 SOLUTION ARCHITUCTURE DIAGRAM

Deployment Architecture
 SYSTEM REQUIRMENTS

 Hardware and software requirements

Requirements for the Kaspersky Security Center

Master KSC (up to 25 000 endpoints):

 CPU: 24 vCPU (virtual threads).
 RAM: 36 GB.
 Disk subsystem – 500 GB free disk space.
 One network adapters

Hardware requirements for the MS SQL (If Dedicated) :

 CPU: 24 vCPU (virtual threads).

 RAM: 24 GB.
 Disk subsystem: 1TB of free space.
 One network adapter

Slave KSC (UP to 5000):

 CPU: 12 vCPU
 RAM: 16 GB.
 Disk subsystem – 300 GB free disk space.
 One network adapter

Supported OS:

 Windows Server 2008 R2

 Windows Server 2012
 Windows Server 2012 R2
 Windows Server 2016
 Windows Server 2019

Supported MS SQL:

 MS SQL Server 2008 R2

 MS SQL Server 2012
 MS SQL Server 2014
 MS SQL Server 2016

Requirements for the Kaspersky Endpoint Security

Hardware requirements for installing all Kaspersky Endpoint Security components

 Minimum configuration:
 CPU: 2 core 2 GHz or higher.
 RAM: 2 GB.
 Disk subsystem: 2 GB of free space.
 One network adapter.

Supported client OS:

 Windows 7 SP1 Enterprise x86 x64.
 Windows 8.1.1 Enterprise x86 x64.
 Windows 10 RS3 Enterprise x86 x64.
 Windows 10 RS4 Enterprise x86 x64.
 Windows 10 RS5 Enterprise x86 x64.
 Windows 10 RS6 Enterprise x86 x64.

Supported server OS:

 Windows Server® 2008 R2 Enterprise x64.
 Windows Server 2012 Standard x64.
 Windows Server 2012 R2 Standard x64.
 Windows Server 2016 Standard x64.

Requirements for Network Agent

Requirements for Network agent the same as for KES.

For Network Agent with Distribution Point Role requirements are:

 CPU: 4 core ( for example, i7-7600).

 RAM: 8 GB.
 Disk subsystem: 2 GB of free space.
 One network adapter.
  Ports used by Kaspersky Security Center

TLS
Name of the (except
Port
Device process that Protocol for Port purpose Scope
number
opens the port UDP
ports)

Administration Transmitting
Server published Publishing
8060 Klcsweb TCP No installation installation
packages to packages
client devices
Transmitting
published Publishing
8061 Klcsweb TCP Yes installation installation
packages to packages
client devices

Working
Receiving with Kaspersky
inbound Security Center
9000 CSWebInterf
TCP Yes connections 12 Web
* ace
from the Console and
Apache server Self Service
Portal

1300 Klserver TCP Yes Receiving Managing

0 connections client devices
from Network and slave
Agents and Administration
slave Servers
Administration
Servers; also
used on slave
Administration
Servers for
receiving
connections
from the
master
Administration
Server (for
example, if the
slave
Administration
Server is in
DMZ)
 Receiving
information
1300 about devices Managing
Klserver UDP Null
0 that were client devices
turned off from
Network Agents
Receiving
connections
from Managing
1329
Klserver TCP Yes Administration Administration
1
Console to Server
Administration
Server
Receiving
Mobile
1329 connections
Klserver TCP Yes Device
2 from mobile
Management
devices
Receiving
Managing
connections
1329 UEFI
Klserver TCP Yes from UEFI
4* protection
protection
client devices
devices
Receiving
connections
from Kaspersky
Security Center
12 Web
Kaspersky
Console to the
Security
1329 Administration
klserver TCP Yes Center 12 Web
9 Server;
Console,
receiving
OpenAPI
connections to
the
Administration
Server over
OpenAPI
Receiving
1400 connections Managing
Klserver TCP No
0 from Network client devices
Agents
Receiving
requests from
1311 KSN proxy
Ksnproxy TCP No managed
1* server
devices to KSN
proxy server
1511 Ksnproxy UDP Null Receiving KSN proxy
1* requests from server
managed
devices to KSN
proxy server
 Receiving
connections for
application Activation
1700 activation from proxy server
Klactprx TCP Yes
0 managed for non-mobile
devices (except devices
for mobile
devices)
Receiving
Activation
connections for
1710 proxy server
Klactprx TCP Yes application
0* for mobile
activation from
devices
mobile devices

Delivering
Multicasting
Network 1500 updates and
Klnagent UDP Null for Network
Agent 0 installation
Agents
packages

Delivering
Multicasting
1500 updates and
Klnagent UDP Null for Network
1 installation
Agents
packages

Distribution
point
Managing
Receiving client devices,
1300 connections delivering
Klnagent TCP Yes
0 from Network updates and
Agents installation
packages
 Kaspersky
Security Center
12 Web
Console Server Receiving
(may be the connections
Kaspersky
same device from browser
8080 Security Center
where the Node.js TCP Yes to Kaspersky
* 12 Web
Administration Security Center
Console
Server is 12 Web
running, or Console
may be a
different
device)

Using exclusively assigned distribution points

If you plan to use certain specific devices as distribution points (that is, exclusively assigned servers),
you can opt out of using automatic assignment of distribution points. In this case, make sure that the
devices that you intend to make distribution points have sufficient volume of free disk space, are not
shut down regularly, and have Sleep mode disabled.

Number of exclusively assigned distribution points in a network that contains a single network
segment, based on the number of networked devices

Number of client devices in the network Number of distribution points

segment

Less than 300 0 (Do not assign distribution points)

More than 300 Acceptable: (N/10,000 + 1), recommended:

(N/5,000 + 2), where N is the number of
networked devices
Number of exclusively assigned distribution points in a network that contains multiple network
segments, based on the number of networked devices

Number of client devices per network Number of distribution points

segment

Less than 10 0 (Do not assign distribution points)

10... 100 1

More than 100 Acceptable: (N/10,000 + 1), recommended:

(N/5,000 + 2), where N is the number of
networked devices
Using standard client devices (workstations) as distribution points

If you plan to use standard client devices (that is, workstations) as distribution points, we
recommend that you assign distribution points as shown in the tables below in order to avoid
excessive load on the communication channels and on Administration Server:

Number of workstations functioning as distribution points in a network that contains a single

network segment, based on the number of networked devices

Number of client devices in the network Number of distribution points

segment

Less than 300 0 (Do not assign distribution points)

More than 300 (N/300 + 1), where N is the number of

networked devices; there must be at least 3
distribution points
Number of workstations functioning as distribution points in a network that contains multiple
network segments, based on the number of networked devices

Number of client devices per network Number of distribution points

segment

Less than 10 0 (Do not assign distribution points)

10... 30 1

31... 300 2

More than 300 (N/300 + 1), where N is the number of

networked devices; there must be at least 3
distribution points
If a distribution point is shut down (or not available for some other reason), the managed devices in
its scope can access the Administration Server for updates.