Installation Solution for Machines Using Private IP

LouisLewis · August 22, 2023

Hello, perhaps my title doesn't quite accurately reflect this situation.

Our customers currently have the following server setup: 5 servers located in an office in Vietnam, 3 AWS servers (1 in Asia, 1 in the EU, 1 in China), and 1 server placed in a different office.

They plan to install Kaspersky Security Center on the AWS server in the EU. However, the machines located in the office in Vietnam are currently using Private IP addresses and are unable to ping back and forth between the client and the server (the server located in the Vietnam office can still remote desktop to the AWS EU server). I would like to inquire in this scenario, if only ports (KSC used) are opened, will the server and client be able to communicate with each other? (Ping protocol is blocked)

Many thanks,

ElvinE5 · August 22, 2023

good day

I think this is quite possible, requests are not particularly needed for echo to work ... here is a summary of all ports used by KSC

https://support.kaspersky.com/KSC/14.2/en-US/158830.htm

here is more detailed information on the interaction

https://support.kaspersky.com/KSC/14.2/en-US/158520.htm

in particular client-server

https://support.kaspersky.com/KSC/14.2/en-US/158525.htm

with such a spread of sites, I would suggest using a hierarchy of servers, if this is acceptable in your case and available in your license (not lower than advanced)

https://support.kaspersky.com/KSC/14.2/en-US/3304.htm

https://support.kaspersky.com/KSC/14.2/en-US/158529.htm

in this way, clients will connect to their local server, and it will already be a slave to the server in the EC

https://support.kaspersky.com/KSC/14.2/en-US/183051.htm

LouisLewis · August 22, 2023

1 hour ago, ElvinE5 said:

good day

I think this is quite possible, requests are not particularly needed for echo to work ... here is a summary of all ports used by KSC

https://support.kaspersky.com/KSC/14.2/en-US/158830.htm

here is more detailed information on the interaction

https://support.kaspersky.com/KSC/14.2/en-US/158520.htm

in particular client-server

https://support.kaspersky.com/KSC/14.2/en-US/158525.htm

with such a spread of sites, I would suggest using a hierarchy of servers, if this is acceptable in your case and available in your license (not lower than advanced)

https://support.kaspersky.com/KSC/14.2/en-US/3304.htm

https://support.kaspersky.com/KSC/14.2/en-US/158529.htm

in this way, clients will connect to their local server, and it will already be a slave to the server in the EC

https://support.kaspersky.com/KSC/14.2/en-US/183051.htm

Thank you for your assistance. Based on what I've read in the documents you provided above, if we only open port 13000 on the KSC server, would that be sufficient? I noticed that port 13000 is responsible for communication between the client and server.

Because the number of client machines at this time is also quite small. Thank you.

ElvinE5 · August 22, 2023

in principle yes, but in the future you may need something else

TCP 13000 - both directions

UDP 15000 - from server to clients (for sending push notifications, for forced synchronization)

LouisLewis · August 22, 2023

36 minutes ago, ElvinE5 said:

in principle yes, but in the future you may need something else

TCP 13000 - both directions

UDP 15000 - from server to clients (for sending push notifications, for forced synchronization)

I'd like to inquire a bit further. Because currently the server won't be able to pool client machines for remote KES installation, am I correct in assuming that I will need to create a stand-alone installation package from the KSC server and then manually install it on the clients?

In the case where I have opened port 13000 on both sides and port 15000 on the KSC server, the network agent from the client machines will automatically connect to the KSC, is that correct?

Thank you,

ElvinE5 · August 22, 2023

3 минуты назад, LouisLewis сказал:

am I correct in assuming that I will need to create a stand-alone installation package from the KSC server and then manually install it on the clients?

in general terms, yes, the main thing is to ensure that the administration agent on the client can connect to the server on port 13000

5 минут назад, LouisLewis сказал:

and port 15000 on the KSC server,

I'll clarify... UDP 15000 from server to clients (clients will not call the server on this port, they will only listen on it)

8 минут назад, LouisLewis сказал:

the network agent from the client machines will automatically connect to the KSC, is that correct?

yes if all settings are correct ... and the server is available for clients

LouisLewis · September 1, 2023

On 8/22/2023 at 1:03 PM, ElvinE5 said:

good day

I think this is quite possible, requests are not particularly needed for echo to work ... here is a summary of all ports used by KSC

https://support.kaspersky.com/KSC/14.2/en-US/158830.htm

here is more detailed information on the interaction

https://support.kaspersky.com/KSC/14.2/en-US/158520.htm

in particular client-server

https://support.kaspersky.com/KSC/14.2/en-US/158525.htm

with such a spread of sites, I would suggest using a hierarchy of servers, if this is acceptable in your case and available in your license (not lower than advanced)

https://support.kaspersky.com/KSC/14.2/en-US/3304.htm

https://support.kaspersky.com/KSC/14.2/en-US/158529.htm

in this way, clients will connect to their local server, and it will already be a slave to the server in the EC

https://support.kaspersky.com/KSC/14.2/en-US/183051.htm

Hello, I followed your instructions and successfully installed it on machines using the Windows operating system. However, I'm encountering a slight issue with machines running MacOS.

With Windows machines, when I create a stand-alone installation package, there's an .exe file for installation. But for the MacOS installation package, I end up with 2 .sh files after creating it.

I'd like to know if there's a way for me to install it locally on a MacOS machine. I've gone through the documentation, but it's still quite unclear to me.

ElvinE5 · September 1, 2023

I can’t boast that I had the opportunity to install the solution on MacOS, in my environment they are not very common.

As for the instructions

I would start from here ... https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/118670.htm

or here - https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/127691.htm

about installing via SSH ... here - https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/127692.htm

I think that you can basically just copy the "SH" created by you to your device and run it as an administrator,

./install.sh --accept_eula

only both the agent and the security solution if you want to manage them from the center ... check the correctness of the agent connection settings before creating a standalone package

if I were you, I would try to deploy the solution remotely, using the appropriate tasks

Edited September 1, 2023 by ElvinE5

LouisLewis · September 13, 2023

On 9/1/2023 at 2:11 PM, ElvinE5 said:

I can’t boast that I had the opportunity to install the solution on MacOS, in my environment they are not very common.

As for the instructions

I would start from here ... https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/118670.htm

or here - https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/127691.htm

about installing via SSH ... here - https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/127692.htm

I think that you can basically just copy the "SH" created by you to your device and run it as an administrator,

./install.sh --accept_eula

only both the agent and the security solution if you want to manage them from the center ... check the correctness of the agent connection settings before creating a standalone package

if I were you, I would try to deploy the solution remotely, using the appropriate tasks

Thank you, I run 2 command

sudo sh ./klmacagent

sudo sh ./kesmac11.3.0.320.sh --accpet_eula

and it's work for me.

And, I would like to ask if there is any way to prevent the Kaspersky client from self-deactivating?

ElvinE5 · September 13, 2023

there is one point here

Спойлер

otherwise no, if the user is on the device root, he will be able to disable and remove the solution

LouisLewis · September 14, 2023

14 hours ago, ElvinE5 said:

there is one point here

Hide contents

otherwise no, if the user is on the device root, he will be able to disable and remove the solution

Can we force start the solution from server??

ElvinE5 · September 14, 2023

I think yes, using the remote installation task

Спойлер

Of course, you will need root permissions to install the Network Administration Agent

Edited September 14, 2023 by ElvinE5

LouisLewis · September 14, 2023

So, we don't have any way to prevent users from closing the Kaspersky application, even on the Windows version?

But what I meant is that the client doesn't completely uninstall the application, it just exits (becomes inactive), but from the server side, I can't reactivate it myself (by clicking the start button). These client machines I mentioned earlier only open ports 13000 and 15000. Could this be the reason why I can't start the application from the server?

Can we set up an admin password to prevent clients from closing the application?

ElvinE5 · September 14, 2023

for Windows solutions you can set a password

agent

Спойлер

KES (you can specify a domain user with different rights)

Спойлер

26 минут назад, LouisLewis сказал:

These client machines I mentioned earlier only open ports 13000 and 15000. Could this be the reason why I can't start the application from the server?

yes, make sure they are available between the server and the client for interaction. Of course, to run the application you need the agent to be connected and accept requests on UDP port 15000

LouisLewis · September 14, 2023

3 minutes ago, ElvinE5 said:

for Windows solutions you can set a password

agent

Hide contents

KES (you can specify a domain user with different rights)

Hide contents

yes, make sure they are available between the server and the client for interaction. Of course, to run the application you need the agent to be connected and accept requests on UDP port 15000

Thank you very much, that's what i was looking for

LouisLewis · September 14, 2023

My client reports that after installing the endpoint, Google Chrome keeps refreshing every 30 seconds, but this issue goes away when KES is exited. Do you know what might be causing this?

ElvinE5 · September 14, 2023

No, I have not encountered such behavior. try contacting technical support.

https://companyaccount.kaspersky.com

First, fix all sorts of classic problems in the application. Reboot your device.

Installation Solution for Machines Using Private IP

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Please sign in to comment