saladbowl

Kaspersky Admin Kit and VPN Connectivity


Hello to all

Using Kaspersky Administration Kit Version: 6.0.1710

Kaspersky for Windows Workstations Version: 6.0.3.837

Running on Windows Server 2003 SP2

Clients are all XP machines SP2

I am having difficulties in connecting to machines over the VPN with Kaspersky Admin Kit, normally laptop users. These users had Kaspersky for Windows Workstations installed on the laptops when they were in the office connected to the network; all was fine. I set the update policy for laptops to look towards the Kaspersky Lab servers first, then the Admin Server. All is well so far, except that a small change I made in the Laptops policy is not being pushed to machines that are currently connected to the VPN, nor can I sync with them.

I have searched a little through this forum and the only thing I can find on this is opening UDP ports. Whilst I can do this for my firewall at the office, I obviously cannot for each of the other offices or the home users who use a mixture of routers. I would have assumed Kaspersky would use a default port not needing to be configured?

Could one of you knowledgeable people please give me some guidance on pushing a policy update to machines connected via VPN?

Many thanks for any assistance you can provide.


Link to post

Hi

Thanks for your response. I already read through this article before posting here, and can confirm that ports 13000 and 14000 are open on the server and listening. I cannot manually synch with any machine that is connected to our network over the VPN. The machines have the Net agent installed and the Anti virus app. Filesharing is turned on on the laptops.

This is what I really need some assistance with.

Any other advice I can try?

Thanks


Link to post

No more responses?

I would have assumed this is an issue others would have experienced.

Must say disappointed with the level of support from Kaspersky (which is why I came here) and, it would seem, their forum too (4 days, 104 views and only 1 generic response).

Can anyone provide any real-life experience of this issue and how it was overcome?

Many thanks


Link to post

Just wanted to point out that this is a User Forum... not a "Support" Forum. While there are some Kaspersky posters here, they are often limited in what they say. With that being said, if you really want support, you need to open a case with Kaspersky by calling them. The responses you get here are from users that may or may not have experience, or desire to respond to whatever you are describing... so just keep that in mind, because we are under no obligation to post.

In my experience, it's very hard to talk to laptops even if they are using VPN, and I have the same issue you do. The best guess I have is that just because your internal router and firewall are configured for the correct ports doesn't mean that it's configured correctly on the other side. Dealing with outside connections is just a big pain. My suggestion: keep a note of those machines that don't have the correct policy, and as they come into the office, put them on your network. Problem solved.

Edited by Raymond Hartneck


Link to post

I am trying to do a full scan, but keep being told incorrect user or password, but I am the only user of this computer. Where am I going wrong? As I am new to using computers, and know very little as I am still learning, could you please tell me what to do? It will be so much appreciated.


Link to post

Thanks for the reply

Did open up a support case with Kaspersky but getting nowhere fast with it. We use Watchguard firewalls with V10 software. All the correct ports are opened and VPN access is done through the Cisco router and associated permission groups. Normally I would agree and simply wait for the user to come into the office to push any new policies, but the problem here is that we have 4 other offices in different countries. I have to sometimes configure and then send the machines to those offices, and even then the recipient is not normally based in that office for long as they would be out meeting clients. I have gotten round part of this problem by using slave servers, but this is not a possibility in all offices as 2 of the offices are not direct employees of the company, only subcontractors, therefore a slave server is not permitted by their internal IT.

I do not believe this is necessarily down to the firewall I will be connecting to, as I have tested this with a standard router, with a mobile broadband data card, and with a standard, non routed single unmasked IP connection (home connection with no switch or router so no firewall or port blocking) and none will synchronise with the Admin console over VPN.

Any other ideas? I can provide further details of any equipment and logs if necessary.

Thanks


Link to post

How are your clients attempting to connect to the Admin Kit?

Are they doing so via NetBIOS name or IP address? If they are doing so by NetBIOS, then you will probably have to edit the HOSTS file on each of those machines to convert the name of your Admin Kit machine to the IP address, as in my experience VPN doesn't like NetBIOS names. You may have to do the same for your Admin Kit machine as well: try placing a few of your client machine IP addresses and names in the AK machine's HOSTS file and see if you can connect to them then.

We had this same problem at our company, but I got around it by setting my clients' Anti-Hacker for the networks at each end to recognize both networks (10.x.x.x on one end and 192.x.x.x on the other) as Local Networks. I did this on the AK as well. I then ensured that the client could hit the AK's public shares via My Network Places by IP \\192.x.x.x\KLSHARE\etc.... Once I knew that the other end could access the share, I knew that they could get updates from, and I could push policy updates to them. Since then, I've had no issues.

During the install of my Network Agents, I made sure to use the IP of my AK machine, so I wouldn't have a problem with where the machine was located (VPN wise), or if the machine changed its name.


Link to post

Thank you for that post, I will give this a try to see if it works.

This kind of post was what I was looking for, from someone with real life experience of the problem ;)

Thanks


Link to post

You might also need to check into DNS, and what versions of software are you using? (KAV6? Network Agent?)

If you use the admin kit, by default it will use its own server name for resolution for policies and updates, and the clients poll that server.

Now if the clients can't resolve that DNS name, or reach it due to VPN restrictions, then it won't work - obviously.

Simple checks to do: From a remoted PC, test the DNS resolution of the server. Run a Wireshark trace on the PC to ensure you can see the NA client talking to the server (or not).


Link to post

Basically, there are only some conditions to check:

- The client has to be able to reach the server on TCP 13000 if the SSL is enabled
- The client has to be able to reach the server on TCP 14000 if the SSL is disabled
- The server has to be able to reach the client on UDP 15000 to be able to work "real time"
- The DNS name, NetBIOS name, IP address of the server (depending on the network agent settings) must be reachable by the client

I have also seen some issues related to the size of packages of the encrypted communication of the net agent through the VPN. In this case, disabling the SSL for the network agent helps to solve the issue and the agent uses the port 14000 TCP instead of 13000 TCP.

Cheers


Link to post
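
The client-side conditions listed in the post above (name resolution, then TCP 13000 or 14000 to the Administration Server) can be checked from a VPN-connected laptop with a short script. This is an added example, not part of the original thread or any Kaspersky tooling; the function names and the placeholder host name `adminserver.example.internal` are assumptions.

```python
import socket

# Ports named in the post above; which TCP port applies depends on whether
# SSL is enabled for the Network Agent.
AGENT_TCP_PORTS = {"ssl": 13000, "plain": 14000}


def resolve(name):
    """Return the sorted IPv4 addresses a name resolves to ([] on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host, port, timeout=3.0):
    """True only if a full TCP handshake to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_admin_server(name, ports=None, timeout=3.0):
    """Run the client-side checks: name resolution first, then each TCP port.

    Returns {"addresses": [...], "tcp": {label: bool}}. UDP 15000 is not
    probed: it runs server -> client and UDP has no handshake to confirm.
    """
    ports = AGENT_TCP_PORTS if ports is None else ports
    addresses = resolve(name)
    tcp = {}
    for label, port in ports.items():
        # Without an address there is nothing to connect to.
        tcp[label] = bool(addresses) and tcp_reachable(addresses[0], port, timeout)
    return {"addresses": addresses, "tcp": tcp}


if __name__ == "__main__":
    # Placeholder name (assumption); use the exact name or IP configured in
    # the Network Agent's connection settings.
    report = check_admin_server("adminserver.example.internal")
    print("resolved to:", report["addresses"] or "NOTHING (fix DNS/HOSTS first)")
    for label, ok in report["tcp"].items():
        print(f"TCP {AGENT_TCP_PORTS[label]} ({label}):", "open" if ok else "unreachable")
```

An empty address list points at the DNS/HOSTS problem described earlier in the thread, while a resolved name with both ports unreachable points at filtering or routing on the VPN path.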
