
Installation Solution for Machines Using Private IP


Posted

Hello, perhaps my title doesn't quite accurately reflect this situation.

Our customers currently have the following server setup: 5 servers located in an office in Vietnam, 3 AWS servers (1 in Asia, 1 in the EU, 1 in China), and 1 server placed in a different office.

They plan to install Kaspersky Security Center on the AWS server in the EU. However, the machines located in the office in Vietnam are currently using Private IP addresses and are unable to ping back and forth between the client and the server (the server located in the Vietnam office can still remote desktop to the AWS EU server). I would like to inquire in this scenario, if only ports (KSC used) are opened, will the server and client be able to communicate with each other? (Ping protocol is blocked)

Many thanks,

  • Solution
Posted

good day

I think this is quite possible, requests are not particularly needed for echo to work ... here is a summary of all ports used by KSC

https://support.kaspersky.com/KSC/14.2/en-US/158830.htm

here is more detailed information on the interaction

https://support.kaspersky.com/KSC/14.2/en-US/158520.htm

in particular client-server

https://support.kaspersky.com/KSC/14.2/en-US/158525.htm

 

with such a spread of sites, I would suggest using a hierarchy of servers, if this is acceptable in your case and available in your license (not lower than advanced)

https://support.kaspersky.com/KSC/14.2/en-US/3304.htm

https://support.kaspersky.com/KSC/14.2/en-US/158529.htm

in this way, clients will connect to their local server, and it will already be a slave to the server in the EU

https://support.kaspersky.com/KSC/14.2/en-US/183051.htm

 

  • Thanks 1
Posted
Thank you for your assistance. Based on what I've read in the documents you provided above, if we only open port 13000 on the KSC server, would that be sufficient? I noticed that port 13000 is responsible for communication between the client and server.

Because the number of client machines at this time is also quite small. Thank you.

Posted

in principle yes, but in the future you may need something else

TCP 13000 - both directions

UDP 15000 - from server to clients (for sending push notifications, for forced synchronization)

  • Thanks 1
Posted
I'd like to inquire a bit further. Because currently the server won't be able to pool client machines for remote KES installation, am I correct in assuming that I will need to create a stand-alone installation package from the KSC server and then manually install it on the clients?

In the case where I have opened port 13000 on both sides and port 15000 on the KSC server, the network agent from the client machines will automatically connect to the KSC, is that correct?

Thank you,

Posted
3 minutes ago, LouisLewis said:

am I correct in assuming that I will need to create a stand-alone installation package from the KSC server and then manually install it on the clients?

in general terms, yes, the main thing is to ensure that the administration agent on the client can connect to the server on port 13000

 

5 minutes ago, LouisLewis said:

and port 15000 on the KSC server,

I'll clarify... UDP 15000 from server to clients (clients will not call the server on this port, they will only listen on it)

8 minutes ago, LouisLewis said:

the network agent from the client machines will automatically connect to the KSC, is that correct?

yes if all settings are correct ... and the server is available for clients

  • Thanks 1
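
Because ICMP is blocked in this setup, the TCP 13000 path discussed above can be verified from a client with a plain TCP handshake instead of ping. This is an added example, not part of the original posts or of Kaspersky's tooling; the host name `ksc.example.internal` is a placeholder.

```python
import errno
import socket

KSC_AGENT_TCP_PORT = 13000  # port named in the thread for agent -> server traffic


def probe_tcp(host, port=KSC_AGENT_TCP_PORT, timeout=3.0):
    """Try a TCP handshake and classify the outcome.

    "open"       handshake completed: path allowed and a service is listening
    "refused"    RST received: path allowed, but nothing listens on the port
    "filtered"   no reply before the timeout: typical of a firewall drop
    "unresolved" the host name did not resolve
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
        except (socket.timeout, TimeoutError):
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:  # e.g. EHOSTUNREACH, ENETUNREACH
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    return "open"


ADVICE = {
    "open": "Network Agent should be able to reach the Administration Server.",
    "refused": "Firewall path is open, but the server is not listening on this port.",
    "filtered": "Packets are being dropped: check security group / firewall rules.",
    "unresolved": "Fix DNS or use the server address the agent is configured with.",
}

if __name__ == "__main__":
    # "ksc.example.internal" is a placeholder, not a host from the thread.
    result = probe_tcp("ksc.example.internal")
    print(result, "-", ADVICE.get(result, "Unexpected socket error."))
    # UDP 15000 (server -> client) has no handshake, so it cannot be
    # confirmed this way; check it with a forced synchronization from the server.
```

A "refused" result is still useful here: it shows the firewall path is open even though nothing is listening yet.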
  • 2 weeks later...
Posted
On 8/22/2023 at 1:03 PM, ElvinE5 said:

good day

I think this is quite possible, requests are not particularly needed for echo to work ... here is a summary of all ports used by KSC

https://support.kaspersky.com/KSC/14.2/en-US/158830.htm

here is more detailed information on the interaction

https://support.kaspersky.com/KSC/14.2/en-US/158520.htm

in particular client-server

https://support.kaspersky.com/KSC/14.2/en-US/158525.htm

 

with such a spread of sites, I would suggest using a hierarchy of servers, if this is acceptable in your case and available in your license (not lower than advanced)

https://support.kaspersky.com/KSC/14.2/en-US/3304.htm

https://support.kaspersky.com/KSC/14.2/en-US/158529.htm

in this way, clients will connect to their local server, and it will already be a slave to the server in the EU

https://support.kaspersky.com/KSC/14.2/en-US/183051.htm

 

Hello, I followed your instructions and successfully installed it on machines using the Windows operating system. However, I'm encountering a slight issue with machines running MacOS.

With Windows machines, when I create a stand-alone installation package, there's an .exe file for installation. But for the MacOS installation package, I end up with 2 .sh files after creating it.

I'd like to know if there's a way for me to install it locally on a MacOS machine. I've gone through the documentation, but it's still quite unclear to me.

Posted (edited)

I can’t boast that I had the opportunity to install the solution on MacOS, in my environment they are not very common.

As for the instructions

I would start from here ... https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/118670.htm

or here - https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/127691.htm

about installing via SSH ... here - https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/127692.htm

 

I think that you can basically just copy the "SH" created by you to your device and run it as an administrator,

./install.sh --accept_eula

 

only both the agent and the security solution if you want to manage them from the center ... check the correctness of the agent connection settings before creating a standalone package

 

if I were you, I would try to deploy the solution remotely, using the appropriate tasks

 

Edited by ElvinE5
  • Thanks 1
  • 2 weeks later...
Posted
On 9/1/2023 at 2:11 PM, ElvinE5 said:

I can’t boast that I had the opportunity to install the solution on MacOS, in my environment they are not very common.

As for the instructions

I would start from here ... https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/118670.htm

or here - https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/127691.htm

about installing via SSH ... here - https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/127692.htm

 

I think that you can basically just copy the "SH" created by you to your device and run it as an administrator,

./install.sh --accept_eula

 

only both the agent and the security solution if you want to manage them from the center ... check the correctness of the agent connection settings before creating a standalone package

 

if I were you, I would try to deploy the solution remotely, using the appropriate tasks

 

Thank you, I ran 2 commands

sudo sh ./klmacagent

sudo sh ./kesmac11.3.0.320.sh --accept_eula

and it works for me.

And, I would like to ask if there is any way to prevent the Kaspersky client from self-deactivating?

 

Posted

there is one point here

Spoiler

[screenshot]

otherwise no, if the user is root on the device, he will be able to disable and remove the solution

  • Thanks 1
Posted
Can we force start the solution from server??

Posted (edited)

I think yes, using the remote installation task

Spoiler

[screenshot]

Of course, you will need root permissions to install the Network Administration Agent

Edited by ElvinE5
  • Thanks 1
Posted

So, we don't have any way to prevent users from closing the Kaspersky application, even on the Windows version?

But what I meant is that the client doesn't completely uninstall the application, it just exits (becomes inactive), but from the server side, I can't reactivate it myself (by clicking the start button). These client machines I mentioned earlier only open ports 13000 and 15000. Could this be the reason why I can't start the application from the server?

Can we set up an admin password to prevent clients from closing the application?

Posted

for Windows solutions you can set a password

agent

Spoiler

[screenshot]

 

KES (you can specify a domain user with different rights)

Spoiler

[screenshot]

 

26 minutes ago, LouisLewis said:

These client machines I mentioned earlier only open ports 13000 and 15000. Could this be the reason why I can't start the application from the server?

yes, make sure they are available between the server and the client for interaction. Of course, to run the application you need the agent to be connected and accept requests on UDP port 15000

 

  • Thanks 1
Posted
Thank you very much, that's what I was looking for

Posted

My client reports that after installing the endpoint, Google Chrome keeps refreshing every 30 seconds, but this issue goes away when KES is exited. Do you know what might be causing this?
