Recommendations for installing the Network Agent and Kaspersky Security for Virtualization Light Agent 5 on a golden image for Virtual Desktop Infrastructure
Show applications and versions that this article concerns
- Kaspersky Security Center 14.2 (version 14.2.0.26967)
- Kaspersky Security Center 14.0 (version 14.0.0.10902)
- Kaspersky Security for Virtualization 5.2 Light Agent (version 5.2.27.319)
- Kaspersky Security for Virtualization 5.1 Light Agent (version 5.1.44.295)
Prerequisites
- One of the following versions of Kaspersky Security Center:
- Kaspersky Security Center 14.2 (version 14.2.0.26967)
- Kaspersky Security Center 14.0 (version 14.0.0.10902)
- The Kaspersky Security for Virtualization Light Agent components are installed on the Administration Server.
- Secure Virtual Machines are installed on all Hyper-Visors that will run VDI machines and are located in a separate group of managed computers.
- If the VDI infrastructure is used in a Citrix environment, you need to install XenApp and XenDesktop 7.15 or Citrix Virtual Apps and Desktops 7 1903.
Pre-installation settings
- Create a new group of managed devices. All created device objects for Virtual Desktops will move to it.
- Exclude the administration group from all inherited tasks: Find Vulnerabilities and Window Updates task and Fix Vulnerabilities and required Updates task.
Network Agent Policy
- Create a Network Agent policy.
- Go to the Repositories tab. Clear all selected options and lock them:
- Details of Windows Update updates
- Details of software vulnerabilities and corresponding updates
- Hardware registry details
- Details of installed applications
- Go to Software updates and vulnerabilities.
- Select Disabled for the Windows Update search mode setting and lock it.
- Clear the Scan executable files for vulnerabilities when running them check box and lock the setting.
Secure Virtual Machine Policy
- Create a Secure Virtual Machine policy in the group of managed computers where SVMs are located.
- Open Update settings and clear the Update Application Modules check box. Close the lock.
- Go to Settings for connecting SVMs to the Integration Server and specify the IP address (or FQND) of the machine with the Integration Server (the IP address of the Administration Server). Close the lock.
- Verify that the policy is applied on the Secure Virtual Machines.
Windows Light Agent Policy
- Create the policy for the Light Agent for Windows.
- Open the policy properties and go to Anti-Virus protection → General Protection Settings.
- In the Exclusions and trusted applications section, click Settings.
- If the VDI infrastructure is used in a Citrix environment, enable exclusions and trusted applications for Citrix Virtual Apps and Desktops (Citrix XenApp and XenDesktop), Citrix Provisioning (Citrix Provisioning Services), Citrix Profile Manager.
If they're not in the list, create a new policy and add them at the Exclusions step. - If the VDI infrastructure is used in a VMware environment, enable exclusions and trusted applications for VMware Tools and VMware Horizon View. If they're not in the list, create a new policy and add them at the Exclusions step.
- If roaming user profiles are used, specify the path of the network folder where the profiles are located to avoid scanning on both a network and local level.
- Go to the SVM discovery settings section. Make sure that Use Integration Server is selected and that the lock is closed.
- Go to Integration Server connection settings.
- Specify the IP address (or FQDN) of the machine where Integration Server is installed (the IP address of the Administration Server). Close the lock.
Installation of the Network Agent and Kaspersky Security for Virtualization Light Agent 5 on a golden image
- Launch local installation of Kaspersky Network Agent on the golden image.
- At the Advanced settings step, clear the Automatically install applicable updates and patches for components that have the Undefined status check box.
- Select the Enable dynamic mode for VDI. and Optimize the Kaspersky Security Center Network Agent settings for the virtual infrastructure check boxes.
- Wait until the installation of the Network Agent finishes. Open the Services snap-in (services.msc) and launch the Network Agent service manually.
- Launch the local installation of Kaspersky Security for Virtualization Light Agent on the golden image:
- If you are using Citrix XenDesktop, select the Ensure compatibility with Citrix Provisioning (Citrix Provisioning Services) and Installation on the template for temporary VDI pools check boxes.
- If you are using VMware Horizon View, select the checkbox Installation on the template for temporary VDI pools.
We do not recommend selecting the Installation on the template for temporary VDI pools check box if the template will be used for creating a VDI infrastructure of one of the following types:
- The static dedicated catalog with local drives in Citrix Virtual Apps and Desktops (Citrix XenApp and XenDesktop)
- VMware Horizon View automated pool of the full clone type
If the Installation on the template for temporary VDI pools check box is selected, updates that require a protected virtual machine to restart will not be installed on the virtual machines deployed using this template. At the same time, Kaspersky Security Center will send messages that database and application modules updates are required on the template.
What to do after the installation
- Verify that the Windows Light Agent policy has been applied.
If the policy does not apply to a gold image device, check the location of the device in the administration groups and configure to automatically move devices to managed groups. - Open the Support window locally in the interface of the Light Agent for Windows. Verify that the Light Agent is connected to the SVM.
- Restart the golden image device.
- Sign in to the system once it has restarted.
- Shut down the golden Image.
You can now deploy VDI machines from this golden image.