KL 302.11 Labs Module1 Managing Multiple Servers v1.6 en PDF
Kaspersky Endpoint Security and Management. Scaling
Managing multiple KSC servers
Lab Guide
www.kaspersky.com
Lab 1.
How to connect a slave Administration Server of a remote office
Scenario. You are an administrator at ABC Inc., which has two offices: Headquarters (HQ) and a remote office (LO). Each
office has access to the internet. Connections between the offices are established via a VPN channel.
Each office has its own Kaspersky Security Center Administration Server: hq-ksc1 and lo-ksc. The administrators want to
monitor general protection status in both offices. To achieve this, you need to join the two servers to a hierarchy; this will
permit creating reports with aggregate information.
Contents.
In a hierarchy, policies of the master Administration Server are automatically inherited by slave servers and can change the
protection settings of their client computers. You do not want any security settings to change after the servers are joined into a
hierarchy.
Therefore, disable inheritance of settings from parent policies in the slave server policies to preserve their unique settings: Scan
exclusions, connection profiles, application control rules, and so on.
Connect the administration server of the remote office (lo-ksc.abc.lab) to the headquarters’ administration server
(hq-ksc1.abc.lab) using the Add Slave Administration Server Wizard.
Conclusion
You have added one administration server to another as a slave (created a hierarchy). The lab describes the easiest procedure
assuming that the slave server’s ports are accessible from the master and vice versa.
KL 302.11: Kaspersky Security Center. Scaling
Lab 2.
How to collect information in a hierarchy
Scenario. Each network computer is connected to one of the two Kaspersky Security Center Administration Servers joined
into a hierarchy. You want to receive notifications about active threats on any network computer, regardless of the server it is
connected to. You need to configure notifications about active threats to achieve this.
Also, you want to be able to find all computers with the “Active threat detected” status in the console and make a selection of
these computers.
Contents.
Enable saving notifications about files that have not been processed by File Threat Protection on the lo-ksc Administration
Server.
Imitate an active threat on bob-desktop. For this purpose, make Kaspersky Endpoint Security detect a threat in a network
folder where it has no Write permissions.
In the Kaspersky Security Center Administration Console, find the computer where the file protection was not able to process
malicious files. Find out which Administration Server the computer is connected to.
Create a selection of devices with the “Active threat detected” status on the Master Administration Server. The selection is to
include devices connected to master and slave Administration Servers.
Conclusion
The lab demonstrates how to find computers from slave Administration Servers using the Search window and computer
selections.
Lab 3.
How to configure management in a hierarchy
Scenario. When creating the hierarchy, you configured it so that the policies of the master Administration Server are not
allowed to overwrite security settings on the slave Administration Server. Now that you have centralized management on
the Master Administration Server, you want to propagate its policies to Slave Administration Servers. Also, you want to reduce
the number of policies to maintain. You also want to create a single threat scan task for all computers in the hierarchy.
Contents.
The policies of the master Administration Server are applied to slave servers by default. To apply the inherited policies to the
computers of the slave server, make the local policies of the slave Administration Server inactive.
Tasks of the master server are not applied to slave servers by default. To apply a scan task to the slave servers, enable the
distribution mode in the task properties on the master server.
After that, switch the local scan task of the slave server to the manual mode. Otherwise, both tasks will run on the slave
server’s computers and waste resources.
Conclusion
You applied the policies and tasks of the main server to the computers connected to the slave server.
With policies, you simply made the policies of the slave server inactive; after that, the policies of the master server propagated
to the computers of the slave server automatically.
In the case of tasks, you enabled distribution of the required tasks to slave servers in their properties. You also switched the local
tasks of the slave server to the manual start mode to prevent running two instances of each task on the computers.
Lab 4.
How to configure updates in a hierarchy
Scenario. You need to configure updates for all slave servers in the hierarchy. For the slave servers located in the same site as
the master Administration Server, you want to configure the master Administration Server to be the update source and enable
forced update for the slave servers. For the slave server lo-ksc, you want to use Kaspersky update servers on the internet as the
update source. Also, you need to propagate the task that updates client devices from the master server to slaves where
necessary, and delete the unnecessary update tasks on the slave servers.
Contents.
A. Configure an update source for a slave server located on the same network as the master Administration Server
B. Configure an update source for a slave server located in a remote office
C. Configure forced update for slave servers
D. Configure updating client computers throughout the hierarchy
Task A: Configure an update source for a slave server located on the same network as the master Administration Server
In this task, you will change the update source for the slave server hq-ksc2 from Kaspersky update servers on the internet to the
master Administration Server hq-ksc1.
9. Click Add
In this task, you will configure a source of updates for the slave Administration Server lo-ksc.
The remote office lo-office has its own connection to the internet; therefore, to reduce the load on the VPN channel between
the offices, you should leave the default update source for the Administration Server lo-ksc: Kaspersky update servers.
Enable forced distribution of updates to slave administration servers in the properties of the task Download updates to the
repository on the master Administration Server.
Conclusion
You have forced distribution of updates from the master server to a slave server located in the same subnet. For a slave server
in another office with independent access to the internet, you have left the standard update source.
You also propagated an update task from the master server to a slave. With centralized management, it makes no sense to keep
several update tasks if one is enough.
To prevent a task from distributing to slave servers with autonomous administration, you can use exclusions from the task
scope in its properties. For this purpose, place the slave servers into a subgroup, since scope exclusions are specified in terms
of groups.
Lab 5.
How to change the Administration Server
Scenario. You have recently added another Administration Server to the hierarchy to reduce the load on the other servers.
Now you want to move some of the computers to the new server. Use a Change Administration Server task for this purpose. If
there is an error in the connection parameters, use the klmover.exe utility to restore computer management.
Contents.
Move the managed devices alex-desktop and tom-laptop from the master Administration Server hq-ksc1 to the slave
Administration Server hq-ksc2 using the Change Administration Server task.
Change the administration server for the alex-desktop and tom-laptop computers from hq-ksc2 to hq-ksc1 using the klmover
utility.
Conclusion
You can change the administration server for client devices without reinstalling the Network Agent in two ways: remotely,
using the Change Administration Server task, or locally from the command line, using klmover.exe.
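The local klmover.exe method from Lab 5, as an added PowerShell example that is not part of the original lab guide: it checks the new server's name and port before repointing the Network Agent, so that a typo in the connection parameters does not leave the computer unmanaged. The install path, the SSL port 13000 and the log file location are assumptions based on product defaults; adjust them to your deployment.

```powershell
# Added example (not from the lab guide). Run elevated on the client, e.g. alex-desktop.
# Assumptions: default Network Agent install path, default SSL port 13000, log in %TEMP%.
param(
    [string]$Server  = 'hq-ksc1.abc.lab',
    [int]   $SslPort = 13000,
    [string]$LogFile = "$env:TEMP\klmover.log"
)

# Locate the Network Agent utilities (32-bit program folder on 64-bit Windows).
$pf       = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$agentDir = Join-Path $pf 'Kaspersky Lab\NetworkAgent'
$klmover  = Join-Path $agentDir 'klmover.exe'
$klnagchk = Join-Path $agentDir 'klnagchk.exe'
if (-not (Test-Path $klmover)) { throw "klmover.exe not found in $agentDir" }

# 1. Validate the connection parameters before touching the agent configuration.
try {
    Resolve-DnsName -Name $Server -ErrorAction Stop | Out-Null
} catch {
    throw "Cannot resolve '$Server'. Agent left connected to its current server."
}
$probe = Test-NetConnection -ComputerName $Server -Port $SslPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP $SslPort on '$Server' is unreachable. Agent left connected to its current server."
}

# 2. Repoint the Network Agent to the new Administration Server.
#    -address: server name, -ps: SSL port, -silent: no prompts, -logfile: write results to a file.
& $klmover -address $Server -ps $SslPort -silent -logfile $LogFile
Write-Host "klmover exit code: $LASTEXITCODE"
if (Test-Path $LogFile) { Get-Content $LogFile -Tail 20 }

# 3. Confirm the agent's new connection settings with the bundled check utility.
if (Test-Path $klnagchk) { & $klnagchk }
```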