Installing Kaspersky CyberTrace Service and Feed Utility on separate computers (DMZ scenario)

April 11, 2024

ID 268318

The following procedure describes how to configure the DMZ host and the local host for installing Kaspersky CyberTrace Service on one computer (in this section, referred to as Local) and Feed Utility on another computer (in this section, referred to as DMZ).

Configuring a DMZ host

To configure a DMZ host, do the following:

  1. Install CyberTrace on the DMZ host. This makes it easier to configure the feeds that will be loaded to CyberTrace in the isolated environment.
  2. In the Initial Setup Wizard, specify the required SIEM settings (name, connection details).

    These settings will be further used for the local host.

    Also, add a PEM-formatted certificate for configuring the Kaspersky feeds that will be used. It is not necessary to add a Kaspersky CyberTrace license key on the DMZ host, since the Community edition allows configuration of all supported feed types. Adding a license key is obligatory on the local host.

  3. If necessary, add or additionally configure the feeds on the Settings > Feeds page, after specifying the settings in the Initial Setup Wizard.

    Ensure that the feeds are configured correctly by running the feeds update in CyberTrace at least once.

  4. Export the settings from CyberTrace by clicking the Export configuration files button on the Settings > Service page.

    If custom feeds were previously configured in Kaspersky CyberTrace, also save the httpsrv\etc\custom_feed_list.conf file for further use.

  5. Copy the %service_dir%\dmz directory to a location other than the %service_dir% directory (for example, to the C:\Users\%UserName% directory).

    Hereafter, the path to this directory is referred to as %dmz_fu%.

  6. Remove CyberTrace.

    If you have to add new feeds, install CyberTrace on the DMZ host again.

  7. Move the Settings>Feeds and Settings>ProxySettings sections from the exported kl_feed_util.conf file (see Step 4) to the %dmz_fu%\kl_feed_util.conf file. If a section is already present in the target configuration file, replace it.

    Do not remove the kl_feed_util.conf and kl_feed_service.conf files that were exported from CyberTrace. These files will be used on the local host.

  8. Specify accepted in the Settings>EULA tag of the %dmz_fu%\kl_feed_util.conf file.
  9. Specify <WorkDir>tmp_download</WorkDir> in the Settings/WorkDir of the %dmz_fu%\kl_feed_util.conf file.
  10. Add %dmz_fu%\cron_dmz.cmd to the schtasks list of tasks.

    The cron_dmz.cmd script enables downloading feeds on the DMZ host.

    In the example below, the cron_dmz.cmd script runs once every 30 minutes:

    schtasks /create /tn KasperskyFeedServiceUpdate /ru system /f /tr "\"%dmz_fu%\cron_dmz.cmd\"" /sc minute /mo 30

    You can set your own schedule to run the script.
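
Steps 7 to 9 can be scripted so that the edit is repeatable. The following PowerShell function is an added example, not Kaspersky code; it assumes that both kl_feed_util.conf files are XML documents with a Settings root element and no XML namespace, and the function name and sample paths are hypothetical.

```powershell
# Added example. Assumes a <Settings> root element and no XML namespace.
function Merge-DmzFeedUtilConfig {
    param(
        [Parameter(Mandatory)][string]$ExportedPath,  # kl_feed_util.conf exported in Step 4
        [Parameter(Mandatory)][string]$TargetPath     # %dmz_fu%\kl_feed_util.conf
    )
    # Resolve to absolute paths: .NET does not follow the PowerShell location.
    $exported = (Resolve-Path -LiteralPath $ExportedPath).Path
    $target   = (Resolve-Path -LiteralPath $TargetPath).Path
    $src = New-Object System.Xml.XmlDocument
    $dst = New-Object System.Xml.XmlDocument
    $src.Load($exported)
    $dst.Load($target)

    # Step 7: copy Feeds and ProxySettings, replacing a section that already exists.
    # The exported file is only read, because it is reused later on the local host.
    foreach ($name in 'Feeds', 'ProxySettings') {
        $from = $src.SelectSingleNode("/Settings/$name")
        if ($null -eq $from) { Write-Warning "No $name section in $exported"; continue }
        $copy = $dst.ImportNode($from, $true)
        $old  = $dst.SelectSingleNode("/Settings/$name")
        if ($null -ne $old) {
            [void]$dst.DocumentElement.ReplaceChild($copy, $old)
        } else {
            [void]$dst.DocumentElement.AppendChild($copy)
        }
    }

    # Steps 8 and 9: EULA = accepted, WorkDir = tmp_download.
    $values = [ordered]@{ EULA = 'accepted'; WorkDir = 'tmp_download' }
    foreach ($name in $values.Keys) {
        $node = $dst.SelectSingleNode("/Settings/$name")
        if ($null -eq $node) {
            $node = $dst.DocumentElement.AppendChild($dst.CreateElement($name))
        }
        $node.InnerText = $values[$name]
    }

    # Keep a copy of the original target file before overwriting it.
    Copy-Item -LiteralPath $target -Destination "$target.bak" -Force
    $dst.Save($target)
}

# Constructed sample paths, replace with your own:
# Merge-DmzFeedUtilConfig -ExportedPath 'C:\export\kl_feed_util.conf' `
#     -TargetPath 'C:\Users\feedsvc\dmz\kl_feed_util.conf'
```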

Configuring a local host

To configure a local host, do the following:

  1. Check if the DMZ host is accessible for the local host by using the RSync utility (to do this, perform the steps from section "Synchronizing directories that contain feeds").
  2. On the local host, install the same version of CyberTrace that was previously installed on the DMZ host.
  3. Stop CyberTrace after installation by running the sc stop cybertrace command.
  4. Remove the %service_dir%\bin\.need_run_wizard file.

    This action disables the initial configuration wizard, since configuration has already been completed on the DMZ host.

  5. Replace the %service_dir%\bin\kl_feed_util.conf and %service_dir%\bin\kl_feed_service.conf files with the files that were obtained in Step 4 of section "Configuring a DMZ host".

    If custom feeds were previously configured in Kaspersky CyberTrace, also replace or add (if the file was not present) the httpsrv\etc\custom_feed_list.conf file.

  6. Open the %service_dir%\bin\kl_feed_util.conf file and specify the following parameters:
    • <NotifyKTFS path="../bin">true</NotifyKTFS>
    • <WorkDir>output</WorkDir>
    • <FeedsDir>../feeds/download</FeedsDir>
  7. Configure the following in the %service_dir%\bin\kl_feed_service.conf file:
    • Specify settings in:
    • Set 0 in the update_frequency attribute.

      This setting is applied because the feed files downloaded on the DMZ host are synchronized periodically by Schtasks, not by CyberTrace.

  8. (Recommended) Rename the %service_dir%\dmz\feeds.pem file to feeds.pem.0 to avoid incorrect feeds updating when clicking the Launch update now button.
  9. Open the %service_dir%\scripts\cron_cybertrace.cmd file, and then specify the following:
    • RSYNC_USER (user name on the DMZ host for authorization).
    • RSYNC_HOST (host name/IP address of the DMZ host).
    • PATH_TO_FEEDS (path to the %dmz_fu%\download directory on the DMZ host).
    • DOWNLOAD_DIR ("output").
    • SSH_KEY (make sure that you specified the same RSA key file path as described in Step 1 of section "Synchronizing directories that contain feeds").
  10. Add %service_dir%\scripts\cron_cybertrace.cmd to the schtasks list of tasks.

    The cron_cybertrace.cmd script starts synchronization of the feed files from the DMZ host. In the example below, the cron_cybertrace.cmd script runs once every 30 minutes:

    schtasks /create /tn KasperskyFeedServiceUpdate /ru %user% /rp %password% /f /tr "%service_dir%\scripts\cron_cybertrace.cmd" /sc minute /mo 30

    You can set your own schedule for synchronization.

  11. Start CyberTrace.

    Run the sc start cybertrace command.

  12. Open CyberTrace Web in a browser (by using the details specified in Step 7 in Configuration>GUISettings>HTTPServer>ConnectionString).
  13. Make sure that the settings for the feeds on the Settings>Feeds page are similar to the settings on the DMZ host.
  14. On the Settings>Feeds page, set Never for the Update frequency parameter.
  15. On the Settings>Licensing page, add a license key.
  16. Configure other settings that are not related to updating feeds.
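
Before relying on the scheduled synchronization, it is worth checking that the file-level settings from Steps 4, 6, 7 and 8 are actually in place. The following PowerShell check is an added example, not Kaspersky code; it assumes that both configuration files are XML without a namespace, that the kl_feed_util.conf elements sit directly under a Settings root, and the function name is hypothetical.

```powershell
# Added example. Read-only audit of the local host; returns a list of problems found.
function Test-LocalCyberTraceConfig {
    param([Parameter(Mandatory)][string]$ServiceDir)   # absolute path of %service_dir%
    $issues = @()

    # Step 4: the wizard marker file must be gone.
    if (Test-Path -LiteralPath (Join-Path $ServiceDir 'bin\.need_run_wizard')) {
        $issues += 'bin\.need_run_wizard still exists (Step 4)'
    }

    # Step 6: expected values in kl_feed_util.conf.
    $util = New-Object System.Xml.XmlDocument
    $util.Load((Join-Path $ServiceDir 'bin\kl_feed_util.conf'))
    $expected = [ordered]@{ NotifyKTFS = 'true'; WorkDir = 'output'; FeedsDir = '../feeds/download' }
    foreach ($name in $expected.Keys) {
        $node   = $util.SelectSingleNode("/Settings/$name")
        $actual = if ($null -ne $node) { $node.InnerText.Trim() } else { '<missing>' }
        if ($actual -ne $expected[$name]) {
            $issues += "kl_feed_util.conf: $name is '$actual', expected '$($expected[$name])'"
        }
    }
    $notify = $util.SelectSingleNode('/Settings/NotifyKTFS')
    if ($null -ne $notify -and $notify.GetAttribute('path') -ne '../bin') {
        $issues += 'kl_feed_util.conf: NotifyKTFS path attribute is not ../bin'
    }

    # Step 7: every update_frequency attribute in kl_feed_service.conf must be 0.
    # The attribute is searched for anywhere in the file (its location is an assumption).
    $svc = New-Object System.Xml.XmlDocument
    $svc.Load((Join-Path $ServiceDir 'bin\kl_feed_service.conf'))
    $freq = $svc.SelectNodes('//@update_frequency')
    if ($freq.Count -eq 0) { $issues += 'kl_feed_service.conf: no update_frequency attribute found' }
    foreach ($attr in $freq) {
        if ($attr.Value -ne '0') {
            $issues += "kl_feed_service.conf: update_frequency is '$($attr.Value)' on <$($attr.OwnerElement.Name)>"
        }
    }

    # Step 8 is only recommended, so report it as a warning rather than a failure.
    if (Test-Path -LiteralPath (Join-Path $ServiceDir 'dmz\feeds.pem')) {
        Write-Warning 'dmz\feeds.pem has not been renamed to feeds.pem.0 (Step 8)'
    }
    return $issues
}
```

An empty result means the checked settings match the procedure; the settings made in CyberTrace Web (Steps 13 to 15) are not covered by this check.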
