Kaspersky Endpoint Security for Linux

Light Agent mode

The settings described in this section apply only if Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments.

Running Kaspersky Endpoint Security in Light Agent mode requires constant interaction between the Light Agent and the Protection Server installed on the SVM. If there is no connection to the Protection Server, the Light Agent cannot transfer file fragments to the Protection Server for scanning, and scanning is not performed.

To interact with the Protection Server, the Light Agent establishes and maintains a connection to the SVM on which this Protection Server is installed.

You can configure the following settings for connecting the Light Agent to the SVM:

  • SVM detection method. You can select the method that Light Agents use to discover SVMs available to connect to. The Light Agent can discover SVMs running on the network in one of the following ways:
    • Using the Integration Server. SVMs transmit information about themselves to the Integration Server. The Integration Server generates a list of SVMs available for connection and provides it to Light Agents.

      To use this method of detecting SVMs, you need to connect SVMs and Light Agents to the Integration Server.

    • Using a list of SVM addresses. You can specify a list of SVM addresses to which Light Agents can connect.
  • SVM selection algorithm for connecting. After receiving information about available SVMs, the Light Agent selects the optimal SVM to connect to in accordance with the SVM selection algorithm. You can specify which algorithm Light Agents should use when selecting an SVM to connect to.
  • Connection tags. You can use connection tags to control Light Agents' connection to SVMs. If you use connection tags, a Light Agent can only connect to SVMs that are configured to use that connection tag.
  • Protection of the connection between the Light Agent and the Protection Server. You can use encryption to protect the connection between Light Agents and Protection Servers.

For more information about the settings for connecting the Light Agent to the SVM, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.


Connection to the Integration Server

The settings described in this section apply only if Kaspersky Endpoint Security is used in Light Agent mode for protecting virtual environments.

A connection to the Integration Server is required if you want Light Agents to receive information about the SVM through the Integration Server, or if you want to protect the connection between the Protection Server and the Light Agent.

This window displays the current settings for connecting Light Agents to the Integration Server: address and port for connecting. The Edit button opens the Connection to the Integration Server window, where you can configure the connection to the Integration Server.


Connection to the Integration Server window

In this window, you can specify or change the settings for connecting Light Agents to the Integration Server.

Integration Server connection settings

Setting

Description

Address

IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

If the device on which Kaspersky Security Center Administration Console is installed is part of a domain, the field indicates the domain name of this device by default.

If the device on which the Kaspersky Security Center Administration Console is installed is not part of a domain or the Integration Server is installed on another device, the field must be filled in manually.

If a NetBIOS name, "localhost", or 127.0.0.1 is specified as the address, the connection to the Integration Server fails with an error.

Port

Port for connecting to the Integration Server.

Port 7271 is used by default.


Verify Integration Server certificate window

This window appears if the SSL certificate received from the Integration Server contains an error or is not trusted.

You can click the link in the window to view the details of the received certificate.

If you encounter problems with an SSL certificate, we recommend making sure that the data transmission channel you are using is secure.

To continue connecting to the Integration Server, click the Ignore button. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed.
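
Before clicking Ignore, the received certificate can be compared with a fingerprint read directly on the Integration Server host. The Python code below is an added example, not Kaspersky code; the host name in the usage comment is hypothetical, and 7271 is the default port named in this Help.

```python
import hashlib
import hmac
import ssl


def sha256_fingerprint(der_cert):
    """Lower-case hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fingerprint):
    """Drop the separators and upper case that certificate viewers add."""
    return "".join(c for c in fingerprint.lower() if c in "0123456789abcdef")


def fetch_der(host, port=7271):
    """Fetch the server's leaf certificate WITHOUT validating it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def certificate_matches(der_cert, reference_fp):
    """True only if the received certificate has the reference fingerprint.

    Pass the fingerprint value only (no "SHA256 Fingerprint=" prefix).
    """
    ref = normalize(reference_fp)
    if len(ref) != 64:          # not a complete SHA-256 value
        return False
    return hmac.compare_digest(sha256_fingerprint(der_cert), ref)


# Usage (hypothetical host name; reference value obtained out of band):
#   certificate_matches(fetch_der("is.corp.example"), "AB:CD:...")
```

If the function returns False, the certificate offered on the network is not the one installed on the Integration Server, and it should not be accepted as trusted.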


Authentication on the Integration Server window

This window appears if the device hosting the Kaspersky Security Center Administration Console does not belong to a domain or your account does not belong to the KLAdmins local or domain group or to the local administrator group.

Specify the password of the Integration Server administrator (password of the admin account) and click the OK button.

Make sure that the password complexity and anti-brute-force mechanisms are sufficient to prevent the password from being guessed within 6 months.

After connecting to the Integration Server with administrator rights, the policy automatically receives the password of the agent account, which is used to connect Light Agents to the Integration Server.


SVM discovery settings

The settings described in this section apply only if Kaspersky Endpoint Security is used in Light Agent mode for protecting virtual environments.

In this window, you can select the method that Light Agents use to discover SVMs available to connect to.

SVM discovery settings

Setting

Description

Use the Integration Server

If this option is selected, the Light Agent connects to the Integration Server to get a list of SVMs available for connection and their details.

If you want to use the Integration Server, you need to configure the settings for connecting Light Agents to the Integration Server.

Use a custom list of SVM addresses

If this option is selected, you can specify a list of SVMs that Light Agents managed by this policy can connect to. Light Agents will only connect to SVMs specified in the list.

List of SVMs

A list of IP addresses in IPv4 format or fully qualified domain names (FQDNs) of the SVMs to which Light Agents managed by the policy can connect.

Click Add to open a window in which you can specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the SVM. You can enter multiple IP addresses or FQDNs of SVMs, each on a new line.

Specify only fully qualified domain names (FQDNs) that map to a single IP address. Using a fully qualified domain name that corresponds to multiple IP addresses can lead to errors in the application.

You can delete addresses selected in the list by clicking the Delete button.

The list of SVM addresses is displayed if the Use a custom list of SVM addresses option is selected.

If you select the Use a custom list of SVM addresses option, the Light Agent is using the extended SVM selection algorithm, and large infrastructure protection mode is enabled on an SVM (for more information, see the Kaspersky Security for Virtualization Light Agent Help), then connecting a Light Agent to this SVM is only possible if the SVM path is ignored. In the SVM selection algorithm section, you need to set the SVM path setting to Ignore SVM path. If any other value is set, Light Agents will not be able to connect to the SVM.
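
The address rules stated for the Integration Server Address field (IPv4 or FQDN; a NetBIOS name, "localhost" or 127.0.0.1 fails) and for the list of SVMs (IPv4 or FQDN, one per line, each FQDN mapping to a single IP address) can be checked before the list is entered in the policy. The Python code below is an added example, not Kaspersky code; applying the loopback and single-label checks to SVM entries as well is an assumption, and the file name in the usage comment is hypothetical.

```python
import ipaddress
import re
import socket

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def system_resolver(name):
    """Return the set of IPv4 addresses that `name` currently resolves to."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    return {info[4][0] for info in infos}


def check_address(entry, resolver=system_resolver):
    """Return the problems found in one address entry (empty list = usable)."""
    entry = entry.strip()
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version != 4:
            return ["not an IPv4 address"]
        return ["loopback address"] if ip.is_loopback else []
    name = entry.rstrip(".")
    labels = name.split(".")
    if name.lower() == "localhost":
        return ["localhost"]
    if not all(LABEL.match(label) for label in labels):
        return ["not a valid host name"]
    if len(labels) < 2:
        return ["single-label (NetBIOS-style) name, not an FQDN"]
    if labels[-1].isdigit():          # e.g. 10.0.0.300
        return ["malformed IPv4 address"]
    try:
        ips = resolver(name)
    except OSError as exc:            # socket.gaierror is an OSError
        return [f"does not resolve: {exc}"]
    if len(ips) != 1:
        return [f"resolves to {len(ips)} addresses"]
    return []


def check_list(text, resolver=system_resolver):
    """Validate a newline-separated list; return {entry: [problems]}."""
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    return {entry: check_address(entry, resolver) for entry in entries}
# Usage: check_list(open("svm_addresses.txt").read())  # hypothetical file name
```

Run the check from a network segment that uses the same DNS servers as the protected virtual machines, because the single-address requirement depends on what the Light Agents themselves resolve.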


SVM connection tag

In this window, you can enable the Light Agent to use tags and assign a tag that the Light Agent will use to connect.

Make sure that the use of connection tags is also configured in the Protection Server settings. For more information, see the Help for Kaspersky Security for Virtualization Light Agent. Light Agents assigned a tag can only connect to SVMs that are allowed to connect to Light Agents with that tag.

Settings for using connection tags

Setting

Description

Use tags for connecting Light Agents

The check box enables or disables the use of SVM connection tags by the Light Agent.

Tag

A tag that is assigned to Light Agents.

You can enter a text string of up to 255 characters as a tag. You can use any character except the ; character.

This field is available if the Use tags for connecting Light Agents check box is selected.


SVM selection algorithm

In this window, you can specify which SVM selection algorithm Light Agents for Linux should use, and configure the settings for using the extended SVM selection algorithm.

    SVM selection algorithm

    Setting

    Description

    Use the standard SVM selection algorithm

    If this option is selected, after installing and running on a virtual machine, the Light Agent selects an SVM to connect to that is local to the Light Agent. For more details, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

    If there are no local SVMs available for connection, the Light Agent selects the SVM that has the fewest Light Agents connected, regardless of the location of the SVM in the virtual infrastructure.

    This option is selected by default.

    Use the extended SVM selection algorithm

    If this option is selected, you can use the SVM path slider to specify how the SVM's location in the virtual infrastructure will be taken into account when determining whether the SVM is local relative to the Light Agent. The Light Agent will only be able to connect to SVMs that are local.

    You can also specify that the SVM path in the virtual infrastructure should not be taken into account when selecting an SVM to connect to.

    When selecting an SVM, Light Agents consider the number of Light Agents connected to the SVM to ensure an even distribution of Light Agents among the SVMs available to connect to.

    SVM path

    Allows you to specify the type of SVM path in the virtual infrastructure, which is taken into account when selecting SVMs for connection:

    • Hypervisor. The Light Agent selects an SVM to connect to that meets the criteria (depending on the type of virtual infrastructure):
      • The SVM is deployed on the same hypervisor as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the Microsoft Hyper-V, Citrix Hypervisor, VMware vSphere, KVM, Proxmox VE, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, ALT Virtualization Server, or Astra Linux platform).
      • The SVM is located in the same server group as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the TIONIX Cloud Platform or the OpenStack platform).

      If there are no SVMs available for connection on the same hypervisor or in the same Server Group where the virtual machine with the Light Agent is located, the Light Agent does not connect to the SVM.

    • Cluster. The Light Agent selects an SVM to connect to that meets the criteria (depending on the type of virtual infrastructure):
      • The SVM is deployed in the same hypervisor cluster as the virtual machine with the Light Agent installed (in a virtual infrastructure on Microsoft Hyper-V, Citrix Hypervisor, VMware vSphere, KVM, Proxmox VE, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, ALT Virtualization Server, or Astra Linux).
      • The SVM is deployed in the same OpenStack project as the virtual machine with the Light Agent installed (in a virtual infrastructure managed by the TIONIX Cloud Platform or the OpenStack platform).

      If there are no SVMs available for connection in the same hypervisor cluster or within the same OpenStack project where the virtual machine with the Light Agent is located, the Light Agent does not connect to the SVM.

    • Data center. The Light Agent selects an SVM to connect to that meets the criteria (depending on the type of virtual infrastructure):
      • The SVM is deployed in the same data center as the virtual machine with the Light Agent installed (in a virtual infrastructure on Microsoft Hyper-V, Citrix Hypervisor, VMware vSphere, KVM, Proxmox VE, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, ALT Virtualization Server, or Astra Linux).
      • The SVM is located in the same Availability Zone as the virtual machine with the Light Agent installed (in a virtual infrastructure managed by the TIONIX Cloud Platform or the OpenStack platform).

      If there are no SVMs available for connection in the same data center or Availability Zone where the virtual machine with the Light Agent is located, the Light Agent does not connect to the SVM.

    • Ignore SVM path. When selecting an SVM, the Light Agent does not consider its location.

    The Hypervisor option is selected by default.

    The option is available if the Use the extended SVM selection algorithm option is selected.

If a Light Agent uses the extended SVM selection algorithm and a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM (for more information, see the Kaspersky Security for Virtualization Light Agent Help), then connecting a Light Agent to this SVM is only possible if the SVM path is ignored. You need to set the SVM path setting to Ignore SVM path. If any other value is set, Light Agents will not be able to connect to the SVM.
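
Because a Light Agent that finds no local SVM under the extended algorithm does not connect, and scanning is not performed without a connection, it is worth checking a planned SVM path value against the inventory before applying the policy. The Python code below is an added example and a simplified model of the behaviour described in this section, not Kaspersky code. Assumptions: "local" in the standard algorithm means the same hypervisor, ties are broken by SVM name, and the inventory is constructed.

```python
from dataclasses import dataclass

# Location attribute compared for each SVM path value (None = location ignored).
PATH_KEY = {"hypervisor": "hypervisor", "cluster": "cluster",
            "datacenter": "datacenter", "ignore": None}


@dataclass
class Node:
    name: str
    hypervisor: str
    cluster: str
    datacenter: str
    agents: int = 0          # Light Agents currently connected (SVMs only)


def select_svm(vm, svms, extended=False, svm_path="hypervisor"):
    """Return the SVM the modelled Light Agent on `vm` picks, or None."""
    # Assumption: the standard algorithm treats "same hypervisor" as local.
    key = PATH_KEY[svm_path] if extended else "hypervisor"
    local = [s for s in svms if key is None or getattr(s, key) == getattr(vm, key)]
    if not local and not extended:
        local = list(svms)   # standard algorithm falls back to any SVM
    # Fewest connected Light Agents wins; name breaks ties for determinism.
    return min(local, key=lambda s: (s.agents, s.name), default=None)


def unprotected(vms, svms, **settings):
    """Names of VMs whose Light Agent would find no SVM (no scanning)."""
    return [vm.name for vm in vms if select_svm(vm, svms, **settings) is None]


# Constructed inventory: two SVMs in dc1, none in dc2.
SVMS = [Node("svm-a", "hv1", "cl1", "dc1", agents=12),
        Node("svm-b", "hv2", "cl1", "dc1", agents=3)]
VMS = [Node("vm1", "hv1", "cl1", "dc1"),
       Node("vm2", "hv3", "cl1", "dc1"),
       Node("vm3", "hv9", "cl7", "dc2")]
```

With this inventory, the default Hypervisor value leaves vm2 and vm3 without an SVM, Cluster and Data center leave only vm3, and Ignore SVM path leaves none.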


Protecting the connection

In this window, you can enable encryption of the data transmission channel between the Light Agent and the Protection Server.

Make sure that encryption of the data transmission channel between the Light Agent and the Protection Server is enabled in the Protection Server settings on the SVM. For more details, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

Connection protection settings

Setting

Description

Encrypt data channel between Light Agent and the Protection Server

Use encryption to protect the connection between Light Agents and Protection Servers.

If the check box is selected, an encrypted connection is established between the Light Agent, which is managed by policy, and the Protection Server on the SVM that the Light Agent is connecting to. A Light Agent for which connection protection is enabled can only connect to an SVM on which connection protection is enabled or an unprotected connection to the Protection Server is allowed.

If the check box is cleared, an unprotected connection is established between the Light Agent and the Protection Server on the SVM that the Light Agent is connecting to.

This check box is cleared by default.
