randomit5

Direct external access to KSC without Connection Gateway

We are using Kaspersky Security Center 10.

We have been looking at the best way to have remote laptop users still be able to phone home / update while on the go.  I have come across the instructions for utilizing a connection gateway here: https://support.kaspersky.com/13756

My question is - is there any harm in just opening up port 13000 directly to the KSC server, without using a connection gateway?  We do not utilize a DMZ here, so if we set up a connection gateway it would be on the same LAN the KSC server is on anyway, so why not directly connect to the KSC server?

Please let me know if I need to clarify further what we are trying to do.  Thanks.

Hello!

If you just open the 13000 TCP, it will not help because the machines won't have the address to connect to. 

Thanks!

What if we used "klmover -address xxx.xxx.xxx.xxx" to point the computers to the external location? Or set up new clients and used the external IP? Is there anything wrong with opening up the port for direct access externally like that?

If that is a problem, what is the appropriate way to allow external clients to connect up to Kaspersky Security Center?

Hello!

The klmover utility is used to reconnect the agent to another KSC.

If you need to connect an external agent to KSC it is better to use a VPN connection so the agent has a direct connection to the server.

Thanks!

The correct answer is this: Use the same DNS address for both internal and external connections to Kaspersky Security Center. For instance, your inside computers see av.yourdomain.com as a private IP. You create an external DNS entry for your public domain to resolve the same DNS name, av.yourdomain.com. It will resolve to your firewall IP. You port the 13000 through your firewall to the Kaspersky administration server. We have had it running like this for over a year. The only risk would be if a hacker was somehow able to hack the Kaspersky open port and gain access to the Kaspersky server. I don't know how much of a risk that is in reality. By using the DNS in this way, computers can move from inside the network to outside with no need to change any settings.

Edited by FLTech
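
An added example, not part of the post above or of any Kaspersky tooling: a small Python check of the layout described there, confirming that the internal DNS view returns a private address, the external view returns a public one, and the firewall forwards only TCP 13000 to the server. The function names, rule tuple format and all IP addresses are assumptions constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AGENT_PORT = 13000  # the port the thread discusses forwarding

def is_rfc1918(addr):
    """True if addr is in a private (RFC 1918) range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_exposure(name, internal, external, forwards):
    """Return a list of findings; an empty list means the layout matches the post.

    internal/external: A-record answers for `name` from each DNS view.
    forwards: firewall rules as (public_ip, public_port, inside_ip, inside_port).
    """
    findings = []
    if not internal or not all(is_rfc1918(a) for a in internal):
        findings.append(f"internal view of {name} should return only private addresses")
    if not external:
        findings.append(f"external view has no record for {name}; roaming agents cannot connect")
    leaked = [a for a in external if is_rfc1918(a)]
    if leaked:
        findings.append(f"external view returns private address(es) {leaked}")
    for pub_ip, pub_port, in_ip, in_port in forwards:
        if in_ip not in internal:
            continue  # rule targets some other host
        if (pub_port, in_port) != (AGENT_PORT, AGENT_PORT):
            findings.append(f"extra forward {pub_ip}:{pub_port} -> {in_ip}:{in_port} "
                            f"exposes more than TCP {AGENT_PORT}")
    agent_fwd = [f for f in forwards
                 if f[0] in external and f[1] == AGENT_PORT and f[2] in internal]
    if external and internal and not agent_fwd:
        findings.append(f"no forward of TCP {AGENT_PORT} from the external address to the server")
    return findings

# Constructed sample data (not from the thread); 203.0.113.0/24 is a documentation range.
GOOD = dict(internal=["10.20.0.15"], external=["203.0.113.10"],
            forwards=[("203.0.113.10", 13000, "10.20.0.15", 13000)])
BAD = dict(internal=["10.20.0.15"], external=["10.20.0.15"],
           forwards=[("203.0.113.10", 13000, "10.20.0.15", 13000),
                     ("203.0.113.10", 3389, "10.20.0.15", 3389)])

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_exposure("av.yourdomain.com", **cfg) or "ok")
```

The `BAD` sample reports three findings: the external view hands out the private address, a second port is forwarded to the same server, and no TCP 13000 forward matches the external record.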

That was pretty much exactly what I was thinking to do, I just wanted to proof of concept it first, or see if there was any caveat I was missing.  Has this worked well for you guys?  Our license actually runs out in June and we are shopping AV vendors.  I actually like a lot of the functionality of KSC and was trying to see if it could be competitive to some of the Cloud hosted AV solutions, as far as capability for keeping an eye on all our machines.

Yes, as I said, we have been running it this way for over a year.
