Support

Support for business applications

Kaspersky Security Center 14

Kaspersky Security Center 14.2

Other routine work

Managing Administration Servers

Configuring an allowlist of IP addresses to connect to Administration Server

Kaspersky Security Center
Нет результатов
Нет результатов
Knowledge Base Online Help
Advice & Solutions FAQ Download Buy Renew Forum Contact support Recovery tools

Configuring an allowlist of IP addresses to connect to Administration Server

April 17, 2024

ID 231374

Get as PDF

By default, users can log in to Kaspersky Security Center under any device where they can open Kaspersky Security Center Web Console (hereinafter referred to as Web Console) or where MMC-based Administration Console is installed. However, you can configure Administration Server so that users can connect to it only from devices with allowed IP addresses. In this case, even if an intruder steals a Kaspersky Security Center account, he or she will not be able to log in to Kaspersky Security Center because the IP address of the intruder's device is not in the allowlist.

The IP address is verified when a user logs in to Kaspersky Security Center or runs an application that interacts with Administration Server via Kaspersky Security Center OpenAPI. At this moment, a user's device tries to establish a connection with Administration Server. If the IP address of the device is not in the allowlist, an authentication error occurs and the KLAUD_EV_SERVERCONNECT event notifies you that a connection with Administration Server has not been established.

Requirements for an allowlist of IP addresses

IP addresses are verified only when the following applications try to connect to Administration Server:

  • Web Console Server

    If you sign in to Web Console on one device and the Web Console Server is installed on another device, you can configure a firewall on the device where the Web Console Server is installed by using the standard means of the operating system. Then, if someone tries to log in to Web Console, a firewall helps prevent intruders from interfering.

  • Administration Console
  • Applications interacting with Administration Server via klakaut automation objects
  • Applications interacting with Administration Server via OpenAPI, such as Kaspersky Anti Targeted Attack Platform or Kaspersky Security for Virtualization

Therefore, specify addresses of the devices on which the applications listed above are installed.

You can set IPv4 and IPv6 addresses. You cannot specify ranges of IP addresses.

How to establish an allowlist of IP addresses

If you have not set an allowlist earlier, follow the instructions below.

To establish an allowlist of IP addresses to log in to Kaspersky Security Center:

  1. On the Administration Server device, run the command prompt under an account with administrator rights.
  2. Change your current directory to the Kaspersky Security Center installation folder (usually, <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center).
  3. Enter the following command, using administrator rights:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

    Specify IP addresses that meet the requirements listed above. Several IP addresses must be separated by a semicolon.

    Example of how to allow only one device to connect to Administration Server:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0" -t s

    Example of how to allow multiple devices to connect to Administration Server:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 198.51.100.0; 203.0.113.0" -t s

  4. Restart the Administration Server service.

You can find out whether you have successfully configured the allowlist of IP addresses in Kaspersky Event Log on the Administration Server.

How to change an allowlist of IP addresses

You can change an allowlist just as you did when you first established it. For this purpose, run the same command and specify a new allowlist:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

If you want to delete some IP addresses from the allowlist, rewrite it. For example, your allowlist includes the following IP addresses: 192.0.2.0; 198.51.100.0; 203.0.113.0. You want to delete the 198.51.100.0 IP address. To do this, enter the following command at the command prompt:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 203.0.113.0" -t s

Do not forget to restart the Administration Server service.

How to reset a configured allowlist of IP addresses

To reset an already configured allowlist of IP addresses:

  1. Enter the following command at the command prompt, using administrator rights:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "" -t s

  2. Restart the Administration Server service.

After that, IP addresses are not verified any more.

Kaspersky Security Center: Optimization of daily routine tasks
A powerful administration console, with an additional flexible web-based interface that’s available wherever you are. Buy as part of Endpoint Security for Business Advanced.
Kaspersky Premium Support (MSA): High‑priority incident processing
Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).
Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.