Changing settings of Kaspersky Security

You can use the procedure for changing settings of the Kaspersky Security to perform the following actions:

• Change the settings for connecting the Integration Server to VMware NSX Manager in which the Integration Server registers Kaspersky Security services.
• Change the address and port used by VMware NSX Manager to transmit information to the Integration Server.
• Change the SVM images that were specified during registration of Kaspersky Security services. If you changed the location of the SVM image or selected a different SVM configuration, the Integration Server re-registers the service with the new settings. After the Reconfiguration Wizard finishes, you can update the deployed service in the VMware vSphere Web Client console (Networking & Security → Installation and Upgrade section, Service Deployments tab, Upgrade action). As a result, the new SVMs will be deployed in the virtual infrastructure.
• If you registered only one of the two services when performing the Kaspersky Security service registration procedure, specify the SVM image for registration of the Kaspersky Security service that was not registered. After the Reconfiguration Wizard finishes, you can perform the procedure for deploying the Kaspersky Security service on VMware clusters to deploy SVMs.
• Change the following SVM configuration settings:
  • IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.
  • Address and port used for connecting SVMs to Integration Server.
  • Configuration password and root account password on the SVM.
  • Time zone that is used on all SVMs.
  • Settings for connecting SVMs to network data storage.

  The listed settings are applied for configuration of new SVMs that you deploy after the Wizard finishes, and for reconfiguration of previously deployed SVMs with installed components of Kaspersky Security for Virtualization 6.0 Agentless.

  If the localization language of previously deployed SVMs differs from the localization language of the Integration Server Console in which you start the Kaspersky Security reconfiguration procedure, the localization language of SVMs changes as a result of this procedure. The localization language of the Integration Server Console is applied on SVMs.

  If you want to reconfigure SVMs that have installed components of the previous version of Kaspersky Security, you need a separately installed Kaspersky Security Center Administration Console and administration plug-in of the previous version of the application. For information on the SVM reconfiguration procedure for the previous version of the application, please refer to the documentation of the previous version of Kaspersky Security.

To change settings of Kaspersky Security:

1. Start the Integration Server Console.

   The Virtual infrastructure protection section opens.

2. In the list, select the VMware vCenter Server and expand the list of available actions by clicking the address or name of the VMware vCenter Server in the Address column.
3. In the Manage protection section, select Change settings of Kaspersky Security.

This starts the Reconfiguration Wizard. Follow the wizard instructions.

Changing the connection settings for interaction between the Integration Server and VMware NSX Manager

At this step, you can edit the following settings:

• The settings for connecting the Integration Server to VMware NSX Manager in which the Integration Server registers Kaspersky Security services.
• Address and port used by VMware NSX Manager to transmit information to the Integration Server.

If you want to change the settings for connecting the Integration Server to VMware NSX Manager:

1. Select the Change VMware NSX Manager connection settings check box.
2. Specify the following connection settings:
   • IP address in IPv4 format or the fully qualified domain name (FQDN) of VMware NSX Manager.
   • Name and password of the user account used to connect to VMware NSX Manager. The Enterprise Administrator role must be assigned to this user account.

If you want to change the address and port used for connecting VMware NSX Manager to Integration Server:

1. Select the Change settings for connecting VMware NSX Manager to Integration Server check box.
2. Specify the new IP address or fully qualified domain name (FQDN) of the computer on which the Integration Server is installed, and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to VMware NSX Manager and to the Integration Server using the specified settings.

When establishing the connection to VMware NSX Manager, the Integration Server verifies the SSL certificate received from VMware NSX Manager. If the received certificate contains an error, the Wizard displays an error message. Click the View certificate link to view information about the received certificate.

If a connection error occurs because the certificate received from VMware NSX Manager is not trusted for the Integration Server but the received certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and establish a connection. To do so, click the Install certificate button. The received certificate is saved as a trusted certificate for the Integration Server.

Certificates that are trusted in the operating system in which the Integration Server is installed are also considered to be trusted for the Integration Server.

If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

If checking the Integration Server connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

Changing the SVM image for the file system protection service

At this step, you can select the SVM image with the File Threat Protection component. If the selected SVM image differs from the image specified when the file system protection service (Kaspersky File Antimalware Protection) was registered, the Integration Server re-registers the file system protection service in VMware NSX Manager. After the Reconfiguration Wizard finishes, you can update the deployed file system protection service on VMware clusters. As a result, SVMs from the new image will be deployed on hypervisors.

If the file system protection service was not previously registered, the Integration Server registers the file system protection service in VMware NSX Manager. After the Reconfiguration Wizard finishes, you can deploy the file system protection service on VMware clusters. As a result, SVMs with the File Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the File Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed File Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

In order to indicate or edit the path to the SVM image, follow these steps:

1. Select the Specify or change the SVM image for the file system protection service check box.
2. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
3. Click the Validate button.

   The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

   If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

   • SVM configuration. The number of processors and RAM allocated for the SVM.

     If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

   • Application name. Name of the application that is installed on the SVM.
   • SVM version. Number of the SVM version.
   • Vendor. Vendor of the application that is installed on the SVM.
   • Description. Brief description of the application.
   • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

Proceed to the next step of the wizard.

Changing the SVM image for the network protection service

At this step, you can select the SVM image with the Network Threat Protection component. If the selected SVM image differs from the image specified when the network protection service (Kaspersky Network Protection) was registered, the Integration Server re-registers the network protection service in VMware NSX Manager. After the Reconfiguration Wizard finishes, you can update the deployed network protection service on VMware clusters. As a result, SVMs from the new image will be deployed on hypervisors.

If the network protection service was not previously registered, the Integration Server registers the network protection service in VMware NSX Manager. After the Reconfiguration Wizard finishes, you can deploy the network protection service on VMware clusters. As a result, SVMs with the Network Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the Network Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed Network Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

In order to indicate or edit the path to the SVM image, follow these steps:

1. Select the Specify or change the SVM image for the network protection service check box.
2. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
3. Click the Validate button.

   The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

   If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

   • SVM configuration. The number of processors and RAM allocated for the SVM.

     If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

   • Application name. Name of the application that is installed on the SVM.
   • SVM version. Number of the SVM version.
   • Vendor. Vendor of the application that is installed on the SVM.
   • Description. Brief description of the application.
   • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

Proceed to the next step of the wizard.

Viewing information about the traffic processing mode for the Network Threat Protection component

This step displays information about the traffic processing mode that was selected during registration of the network protection service:

• Standard mode. If this mode is selected, the virtual filter (VMware DVFilter) intercepts the traffic of virtual machines and sends it to Kaspersky Security to be scanned. When Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it performs the action that is specified in policy settings and relays information about events to the Kaspersky Security Center Administration Server.
• Monitoring mode. If this mode is selected, Kaspersky Security receives a copy of traffic of virtual machines. When signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

You cannot change the traffic processing mode for a Network Threat Protection component installed on already deployed SVMs. To select a different traffic processing mode, you will have to remove the SVMs, unregister the network protection service, and then re-register the network protection service with the new traffic processing mode and deploy new SVMs.

Proceed to the next step of the wizard.

Changing the connection settings for an SVM

At this step, you can edit the following connection settings for SVMs:

• IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.
• Address and port used for connecting SVMs to Integration Server.

If you want to change the IP address and port used for connecting SVMs to the Kaspersky Security Center Administration Server:

1. Select the Change settings for connecting SVMs to Kaspersky Security Center check box.
2. Specify the new IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.

If you want to change the address and port used for connecting SVMs to the Integration Server:

1. Select the Change settings for connecting SVMs to Integration Server check box.
2. Specify the new IP address or fully qualified domain name (FQDN) of the computer on which the Integration Server is installed, and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the Kaspersky Security Center and to the Integration Server using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

Changing passwords for accounts on SVMs

At this step you can change the password for the klconfig user account (configuration password) and the root account password. The specified passwords will be used on all SVMs that you deploy after re-registration of Kaspersky Security services, and on previously deployed SVMs. The configuration password is required for SVM reconfiguration. The root account is used for accessing the operating system on SVMs and for accessing SVM trace files.

If you want to change the configuration password:

1. Select the Change the klconfig account password (configuration password) check box.
2. Enter a new password in the Password and Confirm password fields.

If you want to change the root user account password:

1. Select the Change the root account password check box.
2. Enter a new password in the Password and Confirm password fields.

The passwords should be up to 60 characters long. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

Proceed to the next step of the wizard.

Changing the time zone for SVMs

At this step, you can change the time zone used on SVMs. The specified time zone will be used on all SVMs that you deploy after re-registration of Kaspersky Security services, and on previously deployed SVMs.

To change the time zone on SVMs, select the Change the time zone for SVMs check box and select a value from the drop-down list.

Proceed to the next step of the wizard.

Changing settings for connecting to network data storage

At this step, you can configure the following settings for using network data storage:

• Allow or block the use of network data storage for SVMs.
• Define or change previously specified settings for connecting SVMs to network data storage.

Network data storage can be used for storing backup copies of files that have been moved to Backups on SVMs.

If you want to configure the settings for using network data storage:

1. Select the Change settings for connecting to network data storage check box.
2. If SVMs must not use network data storage, select the Do not use network data storage option.
3. If you want to allow the use of network data storage for SVMs, select the Use network data storage option and define the following settings for connecting to storage:
   • Network data storage address in UNC format.

     The defined address cannot be localhost or 127.0.0.1.

   • Account used by SVMs to connect to the network data storage, in the format <domain>\<user name>.
   • Connection account password.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the network data storage using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

Starting Kaspersky Security reconfiguration

At this step, you can view information about the settings that will be changed as a result of the procedure.

The list of modified settings shows the SVM localization language if the localization language of the Integration Server Console in which you are starting the Kaspersky Security reconfiguration procedure differs from the localization language of previously deployed SVMs. The localization language of the Integration Server Console will be used on all SVMs.

Proceed to the next step of the Wizard to start changing the parameters.

Kaspersky Security reconfiguration process

This step displays information about operations that are performed by the Integration Server to apply new settings.

If an error occurred during such operations, the Wizard displays the relevant information. The Wizard performs rollback of changes.

After all operations have been completed, proceed to the next step of the Wizard.

Exiting the wizard

This step displays information about the results of the changed settings of Kaspersky Security.

If the settings were successfully changed, exit the Wizard.

If reconfiguration ended with an error, the Wizard displays information about the error. If this is the case, exit the Wizard, eliminate the cause of the error, and restart the procedure. For detailed information about errors, you can view the Integration Server trace files (if you enabled the logging of information to Integration Server trace files).