Recommendations for the installation of Network Agent and Kaspersky Security for Virtualization Light Agent 5.x on a golden image for Virtual Desktop Infrastructure
This article concerns:
- Kaspersky Security for Virtualization 5.2 Light Agent (version 5.2.27.319)
- Kaspersky Security for Virtualization 5.1 Light Agent (version 5.1.44.295)
Prerequisites:
- One of the following versions of Kaspersky Security Center:
  - Kaspersky Security Center 13.2 (version 13.2.0.1511)
  - Kaspersky Security Center 13.1 (version 13.1.0.8324)
  - Kaspersky Security Center 13.1 (version 13.0.0.11247)
  - Kaspersky Security Center 12 (version 12.0.0.7734)
- The Kaspersky Security for Virtualization 5.x Light Agent components are installed on the Administration Server.
- XenApp and XenDesktop 7.15 or Citrix Virtual Apps and Desktops 7 1903.
- Kaspersky Secure Virtual Machines (SVMs) are installed on all hypervisors that will run VDI machines and are located in a separate group of managed computers.
Pre-installation settings
- Create a new group of managed computers. All created virtual desktops will be moved into it.
- Exclude this group from all inherited tasks: the Find Vulnerabilities and Windows Updates task and the Fix Vulnerabilities and required Updates task.
Network Agent Policy
- Create a Network Agent policy.
- Go to the Repositories tab. Clear all selected options and lock them:
  - Details of Windows Update updates
  - Details of software vulnerabilities and corresponding updates
  - Hardware registry details
  - Details of installed applications
- Go to Software updates and vulnerabilities.
  - Select Disabled for the Windows Update search mode setting and lock it.
  - Clear the Scan executable files for vulnerabilities when running them checkbox and lock the setting.
Secure Virtual Machine Policy
- Create a Secure Virtual Machine policy in the group of managed computers where SVMs are located.
- Open Update settings and clear the Update Application Modules checkbox. Close the lock.
- Go to Settings for connecting SVMs to the Integration Server and specify the IP address (or FQDN) of the machine with the Integration Server (the IP address of the Administration Server). Close the lock.
- Verify that the policy is applied on the Secure Virtual Machines.
Windows Light Agent Policy
- Create the policy for the Light Agent for Windows.
- Open the policy properties and go to Anti-Virus protection → General Protection Settings.
- In the Exclusions and trusted applications section, click Settings.
  - If the VDI infrastructure is used in a Citrix environment, enable exclusions and trusted applications for Citrix Virtual Apps and Desktops (Citrix XenApp and XenDesktop), Citrix Provisioning (Citrix Provisioning Services), Citrix Profile Manager. If they're not in the list, create a new policy and add them at the Exclusions step.
  - If the VDI infrastructure is used in a VMware environment, enable exclusions and trusted applications for VMware Tools and VMware Horizon View. If they're not in the list, create a new policy and add them at the Exclusions step.
  - If roaming user profiles are used, specify the path of the network folder where the profiles are located, so that they are not scanned at both the network and the local level.
- Go to the SVM discovery settings section. Make sure that Use Integration Server is selected and that the lock is closed.
- Go to Integration Server connection settings.
  - Specify the IP address (or FQDN) of the machine where Integration Server is installed (the IP address of the Administration Server). Close the lock.
Installation of Kaspersky Network Agent and Kaspersky Security for Virtualization Light Agent 5.x on a golden image
- Launch the local installation of Kaspersky Network Agent on the golden image.
  - At the Advanced settings step, clear the checkbox Automatically install applicable updates and patches for components that have the Undefined status.
  - Select the checkboxes Enable dynamic mode for VDI and Optimize the Kaspersky Security Center Network Agent settings for the virtual infrastructure. Disable vulnerability scan and inventory of applications and hardware. You can edit the current settings through Network Agent policies.
- After Network Agent has been installed, open services.msc and launch Network Agent manually.
- Launch the local installation of Kaspersky Security for Virtualization 5.x Light Agent on the golden image.
  - If you are using Citrix XenDesktop, select the checkboxes Ensure compatibility with Citrix Provisioning (Citrix Provisioning Services) and Installation on the template for temporary VDI pools.
  - If you are using VMware Horizon View, select the checkbox Installation on the template for temporary VDI pools.
If the Installation on the template for temporary VDI pools checkbox is selected, updates that require a protected virtual machine to restart will not be installed on the virtual machines deployed using this template. At the same time, Kaspersky Security Center will send messages that database and application modules updates are required on the template.
We do not recommend selecting the Installation on the template for temporary VDI pools checkbox if the template will be used for creating a VDI infrastructure of one of the following types:
- The static dedicated catalog with local drives in Citrix Virtual Apps and Desktops (Citrix XenApp and XenDesktop)
- VMware Horizon View automated pool of the full clone type
What to do after the installation
- Verify that the Windows Light Agent policy has been applied. The golden image should have been handled by the relocation rule created in Kaspersky Security Center. If the golden image does not meet the conditions of the relocation rule, move it manually into the managed group created for virtual machines.
- Verify that the Light Agent is connected to the SVM: open the Support window locally in the interface of the Light Agent for Windows.
- Restart the golden image.
- Sign in to the system once it has restarted.
- Shut down the golden image.
You can now deploy VDI machines from this golden image.