Connecting Light Agents to SVMs
To interact with the Protection Server, the Light Agent establishes and maintains a connection to the SVM on which this Protection Server is installed. You can configure the following settings for connecting the Light Agent to the SVM:
- SVM detection method. You can select the method used by Light Agents to detect SVMs that are available for connection.
- Connection tags. If you use connection tags, Light Agent can only connect to SVMs that are configured to use that connection tag.
- Protecting the connection between the Light Agent and the Protection Server. You can use encryption to protect the connection between Light Agents and Protection Servers.
- SVM selection algorithm for connection. You can specify the algorithm to be used by the Light Agents to select SVMs to connect to.
Page top
[Topic 254886]
Configuring SVM discovery settings
You can configure the settings for detection of SVMs by Light Agents in the Light Agent policy (in the policy of the application running in Light Agent mode). The SVM discovery settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.
You can configure the following settings for discovery of SVMs by Light Agents:
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
In a large-sized virtual infrastructure running the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, if you selected the Use Integration Server option, you can configure the size of the available SVMs list that the Integration Server relays to Light Agents.
To configure the size of the list of available SVMs:
- Open the Integration Server configuration file (appsettings.json) for editing. Depending on the version of the Integration Server, the file is located at one of the following paths:
- /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
- Specify the
OpenStackMaxSvmCountToReturn setting in the HypervisorSpecificSettings:Openstack section:- If you want to limit the size of available SVM list, which the Integration Server transmits to Light Agents, then specify number of SVMs, whose information must be included into this list.
- If you want the Integration Server to transfer full list of available SVMs to Light Agents, specify a value of
0.
- Save the appsettings.json file.
- Restart the Integration Server.
Page top
[Topic 254887]
Configuring the use of connection tags
If you want to control Light Agents' connection to SVMs using connection tags, you need to do the following:
- In the Light Agent settings: enable the use of tags by Light Agent and assign the tag that Light Agent will use to connect.
- In the Protection Server settings: enable the use of tags on the SVM and specify the tags that are allowed to connect to the SVM. Only Light Agents that are assigned the specified tags will connect to the SVM. If a Light Agent is assigned a different tag or no tag is assigned, the Light Agent will not be able to connect to this SVM.
Page top
[Topic 254888]
Configuring the use of connection tags for an SVM
You can use the Web Console or the Administration Console to configure connection tags on SVMs in a Protection Server policy.
Expand all | Collapse all
How to configure the use of tags on SVMs in Kaspersky Security Center Web Console
To configure tags on SVMs:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies and policy profiles.
A list of policies opens.
- Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.
The list displays only the policies configured for the selected administration group.
- Click on the name of the desired policy in the list.
- In the policy properties window that opens, select the Application settings tab and go to the Connection tags section.
- In the right part of the window, configure the following settings:
- Allow connection of Light Agents with specified tags
Allow SVM connections only for Light Agents that are assigned the tags specified in the field below.
If the check box is selected, only Light Agents with the specified tags can connect to the SVM.
If the check box is cleared, only Light Agents that do not have tags assigned to them can connect to the SVM.
The check box is cleared by default.
- Tag list
Only Light Agents that are assigned the tags specified in this field can connect to the SVM.
You can specify one or more tags separated by semicolons.
Only Light Agents which have been assigned the specified tags will connect to SVMs with a Protection Server managed by this policy.
- Click the Apply button.
How to configure the use of tags on SVMs in Kaspersky Security Center Administration Console
To configure tags on SVMs:
- In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
- In the workspace, select the Policies tab.
- Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
- In the policy properties window, select the Connection tags section in the list on the left.
- In the right part of the window, configure the following settings:
- Allow connection of Light Agents with specified tags
Allow SVM connections only for Light Agents that are assigned the tags specified in the field below.
If the check box is selected, only Light Agents with the specified tags can connect to the SVM.
If the check box is cleared, only Light Agents that do not have tags assigned to them can connect to the SVM.
The check box is cleared by default.
- Tag list
Only Light Agents that are assigned the tags specified in this field can connect to the SVM.
You can specify one or more tags separated by semicolons.
Only Light Agents which have been assigned the specified tags will connect to SVMs with a Protection Server managed by this policy.
- Click the Apply button.
[Topic 254929]
Assigning connection tags to Light Agents
You can configure the settings for the use of tags by Light Agents in the Light Agent policy (in the policy of the application running in Light Agent mode). The tag usage settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.
To assign a tag to a Light Agent to connect to an SVM, select the Use connection tag check box and enter the connection tag in the Tag field.
For a tag, you can enter a text string up to 255 characters long. You can use any character except the ; character.
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
Light Agents to which the tag is assigned can connect only to SVMs for which a connection to Light Agents with this tag is allowed.
Page top
[Topic 254928]
Protecting the connection between the Light Agent and the Protection Server
You can configure encryption of the connection between Light Agents and Protection Servers. To do this, you need to enable encryption of the data channel between the Light Agent and the Protection Server in the Protection Server settings on the SVM and in the Light Agent settings.
A Light Agent for which connection protection is enabled can only connect to SVMs for which encryption of the data channel between the Light Agent and the Protection Server is enabled. A Light Agent for which connection protection is disabled can only connect to SVMs for which channel encryption is disabled or an unsecure connection between the Protection Server and the Light Agent is allowed.
Using encryption to protect the connection may slow the performance of the Kaspersky Security solution.
Page top
[Topic 254889]
Configuring connection protection on the Protection Server
You can use the Web Console or the Administration Console to configure connection protection on the Protection Server in a Protection Server policy.
Expand all | Collapse all
How to configure connection protection on the Protection Server in Kaspersky Security Center Web Console
To configure connection protection on the Protection Server:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies and policy profiles.
A list of policies opens.
- Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.
The list displays only the policies configured for the selected administration group.
- Click on the name of the desired policy in the list.
- In the policy properties window that opens, select the Application settings tab and go to the Connection protection section.
- In the right part of the window, configure the following settings:
- Encrypt data channel between Light Agent and the Protection Server
Encrypt the connection between Light Agents and Protection Servers.
If the check box is selected, a secure connection is established between the Light Agent and the policy-controlled Protection Server after the Light Agent connects to the SVM with this Protection Server. A Light Agent can connect to an SVM that has connection protection enabled only if the Light Agent also has connection protection enabled or the SVM allows unsecure connections.
If the check box is cleared, an unsecure connection is established between the Light Agent and the Protection Server after the Light Agent connects to the SVM with this Protection Server.
This check box is cleared by default.
- Allow nonsecure connection if secure connection cannot be established
Allow an unsecure connection between Light Agents and Protection Servers.
If the check box is selected, an unsecure connection may be established between Light Agents and policy-controlled Protection Servers if a secure connection cannot be established.
If the check box is cleared, only a secure connection can be established between Light Agents and policy-controlled Protection Servers. A Light Agent will not be able to connect to the SVM if a secure connection cannot be established to the Protection Server on this SVM.
This check box is cleared by default.
Only Light Agents for which connection protection is configured will connect to SVMs with Protection Servers managed by this policy.
- Click the Save button.
How to configure connection protection on the Protection Server in Kaspersky Security Center Administration Console
To configure connection protection on the Protection Server:
- In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
- In the workspace, select the Policies tab.
- Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
- In the policy properties window, select the Connection protection section in the list on the left.
- In the right part of the window, configure the following settings:
- Encrypt data channel between Light Agent and the Protection Server
Encrypt the connection between Light Agents and Protection Servers.
If the check box is selected, a secure connection is established between the Light Agent and the policy-controlled Protection Server after the Light Agent connects to the SVM with this Protection Server. A Light Agent can connect to an SVM that has connection protection enabled only if the Light Agent also has connection protection enabled or the SVM allows unsecure connections.
If the check box is cleared, an unsecure connection is established between the Light Agent and the Protection Server after the Light Agent connects to the SVM with this Protection Server.
This check box is cleared by default.
- Allow nonsecure connection if secure connection cannot be established
Allow an unsecure connection between Light Agents and Protection Servers.
If the check box is selected, an unsecure connection may be established between Light Agents and policy-controlled Protection Servers if a secure connection cannot be established.
If the check box is cleared, only a secure connection can be established between Light Agents and policy-controlled Protection Servers. A Light Agent will not be able to connect to the SVM if a secure connection cannot be established to the Protection Server on this SVM.
This check box is cleared by default.
Only Light Agents for which connection protection is configured will connect to SVMs with a Protection Server managed by this policy.
- Click the Apply button.
[Topic 254959]
Configuring connection protection on the Light Agent
You can configure the settings for connection protection on the Light Agent in the Light Agent policy (in the policy of the application running in Light Agent mode). Connection protection settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.
By default, protection of the connection between Light Agents and the Protection Server is disabled. To enable connection protection, select the Encrypt data channel between Light Agent and the Protection Server check box.
If the check box is selected, a secure connection is established between the Light Agent, which is managed by policy, and the Protection Server on the SVM that the Light Agent is connecting to. A Light Agent for which connection protection is enabled can only connect to an SVM on which connection protection is enabled or an unprotected connection to the Protection Server is allowed.
If the check box is cleared, an unprotected connection is established between the Light Agent and the Protection Server on the SVM that the Light Agent is connecting to.
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
Page top
[Topic 254958]
Configuring the SVM selection algorithm
You can specify which SVM selection algorithm Light Agents should use, and configure the settings for applying the extended SVM selection algorithm in the Light Agent policy (in the policy of the application running in Light Agent mode). For Light Agent for Windows, you can also select the algorithm in the local interface of Kaspersky Endpoint Security for Windows.
You can choose one of the following options:
- Use the standard SVM selection algorithm
If this option is selected, after installing and running on a virtual machine, the Light Agent selects an SVM to connect to that is local to Light Agent.
SVM locality relative to Light Agent is determined depending on the type of virtual infrastructure:
- In a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer, the SVM that is considered to be local to a Light Agent is the SVM that is deployed on the same hypervisor as the virtual machine with the Light Agent installed.
- In the virtual infrastructure running on OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, SVM locality is determined in accordance with the
StandardAlgorithmSvmLocality parameter in the HypervisorSpecificSettings:Openstack section of the Integration Server configuration file (appsettings.json). Depending on the version of the Integration Server, the file is located at one of the following paths:- /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
If the default value is used, SVM is considered as local for Light Agent if it is located in the same server group, as the virtual machine with the installed Light Agent.
If there are no local SVMs for connection, Light Agent selects a SVM with the lowest number of Light Agent connections regardless of SVM path in the virtual infrastructure.
The application does not determine whether the SVM is local relative to the Light Agent if large infrastructure protection mode is enabled for the Protection Server on the SVM. In this case, it is recommended to use the extended SVM selection algorithm and select the Integration Server as the SVM discovery method.
This option is selected by default.
- Use the extended SVM selection algorithm
If this option is selected, with the SVM path slider you can specify how the SVM location in the virtual infrastructure will affect the ‘local’ status of the SVM in relation to the Light Agent. Light Agent can connect only to local SVMs.
You can also specify that SVM path in the virtual infrastructure must not be taken into the account when selecting SVM for connection.
When selecting SVMs, Light Agents consider the number of Light Agents connected to an SVM to ensure that Light Agents are evenly distributed among SVMs available for connection.
If you selected Use the extended SVM selection algorithm option, and Light Agents use the Integration Server as SVM discovery method, you can specify how SVM path in the virtual infrastructure must be taken into the account when selecting SVM for connection using the SVM path slider.
Allows to specify SVM path type in the virtual infrastructure, which is taken into the account when selecting SVM for connection:
- Hypervisor. Light Agent selects for connection a SVM that matches a particular criterion (depending on type of the virtual infrastructure):
- The SVM is deployed on the same hypervisor as the virtual machine with the Light Agent installed (in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux or Numa vServer).
- The SVM is located in the same server group as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform).
If there are no available SVMs on the same hypervisor or in the same server group, where the virtual machine with Light Agent is located, then Light Agent does not connect to SVM.
- Cluster. Light Agent selects for connection a SVM that matches a particular criterion (depending on type of the virtual infrastructure):
- The SVM is deployed in the same hypervisor cluster as the virtual machine with the Light Agent installed (in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux or Numa vServer).
- The SVM is deployed in the same OpenStack project as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform).
If there are no available SVMs on the same hypervisor cluster or within the same OpenStack project, where the virtual machine with Light Agent is located, then Light Agent does not connect to SVM.
- Data center. Light Agent selects for connection a SVM that matches a particular criterion (depending on type of the virtual infrastructure):
- The SVM is deployed in the same data center as the virtual machine with the Light Agent installed (in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux or Numa vServer).
- The SVM is located in the same availability zone as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform).
If there are no SVMs available for connection in the same data center or Availability Zone where the virtual machine with the Light Agent is located, the Light Agent does not connect to the SVM.
- Ignore. Light Agent selects an SVM regardless of its location.
The default selected value is Hypervisor.
The setting is available if the Use the extended SVM selection algorithm option is selected.
If a Light Agent uses the extended SVM selection algorithm and a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if the Light Agent ignores the SVM path (the Ignore value is set for the SVM path setting).
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
In a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, if you selected Use the standard SVM selection algorithm option, you can specify how to determine SVM locality relative to Light Agent. To do so, perform the following actions:
- Open the Integration Server configuration file (appsettings.json) for editing. Depending on the version of the Integration Server, the file is located at one of the following paths:
- /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
- Specify the
StandardAlgorithmSvmLocality setting in the HypervisorSpecificSettings:Openstack section. This parameter can take the following values:ServerGroup – if this value is selected, SVM is considered local for Light Agent if it is located within the same server group as the virtual machine where Light Agent is installed. This value is used by default.Project – if this value is selected, SVM is considered as local for Light Agent if it is deployed within the same OpenStack project as the virtual machine with the installed Light Agent.AvailabilityZone – if this value is selected, SVM is considered as local for Light Agent if it is located within the same availability zone as the virtual machine with the installed Light Agent.
- Save the appsettings.json file.
- Restart the Integration Server.
Page top
[Topic 254885]
Viewing the list of Light Agents connected to SVMs
Information about Light Agents connected to an SVM is displayed in the properties window of the Protection Server on the SVM.
You can open the properties window of the Protection Server on the SVM using the Web Console as well as the Administration Console.
Expand all | Collapse all
How to open the list of Light Agents connected to an SVM in Kaspersky Security Center Web Console
To open the list of Light Agents connected to an SVM:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Managed devices.
The list of managed devices opens.
- Select the administration group containing the desired SVM. To do so, click the link in the Current path field located above the list of managed devices and select an administration group in the window that opens.
The list will display only managed devices in the selected administration group.
- Find the desired SVM in the list and click on the SVM name.
- In the SVM properties window that opens, select the Applications tab.
- Click on the name Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server in the list.
The properties window for the Protection Server on this SVM will open.
- Select the Application settings tab.
The window displays a table containing the list of Light Agents connected to SVMs.
How to open the list of Light Agents connected to SVMs in Kaspersky Security Center Administration Console
To open the list of Light Agents connected to an SVM:
- In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group that includes the desired SVM.
- In the workspace, select the Devices tab.
- Find the desired SVM in the list and double-click to open the Settings: <SVM name> window.
- In the displayed SVM properties window, in the list on the left, select the Applications section.
- In the right part of the window, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server in the list and open the properties window of the Protection Server on this SVM by double-clicking or using the Properties button at the bottom of the window.
- In the window that opens, in the list on the left, select the Connected Light Agents section.
The right part of the window displays a table containing the list of Light Agents connected to SVMs. The field above the table shows the time of the last request to the SVM.
The list of Light Agents displays the following information:
- VM name – name of the virtual machine on which Light Agent is installed.
- Address – IP address and port that the Light Agent uses to connect to the SVM.
- Operating system – version of the operating system on the virtual machine on which the Light Agent is installed.
- Virtual machine role – role of the virtual machine on which the Light Agent is installed: server or workstation.
- ID – identifier of the virtual machine on which Light Agent is installed.
- Path to VM – path in the virtual infrastructure to the virtual machine on which the Light Agent is installed.
If you want to update the information about Light Agents connected to SVMs, click the Refresh button.
Page top
[Topic 256383]