Kaspersky Security Center

Scenario: Connecting out-of-office devices through a connection gateway

July 15, 2024

ID 204219

This scenario describes how to connect managed devices that are located outside of the main network to Administration Server.


The scenario has the following prerequisites:

  • A demilitarized zone (DMZ) is organized in your organization's network.
  • Kaspersky Security Center Administration Server is deployed on the corporate network.


This scenario proceeds in stages:

  1. Selecting a client device in the DMZ

    This device will be used as a connection gateway. The device that you select must meet the requirements for connection gateways.

  2. Installing Network Agent in the connection gateway role

    We recommend that you use a local installation to install Network Agent on the selected device.

    By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>

    In the Connection gateway window of the Network Agent setup wizard, select Use Network Agent as a connection gateway in DMZ. This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.

    Alternatively, you can install Network Agent on a Linux device and configure Network Agent to work as a connection gateway, but pay attention to the list of limitations of Network Agent running on Linux devices.

  3. Allowing connections in firewalls on the connection gateway

    To make sure that Administration Server can actually connect to the connection gateway in the DMZ, allow connections to TCP port 13000 in all firewalls between Administration Server and the connection gateway.

    If the connection gateway has no real IP address on the internet, but instead is located behind Network Address Translation (NAT), configure a rule to forward connections through NAT.

  4. Creating an administration group for external devices

    Create a new group under the Managed devices group. This new group will contain external managed devices.

  5. Connecting the connection gateway to Administration Server

    The connection gateway that you have configured is waiting for a connection from Administration Server. However, Administration Server does not list the device with the connection gateway among managed devices. This is because the connection gateway has not tried to establish a connection to Administration Server. Therefore, you need a special procedure to ensure that Administration Server initiates a connection to the connection gateway.

    Do the following:

    1. Add the connection gateway as a distribution point.
    2. Move the connection gateway from the Unassigned devices group to the group that you have created for external devices.

    The connection gateway is connected and configured.

  6. Connecting external desktop computers to Administration Server

    Usually, external desktop computers are not moved inside the perimeter. Therefore, you need to configure them to connect to Administration Server through the gateway when installing Network Agent.

  7. Setting up updates for external desktop computers

    If updates of security applications are configured to be downloaded from Administration Server, external computers download updates through the connection gateway. This has two disadvantages:

    • This is unnecessary traffic, which takes up bandwidth of the company's internet communication channel.
    • This is not necessarily the quickest way to get updates. It is very likely that it would be cheaper and faster for external computers to receive updates from Kaspersky update servers.

    Do the following:

    1. Move all external computers to the separate administration group that you created earlier.
    2. Exclude the group with external devices from the update task.
    3. Create a separate update task for the group with external devices.

  8. Connecting traveling laptops to Administration Server

    Traveling laptops are within the network sometimes and outside the network at other times. For effective management, you need them to connect to Administration Server differently depending on their location. For efficient use of traffic, they also need to receive updates from different sources, depending on their location.

    You need to configure rules for out-of-office users: connection profiles and network location descriptions. Depending on the location of a traveling laptop, each rule defines the Administration Server instance to which the laptop must connect and the Administration Server instance from which it must receive updates.
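
To check the result of stage 3 from the Administration Server side, the following added example (not part of the Kaspersky documentation) probes TCP port 13000 on the connection gateway and tells a dropped connection apart from a refused one. The function name, the result labels and the script name in the usage comment are assumptions made for this illustration.

```python
import errno
import socket
import sys

GATEWAY_PORT = 13000  # TCP port named in stage 3 of this scenario


def probe_gateway(host, port=GATEWAY_PORT, timeout=5.0):
    """Classify one TCP connection attempt to the connection gateway.

    Returns one of (labels are illustrative, not Kaspersky terminology):
      "open"        - handshake completed; something listens on the port
      "refused"     - the host answered with a reset; the path is open but
                      nothing listens (for example, Network Agent was not
                      installed in the connection gateway role)
      "filtered"    - no answer within the timeout; a firewall on the path
                      is probably dropping packets or a NAT rule is missing
      "unreachable" - name resolution or routing failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except socket.gaierror:
        return "unreachable"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


if __name__ == "__main__":
    # Hypothetical usage, run on the Administration Server host:
    #   python check_gateway.py <gateway address>
    if len(sys.argv) != 2:
        sys.exit("usage: check_gateway.py <gateway address>")
    target = sys.argv[1]
    result = probe_gateway(target)
    print(f"{target}:{GATEWAY_PORT} -> {result}")
    sys.exit(0 if result == "open" else 1)
```

A "filtered" result points at a firewall or NAT rule between Administration Server and the DMZ, while "refused" points at the gateway device itself.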

See also:

Internet access: Network Agent as connection gateway in DMZ
