Assigning distribution points manually
Kaspersky Security Center allows you to manually assign devices to act as distribution points.
We recommend that you assign distribution points automatically. In this case, Kaspersky Security Center will select on its own which devices must be assigned distribution points. However, if you have to opt out of assigning distribution points automatically for any reason (for example, if you want to use exclusively assigned servers), you can assign distribution points manually after you calculate their number and configuration.
Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.
To manually assign a device to act as distribution point:
- In the main menu, click the settings icon () next to the name of the required Administration Server.
The Administration Server properties window opens.
- On the General tab, select the Distribution points section.
- Select the Manually assign distribution points option.
- Click the Assign button.
- Select the device that you want to make a distribution point.
When selecting a device, keep in mind the operation features of distribution points and the requirements set for the device that acts as distribution point.
- Select the administration group that you want to include in the scope of the selected distribution point.
- Click the OK button.
The distribution point that you have added will be displayed in the list of distribution points, in the Distribution points section.
- Click the newly added distribution point in the list to open its properties window.
- Configure the distribution point in the properties window:
- The General section contains the setting of interaction between the distribution point and client devices:
- In the Scope section, specify the scope to which the distribution point will distribute updates (administration groups and/or network location).
Only devices running a Windows operating system can determine their network location. Network location cannot be determined for devices running other operating systems.
- If the distribution point works on a machine other than Administration Server, in the Source of updates section, you can select a source of updates for the distribution point:
- In the Internet connection settings subsection, you can specify the internet access settings:
- In the KSN Proxy section, you can configure the application to use the distribution point to forward KSN requests from the managed devices:
- If the distribution point works on a machine other than Administration Server, in the Connection gateway section, you can configure the distribution point to act as a gateway for connection between Network Agent instances and Administration Server:
- Connection gateway
- Establish connection to gateway from Administration Server (if gateway is in DMZ)
- Open local port for Kaspersky Security Center Web Console
When connecting mobile devices to Administration Server via the distribution point that acts as a connection gateway, you can enable the following options:
- Open port for mobile devices (SSL authentication of the Administration Server only)
- Open port for mobile devices (two-way SSL authentication)
In both cases, the certificates are checked during the TLS session establishment on distribution point only. The certificates are not forwarded to be checked by the Administration Server. After a TLS session with the mobile device is established, the distribution point uses the Administration Server certificate to create a tunnel for synchronization between the mobile device and Administration Server. If you open the port for two-way SSL authentication, the only way to distribute the mobile device certificate is via an installation package.
- Configure the polling of Windows domains, Active Directory, and IP ranges by the distribution point:
- In the Advanced section, specify the folder that the distribution point must use to store distributed data:
- Click the OK button.
The selected devices act as distribution points.