Installing Kaspersky Security Center 10.0 on Windows Server 2012 Failover Cluster

Version  Date            Author           Comments
1.0      5th March 2013  Pavel Polyansky  Initial version.

Introduction

This document explains how to install Kaspersky Security Center 10.0 on a Windows Server 2012 Failover Cluster.

Microsoft defines a cluster as a group of two or more independent nodes that are physically connected by LAN/WAN and programmatically connected by cluster software. This group of nodes is usually managed as a single system and includes multiple network and storage connections. In addition to their connection to the LAN (public network), nodes have a connection to a private network for monitoring and failover. They also have a connection to a common storage array. Cluster software connects the nodes and provides a single-system view to clients, so clients are not aware that they are dealing with a cluster; for them it looks like a single server.

The application runs on only one node at a time. If a cluster resource fails on one of the nodes, another node starts to provide the service. This process is known as failover. A cluster resource is a component managed by the cluster; it can be an application service, disk, IP address, network name or network interface card (NIC).

Quorum is another important part of a cluster. It is a cluster configuration database which is stored on shared storage and is accessible to all nodes. This database includes information about members (nodes) and resources. If a node cannot communicate with the quorum, it cannot participate in the cluster. The second purpose of the quorum is to select, by majority, the surviving part of the cluster when a network failure splits the cluster and isolated groups of nodes try to take ownership of the cluster resources, which would corrupt the database because uncoordinated changes are made against it.

The Standard Edition of Windows Server 2012 includes the Failover Clustering feature. However, this feature is not installed by default. It must be installed separately.

Environment

The following machines and applications are used for explanation:

Virtual Server: VMware ESXi 5.0.0 (Build 623860). The following machines are running on it:

dc.vlab.local, 172.16.133.85/16: Domain Controller, DNS, DHCP server running on Windows Server 2008
win2012nodea.vlab.local, 172.16.4.0/16: domain member server with no roles running on Windows Server 2012
win2012nodeb.vlab.local, 172.16.1.128/16: domain member server with no roles running on Windows Server 2012
SQL-server.vlab.local, 172.16.2.88/16: Microsoft SQL 2008 R2 EE server running on Windows Server 2008 R2 EE
storage1.vlab.local, 172.16.6.112/16: domain member server with no roles running on Windows Server 2008
winxpkes.vlab.local: domain member workstation running on Windows XP SP3, DHCP client

Installation process

The cluster installation process includes certain configuration and management steps. This document does not describe the first 2 steps; refer to Microsoft documentation for them.

1. Create 2 fresh Windows Server 2012 virtual machines (named win2012nodea and win2012nodeb respectively) or use existing ones.
2. Join both Windows Server 2012 machines to the local domain dc.vlab.local, configure DNS settings and use the VLAB\Administrator account to install all other software (it is highly recommended to avoid using local accounts when installing cluster software and Kaspersky Lab software).
3. Configure the Storage Server (storage1.vlab.local). This server is used for Quorum and Data to support cluster services. Install the StarWind iSCSI SAN solution.
4. Install and configure Microsoft Server 2012 Failover Cluster.
5. Install Kaspersky Security Center 10 on this new cluster.

StarWind iSCSI SAN Installation and Configuration

To build a Microsoft Cluster you need at least two nodes and some storage. For testing in a VMware ESX environment there is free software which can be used as a storage device, thus avoiding implementation of expensive FC or external SCSI solutions. Please take into account that you need a solution which supports SCSI-3 persistent reservation disks. StarWind iSCSI SAN software version 6.0 was selected for this explanation, but you can use any other.

1. Log on to storage1.vlab.local with the VLAB\Administrator account.
2. Locate the Microsoft iSCSI Initiator service, which is installed by default with Windows Server 2008 R2. Click Run -> services.msc -> Microsoft iSCSI Initiator Service -> Start.
3. Click Start -> Administrative Tools -> iSCSI Initiator. Make sure this window opens successfully.
4. Launch the StarWind iSCSI Server 6.0 installation and click Next on the Welcome page.
5. Read and accept the License Agreement on the next page. Read the important information.
6. On the Information page click Next.
7. Select the destination location.
8. Select Full Installation, which includes both the StarWind iSCSI Service and the Management Console.
9. Select the Start Menu folder and create a desktop icon if you need it.
10. On the License key page select Request.
10. On the License key screen select StarWind iSCSI SAN&NAS.
11. On the next screen provide a key file for the 30-day trial, downloaded from the StarWind website.
12. Launch the StarWind Management Console after installation.
13. Under StarWind Servers a localhost entry is already created by default, so there's no need to create one.
14. If a license key was successfully installed during setup, you will also see that local storage (127.0.0.1) appears as storage1.vlab.local and is already connected.
15. Right-click Devices in the right pane and select Add Device.
16. Select Virtual Hard Disk.
17. Select Image File Device.
18. Create a new virtual disk which will be exported as an iSCSI target. The term target is used to refer to a network storage device (it is like a LUN on a SAN).
19. Select the virtual disk location and name for the Quorum.img disk (do not forget to add the .img extension when creating this virtual disk). It does not require much space and 500 MB will be enough. The size could be even smaller, but the reason is not capacity: the optimum minimum for NTFS is about 400-500 MB (Microsoft recommendation). Other disks can be used for this purpose after installation.
20. Select No caching and click Next.
21. Provide a Target Alias (i.e. Quorum). Select Allow multiple concurrent iSCSI connections. Click Next.
22. Repeat Steps 15-21 for the Data disk, which will be used to store executable files for the clustered application, installation packages, updates, backups (by default), replicas, etc. A few GBs will be enough for this case, but in an enterprise production environment it could require up to tens of GBs.
23. After configuration is finished you will see two targets and two devices in the Management Console.

Microsoft Cluster Server Installation and Configuration

1. In the properties of the win2012nodea VM add an additional NIC which will be used for the private network. Give a name to this connection (i.e. "private"; the first connection could be named "public") and configure TCP/IP on win2012nodea as on the screenshot below.
2. Go to Server Manager -> Tools -> iSCSI Initiator -> click Yes to start the service if it is not started -> Targets -> enter the Storage IP (172.16.6.112) and click Quick Connect -> connect to the discovered targets.
3. In iSCSI Initiator go to Volumes and Devices -> click Auto Configure -> OK.
4. Run Computer Management -> Disk Management, where you will find two unknown disks.
5. Right-click on each Disk -> Online -> Initialize Disk. Wait 5 seconds and right-click on the disk space -> New simple volume. Start the Wizard and follow its steps.
6. Assign the letter Q to the Quorum drive and the letter S to the Data drive.
7. After Step 5 your Disk Management screen should look like this.
8. Make the disks Offline.
9. On the Server Manager main page click Add Roles and Features. A Wizard will start. Click Next several times and on the Features page check Failover Clustering. Click Next. Click Install and wait while the Wizard installs Failover Clustering.
10. Repeat the same steps for win2012nodeb but give the 10.10.10.2/24 address to its private NIC. As for volumes, set the same letters for the disks as on win2012nodea.
11. On win2012nodea go to Tools -> Failover Cluster Manager -> Validate Configuration -> Next -> add both nodes -> Next -> select Run all tests and click Next again. View the Report to be sure that all tests passed successfully and click Finish.
12. In Failover Cluster Manager click Create a Cluster. Provide a name for the cluster and add both nodes to it.
13. Click Next.
14. Wait while the cluster is created.
15. The cluster is created. Nodes and disks can be changed, removed and added later.
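
Steps 9-12 above can also be scripted with the FailoverClusters PowerShell module. The following is an added example, not part of the original document; the cluster name is a hypothetical placeholder, and it assumes the public network can hand out the cluster address via DHCP (the lab has a DHCP server).

```powershell
# Added example. Run in an elevated session as a domain administrator
# once both nodes see the Q: and S: iSCSI volumes (steps 2-8).
$Nodes       = 'win2012nodea', 'win2012nodeb'
$ClusterName = 'EXAMPLECLUSTER'   # hypothetical; must differ from the KSC virtual server name

# Step 9/10: install the Failover Clustering feature on each node.
foreach ($node in $Nodes) {
    $result = Install-WindowsFeature -Name Failover-Clustering `
        -IncludeManagementTools -ComputerName $node
    if (-not $result.Success) {
        throw "Failover-Clustering could not be installed on $node"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning "$node needs a restart before validation"
    }
}

Import-Module FailoverClusters

# Step 11: run all validation tests; Test-Cluster returns the report file.
$report = Test-Cluster -Node $Nodes
Write-Host "Validation report: $($report.FullName)"

# Step 12: create the cluster only after a person has read the report.
$answer = Read-Host 'All validation tests passed? (y/n)'
if ($answer -eq 'y') {
    # Assumption: the address comes from DHCP. On a network without DHCP,
    # add -StaticAddress with an address chosen for the cluster.
    New-Cluster -Name $ClusterName -Node $Nodes
} else {
    Write-Warning 'Cluster not created; fix the failed tests and validate again.'
}
```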

Kaspersky Security Center 10.0 Installation in Cluster Environment

1. Launch the Kaspersky Security Center 10.0 installation on win2012nodea and click Next on the Welcome page.
2. Read and accept the terms of the License Agreement.
3. Select Cluster installation.
4. Enter a new virtual Server name, i.e. KSC10_CL. This name should be different from the name entered as the cluster name before. Here the virtual Server is not the same as the Virtual Administration Server feature introduced in SC9.
5. Select the public network and enter the virtual Server IP address. Click Add and then click Next.
6. Create a new cluster group called KSCGroup. Click Next.
7. Select the storage on which to install the virtual Server resources. Here it is the S drive created earlier to store common application data.
8. Add the WIN2012nodeb node. Click Next and select an account for remote installation.
9. Select the features you want to install.
10. Specify the network size.
11. Enter the Administration Server service account.
12. Select the database server type. This type of installation will not offer to install and use Microsoft SQL 2005 Express.
13. Select the database server and database name.
14. Provide the SQL Authentication Mode.
15. Create a shared folder.
16. Provide connection settings.
17. Provide the Administration Server address via the Cluster DNS name or Cluster IP address.
20. Select the Plug-ins you want to install.
21. Click the Install button to start the installation process.
22. Watch the installation process while it completes.

Installation Results

After installation go to Server Manager -> Configuration -> Services and look at the Kaspersky Lab services.

[Screenshots: services on the active node and on the passive node]

Unlike an installation on a single server, kladminserver, klnagent and klnacserver have the Manual startup type and are managed by the cluster. These cluster-aware services have the _cluster suffix in their names. The KSN Proxy service is also stopped on one node and then started on another node during failover, but it is not a clustered process and this operation is managed by Security Center.

As you can see, there are now two Network Agent (NA) services. One of them is a cluster-aware service which performs the same management activity as a server-side NA in an installation on a single server. It is started only on the active node. The stand-alone NA is the same NA that is usually installed on managed hosts. It connects to the Administration Server via TCP/IP and performs host-specific actions such as software and hardware inventory, control of the endpoint protection product installed on this host, etc. It is always started on all nodes.

Open My Computer on both nodes and you will see that the quorum and common data drives are connected to the active node. SC installed on a cluster stores its data in S:\Kaspersky Security Center. The stand-alone NA stores its data as usual in %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit.

Go to Start -> Administrative Tools -> Failover Cluster Manager -> KSC10_CL -> Services and applications -> KSCGroup and look at the cluster resources. Here you can move these resources to another node (right-click Cluster Group -> Move this service or application to another node) or try to simulate a failure of one of the resources (right-click Resource in Resource Group -> Simulate failure of this resource).

Launch the Administrative Console. Now it is possible to connect to the server using the cluster name (KSC10).
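
The service and resource state described above can be checked from one console instead of opening Services on each node. This is an added example, not part of the original document; it relies only on the node names, the KSCGroup group and the _cluster suffix stated above, and assumes remote CIM (WinRM) access to both nodes.

```powershell
# Added example. Run on a cluster node as a domain administrator.
Import-Module FailoverClusters

$nodes = 'win2012nodea', 'win2012nodeb'

# Which node currently owns the Security Center group (the active node)?
$group = Get-ClusterGroup -Name 'KSCGroup'
$owner = $group.OwnerNode.Name

# Cluster-aware services carry the _cluster suffix. In WQL "_" is a
# single-character wildcard, so it is escaped as [_].
$services = Get-CimInstance -ClassName Win32_Service -ComputerName $nodes `
    -Filter "Name LIKE '%[_]cluster'"

# Expected: Manual startup everywhere, running only on the owner node.
$findings = foreach ($svc in $services) {
    if ($svc.StartMode -ne 'Manual') {
        "$($svc.PSComputerName): $($svc.Name) has startup type $($svc.StartMode), expected Manual"
    }
    if ($svc.State -eq 'Running' -and $svc.PSComputerName -ne $owner) {
        "$($svc.PSComputerName): $($svc.Name) is running on a passive node"
    }
}

"Active node: $owner (group state: $($group.State))"
$services | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, StartMode, State -AutoSize
$group | Get-ClusterResource |
    Format-Table Name, ResourceType, State, OwnerNode -AutoSize

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Cluster-aware services match the expected layout.' }

# Scripted equivalent of "Move this service or application to another node":
# Move-ClusterGroup -Name 'KSCGroup' -Node 'win2012nodeb'
```

Running it again after a move should show the same services running on the other node and the group owner changed accordingly.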

Unlike an installation on a single server, both nodes as well as virtual servers will be in the Unassigned group. Events generated by the Administration Server as a whole will appear with the cluster name. Node-specific events (threat detection, for example) will appear with the name of that node.

Troubleshooting

In case of any issues Technical Support may ask you to send an SC10 component trace file. In a cluster environment the trace level for the Administration Server is set here (this differs from a single server):

64bit: HKLM\Software\Wow6432Node\KasperskyLab\Components\34_cluster\1093\1.0.0.0\Debug\
32bit: HKLM\Software\KasperskyLab\Components\34_cluster\1093\1.0.0.0\Debug\

TraceLevel can have several values depending on the Technical Support request and is set in the following way: TraceLevel=dword:00000004. As a result you will get the $klserver-1093.log file in the installation folder on the node (not on the shared drive). To disable tracing, return its value to 0 again.

Trace for the Clustered Network Agent service:

64bit: HKLM\Software\Wow6432Node\KasperskyLab\Components\34_cluster\1103\1.0.0.0\Debug\
32bit: HKLM\Software\KasperskyLab\Components\34_cluster\1103\1.0.0.0\Debug\

As a result you will get the $klnagent_cluster-1103.log file on the node.
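
The registry change above can be made with a small helper that picks the 64-bit or 32-bit path and the component ID. This is an added example, not Kaspersky Lab code; the function name and the creation of a missing Debug subkey are assumptions of the example.

```powershell
# Added example. Run elevated on the cluster node that is being traced.
function Set-KscClusterTraceLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('AdministrationServer', 'NetworkAgent')]
        [string]$Component,

        [Parameter(Mandatory = $true)]
        [uint32]$Level   # value requested by Technical Support; 0 disables tracing
    )

    # Component IDs and log names as given in the Troubleshooting section.
    $map = @{
        AdministrationServer = @{ Id = '1093'; Log = '$klserver-1093.log' }
        NetworkAgent         = @{ Id = '1103'; Log = '$klnagent_cluster-1103.log' }
    }
    $entry = $map[$Component]

    # 64-bit Windows keeps the keys under Wow6432Node.
    $root = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\Software\Wow6432Node\KasperskyLab'
    } else {
        'HKLM:\Software\KasperskyLab'
    }
    $componentKey = Join-Path $root "Components\34_cluster\$($entry.Id)\1.0.0.0"
    $debugKey     = Join-Path $componentKey 'Debug'

    if (-not (Test-Path -Path $componentKey)) {
        throw "Key not found: $componentKey. Is the clustered component installed on this node?"
    }
    if ($PSCmdlet.ShouldProcess($debugKey, "Set TraceLevel to $Level")) {
        # Assumption of this example: a missing Debug subkey is created.
        if (-not (Test-Path -Path $debugKey)) { New-Item -Path $debugKey | Out-Null }
        New-ItemProperty -Path $debugKey -Name 'TraceLevel' `
            -PropertyType DWord -Value $Level -Force | Out-Null
    }
    [pscustomobject]@{ Key = $debugKey; TraceLevel = $Level; ExpectedLog = $entry.Log }
}

# Usage (commented out so that loading the file changes nothing):
# Set-KscClusterTraceLevel -Component AdministrationServer -Level 4
# Set-KscClusterTraceLevel -Component AdministrationServer -Level 0   # tracing off
```

Adding -WhatIf to a call shows the key that would be written without changing it.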