Managing Updates: Kaspersky Security Center. Scaling

The document outlines strategies for managing updates in Kaspersky Security Center, focusing on update management, distribution points, and common configurations. It addresses issues related to resource consumption and network load during updates, proposing solutions such as adjusting update intervals, randomizing task starts, and utilizing additional update sources. Various tools and methods are discussed to optimize update delivery and minimize disruptions in network performance.

KL 302.11

Managing updates
Kaspersky Security Center. Scaling

Technical training

www.kaspersky.com

Table of contents

Chapter 1. Update management strategies ................................................................... 2
1.1 Problems and solutions ........................................................................................................................................... 2
1.2 Update and traffic management tools ..................................................................................................................... 5
Update schedule ..................................................................................................................................................... 5
Randomized task start ............................................................................................................................................ 6
Downloading updates in advance .......................................................................................................................... 8
Diff files ................................................................................................................................................................ 11
Traffic limitation rules ......................................................................................................................................... 12
Additional update sources .................................................................................................................................... 13
Chapter 2. Distribution points ...................................................................................... 17
2.1 What a distribution point does .............................................................................................................................. 17
Functions of a distribution point .......................................................................................................................... 17
Multicast .............................................................................................................................................................. 19
2.2 How to assign a distribution point ........................................................................................................................ 23
Automatic assignment .......................................................................................................................................... 23
Manual assignment .............................................................................................................................................. 27
2.3 How to describe subnets for distribution points .................................................................................................... 30
2.4 Distribution point settings ..................................................................................................................................... 37
Settings of an individual distribution point .......................................................................................................... 37
Managing settings through a policy ..................................................................................................................... 45
Monitoring distribution points ............................................................................................................................. 46
Chapter 3. Common configurations ............................................................................. 48
3.1 Large centralized network with one Administration Server ................................................................................. 48
Distribution points for the Managed devices group ............................................................................................. 48
Distribution points for one network location ....................................................................................................... 49
Distribution points for multiple network locations .............................................................................................. 50
Automatic assignment of distribution points ........................................................................................................ 50
3.2 Large distributed network with one Administration Server .................................................................................. 51

Chapter 1. Update management strategies

1.1 Problems and solutions

When a large number of endpoints download updates over the network, this may cause various types of problems:

— High consumption of resources (processor, memory, disk) by the Administration Server

Under certain update settings, the Administration Server computes the list of updates for a client, and this is
a resource-intensive operation.

If a server has insufficient processing resources or memory, it may respond to network requests with
delays. As a result, administrators will not be able to use the console, and client computers will not be able
to establish connections to relay events or download updates.

— High load on the network

Even if the server itself has sufficient resources, simultaneous attempts to download updates to a large
number of endpoints create high traffic and may lead to saturation or oversaturation of the network
infrastructure. This may become a problem in a local network, but it is especially critical for distributed
networks that have limited bandwidth between sites.

Due to an oversaturated network, not all client computers will be able to successfully download updates. In
addition, other network applications that are possibly critical for the organization may experience
disruptions.

Kaspersky Security Center has tools that let you reduce the network load or the consumption of resources by the
server, or both.

— Increase the interval between updates.

For example, download updates every 3 or 6 hours instead of every hour.

This reduces the average network load and the average consumption of resources by the Administration
Server. However, this does not reduce load during peak demand.

The interval between updates must be increased if the time between the downloads is insufficient for
distributing the downloaded updates to all computers.


— Randomize start of the update task.

Instead of starting the update task on all endpoints at the same time, make the task start on an endpoint at a
random time within the defined period after updates are downloaded.

This helps to even out the peak network loads but does not reduce the average network load. If you do not
change the interval and other update settings, the amount of data that needs to be transmitted over the
network will not change.

The chosen randomization interval must not exceed the interval between updates.

— Disable downloading of updates in advance (offline model).

This reduces the consumption of resources by the Administration Server because the offline model is what
requires the server to determine the set of updates for each endpoint. In other cases, the list of updates to
download is determined by the protection application on the client computer.

Later in this Module, we will discuss in more detail how updates are downloaded in advance.

— Additional sources of updates


This reduces the load on individual segments of the network, and reduces consumption of resources by the
Administration Server.

You can create additional sources using protection applications, a special Kaspersky update download
utility, or KSC Agents (distribution points).
— Download difference files (diff files).

Records of new threats are not always distributed as new files. They are much more often integrated into
the existing files with databases. To update databases, you can download updated files in their entirety, or
download just the difference between the existing and the new version of the file (so-called difference files,
or diff files). Diff files are significantly smaller than full files, and their downloads generate less traffic.

Support for downloading diff files first appeared in Kaspersky Security Center version 11.

— Use rules to limit traffic [1].

This reduces the peak network load but not the average network load.

Rules limit the data transfer rate between the Administration Server and endpoints of a specific subnet.
They are applied to the cumulative data traffic in both directions between the Administration Server and the
subnet, not to the traffic between the Server and each individual endpoint.

— Multicast (through distribution points)

It reduces the peak and average network load.

A multicast sends one packet to many computers at the same time. Without using multicast, each endpoint
downloads updates independently and the cumulative volume of data is proportional to the number of
endpoints. A multicast lets you send all files once, and thereby substantially reduces traffic.

Let’s return to the method of downloading updates in advance, because it is enabled by default and for a good
reason. In contrast to all other methods, downloading updates in advance guarantees delivery of updates to
endpoints.

Without it, the protection application installed on the endpoint generates a list of files to download and attempts to
download them from the specified source. If network issues occur during the download, the task returns an error.

If updates are downloaded in advance, it is the Administration Server that generates a list of files to download.
Additionally, it controls the start of the update task. The Server patiently waits while the Network Agent downloads
all files on the endpoint, and only then starts the task.

[1] This is explained in detail in the ‘Managing multiple administration servers’ Module of this course.

1.2 Update and traffic management tools

We now have a list of tools that we can use to regulate the network load and the consumption of resources by the
Server:

— Update schedule
  — Interval for starting the ‘Download updates to the repository’ task
  — Interval for starting the protection application update task on endpoints
— Task start randomization interval
— Downloading of updates in advance (offline model)
— Downloading of diff files
— Traffic limitation rules for subnets
— Additional update sources created using:
  — Protection applications (KES or KSWS)
  — Updater utility
  — Slave Administration Servers
  — Distribution points (Network Agents)

Let’s study when, where, and how best to configure them.


Update schedule

If you notice that some computers are not able to receive updates during the period between starts of the update task,
increase this interval.

Updates involve two types of tasks:


— Download updates to the Administration Server repository task, which updates the Administration
Server repository (only one instance of this task exists)

— Protection application update tasks, which differ for different protection applications (such as KES and
KSWS), may also differ for different versions of the same application (KES 10 and KES 11) and may have
multiple instances even for the same version (in different groups).
It is difficult to make sure that all protection application update tasks have a coordinated schedule. For this reason,
all protection application update tasks are usually scheduled to start When new updates are downloaded to the
repository [2]. When using this schedule, protection applications wait for the command to start the task from Network
Agents, which receive the command from the Administration Server when there are new updates to download.
To increase the interval between updates under these settings, all you have to do is edit the schedule of the
Download updates to repository task.

Some organizations configure periodic start for protection application update tasks instead of the When new
updates are downloaded to repository schedule. Normally, the start of update tasks for endpoints is configured
with the same period, but a half-hour or hour later than the Download updates to repository task. This approach
may have the following advantages:


— More predictable start of updates on endpoints

— You can update different categories of devices differently. For example, you can update protection
applications on more important or more vulnerable devices more frequently.

However, this approach also has some shortcomings:

— You need to manually coordinate schedules of all update tasks.


— Some update optimization mechanisms, such as downloading updates in advance, work only with the
When new updates are downloaded to the repository schedule.

Randomized task start

If all computers attempt to download updates from the Administration Server at the same time, they will create a
bottleneck and many of them will not receive the updates. The burst in network load may create problems for other
network applications. This issue may occur when using a periodic schedule as well as when using the When new
updates are downloaded to the repository schedule.

[2] The name of this schedule may slightly differ in different protection tools.
The solution is not to start all updates at the same time. In Kaspersky Security Center, you can achieve this by
randomizing the task start. For example, if you specify a random delay period of 1 hour and the task starts at 12:00,
each computer will randomly choose when to start the task sometime between 12:00 and 1:00.
The randomization delay interval may be chosen by:

— The Administration Server (automatically)


This is the default behavior [3]. The Administration Server chooses the randomization period depending on
the number of computers to which the task applies:

Number of computers      Randomization interval, minutes
0 – 200                  0 (no randomization)
200 – 500                5
500 – 1,000              10
1,000 – 2,000            15
2,000 – 5,000            20
5,000 – 10,000           30
10,000 – 20,000          60 (1 hour)
20,000 – 50,000          120 (2 hours)
50,000 – 100,000         240 (4 hours)

[3] If the administrator indicated any network size other than Fewer than 100 networked devices in the Kaspersky Security
Center Setup Wizard.
— Administrator (manually)

To do so, clear the Use automatically randomized delay for task starts check box and select the Use
randomized delay for task starts within an interval of (min) check box in the task schedule settings.
A good practice is to choose an interval that is approximately twice as large as the one that the
Administration Server selects automatically. For example, for a task that is applied to 5,000–10,000 target
devices, select 60 minutes instead of 30 minutes.

The randomization period must be less than the task start interval; otherwise, the computers will not have
time to download updates before the next task starts, which will cause errors.
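As an added example (not from the course and not a KSC API), the following Python script encodes the automatic randomization table above together with the two rules of this section: a manual interval of about twice the automatic one, and a randomization interval that always stays shorter than the task start interval. Function names, the handling of counts that fall exactly on a table boundary, and the warning texts are this example's own assumptions.

```python
"""Randomized task start planning for Kaspersky Security Center.

Added example, not part of the training material and not a KSC API. It
encodes the automatic randomization table from the course and the two rules
stated next to it: a manual interval of about twice the automatic one, and
a randomization interval that is always shorter than the task start interval.
Function names and the warning texts are this example's own assumptions.
"""

from typing import Optional

# (upper bound of device count, automatic randomization interval in minutes),
# copied from the course table. A count sitting exactly on a row boundary
# (e.g. 200) is put in the lower row here; the table does not say.
AUTO_RANDOMIZATION_TABLE = [
    (200, 0),        # 0 - 200: no randomization
    (500, 5),
    (1_000, 10),
    (2_000, 15),
    (5_000, 20),
    (10_000, 30),
    (20_000, 60),    # 1 hour
    (50_000, 120),   # 2 hours
    (100_000, 240),  # 4 hours
]


def automatic_randomization_minutes(device_count: int) -> int:
    """Interval the Administration Server picks for a task with this many targets."""
    if device_count < 0:
        raise ValueError("device count cannot be negative")
    for upper_bound, minutes in AUTO_RANDOMIZATION_TABLE:
        if device_count <= upper_bound:
            return minutes
    # The course table stops at 100,000 devices; beyond it we keep the largest
    # listed interval (an assumption of this example).
    return AUTO_RANDOMIZATION_TABLE[-1][1]


def recommended_manual_randomization_minutes(device_count: int) -> int:
    """Course rule of thumb: roughly twice the automatically chosen interval."""
    return 2 * automatic_randomization_minutes(device_count)


def check_randomization(device_count: int, task_interval_minutes: int,
                        randomization_minutes: Optional[int] = None) -> dict:
    """Validate a randomization choice against the update task start interval.

    randomization_minutes=None means 'Use automatically randomized delay'.
    Returns the effective interval and a list of warnings; an empty list means
    the schedule is consistent with the rules on this page.
    """
    automatic = automatic_randomization_minutes(device_count)
    effective = automatic if randomization_minutes is None else randomization_minutes
    warnings = []
    if effective >= task_interval_minutes:
        warnings.append(
            f"randomization interval ({effective} min) must be less than the task "
            f"start interval ({task_interval_minutes} min): devices would still be "
            "downloading when the next run starts"
        )
    if randomization_minutes is not None and 0 < randomization_minutes < automatic:
        warnings.append(
            f"manual interval ({randomization_minutes} min) is shorter than the "
            f"automatic one ({automatic} min) for {device_count} devices; the load "
            "peak will be higher than with the default"
        )
    return {"randomization_minutes": effective, "warnings": warnings}


if __name__ == "__main__":
    # Constructed scenario: 7,500 target devices, update task every hour.
    # Automatic: 30 min; recommended manual: 60 min, which collides with an
    # hourly task interval, so the interval must grow (e.g. to 3 hours).
    for rnd, interval in ((None, 60), (60, 60), (60, 180)):
        print(rnd, interval, check_randomization(7_500, interval, rnd))
```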

Downloading updates in advance

Downloading updates in advance guarantees delivery of updates to endpoints but increases consumption of
resources by the Administration Server. Let’s study how this works in detail.

Downloading updates in advance is efficient if the following two conditions are fulfilled:

— Schedule: When new updates are downloaded to the repository

With a different schedule, advance downloading of updates cannot be used.

— Source: Kaspersky Security Center

When using other sources, downloading updates in advance does not bring any benefits and creates
unnecessary traffic.

Let’s first examine how a non-advance update works with the When new updates are downloaded to the
repository schedule and Kaspersky Security Center as its source:

1. First the Server downloads updates to its repository.

2. Then the Server sends Network Agents a signal that the updates have been downloaded.

The Server does not initiate the connections with Agents; instead, it sends a wake signal over the UDP
protocol to port 15000, which the Network Agents monitor. When they receive the wake signal, the Agents
perform an unscheduled synchronization and find out that new updates have been downloaded to the
repository. If an Agent does not receive the wake signal for some reason, it finds out about the downloaded
updates during a scheduled synchronization.

3. The Agent starts all tasks that have the When new updates are downloaded to the repository schedule,
including the update task for the protection application.

From the perspective of the protection application that runs the task, the task is started manually in response
to a command from the Administration Server.

4. The protection application requests the list of update files (index).


When Kaspersky Security Center is selected as the source, the protection application addresses all requests
to the Network Agent.

5. The Agent downloads the index from the Administration Server and relays it to the protection application.

6. The protection application analyzes the index and figures out which files have changed, then draws up a list
of files that need to be downloaded.

7. The protection application asks the Network Agent for the files on the list, one by one.

8. The Network Agent downloads the files from the Administration Server and relays them to the protection
application.

If the files take a long time to transmit because of the load on the Server or network, the update task may
return a timeout error. You cannot change the timeout threshold.

Now that we know how a regular update works and why it does not guarantee delivery of updates, let’s examine
what changes if we download updates in advance:

— At step 2 after the signal informing that updates have been downloaded to the server repository, the Agent
does not send the command to start the update task to the protection application. Instead, it postpones the
task start and waits for the server to send it update files.

Meanwhile, the Server begins to calculate which files will be required for each endpoint. It uses
information about the version of databases on the endpoint that was received during the last
synchronization. To generate lists of updates for all endpoints, the Server uses a lot of processing capacity
and memory resources.

When it has the lists of files, the Server relays them to the Agents (during an unscheduled or scheduled
synchronization) and the Agents begin to download the files according to the list. The Agents do not stop
attempting to download the files until they receive all files from the list. The Agent puts the downloaded
files into a special local cache.

— Only after the Agent receives all the necessary files does it proceed to step 3, and instructs the protection
application to start the update task.

— Then everything proceeds as normal, with one important difference. At step 5 and step 8, when the Agent is
supposed to download a file from the Server and relay it to the protection application, the Agent does not
actually query the Server but instead sends the file from its own local cache.

Files in the Agent’s cache are considered to be up to date if they were received during the past 25 hours. If
they were received earlier, the Agent deletes them and queries the KSC Server for the update files.

When downloading updates in advance, the Agent does not see which update source is selected in the protection
application update task. If a custom source or Kaspersky update servers were selected, at step 4 and step 7 the
protection application would not query the Agent for files, but instead would download them directly from the
configured source. Consequently, the Server would have wasted its resources and traffic on sending the files to the
Network Agent’s cache in advance.

That is why advance downloading of updates is applied only to computers that have an update task with the When
new updates are downloaded to the repository schedule. If the update task is configured with a different schedule,
updates are not downloaded in advance for these computers.
Advance downloading of updates does not use the randomized start configured for the task. If the server has fewer
than 1,000 managed devices, KSC Agents do not use a random delay when downloading updates in advance. If
there are more than 1,000 managed devices, KSC Agents apply a random delay within the synchronization interval
configured for the computer when downloading updates in advance.
Downloading of updates in advance is enabled by default. If you see that the Administration Server does not have
sufficient processor and memory resources, or if the protection application update tasks do not use Kaspersky
Security Center as their source, disable advance download of updates:

1. Open the Network Agent policy.

2. Go to the Manage patches and updates section.

3. Clear the Download updates and anti-virus databases from Administration Server in advance
(recommended) check box and close the lock above the area containing this setting.

You can keep downloading of updates in advance enabled in some groups and disable it in other groups, for example
where a group has a different source configured or where its computers do not experience update issues.

Diff files

Difference files [4] substantially reduce the volume of data that needs to be downloaded for updating databases. If a
protection application is updated regularly every hour, updates using diff files consume approximately [5] 20 times less
traffic than full updates. When updates are less frequent, the benefit is lower but still substantial. If updates occur
every 6-8 hours, diff files reduce traffic approximately tenfold. If updates occur once every 24 hours, diff files
consume 5-7 times less traffic.

When a protection application updates from Kaspersky servers, it usually downloads diff files. It is more
complicated to set up a local source of updates with diff files.

Different files are updated at different frequencies in the databases. An update source will store diff files not only for
the last change in a file, but also for a certain number of previous changes. Otherwise, only clients that update as
frequently as possible would benefit from diff files.

Kaspersky Security Center 11 was the first version to support downloads of diff files to the repository and their
distribution to protection applications. Older versions of Kaspersky Security Center can distribute only full files
containing databases. This is still significantly smaller than an entire database because not all files are modified
during each update.

Downloading of diff files to the repository is disabled by default. To enable it:

1. Open the properties of the Download updates to the Administration Server repository task.

2. Go to the Settings section.


3. Click the Configure link in the Content of updates section.

[4] Records regarding new threats are normally integrated into existing database files. To update databases, a product may
download modified files in their entirety or download only the difference between the old and new versions of a file. This is
precisely what diff files are. This mechanism is also sometimes referred to as incremental updates.
[5] Depends on what exactly has changed in the databases, which depends on unpredictable activity of threat creators.

4. Select the Download diff files check box.

Advance downloading of updates does not support distribution of diff files. If advance downloading of updates is
enabled, Network Agents will download full update files from the Server and you will not see any reduction in
overall traffic.

To reduce traffic, either disable advance downloading of updates in the Network Agent policy or configure an
explicit periodic schedule in the update task of the protection application.

Traffic limitation rules

If the problem is in peak loads rather than overall traffic, you can smooth out these peaks by using traffic
limitation rules.

Traffic limitation rules limit the cumulative traffic between the Administration Server and all Network Agents in the
selected subnet or range of IP addresses. The data transfer rate is computed and controlled by the Administration
Server. The cumulative traffic in both directions is taken into account.

The limit does not apply to traffic that is generated by other Kaspersky products installed on the computer. For
instance, the limit does not apply to KSN traffic, even if this traffic is sent between protection applications in the
specified subnet and the KSN Proxy service on the Administration Server.

The limit applies only to file transfer traffic and does not apply to traffic related to synchronization of settings or
relaying events and network lists [6].

To configure traffic limitation rules:

1. Open the properties of the Administration Server node.

2. Go to the Traffic section.

3. Click the Add button to add a rule.

4. In the IP range to limit traffic area, specify the subnet or range of IP addresses to which the rule will
apply.

[6] Network lists are used to transmit data regarding the endpoints’ hardware, installed applications, detected vulnerabilities,
executable files, quarantined files, active threats, and other information.

5. In the Traffic limit area, specify the limit on the cumulative data transfer rate and the time during which
this limit will be applied.
6. (Optional) You can select the Limit traffic for the remaining time check box and configure a different
limit for all other times.

If you set a low limit, such as for a remote subnet connected by a slow channel, assess how much time you will need
to update computers of this subnet while taking into account the speed limitation. Make sure that this amount of time
is less than the update task start interval.
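As an added example (not from the course and not a KSC API), the following Python script estimates how long an update pass for a remote subnet takes under a rule with a limited time window and an optional limit for the remaining time, and checks the result against the update task start interval as advised above. The units (KB, KB/s, minutes of day), the TrafficRule layout and the function names are this example's own assumptions.

```python
"""Planning a traffic limitation rule for a remote subnet.

Added example; it is not part of the course and does not use any KSC API.
It models what the course describes: a rule caps the cumulative transfer
rate between the Administration Server and the whole subnet during a time
window, with an optional different cap for the remaining time, and without
a local update source the data volume grows with the number of endpoints.
Units (KB, KB/s, minutes of day) and the TrafficRule layout are this
example's assumptions.
"""

from dataclasses import dataclass
from typing import Optional, Tuple

MINUTES_PER_DAY = 1440


@dataclass
class TrafficRule:
    window_start_min: int            # minute of day when the limited period starts
    window_end_min: int              # minute of day when it ends (exclusive)
    window_limit_kbps: float         # cap inside the window, KB/s
    rest_limit_kbps: Optional[float] = None  # 'Limit traffic for the remaining time'; None = no cap


def rate_cap_at(rule: TrafficRule, minute: int) -> Optional[float]:
    """Cap in effect at an absolute minute counter (None means uncapped).

    The window may wrap past midnight (e.g. 22:00 to 06:00).
    """
    m = minute % MINUTES_PER_DAY
    s, e = rule.window_start_min, rule.window_end_min
    inside = (s <= m < e) if s <= e else (m >= s or m < e)
    return rule.window_limit_kbps if inside else rule.rest_limit_kbps


def subnet_update_volume_kb(device_count: int, per_device_kb: float) -> float:
    """Each endpoint downloads its own copy when there is no local source."""
    return device_count * per_device_kb


def minutes_to_transfer(rule: TrafficRule, total_kb: float,
                        start_min: int, link_kbps: float) -> int:
    """Minutes needed to move total_kb starting at start_min.

    Walks the clock in one-minute steps so that a transfer that crosses the
    window boundary is charged at the correct cap on each side of it.
    link_kbps is the real throughput of the link; the effective rate is the
    lower of the link and the cap.
    """
    remaining = total_kb
    minutes = 0
    while remaining > 0:
        cap = rate_cap_at(rule, start_min + minutes)
        kbps = link_kbps if cap is None else min(cap, link_kbps)
        remaining -= kbps * 60
        minutes += 1
        if minutes > 7 * MINUTES_PER_DAY:
            raise RuntimeError("transfer does not finish within a week; the cap is too low")
    return minutes


def fits_in_task_interval(rule: TrafficRule, device_count: int, per_device_kb: float,
                          start_min: int, link_kbps: float,
                          task_interval_min: int) -> Tuple[int, bool]:
    """Return (minutes needed, True if that is less than the task start interval)."""
    total = subnet_update_volume_kb(device_count, per_device_kb)
    needed = minutes_to_transfer(rule, total, start_min, link_kbps)
    return needed, needed < task_interval_min


if __name__ == "__main__":
    # Constructed scenario: 50 endpoints, about 6 MB of update files each, a
    # 1,000 KB/s link, capped to 100 KB/s from 08:00 to 18:00 and 500 KB/s otherwise.
    rule = TrafficRule(8 * 60, 18 * 60, 100.0, 500.0)
    for start in (10 * 60, 17 * 60 + 50):
        needed, ok = fits_in_task_interval(rule, 50, 6000, start, 1000.0, 60)
        print(f"start {start // 60:02d}:{start % 60:02d}: {needed} min, fits hourly interval: {ok}")
```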

Additional update sources

Additional update sources can substantially reduce traffic in a distributed network. If an organization has a remote
subnet whose computers are updated from the Administration Server at HQ, the volume of downloaded data will be
proportional to the number of computers. If you set up a local update source in this subnet, you will only need to
download updates from the Administration Server (or from the internet) one time.

You can set up a local update source by using various tools:
— Protection applications
— Special utility
— Slave Administration Server
— Network Agent in the distribution point role

A large portion of this Module will be devoted to distribution points. First, let’s study how to set up an update
source in other ways.

A local source using tools of Kaspersky Endpoint Security for Windows


Kaspersky Endpoint Security can copy a full set of updates into a separate folder. Other instances of Kaspersky
Endpoint Security will be able to update from this folder.

To copy updates into a folder using Kaspersky Endpoint Security for Windows, configure a regular Update task as
follows:
1. Open the Options section.
2. Enable the Copy updates to folder setting in the Application update settings area.

3. Enter the name of the folder [7] where updates should be copied.

To update protection applications on other computers from this folder, make this folder accessible over the network
in one of the following ways:
— As a shared Windows folder (SMB/CIFS protocol)
— Via HTTP/FTP server

If you configure update copying in a group update task of Kaspersky Endpoint Security, all target computers of the
task will start copying updates to the folder, which means they will perform slow I/O operations and occupy disk
space. If you create a separate update task for computers that you want to host update sources, this task may conflict
with the main update task because two update tasks cannot run at the same time.

Kaspersky Endpoint Security is usually not the best option for creating an update source.

A local source using tools of Kaspersky Security for Windows Servers

Kaspersky Security for Windows Servers can also copy updates to a folder, and has a number of advantages:

— Servers are better update sources than workstations.
— Updates are copied by a separate task, which does not conflict with the update task.

To copy updates by using Kaspersky Security for Windows Servers:

1. Create a new Copying updates task for Kaspersky Security for Windows Server.

2. Assign the task to the computers that should be sources of updates.

3. In the task properties, specify the folder where you want to copy updates in the Copying updates settings
section.

4. Select which updates to copy:

— Database updates
— Module updates
— Module updates and database updates

[7] If the selected folder does not exist on the computer where the task is running, KES will create it.

Along with its advantages, a source based on Kaspersky Security for Windows Servers also has an important
shortcoming. It can provide updates for Kaspersky Security for Windows Servers (and related products such as
Kaspersky Embedded Systems Security), but cannot provide all updates that Kaspersky Endpoint Security for
Windows needs.

Update sources based on specific protection applications are not universal.

The Updater utility

A better alternative to copying updates by a protection application is a special Updater utility available on the Technical Support website at https://support.kaspersky.com/updater3

It can download updates for any Kaspersky product, and you can configure it to start up together with the operating system and run periodically. The utility has versions for Windows, Linux, and FreeBSD.

In addition to downloading updates, the utility also downloads an up-to-date list of Kaspersky products. If you have installed the utility but cannot see the latest versions of products, run an update and open the list of products again.

Unlike protection applications, the updater utility can also download diff files 8.

The main shortcoming of the updater utility is that it cannot be managed through Kaspersky Security Center.

A source based on a slave Administration Server

In Module 1, we explained how to merge multiple Administration Servers into a single system (hierarchy), and how to configure slave Servers to receive updates from the master Server. If a company has a comparatively small (fewer than 1,000 endpoints) regional office with a slave Administration Server, it would absolutely make sense to use the slave Server as an update source for office computers. However, if a regional office does not have a KSC Server, deploying Kaspersky Security Center with a database only to distribute updates would probably not be the best idea.

Kaspersky Security Center has another standard method for creating additional sources: Assign a Network Agent as a so-called distribution point9. The rest of this Module is devoted to distribution points.

8 Protection tools download diff files for updating themselves, but do not copy them to a folder.

9 In Kaspersky Security Center 10, distribution points are called Update Agents.

Chapter 2. Distribution points

2.1 What a distribution point does

Functions of a distribution point

A distribution point is a special role of a Kaspersky Security Center Network Agent, which is another way to set up
an additional source of updates. By using distribution points, you can reduce the number of connections with the
Administration Server and more evenly distribute the network traffic.

Any computer that has the Network Agent can become a distribution point.

Unlike the update sources that we have already studied, a distribution point can do more than just distribute updates.

Distribution points can do the following:

— Distribute updates.
— Distribute installation packages for installation tasks.
— Perform remote installation on behalf of the Administration Server.
— Distribute policies and tasks.
— Poll the network.
— Serve as a proxy server for queries sent to Kaspersky Security Network (KSN Proxy).
— Serve as a connection gateway10.

10 Connection gateways are described in detail in the ‘Managing computers located outside the corporate network’ Module of this course.

Multicast

Distribution points have a unique capability. They can distribute files by a form of group communication known as
multicast.

Multicast11 is part of the IP standard and lets you address one packet to a group of recipients. In contrast to broadcast packets, which are addressed to all endpoints in a subnet, multicast packets are addressed to a multicast group.

To receive multicast packets, network endpoints subscribe to a specific multicast group. A group is defined by an IP address and a port. The destination address of multicast packets does not belong to the subnet where the multicast is conducted. The multicast standard defines a special range of IP addresses for multicast packets. The address and port comprise the address of the multicast group to which computers can subscribe.

Different ranges of multicast addresses are reserved for different purposes and have a different scope, from link-local to global. Distribution points of Kaspersky Security Center use addresses from the range 239.0.0.0/8, which is intended for limited multicasting. These packets do not go beyond the confines of the organization whose boundaries are defined by the network hardware settings.

At the transport layer, multicasts normally use the UDP protocol, and Kaspersky Security Center is no exception.

In tangible terms, multicasting substantially reduces traffic between a distribution point and a router. This is because
it only has to send a piece of data once to transmit it to N computers, instead of having to send it N times based on
the number of computers.

If multicasting is enabled:

— The Administration Server selects a multicast address from the range 239.0.0.0/24 for distribution points.
— Network Agents within the scope of a distribution point subscribe to multicasts at the selected address and port 15001.
— When a distribution point downloads new files to the repository, it begins multicasting these files to the selected address and port 15001 over the UDP protocol.
— The Network Agents save the multicasted files to the local cache (the same local cache that is used when downloading updates in advance).
— Later, when the Agent on the client computer needs to download a file from the Administration Server, it checks whether the file is available in the local cache.

The Agents that received files by multicast utilize the cache instead of requesting these files over the network.

The Agents that did not receive the files for some reason (for example, the computer was off or the network was overloaded) will request them from the distribution point over the network.

11 https://en.wikipedia.org/wiki/Multicast


Not everything that a distribution point sends to client computers is saved in its repository, and not all data types are multicasted:

— Updates in the form of complete files

They are saved in the repository and multicasted. They are stored in the repository only while the Network Agent serves as a distribution point.

— Updates in the form of diff files

They are stored in the repository and are available upon request, but are not multicasted. They are stored in the repository of the distribution point while they are present in the Administration Server repository (or on Kaspersky update servers depending on where the distribution point gets its updates).

— Installation packages

Like full update files, they are stored in the repository and are multicasted. They are stored as long as the respective installation task exists on the Administration Server.

— Policies and tasks

They are multicasted, but are not stored in the repository. If a client computer did not receive a policy or task by multicast, it will download it directly from the Administration Server during a scheduled synchronization.

— Remote installation commands

These are unique for each target computer, which is why multicast is not applicable to them.

— KSN cache

KSN requests do not use Network Agent transport. The KSN Proxy service on a distribution point has a separate cache that is stored in the memory and is cleared when the service restarts.

Let’s study the simplest scenario of interaction between a client computer and a distribution point through the example of an update task with the Kaspersky Security Center source. We will start with how the update downloader of protection applications downloads files from the Kaspersky Security Center source without distribution points:

1. The protection application starts the update task.
2. The update downloader requests files from the Kaspersky Security Center source through the KSC Network Agent.
3. The Network Agent requests files from the Administration Server to which it is connected over TCP port 13000.

If the Network Agent is included in the scope of a distribution point, the third step changes:

3. The Network Agent requests files from the distribution point over TCP port 13000.
4. The distribution point checks if the file is in its local repository.
4.1. If it has the file, the distribution point sends the file immediately.
4.2. If it doesn’t have the file, the distribution point requests the file from the Administration Server over port 13000, saves it in the local repository, and at the same time seamlessly sends the file to the requesting Agent.

The situation from step 4.2 is an exception. In most cases, the distribution point provides Agents with files from its own local repository. To ensure this, the Administration Server notifies distribution points when new files appear in its update repository, and distribution points download these files to their local repositories.

Let’s now examine the full update cycle when a client task uses the Kaspersky Security Center source and the When new updates are downloaded to the repository schedule:

1. The Administration Server starts the Download updates to the Administration Server repository task.
2. The task downloads updates to the server repository.
3. The Server notifies distribution points that new update files are available.
4. Distribution points download updates from the Administration Server to their local repositories.
5. The Administration Server completes the Download updates to the Administration Server repository task.
6. The Administration Server notifies Network Agents on the client computers that updates are available in the server repository.
7. The Network Agent on the client computer starts the update task of the protection application.
8. The update downloader of the protection application requests files from the Kaspersky Security Center source through the Network Agent.
9. The Network Agent requests files from the distribution point.
10. The distribution point sends files from its local repository.

If a file is not available in the repository of the distribution point for some reason, the distribution point downloads the file from the Administration Server, saves it in the local repository, and sends it to the requesting Agent.

If downloading of updates in advance is enabled, Agents do not start the client task in step 7 but instead download
update files based on the list provided by the Administration Server. In any case, the Agents request files from the
distribution point.
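The request path described in the steps above, modelled as a small simulation. This is an added example, not code from the course or from Kaspersky: the Administration Server, the distribution point and the Network Agents are plain Python objects, the file names are constructed, and "multicast" is represented by one pass that fills the cache of every online Agent in scope. The counters show how many file requests reach the Administration Server and the distribution point when most Agents receive files by multicast, and what happens in the step 4.2 case where the distribution point does not yet have a file.

```python
"""Simulation of how update files reach Network Agents through a distribution
point (added example, not Kaspersky code; file names are constructed)."""
from dataclasses import dataclass, field


@dataclass
class AdminServer:
    repository: dict              # file name -> content
    requests_served: int = 0      # files that were pulled from the Server over the network

    def fetch(self, name):
        self.requests_served += 1
        return self.repository[name]


@dataclass
class NetworkAgent:
    name: str
    online: bool = True           # an offline Agent misses the multicast
    cache: dict = field(default_factory=dict)
    dp_requests: int = 0          # files it had to request from the distribution point


@dataclass
class DistributionPoint:
    server: AdminServer
    agents: list                  # Agents within this distribution point's scope
    multicast_enabled: bool = True
    repository: dict = field(default_factory=dict)

    def on_new_files(self, names):
        """Steps 3-4: the Server notifies the distribution point, which downloads
        the files into its local repository and then multicasts them."""
        for name in names:
            self.repository[name] = self.server.fetch(name)
        if self.multicast_enabled:
            self.multicast(names)

    def multicast(self, names):
        """One transmission reaches every online Agent in scope (modelled as a
        single pass over the Agents, not a real UDP multicast)."""
        for agent in self.agents:
            if agent.online:
                for name in names:
                    agent.cache[name] = self.repository[name]

    def serve(self, agent, name):
        """Step 4: serve from the local repository or, in the 4.2 case, pull the
        file from the Administration Server, keep a copy and pass it on."""
        agent.dp_requests += 1
        if name not in self.repository:
            self.repository[name] = self.server.fetch(name)
        return self.repository[name]


def agent_get_file(agent, dp, name):
    """Client side: use the local cache filled by multicast, otherwise ask the
    distribution point over the network."""
    if name in agent.cache:
        return agent.cache[name]
    content = dp.serve(agent, name)
    agent.cache[name] = content
    return content


def run_update_cycle(n_agents, offline_during_multicast, multicast=True):
    """One cycle: two files are announced and multicast; a third appears on the
    Server later and is first requested through the distribution point (4.2)."""
    server = AdminServer({"bases.kdb": b"B", "klava.kdc": b"K", "late.kdc": b"L"})
    agents = [NetworkAgent("pc%d" % i, online=i not in offline_during_multicast)
              for i in range(n_agents)]
    dp = DistributionPoint(server, agents, multicast_enabled=multicast)
    dp.on_new_files(["bases.kdb", "klava.kdc"])
    for agent in agents:          # step 7: every client task runs, all Agents are up
        agent.online = True
    cache_hits = 0
    for agent in agents:
        for name in server.repository:
            if name in agent.cache:
                cache_hits += 1
            agent_get_file(agent, dp, name)
    return {
        "server_requests": server.requests_served,
        "dp_requests": sum(a.dp_requests for a in agents),
        "cache_hits": cache_hits,
    }


if __name__ == "__main__":
    # Ten Agents, one of them off during the multicast
    print(run_update_cycle(10, {3}))
    # Same scope with multicast disabled: every file is a network request
    print(run_update_cycle(10, set(), multicast=False))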

2.2 How to assign a distribution point

Automatic assignment

Automatic assignment of distribution points is enabled in Kaspersky Security Center by default. The Administration Server automatically selects the scopes for distribution points, and assigns one or multiple distribution points to each scope depending on how many client computers it includes.

The Administration Server first considers how many managed computers it has in total. If there are fewer than 300, the Administration Server does not assign distribution points automatically. If there were more than 300 but later they decreased to fewer than 300, the server does not stop automatic assignment. Automatic assignment stops only if the total number of managed computers becomes fewer than 200. Then all (remaining) automatically assigned distribution points become ordinary managed computers.

If automatic assignment is active (not just enabled but the number of endpoints is also above the threshold), the KSC Server selects which scopes to assign to distribution points, and then selects one or multiple distribution points for each scope depending on the number of managed computers in the scope.

Kaspersky Security Center can assign distribution points to three types of scopes:

— Administration groups
— Broadcast domains
— Network locations

Administration groups and network locations are structures defined in the Kaspersky Security Center Console. A broadcast domain is a logical division of a computer network in which all endpoints can exchange data by broadcasting at the data link layer of the OSI network model12.

Kaspersky Security Center can automatically assign distribution points either to groups or to broadcast domains. An administrator can manually assign a distribution point to a group or network location.

12 https://en.wikipedia.org/wiki/Broadcast_domain

The Administration Server attempts to define broadcast domains for all endpoints of the network. This is an automatic process that is performed in the background and takes multiple hours depending on the network’s specifics. Until the KSC Server defines a broadcast domain for 70% of endpoints in the network, it assigns distribution points to groups. As soon as the percentage of endpoints whose broadcast domain is known exceeds 70%, the KSC Server begins to assign distribution points to broadcast domains. The type of scope changes only once and is irreversible.

Regardless of the currently used scope type, the Administration Server looks at the number of endpoints in each scope (in a group without taking its subgroups into account, or in a broadcast domain), and assigns distribution points depending on the number of endpoints in the scope:

— If there are fewer than 10 endpoints in a scope, a distribution point is not assigned.
— If there are more than 10 but fewer than 20 endpoints, one distribution point is assigned.
— If there are more than 20 but fewer than 300 endpoints, two distribution points are assigned.
— If there are more than 300 but fewer than 600 endpoints, 3 distribution points are assigned.
— For larger numbers, if there are more than 300×N endpoints but fewer than 300×(N+1), then N+2 distribution points are assigned.

If there are already distribution points in a scope but the number of endpoints has decreased, the KSC Server reduces the number of distribution points in the scope. However, it uses other threshold values:

— The last distribution point disappears only after fewer than 6 endpoints remain in the scope.
— One distribution point remains when the number of endpoints in a scope drops below 15.
— Two distribution points remain when the number of endpoints in a scope drops below 200.
— Three distribution points remain when the number of endpoints in a scope drops below 400.
— For larger numbers, N-1 distribution points remain when the number of endpoints in a scope drops below 200×(N-2).

This mechanism in which a second distribution point is added after reaching 20 endpoints in a scope but is removed
when the number of endpoints drops below 15 is designed to protect against overfrequent reassignment of
distribution points.

The KSC Server reviews scopes and could potentially assign or unassign a distribution point every hour.

All the behavior described above is regulated by special server flags that you can change through the Windows registry or klscflag.exe utility:

Setting = Value: Meaning

— KLAUTOUA_HOSTSNUM_THRESHOLD_MAX = 300: Automatic assignment is enabled if there are more than 300 endpoints.

— KLAUTOUA_HOSTSNUM_THRESHOLD_MIN = 200: Automatic assignment is disabled if there are fewer than 200 endpoints.

— KLAUTOUA_ASSIGN_SCOPE = 0: 2 – assign distribution points to administration groups. 1 – assign distribution points to broadcast domains (BCD). 0 – first assign distribution points to groups until automatic identification of broadcast domains completes, then assign distribution points to BCDs.

— KLAUTOUA_ASSIGN_TO_BCDOMAINS_PERCENT = 70: Switch to assigning distribution points to broadcast domains if the domain has been identified for more than 70% of endpoints.

— KLAUTOUA_HOSTSNUM_FIRST_MAX = 10: The first distribution point is assigned if there are more than 10 endpoints in the scope.

— KLAUTOUA_HOSTSNUM_SECOND_MAX = 20: The second distribution point is assigned if there are more than 20 endpoints in the scope.

— KLAUTOUA_HOSTSNUM_NEXT_MAX = 300: The third distribution point is assigned if there are more than 300 endpoints in the scope. The fourth distribution point is assigned if there are more than 600 (2×300) endpoints in the scope. The fifth distribution point is assigned if there are more than 900 (3×300) endpoints in the scope.

— KLAUTOUA_HOSTSNUM_NEXT_MIN = 200: Two distribution points remain in the scope if there are fewer than 200 endpoints. Three distribution points remain in the scope if there are fewer than 400 (2×200) endpoints. Four distribution points remain in the scope if there are fewer than 600 (3×200) endpoints.

— KLAUTOUA_HOSTSNUM_SECOND_MIN = 15: The last-but-one distribution point is revoked if there are fewer than 15 endpoints in the scope.

— KLAUTOUA_HOSTSNUM_FIRST_MIN = 6: The last distribution point is revoked if there are fewer than 6 endpoints in the scope.

— KLAUTOUA_ASSIGN_UAS_PERIOD_SEC = 3600: The Administration Server revises the status of automatically assigned distribution points every hour (3600 seconds).

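The assignment and revocation thresholds described above, carried out in code so that the hysteresis between the *_MAX and *_MIN values can be checked against concrete scope sizes. This is an added example, not code from the course or from Kaspersky: the flag names and values are those listed for the server flags, while revise_scope, points_for_growth, min_endpoints_to_keep and simulate are hypothetical helper names, and the rule that distribution points are shed one at a time until the count is back within its *_MIN floor is this example's reading of the text.

```python
"""Distribution-point auto-assignment thresholds with hysteresis (added example,
not Kaspersky code). Flag names and values are the ones from the server flags
table; the helper names are hypothetical."""

KLAUTOUA_HOSTSNUM_THRESHOLD_MAX = 300   # auto-assignment turns on above this many managed hosts
KLAUTOUA_HOSTSNUM_THRESHOLD_MIN = 200   # and turns off again only below this many
KLAUTOUA_HOSTSNUM_FIRST_MAX = 10        # 1st distribution point above this many endpoints in scope
KLAUTOUA_HOSTSNUM_SECOND_MAX = 20       # 2nd above this many
KLAUTOUA_HOSTSNUM_NEXT_MAX = 300        # 3rd above 300, 4th above 600, ...
KLAUTOUA_HOSTSNUM_FIRST_MIN = 6         # the last point is revoked below this many
KLAUTOUA_HOSTSNUM_SECOND_MIN = 15       # the last-but-one is revoked below this many
KLAUTOUA_HOSTSNUM_NEXT_MIN = 200        # 3rd revoked below 200, 4th below 400, ...


def auto_assignment_active(total_managed, currently_active):
    """Global switch: on above THRESHOLD_MAX, off below THRESHOLD_MIN, unchanged in between."""
    if total_managed > KLAUTOUA_HOSTSNUM_THRESHOLD_MAX:
        return True
    if total_managed < KLAUTOUA_HOSTSNUM_THRESHOLD_MIN:
        return False
    return currently_active


def points_for_growth(endpoints):
    """Distribution points a scope earns as it grows (the *_MAX thresholds)."""
    if endpoints <= KLAUTOUA_HOSTSNUM_FIRST_MAX:
        return 0
    if endpoints <= KLAUTOUA_HOSTSNUM_SECOND_MAX:
        return 1
    if endpoints <= KLAUTOUA_HOSTSNUM_NEXT_MAX:
        return 2
    # 300×N < endpoints < 300×(N+1)  ->  N+2 distribution points
    n = (endpoints - 1) // KLAUTOUA_HOSTSNUM_NEXT_MAX
    return n + 2


def min_endpoints_to_keep(count):
    """Smallest scope size at which `count` distribution points are still kept (*_MIN thresholds)."""
    if count <= 0:
        return 0
    if count == 1:
        return KLAUTOUA_HOSTSNUM_FIRST_MIN
    if count == 2:
        return KLAUTOUA_HOSTSNUM_SECOND_MIN
    return KLAUTOUA_HOSTSNUM_NEXT_MIN * (count - 2)   # 3 -> 200, 4 -> 400, ...


def revise_scope(endpoints, current):
    """One hourly review of a scope: grow to the *_MAX target, otherwise shed
    distribution points one at a time only while the count is below its *_MIN floor."""
    target = points_for_growth(endpoints)
    if target > current:
        return target
    kept = current
    while kept > 0 and endpoints < min_endpoints_to_keep(kept):
        kept -= 1
    return kept


def simulate(endpoint_history, start=0):
    """Apply revise_scope to a sequence of hourly endpoint counts; returns the count after each review."""
    counts, current = [], start
    for endpoints in endpoint_history:
        current = revise_scope(endpoints, current)
        counts.append(current)
    return counts


if __name__ == "__main__":
    # A scope that grows past 20 (two points), then shrinks to 18 (still two), 14 (one) and 5 (none)
    print(simulate([5, 12, 25, 18, 14, 5]))
```

The simulated history shows the protection against flapping that the text describes: the second distribution point appears only once the scope exceeds 20 endpoints, survives a drop to 18 and is revoked only below 15; the last one is kept down to 6 endpoints.
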
When selecting distribution points, the KSC Server gives priority to computers with best specifications, considering:

— Processor
— Memory
— Free disk space
— Uptime
— Time of the last connection to the Administration Server

Laptops/notebooks (computers that have a battery device) are not assigned as distribution points.

If distribution points are assigned automatically, a distribution point is always selected from within the scope.

Although this restriction does not apply to manual assignment, it is still preferable to adhere to this practice.

A distribution point can be a computer running Windows, Linux, or Mac OS.


An automatically assigned distribution point becomes an ordinary Network Agent in the following cases:

— The number of endpoints in the scope of a distribution point has dropped below the next threshold, and the scope should now have one less distribution point.
— The computer serving as the distribution point has left the boundaries of the scope (group or broadcast domain). This may be related to the physical movement of the computer as well as to changes in the network topology (network hardware settings).
— The computer serving as a distribution point has not connected to the Administration Server for more than 24 hours.

Autoassignment of distribution points has a significant shortcoming. Kaspersky Security Center does not have a way to limit the list of computers from which distribution points are selected. All managed computers are potential distribution points.

For example, a selected distribution point can be a server that is critically important for the business processes of a
company and therefore does not need any extra load. A selected distribution point can also be a computer of a senior
manager whose complaints about a slow computer or internet connection might cause some huge personnel issues.

However, you can indirectly manage the selection of distribution points through the group structure. If you separate undesired computers into small-sized groups, they will not be assigned as distribution points to their own or other groups.

To do this, use a registry key to specify that the KSC Server must assign distribution points to groups instead of broadcast domains. However, this makes sense only if the group structure generally reflects the network topology. If groups reflect the functional structure of the company, computers of a group may reside not only in different subnets, but also in different countries. A distribution point assigned to such a group will be absolutely ineffective and even counterproductive.

In addition, when distribution points are assigned automatically, the administrator cannot change their settings.
Some settings can be defined through a Network Agent policy. However, you cannot change the update download
source or disable multicast, for example.

For these reasons, administrators often choose against automatic selection of distribution points and assign them
manually instead.

Manual assignment

When manually selecting distribution points, adhere to roughly the same guidelines that were described as criteria for automatic distribution:

— A distribution point must be near the computers that it serves (in the network topology).
— It is not recommended to assign laptops as a distribution point because they travel.
— The computer must be running constantly, or as often as possible.
— A server is better than a workstation.


There are no restrictions regarding operating systems. A distribution point can be a Network Agent for Windows, Linux or Mac OS. A distribution point on one operating system can serve computers with different operating systems, as there are no such restrictions.

One distribution point can serve up to 10,000 devices13. However, to cope with this load, a distribution point must be very productive:

— Intel Core i7-7700 processor (4 cores 3.6 GHz) or equivalent
— 8 GB of RAM
— High-performance disk (SSD or RAID)
— Network speed of 1 Gbps

There are no special memory or processing requirements for serving up to approximately 500 devices. This can be done by any computer that meets the Network Agent installation requirements.

The computer must have sufficient free disk space. The exact amount of necessary space depends on how the distribution point will be used. It is preferable to have twice as much free space as the total volume of information that will be stored by the distribution point. The stored data consists of the following (depending on the scenario):

— Updates (approximately 1 GB)
— Installation packages (200 MB for KES, 50 MB for the KSC Network Agent)
— Updates for Windows and third-party software (depends on the selected updates, but may take up gigabytes)

13 Only a Network Agent of Kaspersky Security Center 11 or later can serve 10,000 devices. For earlier versions of Network Agent, the limit is 500 devices.


The basic function of a distribution point can be performed by a Network Agent on any operating system (Windows, Linux, or Mac OS). However, a number of additional functions are implemented only in the Windows version.

Network Agents for Linux and Mac OS serving as distribution points do not support the following:

— Network polling
— KSN Proxy role
— Downloading updates from Kaspersky update servers (a special task)
— Remote installations using operating system tools on behalf of the Administration Server

Distribution points for Linux and Mac OS also cannot serve as a connection gateway14.

14 For more details about connection gateways, check out Module 3 of this course.

The list of distribution points is provided in the properties of the Administration Server node. To assign a distribution point:

1. Enable the Manually assign distribution points mode.

2. Click the Add button under the list.

3. Use the top Select button to specify the computer that you want to assign as a distribution point.

There is an arrow at the right-side edge of the button. Clicking it opens a list of two options:

— Select a computer from the structure of managed devices.
— Specify a computer as an IP address.

The second option is needed for a scenario in which a computer is in the DMZ and was not detected by the Administration Server. For more details about this, check out Module 3 of this course: "Managing computers located outside the corporate network".

If you click the center of the button instead of the arrow on the right, the option to select a computer from the structure of managed devices is used automatically.

4. Click the lower Select button to specify the scope for the distribution point.

This button also has an arrow and two options to continue:

— Select an administration group.
— Select a network location.

By default, if you click the center of the button, you are prompted to select a group.

Groups are usually not the best scopes for distribution points. A distribution point must be near its target computers on the network, while groups can include computers from different subnets, offices, or even continents.

If the group structure reflects the network topology, use groups as the scopes for distribution points. If the group structure does not reflect the network topology, describe the topology as network locations and use the network locations instead. This is described in detail in section 2.3 ‘How to describe subnets for distribution points’ later in this chapter.

You can change the selected scope in the properties of the distribution point.

The selected number of distribution points depends on the following:

— Number of scopes to which you want to assign distribution points
— Number of devices in each scope
— Performance of the computers that will be distribution points

The documentation contains detailed recommendations summarized in the table on the slide. In simple words:

— Assign high-performance computers based on the calculation of one distribution point per 5,000 devices in a scope.
— Assign ordinary computers based on the calculation of one distribution point per 300 devices in a scope.
— Assign at least two distribution points to each scope for redundancy.

2.3 How to describe subnets for distribution points

For historical reasons, network locations settings are scattered throughout the Kaspersky Security Center Console. To better understand where and what to configure, it is helpful to distinguish two types of objects:

— Network location descriptions
— Network locations

Despite the similar names that are easily confused, we will adhere to them because they are used in the Kaspersky Security Center interface.

Network locations, which you can add to the scope of a distribution point, consist of network location descriptions, which are configured in a Network Agent policy (or policies) in the Connectivity | Connection profiles section.

Historically, network location descriptions were implemented into Kaspersky Security Center so that computers
could connect to different Administration Servers from different networks. For this reason, connection profiles are
always paired with network location descriptions. Connection profiles indicate to which Administration Server
address you need to connect from a specific location.

In our example, we have one Administration Server and use network location descriptions to connect endpoints to
different distribution points. However, since we must specify a connection profile in the settings of a network
location description, we will use the standard profile <Home Administration Server>, which is actually intended for
such a case.

Network location descriptions are listed in the upper half of the window. By default, no descriptions are defined. To
create a network location description, use the Add button under the list.

After you configure network location descriptions, do not forget to close the lock (switch to Editing locked status)
in the upper-right corner of the area. If the lock is not closed, the settings of descriptions will be delivered to
Network Agents only one time and subsequent modifications will not be applied.


We will study network location descriptions in more detail in Module 3 of this course, ‘Managing computers located outside the corporate network’. To use network location descriptions with distribution points, you need to know the following:

— A description consists of conditions.

— Conditions are of the following types:

— Subnet address
— Default gateway address
— DHCP server address
— DNS server address
— WINS server address
— DNS suffix of the domain
— Windows domain accessibility
— Capability to resolve a DNS name
— Capability to establish an SSL connection with the specified server (based on the address, port, and certificate)

— A description can have only one condition of each type. For instance, a description can have one Subnet address condition and one Capability to resolve a DNS name condition.

— One condition can contain a set of values. For example, you can define multiple subnet addresses in a Subnet address condition: 172.16.1.0/24, 172.16.5.0/24, 172.16.25.0/24

A condition is fulfilled as long as it is fulfilled for one of the specified values. In the presented example, the Subnet address condition is considered to be fulfilled if a computer resides in one of the following subnets: 172.16.1.0/24, 172.16.5.0/24, 172.16.25.0/24

— A computer matches a network location description if it fulfills all the defined conditions. For example, if Subnet address and Capability to resolve a DNS name conditions are defined, a computer matches the described subnet if it is included in the specified subnets AND can resolve one of the specified names.

To direct computers to the nearest distribution point, you need to define conditions for the network location description so that only computers within a specific subnet within the company perimeter will satisfy those conditions.

Most of the available conditions do not let you reliably distinguish between two similar locations. For example, a default gateway address and subnet address may match in a large number of local networks, many of which are public networks in internet cafes, hotels, airports, etc.

To avoid directing traveling laptops from an airport to a distribution point within the perimeter, use a combination of two types of conditions:

— Use the Capability to resolve a DNS name condition or a Capability to establish an SSL connection with the defined settings condition to distinguish locations within the perimeter from locations outside the perimeter.

To do so, use the names in the company’s internal domain that cannot be resolved through public DNS servers, or SSL servers within the company perimeter that are inaccessible from public networks. For example, you can use the KSC Administration Server as the SSL server.

— Use the Subnet address condition to distinguish between different locations within the company.

If a company network is not geographically distributed, the same internal servers may be accessible from different locations. In this case, locations can be distinguished by subnet addresses, which will normally be different for different subnets within the same company.

Along with conditions, a network location description has two other important settings:

— Use connection profile—indicates the connection profile with the Administration Server address. In network location descriptions created for assigning distribution points, select the <Home Administration Server> profile.

— Description enabled—select this check box. A network location description is not in use when disabled
(even though it is displayed in the output of the klnagchk.exe utility on a computer).
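How the conditions of a network location description combine, and why the subnet condition alone is not enough to keep a traveling laptop away from an internal distribution point, as an added example that is not code from the course or from Kaspersky. It implements the rules stated above: each condition holds if any of its values matches, a description matches only if all of its defined conditions hold, and a disabled description is never used. The subnets, host names, the HostFacts and LocationDescription classes and the locate helper are constructed for the example; treating a network location as matched when any of its descriptions matches, and representing what the Agent observes as a current IP plus the names it can resolve, are assumptions.

```python
"""Matching a Network Agent's current network against network location
descriptions (added example, not Kaspersky code; all addresses and names are constructed)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostFacts:
    """What the Agent can observe about its current network (assumed representation)."""
    ip: str
    default_gateway: str
    resolvable_names: set        # DNS names it could resolve right now
    ssl_reachable: set           # (host, port) pairs it could open an SSL connection to


@dataclass
class LocationDescription:
    """One network location description: at most one condition of each type, each
    holding a set of values. An empty list means the condition is not defined."""
    name: str
    subnets: list = field(default_factory=list)            # Subnet address
    default_gateways: list = field(default_factory=list)   # Default gateway address
    dns_names: list = field(default_factory=list)          # Capability to resolve a DNS name
    ssl_endpoints: list = field(default_factory=list)      # Capability to establish an SSL connection
    enabled: bool = True                                   # Description enabled
    connection_profile: str = "<Home Administration Server>"


def description_matches(desc, host):
    """All defined conditions must hold; a single condition holds if ANY of its values matches."""
    if not desc.enabled:
        return False                                        # disabled descriptions are not in use
    ip = ipaddress.ip_address(host.ip)
    conditions = []
    if desc.subnets:
        conditions.append(any(ip in ipaddress.ip_network(s, strict=False) for s in desc.subnets))
    if desc.default_gateways:
        conditions.append(host.default_gateway in desc.default_gateways)
    if desc.dns_names:
        conditions.append(any(n in host.resolvable_names for n in desc.dns_names))
    if desc.ssl_endpoints:
        conditions.append(any(e in host.ssl_reachable for e in desc.ssl_endpoints))
    return bool(conditions) and all(conditions)


def locate(locations, host):
    """Name of the first network location containing a description the host matches
    (assumption: a location is matched when any of its descriptions matches)."""
    for location_name, descriptions in locations:
        if any(description_matches(d, host) for d in descriptions):
            return location_name
    return None


# Constructed descriptions. Private subnets repeat in hotels and airports, so each
# description also requires resolving an internal-only name that public DNS does not know.
INTERNAL_NAME = "ksc.corp.example"
HQ = LocationDescription("HQ floors",
                         subnets=["172.16.1.0/24", "172.16.5.0/24", "172.16.25.0/24"],
                         dns_names=[INTERNAL_NAME])
BRANCH = LocationDescription("Branch office", subnets=["10.20.0.0/16"], dns_names=[INTERNAL_NAME])
OLD_SITE = LocationDescription("Closed site", subnets=["192.168.7.0/24"], enabled=False)
LOCATIONS = [("HQ", [HQ]), ("Branch", [BRANCH]), ("Old", [OLD_SITE])]

OFFICE_PC = HostFacts("172.16.5.17", "172.16.5.1", {INTERNAL_NAME}, set())
AIRPORT_LAPTOP = HostFacts("172.16.1.44", "172.16.1.1", set(), set())   # same subnet, no internal DNS
BRANCH_PC = HostFacts("10.20.3.9", "10.20.0.1", {INTERNAL_NAME}, set())
OLD_SITE_PC = HostFacts("192.168.7.5", "192.168.7.1", {INTERNAL_NAME}, set())

if __name__ == "__main__":
    for host in (OFFICE_PC, AIRPORT_LAPTOP, BRANCH_PC, OLD_SITE_PC):
        print(host.ip, "->", locate(LOCATIONS, host))
```

The laptop in the airport sits in 172.16.1.0/24, which is also one of the HQ subnets, but it cannot resolve the internal name, so the HQ description does not match and the laptop is not sent to the HQ distribution point. The host in 192.168.7.0/24 matches no location because its only description is disabled.
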
Managing updates 33
Chapter 2. Distribution points

Network location descriptions that are configured in the Network Agent policy still cannot be used as scopes of distribution points. From these network location descriptions, you need to create network locations in the Administration Server properties.

To create network locations, open the Distribution points section in the properties of the Administration Server
node and click the Configure network locations link.

The Configure network locations link is active only when manually assigning distribution points.

Click the link to open the list of network locations, which is empty by default. To create a location, click the Add
button under the list. Later, you will be able to use the Properties and Delete buttons to edit and remove network
locations.

A network location consists of a name and a list of the network location descriptions that it contains.

In addition, you can use the check box at the bottom of the window to enable automatic assignment of distribution points within this specific network location.

This limited automatic assignment works irrespective of how many computers the KSC Server manages in total
(even if there are fewer than 300 of them), but it uses the same thresholds:

— 1 distribution point after 10 devices in the scope
— 2, after 20
— 3, after 300
— 4, after 600, and so on

As the number of devices decreases in a scope, distribution points are revoked according to the same thresholds that are described under ‘Automatic assignment’ in section 2.2 ‘How to assign a distribution point’.


Each network location shows the full list of network location descriptions that were created in Network Agent
policies. To specify which network location descriptions to include in a network location, select these descriptions
on the list.

Be careful because the properties of a network location display enabled as well as disabled descriptions, which you cannot distinguish just by looking at them. To find out which network location descriptions are disabled, you need to look in the properties of the policy where the description is configured. Disabled network location descriptions will not be used, meaning, Network Agents will ignore them when deciding which network locations they belong to.

The same network location description can be selected in various network locations. In other words, network
locations may intersect and computers can simultaneously belong to multiple network locations.

Let’s examine how exactly a computer ends up in a network location:

1. First the Network Agent installed on the computer decides which network location description the
computer matches.

1.1. It checks which network location descriptions are defined in its policy.

1.2. It compares the status of the computer with the conditions defined in the network locations, beginning
with the top network location description and continuing down the list.

The Agent rechecks the fulfillment of conditions every 60 seconds (every minute), and every time when the
status of the computer’s network interfaces changes.

1.3. It stops on the first network location description whose conditions are fulfilled.

In other words, if a computer satisfies the conditions of multiple network location descriptions, it sticks to
the one that is higher in the list.

The administrator can change the order of descriptions in the Network Agent policy.

2. The Agent informs the KSC Server about which network location description matches the computer during the next scheduled synchronization.

3. The KSC Server sees which network locations include the network location description that the computer
matches, and considers the computer to belong to all of these network locations.

4. During the next synchronization, the Network Agent receives a list of distribution points whose scopes
include the computer.

The computer is included in the scope of a manually assigned distribution point if the distribution point scope covers the group or network location the computer belongs to.

When a computer is moved between locations, it may start to use a distribution point from the new location only after two synchronization periods.

The Agent almost instantly determines which network location description the computer matches. After that, it may take an entire synchronization period to notify the Server about the new location of the computer. And another synchronization period to receive a new list of distribution points from the Server.

Then the computer selects the optimal distribution point based on the algorithm described in section 2.4 below.
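The matching procedure above (first enabled description top-down on the Agent, then description-to-location mapping on the Server), as an added Python model that is not part of the course or of Kaspersky's code. It assumes that all conditions in a description must hold, models only the Subnet address and SSL connection conditions, and takes SSL reachability as constructed input rather than probing the network:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example (not Kaspersky's code). Two condition types are modelled:
# "Subnet address" and "Capability to establish an SSL connection". Whether an
# internal SSL server is reachable is supplied as a constructed set, not probed.


@dataclass
class Description:
    """One network location description from a Network Agent policy."""
    name: str
    enabled: bool = True
    subnets: list = field(default_factory=list)    # "Subnet address" condition values
    ssl_hosts: list = field(default_factory=list)  # SSL servers that must be reachable


@dataclass
class ComputerState:
    """Constructed snapshot of what the Agent observes on the computer."""
    ip: str
    ssl_reachable: set  # internal SSL servers the computer can currently connect to


def description_matches(desc: Description, state: ComputerState) -> bool:
    """Assumption: every condition in a description must hold for it to match."""
    if desc.subnets:
        addr = ipaddress.ip_address(state.ip)
        if not any(addr in ipaddress.ip_network(net) for net in desc.subnets):
            return False
    if desc.ssl_hosts and not all(h in state.ssl_reachable for h in desc.ssl_hosts):
        return False
    return True


def matching_descriptions(policy: list, state: ComputerState) -> list:
    """Every enabled description the computer satisfies, in policy order.
    For troubleshooting: if the wanted description is not first, a higher one shadows it."""
    return [d.name for d in policy if d.enabled and description_matches(d, state)]


def agent_match(policy: list, state: ComputerState) -> Optional[str]:
    """Step 1: walk the policy top-down and stop at the first enabled match."""
    matches = matching_descriptions(policy, state)
    return matches[0] if matches else None


def server_locations(matched: Optional[str], network_locations: dict) -> set:
    """Step 3: the Server places the computer in every network location that
    includes the matched description (locations may intersect)."""
    if matched is None:
        return set()
    return {loc for loc, descs in network_locations.items() if matched in descs}


# Constructed policy: descriptions are evaluated in this order.
POLICY = [
    Description("HQ", subnets=["10.1.0.0/16"], ssl_hosts=["ksc.corp.example"]),
    Description("Branch", subnets=["10.2.0.0/16"], ssl_hosts=["ksc.corp.example"]),
    Description("Old lab", enabled=False, subnets=["10.2.0.0/16"]),  # disabled: ignored
]

# Constructed network locations created in the Administration Server properties.
NETWORK_LOCATIONS = {
    "HQ-DPs": {"HQ"},
    "Branch-DPs": {"Branch"},
    "All-offices": {"HQ", "Branch"},
}


def locations_for(state: ComputerState) -> set:
    """Steps 1 and 3 together: which network locations the Server assigns the computer to."""
    return server_locations(agent_match(POLICY, state), NETWORK_LOCATIONS)


if __name__ == "__main__":
    inside = ComputerState("10.2.7.15", {"ksc.corp.example"})
    # Same private subnet in an airport, but no SSL path into the perimeter.
    airport = ComputerState("10.2.7.15", set())
    print(agent_match(POLICY, inside), sorted(locations_for(inside)))
    print(agent_match(POLICY, airport), sorted(locations_for(airport)))
```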

To see which computers belong to a network location, click the View devices button in the network location
properties.

If a computer should be in a network location but is not on the list, this may be caused by the following:

— Conditions of the network location description were defined with errors.


— The computer also satisfies the conditions of another network location description that is higher on the list of descriptions in the Network Agent policy.

— The network location description is disabled in the Network Agent policy.

— The computer did not receive the Network Agent policy or is managed by a different Network Agent
policy.

— The lock is not closed in the area that contains network location descriptions in the Network Agent policy.

— The Network Agent has not yet notified the Server about the new location of the computer. Wait one
synchronization period.


That was a lot of information with a lot of not-so-obvious nuances. Let’s try to break this all down into concise instructions on how to configure distribution points for network locations within an organization:

1. For each geographically separate location, select an internal server with which you can establish SSL
connections. The type of server is not important. For example, this could be the KSC Administration Server
to which you can establish an SSL connection on port 13000.

2. Describe the geographically separate locations in Network Agent policies (preferably in all policies to
cover all computers). Use two types of conditions in each description:

2.1. One condition verifies the capability to establish an SSL connection with the internal server to make
sure that the computer is within the company network.

2.2. The second condition checks the subnet address to find out where exactly the computer is located
within the organization.

2.3. Select the <Home Administration Server> profile in all descriptions.


2.4. Do not forget to enable the descriptions and close the lock in the respective area.

3. Enable manual assignment of distribution points in the Distribution points section in the properties of the
Administration Server node.

4. Create network locations from the network location descriptions defined at step 2.

5. Add two or more distribution points to each network location. To do so, select the computers that belong to network locations and specify the corresponding network locations as the scope.

2.4 Distribution point settings

Settings of an individual distribution point

Distribution point scope

The administrator can change the settings of manually assigned distribution points, such as enable or disable
individual functions, or change the parameters.

In the automatic assignment mode, the settings of distribution points are unavailable, but some of the settings can be defined in the Network Agent policy.

The scope determines which computers can connect to the distribution point. When creating a distribution point, the
administrator selects one scope: group or network location. In the properties of a distribution point, you can add as
many groups and network locations as you want to the scope.

However, it is recommended to add only those groups and network locations whose computers are located near the
distribution point on the network.

How Network Agents choose from multiple distribution points

Even within one scope, it is recommended to have two or more distribution points. Depending on the settings, a
computer can belong to multiple network locations and receive a rather long list of distribution points from the
server. How do Network Agents decide which distribution points to connect to?

First the Network Agent sorts all distribution points assigned to a computer in order of priority. The priority is
determined based on the following:

— A distribution point for a group has a higher priority than distribution points for a network location.

In other words, a distribution point whose scope includes one of the administration groups of the computer¹⁵ has a higher priority than a distribution point whose scope does not include administration groups of the computer (but includes only network locations of the computer).

— For distribution points assigned to a group: the closer the group is to the computer in the group hierarchy,
the higher the priority of the distribution point assigned to the group.

— For distribution points assigned to a network location: the closer the distribution point is to the computer
(based on the number of network hops), the higher its priority.

If this is not clear, we can approach it from a different angle:

— The highest priority is given to the distribution points that are assigned to the actual group of the computer.

— The next-best priority is given to distribution points that are assigned to the group that is one step higher in
the group hierarchy (the parent group of the computer’s group).

— The next-best priority is given to distribution points of the group that is one more step higher, and so on, all
the way up to the root ‘Managed devices’ group.

— The next-best priority is given to distribution points that are in the same network segment as the computer.

¹⁵ Of course, a computer cannot belong to multiple different administration groups. This means that the scope of a distribution point can include the actual group of a computer or the parent group of its actual group, or even the Managed devices group that indirectly includes all computers.

— Then the distribution points at a distance of one network hop.

— Then at a distance of two network hops, and so on.

After all distribution points assigned to the computer have been ranked by priority, the Network Agent connects to a distribution point according to the following algorithm:

1. Selects the distribution point with the highest priority.

2. If there are several of them, randomly selects one.

3. If the distribution point selected after steps 1 and 2 is inaccessible, the Agent repeats the selection among the other distribution points according to the same algorithm.

Agents select distribution points at startup, whenever the list of distribution points changes, and when a previously
selected distribution point becomes inaccessible.

If a scope has multiple distribution points, you can expect that each will receive an equal percentage of devices due
to the random selection at step 2. If a distribution point becomes inaccessible, its devices switch to the remaining
distribution points. If it becomes available again, eventually some computers will connect to it as they subsequently
turn off and on.
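The ranking rules and the three-step selection algorithm above, as an added Python model that is not part of the course or of Kaspersky's code. Group depth and hop counts are constructed inputs, and whether a distribution point answers is supplied by a caller-provided function; the simulation at the end shows the roughly equal split that the random choice at step 2 produces:

```python
import random
from collections import Counter
from dataclasses import dataclass

# Added example (not Kaspersky's code): models the priority ranking and
# selection of distribution points described in the course text.


@dataclass(frozen=True)
class DistributionPoint:
    name: str
    scope_groups: tuple = ()     # administration groups in the scope
    scope_locations: tuple = ()  # network locations in the scope
    hops: int = 0                # constructed: network hops from the computer


def priority_key(dp, group_path, locations):
    """Lower key = higher priority; None if the computer is outside the DP scope.

    group_path lists the computer's groups from its own group up to
    'Managed devices': index 0 is the actual group, 1 the parent, and so on."""
    depths = [depth for depth, group in enumerate(group_path) if group in dp.scope_groups]
    if depths:
        return (0, min(depths))  # group-scoped DPs outrank location-scoped ones
    if any(loc in dp.scope_locations for loc in locations):
        return (1, dp.hops)      # then by network distance
    return None


def rank_distribution_points(dps, group_path, locations):
    """Distribution points in scope, sorted from highest to lowest priority."""
    keyed = [(priority_key(dp, group_path, locations), dp) for dp in dps]
    return sorted(((k, dp) for k, dp in keyed if k is not None), key=lambda pair: pair[0])


def select_distribution_point(dps, group_path, locations, is_accessible, rng=random):
    """Steps 1-3: random pick within the top tier; on failure, repeat with the rest."""
    candidates = rank_distribution_points(dps, group_path, locations)
    while candidates:
        best = candidates[0][0]
        tier = [dp for key, dp in candidates if key == best]
        choice = rng.choice(tier)
        if is_accessible(choice):
            return choice
        candidates = [(k, dp) for k, dp in candidates if dp != choice]
    # No DP reachable: the Agent falls back to the Administration Server
    # unless "Download files through distribution points only" is set.
    return None


def simulate_share(dps, group_path, locations, agents, seed=1):
    """How many of `agents` identical computers land on each DP (all reachable)."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(agents):
        chosen = select_distribution_point(dps, group_path, locations, lambda dp: True, rng)
        counts[chosen.name] += 1
    return counts


# Constructed example: a workstation in Managed devices/Workstations/Accounting at HQ.
GROUP_PATH = ("Accounting", "Workstations", "Managed devices")
LOCATIONS = {"HQ-DPs"}
DPS = [
    DistributionPoint("dp-root", scope_groups=("Managed devices",)),
    DistributionPoint("dp-ws-a", scope_groups=("Workstations",)),
    DistributionPoint("dp-ws-b", scope_groups=("Workstations",)),
    DistributionPoint("dp-hq-near", scope_locations=("HQ-DPs",), hops=0),
    DistributionPoint("dp-hq-far", scope_locations=("HQ-DPs",), hops=2),
    DistributionPoint("dp-branch", scope_locations=("Branch-DPs",), hops=5),  # out of scope
]


def ranked_names(dps=DPS, group_path=GROUP_PATH, locations=LOCATIONS):
    return [dp.name for _, dp in rank_distribution_points(dps, group_path, locations)]


if __name__ == "__main__":
    print(ranked_names())
    print(simulate_share(DPS, GROUP_PATH, LOCATIONS, 1000))
```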

If a distribution point is inaccessible


According to the algorithm described above, if a distribution point becomes inaccessible, Network Agents attempt to connect to a different distribution point.

If a Network Agent cannot connect to any distribution point for some reason, it will attempt to download files
directly from the Administration Server by default.

Sometimes this is undesirable. For example, if the Administration Server and managed devices are in different geographic locations, it is extremely undesirable to download large volumes of data over a slow channel.

To prevent Network Agents from attempting to connect to the Administration Server and have them wait until a
distribution point becomes available, select the Download files through distribution points only check box located
in the Settings section in the Network Agents policy. Do not forget to close the lock for this setting.

Active and reserve distribution points

To find out if a computer is a distribution point, consult the output of the klnagchk.exe utility in the Network Agent
folder. There you may also notice that some distribution points are active and others are reserve distribution points.

Active distribution points are those that download files from the Administration Server. Reserve distribution points download files from the active distribution point within the same scope.

If a scope only has one distribution point, it is always active. Reserve distribution points can only be in scopes where multiple distribution points are assigned. By downloading files from another distribution point in the scope, reserve distribution points reduce traffic from the Administration Server, which is especially important if the connection with the Server is over a slow channel.

The Administration Server decides which distribution point becomes active and which becomes the reserve.

Network Agents on computers within a scope do not distinguish between active and reserve distribution points. The
active or reserve status of a distribution point does not affect its priority for a computer.

Distribution of update files and installation packages

Distribution points can distribute update files and installation packages to computers. The administrator can disable
either of these in the General section in the distribution point properties. For example, the administrators can decide
that they need only the KSN Proxy and network scan functions.

The administrator can also do the following:



— Change the port for accepting connections from Network Agents.


— Disable multicast, which is enabled by default.

— Change the multicast address, which is selected by the Administration Server by default.
— Change the multicast port, which is 15001 by default.

Some network administrators frown upon the use of multicasting and try to disable it in applications at their first opportunity. In terms of network load at least, multicast in distribution points will conserve traffic.

If multicast is enabled, the Administration Server (not Network Agents) automatically selects a multicast address
from the standard range (239.0.0.0/8) for a distribution point, and makes sure that distribution points that have the
same scope use different addresses. You can choose a custom address if you know what you are doing.

By default, a distribution point saves files to be distributed in the folder %ProgramData%\KasperskyLab\adminkit\1103\$FTClTmp. The administrator can change the storage folder in the Advanced section.

Source for downloading updates

If a distribution point is located in a remote office and connects to the Administration Server over the internet, it
makes sense to download updates to the distribution point repository from Kaspersky update servers instead of the
Administration Server.

To do so, in the properties of the distribution point, in the Source of updates section, select the Use task for forced download of updates mode instead of Retrieve from Administration Server. Then specify a Download updates to the repositories of distribution points task, which has the schedule, source, and other settings.

You can create this task in the distribution point properties by clicking the New task button. As a result, you will obtain a local task that can be managed only through the computer properties window.

If you need to download updates from the internet for multiple distribution points, it is better to use a group task or a task for a set of computers. If you have created a group task but cannot select it in the distribution point properties, wait for the task to switch to the Scheduled status.

The settings of the Download updates to the repositories of distribution points task are very similar to the
settings of the Download updates to the Administration Server repository task. You can define the following:

— Update source
Kaspersky update servers or a custom source of updates. You cannot select Kaspersky Security Center as
an update source in this task. To download updates from the Administration Server, select the Retrieve
from Administration Server mode in the properties of the distribution point.

— Contents of updates

In this case, you can enable downloading of diff files, which is recommended, but disabled by default.

— Schedule

You can select any schedule except When updates are downloaded to the repository. It doesn’t make sense to wait for updates to be downloaded to the Server repository if the Server is not an update source.

— In the Other settings area, you can change the folder used for storing updates.

A task to download updates to the distribution point is only available in Network Agent for Windows.
KSN Proxy

A distribution point can serve in the KSN Proxy role:

— Receive KSN requests sent from managed protection applications.


— Forward requests.

— Receive responses and relay them to the requesting device.


— Cache responses for repeated use.

KSN Proxy at a distribution point can forward requests either to the Administration Server or to the Kaspersky Security Network service in the internet. Like KSN Proxy on the Administration Server, KSN Proxy at a distribution point receives requests over the TCP protocol at port 13111 and over the UDP protocol at port 15111 by default.

Like on the Administration Server, the KSN Proxy function is implemented by a separate Windows service. All other functions of a distribution point are implemented by the klnagent service.

If a distribution point needs internet access to download updates or forward requests to KSN, you may need to
specify the proxy server settings for internet access. They are defined in the distribution point properties in the
Internet connection settings section.

The KSN Proxy function is implemented only in Network Agent for Windows.

Network polling

A distribution point can poll the network and forward the results to the Administration Server. This is one way to
detect changes in subnets that the Administration Server cannot access.

A distribution point can poll the network using the same methods as the Administration Server:

— Windows Network polling



— Active directory polling


— IP ranges polling

Network polling is disabled by default. To poll the network around a distribution point, enable and configure the
necessary types of polling. The settings of polling methods are the same as on the Administration Server.

Network polling is implemented only in Network Agent for Windows.



The last function of a distribution point that we haven’t covered yet is a connection gateway. For more details about scenarios in which connection gateways are useful, please refer to Module 3 of this course.

What does a connection gateway do? It accepts connections from Network Agents on managed devices and tunnels them to the Administration Server through its own connection with the Server. This pertains to all communications between Network Agents and the Server:

— Synchronizations
— Sending events and statuses

— Downloading updates and installation packages
— And others

What does a connection gateway not do?

— It does not reduce the total data volume. Agents and the Server exchange the same data as they would
without a connection gateway. They just exchange it directly without a gateway.

— It does not cache data. If a connection gateway cannot establish a connection with the Server to tunnel the
connection from the Agent, the Agent on the managed device will get a Server connection error and will
not even begin to forward data to the connection gateway.

Then why use a connection gateway?

— It reduces the number of connections that the Administration Server has to process.
— It lets you manage computers that don’t have direct access to the Administration Server but have access to a
connection gateway.

Automatically assigned distribution points act as connection gateways by default.



The connection gateway function is implemented only in Network Agent for Windows.

Managing settings through a policy


When there are many distribution points, it is very tedious to reconfigure them one by one. Moreover, if distribution
points are assigned automatically, their properties are unavailable and you cannot edit their settings directly.

Some settings can be defined through a Network Agent policy in the Distribution points section:

— Network polling—all network polling settings.
— Internet connection settings—proxy server settings.
— KSN Proxy—all settings of the KSN Proxy functionality.

— Updates—only the setting for downloading diff files from the Administration Server. You cannot switch
distribution points to use a task with a different source in a Network Agent policy.

Monitoring distribution points


There are two ways to view the operating statistics of a distribution point:

— Open the list of distribution points in the Administration Server properties, select the distribution point, open its properties and go to the Statistics section.

— Find the managed device that acts as the distribution point, open its properties, find Kaspersky Security
Center Network Agent in the Applications section, and open its statistics.

Distribution point statistics contain the following:



Setting | Description
--- | ---
Created | Date and time when the computer’s record appeared in the Administration Server database (not when the computer became a distribution point).
Work folder | Folder where the distribution point stores files for managed devices.
Work folder size | Working directory size, in megabytes
Application database |
Amount of information downloaded by clients via TCP protocol | The total volume of updates that Network Agents downloaded directly from the distribution point (not counting multicasts) since the distribution point was created.
Amount of information downloaded by clients via TCP protocol | Total size of updates that were sent (not necessarily delivered) by multicast
Last synchronized with the Administration Server | Date and time of the last synchronization with the Administration Server
Percentage of data obtained through multicasting | Portion of updates that managed devices received by multicast instead of downloading them through direct requests to the distribution point
Total number of synchronizations with the Administration Server | Number of synchronizations between the distribution point and the Administration Server during the life cycle of the distribution point (do not confuse this with synchronizations between Network Agents and the Administration Server. Synchronizations of a distribution point occur when there are files to distribute.)
Remote installation |
Amount of information sent by the distribution point to clients using multicast distributions | Total size of installation packages that were sent (not necessarily delivered) by multicast
Percentage of data obtained through multicasting | Portion of installation packages that managed devices received by multicast instead of downloading them through direct requests to the distribution point
Total amount of information downloaded by clients from the distribution point | The total volume of installation packages that Network Agents downloaded directly from the distribution point (not counting multicasts) since the distribution point was created.
Total size of installation packages downloaded from the Administration Server or other distribution points | Total volume of installation packages received by the distribution point from Kaspersky Security Center (in other words, downloaded from the Administration Server or from an active distribution point)

It is time-consuming and inefficient to view the statistics of each distribution point. To understand what will happen
with all distribution points at the same time, use a report on the activity of distribution points.

A report shows all distribution points, how many devices are in their scope, where they receive updates, which volume of information they sent by multicast, and which volume of information they distributed by individual request.

The details table lists all multicast sessions.


Chapter 3. Common configurations

3.1 Large centralized network with one Administration Server


The main task in a large centralized network is to reduce the load on the Administration Server. To do so, you need
to set up additional sources of updates based on distribution points.

If the entire network consists of one site and all computers are connected by a shared local network with a
sufficiently high bandwidth, it is not necessary to divide the network into scopes. You can use the entire
organization as a shared scope for all distribution points and let computers independently choose any distribution
point from the overall list.

In all approaches listed below, multicast will let you reduce traffic within the network. To ensure its effectiveness, it
is especially important that Network Agents connect to distribution points in their own segment.

Distribution points for the Managed devices group



The simplest way to implement this approach is to assign all distribution points to the Managed devices group. The
main implementation plan will be as follows:

1. Determine the set of potential distribution points with roughly the same capacity.

Identical capacity is important because managed devices will randomly select their own distribution point
from the overall list, and each distribution point will serve approximately the same number of devices.

If it is not possible to select distribution points with the same capacity, at step 2 evaluate the necessary
number of distribution points based on the specifications of the least powerful computer that is likely to
serve as a distribution point.

2. Calculate the necessary number of distribution points based on the number of computers in the organization and the specifications of those likely to become distribution points (more powerful computers can serve more devices).

3. Enable manual assignment of distribution points to control which computers will perform the role of a distribution point.

4. Assign the necessary number of distribution points to the Managed devices group with some reserve.

In addition, it is useful to configure the following settings:

— Downloading of diff files, which lets you substantially reduce overall traffic

— Download files only through distribution points to avoid increasing the load on the Administration Server when distribution points fail.

Advantages of this approach:

— There is virtually nothing you need to configure, except to select computers to serve as distribution points.

Shortcomings:

— All distribution points are deemed equivalent and computers do not consider the network topology when
selecting a distribution point.
Distribution points for one network location

To ensure that devices select the distribution point closest to them in the network topology instead of a random distribution point, assign distribution points to network locations. In the simplest case:

1. Enable manual assignment of distribution points.



2. Describe the entire network as one network location by using a criterion such as the availability of SSL connections with one or multiple internal servers.

3. Calculate the necessary number of distribution points based on the number of computers in the organization and the specifications of those likely to become distribution points (more powerful computers can serve more devices).

4. Assign the necessary number of distribution points to the network location defined in step 2.

5. Enable:

— Downloading of diff files

— Downloading of files through distribution points only

Advantage of this approach:


— Network Agents will select distribution points based on the network topology.

Shortcoming:

— Allocation of distribution points among network segments is neither transparent nor intuitive. It may turn out that specific segments have many distribution points for few devices, while other segments have few distribution points for many devices.

Distribution points for multiple network locations

To better understand how many devices there are in different segments, and how many distribution points they need,
it is best to describe segments as network locations in Kaspersky Security Center.

Advantages of this approach:

— It is not difficult to understand the allocation of distribution points based on the network topology.

— Network Agents use the distribution points of their own network segment.

Shortcoming:

— It is not convenient to describe numerous network locations in a Network Agent policy.

Automatic assignment of distribution points

You can completely avoid the headaches associated with manual assignment of distribution points and return to
using automatic assignment. Advantages of this approach:

— You don’t need to configure anything.

— The Administration Server guarantees a sufficient number of distribution points for each segment.

— Network Agents use the distribution points located in their own network segment.

Shortcomings:

— Unsuitable computers could potentially become distribution points. The administrator has no good tools to restrict the selection of distribution points.



— Most of the settings of distribution points become unavailable.


3.2 Large distributed network with one Administration Server


In a distributed network, it is critical to prevent large amounts of traffic between geographically remote networks.

To do so, you need to configure managed devices to query the distribution points in their own network.

Best option in this case:

1. Describe geographically distributed offices as network locations.



2. Manually assign a sufficient number of distribution points to each location.



3. Configure distribution points in remote locations to receive updates over the internet.

It’s not only useful but practically required to configure the following:

— Downloading of diff files to reduce overall update traffic



Among other benefits, this will help prevent situations when traveling laptops are slow in learning the list
of distribution points for their new location and attempt to download files from a distribution point in their
old location.

— Download files through distribution points only



This will protect against problems associated with inaccessible distribution points. Devices will not attempt
to download files from the Administration Server over slow communication channels between offices.

When implementing such a scenario, you should expect that immediately after a traveling laptop moves to a different office, it may still exchange files with the distribution point of the previous office for some time. This happens for the following reason:

— A Network Agent does not store the complete list of distribution points for all locations, but instead
receives a list of distribution points for its own location when synchronizing with the Administration
Server.

To reduce negative impacts from exchanging files with a distribution point from an old location:

— First of all, configure downloading of diff files, which will substantially reduce the volume of downloaded data, including between offices.

— Reduce the synchronization interval so that clients obtain an up-to-date list of distribution points for the new location more quickly.

However, also keep in mind that more frequent synchronizations actually increase traffic with the
Administration Server and increase the load on the Server. Do not make any drastic changes, and carefully
monitor the load on the network and the Administration Server.
