Kaspersky Security Center

Remotely connecting to the desktop of a client device

15 July 2024

ID 195218

The administrator can obtain remote access to the desktop of a client device through a Network Agent installed on the device. Remote connection to a device through the Network Agent is possible even if the TCP and UDP ports of the client device are closed.

Upon establishing the connection with the device, the administrator gains full access to information stored on this device and can manage applications installed on it.

Remote connection must be allowed in the operating system settings of the target managed device. For example, in Windows 10, this option is called Allow Remote Assistance connections to this computer (you can find this option at Control Panel → System and Security → System → Remote settings). If you have a license for the Vulnerability and patch management feature, you can enable this option forcibly when you establish connection to a managed device. If you do not have the license, enable this option locally on the target managed device. If this option is disabled, remote connection is not possible.

To establish remote connection to a device, you must have two utilities:

  • Kaspersky utility named klsctunnel. This utility must be stored on the administrator's workstation. You use this utility for tunneling the connection between a client device and the Administration Server.

    Kaspersky Security Center allows tunneling TCP connections from Administration Console via the Administration Server and then via Network Agent to a specified port on a managed device. Tunneling is designed for connecting a client application on a device with Administration Console installed to a TCP port on a managed device—if no direct connection is possible between Administration Console and the target device.

    Connection tunneling between a remote client device and Administration Server is required if the port used for connection to Administration Server is not available on the device. The port on the device may be unavailable in the following cases:

    • The remote device is connected to a local network that uses the NAT mechanism.
    • The remote device is part of the local network of Administration Server, but its port is closed by a firewall.
  • Standard Microsoft Windows component named Remote Desktop Connection. Connection to a remote desktop is established through the standard Windows utility mstsc.exe in accordance with the utility's settings.

    Connection to the current remote desktop session of the user is established without the user's knowledge. Once the administrator connects to the session, the device user is disconnected from the session without an advance notification.
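
A defender-side check for the behaviour described above, as an added example that is not part of the Kaspersky documentation: a PowerShell script, run elevated on the managed device, that reports whether the operating system currently allows remote connections and lists recent Remote Desktop session logons, disconnects and reconnections. The 7-day review window is an assumption; the registry values and event IDs are standard Windows ones, not Kaspersky-specific.

```powershell
# Added example (not Kaspersky code): review remote-access state and recent
# Remote Desktop session activity on a managed Windows device. Run elevated.
$days = 7   # assumed review window

# OS settings that permit remote connections (standard Windows registry values).
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
[pscustomobject]@{
    RemoteAssistanceAllowed = ($ra.fAllowToGetHelp -eq 1)      # 1 = allowed
    RemoteDesktopAllowed    = ($ts.fDenyTSConnections -eq 0)   # 0 = allowed
} | Format-List | Out-Host

# Session events recorded by the Local Session Manager:
# 21 = session logon, 24 = session disconnected, 25 = session reconnection.
$meaning = @{ 21 = 'logon'; 24 = 'disconnected'; 25 = 'reconnected' }
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 24, 25
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue

$sessions = foreach ($e in $events) {
    # User, SessionID and Address are carried in UserData/EventXML.
    $x = ([xml]$e.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = $meaning[[int]$e.Id]
        User      = $x.User
        SessionId = $x.SessionID
        Source    = $x.Address
        # Console sessions report the source address as LOCAL.
        Remote    = ($x.Address -ne 'LOCAL')
    }
}

# Chronological view: a "disconnected" row for the device user followed by a
# remote "logon" or "reconnected" row on the same session marks a takeover to review.
$sessions | Sort-Object Time | Format-Table -AutoSize | Out-Host
```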

To connect to the desktop of a client device:

  1. In MMC-based Administration Console, in the context menu of the Administration Server, select Properties.
  2. In the Administration Server properties window that opens, go to Administration Server connection settings → Connection ports.
  3. Make sure that the Open RDP port for Kaspersky Security Center Web Console option is enabled.
  4. In Kaspersky Security Center Web Console, go to Devices → Managed devices.
  5. In the Current path field above the list of managed devices, click the path link.
  6. In the left-side pane that opens, select the administration group that contains the device to which you want to obtain access.
  7. Select the check box next to the name of the device to which you want to obtain access.
  8. Click the Connect to Remote Desktop button.

    The Remote Desktop (Windows only) window opens.

  9. Enable the Allow remote desktop connection on managed device option. In this case, the connection will be established even if remote connections are currently prohibited in the operating system settings on the managed device.

    This option is only available if you have a license for the Vulnerability and patch management feature.

  10. Click the Download button to download the klsctunnel utility.
  11. Click the Copy to clipboard button to copy the text from the text field. This text is a Binary Large Object (BLOB) that contains settings required to establish connection between the Administration Server and the managed device.

    A BLOB is valid for 3 minutes. If it has expired, reopen the Remote Desktop (Windows only) window to generate a new BLOB.

  12. Run the klsctunnel utility.

    The utility window opens.

  13. Paste the copied text into the text field.
  14. If you use a proxy server, select the Use proxy server check box, and then specify the proxy server connection settings.
  15. Click the Open port button.

    The Remote Desktop Connection login window opens.

  16. Specify the credentials of the account under which you are currently logged in to Kaspersky Security Center Web Console.
  17. Click the Connect button.

When connection to the device is established, the desktop is available in the Remote Desktop Connection window of Microsoft Windows.
