Connecting to devices through Windows Desktop Sharing

The administrator can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.

The administrator can connect to an existing session on a client device without disconnecting the user in this session. In this case, the administrator and the session user on the device share access to the desktop.

To establish remote connection to a device, you must have two utilities:

• Kaspersky utility named klsctunnel. This utility must be stored on the administrator's workstation. You use this utility for tunneling the connection between a client device and the Administration Server.

  Kaspersky Security Center allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.

  Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:

  • The remote device is connected to a local network that uses the NAT mechanism.
  • The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
• Windows Desktop Sharing. When connecting to an existing session of the remote desktop, the session user on the device receives a connection request from the administrator. No information about remote activity on the device and its results will be saved in reports created by Kaspersky Security Center.

  The administrator can configure an audit of user activity on a remote client device. During the audit, the application saves information about files on the client device that have been opened and/or modified by the administrator.

To connect to the desktop of a client device through Windows Desktop Sharing, the following conditions must be met:

• Microsoft Windows Vista or later is installed on the administrator's workstation. The type of operating system of the device hosting Administration Server imposes no restrictions on connection through Windows Desktop Sharing.

  To check whether the Windows Desktop Sharing feature is included in your Windows edition, make sure that there is CLSID\{32BE5ED2-5C86-480F-A914-0FF8885A1B3F} key in the Windows Registry.

• Microsoft Windows Vista or later is installed on the client device.
• Kaspersky Security Center uses a license for Vulnerability and patch management.

To connect to the desktop of a client device through Windows Desktop Sharing:

1. In MMC-based Administration Console, in the context menu of the Administration Server, select Properties.
2. In the Administration Server properties window that opens, go to Administration Server connection settings → Connection ports.
3. Make sure that the Open RDP port for Kaspersky Security Center Web Console option is enabled.
4. In Kaspersky Security Center Web Console, go to Devices → Managed devices.
5. In the Current path field above the list of managed devices, click the path link.
6. In the left-side pane that opens, select the administration group that contains the device to which you want to obtain access.
7. Select the check box next to the name of the device to which you want to obtain access.
8. Click the Windows Desktop Sharing button.

   The Windows Desktop Sharing wizard opens.

9. Click the Download button to download the klsctunnel utility, and wait for the download process to complete.

   If you already have the klsctunnel utility, skip this step.

10. Click the Next button.
11. Select the session on the device to which you want to connect, and then click the Next button.
12. On the target device, in the dialog box that opens, the user must allow a desktop sharing session. Otherwise, the session is not possible.

    After the device user confirms the desktop sharing session, the next page of the wizard opens.
    

13. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large OBject (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.

    A BLOB is valid for 3 minutes. If it has expired, generate a new BLOB.

14. Run the klsctunnel utility.

    The utility window opens.

15. Paste the copied text into the text field.
16. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
17. Click the Open port button.

Desktop sharing starts in a new window. If you want to interact with the device, click the menu icon () in the upper-left corner of the window, and then select Interactive mode.