Advanced settings after installation of the Application Console on another device
August 3, 2023
If the Application Console is installed on a network device other than the protected device, perform the following actions to allow users to manage Kaspersky Industrial CyberSecurity for Nodes remotely:
- Add Kaspersky Industrial CyberSecurity for Nodes users to the KICS Administrators group on the protected device.
- Allow network connections for the Kaspersky Security Management Service (kavfsgt.exe), if the protected device uses Windows Firewall or a third-party firewall.
- If the Allow remote access check box was not selected during installation of the Application Console on a device running Microsoft Windows, manually allow network connections for the Application Console via the device's firewall.
The Application Console on the remote device uses the DCOM protocol to receive information about Kaspersky Industrial CyberSecurity for Nodes events (such as objects scanned and tasks completed) from the Kaspersky Security Management Service on the protected device. To establish connections between the Application Console and the Kaspersky Security Management Service, you need to allow network connections for the Application Console in the Windows Firewall settings.
On the remote device, where the Application Console is installed, do the following:
- Make sure that anonymous remote access to COM applications is allowed (but not remote start and activation of COM applications).
- In Windows Firewall, open TCP port 135 and allow network connections for kavfsrcn.exe, the executable file of the Kaspersky Industrial CyberSecurity for Nodes remote management process.
The device where the Application Console is installed uses TCP port 135 to access the protected device and to receive a response.
- Configure an outbound rule for Windows Firewall to allow the connection.
Unlike the traditional TCP/IP and UDP/IP services where a single protocol has a fixed port, DCOM dynamically assigns ports to remote COM objects. If a firewall exists between the client (where the Application Console is installed) and the DCOM endpoint (the protected device), a large range of ports must be opened.
The same steps should be applied to configure any other software or hardware firewall.
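The firewall steps above for the device running the Application Console, written as a PowerShell script. This is an added example, not a script supplied by Kaspersky. Assumptions: the path to kavfsrcn.exe and the protected device address are passed in as parameters (neither is given on this page), the rule and group names are made up for the example, and limiting the rules to the Domain and Private profiles and to the protected device's address is a choice of this example rather than a product requirement.

```powershell
# Added example: Windows Firewall rules for the device that runs the Application Console.
# $ConsoleExe and $ProtectedDevice are supplied by the operator (assumptions, not from the page).
param(
    [Parameter(Mandatory)][string]$ConsoleExe,        # full path to kavfsrcn.exe on this device
    [Parameter(Mandatory)][string[]]$ProtectedDevice  # IP address(es) of the protected device(s)
)

if (-not (Test-Path -LiteralPath $ConsoleExe -PathType Leaf)) {
    throw "kavfsrcn.exe not found at '$ConsoleExe'"
}

# Hypothetical group label so the example's rules can be listed or removed together.
$group = 'KICS for Nodes remote console (example)'

$rules = @(
    # TCP 135: DCOM/RPC endpoint mapper, used to reach the protected device and get a response.
    @{ DisplayName = 'KICS console - TCP 135 in'
       Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = '135' },
    # Program rule: DCOM assigns ports dynamically, so allow by executable instead of
    # opening a fixed port range for every process on the host.
    @{ DisplayName = 'KICS console - kavfsrcn.exe in'
       Direction = 'Inbound'; Protocol = 'TCP'; Program = $ConsoleExe },
    # Outbound rule for connections from the console process to the protected device.
    @{ DisplayName = 'KICS console - kavfsrcn.exe out'
       Direction = 'Outbound'; Protocol = 'TCP'; Program = $ConsoleExe }
)

foreach ($rule in $rules) {
    # Remove an earlier copy first so that re-running the script does not duplicate rules.
    Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # -RemoteAddress keeps port 135 and the dynamic ports closed to every other host.
    New-NetFirewallRule @rule -Group $group -Action Allow `
        -Profile Domain, Private -RemoteAddress $ProtectedDevice | Out-Null
}

# Show what was created.
Get-NetFirewallRule -Group $group |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

Run it from an elevated PowerShell session on the device where the Application Console is installed.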
If the Application Console is open while you configure the connection between the protected device and the device on which the Application Console is installed:
- Close the Application Console.
- Wait until the Kaspersky Industrial CyberSecurity for Nodes remote management process kavfsrcn.exe has finished.
- Restart the Application Console.
The new connection settings will be applied.