Registration of Kaspersky Security services

After configuring the connection between the Integration Server and the VMware vCenter Server, you must start the Kaspersky Security service registration process and enter the settings required for completing the following steps of application installation:

• Registration of Kaspersky Security services in VMware NSX Manager: the file system protection service (Kaspersky File Antimalware Protection) and the network protection service (Kaspersky Network Protection)
• Deployment of Kaspersky Security services
• Initial configuration of new SVMs after deployment of Kaspersky Security services

Registration of Kaspersky Security services in VMware NSX Manager and configuration of new SVMs is performed by the Integration Server.

To enter the settings required for registration and deployment of Kaspersky Security services:

1. Start the Integration Server Console.

   The Virtual infrastructure protection section opens.

2. In the list, select the VMware vCenter Server and expand the list of available actions by clicking the address or name of the VMware vCenter Server in the Address column.
3. In the Manage protection section, select Register Kaspersky Security services.

This starts the Registration of Kaspersky Security Services Wizard. Follow the wizard instructions.

Connecting to VMware NSX Manager

At this step, specify the settings for connecting the Integration Server to VMware NSX Manager:

• IP address in IPv4 format or the fully qualified domain name (FQDN) of VMware NSX Manager.
• Name and password of the user account used to connect to VMware NSX Manager. The Enterprise Administrator role must be assigned to this user account.

At this step, you can also configure the settings used by VMware NSX Manager to transmit information to the Integration Server. The settings that the Integration Server Console used for connecting to the Integration Server are set by default. The Address field contains the fully qualified domain name (FQDN) of the computer on which the Integration Server is installed (if the computer is in a domain), the name of the computer in a Windows workgroup (if the computer is not in a domain), or the computer IP address.

Make sure that VMware NSX Manager can connect to the Integration Server using the default settings or change those settings. To change the settings, select the Specify the settings for connecting VMware NSX Manager to Integration Server check box, and specify the IP address or fully qualified domain name of the computer on which the Integration Server is installed and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to VMware NSX Manager and to the Integration Server using the specified settings.

When establishing the connection to VMware NSX Manager, the Wizard verifies the SSL certificate received from VMware NSX Manager. If the received certificate contains an error, the Wizard displays an error message. Click the View certificate link to view information about the received certificate.

If a connection error occurs because the certificate received from VMware NSX Manager is not trusted for the Integration Server but the received certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and establish a connection. To do so, click the Install certificate button. The received certificate is saved as a trusted certificate for the Integration Server.

Certificates that are trusted in the operating system in which the Integration Server is installed are also considered to be trusted for the Integration Server.

If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

If checking the Integration Server connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

Selecting an SVM image for the file system protection service

If you want to install the File Threat Protection component, at this step you must specify the SVM image with the installed File Threat Protection component. The Integration Server registers the file system protection service (Kaspersky File Antimalware Protection) in VMware NSX Manager. After registration finishes, you can deploy the file system protection service on VMware clusters. As a result, SVMs with the File Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the File Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed File Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

To specify the SVM image, perform the following actions:

1. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
2. Click the Validate button.

   The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

   If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

   • SVM configuration. The number of processors and RAM allocated for the SVM.

     If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

   • Application name. Name of the application that is installed on the SVM.
   • SVM version. Number of the SVM version.
   • Vendor. Vendor of the application that is installed on the SVM.
   • Description. Brief description of the application.
   • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

If you do not want to install the File Threat Protection component, clear the Register the file system protection service check box.

Proceed to the next step of the wizard.

Selecting an SVM image for the network protection service

If you wish to install the Network Threat Protection component, you must specify the SVM image with the installed Network Threat Protection component at this stage. The Integration Server registers the network protection service (Kaspersky Network Protection) in VMware NSX Manager. After registration finishes, you can deploy the network protection service on VMware clusters. As a result, SVMs with the Network Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the Network Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed Network Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

To specify the SVM image, perform the following actions:

1. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
2. Click the Validate button.

   The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

   If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

   • SVM configuration. The number of processors and RAM allocated for the SVM.

     If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

   • Application name. Name of the application that is installed on the SVM.
   • SVM version. Number of the SVM version.
   • Vendor. Vendor of the application that is installed on the SVM.
   • Description. Brief description of the application.
   • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

If you do not want to install the Network Threat Protection component, clear the Register the network protection service check box.

Proceed to the next step of the wizard.

Selecting the traffic processing mode for the Network Threat Protection component

If you specified an SVM image with the installed Network Threat Protection component at the previous step, at this step you need to select the traffic processing mode for the Network Threat Protection component. The traffic processing mode determines the settings of the application installed on an SVM with the Network Threat Protection component.

You can select one of the following traffic processing modes:

• Standard mode. If this mode is selected, the virtual filter (VMware DVFilter) intercepts the traffic of virtual machines and sends it to Kaspersky Security to be scanned. When Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it performs the action that is specified in policy settings and relays information about events to the Kaspersky Security Center Administration Server.

  This option is selected by default.

• Monitoring mode. If this mode is selected, Kaspersky Security receives a copy of traffic of virtual machines. When signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

After network protection service registration and SVM deployment, the traffic processing mode cannot be changed. To select a different traffic processing mode, you will have to remove the SVMs, unregister the network protection service, and then re-register the network protection service with the new traffic processing mode and deploy new SVMs.

Proceed to the next step of the wizard.

Configuring the connection settings for an SVM

At this step, specify the IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.

At this step, you can also configure the settings for connecting an SVM to the Integration Server. The settings that the Integration Server Console used for connecting to the Integration Server are set by default. The Address field contains the fully qualified domain name (FQDN) of the computer on which the Integration Server is installed (if the computer is in a domain), the name of the computer in a Windows workgroup (if the computer is not in a domain), or the computer IP address.

Make sure that SVM can connect to the Integration Server using the default settings or change those settings. To change the settings, select the Specify the settings for connecting SVMs to Integration Server check box, and specify the IP address or fully qualified domain name of the computer on which the Integration Server is installed, and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the Kaspersky Security Center and to the Integration Server using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

Creating passwords for accounts on SVMs

At this step, create a password for the klconfig user account (configuration password) and a password for the root user account on SVMs. The configuration password is required for SVM reconfiguration. The root account is used for accessing the operating system on SVMs and for accessing SVM trace files.

Enter a password for each user account in the Password and Confirm password fields.

The passwords should be up to 60 characters long. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

To prevent unauthorized access to an SVM after SVM deployment, it is recommended to change the configuration password regularly. You can change the configuration password by using the Kaspersky Security reconfiguration procedure.

Proceed to the next step of the wizard.

Selecting the time zone for SVMs

At this step, you can select the time zone that will be used on all SVMs. By default, the time zone for SVMs corresponds to the time zone that has been set on the computer on which the Integration Server Console is installed.

If you need to change the time zone for SVMs, select a value from the drop-down list.

Proceed to the next step of the wizard.

Configuring the settings for connecting to network data storage

At this step, you can configure the following settings for using network data storage:

• Allow or block the use of network data storage for SVMs.
• Specify the settings for connecting SVMs to network data storage.

Network data storage can be used for storing backup copies of files that have been moved to Backups on SVMs. By default, SVMs do not use network data storage.

If you want to allow the use of network data storage for SVMs, select the Use network data storage option and define the following settings for connecting to storage:

• Network data storage address in UNC format.

  The defined address cannot be localhost or 127.0.0.1.

• Account used by SVMs to connect to the network data storage, in the format <domain>\<user name>.
• Connection account password.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the network data storage using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

Confirming Kaspersky Security settings

At this step, check the entered settings of Kaspersky Security.

Proceed to the next step of the wizard to start registration of Kaspersky Security services.

Registration of Kaspersky Security services

This step displays information about operations that are performed by the Integration Server in order to register Kaspersky Security services and prepare the configuration settings that will be distributed to new SVMs after they are deployed.

If an error occurred during such operations, the Wizard displays the relevant information. The Wizard performs rollback of changes.

After all operations have been completed, proceed to the next step of the Wizard.

Exiting the wizard

This step displays information about the result of Kaspersky Security service registration.

If the services were registered successfully, exit the Wizard.

If registration of services ended with an error, the Wizard displays information about the error. If this is the case, exit the Wizard, eliminate the cause of the error, and restart the procedure. For detailed information about errors, you can view the Integration Server trace files (if you enabled the logging of information to Integration Server trace files).