kav_newbie
Posted

Dear Expert,

What is the de facto for Kaspersky Next if the requirement is to look like this?

1. endpoints are located on-premise, and some endpoints are deployed remotely

2. endpoints on-premise; some have internet access, some are part of intranet only, having no direct internet access

3. single management console for endpoints situated locally and externally with centralized repository for signature updates

I am thinking of these approaches.

a. create a distribution point

b. creating a hierarchy of Administration Servers

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

 

Tahmeed702
Posted
11 hours ago, kav_newbie said:

Dear Expert,

What is the de facto for Kaspersky Next if the requirement is to look like this?

1. endpoints are located on-premise, and some endpoints are deployed remotely

2. endpoints on-premise; some have internet access, some are part of intranet only, having no direct internet access

3. single management console for endpoints situated locally and externally with centralized repository for signature updates

I am thinking of these approaches.

a. create a distribution point

b. creating a hierarchy of Administration Servers

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

 

Simply put, if every workstation in your infrastructure can be connected to a central server, it can be managed by on-premise KSC, and you don't need to configure a Distribution Point. Configuring DP/Master-Slave is difficult, and sometimes connections break down easily and are difficult to troubleshoot. I would recommend using on-premise KSC if all workstations have centralized connectivity with a server, and not deploying through Master-Slave or DP architecture until workstations do not require internet access to stay up to date; updates are downloaded from KSC.

kav_newbie
Posted

Thank you, @Tahmeed702, for always giving your best shot.

Having said that, in your reply I haven't read how the KSC On-prem manages endpoints that are part of my network but spend most of their time working outside of our network. How could our Kaspersky on-prem enforce policies?

Tahmeed702
Posted
17 minutes ago, kav_newbie said:

Thank you, @Tahmeed702, for always giving your best shot.

Having said that, in your reply I haven't read how the KSC On-prem manages endpoints that are part of my network but spend most of their time working outside of our network. How could our Kaspersky on-prem enforce policies?

Then you may deploy in two schemas: one using KSC on-prem, and for workstations which are out of the network but have internet you can deploy using cloud.kaspersky.com or ksc.kaspersky.com.

kav_newbie
Posted

Then you may deploy in two schemas: one using KSC on-prem, and for workstations which are out of the network but have internet you can deploy using cloud.kaspersky.com or ksc.kaspersky.com. ---- The drawback here would be how to control the license. What would be the treatment in terms of licensing if I have one activation code loaded for on-prem and cloud management? E.g., I have 350 endpoints.

 

Posted
On 6/16/2025 at 8:21 PM, kav_newbie said:

Then you may deploy in two schemas: one using KSC on-prem, and for workstations which are out of the network but have internet you can deploy using cloud.kaspersky.com or ksc.kaspersky.com. ---- The drawback here would be how to control the license. What would be the treatment in terms of licensing if I have one activation code loaded for on-prem and cloud management? E.g., I have 350 endpoints.

 

There is no problem with deployment in two schemas: on-premises and cloud. If you deploy on-premises, I recommend using a keyfile and cloud through an activation code, but you can manage the same workstation from both on-premises and cloud. For example, 100 workstations connected to an on-premises KSC cannot be managed by cloud simultaneously, but the remaining 250 can be managed by cloud if they have internet connectivity.

Posted

Thank you so much for your invaluable insights. Kudos to you.

kav_newbie
Posted

@Tahmeed702

Is it possible or is it a good practice to do port forwarding (virtual IP) in my firewall so that endpoints outside of my network can reach my on-prem KSC through its NATed IP? I will allow only the allowed services (1300-1500 TCP/UDP) to enforce security. With this, I have a single management console only to access, whether I need to modify the settings or policy of endpoints for internal and external. 

 

Tahmeed702
Posted
1 hour ago, kav_newbie said:

@Tahmeed702

Is it possible or is it a good practice to do port forwarding (virtual IP) in my firewall so that endpoints outside of my network can reach my on-prem KSC through its NATed IP? I will allow only the allowed services (1300-1500 TCP/UDP) to enforce security. With this, I have a single management console only to access, whether I need to modify the settings or policy of endpoints for internal and external. 

 

Are you configuring IPsec tunneling so that workstations can communicate with the KSC server? If you do that, that's okay. But you cannot expose KSC to the internet or make it publicly interfaced; that can be vulnerable to exploits.
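An added example, not part of the thread and not Kaspersky tooling: a check for the configuration discussed above, a port forward that publishes the on-prem KSC on 1300-1500 TCP/UDP, versus the same forward limited to tunnel clients. It assumes a Linux firewall whose NAT table was dumped with iptables-save (IPv4 only); the addresses, interface names and VPN subnet are constructed.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format (not taken from the thread).
# 10.0.0.10 stands in for the on-prem KSC, 10.8.0.0/24 for a VPN client pool.
SAMPLE_RULES = """\
-A PREROUTING -i wan0 -p tcp -m tcp --dport 1300:1500 -j DNAT --to-destination 10.0.0.10
-A PREROUTING -i wan0 -p udp -m udp --dport 1300:1500 -j DNAT --to-destination 10.0.0.10
-A PREROUTING -s 10.8.0.0/24 -i tun0 -p tcp -m tcp --dport 1300:1500 -j DNAT --to-destination 10.0.0.10
-A PREROUTING -i wan0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.20:443
"""

def parse_rule(line):
    """Map each option of one iptables-save rule to the token that follows it."""
    tokens = shlex.split(line)
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def port_span(dport):
    """Number of ports covered by a --dport value such as '443' or '1300:1500'."""
    lo, _, hi = dport.partition(":")
    return int(hi or lo) - int(lo) + 1

def audit(rules_text, server_ip, trusted_nets):
    """Return DNAT rules that publish server_ip to sources outside trusted_nets."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A"):
            continue
        opts = parse_rule(line)
        target = opts.get("--to-destination", "").split(":")[0]
        if opts.get("-j") != "DNAT" or target != server_ip:
            continue
        # A negated match ("!") is not interpreted here; treat it as any source.
        source = "0.0.0.0/0" if "!" in line.split() else opts.get("-s", "0.0.0.0/0")
        src_net = ipaddress.ip_network(source, strict=False)
        if any(src_net.subnet_of(t) for t in trusted):
            continue  # forward is reachable only from the tunnel/client pool
        dport = opts.get("--dport", "0:65535")
        findings.append((opts.get("-p", "all"), dport, port_span(dport), str(src_net)))
    return findings

if __name__ == "__main__":
    for proto, dport, span, src in audit(SAMPLE_RULES, "10.0.0.10", ["10.8.0.0/24"]):
        print(f"exposed: {proto} {dport} ({span} ports) reachable from {src}")
```

On the constructed sample, the two `wan0` forwards are reported (201 ports each, open to any source), while the rule restricted to the tunnel subnet and the unrelated 443 forward are not.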
