Kaspersky Security Center

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

14 April 2024

ID 160043

You can add an Administration Server as a secondary Administration Server, thus establishing a "primary/secondary" hierarchy. Adding a secondary Administration Server is possible regardless of whether the Administration Server that you intend to use as secondary is available for connection through Administration Console.

When combining two Administration Servers into a hierarchy, make sure that port 13291 is accessible on both Administration Servers. Port 13291 is required to receive connections from Administration Console to the Administration Server.

Connecting an Administration Server as secondary in reference to the primary Administration Server

You can add an Administration Server as secondary by connecting it to the primary Administration Server via port 13000. You will need a device that has Administration Console installed from which TCP ports 13291 can be accessed on both Administration Servers: supposed primary Administration Server and supposed secondary Administration Server.

To add as secondary an Administration Server that is available for connection through Administration Console:

  1. Make sure that port 13000 of the supposed primary Administration Server is available for receipt of connections from secondary Administration Servers.
  2. Use Administration Console to connect to the supposed primary Administration Server.
  3. Select the administration group to which you intend to add the secondary Administration Server.
  4. In the workspace of the Administration Servers node of the selected group, click the Add secondary Administration Server link.

    The Add secondary Administration Server wizard starts.

  5. At the first step of the wizard (entering the address of the Administration Server being added to the group), enter the network name of the supposed secondary Administration Server.
  6. Follow the instructions of the wizard.

The "primary/secondary" hierarchy is built. The primary Administration Server will receive connection from the secondary Administration Server.

If you do not have a device that has Administration Console installed from which TCP ports 13291 can be accessed on both Administration Servers (if, for example, the supposed secondary Administration Server is located at a remote office and the system administrator of that office cannot open internet access to port 13291 for security reasons), you will still be able to add a secondary Administration Server.

To add as secondary an Administration Server that is not available for connection through Administration Console:

  1. Make sure that port 13000 of the supposed primary Administration Server is available for connection from secondary Administration Servers.
  2. Write the certificate file of the supposed primary Administration Server to an external device, such as a flash drive, or send it to the system administrator of the remote office where the Administration Server is located.

    The certificate file of the Administration Server is on the same Administration Server, at %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert\klserver.cer.

  3. Write the certificate file of the supposed secondary Administration Server to an external device, such as a flash drive. If the supposed secondary Administration Server is located at a remote office, contact the system administrator of that office to prompt him or her to send you the certificate.

    The certificate file of the Administration Server is on the same Administration Server, at %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert\klserver.cer.

  4. Use Administration Console to connect to the supposed primary Administration Server.
  5. Select the administration group to which you intend to add the secondary Administration Server.
  6. In the workspace of the Administration Servers node, click the Add secondary Administration Server link.

    The Add secondary Administration Server wizard starts.

  7. At the first step of the wizard (entering the address), leave the Secondary Administration Server address (optional) field blank.
  8. In the Secondary Administration Server certificate file window, click the Browse button and select the certificate file of the secondary Administration Server that you saved.
  9. When the wizard is complete, use a different instance of Administration Console to connect to the supposed secondary Administration Server. If this Administration Server is located at a remote office, contact the system administrator of that office to prompt him or her to connect to the supposed secondary Administration Server and perform further due steps.
  10. In the context menu of the Administration Server node, select Properties.
  11. In the Administration Server properties, proceed to the Advanced section and then to the Hierarchy of Administration Servers subsection.
  12. Select the This Administration Server is secondary in the hierarchy check box.

    The entry fields become available for data input and editing.

  13. In the Primary Administration Server address field, enter the network name of the supposed primary Administration Server.
  14. Select the previously saved file with the certificate of the supposed primary Administration Server by clicking the Browse button.
  15. Click OK.

The "primary/secondary" hierarchy is built. You can connect to the secondary Administration Server through Administration Console. The primary Administration Server will receive connection from the secondary Administration Server.

Connecting the primary Administration Server to a secondary Administration Server

You can add a new Administration Server as secondary so that the primary Administration Server connects to the secondary Administration Server via port 13000. This is advisable if, for example, you place a secondary Administration Server in DMZ.

You will need a device that has Administration Console installed from which TCP ports 13291 can be accessed on both Administration Servers: supposed primary Administration Server and supposed secondary Administration Server.

To add a new Administration Server as secondary and connect the primary Administration Server via port 13000:

  1. Make sure that port 13000 of the supposed secondary Administration Server is available for receipt of connections from the primary Administration Server.
  2. Use Administration Console to connect to the supposed primary Administration Server.
  3. Select the administration group to which you intend to add the secondary Administration Server.
  4. In the workspace of the Administration Servers node of the relevant administration group, click the Add secondary Administration Server link.

    The Add secondary Administration Server wizard starts.

  5. At the first step of the wizard (entering the address of the Administration Server to be added to the group), enter the network name of the supposed secondary Administration Server and select the Connect primary Administration Server to secondary Administration Server in DMZ check box.
  6. If you connect to the supposed secondary Administration Server by using a proxy server, at the first step of the wizard select the Use proxy server check box and specify the connection settings.
  7. Follow the instructions of the wizard.

The hierarchy of Administration Servers is created. The secondary Administration Server will receive connection from the primary Administration Server.

See also:

Hierarchy of Administration Servers with a secondary Administration Server in DMZ

Hierarchy of Administration Servers: primary Administration Server and secondary Administration Server

Ports used by Kaspersky Security Center

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.