Preparing for application installation

Before installing Kaspersky Security components, perform the following:

• Check whether the Kaspersky Security Center components and VMware components meet the software requirements of Kaspersky Security.
• Prepare the VMware virtual infrastructure for the application installation.
• You can download the files required for the installation of the application from Kaspersky website.

  The file necessary for running the Kaspersky Security components Installation Wizard and SVM images are also available for downloading in the Kaspersky Security Center Administration Console in the list of current versions of Kaspersky applications. The list of up-to-date application versions is displayed in the workspace of the Administration Server node on the Monitoring tab in the Update section by clicking the View current versions of Kaspersky applications link. You can filter the list by Virtualization value.

• Make sure that the SVM images were received from a trusted source. For more detailed information about validating the SVM image, please refer to the application page in the Knowledge Base.
• Place all SVM image files in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol. For example, you can publish SVM images on the Kaspersky Security Center Web Server.
• In the settings of the network equipment or software used for monitoring traffic, open the ports that are required for operation of the application.
• Configure the settings of the accounts that are required for installation and operation of the application.
• If you are planning to use network data storage for SVMs, create a network folder for hosting the network data storage and a user account for connecting SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs. The amount of space necessary for the network data storage can be estimated based on the following formula: (N+1) GB, where N is the number of SVMs that connect to the network data storage.

  You need to make sure that the amount of space allocated for network data storage is sufficient for storing backup copies of files. Kaspersky Security does not monitor the availability of free space in your network data storage and does not notify you if backup copies of files cannot be stored. It is recommended to use third-party tools to monitor the available space in the network folder.

Preparing the VMware virtual infrastructure

Prior to installing the application in a VMware infrastructure, you must perform the following actions:

• Combine VMware ESXi hypervisors into one or several VMware clusters.
• Configure the Agent VM Settings in the properties of each hypervisor: select a network and storage for service virtual machines and SVMs. For details on configuring Agent VM Settings, please refer to the VMware product documentation.
• Deploy the Guest Introspection service on each VMware cluster on which SVMs with the File Threat Protection component will be deployed.
• On each VMware cluster on which SVMs with the Network Threat Protection component will be deployed, prepare hypervisors for network protection deployment. To do so, you must install VMware NSX components on hypervisors. Installation is performed in the VMware vSphere Web Client console in the Networking & Security → Installation and Upgrade section on the Host Preparation tab. To install VMware NSX components to hypervisors, you must select Actions → Install for the VMware cluster. Refer to the Knowledge Base for more details.
• Install the Guest Introspection driver (NSX File Introspection Driver) on each virtual machine that you want to protect using Kaspersky Security.

  To do so, you must install VMware Tools kit version 11.0.1. on virtual machines running a Windows operating system. When installing the VMware Tools package, you need to install the NSX File Introspection Driver component that is included in the package. The NSX File Introspection Driver component is not installed by default.

  Special packages are provided for installation of the NSX File Introspection Driver component on virtual machines running a Linux operating system. For more details please refer to documentation attached to VMware products.

• If you want to install the Network Threat Protection component, make sure that a license for NSX for vSphere Advanced or NSX for vSphere Enterprise is being used for VMware NSX for vSphere.

Deploying the Guest Introspection service

For proper functioning of Kaspersky Security, you must deploy the Guest Introspection service on each VMware cluster on which SVMs with the File Threat Protection component will be deployed.

After deploying the Guest Introspection service on a VMware cluster, the Guest Introspection service virtual machines are deployed on each hypervisor that is part of the cluster.

Deployment of the Guest Introspection service is performed in the VMware vSphere Web Client console.

To deploy the Guest Introspection service:

1. In the VMware vSphere Web Client console, start the Deployment Wizard for network services and protection services for virtual machines (the Networking & Security → Installation and Upgrade section on the Service Deployments tab).
2. Use the Wizard to specify the following settings for deploying the Guest Introspection service:
   1. Select the Guest Introspection service in the table.
   2. Select one or several VMware clusters on which you want to install the File Threat Protection component.
   3. If required, change the default settings for all Guest Introspection service virtual machines that will be deployed on hypervisors within the selected VMware cluster:
      • Network that will be used by the service virtual machines.
      • Storage for deployment of service virtual machines.
      • Method of assigning IP addresses. By default, service virtual machines receive network settings via the DHCP protocol. You can configure a static pool of IP addresses that will be used for assigning IP addresses to service virtual machines.
3. Finish the Wizard and wait for deployment of the Guest Introspection service to complete.

   A Guest Introspection service virtual machine will be deployed on each hypervisor within the VMware cluster that you selected.

For more details about deploying the Guest Introspection service, please refer to the Knowledge Base.

Viewing information about the license for NSX for vSphere

To utilize Network Threat Protection component functionality, you must have a current license for NSX for vSphere Advanced or NSX for vSphere Enterprise.

When using a standard NSX for vSphere license, the Network Service Insertion (Third Party Integration) function that is required for enabling protection against network threats on VMware ESXi hypervisors is unavailable.

You can view information about the utilized licenses in the VMware vSphere Web Client console in the Administration → Licenses section on the Products tab (for more details, please refer to the Knowledge Base).

For more details on working with NSX for vSphere licenses, please refer to the VMware product documentation.

Publishing SVM images on the Kaspersky Security Center Web Server

You can publish SVM images on the Kaspersky Security Center Web Server or place them on another network resource that is accessible over the HTTP or HTTPS protocol.

To publish SVM images on the Kaspersky Security Center Web Server:

1. Make sure that the Web Server is running. To do so, start the services.msc snap-in and verify that the Kaspersky Web Server service has the Running status.
2. In the shared folder of the Administration Server, create a subfolder named public.

   To find out the path to the shared folder:

   1. View the shared folder name and the name of the computer on which it is located in the Administration Server properties window in the Additional → Administration Server shared folder section.
   2. On the specified computer, run the following command in the command line: net share <shared folder name>.

      After this command is executed, the Path row will show the path to the shared folder in the file system.

3. Copy all Kaspersky Security SVM image files into the public folder.
4. Make sure that the SVM images have been published. To do so, open your browser and enter the following in the address bar:

   http://<IP address for connecting to the Kaspersky Security Center Administration Server>:8060/public

   An IP address must be specified as the Administration Server address; localhost should not be specified.

   Port 8060 is used by default. If you have modified the default settings, in the address field specify the port that is defined in the Web server section of the Kaspersky Security Center Administration Server properties window.

If publication of SVM images completed successfully, you will see a page containing a list of Kaspersky Security image files.

Ports used

To install and run application components, in the network hardware or software settings used to control network traffic between virtual machines, you must open the following ports as described in the table below.

Ports used by the application

Page top

Accounts for installing and using the application

User account for installing the Kaspersky Security administration plug-in and Integration Server

Installation of the Kaspersky Security administration plug-in and Integration Server requires an account that has software installation privileges (for example, an account from the group of local administrators).

If the computer hosting the Kaspersky Security Center Administration Console belongs to an Active Directory domain, connection to the Integration Server requires a domain account that belongs to the KLAdmins group or an account that belongs to the group of local administrators.

To prevent unauthorized access, it is recommended to ensure the security of the account that is used to connect to the Integration Server.

User accounts for deploying and removing SVMs, and for operation of the application

The following user accounts are required for deployment and removal of SVMs that have Kaspersky Security components:

• VMware vCenter Server account to which the preset system role ReadOnly has been assigned. To ensure that powered-off virtual machines can be scanned, the following privileges need to be assigned to this account:
  • Virtual machine → Change Configuration → Add existing disk
  • Virtual machine → Change Configuration → Add or remove device
  • Virtual machine → Change Configuration → Remove disk
  • ESX Agent Manager → Modify
• A VMware NSX Manager account that has been assigned the Enterprise Administrator role.
• If you want to use Kaspersky Security to protect a virtual infrastructure managed by VMware vCloud Director, you also need a VMware vCloud Director account that has the following permissions:
  • General → Perform administrator queries
  • Organization → View Organizations

Roles must be assigned to user accounts at the top level of the hierarchy of VMware virtual infrastructure objects.

For information on how to create user accounts in a VMware infrastructure, please refer to VMware documentation.

User account for connecting the Integration Server to Kaspersky Security Center

This account is used if the application is operating in multitenancy mode.

The Integration Server connects to Kaspersky Security Center to receive information about virtual Administration Servers created in Kaspersky Security Center, and to map virtual Administration Servers to vCloud Director organizations that contain virtual machines of tenants. Connecting the Integration Server to Kaspersky Security Center requires an account with read rights in the functional scope of Basic functionality → Virtual Administration Servers.

You can create and configure the account used for connecting the Integration Server to Kaspersky Security Center in the properties window of the Kaspersky Security Center Administration Server in the Security section.

By default, the Security section is not displayed in the Administration Server properties window. To enable the display of the Security section, you must select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart the Kaspersky Security Center Administration Console.

For more details on the rights of user accounts in Kaspersky Security Center, please refer to the Kaspersky Security Center documentation.

User account for connecting SVMs to network data storage

This user account is required if you are using network data storage for SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs.

To connect SVMs to network data storage, you need an account with read and write permissions in the network folder hosting the storage.

It is recommended to restrict access to this network folder for all other user accounts.