Kaspersky Security for Virtualization 6.0 Agentless

Installing the application

Installation of Kaspersky Security consists of the following steps:

  1. Installation of the Kaspersky Security administration plug-in(s) and Integration Server.

    Regardless of the selected application usage option, you need to install the Kaspersky Security main administration plug-in, Integration Server, and Integration Server Console.

    If you want to use the application in multitenancy mode, you also need to install the Kaspersky Security administration plug-in for tenants.

    When the Kaspersky Security Center Administration Console starts for the first time after the Kaspersky Security administration plug-ins are installed, the Quick Start Wizard for the managed application is automatically started. The Wizard lets you create default policies and tasks.

    If the Quick Start Wizard for the managed application was not started automatically, it is recommended to start it manually. Default policies let you register events and display protected virtual machines in the Kaspersky Security Center Administration Console immediately after installing the application.

  2. Configuring the settings for connecting the Integration Server to one or more virtual infrastructure administration servers.
  3. Registering Kaspersky Security services in VMware NSX Manager.

    If you want to install the File Threat Protection component, you need to register the file system protection service (Kaspersky File Antimalware Protection).

    If you want to install the Network Threat Protection component, you need to register the network protection service (Kaspersky Network Protection).

    The settings required for registration and deployment of Kaspersky Security services are entered through a Wizard that is started from the Integration Server Console. When you have finished entering the settings, Integration Server registers the Kaspersky Security services in VMware NSX Manager.

    In the VMware vSphere Web Client console, you can verify that registration of Kaspersky Security services completed successfully.

  4. Deploying SVMs with the File Threat Protection component and SVMs with the Network Threat Protection component on VMware ESXi hypervisors. Deployment of SVMs is performed in the VMware vSphere Web Client console.

    After SVMs are deployed, the Integration Server sends each new SVM the configuration settings that you specified when you registered Kaspersky Security services.

    Kaspersky Security Center places the deployed SVMs in KSC clusters.

  5. Configuration of NSX Security Groups and NSX Security Policies.

    To protect virtual machines, you need to do the following in the VMware vSphere Web Client console:

    1. Include virtual machines in one or more NSX Security Groups.
    2. Configure one or more NSX Security Policies and apply the security policies to the NSX Security Groups.
  6. Getting started.

    After the application is installed, you must activate the application on all new SVMs, make sure that the application databases have been updated on all new SVMs, and configure the application operation settings by using a policy.

If you want to use the application in multitenancy mode, you need to configure protection of tenant organizations after the application is installed.

Installation of the Kaspersky Security main administration plug-in and Integration Server

Prior to beginning installation of the Kaspersky Security main administration plug-in, Integration Server, and Integration Server Console, it is recommended to close the Kaspersky Security Center Administration Console.

You can install the Kaspersky Security main administration plug-in, Integration Server, and the Integration Server Console by using one of the following methods:

  • In interactive mode using the Wizard.
  • Via the command line.

The main administration plug-in for Kaspersky Security and Integration Server components should be installed using an account that has software installation privileges (for example, an account from the group of local administrators).

The Kaspersky Security main administration plug-in and Integration Server Console must be installed on the computer on which the Kaspersky Security Center Administration Console is installed. The Integration Server must be installed on the computer on which the Administration Server of Kaspersky Security Center is installed.

The Microsoft .NET Framework 4.6.1 platform is required for installation of the Integration Server, Integration Server Console, and Kaspersky Security administration plug-in. You can install the Microsoft .NET Framework 4.6.1 platform in advance or it will be installed automatically during the installation of Kaspersky Security application components. If there are any problems with the installation of Microsoft .NET Framework 4.6.1, make sure that Windows updates KB2919442 and KB2919355 have been installed on the computer.

Depending on the availability of Kaspersky Security Center components installed on the computer, the following operations are performed once installation is started:

  • If only the Administration Console of Kaspersky Security Center is installed on the computer, the Kaspersky Security administration plug-in and the Integration Server Console are installed.
  • If the Kaspersky Security Center Administration Server and the Administration Console of Kaspersky Security Center are installed on the computer, the Kaspersky Security administration plug-in, the Integration Server, and the Integration Server Console are installed.

A secure SSL connection is used for interaction between the Integration Server and the Integration Server Console, SVMs, the VMware vCenter Server, and VMware NSX Manager. To eliminate known SSL protocol vulnerabilities in the operating system, the changes described in the Microsoft technical support database are made to the operating system registry during installation of the Integration Server. These changes disable the following encryption ciphers and protocols:

  • SSL 3.0
  • SSL 2.0
  • AES 128
  • RC2 40/56/128
  • RC4 40/56/64/128
  • 3DES 168
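
One way to confirm the registry changes listed above after installation, as an added example that is not part of the Kaspersky Help or product. It reads the standard Windows SCHANNEL keys, which are machine-wide and therefore apply to every application on the server that uses SCHANNEL; the mapping from the names in the list to SCHANNEL subkey names and the function names are assumptions.

```powershell
# Added example (not vendor code). Registry locations are the standard SCHANNEL
# ones documented by Microsoft; mapping the Help's names onto them is an assumption.

$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Name used in the Help -> SCHANNEL subkeys expected to be disabled
$Expected = [ordered]@{
    'SSL 2.0'  = 'Protocols\SSL 2.0\Server', 'Protocols\SSL 2.0\Client'
    'SSL 3.0'  = 'Protocols\SSL 3.0\Server', 'Protocols\SSL 3.0\Client'
    'AES 128'  = @('Ciphers\AES 128/128')
    'RC2'      = 'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128', 'Ciphers\RC2 128/128'
    'RC4'      = 'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 64/128', 'Ciphers\RC4 128/128'
    '3DES 168' = @('Ciphers\Triple DES 168')
}

function Get-SchannelState {
    param([Parameter(Mandatory)][string]$SubKey)

    # Cipher key names contain '/', which the PowerShell registry provider
    # treats as a path separator, so the .NET registry API is used instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelRoot\$SubKey")
    if ($null -eq $key) { return 'NotConfigured' }    # key absent: OS default applies
    try {
        $enabled = $key.GetValue('Enabled')
    } finally {
        $key.Close()
    }

    if ($null -eq $enabled) { return 'NotConfigured' } # value absent: OS default applies
    if ([int]$enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Test-IntegrationServerSchannel {
    foreach ($name in $Expected.Keys) {
        foreach ($subKey in $Expected[$name]) {
            $state = Get-SchannelState -SubKey $subKey
            [pscustomobject]@{
                HelpName = $name
                SubKey   = $subKey
                State    = $state
                Matches  = ($state -eq 'Disabled')
            }
        }
    }
}

$report = Test-IntegrationServerSchannel
$report | Format-Table -AutoSize

# 'NotConfigured' is not necessarily a finding: it means the Windows default for
# that protocol or cipher is in effect and has to be judged per OS version.
$drift = @($report | Where-Object { -not $_.Matches })
if ($drift.Count) {
    Write-Warning "$($drift.Count) SCHANNEL entries are not explicitly disabled"
}
```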

While the Integration Server is being installed, the Integration Server's self-signed SSL certificate used for establishing a secure connection with the Integration Server is installed in the operating system registry. If necessary, you can replace the SSL certificate of the Integration Server (the certificate replacement procedure is described in the Knowledge Base).

If the Integration Server was previously installed in your virtual infrastructure and you removed it but saved data used in the operation of the Integration Server, this data is used automatically when you install the Integration Server again.

Installation in interactive mode

To install the Kaspersky Security main administration plug-in and Integration Server components in interactive mode using the Wizard:

  1. On the computer hosting the Administration Console and Administration Server of Kaspersky Security Center, start the ksv-components_6.0.0.XXX_mlg.exe file, where 6.0.0.XXX is the application version number. This file is included in the distribution kit.

    If the Kaspersky Security Center Administration Server is not installed on a computer, the Integration Server will not be installed on that computer. Only the Kaspersky Security administration plug-in and Integration Server Console will be installed.

    The Kaspersky Security Components Installation Wizard will start.

  2. Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.

    By default, the window uses the localization language of the operating system installed on the computer where the Wizard was started.

  3. Read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

    To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

    Proceed to the next step of the wizard.

  4. If the Kaspersky Security Center Administration Server is installed on the computer running the Wizard and this computer does not belong to an Active Directory domain, you must create a password for the Integration Server administrator account. The Integration Server administrator account (admin) is used for managing the Integration Server.

    Enter a password in the Password and Confirm password fields. The account name cannot be edited.

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

    Proceed to the next step of the wizard.

  5. If the Kaspersky Security Center Administration Server is installed on the computer running the Wizard and port 7271 used to connect to the Integration Server by default is busy, you must specify a port number for connecting to the Integration Server.

    In the Port field, specify a port number in the range of 1025–65536 and proceed to the next step of the Wizard.

  6. Review the information about the actions that the Wizard will perform and click Next to begin performing the listed actions.
  7. Wait for the wizard to finish.

    If an error occurs during wizard operation, the wizard rolls back the changes made.

  8. Click Finish to close the Wizard window.

Information about the operation of the Wizard is written to Kaspersky Security Components Installation Wizard trace files. If the Wizard ended with an error, you can use these files when contacting Technical Support.

Installing via the command line

Prior to installing the administration plug-in, it is recommended to carefully read the text of the End User License Agreement and the Privacy Policy. To do so, type the following command in the command line:

ksv-components_6.0.0.XXX_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy

where 6.0.0.XXX is the number of the application version.

The text of the End User License Agreement and the Privacy Policy is output to the EulaAndPrivacyPolicy_<language ID>.txt file in the %temp% folder.

To install the Kaspersky Security main administration plug-in and Integration Server components via the command line, type one of the following commands in the command line:

  • if the computer on which installation is performed belongs to an Active Directory domain:

    ksv-components_6.0.0.XXX_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes

  • if the computer on which installation is performed does not belong to an Active Directory domain:

    ksv-components_6.0.0.XXX_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes --viisPass=<password>

where:

  • 6.0.0.XXX is the number of the application version.
  • <language ID> is the ID of the language of components to install.

    The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, ja. It is case sensitive.

  • <password> is the password of the Integration Server administrator account. If the computer on which Integration Server is installed does not belong to an Active Directory domain, the Integration Server administrator account (admin) is used to manage the Integration Server.

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  • accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the End User License Agreement and the Privacy Policy describing the handling and transmission of data. By setting the value to yes, you confirm the following:
    • You have fully read, understand, and accept the provisions and terms of the End User License Agreement.
    • You have fully read and understand the Privacy Policy, you understand and consent that your data will be processed and transmitted (including to third-party countries) in accordance with the Privacy Policy.

    You must accept the terms of the End User License Agreement and Privacy Policy if you want to install the Kaspersky Security administration plug-in and Integration Server components.

Port number 7271 is used by default for connecting to the Integration Server. If you want to use a different port to connect to the Integration Server, specify --viisPort=<port number in the range of 1025–65536> in the command.

Installation of the Kaspersky Security main administration plug-in and Integration Server components may take some time. Information about the installation result is written to Kaspersky Security Components Installation Wizard trace files. If installation ended with an error, you can use these files when contacting Technical Support.
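
The password, language ID and port rules from this section and from the interactive-mode steps, checked before a silent installation is launched. This is an added example, not vendor code: the function names are hypothetical, the sample values are constructed, and only the installer options shown on this page are used.

```powershell
# Added example (not vendor code). Function names are hypothetical.

$AllowedSpecials = '!#$%&''()*"+,-./\:;<=>_?@[]^`{|}~'   # special characters listed in the Help
$LanguageIds     = 'ru', 'en', 'de', 'fr', 'zh-Hans', 'ja'

function Test-ViisPassword {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Password)

    $errors = @(); $warnings = @()
    $chars  = $Password.ToCharArray()

    # Hard rules from the Help: at most 60 characters, restricted alphabet.
    if ($chars.Count -eq 0)  { $errors += 'empty' }
    if ($chars.Count -gt 60) { $errors += 'longer than 60 characters' }
    $bad = @($chars | Where-Object {
        ([string]$_ -cnotmatch '^[A-Za-z0-9]$') -and -not $AllowedSpecials.Contains([string]$_)
    })
    # Report a count only, so that no part of the password is echoed.
    if ($bad.Count) { $errors += "$($bad.Count) character(s) outside the allowed set" }

    # Advice from the Help: at least 8 characters, 3 of 4 character categories.
    $classes = 0
    if ($Password -cmatch '[a-z]') { $classes++ }
    if ($Password -cmatch '[A-Z]') { $classes++ }
    if ($Password -cmatch '[0-9]') { $classes++ }
    if (@($chars | Where-Object { $AllowedSpecials.Contains([string]$_) }).Count) { $classes++ }
    if ($chars.Count -lt 8) { $warnings += 'shorter than the advised 8 characters' }
    if ($classes -lt 3)     { $warnings += "uses $classes of 4 character categories; at least 3 are advised" }

    # Several allowed characters are interpreted by cmd.exe itself.
    if ($Password -match '["&|<>^%]') {
        $warnings += 'contains characters that cmd.exe interprets (" & | < > ^ %); quote or escape them when typing the command'
    }

    [pscustomobject]@{ Valid = ($errors.Count -eq 0); Errors = $errors; Warnings = $warnings }
}

function Test-ViisPort {
    param([Parameter(Mandatory)][int]$Port)
    # The Help gives the range 1025-65536; TCP port numbers end at 65535,
    # so that is the upper bound enforced here.
    ($Port -ge 1025) -and ($Port -le 65535)
}

function Get-KsvInstallArguments {
    param(
        [Parameter(Mandatory)][string]$Lang,
        [string]$Password,     # needed only when the computer is not in an Active Directory domain
        [int]$Port = 7271,     # default Integration Server port
        [bool]$InDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    )

    if ($Lang -cnotin $LanguageIds) {
        throw "Language ID '$Lang' is not one of: $($LanguageIds -join ', ') (case sensitive)"
    }
    if (-not (Test-ViisPort $Port)) { throw "Port $Port is outside the supported range" }

    $argList = @('-q', "--lang=$Lang", '--accept-EulaAndPrivacyPolicy=yes')

    if (-not $InDomain) {
        $check = Test-ViisPassword -Password $Password
        if (-not $check.Valid) { throw "Password rejected: $($check.Errors -join '; ')" }
        $check.Warnings | ForEach-Object { Write-Warning $_ }
        $argList += "--viisPass=$Password"
    }
    if ($Port -ne 7271) { $argList += "--viisPort=$Port" }

    $argList
}

# Constructed sample values; the password is a placeholder.
$demo = Get-KsvInstallArguments -Lang 'en' -Password 'Example-Passw0rd' -Port 7272 -InDomain $false
$demo -join ' '

# To launch the installer with these arguments (file name as given in the Help):
# Start-Process -FilePath '.\ksv-components_6.0.0.XXX_mlg.exe' -ArgumentList $demo -Wait
```

Because --viisPass is passed on the command line, its value is visible in process listings and in process-creation audit records that capture command lines on the computer where the installer runs.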

Installation of the Kaspersky Security administration plug-in for tenants

The actions described in this section must be performed only if you are using the application in multitenancy mode.

Prior to beginning installation of the Kaspersky Security administration plug-in for tenants, it is recommended to close the Kaspersky Security Center Administration Console.

You can install the Kaspersky Security administration plug-in for tenants in one of the following ways:

  • In interactive mode using the Wizard.
  • Via the command line.

The administration plug-in for tenants should be installed using an account that has software installation privileges (for example, an account from the group of local administrators).

The Kaspersky Security administration plug-in for tenants must be installed on the same computer on which the Kaspersky Security Center Administration Console is installed.

Installation in interactive mode

To install the Kaspersky Security administration plug-in for tenants in interactive mode using the Wizard:

  1. On the computer where the Kaspersky Security Center Administration Console is installed, start the file named ksv-t-components_6.0.0.XXX_mlg.exe (6.0.0.XXX represents the application version number). This file is included in the distribution kit.

    The Installation Wizard starts for the Kaspersky Security administration plug-in for tenants.

  2. Select the localization language of the Wizard and the Kaspersky Security administration plug-in for tenants and proceed to the next step of the Wizard.

    By default, the window uses the localization language of the operating system installed on the computer where the Wizard was started.

  3. Read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

    To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

    Proceed to the next step of the wizard.

  4. Review the information about the actions that the Wizard will perform and click Next to begin performing the listed actions.
  5. Wait for the wizard to finish.

    If an error occurs during wizard operation, the wizard rolls back the changes made.

  6. Click Finish to close the Wizard window.

Information about the operation of the Wizard is written to Kaspersky Security administration plug-in for tenants Installation Wizard trace files. If the Wizard ended with an error, you can use these files when contacting Technical Support.

Installing via the command line

Prior to installing the administration plug-in, it is recommended to carefully read the text of the End User License Agreement and the Privacy Policy. To do so, type the following command in the command line:

ksv-t-components_6.0.0.XXX_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy

where 6.0.0.XXX is the number of the application version.

The text of the End User License Agreement and the Privacy Policy is output to the EulaAndPrivacyPolicy_<language ID>.txt file in the %temp% folder.

To install the Kaspersky Security administration plug-in for tenants, enter the following command in the command line:

ksv-t-components_6.0.0.XXX_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes

where:

  • 6.0.0.XXX is the number of the application version.
  • <language ID> is the ID of the language of components to install.

    The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, ja. It is case sensitive.

  • accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the End User License Agreement and the Privacy Policy describing the handling and transmission of data. By setting the value to yes, you confirm the following:
    • You have fully read, understand, and accept the provisions and terms of the End User License Agreement.
    • You have fully read and understand the Privacy Policy, you understand and consent that your data will be processed and transmitted (including to third-party countries) in accordance with the Privacy Policy.

    You must accept the terms of the End User License Agreement and Privacy Policy if you want to install the Kaspersky Security administration plug-in.

Information about the installation result is written to Kaspersky Security administration plug-in for tenants Installation Wizard trace files. If installation ended with an error, you can use these files when contacting Technical Support.

Result of installation of the Kaspersky Security administration plug-ins and Integration Server

Installation of the Kaspersky Security main administration plug-in and Integration Server components includes the following:

  1. In the Kaspersky Security Center Administration Console, the following link is created for starting the Integration Server Console: Manage Kaspersky Security for Virtualization 6.0 Agentless. The link is displayed in the workspace of the Administration Server node on the Monitoring tab in the Deployment section.
  2. When the Kaspersky Security Center Administration Console is started for the first time after the administration plug-in is installed, the Managed Application Quick Start Wizard starts and creates the default main policy and tasks in the Managed devices folder of the main Administration Server. The Wizard can also be started manually.
  3. The Kaspersky Security main administration plug-in appears in the list of installed administration plug-ins in the properties of the Kaspersky Security Center Administration Server.

Installation of the Kaspersky Security administration plug-in for tenants results in the following:

  1. When the Kaspersky Security Center Administration Console is started for the first time after the administration plug-in is installed, the Managed Application Quick Start Wizard starts and creates the default tenant policy in the Managed devices folder of the main Administration Server. The Wizard can also be started manually.
  2. The Kaspersky Security administration plug-in for tenants appears in the list of installed administration plug-ins in the properties of the Kaspersky Security Center Administration Server.

Viewing the list of installed administration plug-ins

To view the list of installed administration plug-ins:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. Open the Administration Server properties window in one of the following ways:
    • Select Properties in the context menu of the node.
    • In the workspace in the Administration Server section, click the Administration Server properties link.

    The Properties: Administration Server window opens.

  3. In the Administration Server properties window in the Additional section, select the Information about the installed application administration plug-ins subsection.

    The Kaspersky Security main administration plug-in of Kaspersky Security for Virtualization 6.0 Agentless is displayed in the list of installed administration plug-ins in the right part of the window.

    If you installed the Kaspersky Security administration plug-in for tenants, Kaspersky Security for Virtualization 6.0 Agentless (for tenants) is also displayed.

Starting the Quick Start Wizard for the managed application

When the Kaspersky Security Center Administration Console starts for the first time after the Kaspersky Security main administration plug-in is installed, the Quick Start Wizard for the managed application is automatically started. The Wizard will result in the creation of a default main policy, application database update task, and Full Scan task for virtual machines that are not part of a vCloud Director organization in the Managed devices folder of the main Administration Server of Kaspersky Security Center.

If you also installed the Kaspersky Security administration plug-in for tenants, the Quick Start Wizard for the managed application is started again and automatically creates a default tenant policy in the Managed devices folder of the main Administration Server.

A default tenant policy is not created automatically on a virtual Administration Server of Kaspersky Security Center.

If the Quick Start Wizard for the managed application was not started automatically, it is recommended to start it manually. Default policies let you register events and display protected virtual machines in the Kaspersky Security Center Administration Console immediately after installing the application.

To manually start the Initial Configuration Wizard:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. In the context menu of the node, select All Tasks → Managed Application Quick Start Wizard.
  3. In the window of the welcome screen, click Next.
  4. At the next step, select the managed application: Kaspersky Security for Virtualization 6.0 Agentless and click Next.
  5. Wait for the Wizard to finish and close the Wizard window.
  6. If you use the application in multitenancy mode, repeat steps 1–3, and select the managed application at the next step: Kaspersky Security for Virtualization 6.0 Agentless (for tenants). Then click Next.
  7. Wait for the Wizard to finish and close the Wizard window.

Default policies and tasks

When the Initial Configuration Wizard for the managed application finishes, the following policies and tasks are created in the Managed devices folder of the main Kaspersky Security Center Administration Server.

Default main policy

This policy is displayed in the workspace of the Managed devices folder of the main Administration Server on the Policies tab and is named KSV Agentless 6.0 default policy.

Default policy settings take the following values:

  • File Threat Protection is disabled (a protection profile is not assigned to objects of the protected infrastructure).
  • SNMP monitoring of the status of SVMs is disabled.
  • Use of Backup is enabled. Storage period for backup copies of files is 30 days.
  • Use of Kaspersky Security Network is disabled.
  • Network Threat Protection is disabled.

If you want to use the default main policy for virtual machine protection, you need to enable anti-virus protection and configure Network Threat Protection in this policy.

All settings of the default main policy can be redefined in nested policies (all "locks" are open).

The availability of a default main policy lets you use the following capabilities of Kaspersky Security Center immediately after SVM deployment and before you manually create a policy:

  • Display the list of protected virtual machines in KSC cluster properties.
  • Register events that occur during scans and protection of virtual machines that are not part of vCloud Director organizations.
  • Display information about the virtual machines whose protection involves the use of license keys in a key report.
  • Display information about protected virtual machines in a protection status report.

If you want to delete the default main policy, make sure that one of the policies created by you is applied on all SVMs. If the main policy is not applied on an SVM, Kaspersky Security Center does not register this SVM's events that occur during scans and protection of virtual machines that are not part of vCloud Director organizations, and does not display these virtual machines in reports.

Default tenant policy

This policy is created only on the main Kaspersky Security Center Administration Server if you installed the Kaspersky Security administration plug-in for tenants.

This policy is displayed in the workspace of the Managed devices folder of the main Administration Server on the Policies tab and is named KSV Agentless 6.0 (for tenants) default policy.

The settings of this policy are not used directly for the protection of virtual machines. However, the settings of the main protection profile and KSN usage settings configured in this policy may be inherited in tenant policies located in nested administration groups, for example, in the Managed devices folder of the virtual Administration Server.

If you want to centrally enable the use of KSN for protection of all virtual machines of tenants, you need to first obtain the consent of tenants to send KSN usage information and other information to Kaspersky depending on the KSN usage mode that you selected (standard KSN or extended KSN).

All settings of the default tenant policy can be redefined in nested policies (all "locks" are open).

There must be a tenant policy in the Managed devices folder of the main Administration Server of Kaspersky Security Center to register events that occur during scans and protection of virtual machines of tenants, and to display virtual machines of tenants within the protected infrastructure of the KSC cluster and in the list of virtual machines protected by SVMs.

In the default tenant policy, you can configure the settings for notifications about events that occur during scans and protection of virtual machines of tenants.

Application database default update task

This task is displayed in the workspace of the Managed devices folder of the main Administration Server on the Tasks tab and is named Program database update.

The task is started each time an update package is downloaded to the storage of Kaspersky Security Center Administration Server, and it lets you update the databases on all SVMs.

Default Full Scan task

This task is displayed in the workspace of the Managed devices folder of the main Administration Server on the Tasks tab and is named Default Full Scan task.

This task lets you scan all virtual machines that are within the entire protected infrastructure but are not part of a vCloud Director organization.

The settings of the full scan task take the following values:

  • Security level – Recommended:
    • Archive scanning is disabled.
    • Scanning of self-extracting archives and embedded OLE objects is enabled.
    • Kaspersky Security does not scan compound files larger than 8 MB.
    • File scan duration is unlimited.
    • Kaspersky Security scans files of virtual machines to detect viruses, worms, Trojans, malicious tools, auto-dialers, adware, and multi-packed files.
  • Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, the application deletes such files. If deletion fails, Kaspersky Security blocks the infected files.
  • Kaspersky Security does not scan powered-off virtual machines, virtual machine templates, or files on optical drives.
  • The scan task ends 120 minutes after the task was started.
  • Scan task exclusions are not defined.

You can manually run this task.

Configuring the Integration Server

After installing the Integration Server, you must configure the settings for connecting the Integration Server to the virtual infrastructure.

The settings of the Integration Server can be configured in the Integration Server Console.

Starting the Integration Server Console

If the computer hosting the Integration Server Console belongs to an Active Directory domain, make sure that your domain account belongs to the KLAdmins group or the group of local administrators on the computer where the Integration Server is installed.

To start the Integration Server Console:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. Start the Integration Server Console by clicking the Manage Kaspersky Security for Virtualization 6.0 Agentless link on the Monitoring tab in the Deployment section.
  3. If one of the following conditions is satisfied, a window opens for entering the Integration Server connection settings:
    • If the computer hosting the Integration Server Console does not belong to an Active Directory domain.
    • If the computer hosting the Integration Server Console belongs to a domain but a connection to the Integration Server could not be established using the connection address and port specified in the Integration Server Console settings.

    Specify the following connection settings:

    • Address and port of the Integration Server to which the connection is established.
    • User account for connecting to the Integration Server:
      • If the computer hosting the Integration Server Console belongs to a domain or your domain account belongs to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use the domain account. To do so, select the Use domain account check box.

        If you want to use the account of an Integration Server administrator (admin), enter the administrator account password in the Password field.

      • If the computer hosting the Integration Server Console does not belong to a domain, or the computer belongs to a domain but your domain account does not belong to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use only the account of the Integration Server administrator (admin). Enter the password of the Integration Server administrator account in the Password field.

    Click the Connect button.

  4. The console checks the SSL certificate received from the Integration Server. If the received certificate is not trusted or does not match the previously installed certificate, the Certificate verification window with the appropriate message opens. Click a link in this window to view the details of the certificate received. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

    To continue connecting to the Integration Server, click the Consider certificate to be trusted button in the Certificate verification window. The certificate that has been received is installed as a trusted certificate. The certificate is saved in the registry of the operating system on the computer hosting the Integration Server Console.

The Integration Server Console opens.


Configuring the settings for connecting the Integration Server to the virtual infrastructure administration server

Depending on the virtual infrastructure that you want to protect using Kaspersky Security, you need to configure a connection to the following virtual infrastructure administration servers:

  • To protect a virtual infrastructure managed by one or multiple VMware vCenter Servers, you need to configure the connection of the Integration Server to each of these VMware vCenter Servers.
  • To protect a virtual infrastructure managed by VMware vCenter Servers connected to the VMware vCloud Director Server, you need to configure connection of the Integration Server to each of these VMware vCenter Servers, and to the VMware vCloud Director Server.

The connection to each virtual infrastructure administration server is established separately.

In an infrastructure managed by VMware vCloud Director, you can connect the Integration Server to VMware vCenter Servers and VMware vCloud Director Servers in any order. The Integration Server automatically determines whether each added VMware vCenter Server is a standalone server or if it is connected to a VMware vCloud Director Server.

To configure the settings for connecting the Integration Server to the virtual infrastructure administration server:

  1. Start the Integration Server Console.
  2. In the Virtual infrastructure protection section, click the Add button.
  3. In the opened Connection to virtual infrastructure window, select the type of virtual infrastructure administration server to which you need to configure a connection, and click Next.
  4. Specify the following settings:
    • IP address in IPv4 format or fully qualified domain name (FQDN) of the virtual infrastructure administration server to which the Integration Server connects.
    • Name and password of the account that the Integration Server uses to connect to the virtual infrastructure administration server.

    The entered connection settings (except the password) are saved in the registry of the operating system in encrypted form.

  5. Click the Validate button. The Integration Server checks the specified connection settings and the SSL certificate received from the virtual infrastructure administration server. If a connection could not be established or certificate errors are detected during the connection, the window displays an error message.

    If a connection error occurs because the certificate received from the virtual infrastructure administration server is not trusted for the Integration Server, the Certificate validation window opens. If the received certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and establish the connection. To do so, click the Install certificate button in the opened window. The received certificate is saved as a trusted certificate for the Integration Server.

    Certificates that are trusted in the operating system in which the Integration Server is installed are also considered to be trusted for the Integration Server.

    If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

  6. After establishing a connection with the virtual infrastructure administration server, click OK in the Connection to virtual infrastructure window.

    The entered address or name of the virtual infrastructure administration server is displayed in the table in the Virtual infrastructure protection section.

    If you configured a connection to the VMware vCloud Director Server and to the VMware vCenter Servers connected to it, the rows containing information about these VMware vCenter Servers are automatically grouped into a list located above the row of this VMware vCloud Director.

For each virtual infrastructure administration server, the table displays a list of actions that you can perform when configuring a connection to this server and for subsequent deployment of virtual infrastructure protection. You can expand or collapse the list of possible actions by clicking on the address or name of the virtual infrastructure administration server in the Address column.

If necessary, you can change or delete previously entered settings for connecting the Integration Server to the virtual infrastructure administration server.

To change the settings for connecting the Integration Server to the virtual infrastructure administration server:

  1. Expand the list of possible actions for the selected virtual infrastructure administration server by clicking on the address or name of the virtual infrastructure administration server in the Address column.
  2. Depending on the type of virtual infrastructure administration server, select Change VMware vCenter Server connection settings or Change VMware vCloud Director connection settings. The Connection to virtual infrastructure window opens.
  3. Enter the new connection settings and verify the capability to connect, as described in the procedure for configuring the settings for connecting the Integration Server to the virtual infrastructure administration server (see items 4–6 of the previous instructions).

To delete the settings for connecting the Integration Server to the virtual infrastructure administration server:

  1. Expand the list of possible actions for the selected virtual infrastructure administration server by clicking on the address or name of the virtual infrastructure administration server in the Address column.
  2. Depending on the type of virtual infrastructure administration server, select Remove VMware vCenter Server from list or Remove VMware vCloud Director from list.
  3. Confirm the deletion in the window that opens.

    In an infrastructure managed by a VMware vCenter Server and VMware NSX Manager, removal of a VMware vCenter Server from the list is possible only if Kaspersky Security services are not registered in VMware NSX Manager.

After configuring the connection between the Integration Server and one or several VMware vCenter Servers, you can proceed to deploying protection in the VMware virtual infrastructure.


Changing passwords of Integration Server accounts

If necessary, in the Integration Server user accounts section you can change passwords for Integration Server user accounts:

  • Password of the Integration Server administrator account (admin).
  • Password of the account used for connecting SVMs to the Integration Server (svm).

    The svm account password is required in order to configure the connection between the SVM with the File Threat Protection component and the Integration Server that will support interaction between the VMware vCenter Server and the SVM.

  • Account password for interaction between VMware NSX Manager and the Integration Server (NSX_220E116B-B6D5-42).

Account names cannot be edited.

To change the password of the Integration Server account:

  1. Start the Integration Server Console.
  2. In the list on the left, select the Integration Server user accounts section.
  3. In the table, select the name of the account whose password you want to change.
  4. Click the Change the account password link to open the Account password window and enter the new password in the Password and Confirm password fields.

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  5. In the Account password window, click OK.

Viewing Integration Server settings

To view Integration Server settings:

  1. Start the Integration Server Console.
  2. In the list on the left, select the Integration Server settings section.

The right part of the Console shows the following settings of the Integration Server to which the connection has been established:

  • Integration Server version.
  • Name of the user account that was used to establish the connection to the Integration Server.
  • Type of authentication used when connecting to the Integration Server.
  • New IP address in IPv4 format or the fully qualified domain name (FQDN) of the Integration Server.

If you enabled the logging of information to the Integration Server trace file, you can view this file by clicking the View trace file link. The trace file can be viewed with the Notepad text editor.


Registration of Kaspersky Security services

After configuring the connection between the Integration Server and the VMware vCenter Server, you must start the Kaspersky Security service registration process and enter the settings required for completing the following steps of application installation:

  • Registration of Kaspersky Security services in VMware NSX Manager: the file system protection service (Kaspersky File Antimalware Protection) and the network protection service (Kaspersky Network Protection)
  • Deployment of Kaspersky Security services
  • Initial configuration of new SVMs after deployment of Kaspersky Security services

Registration of Kaspersky Security services in VMware NSX Manager and configuration of new SVMs is performed by the Integration Server.

To enter the settings required for registration and deployment of Kaspersky Security services:

  1. Start the Integration Server Console.

    The Virtual infrastructure protection section opens.

  2. In the list, select the VMware vCenter Server and expand the list of available actions by clicking the address or name of the VMware vCenter Server in the Address column.
  3. In the Manage protection section, select Register Kaspersky Security services.

This starts the Registration of Kaspersky Security Services Wizard. Follow the wizard instructions.

In this section:

Connecting to VMware NSX Manager

Selecting an SVM image for the file system protection service

Selecting an SVM image for the network protection service

Selecting the traffic processing mode for the Network Threat Protection component

Configuring the connection settings for an SVM

Creating passwords for accounts on SVMs

Selecting the time zone for SVMs

Configuring the settings for connecting to network data storage

Confirming Kaspersky Security settings

Registration of Kaspersky Security services

Exiting the wizard


Connecting to VMware NSX Manager

At this step, specify the settings for connecting the Integration Server to VMware NSX Manager:

  • IP address in IPv4 format or the fully qualified domain name (FQDN) of VMware NSX Manager.
  • Name and password of the user account used to connect to VMware NSX Manager. The Enterprise Administrator role must be assigned to this user account.

At this step, you can also configure the settings used by VMware NSX Manager to transmit information to the Integration Server. The settings that the Integration Server Console used for connecting to the Integration Server are set by default. The Address field contains the fully qualified domain name (FQDN) of the computer on which the Integration Server is installed (if the computer is in a domain), the name of the computer in a Windows workgroup (if the computer is not in a domain), or the computer IP address.

Make sure that VMware NSX Manager can connect to the Integration Server using the default settings or change those settings. To change the settings, select the Specify the settings for connecting VMware NSX Manager to Integration Server check box, and specify the IP address or fully qualified domain name of the computer on which the Integration Server is installed and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to VMware NSX Manager and to the Integration Server using the specified settings.

When establishing the connection to VMware NSX Manager, the Wizard verifies the SSL certificate received from VMware NSX Manager. If the received certificate contains an error, the Wizard displays an error message. Click the View certificate link to view information about the received certificate.

If a connection error occurs because the certificate received from VMware NSX Manager is not trusted for the Integration Server but the received certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and establish a connection. To do so, click the Install certificate button. The received certificate is saved as a trusted certificate for the Integration Server.

Certificates that are trusted in the operating system in which the Integration Server is installed are also considered to be trusted for the Integration Server.

If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.
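The certificate prompts described here, and in the earlier Integration Server Console and virtual infrastructure administration server steps, leave it to you to decide whether an untrusted certificate is authentic. The following added example (not part of the Kaspersky documentation or product) fingerprints the certificate a server presents so that it can be compared with a fingerprint obtained out of band, for instance from the appliance's own console. All function names and the usage line are assumptions of this example.

```python
import hashlib
import hmac
import socket
import ssl
import sys

HEX_DIGITS = set("0123456789abcdef")


def normalize_fingerprint(text):
    """Return 64 lower-case hex digits; accepts 'AB:CD:...' or 'ab cd ...'."""
    cleaned = "".join(ch for ch in text.lower() if ch not in ": -\t")
    if len(cleaned) != 64 or not set(cleaned) <= HEX_DIGITS:
        raise ValueError("reference must be a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fingerprint_der(der_bytes):
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def fingerprint_pem(pem_text):
    """Same fingerprint for a certificate exported as PEM text."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text))


def display_form(fingerprint):
    """Colon-separated upper-case form, easier to compare by eye."""
    pairs = (fingerprint[i:i + 2] for i in range(0, len(fingerprint), 2))
    return ":".join(pairs).upper()


def fetch_presented_der(host, port=443, timeout=10.0):
    """Fetch the server's leaf certificate WITHOUT validating it.

    Validation is switched off on purpose: the certificate in question is the
    one that is not yet trusted, and the decision is made by comparing its
    fingerprint with the reference. Nothing else is sent on this connection.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False          # must be disabled before verify_mode
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def matches_reference(presented_der, reference_fingerprint):
    """True only if the presented certificate has the out-of-band fingerprint."""
    expected = normalize_fingerprint(reference_fingerprint)
    return hmac.compare_digest(fingerprint_der(presented_der), expected)


if __name__ == "__main__":
    # Usage (assumed): python check_cert.py <host> <port> <reference-fingerprint>
    if len(sys.argv) != 4:
        sys.exit("usage: check_cert.py <host> <port> <reference-sha256>")
    host, port, reference = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    der = fetch_presented_der(host, port)
    print("presented:", display_form(fingerprint_der(der)))
    if matches_reference(der, reference):
        print("MATCH: the presented certificate is the one you expected")
    else:
        print("MISMATCH: do not install the certificate; check the channel")
        sys.exit(1)
```

A mismatch means the certificate offered on the wire is not the one the server's administrator reported, which is the situation in which the page advises checking that the data transfer channel is secure.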

If checking the Integration Server connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.


Selecting an SVM image for the file system protection service

If you want to install the File Threat Protection component, at this step you must specify the SVM image with the installed File Threat Protection component. The Integration Server registers the file system protection service (Kaspersky File Antimalware Protection) in VMware NSX Manager. After registration finishes, you can deploy the file system protection service on VMware clusters. As a result, SVMs with the File Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the File Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed File Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

To specify the SVM image, perform the following actions:

  1. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
  2. Click the Validate button.

    The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

    If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

    • SVM configuration. The number of processors and RAM allocated for the SVM.

      If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

    • Application name. Name of the application that is installed on the SVM.
    • SVM version. Number of the SVM version.
    • Vendor. Vendor of the application that is installed on the SVM.
    • Description. Brief description of the application.
    • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

If you do not want to install the File Threat Protection component, clear the Register the file system protection service check box.

Proceed to the next step of the wizard.


Selecting an SVM image for the network protection service

If you wish to install the Network Threat Protection component, you must specify the SVM image with the installed Network Threat Protection component at this stage. The Integration Server registers the network protection service (Kaspersky Network Protection) in VMware NSX Manager. After registration finishes, you can deploy the network protection service on VMware clusters. As a result, SVMs with the Network Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the Network Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed Network Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

To specify the SVM image, perform the following actions:

  1. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
  2. Click the Validate button.

    The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

    If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

    • SVM configuration. The number of processors and RAM allocated for the SVM.

      If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

    • Application name. Name of the application that is installed on the SVM.
    • SVM version. Number of the SVM version.
    • Vendor. Vendor of the application that is installed on the SVM.
    • Description. Brief description of the application.
    • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

If you do not want to install the Network Threat Protection component, clear the Register the network protection service check box.

Proceed to the next step of the wizard.


Selecting the traffic processing mode for the Network Threat Protection component

If you specified an SVM image with the installed Network Threat Protection component at the previous step, at this step you need to select the traffic processing mode for the Network Threat Protection component. The traffic processing mode determines the settings of the application installed on an SVM with the Network Threat Protection component.

You can select one of the following traffic processing modes:

  • Standard mode. If this mode is selected, the virtual filter (VMware DVFilter) intercepts the traffic of virtual machines and sends it to Kaspersky Security to be scanned. When Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it performs the action that is specified in policy settings and relays information about events to the Kaspersky Security Center Administration Server.

    This option is selected by default.

  • Monitoring mode. If this mode is selected, Kaspersky Security receives a copy of traffic of virtual machines. When signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

After network protection service registration and SVM deployment, the traffic processing mode cannot be changed. To select a different traffic processing mode, you will have to remove the SVMs, unregister the network protection service, and then re-register the network protection service with the new traffic processing mode and deploy new SVMs.

Proceed to the next step of the wizard.


Configuring the connection settings for an SVM

At this step, specify the IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.

At this step, you can also configure the settings for connecting an SVM to the Integration Server. The settings that the Integration Server Console used for connecting to the Integration Server are set by default. The Address field contains the fully qualified domain name (FQDN) of the computer on which the Integration Server is installed (if the computer is in a domain), the name of the computer in a Windows workgroup (if the computer is not in a domain), or the computer IP address.

Make sure that SVMs can connect to the Integration Server using the default settings or change those settings. To change the settings, select the Specify the settings for connecting SVMs to Integration Server check box, and specify the IP address or fully qualified domain name of the computer on which the Integration Server is installed, and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the Kaspersky Security Center and to the Integration Server using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.


Creating passwords for accounts on SVMs

At this step, create a password for the klconfig user account (configuration password) and a password for the root user account on SVMs. The configuration password is required for SVM reconfiguration. The root account is used for accessing the operating system on SVMs and for accessing SVM trace files.

Enter a password for each user account in the Password and Confirm password fields.

The passwords should be up to 60 characters long. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
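The password rules stated above are the same ones given for Integration Server accounts in "Changing passwords of Integration Server accounts". The following added example (not Kaspersky code) checks a candidate password against both the hard limits and the advisory guidance before you type it into the wizard. The function and constant names are assumptions of this example, and because the page states no minimum length, a short password fails only the advisory check.

```python
import string
from typing import NamedTuple

MAX_LENGTH = 60                      # hard limit stated on the page
RECOMMENDED_MIN_LENGTH = 8           # advisory
RECOMMENDED_MIN_CATEGORIES = 3       # advisory: three of the four categories

# Special characters exactly as listed on the page (note: no space).
SPECIALS = set("!#$%&'()*\"+,-./\\:;<=>_?@[]^`{|}~")

CATEGORIES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numerals": set(string.digits),
    "special": SPECIALS,
}
ALLOWED = set().union(*CATEGORIES.values())


class PasswordCheck(NamedTuple):
    accepted: bool       # within the hard limits (length, character set)
    recommended: bool    # accepted and also follows the advisory guidance
    problems: list       # reasons the password would be rejected
    advice: list         # reasons it falls short of the recommendation


def categories_used(password):
    """Names of the character categories present in the password."""
    return sorted(
        name for name, chars in CATEGORIES.items()
        if any(ch in chars for ch in password)
    )


def check_password(password):
    problems, advice = [], []

    if len(password) > MAX_LENGTH:
        problems.append(f"length {len(password)} exceeds {MAX_LENGTH}")

    # Membership in the ASCII sets is tested directly: str.isalpha() would
    # also accept non-Latin letters such as Cyrillic look-alikes.
    for ch in sorted({c for c in password if c not in ALLOWED}):
        problems.append(f"character U+{ord(ch):04X} is not allowed")

    if len(password) < RECOMMENDED_MIN_LENGTH:
        advice.append(f"shorter than {RECOMMENDED_MIN_LENGTH} characters")
    used = categories_used(password)
    if len(used) < RECOMMENDED_MIN_CATEGORIES:
        advice.append(
            f"uses {len(used)} of 4 character categories, "
            f"{RECOMMENDED_MIN_CATEGORIES} recommended"
        )

    accepted = not problems
    return PasswordCheck(accepted, accepted and not advice, problems, advice)


if __name__ == "__main__":
    import getpass
    result = check_password(getpass.getpass("Candidate password: "))
    print("accepted:", result.accepted, "| recommended:", result.recommended)
    for line in result.problems + result.advice:
        print(" -", line)
```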

To prevent unauthorized access to an SVM after SVM deployment, it is recommended to change the configuration password regularly. You can change the configuration password by using the Kaspersky Security reconfiguration procedure.

Proceed to the next step of the wizard.


Selecting the time zone for SVMs

At this step, you can select the time zone that will be used on all SVMs. By default, the time zone for SVMs corresponds to the time zone that has been set on the computer on which the Integration Server Console is installed.

If you need to change the time zone for SVMs, select a value from the drop-down list.

Proceed to the next step of the wizard.


Configuring the settings for connecting to network data storage

At this step, you can configure the following settings for using network data storage:

  • Allow or block the use of network data storage for SVMs.
  • Specify the settings for connecting SVMs to network data storage.

Network data storage can be used for storing backup copies of files that have been moved to Backups on SVMs. By default, SVMs do not use network data storage.

If you want to allow the use of network data storage for SVMs, select the Use network data storage option and define the following settings for connecting to storage:

  • Network data storage address in UNC format.

    The defined address cannot be localhost or 127.0.0.1.

  • Account used by SVMs to connect to the network data storage, in the format <domain>\<user name>.
  • Connection account password.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the network data storage using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.


Confirming Kaspersky Security settings

At this step, check the entered settings of Kaspersky Security.

Proceed to the next step of the wizard to start registration of Kaspersky Security services.


Registration of Kaspersky Security services

This step displays information about operations that are performed by the Integration Server in order to register Kaspersky Security services and prepare the configuration settings that will be distributed to new SVMs after they are deployed.

If an error occurred during such operations, the Wizard displays the relevant information. The Wizard performs rollback of changes.

After all operations have been completed, proceed to the next step of the Wizard.


Exiting the wizard

This step displays information about the result of Kaspersky Security service registration.

If the services were registered successfully, exit the Wizard.

If registration of services ended with an error, the Wizard displays information about the error. If this is the case, exit the Wizard, eliminate the cause of the error, and restart the procedure. For detailed information about errors, you can view the Integration Server trace files (if you enabled the logging of information to Integration Server trace files).


Viewing registered services in the VMware vSphere Web Client console

Registration of Kaspersky Security services in VMware NSX Manager is performed by the Integration Server.

You can view the list of registered services in the VMware vSphere Web Client console in the Networking & Security → Service Definitions section on the Services tab.

The Integration Server is registered as Kaspersky Service Manager in VMware NSX Manager.

You can view the list of registered Service Managers in the VMware vSphere Web Client console in the Networking & Security → Service Definitions section on the Service Managers tab.

For more details about viewing registered services and Service Managers, please refer to the Knowledge Base.


Deploying SVMs with the File Threat Protection and Network Threat Protection components

To deploy SVMs with Kaspersky Security components on VMware ESXi hypervisors, you need to deploy Kaspersky Security services on VMware clusters. Deployment of Kaspersky Security services is performed in the VMware vSphere Web Client console.

To deploy SVMs with Kaspersky Security components:

  1. In the VMware vSphere Web Client console, start the Deployment Wizard for network services and protection services for virtual machines (the Networking & Security → Installation and Upgrade section on the Service Deployments tab).
  2. Use the Wizard to specify the following settings:
    1. In the table, select the service that you need to deploy:
      • Kaspersky File Antimalware Protection service, if you want to deploy an SVM with the File Threat Protection component
      • Kaspersky Network Protection service, if you want to deploy an SVM with the Network Threat Protection component

      You can select both Kaspersky Security services if you need to deploy an SVM with the File Threat Protection component and an SVM with the Network Threat Protection component on the same hypervisors and assign the same settings to them. If the SVM settings or the hypervisors on which the SVMs will be deployed must be different, you need to separately deploy the Kaspersky Security services.

    2. Select one or more VMware clusters on which you want to deploy SVMs with Kaspersky Security components.
    3. If required, change the default settings for all SVMs that will be deployed on hypervisors within every selected VMware cluster:
      • Network that will be used by SVMs.
      • Storage for SVM deployment.
      • Method of assigning IP addresses. By default, SVMs receive network settings via the DHCP protocol. You can configure a static pool of IP addresses that will be used for assigning IP addresses to the SVMs.
  3. Finish the Wizard and wait for deployment of Kaspersky Security services to complete.

SVMs with the File Threat Protection component and SVMs with the Network Threat Protection component will be deployed on each hypervisor within each VMware cluster that you selected.

For more details about the procedure for deploying SVMs with Kaspersky Security components, please refer to the Knowledge Base.


Configuring NSX Security Groups

NSX Security Groups are configured in the VMware vSphere Web Client console. You must include all virtual machines that you want to protect with Kaspersky Security into one or multiple NSX Security Groups.

To configure an NSX Security Group:

  1. In the VMware vSphere Web Client console, start the NSX Security Group Wizard in the Networking & Security → Service Composer section on the Security Groups tab.
  2. Using the Wizard, enter the name of the new NSX Security Group (for example, "Kaspersky Security Group" or "Protected by Kaspersky") and configure the rules for including virtual machines into the group.

    Virtual machines can be included into an NSX Security Group using the following methods:

    • Dynamic inclusion of virtual machines into the NSX Security Group. The group includes all virtual machines that meet the criteria you specify.
    • Inclusion of specified VMware virtual infrastructure objects into the NSX Security Group. You can select objects to be included in the group, such as a Datacenter object, VMware cluster, resource pool, or individual virtual machines. By default, the group includes all child objects of the specified object. You can also specify individual virtual infrastructure objects to be excluded from the NSX Security Group.

    You can combine these methods when configuring rules for including virtual machines into the NSX Security Group. For example, you can configure dynamic inclusion of virtual machines into the group based on specific criteria, and specify VMware inventory objects that must be excluded from the group.

For more details on configuring NSX security groups, please refer to the Knowledge Base.


Configuring and applying NSX Security Policies

NSX Security Policies are configured in the VMware vSphere Web Client console. The configured NSX Security Policies must be assigned to previously created NSX Security Groups.

You must configure the use of Kaspersky Security services in each NSX Security Policy:

  • File system protection service (Kaspersky File Antimalware Protection), if you want to protect virtual machines from file threats.
  • Network protection service (Kaspersky Network Protection), if you want to protect virtual machines from network threats.

To configure and apply an NSX security policy:

  1. In the VMware vSphere Web Client console, start the NSX Security Policy Wizard in the Networking & Security → Service Composer section on the Security Policies tab.
  2. If you want to protect virtual machines against file threats, at the Guest Introspection Services step of the Wizard, add the Kaspersky File Antimalware Protection service with a user-defined name and the default action (Apply).
  3. If you want to scan outbound traffic of virtual machines, at the Network Introspection Services step of the Wizard, add the Kaspersky Network Protection service and specify the following values for its settings:
    • User-defined name
    • Redirection of traffic to the network protection service (Kaspersky Network Protection) is enabled (Redirect to service setting)
    • Source – Policy's Security Groups (selected by default)
    • Destination – Any (selected by default)
  4. If you want to scan inbound traffic of virtual machines, at the Network Introspection Services step of the Wizard, add the Kaspersky Network Protection service and specify the following values for its settings:
    • User-defined name
    • Redirection of traffic to the network protection service (Kaspersky Network Protection) is enabled (Redirect to service setting)
    • Source – Any
    • Destination – Policy's Security Groups
  5. Finish the NSX Security Policy Wizard.
  6. In the list of NSX security policies on the Security Policies tab, apply the policy (Apply) to the NSX Security Group that includes the protected virtual machines.

For more details about configuring NSX security policies, please refer to the Knowledge Base.


Configuring protection of tenant organizations

The actions described in this section must be performed only if you are using the application in multitenancy mode.

To configure protection of tenant organizations, you need to do the following after installing the application:

  1. In the Kaspersky Security Center Administration Console, for each tenant whose virtual machines need to be protected, create a virtual Administration Server and account that will be used by the tenant administrator to connect to the virtual Administration Server.
  2. In the Kaspersky Security Center Administration Console, create the account that the Integration Server will use to connect to the Kaspersky Security Center Administration Server. This connection is required for obtaining information about virtual Administration Servers created in Kaspersky Security Center, and for configuring mappings between virtual Administration Servers and vCloud Director organizations that contain virtual machines of tenants.
  3. In the Integration Server Console, connect the Integration Server to the Kaspersky Security Center Administration Server and configure the list of mappings of vCloud Director organizations to virtual Administration Servers of Kaspersky Security Center.

    If a vCloud Director organization is not mapped to a virtual Administration Server, Kaspersky Security does not protect the virtual machines that are part of this vCloud Director organization.

  4. Provide the following information to the tenant administrator:
    • Integration Server address.
    • Address of the virtual Administration Server configured for this tenant.
    • Name and password of the account used to connect to the virtual Administration Server.
  5. Make sure that the application is prepared for operation and that policies are configured for the protection of the virtual infrastructure of each tenant:
    • For File Threat Protection, a tenant policy must be configured on each virtual Administration Server of Kaspersky Security Center corresponding to the tenant organization.
    • For Network Threat Protection, there must be a configured main policy whose scope includes the virtual machines of the tenant.

In this section:

Creating a virtual Administration Server for a tenant

Connecting the Integration Server to the Kaspersky Security Center Administration Server

Configuring a list of mappings of vCloud Director organizations to virtual Administration Servers


Creating a virtual Administration Server for a tenant

The actions described in this section must be performed only if you are using the application in multitenancy mode.

A virtual Administration Server is required for managing the protection of virtual machines that are part of a vCloud Director organization.

The virtual Administration Server needs to be created in the Administration Servers subfolder within the administration group that contains the "VMware vCloud Director Agentless" cluster. A cluster must correspond to the VMware vCloud Director Server managed by the vCloud Director organization containing the virtual machines of the tenant.

To create a virtual Administration Server of Kaspersky Security Center:

  1. In the Kaspersky Security Center Administration Console, in the Managed devices folder, select the administration group containing the "VMware vCloud Director Agentless" cluster and then select the Administration Servers subfolder.
  2. In the workspace of the Administration Servers folder, click the Add virtual Administration Server link.

    The New Virtual Administration Server Wizard starts.

  3. At the first step of the Wizard, specify the name of the created virtual Administration Server.

    The name of a virtual Administration Server cannot contain more than 255 characters or the following special characters: " * < > ? \ : |.

    Proceed to the next step of the wizard.

  4. Specify the address of the Kaspersky Security Center Administration Server on which the virtual Administration Server is created, and proceed to the next step of the Wizard.
  5. Specify the account that the tenant administrator will use to connect to the virtual Administration Server. You can specify a previously created account of an internal user of Kaspersky Security Center or create an account by using the Create button.

    Proceed to the next step of the wizard.

  6. Start the creation of the virtual Administration Server by clicking Next.
  7. At the next step, clear the All packages check box (installation packages are not required for application operation), proceed to the next step, and finish the Wizard.

A node named Administration Server – <Virtual Server name> will be created in the console tree.

For more details about working with virtual Administration Servers, please refer to the Kaspersky Security Center documentation.


Connecting the Integration Server to the Kaspersky Security Center Administration Server

The actions described in this section must be performed only if you are using the application in multitenancy mode.

The Integration Server must be connected to the Kaspersky Security Center Administration Server to receive information about virtual Administration Servers created in Kaspersky Security Center.

To connect the Integration Server to the Kaspersky Security Center Administration Server:

  1. Start the Integration Server Console.
  2. In the list on the left, select the Manage protection of tenant organizations section.
  3. In the Settings for connecting to Kaspersky Security Center section, specify the connection settings:
    • IP address in IPv4 format or fully qualified domain name (FQDN) of the Kaspersky Security Center Administration Server.
    • Name and password of the account used by the Integration Server to connect to the Kaspersky Security Center Administration Server.
  4. Click the Connect button. The status of the connection between the Integration Server and the Kaspersky Security Center Administration Server is displayed in the Kaspersky Security Center connection status section in the upper part of the window.

After connecting the Integration Server to the Kaspersky Security Center Administration Server, you can map virtual Administration Servers to vCloud Director organizations containing virtual machines of tenants.

If a connection was already established and you want to change the connection settings, you can disconnect the current connection by using the Disconnect button located in the Kaspersky Security Center connection status section and then connect with the new settings.

If the Kaspersky Security Center Administration Server includes one or multiple virtual Administration Servers that are mapped to vCloud Director organizations, a warning is displayed when there is a disconnection attempt. If there is no connection, you cannot set new mappings between virtual Administration Servers and vCloud Director organizations. The previously set mappings are retained.


Configuring a list of mappings of vCloud Director organizations to virtual Administration Servers

The actions described in this section must be performed only if you are using the application in multitenancy mode.

The list of mappings of vCloud Director organizations to virtual Administration Servers is configured in the Integration Server Console. In the list of mappings, you can do the following:

  • Map vCloud Director organizations to virtual Kaspersky Security Center Administration Servers.
  • View the list of mappings.
  • Cancel mapping.

To open the list of mappings of vCloud Director organizations to virtual Administration Servers:

  1. Start the Integration Server Console.
  2. In the list on the left, select the Manage protection of tenant organizations section and make sure that the Integration Server is connected to the Kaspersky Security Center Administration Server. Connect if a connection is not already established.

    If the Integration Server is not connected to the Kaspersky Security Center Administration Server, you cannot set new mappings between virtual Administration Servers and vCloud Director organizations. Previously set mappings are retained, but you can cancel them.

  3. Open the list of mappings of vCloud Director organizations to virtual Administration Servers by using one of the following methods:
    • In the Virtual infrastructure protection section, expand the list of available actions for a VMware vCloud Director Server that manages a vCloud Director organization, and click the Map vCloud Director organizations link. This opens the list of mappings for vCloud Director organizations that are managed by one VMware vCloud Director Server.
    • In the Manage protection of tenant organizations section, click the Open list button located in the vCloud Director organizations to virtual administration Servers mapping list section. This opens the list of mappings for vCloud Director organizations that are managed by all VMware vCloud Director servers.

    The vCloud Director organizations to virtual administration Servers mapping list window opens.

The list of mappings is displayed as a table. Each row of the table contains the following data:

  • Virtual Server – name of the virtual Administration Server mapped to an organization from the vCloud Director organization column. If no mapping to a vCloud Director organization is set for this virtual Administration Server, the column displays the value none.
  • vCloud Director organization – name of the vCloud Director organization mapped to the virtual Administration Server from the Virtual Server column. If no mapping to a virtual Administration Server is set for this vCloud Director organization, the column displays the value none.
  • VMware vCloud Director – IP address or name of the VMware vCloud Director Server that manages the organization from the vCloud Director organization column. If a vCloud Director organization is not indicated in this row of the table, the column displays the value none.

When viewing the list of mappings, you can use the following capabilities:

  • Filter. To apply a filter, you can use the following links located above the table:
    • All – show all rows in the table. This value is selected by default.
    • Mapped – show only rows displaying the name of a vCloud Director organization and the name of the virtual Administration Server that is mapped to it.
    • Not mapped – show only rows displaying the name of a vCloud Director organization or the name of a virtual Administration Server that is not mapped.
  • Search any column of the table. You can enter a search criterion in the search bar located above the table to find a vCloud Director organization, virtual Administration Server, or VMware vCloud Director Server. The search starts as you enter characters. The table displays all rows that contain a value that satisfies the search criteria. To reset the search results, delete the contents of the search field.
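
The mapping list and its Mapped / Not mapped filters described above, as an added example (not Kaspersky code): a Python check over a hand-made CSV transcription of the table that reports vCloud Director organizations left without a virtual Administration Server, which per this guide are not protected. The CSV layout, host names and tenant names are constructed assumptions; this guide describes no export of the list.

```python
import csv
import io
from collections import Counter

NONE = "none"  # value the mapping list shows in an empty column

# Constructed sample rows (not product output): the three columns of the mapping list.
SAMPLE = """Virtual Server,vCloud Director organization,VMware vCloud Director
vas-tenant-a,org-tenant-a,vcd01.example.test
none,org-tenant-b,vcd01.example.test
vas-tenant-c,none,none
vas-tenant-d,org-tenant-d,vcd02.example.test
"""

def load_rows(text):
    """Parse the assumed CSV transcription into dicts with short keys."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        {
            "server": r["Virtual Server"].strip(),
            "org": r["vCloud Director organization"].strip(),
            "vcd": r["VMware vCloud Director"].strip(),
        }
        for r in reader
    ]

def is_mapped(row):
    """'Mapped' filter: the row names both an organization and a virtual server."""
    return row["server"].lower() != NONE and row["org"].lower() != NONE

def audit(rows):
    """Return unprotected organizations, idle virtual servers, and duplicates."""
    unprotected = [(r["org"], r["vcd"]) for r in rows
                   if r["org"].lower() != NONE and r["server"].lower() == NONE]
    idle_servers = [r["server"] for r in rows
                    if r["server"].lower() != NONE and r["org"].lower() == NONE]
    mapped = [r for r in rows if is_mapped(r)]
    # The selection windows only offer items that are not yet mapped, so a name
    # appearing in two mapped rows points to a transcription error (inference).
    dup_servers = [s for s, n in Counter(r["server"] for r in mapped).items() if n > 1]
    dup_orgs = [k for k, n in Counter((r["org"], r["vcd"]) for r in mapped).items() if n > 1]
    return {"unprotected_orgs": unprotected, "idle_servers": idle_servers,
            "duplicate_servers": dup_servers, "duplicate_orgs": dup_orgs}

if __name__ == "__main__":
    report = audit(load_rows(SAMPLE))
    for org, vcd in report["unprotected_orgs"]:
        print(f"NOT PROTECTED: {org} on {vcd} has no virtual Administration Server")
    for server in report["idle_servers"]:
        print(f"unused: virtual Administration Server {server} has no organization")
```
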

In this section:

Mapping a vCloud Director organization to a virtual Administration Server

Unmapping a vCloud Director organization from a virtual Administration Server


Mapping a vCloud Director organization to a virtual Administration Server

The actions described in this section must be performed only if you are using the application in multitenancy mode.

To map a vCloud Director organization to a virtual Administration Server:

  1. Start the Integration Server Console.
  2. Select the Manage protection of tenant organizations section and make sure that the Integration Server is connected to the Kaspersky Security Center Administration Server. Connect if a connection is not already established.
  3. Open the list of mappings of vCloud Director organizations to virtual Administration Servers.
  4. Do one of the following:
    • If you want to set mapping for a vCloud Director organization, in the table find the row that contains the name of the vCloud Director organization, and click the link located in the Virtual Server column. The Select a virtual Administration Server window opens. The window displays a list of all virtual Administration Servers that have not yet been mapped to a vCloud Director organization.
    • If you want to set mapping for a virtual Administration Server, in the table find the row that contains the name of the virtual Administration Server, and click the link located in the vCloud Director organization column. The Select a vCloud Director organization window opens. The window displays a list of all vCloud Director organizations that have not yet been mapped to a virtual Administration Server. The list of vCloud Director organizations is grouped by VMware vCloud Director servers.

    To search for the relevant row in the table, you can use the filter or search bar.

  5. In the opened window, select the virtual Administration Server or vCloud Director organization and click OK.

    The selection window closes, and the new mapping appears in the vCloud Director organizations to virtual administration Servers mapping list window.


Unmapping a vCloud Director organization from a virtual Administration Server

The actions described in this section must be performed only if you are using the application in multitenancy mode.

If a vCloud Director organization was removed from VMware vCloud Director or if the virtual machines that are part of a vCloud Director organization no longer need to be protected, you can cancel a previously set mapping between a vCloud Director organization and a virtual Administration Server.

To cancel mapping between a vCloud Director organization and a virtual Administration Server:

  1. Start the Integration Server Console.
  2. Open the list of mappings of vCloud Director organizations to virtual Administration Servers.
  3. In the table, find the row containing the vCloud Director organization and virtual Administration Server whose mapping you want to cancel.

    To search for the relevant row in the table, you can use the filter or search bar.

  4. Click the Cancel mapping icon located in the row, and confirm the unmapping in the opened window.
  5. Close the vCloud Director organizations to virtual administration Servers mapping list window.

If a vCloud Director organization is not mapped to a virtual Administration Server, Kaspersky Security does not protect the virtual machines that are part of this vCloud Director organization.
