Main installation scenario
Nov 27, 2023
Following this scenario, you can deploy Administration Server, as well as install Network Agent and security applications on networked devices. You can use this scenario both to take a closer look at the application and to install it for further work.
Installation of Kaspersky Security Center consists of the following steps:
- Preparation work
- Installation of Kaspersky Security Center and a Kaspersky security application on the Administration Server device
- Centralized deployment of Kaspersky security applications on client devices
Deployment of Kaspersky Security Center in cloud environments and deployment of Kaspersky Security Center for service providers are described in other Help sections.
We recommend that you assign a minimum of one hour for Administration Server installation and a minimum of one working day for completion of the scenario. We also recommend that you install a security application, such as Kaspersky Security for Windows Server or Kaspersky Endpoint Security, on the computer that will act as Kaspersky Security Center Administration Server.
Upon completion of the scenario, protection will be deployed on the organization's network in the following way:
- The DBMS will be installed for the Administration Server.
- Kaspersky Security Center Administration Server will be installed.
- All required policies and tasks will be created; the default settings of policies and tasks will be specified.
- Security applications (for example, Kaspersky Endpoint Security for Windows) and Network Agent will be installed on managed devices.
- Administration groups will be created (possibly combined into a hierarchy).
- Mobile device protection will be deployed, if necessary.
- Distribution points will be assigned, if necessary.
Kaspersky Security Center installation proceeds in stages:
- Getting the necessary files
Make sure that you have a license key (activation code) for Kaspersky Security Center or license keys (activation codes) for Kaspersky security applications.
Unpack the archive that you received from your vendor. This archive contains the license keys (KEY files), activation codes, and the list of Kaspersky applications that can be activated by each license key.
If you first want to try out Kaspersky Security Center, you can get a free 30-day trial at the Kaspersky website.
For detailed information about the licensing of the Kaspersky security applications that are not included in Kaspersky Security Center, you can refer to the documentation of those applications.
- Selecting a structure for protection of an organization
Find out more about the Kaspersky Security Center components. Select the protection structure and the network configuration which suit your organization best. Based on the network configuration and throughput of communication channels, define the number of Administration Servers to use and how they must be distributed among your offices (if you run a distributed network).
To obtain and maintain optimum performance under varying operational conditions, please take into account the number of networked devices, network topology, and set of Kaspersky Security Center features that you require (for more details, refer to the Kaspersky Security Center Sizing Guide).
Define whether a hierarchy of Administration Servers will be used in your organization. To do this, you must evaluate whether it is possible and expedient to cover all client devices with a single Administration Server or whether it is necessary to build a hierarchy of Administration Servers. You may also have to build a hierarchy of Administration Servers that is identical to the organizational structure of the organization whose network you want to protect.
Make sure that the devices that you selected as Administration Servers, as well as those for Administration Console installation, meet all the hardware and software requirements.
- Preparation for the use of custom certificates
If your organization's Public Key Infrastructure (PKI) requires that you use custom certificates issued by a specific certification authority (CA), prepare those certificates and make sure that they meet all the requirements.
- Preparation for Kaspersky Security Center licensing
If you plan to use a Kaspersky Security Center version with Mobile Device Management, Integration with SIEM systems, and/or with Vulnerability and patch management support, make sure that you have a key file or activation code for the application licensing.
- Preparation for licensing of managed security applications
During protection deployment, you have to provide Kaspersky with the active license keys for the applications that you intend to manage through Kaspersky Security Center (see the list of manageable security applications). For detailed information about the licensing of any security application, you can refer to the documentation of this application.
- Selecting the hardware configuration of the Administration Server and DBMS
Plan the hardware configuration for the DBMS and the Administration Server, taking into account the number of devices on your network.
- Selecting a DBMS
When selecting a DBMS, take into account the number of managed devices to be covered by this Administration Server. If your network includes fewer than 10 000 devices and you do not plan to increase this number, you can choose a free-of-charge DBMS, such as SQL Express or MySQL, and install it on the same device as Administration Server. Alternatively, you can choose the MariaDB DBMS, which allows you to manage up to 20 000 devices. If your network includes more than 10 000 devices (or if you plan to expand your network up to that number of devices), we recommend that you choose a paid-for SQL DBMS and install it on a dedicated device. A paid DBMS can work with multiple Administration Servers, but a DBMS that is free of charge can work with only one.
If you select SQL Server DBMS, note that you can migrate the data stored in the database to MySQL, MariaDB, or Azure SQL DBMS. To perform the migration, back up your data and restore it into the new DBMS.
- Installing the DBMS and creating the database
Find out more about the accounts for work with the DBMS and install your DBMS. Write down and save the DBMS settings because you will need them during Administration Server installation. These settings include the SQL Server name, number of the port used for connecting to SQL Server, and account name and password for accessing the SQL Server.
If you decide to install PostgreSQL or Postgres Pro DBMS, ensure that you specified a password for the superuser. If the password is not specified, Administration Server might not be able to connect to the database.
By default, the Kaspersky Security Center Installer creates the database for storage of Administration Server information, but you can opt out of creating this database and use a different database instead. In this case, make sure that the database has been created, you know its name, and the account under which the Administration Server will gain access to this database has the db_owner role for it.
If necessary, contact your DBMS administrator for more information.
- Configuring ports
Make sure that all the necessary ports are open for interaction between components in accordance with your selected security structure.
If you have to provide Internet access to the Administration Server, configure the ports and specify the connection settings, depending on the network configuration.
- Checking accounts
Make sure that you have all local administrator rights required for successful installation of Kaspersky Security Center Administration Server and further protection deployment on the devices. Local administrator rights on client devices are required for Network Agent installation on these devices. After Network Agent is installed, you can use it to install applications on devices remotely, without using the account with the device administrator rights.
By default, on the device selected for Administration Server installation, the Kaspersky Security Center Installer creates three local accounts under which Administration Server and the Kaspersky Security Center services will be run:
- KL-AK-*: Administration Server service account
- NT Service/KSC*: Account for other services from the Administration Server pool
- KlPxeUser: Account for deployment of operating systems
You can opt out of creating accounts for the Administration Server services and other services. You can use your existing accounts instead, such as domain accounts, if you plan to install Administration Server on a failover cluster, or plan to use domain accounts instead of local accounts for any other reason. In this case, make sure that the accounts intended for running Administration Server and the Kaspersky Security Center services have been created, are non-privileged, and have all permissions required for access to the DBMS. (If you plan further deployment of operating systems on devices through Kaspersky Security Center, do not opt out of creating accounts.)
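As an added example (not part of the Kaspersky documentation), the following PowerShell inventory lists the local accounts named above, shows whether each is a direct member of the local Administrators group, and lists the services that log on under them. The function name `Get-KscAccountReport` and the service logon patterns are assumptions; pass your own patterns if you use existing accounts instead of the installer-created ones.

```powershell
# Added example: inventory of the accounts named in this section.
# Account name patterns come from the page; everything else is an assumption.
function Get-KscAccountReport {
    param(
        # Local accounts the installer creates by default (from the page).
        [string[]]$UserPattern = @('KL-AK-*', 'KlPxeUser'),
        # Service logon names; 'NT Service\KSC*' assumes the usual backslash
        # form of the "NT Service/KSC*" accounts listed on the page.
        [string[]]$ServiceLogonPattern = @('*\KL-AK-*', '*\KlPxeUser', 'NT Service\KSC*')
    )

    # Direct members of the built-in Administrators group, looked up by its
    # well-known SID so the check does not depend on the OS display language.
    # Membership through nested or domain groups is not expanded here.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value })

    # Local users whose name matches any of the patterns.
    $users = Get-LocalUser | Where-Object {
        $name = $_.Name
        @($UserPattern | Where-Object { $name -like $_ }).Count -gt 0
    }
    foreach ($u in $users) {
        [pscustomobject]@{
            Kind       = 'LocalUser'
            Name       = $u.Name
            Enabled    = $u.Enabled
            LocalAdmin = ($adminSids -contains $u.SID.Value)
            LogonAs    = $null
        }
    }

    # Services that run under a matching account.
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $logon = $_.StartName
        $logon -and @($ServiceLogonPattern | Where-Object { $logon -like $_ }).Count -gt 0
    } | ForEach-Object {
        [pscustomobject]@{
            Kind       = 'Service'
            Name       = $_.Name
            Enabled    = ($_.StartMode -ne 'Disabled')
            LocalAdmin = $null
            LogonAs    = $_.StartName
        }
    }
}

Get-KscAccountReport | Format-Table -AutoSize
```

Run it in an elevated session on the Administration Server device; a `LocalUser` row with `LocalAdmin` set to `True` is worth reviewing against the non-privileged requirement stated above.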
Installation of Kaspersky Security Center and a Kaspersky security application on the Administration Server device
- Installing the Administration Server, Administration Console, Kaspersky Security Center Web Console, and management plug-ins for security applications
Download Kaspersky Security Center from the Kaspersky website. You can download the full package, Web Console only, or Administration Console only.
Install Administration Server on the device that you selected (or multiple devices, if you plan to use multiple Administration Servers). You can select standard or custom installation of Administration Server. Administration Console will be installed together with Administration Server. It is recommended to install the Administration Server on a dedicated server instead of a domain controller.
Standard installation is recommended if you want to try out Kaspersky Security Center by, for example, testing its operation on a small area within your network. During standard installation, you only configure the database. You can also install only the default set of management plug-ins for Kaspersky applications. You can also use standard installation if you already have some experience working with Kaspersky Security Center and are able to specify all relevant settings after standard installation.
Custom installation is recommended if you plan to modify the Kaspersky Security Center settings, such as a path to the shared folder, accounts and ports for connection to the Administration Server, and database settings. Custom installation enables you to specify which Kaspersky management plug-ins to install. If necessary, you can start custom installation in silent mode.
Administration Console and the server version of Network Agent are installed together with Administration Server. You can also choose to install Kaspersky Security Center Web Console during the installation.
If you want, install Administration Console and/or Kaspersky Security Center Web Console on the administrator's workstation separately to manage Administration Server over the network.
- Initial setup and licensing
When Administration Server installation is complete, the quick start wizard starts automatically at the first connection to the Administration Server. Perform initial configuration of Administration Server according to the existing requirements. During the initial configuration stage, the wizard uses the default settings to create the policies and tasks that are required for protection deployment. However, the default settings may be less than optimal for the needs of your organization. If necessary, you can edit the settings of policies and tasks (see Configuring protection on a client organization's network and Scenario: Configuring network protection).
- Checking Administration Server installation for success
When all the previous steps are complete, Administration Server is installed and ready for further use.
Make sure that Administration Console is running and you can connect to the Administration Server through Administration Console. Also, make sure that the Download updates to the repository of the Administration Server task is available in Administration Server (in the Tasks folder of the console tree), as well as the policy for Kaspersky Endpoint Security (in the Policies folder of the console tree).
When the check is complete, proceed to the steps below.
Centralized deployment of Kaspersky security applications on client devices
- Discovering networked devices
This step is part of the quick start wizard. You can also start the device discovery manually. Kaspersky Security Center receives the addresses and names of all devices detected on the network. You can then use Kaspersky Security Center to install Kaspersky applications and software from other vendors on the detected devices. Kaspersky Security Center regularly starts device discovery, which means that if any new instances appear in the network, they will be detected automatically.
- Installing Network Agent and security applications on networked devices
Deployment of protection of an organization's network (see Configuring protection on a client organization's network and Scenario: Configuring network protection) entails installation of Network Agent and security applications (for example, Kaspersky Endpoint Security) on devices that have been detected by Administration Server during the device discovery.
Security applications protect devices against viruses and/or other programs posing a threat. Network Agent ensures communication between the device and Administration Server. Network Agent settings are configured automatically by default.
Before you start installing Network Agent and the security applications on networked devices, make sure that these devices are accessible (that is, turned on). You can install Network Agent on virtual machines as well as on physical devices.
Security applications and Network Agent can be installed remotely or locally.
Remote installation—Using the Protection deployment wizard, you can remotely install the security application (for example, Kaspersky Endpoint Security for Windows) and Network Agent on devices that have been detected by Administration Server in the organization's network. Normally, the Remote installation task successfully deploys protection to most networked devices. However, it may return an error on some devices if, for example, a device is turned off or cannot be accessed for any other reason. In this case, we recommend that you connect to the device manually and use local installation.
Local installation—Used on network devices on which protection could not be deployed using the remote installation task. To install protection on such devices, create a stand-alone installation package that you can run locally on those devices.
Network Agent installation on devices running Linux and macOS operating systems is described in the documentation for Kaspersky Endpoint Security for Linux and Kaspersky Endpoint Security for Mac, respectively. Although devices running Linux and macOS operating systems are considered less vulnerable than devices running Windows, we recommend that you nonetheless install security applications on such devices.
After installation, make sure that the security application is installed on managed devices. Run a Kaspersky software version report and view its results.
- Deploying license keys to client devices
Deploy license keys to client devices to activate managed security applications on those devices.
- Configuring mobile device protection
This step is part of the quick start wizard.
- Creating an administration group structure
In some cases, deploying protection on networked devices in the most convenient way may require you to divide the entire pool of devices into administration groups taking into account the structure of the organization. You can create moving rules to distribute devices among groups, or you can distribute devices manually. You can assign group tasks for administration groups, define the scope of policies, and assign distribution points.
Make sure that all managed devices have been correctly assigned to the appropriate administration groups, and that there are no longer any unassigned devices on the network.
- Assigning distribution points
Kaspersky Security Center assigns distribution points to administration groups automatically, but you can assign them manually, if necessary. We recommend that you use distribution points on large-scale networks to reduce the load on the Administration Server, and on networks that have a distributed structure to provide the Administration Server with access to devices (or device groups) that communicate through channels with low throughput rates. You can use devices running Linux as distribution points, as well as devices running Windows.