chillicane

KSC9 - Agent connection via Internet IP
Hi!

 

I've noticed that in KSC9, compared to Admin Kit 8, the server side will only attempt to connect to clients via the IP listed simply as 'IP Address', that is to say, the 'LAN' IP reported by the client. Since we have 150-odd machines connecting via the Internet, I need to have the server connect to these machines via the IP that is listed as 'IP address of the connection'.

I can still get a connection by queuing up tasks that get executed when the client Network Agents report in, but it's a real pain having to wait for that to occur. It also means the Admin Kit is constantly trying to connect to 'LAN IPs' which don't exist or are not actually the correct computer. My Kaspersky event logs are all full of failed connections, and a netstat shows the attempted connections constantly in progress, which seems somewhat wasteful.

If I'm unable to configure the KSC9 server to connect via the Internet IP rather than the LAN IP, then it would be nice to disable the server side connecting to clients for certain groups, so at least it's not attempting to connect and failing constantly.

I hope this makes sense; I'm happy to clarify if I've worded this badly.


Does your server resolve through DNS? Does it do so outside of your environment? If so, you might try pointing your nagent to that DNS name. Just a thought.


Yeah, I'm having trouble conveying my point, I think.

Outside nagents connecting into the server is working fine, using external DNS, and it's all working swimmingly.

It's the server connecting to the outside clients that is the problem.

I see the architecture as having two methods of communication: clients into the server (usually on a timer, say 15-minute intervals) and the server connecting to the client, which I should be able to 'force' a synchronisation through and also use the tunneling feature.

It's the server-to-client connection direction I'm having trouble with.


If I understand this correctly:

- there won't be a problem for the client (agent) to contact the server, as the agent has the fixed IP/name of the server to contact

- but the server doesn't have any fixed IP of the client to contact

So, unless there are frequent policy changes, let the client connect to the server at a reasonable time (2-4 times a day).


I've not been able to fix or work around this.

You know what, the frequency of updates isn't an issue, but one thing that is definitely happening is the Security Center side is trying to open connections to each of these machines via the LAN IP constantly, which isn't the actual machine. I've actually had an instance where tens of thousands of connections in negotiation state were hanging around on the Windows server trying to connect to these machines on the bogus IP.

Best case scenario would be for me to be able to tell the KSC to use the Internet IP based on some policy.

Even then, I would like to be able to tell the KSC to stop trying to connect to the client machines, since I know it's going to fail on the LAN IP anyway.


Hello,

 

You just have to create a Network Agent policy and disable communications from the Administration Server to managed hosts on port UDP 15000; it should help to get rid of such connections.

To manage your computers through the Internet, you can rely on the client > server connections, which happen every 15 minutes (this setting can be changed), but it won't be "real-time" management. If you want to achieve this, there is an option in the properties of each host to "maintain connection with the computer", so the server can connect to it as if the computer were in the LAN.

 

Hope this helps.

 


I could live with that; I've already slightly reduced the 'phone home' time for the policy in the clients.

Now, where exactly in the Network Agent policy do I disable 'server' > 'client' communications? The section for the UDP port you alluded to in your post has the following in the help:

Use UDP port

If this check box is selected, the connection of the client computer to the Administration Server is established through a UDP port.

By default, this check box is selected.

So if I was to disable this, would it simply force clients to phone home via TCP?

Color me confused.


I think there is something wrong in the help file, because that port is used by the Administration Server to "wake up" managed hosts in case something (policy, tasks...) has been changed on the server side.

Then, computers connect to their server through the standard port, which is TCP 13000 by default.

It is completely useless to have this option "Use UDP port" enabled when computers are managed through the Internet, because, as you highlighted, the Administration Server will try to reach them using their private IP address, and that's impossible.

Let's try disabling this option and keep us posted.


Alright, here's the test.

Currently on the admin server, the Kaspersky Admin Kit event log is filling up with Warning events such as

#1561 Host 'http://192.168.100.x:15000' is not responding

which I am assuming is the kladminserver attempting to connect to external clients.

What I have now done is to create a Network Agent policy in my group which contains only external clients. This policy has all settings inherited from the base policy, except for the UDP port option, which is now turned off.

Theoretically, after 30 minutes or so, when all my clients have received the new policy and it has been resolved on both sides, my Admin Kit should stop trying to connect to these guys!

I'll check the event log again in an hour or so and see if we have a resolution.
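As an added example (not code from this thread or from Kaspersky), here is a hypothetical Python helper for the triage step the post above does by eye: it parses warning lines of the form quoted above, counts the failures per target and port, and flags targets that sit in the RFC 1918 ranges, i.e. the 'LAN' address a client reported rather than the address it actually connects from. The log lines inside the script are constructed to look like the one quoted in the thread; the event id 1561 and port 15000 are taken from that line, and everything else (function names, the sample hosts) is the example's own.

```python
"""Hypothetical triage helper for the KSC Administration Server warnings quoted
in the thread (an added example, not a Kaspersky tool). Given event-log text of
the form
    #1561 Host 'http://192.168.100.x:15000' is not responding
it counts failures per target host and flags targets inside the RFC 1918 ranges:
the client's LAN address, which the server cannot reach when the client is on
the Internet behind NAT. All log lines below are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Matches the warning line quoted in the thread; event id, scheme, host and port
# are captured so the caller can restrict the count to the port 15000 wake-ups.
WARNING_RE = re.compile(
    r"#(?P<event>\d+)\s+Host\s+'(?P<scheme>[a-z]+)://(?P<host>[^:'/]+):(?P<port>\d+)'"
    r"\s+is not responding"
)

# Private (LAN) ranges per RFC 1918, plus APIPA. A client that reports one of
# these as its 'IP Address' while connecting from the Internet is unreachable
# on it from the server.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")
]

# Constructed sample of what the server's event log looked like in the thread.
SAMPLE_LOG = """\
#1561 Host 'http://192.168.100.10:15000' is not responding
#1561 Host 'http://192.168.100.10:15000' is not responding
#1561 Host 'http://192.168.100.23:15000' is not responding
#1561 Host 'http://10.0.5.7:15000' is not responding
#1561 Host 'http://203.0.113.45:15000' is not responding
#1561 Host 'http://192.168.100.10:13000' is not responding
Network Agent on 'LAPTOP-07' connected (constructed, unrelated line)
"""


def parse_warning(line: str) -> Optional[Tuple[int, str, int]]:
    """Return (event_id, host, port) for a 'not responding' warning, else None."""
    m = WARNING_RE.search(line)
    if m is None:
        return None
    return int(m.group("event")), m.group("host"), int(m.group("port"))


def is_lan_address(host: str) -> bool:
    """True if host is a literal IPv4 address in a LAN range. DNS names are not
    classified here, because resolving them would need the network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def summarize(log_text: str, event_id: int = 1561,
              port: int = 15000) -> Tuple[Dict[str, int], List[str]]:
    """Count failures per target host for the given event id and port, and list
    the targets that are LAN addresses (the attempts that can never succeed)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        parsed = parse_warning(line)
        if parsed is None:
            continue
        ev, host, p = parsed
        if ev == event_id and p == port:
            counts[host] += 1
    lan_targets = sorted(h for h in counts if is_lan_address(h))
    return dict(counts), lan_targets


if __name__ == "__main__":
    counts, lan_targets = summarize(SAMPLE_LOG)
    for host, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        tag = "LAN address, unreachable from the server" if host in lan_targets else "routable"
        print(f"{host:<16} {n:>4} failures  ({tag})")
    print(f"{len(lan_targets)} of {len(counts)} failing targets are LAN addresses; "
          "those hosts belong in the group whose Network Agent policy has 'Use UDP port' off")
```

Run against the real event log export, the LAN-address list is the set of hosts to move into the external-clients group described in the post; a target that is routable but still failing points at a different problem (firewall, host offline) rather than the LAN-IP mismatch this thread is about.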
