Deploying tenant protection infrastructure
January 10, 2024
The tenant protection infrastructure created using the Integration Server REST API is based on the usage of Kaspersky Security Center virtual Administration Servers. Each tenant is provided with a virtual Administration Server and an account to be used by the tenant administrator to connect to the virtual Administration Server.
One Kaspersky Security Center Administration Server can support up to 500 virtual Administration Servers.
Tenant virtual machines with Light Agents installed are located on the tenant virtual Administration Server.
Tenant administrators can perform the following actions on their virtual Administration Server:
- Centrally manage protection of their virtual machines using the Light Agent policies and group tasks.
- Receive information about their infrastructure protection status using event notifications and reports available on the virtual Administration Server.
- Work with copies of files placed in backup storage on all virtual machines of this tenant.
For more information about virtual Administration Servers, see the Kaspersky Security Center help.
The provider's administrator installs the application in their infrastructure and ensures the operation of Light Agents and other application components:
- Configures the settings for connecting Light Agents installed on the tenant virtual machines to the SVM and to the Integration Server.
- Activates the application and controls licensing restrictions.
- Updates databases and application modules.
- Configures the Protection Server settings.
The provider's administrator can also configure general protection settings of the tenant virtual machines.
During operation, information that may contain personal and confidential data is transmitted between Kaspersky Security Center and Kaspersky Security components installed in the provider's infrastructure and on the tenant virtual machines.
Before creating a tenant protection infrastructure, perform the following steps:
- Install or update Kaspersky Security.
The following components must be installed in the provider's infrastructure:
- Kaspersky Security MMC plug-ins, Integration Server, and Integration Server Console.
- Protection Server.
If you want to use the web interface to interact with Kaspersky Security Center, you also need to install web plug-ins using the Web Console.
- Prepare the application for work:
- Prepare the Protection Server for operation.
- In the Integration Server Console, change the default multitenancy account password. A multitenancy account is created automatically as a result of Integration Server installation. It is required to interact with the Integration Server REST API.
- In the Integration Server Console, configure the Integration Server connection settings to the Kaspersky Security Center Administration Server. These settings are required for authorization on the Kaspersky Security Center Administration Server when executing requests to the Integration Server REST API.
Tenant protection infrastructure deployment consists of the following steps:
- Creating a tenant and Kaspersky Security Center virtual Administration Server for the tenant.
- Configuring location of SVMs for protecting tenant virtual machines and configuring the Protection Server operation settings.
- Configuring SVM discovery settings and general operation settings for Light Agents, installed on the tenant virtual machines.
- Installing Kaspersky Security Center Network Agent and Light Agent on the tenant virtual machines and moving the virtual machines to a virtual Administration Server configured for the tenant.
- Registering the tenant virtual machines in the Integration Server database.
- Activating the tenant.
- Transferring the following Kaspersky Security Center virtual Administration Server connection settings to the tenant administrator:
- Address of the virtual Administration Server configured for the tenant.
- Administrator account settings of the virtual Administration Server.
It is recommended that the tenant administrator changes the account password received from the provider administrator.
The steps of the tenant protection infrastructure deployment can be automated using the Integration Server REST API and Kaspersky Security Center OpenAPI.
To prevent unauthorized access, it is recommended to deploy the SVM and the device on which the Kaspersky Security Center Administration Server and the Integration Server are installed in a dedicated virtual network and to configure routing with address translation (SNAT) from the tenant subnets to this subnet.