Connecting Light Agent to SVM

For the Kaspersky Security solution to function, constant interaction between the Light Agent and the Protection Server is required. If there is no connection to the Protection Server, the Light Agent cannot transfer file fragments to the Protection Server for scanning, and scanning is not performed. If Light Agent loses a connection to the Protection Server for more than 5 minutes while running scan tasks, the scan tasks stop and return an error.

To interact with the Protection Server, the Light Agent establishes and maintains a connection to the SVM on which this Protection Server is installed.

Light Agent can connect only to an SVM on which the version of the Protection Server is compatible with the version of the Light Agent. Kaspersky Endpoint Security for Linux 12.1 in Light Agent mode can connect to an SVM with version 6.1.

To connect to an SVM, Light Agent must receive information about the SVMs to which a connection can be made. Light Agent selects an available SVM that is optimal for connection according to the SVM selection algorithm.

Regardless of the algorithm used in selecting SVMs, Light Agents also take into account the following parameters:

• Availability of a valid license (a license key that is not in the denylist is added to the SVM, and the license associated with the key has not expired). Light Agent first connects to the SVM on which the solution is activated (the key is added).
• Type of the license key added to the SVM. If you add a server or desktop key to the SVM, the Light Agent first connects to the SVM on which the key type corresponds to the operating system installed on the virtual machine with Light Agent.
• Protecting the connection between the Light Agent and the Protection Server. A Light Agent for which connection protection is enabled can only connect to SVMs for which encryption of the data channel between the Light Agent and the Protection Server is enabled. A Light Agent for which connection protection is disabled can only connect to SVMs for which channel encryption is disabled or an unsecure connection between the Light Agent and the Protection Server is allowed.
• SVM connection tags. If a tag is assigned to a Light Agent, the Light Agent can only connect to SVMs that are configured to use that connection tag.

Bear in mind that the availability of some of the Light Agent functionality depends on the license edition that was used to activate the solution on the SVM:

• Functionality available under an Enterprise license is available in Light Agent only if Light Agent is connected to an SVM using the solution under an Enterprise license. When you disconnect Light Agent from the current SVM and connect to an SVM with a different license edition, the scope of functionality available in Light Agent changes.
• The Kaspersky Endpoint Detection and Response Optimum functionality is available on a Light Agent only if the Light Agent is connected to an SVM on which the solution is activated with an EDR Optimum license (an EDR Optimum license key is added on the SVM). Disconnecting the Light Agent from the current SVM and connecting to an SVM that does not have an EDR Optimum key added results in the Kaspersky Endpoint Detection and Response Optimum functionality becoming unavailable on the Light Agent.

To prevent Light Agents from switching between SVMs with different license editions, you can use connection tags or lists of SVMs available for connection.

You can obtain information about the status of the connection of Light Agent for Linux to an SVM on a protected virtual machine using the Kaspersky Endpoint Security for Linux command kesl-control --svm-info. For more information about Kaspersky Endpoint Security for Linux commands, see the Kaspersky Endpoint Security for Linux Help.

Information about the loss and restoration of the connection of the Light Agent and SVM can be saved as events in Kaspersky Security Center.

Using virtual machine snapshots taken on a running guest OS (live snapshots) is not recommended for SVMs and virtual machines with Light Agent installed. Restoring from such snapshots results in loss of the connection between Light Agents and the SVMs and degrades the performance of the virtual infrastructure. You can use virtual machine snapshots taken on a running guest OS only if the "Notify only" mode is enabled in the Light Agent settings. For more details, see the Kaspersky Endpoint Security for Linux Help.

About SVM discovery

Light Agent can discover SVMs running on the network in one of the following ways:

• Using the Integration Server. SVMs relay information about themselves to the Integration Server. The Integration Server compiles a list of SVMs available for connection, and sends this list to Light Agents.

  In a large-sized virtual infrastructure running the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, you can limit the size of the list of SVMs available for connection that the Integration Server relays to Light Agents. The Integration Server can transfer information only about the limited number of available SVMs, which you specified in the Integration Server configuration file.

  To use this method of SVM discovery, you must connect SVMs and Light Agents to the Integration Server.

• With the use of the list of SVM addresses. You can specify a list of SVM addresses to which Light Agents can connect.

If the extended SVM selection algorithm is used for the Light Agent, and large infrastructure protection mode is enabled on the SVMs, it is recommended to select the Integration Server as the method for Light Agents to discover SVMs.

Each Light Agent can only use one of two possible SVM detection methods.

You can configure the SVM discovery settings for Light Agents for Linux in a Light Agent for Linux policy (in a policy for the Kaspersky Endpoint Security for Linux application).

About the SVM selection algorithms

Light Agents can apply one of the following SVM selection algorithms for connection:

• A standard SVM selection algorithm

  If this algorithm is applied, after installing and running on a virtual machine, the Light Agent selects an SVM to connect to that is local to Light Agent.

  SVM locality relative to Light Agent is determined depending on the type of virtual infrastructure:

  • In a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer, the SVM that is considered to be local to a Light Agent is the SVM that is deployed on the same hypervisor as the virtual machine with the Light Agent installed.
  • In the virtual infrastructure running on OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, you can specify how to determine SVM locality relative to the Light Agent using the StandardAlgorithmSvmLocality parameter in the HypervisorSpecificSettings:Openstack section of the Integration Server configuration file (%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\appsettings.json).

    The StandardAlgorithmSvmLocality parameter can take the following values:

    • ServerGroup – if this value is selected, SVM is considered local for Light Agent if it is located within the same server group as the virtual machine where Light Agent is installed. This value is used by default.
    • Project – if this value is selected, SVM is considered as local for Light Agent if it is deployed within the same OpenStack project as the virtual machine with the installed Light Agent.
    • AvailabilityZone – if this value is selected, SVM is considered as local for Light Agent if it is located within the same availability zone as the virtual machine with the installed Light Agent.

  If there are no local SVMs for connection, Light Agent selects a SVM with the lowest number of Light Agent connections regardless of SVM path in the virtual infrastructure.

  The application does not determine whether the SVM is local relative to the Light Agent if large infrastructure protection mode is enabled for the Protection Server on the SVM. In this case, it is recommended to use the extended SVM selection algorithm and select the Integration Server as the SVM discovery method.

• An extended SVM selection algorithm

  If this algorithm is applied, you can specify how to determine SVM locality relative to a Light Agent in the Light Agent policy. You can also specify whether Light Agents must consider an SVM's location in the virtual infrastructure when selecting an SVM for connection.

  In a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer, an SVM can be considered local for the Light Agent in any one of the following cases:

  • The SVM is deployed on the same hypervisor as the virtual machine with the installed Light Agent.
  • The SVM is deployed on the same hypervisor cluster as the virtual machine with the installed Light Agent.
  • SVM is deployed in the same data center as the virtual machine with the installed Light Agent.

  In a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, an SVM can be considered as local for Light Agent in one of the following cases:

  • The SVM is located in the same server group as the virtual machine with the installed Light Agent.
  • The SVM is deployed within the same OpenStack project as the virtual machine with the installed Light Agent.
  • The SVM is located in the same availability zone as the virtual machine with the installed Light Agent.

  You can select SVM location type, which will be taken into the account when determining SVM locality relative to Light Agent. Light Agent can connect only to local SVMs.

  For example, if you specify hypervisor cluster as SVM path type, all SVMs deployed on this hypervisor cluster will be considered as local for Light Agent, and Light Agent can connect only to one of this SVMs. If there are no SVMs available for connection in the same cluster in which the Light Agent is running, the Light Agent does not connect to an SVM.

  You can also specify that Light Agents must not take into the account SVM path in the virtual infrastructure when selecting an SVM for connection. In this case, Light Agents can connect to any available SVMs.

  If a Light Agent uses the advanced SVM selection algorithm and a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if the SVM path is ignored.

  When selecting an SVM, Light Agents take into account the number of connected Light Agents to ensure that Light Agents are evenly distributed between SVMs that are available for connection.

You can specify which SVM selection algorithm the Light Agents will use, and configure the settings for using the extended SVM selection algorithm.