Download and Install the Insight Agent
Open Preview Migration Steps
If you have previously installed the agent with either .deb or .rpm as part of our Open Preview program, complete the required migration steps.
This article guides you through the different methods you can use to install and download the Insight Agent.
Linux & Mac .sh Installer Deprecation
The .sh Insight Agent installer will be deprecated on November 15, 2024. It is accessible until that date through our installation guides.
You can install the Insight Agent on your target assets using 2 required installation options that can be used interchangeably depending on the network connectivity settings of your assets. While either of the options functionally achieve the same goal of installing the agent and connecting it to the Insight Platform, this article details each of the installation options available and explains their differences so you can decide which would be most suitable for deployment in your organization.
Deciding which installation option to use
There are two main Agent Installation options available that can be used interchangeably:
Installing the Insight Agent using a Token
Choose the Token installation option when your install destination host machine can reach Rapid7 endpoints directly or via a Rapid7 collector.
If you intend to install the Insight Agent using your organization’s token:
- Your assets must be able to communicate with the Insight platform in order for the installer to download its necessary dependencies.
- As long as you verify the network connectivity requirements noted previously, this communication channel will be available for use.
- If your assets are deployed in a network with strict URL filtering rules in place, you may need to allowlist the following token resource endpoint to ensure that the installer can pull its configuration files from the Insight Platform. Substitute
<REGION>with the code that applies to your data region:
What is a Token?
A token is your organization’s unique identifier that can be used to install the Insight Agent in your environment and helps to link the installed agents to your organization. At the time of installation, the Insight Agent uses the token that you specify to pull all the necessary certificates and configuration files from the Insight Platform that pertain to your organization and uses them to configure the agent to be listed in your organization within the Insight Platform.
Your token consists of two parts:
The region identifier - This portion identifies the region where your organization is located. For example,
usis the region identifier for the United States, whilecais the region identifier for Canada.The Universally Unique Identifier (UUID) - The UUID represents the token itself. The API request initiated by the installer sends this UUID to the Insight Platform in order to retrieve the JSON document that contains all the necessary dependencies noted previously.
A fully generated token appears in the following format:
<region_id>:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Note that the process of installation with a token, the Insight Agent installer will download the following dependencies onto your asset. All together, these dependencies are no more than 20KB in size:
client.keyclient.crtconfig.jsoncafile.pem
Generate a Token
The first step of any token-based Insight Agent deployment is to generate your organizational token.
To Generate a Token (if you have not done so already):
- Go to insight.rapid7.com and sign in with your Insight account email address and password.
- If you are not directed to the Insight Platform Home page upon signing in, open the navigator in the upper left corner of the screen and click Insight Platform Home.
- On the left menu, click the Data Collection tab, then click the Agents tab.
- At the top of the screen, click the Agent Installer tab.
- At the bottom of the Install Agent using Token card on the left side of the screen, click on Token Management.
- Once in the Token Management screen, click on the Generate button. This will create a Token ID for you to use.
NOTE - Does your company have multiple Rapid7 organizations?
Keep in mind that a token is specific to one organization. If your company has multiple organizations with Rapid7, make sure you select the correct organization from the Download Insight Agent page before you generate your token.
Install the Insight Agent using the Certificate Package
Choose the Certificate Installation method when your install destination host machine can not reach Rapid7 endpoints directly or via a Rapid7 collector.
You can download the latest Certificate Package from insight.rapid7.com > Data Collection Management > Agent Installer > Install using Certificate Package > Download Certificates
What is the Certificate Package?
The certificate package comes in the form of a ZIP file that contains the necessary certificates and configuration files that pertain to your organization. You can download and use these dependencies to install the Insight Agent when the network connectivity of the asset does not allow pulling down these dependencies automatically using the token. For example, the certificate package is often the only option if you need to deploy the Insight Agent on restricted or fire-walled systems.
Expired Certificates
When you download and host the certificate package, you will need to refresh your certificates within 5 years to ensure new installations of the iInsight Agent are able to fully connect to the Insight Platform. For more information on what to do if you have an expired certificate, refer to Expired Certificates.
Certificate package contents
Your certificate package ZIP file contains the following security files in addition to the installer executable:
client.keyclient.crtconfig.jsoncafile.pem
Expired certificates
If you use the Certificate Package Installation method to install the Insight Agent, your certificates will expire after 5 years. Insight Agents that were previously installed with a valid certificate are not impacted and will continue to update their SSL certificates. New installations of the Insight Agent using an expired certificate will not be able to fully connect to the Insight Platform to run jobs in InsightVM, InsightIDR, or InsightOps.
Refresh your certificates
If you host your certificate package on a network share, or if it is baked into a golden image for a virtual machine, redownload your certificate package within 5 years to ensure new installations of the Insight Agent run correctly.
Certificates expire after 5 years
If you download and host the certificate package, you will need to refresh your certificates within 5 years to ensure new installations of the Insight Agent are able to fully connect to the Insight Platform. For more information on what to do if you have an expired certificate, refer to Expired Certificates within your respective Operating System guide of choice.
Available installation options
The Insight Agent has several installation options that enable you to install the agents according to the specific configuration needs of your organization. Learn more about the installation options available below.
| Installer Option (Windows) | Installer Option (Mac & Linux) | Description |
|---|---|---|
CUSTOMTOKEN | –token | Install the agent using your organization’s unique token displayed in the Insight Agent download panel |
CUSTOMCONFIGPATH | --certificate_package_installation | Specify the absolute path where the contents of your organization's certificate package reside, if not using token |
CUSTOMATTRIBUTES | --attributes | Set custom attributes that InsightVM will import as asset tags |
HTTPS_PROXY | --https-proxy | Specify the proxy IP address and port preferred for agent-to-platform communication |
DISABLE-UPDATES | --disable-updates | Disable Platform updates for all Insight Agent subcomponents |
Download an Installer from the Insight Platform
Now that you’ve determined which Insight Agent installation method you want to use, you’re ready to download the installer. You can download both installer types from the Agent Management screen in your Insight Platform user interface.
After you download the installer, we’ll direct you to our dedicated installation documents to cover the rest of the procedure for both installation methods.
NOTE - Privileges required
You must be a platform or product administrator to access Agent Management.
To download a token-based or certificate package installer for your desired operating system:
- Go to insight.rapid7.com and sign in with your Insight account email address and password.
- If you are not directed to the Insight Platform Home page upon signing in, open the navigator in the upper left corner of your screen and click Insight Platform Home.
- Open the left menu and click the Data Collection Management tab, then click Agents.
- At the top of the screen, click the Agent Installer tab.
- Select the Agent Installation method of your choice and follow the instructions.
- Each panel includes separate procedures for both the token and certificate package installation methods.
- Download the Insight Agent installer based on the operating system of your choice.
TIP - File types
The contents of your download will vary depending on the installer type and operating system you select. Windows operating system files will come in a single .msi file, Mac files will be .pkg, and Linux files will be either .rpm, or .deb.
Certificate packages come in a ZIP file and contain your necessary certificate and configuration files that the installer will reference when you execute it.
Note that after November 15, 2024, the .sh file type will be fully deprecated and no longer available to download. It is currently available here.
Next Steps
Now that you have your desired installer in place, you’re ready to move on to the installation phase. See our dedicated documents for Windows, Mac, and Linux installation methods for further instructions.