key length: 2048 bit

       

       The Connection settings window

   16. Specify the Administration Server address.

       View details

       Specify the Administration Server address in one of the following ways:

       • DNS domain name. You can use this method if the network includes a DNS server and client devices can use it to receive the Administration Server address.
       • NetBIOS name. You can use this method if client devices receive the Administration Server address using the NetBIOS protocol or if a WINS server is available on the network.
       • IP address. You can use this method if Administration Server has a static IP address that will not be subsequently changed.

       If you install Kaspersky Security Center on the active node of the Kaspersky failover cluster, and you have created a virtual network adapter when preparing the cluster nodes, specify the IP address of this adapter. Otherwise, enter the IP address of the third-party load balancer that you use.

       

       The Administration Server address window

   17. Select application management plug-ins to install.

       Select the management plug-in for each Kaspersky security application that you want to install. If some management plug-ins are not listed, you will be able to install them later.

   18. Click the Start MMC-based Administration Console link after the installation is complete. The Administration Console opens.

       View details

       After the Kaspersky Security Center components are configured, you can start installing files on the hard disk.

       If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page, before installation of Kaspersky Security Center begins. The required programs are installed automatically after you click the Next button.

       On the last page, you can select which console to start for work with Kaspersky Security Center:

       • Start MMC-based Administration Console
       • Start Kaspersky Security Center Web Console

   After the Wizard has finished, perform the following operations:

   • Start Kaspersky Security Center 14.2 Web Console to make sure that Kaspersky Security Center 14.2 Web Console is installed successfully, and you can log in to the application.
   • Install a Kaspersky security application (for example, Kaspersky Endpoint Security for Windows) on the Administration Server device.

     Distribution package of Kaspersky Endpoint Security for Windows is included in the downloaded distribution package of Kaspersky Security Center. Run the installation file of Kaspersky Endpoint Security for Windows, and then follow the steps of the Setup Wizard.

3. Centralized deployment of Kaspersky security applications on client devices

   You must perform the initial configuration of the Administration Server by using the Quick Start Wizard, discover all network devices, create an installation package for each Kaspersky security application that you want to install, and perform remote installation of Network Agent and the Kaspersky security applications on the client devices. You also have to install Network Agent and the Kaspersky security applications locally if the remote installation has failed or is not feasible on some devices (for example, because of an unstable network connection or a low throughput rate of the channel).

   View detailed instructions

   The instructions below enable you to deploy security applications by using MMC-based Administration Console. You can perform the same steps by using Kaspersky Security Center 14.2 Web Console.

   To deploy Kaspersky security applications:

   1. If you have not started an Administration Console at the previous steps, start the MMC-based Administration Console (Kaspersky Security Center in the list of installed applications).
   2. Run the Administration Server Quick Start Wizard, if it has not opened automatically.

      View details

      When Administration Server installation is complete, at the first connection to the Administration Server the Quick Start Wizard starts automatically. Perform initial configuration of Administration Server according to the existing requirements. During the initial configuration stage, the Wizard uses the default settings to create the policies and tasks that are required for protection deployment. If necessary, you can edit the settings of policies and tasks.

      If you plan to use the Kaspersky Security Center features that are outside the basic functionality, use the key file or activation code to activate the application. You can do this at one of the steps of the Quick Start Wizard.

   3. To make sure that the Quick Start Wizard has completed all the necessary operations successfully, check that the Download updates to the Administration Server repository task is available in Administration Server (in the Tasks folder of the console tree), as well as the policy for Kaspersky Endpoint Security for Windows (in the Policies folder of the console tree).
   4. Discover networked devices (optional).

      View details

      This step is part of the Quick Start Wizard. You can also start device discovery manually. Kaspersky Security Center receives the addresses and names of all devices detected on the network. You can then use Kaspersky Security Center to install Kaspersky applications and software from other vendors on the detected devices. Kaspersky Security Center regularly starts device discovery, which means that if any new instances appear on the network, they will be detected automatically.

   5. Check that all client devices are discovered and added to the Unassigned devices group (Administration Server > Unassigned devices). If the devices have not been added, check that they are turned on and accessible, and then perform device discovery manually.
   6. Install Network Agent and Kaspersky security applications on client devices.

      This step is part of the Quick Start Wizard. You can also install Network Agent and Kaspersky security applications manually.

      If your network consists of more than 500 client devices, we recommend that you divide the entire amount of client devices into smaller groups of 100-200 devices and to deploy the security applications to each group separately.

      You may also have to manually install management plug-ins and web management plug-ins. You can download the management plug-ins and web management plug-ins (if any) by using Administration Console or Kaspersky Security Center 14.2 Web Console. Alternatively, use the links in the application list or visit the Kaspersky Technical Support webpage.

      View details

      Make sure that you have an installation package for each application that you want to deploy. The list of installation packages is available at Advanced > Remote installation > Installation packages. If a required application is not listed, click Additional actions > View current versions of Kaspersky applications, select the required application, and then click Download and create installation package.

      Remote installation—Using the Remote Installation Wizard, you can remotely install the security application (for example, Kaspersky Endpoint Security for Windows) and Network Agent on devices that have been detected by Administration Server on the organization's network. Normally, the Remote installation task successfully deploys protection to most networked devices. However, it may return an error on some devices if, for example, a device is turned off or cannot be accessed for any other reason. In this case, we recommend that you connect to the device manually and use local installation.

      Local installation—Used on network devices on which protection could not be deployed using the remote installation task. To install protection on such devices, create a stand-alone installation package that you can run locally on those devices.

   7. Make sure that Network Agents and the Kaspersky security applications are installed on managed devices. Run a Kaspersky Lab software version report and view its results.
   8. Deploy license keys to client devices.

      View details

      Deploy license keys to client devices to activate managed security applications on those devices.

      You have several options for license key deployment. If you use only one type of security application, for example, Kaspersky Endpoint Security for Windows, you deploy the license keys automatically. If you use different managed applications, and you have to deploy a specific license key to devices, deploy it by means of the Add license key task.

   9. Make sure that the license keys are used on all client devices. Run a Key usage report and view its results.

What to do next

After the deployment is complete, the policies and tasks are configured with the default parameters, which may turn out to be suboptimal for your organization. Complete the following scenarios to fine-tune the protection and monitoring of your network:

1. Creating policies and tasks
2. Configure updating of Kaspersky databases and applications
3. Configuring notifications and other monitoring tools
4. Updating third-party software and fixing third-party software vulnerabilities (optional)