This section outlines the main scenario for Kaspersky Security Center deployment and provides links to other deployment scenarios. Following the main scenario, you can deploy Administration Server, as well as install Network Agent and security applications on networked devices. You can use this scenario both for a closer look at the application and for the application installation for further work.
Deployment of Kaspersky Security Center requires resource planning, installation of the Administration Server, installation of Network Agent and security applications on client devices, and consolidation of devices into administration groups.
Deployment of Kaspersky Security Center in cloud environments and deployment of Kaspersky Security Center for service providers are described in the corresponding Help sections.
In this scenario, we recommend that you assign a minimum of one hour for Administration Server installation and a minimum of one working day for completion of the scenario.
Kaspersky Security Center deployment proceeds in stages:
Find out more about the Kaspersky Security Center components. Select the protection structure and the network configuration which suit your organization best. Based on the network configuration and throughput of communication channels, define the number of Administration Servers to use and how they must be distributed among your offices (if you run a distributed network).
To obtain and maintain optimum performance under varying operational conditions, please take into account the number of networked devices, network topology, and set of Kaspersky Security Center features that you require (for more details, refer to the Kaspersky Security Center Sizing Guide).
Define whether a hierarchy of Administration Servers will be used in your organization. To do this, you must evaluate whether it is possible and expedient to cover all client devices with a single Administration Server or it is necessary to build a hierarchy of Administration Servers. You may also have to build a hierarchy of Administration Servers that is identical to the organizational structure of the organization whose network you want to protect.
Make sure that the devices that you selected as Administration Servers, as well as those for Administration Console installation, meet all the hardware and software requirements.
If you plan to use a Kaspersky Security Center version with Mobile Device Management, Integration with SIEM systems, and / or with Vulnerability and Patch Management support, make sure that you have a key file or activation code for the application licensing.
During protection deployment, you have to provide Kaspersky Lab with the active keys for the applications that you intend to manage through Kaspersky Security Center (see the list of manageable security applications). For detailed information about the licensing of any security application, you can refer to the Help system of the corresponding application.
Plan the hardware configuration for the DBMS and the Administration Server, taking into account the number of devices on your network.
When selecting a DBMS, take into account the number of managed devices to be covered by this Administration Server. If your network includes fewer than 10 000 devices and you do not plan to increase this number, you can choose a free-of-charge DBMS, such as SQL Express or MySQL, and install it on the same device as Administration Server. If your network includes more than 10 000 devices (or if you plan to expand your network up to that number of devices), we recommend that you choose a paid-for SQL DBMS and install it on a dedicated device. A paid DBMS can work with multiple Administration Servers, but a DBMS that is free of charge can work with only one.
Find out more about the accounts for work with the DBMS and install your DBMS. Write down and save the DBMS settings because you will need them during Administration Server installation. These settings include the SQL Server name, number of the port used for connecting to SQL Server, and account name and password for accessing the SQL Server.
By default, the Kaspersky Security Center Installer creates the database for storage of Administration Server information, but you can opt out of creating this database and use a different database instead. In this case, make sure that the database has been created, you know its name, and the account under which the Administration Server will gain access to this database has the db_owner role for it.
If necessary, contact your DBMS administrator for more information.
Make sure that all the necessary ports are open for interaction between components in accordance with your selected security structure.
If you have to provide Internet access to the Administration Server, configure the ports and specify the connection settings, depending on the network configuration.
Make sure that you have all local administrator rights required for successful installation of Kaspersky Security Center Administration Server and further protection deployment on the devices. Local administrator rights on client devices are only required for Network Agent installation on these devices. After Network Agent is installed, you can use it to install applications on devices remotely, without using the account with the device administrator rights.
By default, on the device selected for Administration Server installation, the Kaspersky Security Center Installer creates three local accounts under which Administration Server and the Kaspersky Security Center services will be run:
KL-AK-*: Administration Server service account
KlScSvc: Account for other services from the Administration Server pool
KlPxeUser: Account for deployment of operating systems
You can opt out of creating accounts for the Administration Server services and other services. You use your existing accounts instead, such as domain accounts, if you plan to install Administration Server on a failover cluster, or plan to use domain accounts instead of local accounts for any other reason. In this case, make sure that the accounts intended for running Administration Server and the Kaspersky Security Center services have been created, are non-privileged and have all permissions required for access to the DBMS. (If you plan further deployment of operating systems on devices through Kaspersky Security Center, do not opt out of creating accounts.)
Install Administration Server on the device that you selected (or multiple devices, if you plan to use multiple Administration Servers). You can select standard or custom installation of Administration Server. Administration Console will be installed together with Administration Server.
Standard installation is recommended if you want to try out Kaspersky Security Center by, for example, testing its operation on a small area within your network. During standard installation, you only configure the database. You can also install only the default set of management plug-ins for Kaspersky Lab applications. You can also use standard installation if you already have some experience working with Kaspersky Security Center and are able to specify all relevant settings after standard installation.
Custom installation is recommended if you plan to modify the Kaspersky Security Center settings, such as a path to the shared folder, accounts and ports for connection to the Administration Server, and database settings. Custom installation enables you to specify which Kaspersky Lab management plug-ins to install. If necessary, you can start custom installation in non-interactive mode.
Administration Console and the server version of Network Agent are installed together with Administration Server. You can also choose to install Kaspersky Security Center 11 Web Console during the installation.
If you want, install Administration Console and/or Kaspersky Security Center 11 Web Console on the administrator's workstation separately to manage Administration Server over the network.
When Administration Server installation is complete, at the first connection to the Administration Server the Quick Start Wizard starts automatically. Perform initial configuration of Administration Server according to the existing requirements. During the initial configuration stage, the Wizard uses the default settings to create the policies and tasks that are required for protection deployment. However, the default settings may be less than optimal for the needs of your organization. If necessary, you can edit the settings of policies and tasks (Configuring protection in a client organization's network, Scenario: Configuring network protection).
This step is part of the Quick Start Wizard. You can also start the device discovery manually. Kaspersky Security Center receives the addresses and names of all devices detected in the network. You can then use Kaspersky Security Center to install Kaspersky Lab applications and software from other vendors on the detected devices. Kaspersky Security Center regularly starts device discovery, which means that if any new instances appear in the network, they will be detected automatically.
When all the previous steps are complete, Administration Server is installed and ready for further use.
Make sure that Administration Console is running and you can connect to the Administration Server through Administration Console. Also, make sure that the Download updates to the repository of the Administration Server task is available in Administration Server (in the Tasks folder of the console tree), as well as the policy for Kaspersky Endpoint Security (in the Policies folder of the console tree).
When the check is complete, proceed to the steps below.
Deployment of protection (Configuring protection in a client organization's network, Scenario: Configuring network protection) of an organization's network entails installation of Network Agent and security applications (for example, Kaspersky Endpoint Security) on devices that have been detected by Administration Server during the device discovery.
Security applications protect devices against viruses and / or other programs posing a threat. Network Agent ensures communication between the device and Administration Server. Network Agent settings are configured automatically by default.
Before you start install Network Agent and the security applications on networked devices, make sure that these devices are accessible (turned on).
Security applications and Network Agent can be installed remotely or locally.
Remote installation—Using the Protection Deployment Wizard, you can remotely install the security application (for example, Kaspersky Endpoint Security for Windows) and Network Agent on devices that have been detected by Administration Server in the organization's network. Normally, the Remote installation task successfully deploys protection to most networked devices. However, it may return an error on some devices if, for example, a device is turned off or cannot be accessed for any other reason. In this case, we recommend that you connect to the device manually and use local installation.
Local installation—Used on network devices on which protection could not be deployed using the remote installation task. To install protection on such devices, create a stand-alone installation package that you can run locally on those devices.
Network Agent installation on devices running Linux and MacOS operating systems is described in the documentation for Kaspersky Endpoint Security for Linux and Kaspersky Endpoint Security for Mac, respectively. (Although devices running Linux and MacOS operating systems are considered less vulnerable than devices running Windows, we recommend that you nonetheless install security applications.)
After installation, make sure that the security application is installed on managed devices. Run a Kaspersky Lab software version report and view its results.
Deploy license keys to client devices to activate managed security applications on those devices.
This step is part of the Quick Start Wizard.
If you want to manage enterprise mobile devices, deploy Mobile Device Management.
In some cases, deploying protection on networked devices in the most convenient way may require you to divide the entire pool of devices into administration groups taking into account the structure of the organization. You can create moving rules to distribute devices among groups or you can distribute devices manually. You can assign group tasks for administration groups, define the scope of policies, and assign distribution points.
Make sure that all managed devices have been correctly assigned to the appropriate administration groups, and that there are no longer any unassigned devices in the network.
Distribution points are assigned to administration groups automatically but you can assign them manually, if necessary. We recommend that you use distribution points on large-scale networks to reduce the load on the Administration Server, and on networks that have a distributed structure to provide the Administration Server with access to devices (or device groups) communicated through channels with low throughput rates.
Upon completion of the scenario, protection will be deployed in the organization's network: