Contents
- Preparing to install the solution
- Files required for installing the solution
- Downloading SVM images using the wizard
- Configuring the ports to use
- Accounts for installing and using the solution
- Configuring the use of secure cryptographic algorithms, ciphers, and protocols
- Configuring rules for moving virtual machines to administration groups
Preparing to install the solution
Before installing Kaspersky Security, you need to do the following.
General preparations
- Install one of the supported versions of Kaspersky Security Center.
- Check the virtual infrastructure components' compliance with the hardware and software requirements of the Kaspersky Security solution.
- Prepare the files required for installing the solution.
- Make sure that only secure cryptographic algorithms, cipher suites, and protocols are used on the devices where the solution components are installed and on the virtual infrastructure objects to which the Integration Server connects.
- Make sure that the settings of the network equipment or software controlling traffic between virtual machines allow network traffic to pass through the ports used during installation and operation of the solution.
- Make sure that you have configured the settings of the accounts that are required for installation and operation of the solution.
- If the network uses dynamic IP addressing, ensure the capability to route network traffic from the SVM to the device on which the Kaspersky Security Center Administration Server is installed.
- Install the latest Windows updates prior to installing the Integration Server, Integration Server Console, and Kaspersky Security MMC plug-ins.
- If you want virtual machines on which the Kaspersky Security components are installed to be automatically moved into administration groups after installation of the components, create the administration groups in the Kaspersky Security Center Administration Console and configure rules for automatically moving the virtual machines to administration groups.
Preparing to install Light Agent on virtual machines
Before installing the Light Agent, you need to do the following.
- Check that the virtual machines you plan to protect with Kaspersky Security comply with the hardware and software requirements of the Kaspersky Endpoint Security for Linux application being used as a Light Agent for Linux. Install the packages and tools necessary for the application to work.
- Perform the preparatory steps necessary to install Light Agent (for more details, see the Kaspersky Endpoint Security for Linux Help).
Additional steps for Microsoft Hyper-V platform
In a virtual infrastructure on the Microsoft Hyper-V platform, you also need to perform the following steps before installing the Kaspersky Security solution:
- Ensure that the Integration Services package is installed on virtual machines that you want to protect.
- Ensure that the ADMIN$ shared network resource is enabled on the hypervisor. To enable the ADMIN$ shared network resource on Microsoft Windows Server 2012 R2 Hyper-V hypervisors, a File Server role must be assigned in advance using the server configuration wizard.
- Ensure that the drive where the ADMIN$ shared network resource is located has enough space for the SVM image. During installation of the Protection Server component, the SVM image is copied to the ADMIN$ shared network resource and then moved to the folder specified during SVM deployment.
- Ensure that hypervisors that are not members of an Active Directory domain have Windows Remote Management (WinRM) version 3.0 installed. WinRM 3.0 is included in the Windows Management Framework 3.0 installation package, which can be downloaded from the Microsoft website.
- If you want to use a domain account to connect the Integration Server to the hypervisor, make sure that the following conditions are met:
- Integration Server is able to determine the hypervisor address using the domain name service (DNS) of the domain of the hypervisor on which the SVM is deployed.
- The DNS server has forward and reverse records for the Integration Server.
- Zones containing records about the Integration Server and the hypervisor on which the SVM is deployed are integrated with Active Directory.
- The device from which SVM deployment is performed is able to resolve the names of hypervisors on which the SVM is deployed.
- If you want the hypervisor user name and password, which were specified during installation of the SVM, to be encrypted when transmitted, you can use an SSL certificate to configure a secure connection between the hypervisor on which the SVM will be deployed and the device where the Kaspersky Security Center Administration Console is installed.
Additional Steps for VMware vSphere platform
In a virtual infrastructure on the VMware vSphere platform, you also need to perform the following steps before installing the Kaspersky Security solution:
- Make sure that the VMware Tools kit is installed on the virtual machines that you want to protect.
- If a proxy server is used to connect the device hosting the Kaspersky Security Center Administration Console to the VMware vCenter Server, make sure that the virtual machines are available via the proxy server.
Additional steps for the XenServer platform
In the virtual infrastructure on the XenServer platform, before installing the Kaspersky Security solution, make sure that the XenTools package is installed on the virtual machines that you want to protect.
Additional steps for Proxmox VE platform
In a virtual infrastructure on the Proxmox VE platform, make sure that there is at least 30 GB of free space in the /var/tmp directory before installing the Kaspersky Security solution.
Additional steps for HUAWEI FusionSphere platform
In the virtual infrastructure on the HUAWEI FusionSphere platform, before installing the Kaspersky Security solution, make sure that HUAWEI Tools is installed on the virtual machines that you want to protect.
While deploying an SVM in a virtual infrastructure based on the HUAWEI FusionSphere platform, the SVM Management Wizard installs the HUAWEI Tools package on the SVM. To receive this package, the Wizard queries the HUAWEI FusionCompute hypervisor. The HUAWEI Tools package is not included in the Kaspersky Security solution's distribution kit. It is recommended to make sure that the HUAWEI Tools package is available on the HUAWEI FusionCompute hypervisor.
Additional steps for Astra Linux Platform
Prior to starting installation of the solution in a virtual infrastructure running on the Astra Linux Platform, you need to configure the account that will be used for SVM deployment, removal, and reconfiguration as follows:
- Run the following command:
  sudo usermod -a -G kvm,libvirt,libvirt-qemu,libvirt-admin <user_name>
- Open the sudoers configuration file by running the following command:
  sudo visudo
- Specify the following in the file:
  <user_name> ALL = (ALL) NOPASSWD: ALL
  <user_name> refers to the name of the user account that will be used to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration.
- Save the sudoers file and then close it.
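As an added check (not Kaspersky's code), the Python below verifies offline that an account prepared by the steps above belongs to the four required groups and carries exactly the sudoers rule shown, by parsing the output of `id -nG <user_name>` and the text of the sudoers file. The account name ksv-deploy and both sample inputs are constructed.

```python
"""Check that an account prepared for SVM deployment on Astra Linux matches
the procedure: membership of kvm, libvirt, libvirt-qemu and libvirt-admin,
and a sudoers rule of the form "<user_name> ALL = (ALL) NOPASSWD: ALL".

Added example, not Kaspersky's code. It works on the text of `id -nG <user>`
output and of a sudoers file; the account name ksv-deploy and both sample
inputs below are constructed.
"""
import re
from typing import List, Set, Tuple

REQUIRED_GROUPS = {"kvm", "libvirt", "libvirt-qemu", "libvirt-admin"}
# (hosts, runas, tags, commands) of the rule the procedure adds
EXPECTED_RULE = ("ALL", "ALL", "NOPASSWD", "ALL")

# user  host = (runas) TAG: commands   (aliases/Defaults are filtered out first)
_RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:\w+:\s*)*)(.+)$")


def missing_groups(id_ng_output: str) -> Set[str]:
    """Required groups absent from the space-separated output of `id -nG <user>`."""
    return REQUIRED_GROUPS - set(id_ng_output.split())


def sudoers_rules_for(sudoers_text: str, user: str) -> List[Tuple[str, str, str, str]]:
    """Parse every user specification whose user field is exactly `user`
    (so "alice" never matches "alice2" or "%alice"). Backslash-continued
    lines are joined and comments stripped before matching."""
    joined = re.sub(r"\\\n", " ", sudoers_text)
    rules = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Runas_Alias",
                                        "Host_Alias", "Cmnd_Alias", "@include")):
            continue
        m = _RULE.match(line)
        if not m or m.group(1) != user:
            continue
        hosts, runas = m.group(2), m.group(3) or ""
        tags = m.group(4).replace(" ", "").rstrip(":")
        rules.append((hosts, runas, tags, m.group(5).strip()))
    return rules


def is_prepared(id_ng_output: str, sudoers_text: str, user: str) -> bool:
    """True when both preparation steps for `user` are in place."""
    return (not missing_groups(id_ng_output)
            and EXPECTED_RULE in sudoers_rules_for(sudoers_text, user))


# Constructed stand-ins for `id -nG ksv-deploy` output and /etc/sudoers.
SAMPLE_ID_OUTPUT = "ksv-deploy kvm libvirt libvirt-qemu libvirt-admin"
SAMPLE_SUDOERS = """\
# constructed sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
ksv-deploy ALL = (ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    print("missing groups:", missing_groups(SAMPLE_ID_OUTPUT) or "none")
    print("rules for ksv-deploy:", sudoers_rules_for(SAMPLE_SUDOERS, "ksv-deploy"))
    print("prepared:", is_prepared(SAMPLE_ID_OUTPUT, SAMPLE_SUDOERS, "ksv-deploy"))
```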
Files required for installing the solution
Before you begin installing the Kaspersky Security solution, you need to download the files necessary for the installation and operation of the solution.
Kaspersky Security Components Installation Wizard and the Integration Server
The Kaspersky Security Components Installation Wizard is required for the following tasks:
- Installing, updating, and removing the Integration Server and Integration Server Console.
- Downloading from the Kaspersky website the SVM images required for installing the Protection Server.
To start the Kaspersky Security components installation wizard, you will need the ksvla-components_<solution version number>_mlg.exe file. You can download this file from the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section (Build → Kaspersky Security Components Installation Wizard).
SVM images
To install the Protection Server, you need an SVM image file and an image description file (a file in XML format). The Kaspersky Security distribution kit includes the following archives for installing the Protection Server in virtual infrastructures of various types:
- The ksvla-svm_microsoft-hyper-v_<solution version number>_mlg.zip file is used to install the Protection Server in a Microsoft Hyper-V infrastructure; the archive contains an SVM image in VHDX format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
- The ksvla-svm_xenserver_numa-vserver_<solution version number>_mlg.zip file is used to install the Protection Server in XenServer and Numa vServer infrastructures; the archive contains an SVM image in XVA format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
- The ksvla-svm_vmware-vsphere_<solution version number>_mlg.zip file is used to install the Protection Server in a VMware vSphere infrastructure; the archive contains an SVM image in OVA format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
- The ksvla-svm_kvm_based_<solution version number>_mlg.zip file is used to install the Protection Server in KVM (Kernel-based Virtual Machine), OpenStack, VK Cloud platform, Proxmox VE, Basis (Skala-R), HUAWEI FusionSphere, Nutanix Acropolis, ALT Virtualization Server, and Astra Linux infrastructures. The archive contains an SVM image in QCOW2 format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
You can download archives containing SVM images and SVM image description files using the Kaspersky Security Components Installation Wizard. The archives are also available on the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section.
The resulting SVM image file and image description file (file in XML format) must be placed in the same folder on the device where the Kaspersky Security Center Administration Console is installed, or in the same folder on a network resource to which the user account performing the installation has read access. If you want to install Protection Server in different types of virtual infrastructures, the SVM image file and image description file for each infrastructure must be placed in the same folder.
Light Agent for Linux
The Kaspersky Security solution uses Kaspersky Endpoint Security for Linux as the Light Agent for Linux. To install and use Kaspersky Endpoint Security for Linux in Light Agent mode, the following files are required:
- Packages for installing Kaspersky Endpoint Security for Linux:
- kesl-<application version number>-<build number>.i386.rpm, kesl_<application version number>-<build number>_i386.deb are packages for installation on 32-bit operating systems in accordance with the type of package manager.
- kesl-<application version number>-<build number>.x86_64.rpm, kesl_<application version number>-<build number>_amd64.deb are packages for installation on 64-bit operating systems in accordance with the type of package manager.
- The kesl-<application version number>.<build number>.zip archive. The archive contains files for remote installation of Kaspersky Endpoint Security for Linux using Kaspersky Security Center, as well as a file with the text of the End User License Agreement for Kaspersky Endpoint Security for Linux and the Privacy Policy (license.<language ID>) and a file with the text of the Kaspersky Security Network Statement (ksn_license.<language ID>).
You can download the files required to install the Light Agent for Linux component on the Kaspersky website in the Kaspersky Endpoint Security for Linux section.
Kaspersky Security Center and Kaspersky Security Center Network Agent
To install and manage the operation of the Kaspersky Security solution, you need to install Kaspersky Security Center.
For Light Agent components installed on virtual machines to interact with Kaspersky Security Center, you must install Network Agent on the virtual machines where Light Agent will be installed.
You can download the files required to install Kaspersky Security Center and Network Agent on the Kaspersky website in the Kaspersky Security Center section. For more information on installing Kaspersky Security Center, please refer to the Kaspersky Security Center Help.
Management MMC plug-ins
To manage solution components through Kaspersky Security Center Administration Console, you need to install management MMC plug-ins on the device where Kaspersky Security Center Administration Console is installed.
You can download MMC plug-in installation files from the Kaspersky website:
- The klcfginst.msi file is used to install the MMC plug-in for Kaspersky Security for Virtualization 6.1 Light Agent – Protection Server. The file is located on the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section.
- The KSC_KES4Linux12_1_X.zip archive, where 12_1_X is the version number of Kaspersky Endpoint Security for Linux. This archive is used to install the MMC plug-in for Kaspersky Endpoint Security 12.1 for Linux. The archive is located on the Kaspersky website in the Kaspersky Endpoint Security for Linux section.
To install and update MMC plug-ins, you can also use the list of Kaspersky applications in the Administration Console (Advanced → Remote installation → Installation packages → Additional actions → View current versions of Kaspersky applications).
Management web plug-ins
To manage solution components via Kaspersky Security Center Web Console, you need to install management web plug-ins on the device where Kaspersky Security Center Web Console is installed.
To install web plug-ins, you can use the list of available plug-ins in the Web Console (Settings → Web plug-ins → Add) or download archives for installing management web plug-ins from the Kaspersky website:
- The ksvla-web_plugin_svm_<solution version number>_mlg.zip archive is used to install the web plug-in for Kaspersky Security for Virtualization 6.1 Light Agent – Protection Server.
- The kes_linux_12_1_local_<solution version number>.zip archive is used to install the Kaspersky Endpoint Security 12.1 for Linux web plug-in.
Downloading SVM images using the wizard
The Kaspersky Security Components Installation Wizard can download from the Kaspersky website the images necessary for deploying SVMs on hypervisors.
To download the SVM images:
- On the device where Administration Console and Kaspersky Security Center Administration Server are installed, run the ksvla-components_<solution version number>_mlg.exe file. This file is included in the distribution kit.
The Kaspersky Security Components Installation Wizard starts.
- Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.
By default, the localization language of the operating system installed on the device where the Wizard was started is used.
- Select the Download SVM images option and proceed to the next step of the wizard.
- Select the type of hypervisor on which you want to deploy SVMs.
If you want to download an SVM image for deployment on the VK Cloud platform, select KVM hypervisor managed by OpenStack platform as the hypervisor type.
The archive containing the SVM image and SVM image description file (in XML format) will begin downloading in a window of the default browser.
- After the download completes, close the wizard (using the Cancel button) or return to the step for selecting the action taken by the Kaspersky Security Components Installation Wizard (using the Back button).
Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.
Configuring the ports to use
To install and operate the solution components, in the settings of the network equipment or software used to control traffic between virtual machines, you need to open the ports described in the table below.
Ports used by solution components
| Port and protocol | Direction | Purpose and description |
|---|---|---|
| All platforms | | |
| 7271 TCP | From the to the . | For sending settings for connecting to the virtual infrastructure to the Integration Server. |
| 7271 TCP | From the device from which the requests are made to the Integration Server REST API, to the Integration Server. | For automating deployment and operation of the solution in multitenancy mode using the Integration Server REST API. |
| 22 TCP | From the SVM Management Wizard to an . | For SVM reconfiguration. |
| 7271 TCP | From the SVM to the Integration Server. | For interaction between the Protection Server and the Integration Server. |
| 7271 TCP | From the to the Integration Server. | For interaction between the Light Agent and the Integration Server. |
| 8000 UDP | From an SVM to the Light Agent. | For sending information about available SVMs to Light Agents using a list of SVM addresses. |
| 8000 UDP | From the Light Agent to the SVM. | To provide the Light Agent with information about the status of the SVM. |
| 11111 TCP | From the Light Agent to the SVM. | For transmitting service requests (for example, to obtain license information) from the Light Agent to the Protection Server when the connection is unprotected. |
| 11112 TCP | From the Light Agent to the SVM. | For transmitting service requests (for example, to obtain license information) from the Light Agent to the Protection Server when the connection is protected. |
| 9876 TCP | From the Light Agent to the SVM. | For forwarding file scan requests from the Light Agent to the Protection Server when the connection is unprotected. |
| 9877 TCP | From the Light Agent to the SVM. | For transmitting file scan requests from the Light Agent to the Protection Server when the connection is protected. |
| 80 TCP | From the Light Agent to the SVM. | For updating databases and application modules of the solution on the Light Agent. |
| 15000 UDP | From Kaspersky Security Center to the SVM. | For managing the Protection Server via Kaspersky Security Center. |
| 13000 TCP | From the SVM to Kaspersky Security Center. | For managing the Protection Server via Kaspersky Security Center when the connection is protected. |
| 14000 TCP | From the SVM to Kaspersky Security Center. | For managing the Protection Server via Kaspersky Security Center when the connection is unprotected. |
| 15000 UDP | From Kaspersky Security Center to Light Agents. | For managing the Light Agent via Kaspersky Security Center. |
| 13000 TCP | From the Light Agent to Kaspersky Security Center. | For managing the Light Agent via Kaspersky Security Center when the connection is protected. |
| 14000 TCP | From the Light Agent to Kaspersky Security Center. | For managing the Light Agent via Kaspersky Security Center when the connection is unprotected. |
| 13111 TCP | From the SVM to the Kaspersky Security Center Administration Server. | For interaction between the Protection Server and the KSN proxy server. |
| 17000 TCP | From the SVM to the Kaspersky Security Center Administration Server. | For interaction between the Protection Server and Kaspersky activation servers. |
| 123 UDP | From the SVM to NTP servers obtained via DHCP or specified manually. | Synchronizing time on the SVM with a time server. |
| VMware vSphere platform | | |
| 80 TCP, 443 TCP | From the SVM Management Wizard to VMware vCenter Server. | To deploy the SVM on a VMware ESXi hypervisor using a VMware vCenter Server. |
| 443 TCP | From the SVM Management Wizard to an ESXi hypervisor. | To deploy the SVM on a VMware ESXi hypervisor using a VMware vCenter Server. |
| 80 TCP, 443 TCP | From the Integration Server to the VMware vCenter Server. | For interaction between the Integration Server and the VMware ESXi hypervisor using the VMware vCenter Server. |
| Microsoft Hyper-V platform | | |
| 135 TCP/UDP, 445 TCP/UDP | From the SVM Management Wizard to a Microsoft Windows Server (Hyper-V) hypervisor. | To deploy an SVM on a Microsoft Windows Server (Hyper-V) hypervisor. |
| 135 TCP/UDP, 445 TCP/UDP, 5985 TCP, 5986 TCP | From the Integration Server to the Microsoft Windows Server (Hyper-V) hypervisor. | For interaction between the Integration Server and the Microsoft Windows Server (Hyper-V) hypervisor. |
| XenServer platform | | |
| 80 TCP, 443 TCP | From the SVM Management Wizard to the XenServer hypervisor. | To deploy the SVM on a XenServer hypervisor. |
| 80 TCP, 443 TCP | From the Integration Server to the XenServer hypervisor. | For interaction between the Integration Server and the XenServer hypervisor. |
| KVM platform | | |
| 22 TCP | From the SVM Management Wizard to a KVM hypervisor. | To deploy the SVM on a KVM hypervisor. |
| 22 TCP | From the Integration Server to the KVM hypervisor. | For interaction between the Integration Server and the KVM hypervisor. |
| Proxmox VE platform | | |
| 22 TCP, 8006 TCP | From the SVM Management Wizard to a Proxmox VE hypervisor. | To deploy the SVM on a Proxmox VE hypervisor. |
| 8006 TCP | From the Integration Server to the Proxmox VE hypervisor. | For interaction between the Integration Server and the Proxmox VE hypervisor. |
| Basis (Skala-R) platform | | |
| 443 TCP | From the SVM Management Wizard to Basis.vControl (Skala-R Management). | To deploy an SVM on the R-Virtualization hypervisor using Basis.vControl (Skala-R Management). |
| 22 TCP | From the SVM Management Wizard to an R-Virtualization hypervisor. | To deploy an SVM on the R-Virtualization hypervisor using Basis.vControl (Skala-R Management). |
| 22 TCP | From the SVM Management Wizard to Basis.vControl (Skala-R Management). | To deploy an SVM on the R-Virtualization hypervisor using Basis.vControl (Skala-R Management). |
| 443 TCP | From the Integration Server to Basis.vControl (Skala-R Management). | For the interaction of the Integration Server with the R-Virtualization hypervisor using Basis.vControl (Skala-R Management). |
| HUAWEI FusionSphere platform | | |
| 7443 TCP | From the SVM Management Wizard to the HUAWEI FusionCompute VRM. | To deploy an SVM on a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM. |
| 8779 TCP | From the SVM Management Wizard to a HUAWEI FusionCompute CNA hypervisor. | To deploy an SVM on a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM. |
| 7443 TCP | From the Integration Server to the HUAWEI FusionCompute VRM. | For interaction between the Integration Server and a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM. |
| Nutanix Acropolis platform | | |
| 9440 TCP | From the SVM Management Wizard to Nutanix Prism Central. | To deploy SVMs on the Nutanix AHV hypervisor in an infrastructure managed by Nutanix Prism Central. |
| 9440 TCP | From the SVM Management Wizard to Nutanix Prism Element. | To deploy SVMs on the Nutanix AHV hypervisor in an infrastructure managed by Nutanix Prism Element. |
| 9440 TCP | From the Integration Server to Nutanix Prism Central. | For interaction between the Integration Server and the Nutanix AHV hypervisor in an infrastructure managed by Nutanix Prism Central. |
| 9440 TCP | From the Integration Server to Nutanix Prism Element. | For interaction between the Integration Server and the Nutanix AHV hypervisor in an infrastructure managed by Nutanix Prism Element. |
| OpenStack platform | | |
| 5000 TCP | From the SVM Management Wizard to the Keystone microservice. | To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
| 8774 TCP | From the SVM Management Wizard to the Compute (Nova) microservice. | To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
| 8776 TCP | From the SVM Management Wizard to the Cinder microservice. | To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
| 9292 TCP | From the SVM Management Wizard to the Glance microservice. | To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
| 9696 TCP | From the SVM Management Wizard to the Neutron microservice. | To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
| 5000 TCP | From the Integration Server to the Keystone microservice. | For the Integration Server's interaction with the OpenStack platform. |
| 8774 TCP | From the Integration Server to the Compute (Nova) microservice. | For the Integration Server's interaction with the OpenStack platform. |
| VK Cloud platform | | |
| 5000 TCP | From the SVM Management Wizard to the Keystone microservice. | To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
| 8774 TCP | From the SVM Management Wizard to the Compute (Nova) microservice. | To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
| 8776 TCP | From the SVM Management Wizard to the Cinder microservice. | To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
| 9292 TCP | From the SVM Management Wizard to the Glance microservice. | To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
| 9696 TCP | From the SVM Management Wizard to the Neutron microservice. | To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
| 5000 TCP | From the Integration Server to the Keystone microservice. | For interaction of the Integration Server with the VK Cloud platform. |
| 8774 TCP | From the Integration Server to the Compute (Nova) microservice. | For interaction of the Integration Server with the VK Cloud platform. |
| TIONIX Cloud Platform | | |
| 5000 TCP | From the SVM Management Wizard to the Keystone microservice. | To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
| 8774 TCP | From the SVM Management Wizard to the Compute (Nova) microservice. | To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
| 8776 TCP | From the SVM Management Wizard to the Cinder microservice. | To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
| 9292 TCP | From the SVM Management Wizard to the Glance microservice. | To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
| 9696 TCP | From the SVM Management Wizard to the Neutron microservice. | To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
| 5000 TCP | From the Integration Server to the Keystone microservice. | For interaction of the Integration Server with TIONIX Cloud Platform. |
| 8774 TCP | From the Integration Server to the Compute (Nova) microservice. | For interaction of the Integration Server with TIONIX Cloud Platform. |
| ALT Virtualization Server platform | | |
| 22 TCP | From the SVM Management Wizard to a hypervisor. | To deploy the SVM on a basic hypervisor of the ALT Virtualization Server platform. |
| 22 TCP | From the Integration Server to a hypervisor. | For the Integration Server to interact with a basic hypervisor of the ALT Virtualization Server platform. |
| Astra Linux platform | | |
| 22 TCP | From the SVM Management Wizard to a hypervisor. | To deploy the SVM on a KVM hypervisor running on the Astra Linux platform. |
| 22 TCP | From the Integration Server to a hypervisor. | For interaction between the Integration Server and a KVM hypervisor running on the Astra Linux platform. |
| Numa vServer platform | | |
| 80 TCP, 443 TCP | From the SVM Management Wizard to the Numa vServer hypervisor. | To deploy the SVM on a Numa vServer hypervisor. |
| 80 TCP, 443 TCP | From the Integration Server to the Numa vServer hypervisor. | For interaction between the Integration Server and the Numa vServer hypervisor. |
If you use the XenServer Hypervisor or VMware ESXi hypervisor, and promiscuous mode is enabled on the network adapter of the guest operating system of the virtual machine, the guest operating system receives all Ethernet frames passing through the virtual switch, if this is allowed by the VLAN policy. This mode may be used to monitor and analyze traffic in the network segment that the SVM and protected virtual machines are operating in. If you have not configured a secure connection between the SVM and the protected virtual machines, traffic between the SVM and the protected virtual machines is not encrypted and is transmitted as plaintext. For security purposes, it is not recommended to use promiscuous mode in network segments that have a running SVM. If you need to use this mode (for example, for monitoring traffic using external virtual machines to detect attempts at unauthorized network access or to correct network failures), you need to configure the appropriate restrictions to protect traffic between the SVM and the protected virtual machines from unauthorized access.
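As an added example (not Kaspersky's code), the Python below derives from the port table the inbound and outbound allow-list for a given solution role and renders nftables input rules for it; its secure_connection flag drops the plaintext ports (11111, 9876, 14000) once the protected connection discussed above is configured. The role labels, the nftables table and chain names ("inet filter", "input") and the lab address ranges are assumptions, and the FLOWS list transcribes only the All-platforms rows whose two endpoints are both named plus the VMware vSphere rows.

```python
"""Per-host allow-lists derived from the port table on this page.

Added example, not Kaspersky's code. FLOWS transcribes the "All platforms"
rows whose two endpoints are both named, plus the VMware vSphere rows; the
role labels, the nftables table/chain names ("inet filter", "input") and
the lab address ranges in the demo are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str                   # role that opens the connection
    dst: str                   # role that must accept it
    port: int
    proto: str                 # "tcp" or "udp"
    protected: Optional[bool]  # True/False for an encrypted/plaintext pair, else None
    purpose: str


IS, SVM, LA = "Integration Server", "SVM", "Light Agent"
KSC, WIZ = "Kaspersky Security Center", "SVM Management Wizard"
VC, ESXI = "VMware vCenter Server", "VMware ESXi hypervisor"
REST, NTP = "REST API client", "NTP server"

FLOWS: List[Flow] = [
    Flow(REST, IS, 7271, "tcp", None, "Integration Server REST API"),
    Flow(SVM, IS, 7271, "tcp", None, "Protection Server to Integration Server"),
    Flow(SVM, LA, 8000, "udp", None, "list of available SVMs"),
    Flow(LA, SVM, 8000, "udp", None, "SVM status"),
    Flow(LA, SVM, 11111, "tcp", False, "service requests"),
    Flow(LA, SVM, 11112, "tcp", True, "service requests"),
    Flow(LA, SVM, 9876, "tcp", False, "file scan requests"),
    Flow(LA, SVM, 9877, "tcp", True, "file scan requests"),
    Flow(LA, SVM, 80, "tcp", None, "database and module updates"),
    Flow(KSC, SVM, 15000, "udp", None, "manage Protection Server"),
    Flow(SVM, KSC, 13000, "tcp", True, "manage Protection Server"),
    Flow(SVM, KSC, 14000, "tcp", False, "manage Protection Server"),
    Flow(KSC, LA, 15000, "udp", None, "manage Light Agent"),
    Flow(LA, KSC, 13000, "tcp", True, "manage Light Agent"),
    Flow(LA, KSC, 14000, "tcp", False, "manage Light Agent"),
    Flow(SVM, KSC, 13111, "tcp", None, "KSN proxy"),
    Flow(SVM, KSC, 17000, "tcp", None, "activation servers"),
    Flow(SVM, NTP, 123, "udp", None, "time synchronisation"),
    # VMware vSphere platform rows
    Flow(WIZ, VC, 80, "tcp", None, "deploy SVM via vCenter"),
    Flow(WIZ, VC, 443, "tcp", None, "deploy SVM via vCenter"),
    Flow(WIZ, ESXI, 443, "tcp", None, "deploy SVM on ESXi via vCenter"),
    Flow(IS, VC, 80, "tcp", None, "Integration Server to ESXi via vCenter"),
    Flow(IS, VC, 443, "tcp", None, "Integration Server to ESXi via vCenter"),
]


def _select(role: str, end: str, flows: List[Flow], secure: bool) -> List[Flow]:
    """Flows with `role` at `end` ("src" or "dst"). With a secure connection
    configured, the plaintext half of each protected/unprotected pair is dropped."""
    return [f for f in flows
            if getattr(f, end) == role and not (secure and f.protected is False)]


def inbound(role: str, flows: List[Flow] = FLOWS,
            secure_connection: bool = False) -> List[Tuple[int, str]]:
    """Sorted (port, proto) pairs a host in `role` must accept."""
    return sorted({(f.port, f.proto)
                   for f in _select(role, "dst", flows, secure_connection)})


def outbound(role: str, flows: List[Flow] = FLOWS,
             secure_connection: bool = False) -> List[Tuple[int, str]]:
    """Sorted (port, proto) pairs a host in `role` must be allowed to reach."""
    return sorted({(f.port, f.proto)
                   for f in _select(role, "src", flows, secure_connection)})


def nft_rules(role: str, source_ranges: Dict[str, str], flows: List[Flow] = FLOWS,
              secure_connection: bool = False) -> List[str]:
    """nftables input rules for a host in `role`, each limited to the address
    range of the peer role that initiates the flow. A peer with no known range
    yields no rule, so nothing is opened to the whole network by accident."""
    rules = []
    for f in _select(role, "dst", flows, secure_connection):
        src = source_ranges.get(f.src)
        if src is not None:
            rules.append(f"add rule inet filter input ip saddr {src} "
                         f'{f.proto} dport {f.port} accept comment "{f.src}: {f.purpose}"')
    return rules


if __name__ == "__main__":
    ranges = {LA: "10.0.10.0/24", KSC: "10.0.1.5/32"}  # constructed lab segment
    print("SVM inbound, plaintext allowed:", inbound(SVM))
    print("SVM inbound, secure connection:", inbound(SVM, secure_connection=True))
    for rule in nft_rules(SVM, ranges, secure_connection=True):
        print(rule)
```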
Accounts for installing and using the solution
General account requirements
To install the Kaspersky Security management MMC plug-ins and the Integration Server, an account that belongs to the local administrator group on the device where installation is being performed must be used.
The following accounts can be used to start the Integration Server Console:
- If you plan to use Kaspersky Security Center Administration Console to manage the Kaspersky Security solution and the device hosting Kaspersky Security Center Administration Console belongs to the Microsoft Windows domain, you can use an account that belongs to the local or domain KLAdmins group or an account that belongs to the local administrator group to start the Integration Server Console. You can also use the Integration Server administrator account created when installing the Integration Server.
- If you plan to use Kaspersky Security Center Web Console to manage the Kaspersky Security solution, or the device on which Kaspersky Security Center Administration Console is installed is not a member of a Microsoft Windows domain or your account is not a member of the local or domain KLAdmins group or the local administrator group, you can only start the Integration Server Console using the Integration Server administrator account that was created when installing the Integration Server.
VMware vSphere platform
The following accounts are required to install and operate the solution on a VMware vSphere infrastructure:
- An administrator account with the following rights is required to deploy, delete, or reconfigure an SVM:
- Datastore.Allocate space
- Datastore.Low level file operations
- Datastore.Remove file
- Global.Cancel task
- Global.Licenses
- Host.Config.Virtual machine autostart configuration
- Host.Inventory.Modify cluster
- Network.Assign network
- Tasks.Create task
- vApp.Import
- Virtual machine.Change configuration.Add new disk (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
- Virtual machine.Configuration.Add new disk (only for VMware vCenter Server 6.5)
- Virtual machine.Change configuration.Add or remove device (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
- Virtual machine.Configuration.Add or remove device (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
- Virtual machine.Change configuration.Change memory (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
- Virtual machine.Configuration.Memory (only for VMware vCenter Server 6.5)
- Virtual machine.Interaction.Power Off
- Virtual machine.Interaction.Power On
- Virtual machine.Provisioning.Customize guest (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
- Virtual machine.Provisioning.Customize (only for VMware vCenter Server 6.5)
- Virtual machine.Inventory.Create new (only for VMware vCenter Server 6.5)
- Virtual machine.Inventory.Remove (only for VMware vCenter Server 6.5)
- To connect the Integration Server to the VMware vCenter Server, it is recommended to use an account that has been assigned the preset system role ReadOnly.
- Connection of the Integration Server to VMware NSX Manager requires a VMware NSX Manager account that has been assigned the Enterprise Administrator role.
Roles should be assigned to accounts at the top level of the hierarchy of VMware inventory objects, that is, at the level of VMware vCenter Server.
Microsoft Hyper-V platform
To deploy, remove, or reconfigure an SVM on a Microsoft Windows Server (Hyper-V) hypervisor, a built-in local administrator account or domain account that belongs to the Hyper-V Administrators group is required. For a domain account, you must also grant permissions for remote connection and use of the following WMI namespaces:
- root\cimv2
- root\MSCluster
- root\virtualization
- root\virtualization\v2 (for Microsoft Windows Server operating systems beginning with Windows Server 2012 R2)
A built-in local administrator account or domain account that belongs to the Hyper-V Administrators group and has the permissions listed above is also used to connect the Integration Server to a Microsoft Windows Server (Hyper-V) hypervisor.
XenServer platform
The following accounts are required for installation and operation of the solution in a XenServer infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
- To connect the Integration Server to the XenServer hypervisor, we recommend using an account with the Read Only role.
KVM platform
The following accounts are required for installation and operation of the solution in a KVM infrastructure:
- Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
- To connect the Integration Server to the KVM hypervisor, it is recommended to use an unprivileged user account with access to the "read only" Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).
Proxmox VE platform
The following accounts are required for installation and operation of the solution in a Proxmox VE infrastructure:
- To deploy, remove, or reconfigure an SVM, the root account is required.
- To connect the Integration Server to the Proxmox VE hypervisor, it is recommended to use an account that has been granted access with the PVEAuditor role to the root directory (/) and all child directories.
Basis (Skala-R) platform
The following accounts are required for installation and operation of the solution in a Basis (Skala-R) infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with the "Main Administrator" role is required.
- To connect the Integration Server to the Basis.vControl (Skala-R Management) virtual infrastructure administration server, we recommend using an account with the "Infrastructure Monitoring" role.
HUAWEI FusionSphere platform
The following accounts are required to install and operate the solution on a HUAWEI FusionSphere infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with the VMManager role is required.
- To connect the Integration Server to a HUAWEI FusionCompute VRM, it is recommended to use an account with the Auditor role.
Nutanix Acropolis platform
The following accounts are required to install and operate the solution on a Nutanix Acropolis infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with Cluster Admin role is required.
- To connect the Integration Server to the Nutanix Prism virtual infrastructure administration server, it is recommended to use an account with the Viewer role. In an infrastructure managed by Nutanix Prism Central, an account with the Viewer role is required on the Nutanix Prism Central server and on the Nutanix Prism Element servers.
OpenStack platform, VK Cloud platform, and TIONIX Cloud Platform
The following accounts are required to install and operate the solution in an infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform:
- An account with the following permissions is required to deploy, delete, or reconfigure an SVM (each entry gives the infrastructure object operation and the OpenStack microservice API request it requires):
  - Keystone:
    - Authentication, and querying the state of the authentication token for the current user: auth/tokens (POST/GET)
    - Getting a list of all OpenStack domains: domains (GET)
    - Getting a list of available OpenStack projects for the current user: auth/projects (GET)
  - Compute (Nova):
    - Getting a list of virtual machines: servers/detail (GET)
    - Getting virtual machine information: servers/{server_id} (GET)
    - Getting a list of virtual machine types (instance types): flavors/detail (GET)
    - Getting information about available OpenStack project resources: limits (GET)
    - Getting a list of server groups: os-server-groups (GET)
    - Getting a list of availability zones: os-availability-zone (GET)
    - Getting a list of the virtual machine's network interfaces: servers/{server_id}/os-interface (GET)
    - Creating a network interface for the virtual machine: servers/{server_id}/os-interface (POST)
    - Creating the virtual machine: servers (POST)
    - Starting/stopping the virtual machine: servers/{server_id}/action (POST)
    - Removing a network interface of the virtual machine: servers/{server_id}/os-interface/{port_id} (DELETE)
    - Removing the virtual machine: servers/{server_id} (DELETE)
  - Cinder:
    - Getting a list of volume types: {project_id}/types (GET)
    - Getting disk information: {project_id}/volumes/{volume_id} (GET)
    - Creating the disk: {project_id}/volumes (POST)
    - Removing the disk that was created by the current user: {project_id}/volumes/{volume_id} (DELETE)
  - Glance:
    - Getting image information: images/{image_id} (GET)
    - Creating the image: images (POST)
    - Uploading the image file: images/{image_id}/file (PUT)
    - Removing the image that was created by the current user: images/{image_id} (DELETE)
  - Neutron:
    - Getting a list of networks: networks (GET)
    - Getting a list of security groups: security-groups (GET)
    - Creating a network port: ports (POST)
    - Deleting a network port: ports/{port_id} (DELETE)
    - Getting the ID of a network port: ports/{port_id} (GET)
- An account with the following permissions is required to connect the Integration Server to the virtual infrastructure (each entry gives the infrastructure object operation and the OpenStack microservice API request it requires):
  - Keystone:
    - Authentication, and querying the state of the authentication token for the current user: auth/tokens (POST/GET)
    - Getting a list of available OpenStack projects for the current user: auth/projects (GET)
  - Compute (Nova):
    - Getting a list of virtual machines: servers/detail (GET)
    - Getting virtual machine information: servers/{server_id} (GET)
    - Getting a list of server groups: os-server-groups (GET)
    - Getting a list of availability zones: os-availability-zone (GET)
    - Getting a list of hypervisors: /os-hypervisors/detail (GET). This permission is required only if you intend to apply a licensing scheme based on the number of processors or processor cores on the hypervisors on which the protected virtual machines operate.
ALT Virtualization Server platform
The following accounts are required to install and operate the solution on an ALT Virtualization Server infrastructure:
- Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
- To connect the Integration Server to a basic hypervisor of the ALT Virtualization Server platform, it is recommended to use an unprivileged user account with access to the "read-only" Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).
Astra Linux Platform
The following accounts are required for installation and operation of the solution on a KVM hypervisor running on the Astra Linux platform:
- Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account. Prior to starting installation of the solution, you need to configure the account that will be used for SVM deployment, removal, and reconfiguration.
- To connect the Integration Server to a KVM hypervisor running on the Astra Linux platform, it is recommended to use an unprivileged user account with access to the read-only Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).
Numa vServer platform
The following accounts are required for installation and operation of the solution in a Numa vServer infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
- To connect the Integration Server to the Numa vServer hypervisor, we recommend using an account with the Read Only role.
Configuring the use of secure cryptographic algorithms, ciphers, and protocols
To ensure the security of network connections between the Integration Server and the virtual infrastructure, it is recommended to use the following cryptographic algorithms, cipher suites, and protocols on devices where the Integration Server and the virtual infrastructure objects to which the Integration Server connects are installed:
- Encryption algorithms: AES 256.
- Hashing algorithms:
- SHA256.
- SHA384.
- SHA512.
- Key exchange algorithms:
- Diffie-Hellman (ServerMinKeyBitLength=2048, ClientMinKeyBitLength=2048).
- ECDH (ServerMinKeyBitLength=2048, ClientMinKeyBitLength=2048).
- Protocols:
- TLS 1.2.
- TLS 1.3.
- Cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521.
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384.
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521.
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384.
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256.
- TLS_AES_128_CCM_8_SHA256.
- TLS_AES_128_CCM_SHA256.
- TLS_AES_128_GCM_SHA256.
- TLS_AES_256_GCM_SHA384.
- TLS_CHACHA20_POLY1305_SHA256.
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256.
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384.
- TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256.
- TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384.
- TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256.
- TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384.
- TLS_DHE_PSK_WITH_AES_128_CCM.
- TLS_DHE_PSK_WITH_AES_128_GCM_SHA256.
- TLS_DHE_PSK_WITH_AES_256_CCM.
- TLS_DHE_PSK_WITH_AES_256_GCM_SHA384.
- TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256.
- TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384.
- TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256.
- TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384.
- TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256.
- TLS_ECDHE_ECDSA_WITH_AES_128_CCM.
- TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8.
- TLS_ECDHE_ECDSA_WITH_AES_256_CCM.
- TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8.
- TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256.
- TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384.
- TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256.
- TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384.
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.
- TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256.
- TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256.
- TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256.
- TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384.
- TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256.
- TLS_DHE_RSA_WITH_AES_128_CCM.
- TLS_DHE_RSA_WITH_AES_128_CCM_8.
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256.
- TLS_DHE_RSA_WITH_AES_256_CCM.
- TLS_DHE_RSA_WITH_AES_256_CCM_8.
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.
- TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256.
- TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384.
- TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256.
- TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384.
- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
- TLS_ECCPWD_WITH_AES_128_CCM_SHA256.
- TLS_ECCPWD_WITH_AES_128_GCM_SHA256.
- TLS_ECCPWD_WITH_AES_256_CCM_SHA384.
- TLS_ECCPWD_WITH_AES_256_GCM_SHA384.
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
- TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256.
- TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384.
- TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256.
- TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384.
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
If you do not have the latest versions of operating systems and hypervisors installed, problems may occur in the Integration Server's interactions with the virtual infrastructure due to incompatible cipher suites. In this case, we recommend contacting Technical Support.
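Every suite in the list above is an AEAD suite (GCM, CCM or ChaCha20-Poly1305) negotiated with an ephemeral key exchange (ECDHE, DHE or ECCPWD; TLS 1.3 suites are always ephemeral), over TLS 1.2 or 1.3. The script below is an added verification aid, not part of this Help and not Kaspersky code: it distills that policy into a check and, using Python's standard ssl module, connects to a host and port you supply (for example a vCenter Server or NSX Manager endpoint) to report whether the negotiated protocol and cipher suite fall inside the recommendation.

```python
import socket
import ssl

# Policy distilled from the recommendation list: TLS 1.2/1.3 only, AEAD
# suites only, and (for TLS 1.2) an ephemeral key exchange.
RECOMMENDED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20")
EPHEMERAL_KEX = ("ECDHE_", "DHE_", "ECCPWD_")


def normalize(cipher_name: str) -> str:
    """Map OpenSSL-style names (ECDHE-RSA-AES256-GCM-SHA384) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) onto one comparable form."""
    name = cipher_name.upper().replace("-", "_")
    name = name.replace("AES256", "AES_256").replace("AES128", "AES_128")
    name = name.replace("_WITH_", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    return name


def is_recommended(protocol: str, cipher_name: str):
    """Return (ok, reason) for a negotiated protocol/cipher pair."""
    if protocol not in RECOMMENDED_PROTOCOLS:
        return False, f"protocol {protocol} is not TLS 1.2/1.3"
    name = normalize(cipher_name)
    if not any(marker in name for marker in AEAD_MARKERS):
        return False, f"{cipher_name} is not an AEAD suite"
    if protocol == "TLSv1.2" and not name.startswith(EPHEMERAL_KEX):
        return False, f"{cipher_name} has no ephemeral key exchange"
    return True, "ok"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the platform's default TLS settings and judge the result.
    Certificate validation uses the system trust store, so a private CA that
    signed the vCenter or NSX Manager certificate must be installed there."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            proto, cipher = tls.version(), tls.cipher()[0]
    ok, reason = is_recommended(proto, cipher)
    return {"host": host, "protocol": proto, "cipher": cipher,
            "ok": ok, "reason": reason}


if __name__ == "__main__":
    import sys  # usage: python check_tls.py <host> [port]
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

The probe reports only the suite the client's own TLS stack happened to negotiate, so run it from the device hosting the Integration Server to see the suite that device will actually use.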
Configuring rules for moving virtual machines to administration groups
To manage the operation of Kaspersky Security solution components via Kaspersky Security Center, you need to place devices with installed Kaspersky Security components (SVMs and protected virtual machines) into administration groups.
An administration group is a set of virtual machines combined according to some criterion for the purpose of controlling the virtual machines in the group as a unified whole.
Before starting installation of the Kaspersky Security solution, you can create administration groups in Kaspersky Security Center for the SVMs and virtual machines with Light Agents, and configure rules to automatically move managed devices to these administration groups.
If rules for moving devices to administration groups are not configured, after installing the solution components, Kaspersky Security Center places devices with installed Kaspersky Security components detected on the network in the Unassigned devices list. In this case, you need to manually move SVMs and virtual machines with Light Agents into administration groups.
You can configure the rules for moving virtual machines to administration groups using the Kaspersky Security Center Administration Console or using Kaspersky Security Center Web Console (for more details, see the Kaspersky Security Center Help).
You can use tags when creating rules for moving SVMs and virtual machines with Light Agents to administration groups. SVMs and protected virtual machines on which Kaspersky Security Center Network Agent is installed automatically relay information about tags to Kaspersky Security Center.