Preparing the IT infrastructure for installing application components
Before installing the application, prepare your corporate IT infrastructure for the installation of components of Kaspersky Anti Targeted Attack Platform:
- Ensure that the servers, the computer intended for working with the application web interface, and the computers on which the Endpoint Agent component will be installed all satisfy the hardware and software requirements.
- To protect the network from the objects being analyzed, deny access to the local network of the Sandbox server for the management network interface and the network interface used for internet access of processed objects.
- Prepare the corporate IT infrastructure in accordance with the table below:
Ports for interaction between Kaspersky Anti Targeted Attack Platform components
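
| Source | Direction | Port or protocol | Description |
|---|---|---|---|
| Central Node | Inbound | TCP 22 | Connecting to the server over SSH |
| Central Node | Inbound | TCP 443 | Receiving data from workstations with Endpoint Agent |
| Central Node | Inbound | TCP 8443 | Access to the web interface of the application |
| Central Node | Inbound | TCP 9081 | Receiving data from Sensors installed on standalone servers |
| Central Node | Inbound | UDP 53 | Communication with the Sensor server |
| Central Node | Outgoing | TCP 80, TCP 443, TCP 1443 | Communication with the KSN servers and Kaspersky update servers |
| Central Node | Outgoing | TCP 443 | Sending objects to Sandbox for scanning |
| Central Node | Outgoing | TCP 601 | Sending messages to the SIEM system |
| Central Node | Outgoing | UDP 53 | Communication with the Sensor server |
| Sensor | Inbound | TCP 22 | Connecting to the server over SSH |
| Sensor | Inbound | TCP 1344 | Receiving traffic from the proxy server |
| Sensor | Inbound | TCP 25 | Receiving SMTP traffic from the mail server |
| Sensor | Inbound | TCP 443 | When Sensor is used as a proxy server for communication between workstations with Endpoint Agent and Central Node |
| Sensor | Inbound | UDP 53 | Communication with the Central Node server |
| Sensor | Outgoing | TCP 80, TCP 443 | Communication with the KSN servers and Kaspersky update servers |
| Sensor | Outgoing | TCP 995 | Integration with the mail server for secure connections |
| Sensor | Outgoing | TCP 110 | Integration with the mail server for unsecured connections |
| Sensor | Outgoing | UDP 53 | Communication with the Central Node server |
| Sandbox | Inbound (management interface) | TCP 22 | Connecting to the server over SSH |
| Sandbox | Inbound (management interface) | TCP 443 | Interaction with the Central Node |
| Sandbox | Inbound (management interface) | TCP 8443 | Access to the web interface of the application |
| Sandbox | Outbound (management interface) | TCP 80, TCP 443 | Communication with Kaspersky update servers |
| Sandbox | Outbound (interface for internet access of processed objects) | Any | Access to the internet for analyzing the network behavior of processed objects |
| SCN (when using the distributed solution mode) | Outgoing | TCP 8443 | For interaction between SCN and PCN over a secure link based on the IPSec protocol |
| SCN (when using the distributed solution mode) | Inbound and outbound | ESP, AH, IKEv1 and IKEv2 | For interaction between SCN and PCN over a secure link based on the IPSec protocol |
| PCN (when using the distributed solution mode) | Inbound | TCP 8443 | For interaction between SCN and PCN over a secure link based on the IPSec protocol |
| PCN (when using the distributed solution mode) | Inbound and outbound | ESP, AH, IKEv1 and IKEv2 | For interaction between SCN and PCN over a secure link based on the IPSec protocol |
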
If you install an additional network interface that receives only mirrored traffic in a VMware ESXi virtual environment, use the E1000 network adapter or disable the LRO (large receive offload) option on a VMXNET3 network adapter.
If needed, you can designate other ports for the application components to use in the administrator menu of the server with the Central Node component. If you change the ports in the administrator menu, you need to allow connections to these ports in your corporate IT infrastructure.
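
The isolation requirement for the Sandbox interface used for internet access of processed objects ("Any" outbound in the table, but no access to the local network) is easy to break with rule ordering on a first-match firewall. The following is an added example, not part of the product or its documentation: it audits an ordered rule list for that mistake. The rule format, the address 10.30.0.5 and the choice of RFC 1918 prefixes as "local network" are assumptions made for illustration.

```python
import ipaddress as ip

# Assumed local ranges (RFC 1918); replace with the site's own prefixes. IPv4 only.
LOCAL_NETS = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def local_exposure(rules, src_addr, default="deny"):
    """Return (rule_index, network) pairs where src_addr may reach a local range.

    rules: ordered (action, src_cidr, dst_cidr) tuples, first match wins.
    rule_index is None when only the default policy lets the traffic through.
    """
    src = ip.ip_address(src_addr)
    undecided = list(LOCAL_NETS)   # parts of the local ranges no rule has decided yet
    findings = []
    for idx, (action, src_cidr, dst_cidr) in enumerate(rules):
        if src not in ip.ip_network(src_cidr):
            continue
        dst = ip.ip_network(dst_cidr)
        remaining = []
        for net in undecided:
            if not net.overlaps(dst):
                remaining.append(net)
                continue
            # CIDR blocks are either nested or disjoint, so the overlap is the smaller one.
            hit = net if net.subnet_of(dst) else dst
            if action == "allow":
                findings.append((idx, hit))
            if hit != net:
                remaining.extend(net.address_exclude(hit))
        undecided = remaining
    if default == "allow":
        findings.extend((None, net) for net in undecided)
    return findings

# Constructed sample: 10.30.0.5 stands in for the Sandbox interface used for
# internet access of processed objects.
WEAK = [("allow", "10.30.0.5/32", "0.0.0.0/0"),      # shadows every deny below it
        ("deny", "10.30.0.5/32", "10.0.0.0/8"),
        ("deny", "10.30.0.5/32", "172.16.0.0/12"),
        ("deny", "10.30.0.5/32", "192.168.0.0/16")]
FIXED = WEAK[1:] + WEAK[:1]                           # denies first, then internet access

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, [(i, str(n)) for i, n in local_exposure(rules, "10.30.0.5")])
```

Each finding names the rule that lets traffic into a local range, so a narrow exception placed above the deny rules is reported with the exact prefix it opens.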