At this step of tenant security infrastructure deployment, you can perform the following actions:
About SVM location and Protection Server policy
You can deploy SVMs that will protect tenant virtual machines in any folder or administration group on the main Kaspersky Security Center Administration Server.
It is not recommended to deploy SVMs and Protection Server policy in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <tenant name> node.
If you want the SVM to protect virtual machines of only particular tenants, restrict the Light Agent access to SVM in one of the following ways:
It is not recommended to configure connection tags in Light Agent policies located in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <tenant name> node.
It is not recommended to configure the list of SVM addresses in Light Agent policies located in the policy hierarchy above the policies enabling and disabling protection, as well as in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <tenant name> node.
In accordance with the order of Kaspersky Security Center policy inheritance on all SVMs in the hierarchy of administration groups, the default Protection Server policy is applied. It is created in the Managed devices folder on the main Administration Server as a result Kaspersky Security MMC plug-ins installation. If you want to configure specific operation settings for the SVMs that will protect tenant virtual machines, create a Protection Server policy in the folder where the SVM that protects tenant virtual machines is located.
If you want to centrally enable Kaspersky Security Network usage to protect tenant virtual machines, make sure that the personal data of tenants is lawfully processed.
About Light Agent policies
To configure the general settings of all Light Agents that will be installed on the virtual machines of all tenants, you can create Light Agent policies in the Multitenancy KSV LA folder.
To configure the general settings of all Light Agents that will be installed on the virtual machines of one tenant, it is recommended to use the policies that enable tenant protection and are created automatically as a result of creation of a virtual Administration Server in the Multitenancy KSV LA → <tenant name> folder.
Using the "lock" attribute in a policy, you can block changing of settings or groups of settings in the local application settings, task settings, or in policies of the nested hierarchy level (for nested administration groups and slave Administration Servers). Tenant administrators cannot configure "locked" settings.
It is not recommended to lock the settings in the SVM discovery settings section in the Light Agent policies that are located in the policy hierarchy above the policies enabling and disabling tenant protection. This could result in application operation errors. SVM discovery settings are specified separately for each tenant using the policies enabling and disabling tenant protection, which are located in the Multitenancy KSV LA → <tenant name> folder.
It is not recommended to delete and rename policies enabling protection and policies disabling protection, or to create new Light Agent policies in the Multitenancy KSV LA → <tenant name> folder. Only one Light Agent for Windows policy and one Light Agent for Linux policy can be active in a folder or in an administration group at a time. Policies enabling protection or policies disabling protection can be active in the Multitenancy KSV LA → <tenant name> folder, depending on the tenant status.
If the policies enabling protection or policies disabling protection are deleted, they can be created again automatically in the Multitenancy KSV LA → <tenant name> folder. In this case, all policy settings are set to the default values.
Page top