Question for a multi-site deployment

[SIIL-IT1]

We have been using KSC 10 for a long while to provide AV management across multiple locations and all the bigger locations had a local KSC instance that was a slave of the main server. After a network upgrade to improve our connections to our other locations, we have just built a KSC 11 (11.0.0.1131) server and are now in the process of deploying Endpoint Security (11.1.0.15919) & Security 4 Windows Server (10.1.1.746). As well as the endpoint protection, we are looking to utilize the disk encryption, software management/patching and mobile device management. Question 1: As we now have a decent network, what would be the better option for our larger offices?

1. Slave Server on site
2. Virtual server on the main KSC install for each location with a local distribution point on site
3. Distribution points set off the KSC instance using Administrator Groups

Question 2: We have servers in the DMZ as well as a number of remote workers who we want to protect. Will a distribution point in the DMZ be able to service both the DMZ and remote workers as long as we set the connection gateway on the distribution point to an externally resolvable DNS name? Would a slave server be a better alternative? Also, the plan is to throw mobile phones into the mix too! Does the iOS MDM server need to be in the DMZ? If so, can it be installed on the distribution point? Question 3: Am I right in thinking that external users will only need the following ports

1. TCP 13000
2. TCP 17000
3. UDP 15000
4. UDP 15111
5. TCP 13292
6. TCP 17100

Question 4: Is there a page anywhere that explains connection profiles and policy profiles Thanks in advance for any guidance

[KarDip]

Hi SIIL-IT1 and welcome to the new Kaspersky Community Forum. Lots of discussion topics, lets start below URL. https://help.kaspersky.com/KSC/11/en-US/92238.htm Thank you.

[SIIL-IT1]

Thanks for the link KarDip, I ended up going with https://help.kaspersky.com/KSC/11/en-US/92239.htm as more appropriate for our setup but I have some questions. I've done the first step, the manual install of the Network Agent, ticking the option to "Use Network Agent as connection gateway in DMZ" My problem is the next section...

1. A dedicated administration group must be created on the Administration Server; in the properties of this group, the DMZ device must be assigned the connection gateway status by address. You must not add any devices to this administration group.

I don't see any option to do this in the properties of the group? Also... For the connection gateway in the DMZ, the Administration Server creates a certificate signed with the Administration Server certificate. If the administrator decides to assign a custom certificate to the Administration Server, it must be done before a connection gateway is created in the DMZ. We've integrated with our PKI & have an external address sub.domain.com, Will it create the certificate with the external address we've already set?