Managing CPE devices
CPE devices relay traffic between your organization's locations and your customers. You can purchase KESR appliances to use them as CPE devices or deploy CPE devices as virtual machines using an image received from Kaspersky. When using virtual machines, you must make sure that they satisfy the hardware requirements.
An OpenFlow virtual switch (virtual switch; vSwitch) is installed on CPE devices to build the SD-WAN network and to provide centralized management and core functionality. For example, the virtual switch is used to configure traffic streams.
To avoid configuring each device individually, you can specify the settings in the CPE template and then apply the template to devices when adding or manually registering them. When you edit a setting in a CPE template, that setting is automatically modified on all devices that are using the template.
When you edit a setting on a CPE device, that setting becomes independent of the template. When the same setting is edited in the CPE template, the change is not propagated to such a device.
Certain CPE device settings can only be specified in a template, for example, the port number for connecting to the orchestrator.
New CPE devices are registered automatically, which is referred to as Zero Touch Provisioning (ZTP). You add the CPE device in the orchestrator web interface, generate a URL with basic settings, and enter that URL on the device. When the CPE device connects to the orchestrator using the received settings, it is mapped to the previously added record and is automatically registered. Registration does not require connecting to Kaspersky cloud services.
You can use two-factor authentication to register the CPE device securely. Two-factor authentication records a token (security key) to the orchestrator database; the token is then placed on the CPE device using the URL with basic settings. Registration succeeds if, when the CPE device connects to the orchestrator, the token placed on the device matches the token in the orchestrator database.
When you remove a CPE device from the orchestrator web interface, the basic settings are retained on the device. If you need to register the device again, you must restart the CPE device to make it connect to the orchestrator, and when it appears in the orchestrator web interface, you must manually register the device. You cannot use two-factor authentication when re-registering a CPE device.
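The registration rules above (token match on first connection, manual registration without a token check after removal) can be traced in a small model. This is an added example, not Kaspersky code: the class, the state names, the `serial` identifier and the URL shape are all assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class Orchestrator:
    """Toy model of the registration logic described above (hypothetical names)."""

    def __init__(self):
        self.records = {}  # serial -> {"token": str or None, "state": str}

    def add_device(self, serial, two_factor=True):
        """Create the device record and return a URL carrying the basic settings."""
        token = secrets.token_urlsafe(32) if two_factor else None
        self.records[serial] = {"token": token, "state": "added"}
        params = {"serial": serial}
        if token:
            params["token"] = token
        # Constructed URL shape; the real format is not given on the page.
        return "https://cpe.example/ztp?" + urlencode(params)

    def remove_device(self, serial):
        self.records.pop(serial, None)  # the device itself keeps its basic settings

    def connect(self, serial, token=None):
        """A device connects with the settings it holds; return the resulting state."""
        rec = self.records.get(serial)
        if rec is None:
            # No record, as after removal from the orchestrator: the device only
            # appears for manual registration and no token check is applied.
            self.records[serial] = {"token": None, "state": "awaiting_manual"}
            return "awaiting_manual"
        if rec["state"] != "added":
            return rec["state"]
        if rec["token"] is not None:
            presented = (token or "").encode()
            # Constant-time comparison so response timing does not leak token bytes.
            if not hmac.compare_digest(presented, rec["token"].encode()):
                return "rejected"
        rec["state"] = "registered"
        return "registered"

    def register_manually(self, serial):
        rec = self.records[serial]
        if rec["state"] == "awaiting_manual":
            rec["state"] = "registered"
        return rec["state"]

def settings_from_url(url):
    """Device side: extract the identifier and token from the entered URL."""
    q = parse_qs(urlparse(url).query)
    return q["serial"][0], q.get("token", [None])[0]
```

In this model a re-registered device reaches the `registered` state on an administrator's decision alone, so the identity of a device that reappears after removal should be confirmed by other means before it is registered manually.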
When adding and registering a CPE device, you can select whether it is automatically enabled after registration. When a CPE device is enabled, the CPE template is applied to it and the device becomes available for relaying traffic.