Preparing the application for operation and initial configuration

After the application is installed, you must prepare the application for operation. To do so, perform the following actions:

• Activate the application on all new SVMs.
• Update the application databases on all new SVMs.
• Enable protection of virtual machines against file threats and network threats. By default, Kaspersky Security does not protect virtual machines.

Activating the application on new SVMs

To activate the application, you must add a license key to all SVMs. It is recommended to configure an activation task that will be automatically started on all new SVMs immediately after they are deployed.

If you are using a licensing scheme that is based on the number of protected virtual machines, you need to create two activation tasks for protection of virtual machines running desktop operating systems and running server operating systems: a task for adding a server key to SVMs and a task for adding a desktop key to SVMs.

To configure an activation task:

1. Add a license key to Kaspersky Security Center key storage.
2. In the tree of the Kaspersky Security Center Administration Console, select the Managed devices folder. In the workspace, select the Tasks tab and click the New task button. The New Task Wizard starts.
3. Specify the application for which the task is being created, and the type of task. To do so, in the Kaspersky Security for Virtualization 6.0 Agentless list, select Application activation.

   Proceed to the next step of the wizard.

4. Click the Select button. The Select a key window opens. Select a key from the Kaspersky Security Center key storage and click the OK button.

   Proceed to the next step of the wizard.

5. Configure the task run schedule settings:
   • In the Scheduled start drop-down list, select the Once mode. In the Start date and Start time fields, leave the default settings.
   • Select the Run skipped tasks check box.

   Proceed to the next step of the wizard.

6. Enter the name of the task and proceed to the next step of the wizard.
7. Finish the wizard.

According to the configured schedule settings, the task will start on all new SVMs immediately after they are deployed. You can view information on the results of a task in the Kaspersky Security Center Administration Console.

Updating application databases on new SVMs

After installing the Kaspersky Security administration plug-in, the application database update task is automatically created. This task is started each time an update package is downloaded to the storage of Kaspersky Security Center Administration Server, and it lets you update the application databases on all SVMs. You can use the automatically created database update task. If necessary, you can change the settings of this task or delete it, and configure the application database update task for SVMs of one or several KSC clusters belonging to one administration group.

To update the application databases after the application is installed or upgraded:

1. Make sure that a download updates to the storage task has been created in Kaspersky Security Center. If the download updates to the storage task does not exist, create it (see the Kaspersky Security Center documentation).
2. Manually start the download updates to the storage task or wait for a scheduled task to start automatically. Make sure that the download updates to the storage task has been completed successfully (see Kaspersky Security Center documentation for details).
3. Make sure that an application database update task has been created in Kaspersky Security Center.

   The application database update task that was automatically created after installation of the Kaspersky Security administration plug-in is located on the Tasks tab in the Managed devices folder.

   If the application database update task has not been created, create it.

4. Wait for the application database update task to start according to the schedule or manually start the task.
5. Make sure that the application database update task has been completed successfully.

After the application has been installed or upgraded, SVMs relay information to Kaspersky Security Center regarding the type of application databases required for the operation of Kaspersky Security. If Kaspersky Security Center has not yet downloaded the necessary databases to the storage when the database update task is started, the task could end with an error. If this is the case, you can manually start the download updates to the storage task, wait for it to complete, and then manually start the application database update task.

Kaspersky Security checks the integrity of application databases during updates. If this check is unsuccessful, the application database update task ends with an error and Kaspersky Security continues to use the previous set of application databases. If the application database update task ends with an error on new SVMs, you are advised to contact Technical Support. If application databases are missing from SVMs, Kaspersky Security will not protect the virtual machines.

Enabling protection of virtual machines

By default, Kaspersky Security does not protect virtual machines. After installing Kaspersky Security, you must enable protection of virtual machines by using a policy.

For File Threat Protection of virtual machines that are not part of vCloud Director organizations, you can use the default main policy, or create a main policy.

If the application is operating in multitenancy mode, protection of the virtual infrastructure of tenants against file threats requires that you create a tenant policy on each virtual Administration Server of Kaspersky Security Center corresponding to the tenant organization. A tenant policy can be created by the provider's administrator or the tenant's administrator. The settings for protecting the virtual infrastructure of tenants against network threats are determined by the main policy whose scope includes the virtual machines of the tenant.

File Threat Protection

To protect a virtual machine against file threats, you need to assign a protection profile to the virtual machine. A virtual machine that has no assigned protection profile is excluded from protection.

A protection profile can be assigned directly to virtual infrastructure objects (including virtual machines) or by mapping a protection profile to an NSX Profile Configuration that is applied to virtual machines.

You can assign the main protection profile that is generated automatically when a policy is created, or create and assign additional protection profiles if you want to use different protection settings for different virtual infrastructure objects. Profiles are assigned in policy properties.

Kaspersky Security protects only those virtual machines that meet all the conditions for virtual machine protection from file threats.

Network Threat Protection

To protect a virtual machine against network threats, you need to configure the settings for Intrusion Prevention and/or Web Addresses Scan in the properties of the policy whose scope includes the virtual machine.

Kaspersky Security protects only those virtual machines that meet all the conditions for virtual machine protection from network threats.

If the application is not activated or the application databases are missing on SVMs, Kaspersky Security does not protect the virtual machines.

Creating a main policy

The main policy determines the File Threat Protection settings for virtual machines that are not part of vCloud Director organizations, the Network Threat Protection settings for virtual machines, and the application operating settings.

To create the main policy:

1. In the Kaspersky Security Center Administration Console, start the New Policy Wizard:
   1. In the console tree, select the folder or administration group in which you want to create a policy.
   2. In the workspace, select the Policies tab and click the New policy button.
2. At the first step of the New Policy Wizard, select Kaspersky Security for Virtualization 6.0 Agentless from the list and proceed to the next step of the Wizard.
3. Enter the name of the new policy and proceed to the next step of the wizard.
4. The Wizard establishes a connection to the Integration Server to receive information about the VMware virtual infrastructure.

   If the computer hosting the Administration Console of Kaspersky Security Center belongs to a domain or your domain user account belongs to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, your domain user account is used by default to connect to the Integration Server. The Use domain account check box is selected by default. You can also use the Integration Server administrator account (admin). To do so, clear the Use domain account check box and enter the administrator password in the Password field.

   If the computer hosting the Kaspersky Security Center Administration Console does not belong to a domain, or the computer belongs to a domain but your domain account does not belong to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use only the account of the Integration Server administrator (admin) to connect to the Integration Server. Enter the administrator password in the Password field.

   If the connection to the Integration Server is established using the Integration Server administrator account (admin), you can save the administrator password. To do so, select the Save password check box. The saved administrator password will be used the next time a connection is established with this Integration Server. If you clear the check box selected during the previous connection to the Integration Server, Kaspersky Security removes the previously saved password of the Integration Server administrator.

   The Save password check box may be unavailable if Windows updates KB 2992611 and/or KB 3000850 have been installed on the computer hosting the Kaspersky Security Center Administration Console. To restore the capability to save the administrator password, you can uninstall these Windows updates or modify the operating system registry as described in the Knowledge Base.

   Proceed to the next step of the Policy Wizard.

   The wizard checks the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

   To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

   After the connection is established, the Choice of protected infrastructure window opens. Select one of the following options:

   • If you are creating a policy in an administration group that contains the "VMware vCenter Agentless" cluster, select the One VMware vCenter Server option. Then select the listed VMware vCenter Server corresponding to this KSC cluster.

     If the selected VMware vCenter Server does not correspond to the administration group that contains the policy, Kaspersky Security does not protect virtual machines.

   • If you are creating a policy located in any other folder or administration group, select the Entire protected infrastructure option.

   Click OK in the Choice of protected infrastructure window.

5. At this step, you can change the default settings of the main protection profile.

   If a policy is being created in a group that contains the "VMware vCenter Agentless" cluster, the main protection profile is assigned to the VMware vCenter Server by default and is inherited by all child objects of the virtual infrastructure.

   Proceed to the next step of the wizard.

6. At this step, you can enable SNMP monitoring of the SVM status.

   To prevent unauthorized access to the SNMP service, you can create a list of IP addresses to which the SNMP Agent must relay SVM status information.

   Proceed to the next step of the wizard.

7. Decide on whether or not to participate in Kaspersky Security Network. To do so, carefully read the Kaspersky Security Network Statement, then perform one of the following actions:
   • If you want the application to use KSN in its operations and you agree to all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement.
   • If you do not want to participate in KSN, select the I do not accept the terms of this Kaspersky Security Network Statement option and confirm your decision in the window that opens.

   If you want the application to use Private KSN in its operations, select the Use Private KSN check box.

   If you want Kaspersky Security to use the KSN, please make sure the required KSN type is configured in Kaspersky Security Center. To use Global KSN, the KSN proxy server service must be enabled in Kaspersky Security Center. To use Private KSN, it must be enabled and configured in Kaspersky Security Center. See Kaspersky Security Center documentation for more information.

   If necessary, you will be able to change the settings for KSN usage in the application at a later time.

   Proceed to the next step of the wizard.

8. Exit the Policy Wizard.

The created policy will be displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.

After creating a policy, you can assign protection profiles to virtual machines that you want to protect.

In a policy located in an administration group that contains the "VMware vCenter Agentless" cluster, file protection is enabled by default (the main protection profile is used). In policies located in the Managed devices folder or in the administration group that contains the "VMware vCloud Director Agentless" cluster, file protection is disabled by default.

Network protection is disabled by default in all policies. You can configure Network Threat Protection settings in policy properties.

The policy will be applied to SVMs after the Kaspersky Security Center Administration Server relays the information to Kaspersky Security at the next SVM connection. Kaspersky Security will start protecting virtual machines according to the policy settings.

If no license key has been added on an SVM or the application databases are missing, the SVM does not protect the virtual machines.

Creating a tenant policy

A tenant policy is used only if the application is operating in multitenancy mode. A tenant policy lets you configure the File Threat Protection settings for virtual machines that are part of vCloud Director organizations.

To create a tenant policy:

1. In the Kaspersky Security Center Administration Console, start the New Policy Wizard:
   1. In the console tree, select the folder or administration group in which you want to create a policy.
   2. In the workspace, select the Policies tab and click the New policy button.
2. At the first step of the Wizard, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) from the list and proceed to the next step of the Wizard.
3. Enter the name of the new policy and proceed to the next step of the wizard.
4. Specify the Integration Server address and proceed to the next step of the Wizard.

   The Wizard establishes a connection to the Integration Server to receive information about the VMware virtual infrastructure.

   The wizard checks the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

   To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

5. At this step, you can change the default settings of the main protection profile.

   In the policy located in the Managed devices folder of the virtual Administration Server, the main protection profile is assigned by default to all virtual machines within the protected infrastructure of the tenant.

   Proceed to the next step of the wizard.

6. Decide on whether or not to participate in Kaspersky Security Network. To do so, carefully read the Kaspersky Security Network Statement, then perform one of the following actions:
   • If you want the application to use KSN in its operations and you agree to all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement.
   • If you do not want to participate in KSN, select the I do not accept the terms of this Kaspersky Security Network Statement option and confirm your decision in the window that opens.

   You will be able to change your decision later if necessary.

   KSN usage settings (KSN mode and type) are determined by the main policy whose scope includes the virtual machines of the tenant.

   Proceed to the next step of the wizard.

7. Exit the Policy Wizard.

The created tenant policy will be displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.

In a tenant policy that is located in the Managed devices folder of the virtual Administration Server, file protection is enabled by default (the main protection profile is used). If you want to configure different file protection settings for different virtual machines within the protected infrastructure, you need to create and assign additional protection profiles in the policy properties.

In a tenant policy that is located in the Managed devices folder of the main Administration Server or in the administration group that contains the VMware vCloud Director Agentless cluster, file protection is disabled by default.

The policy will be applied to SVMs after the Kaspersky Security Center Administration Server relays the information to Kaspersky Security at the next SVM connection. Kaspersky Security will start protecting virtual machines according to the policy settings.