Deployment Considerations
Access to the Insight Platform
Before the deployment can commence, an Insight Platform account is required. Please visit this URL and verify that you have an account provisioned: insight.rapid7.com/login.
If you do not have access, please contact your Rapid7 representative before the deployment to ensure that the account is created in time.
System Requirements
InsightCloudSec does not require local infrastructure, but InsightVM and InsightAppSec have specific requirements for on-premises systems.
InsightVM
The following system requirements are necessary to ensure you have the best experience.
Hardware requirements
The Security Console and Scan Engine hardware requirements are different because the Security Console uses significantly more resources.
The Security Console does not support running in a container. However, the Scan Engine is available as a container image on Docker Hub.
Reserved Memory on Virtual Machines
If you intend to deploy to a virtual machine, ensure that you provision the virtual machine with sufficient reserved memory according to the system requirements. The reserved memory value must match the allocated memory. For example, if you've allocated 32 GB, set the reserved memory to 32 GB. Configuring a virtual machine with shared memory may degrade performance, including out-of-memory events.
Security Console requirements:
At this time, we only support x86_64 architecture.
Asset volume | Processor | Memory | Storage |
---|---|---|---|
5,000 | 4 cores | 16 GB | 1 TB |
20,000 | 12 cores | 64 GB | 2 TB |
150,000 | 12 cores | 128 GB | 4 TB |
400,000 | 12 cores | 256 GB | 8 TB |
Scan Engine requirements:
At this time, we only support x86_64 architecture.
Asset volume per day | Processor | Memory | Storage |
---|---|---|---|
5,000 assets/day | 2 cores | 8 GB | 100 GB |
20,000 assets/day | 4 cores | 16 GB | 200 GB |
Operating Systems
We require an English operating system with English/United States regional settings.
64-bit versions of the following platforms are supported:
Platform | Versions |
---|---|
Linux |
|
Microsoft Windows |
|
RedHat |
|
CentOS |
|
Browsers
We support the most recent version of the following browsers:
- Google Chrome (Recommended)
- Mozilla Firefox
- Mozilla Firefox ESR
- Microsoft Edge
Firewall requirements
Security Console firewall requirements:
You must configure your firewall rules to allow outbound connectivity using Port 443. This ensures you can successfully upload data from the Security Console to the Insight Platform.
Region | Region URL | S3 (Agent Downloads only) |
---|---|---|
United States - 1 | us.api.endpoint.ingress.rapid7.com us.deployment.endpoint.ingress.rapid7.com us.exposure-analytics.insight.rapid7.com | s3.amazonaws.com |
United States - 2 | us2.api.endpoint.ingress.rapid7.com us2.deployment.endpoint.ingress.rapid7.com us2.exposure-analytics.insight.rapid7.com | s3.us-east-2.amazonaws.com |
United States - 3 | us3.api.endpoint.ingress.rapid7.com us3.deployment.endpoint.ingress.rapid7.com us3.exposure-analytics.insight.rapid7.com | s3.us-west-2.amazonaws.com |
Europe | eu.api.endpoint.ingress.rapid7.com eu.deployment.endpoint.ingress.rapid7.com eu.exposure-analytics.insight.rapid7.com | s3.eu-central-1.amazonaws.com |
Canada | ca.api.endpoint.ingress.rapid7.com ca.deployment.endpoint.ingress.rapid7.com ca.exposure-analytics.insight.rapid7.com | s3.ca-central-1.amazonaws.com |
Japan | ap.api.endpoint.ingress.rapid7.com ap.deployment.endpoint.ingress.rapid7.com ap.exposure-analytics.insight.rapid7.com | s3-ap-northeast-1.amazonaws.com s3.ap-northeast-1.amazonaws.com |
Australia | au.api.endpoint.ingress.rapid7.com au.deployment.endpoint.ingress.rapid7.com au.exposure-analytics.insight.rapid7.com | s3-ap-southeast-2.amazonaws.com s3.ap-southeast-2.amazonaws.com |
For additional IP addresses for each region see Connectivity requirements.
You must also allow the Security Console to make outbound connections to updates.rapid7.com on Port 443. The Security Console connects to updates.rapid7.com regularly to check for new product versions (every 6 hours) and vulnerability/policy content (every 2 hours). With every connection, the console uploads a JSON file containing license and usage information that helps Rapid7 understand how the Security Console is being used. This upload does not contain any vulnerability assessment data from your assets or any other sensitive information on your environment.
Scan Engine firewall requirements:
If firewalls are present on your network, make sure you whitelist the necessary ports for your Security Console and Scan Engine host according to the communication method of your choice. Consult the following table for port whitelist requirements.
Communication method | Source | Destination | Port | Protocol |
---|---|---|---|---|
Console-to-Engine | Console | Scan Engine | 40814 | TCP |
Engine-to-Console | Engine | Console | 40815 | TCP |
Ports
The ports shown in this table are the default ports used by the Security Console and Scan Engine. If you modify these default ports during the deployment procedure, make sure your firewall rules match your port modifications.
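The outbound rules above can be checked from the Security Console host before deployment. The following preflight is an added example, not Rapid7 code: the function names and the engine address are illustrative, while the hostnames and ports are taken from the tables on this page.

```python
import socket

# Region prefixes and hostname patterns taken from the Security Console
# firewall table on this page; function and variable names are illustrative.
REGION_PREFIX = {"us-1": "us", "us-2": "us2", "us-3": "us3", "europe": "eu",
                 "canada": "ca", "japan": "ap", "australia": "au"}
PLATFORM_HOSTS = ("{p}.api.endpoint.ingress.rapid7.com",
                  "{p}.deployment.endpoint.ingress.rapid7.com",
                  "{p}.exposure-analytics.insight.rapid7.com")


def console_targets(region, engines=()):
    """(host, port) pairs a Security Console must reach outbound."""
    prefix = REGION_PREFIX[region.lower()]
    targets = [(h.format(p=prefix), 443) for h in PLATFORM_HOSTS]
    targets.append(("updates.rapid7.com", 443))
    # Console-to-Engine pairing uses the default port 40814.
    targets += [(engine, 40814) for engine in engines]
    return targets


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake completes; DNS failure, reset or timeout is False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(region, engines=(), probe=tcp_reachable):
    """Return the targets that could NOT be reached; an empty list means pass."""
    return [t for t in console_targets(region, engines) if not probe(*t)]


if __name__ == "__main__":
    # Run on the Security Console host; the engine address is a placeholder.
    for host, port in preflight("europe", engines=["scan-engine.example.internal"]):
        print(f"BLOCKED or unreachable: {host}:{port}")
```

A completed handshake only shows that the port is open at the transport layer; it does not confirm that the TLS session survives an intercepting proxy. If you changed the default engine port during deployment, pass the modified port instead of 40814.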
InsightAppSec (Cloud Risk Complete Advanced)
The following system requirements are necessary to ensure you have the best experience with InsightAppSec and AppSpider Pro.
Hardware requirements
Hardware | Minimum |
---|---|
Processor | Quad-core |
RAM | 6 GB |
Disk space | 500 GB |
Network interface | 1 |
Scan Engine requirements
Hardware | Minimum |
---|---|
Processor | Quad-core |
RAM | 6 GB |
Disk space | 100 GB |
Network interface | 1 |
Operating Systems
InsightAppSec and AppSpider Pro
Platform | Versions |
---|---|
Microsoft Windows Server |
|
Microsoft Windows |
|
AppSpider Enterprise
Platform | Versions |
---|---|
Microsoft Windows Server |
|
Microsoft SQL Server Database |
|
Browsers
We support the most recent version of the following browsers:
- Google Chrome (latest)
- Mozilla Firefox (latest)
- Microsoft Edge (latest)
Additional requirements for AppSpider Pro
- Microsoft .NET Framework 4.8 Redistributable Package
Additional requirements for AppSpider Enterprise
Microsoft ASP.NET Pages Microsoft Internet Information Services (IIS) 7.5 or later with the following:
- It is recommended to create a SQL Server account to be used by AppSpider Enterprise
- It is recommended to install MS SQL Server Management Studio
- To successfully install AppSpider Enterprise, you must have installed IIS 6.0 Management Compatibility on your IIS 7.0 machine. For more information, including instructions for installing IIS 6.0 Management Compatibility, please see the Microsoft Knowledge Base articles
- Microsoft .NET Framework 4.8 Redistributable Package
- Run the ASP.NET IIS Registration tool in order to register the .NET Framework with IIS and create application pools that use the .NET Framework 4
- To permit users to authenticate using Lightweight Directory Access Protocol (LDAP), AppSpider Enterprise supports integration with Active Directory and ADAM servers whose DCs expose one of the following capability values on the supportedCapabilities attribute of the rootDSE: '1.2.840.113556.1.4.800' or '1.2.840.113556.1.4.1851'
- To successfully install, you will need more free hard disk space than the size of the installer itself. For more specific information about the space requirements, please contact support
Communication through ports and IP addresses
InsightCloudSec
InsightCloudSec communicates through the following ports.
Destination | Port |
---|---|
*.endpoint.ingress.rapid7.com | TCP 443 |
*.insight.rapid7.com | TCP 443 |
(Optional) Collector Server | TCP 443 TCP 6608 TCP/UDP 8037 |
52.64.24.140 13.55.81.47 13.236.168.124 | TCP 443 |
103.4.8.209 18.182.167.99 | TCP 443 |
InsightVM
InsightVM communicates through the following ports for different sources.
Security Console
The Security Console is the source for the following destinations.
Source | Destination | Port |
---|---|---|
Content and feature updates | updates.rapid7.com | TCP 443 |
Uploaded PGP-encrypted diagnostic information | support.rapid7.com | TCP 443 |
Region: United States (US-1) | exposure-analytics.insight.rapid7.com s3.amazonaws.com data.insight.rapid7.com | TCP 443 |
Region: United States (US-2) | us2.exposure-analytics.insight.rapid7.com s3.us-east-2.amazonaws.com us2.data.insight.rapid7.com | TCP 443 |
Region: United States (US-3) | us3.exposure-analytics.insight.rapid7.com s3.us-west-2.amazonaws.com us3.data.insight.rapid7.com | TCP 443 |
Region: Canada (CA) | ca.exposure-analytics.insight.rapid7.com ca.data.insight.rapid7.com s3.ca-central-1.amazonaws.com | TCP 443 |
Region: Europe (EU) | eu.exposure-analytics.insight.rapid7.com (EU) eu.data.insight.rapid7.com (EU) s3.eu-central-1.amazonaws.com (EU) | TCP 443 |
Region: Japan (JA) | ap.exposure-analytics.insight.rapid7.com (JAP) ap.data.insight.rapid7.com (JAP) s3-ap-northeast-1.amazonaws.com (JAP) s3.ap-northeast-1.amazonaws.com (JAP) | TCP 443 |
Region: Australia (AUS) | eu.exposure-analytics.insight.rapid7.com (AUS) eu.data.insight.rapid7.com (AUS) s3-ap-southeast-2.amazonaws.com (AUS) s3.ap-southeast-2.amazonaws.com (AUS) | TCP 443 |
SMTP Relay Server | Internal SMTP Relay. If report distribution through an SMTP relay is enabled, the Security Console must be able to communicate through these channels to reach the relay server. | TCP 25 or 465 |
Scan activity on Scan Engines and the retrieval of scan data | InsightVM Scan Engines | TCP 40814 |
Scan Engines
Scan Engines use the following ports for different sources.
Source | Destination | Port |
---|---|---|
InsightVM Admins | Security Console Server | TCP 3780 |
InsightVM Scan Engines | Security Console Server | TCP 40815 |
Security Console | InsightVM Scan Engines | TCP 40814 |
Collector Server | US EMEA CA AU AP | TCP 443 |
As an alternative to configuring a firewall rule that allows traffic for this URL, you can instead configure firewall rules to allow traffic to the following IP addresses and CIDR blocks for your selected region.
Region | IP address |
---|---|
US-1 | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 193.149.136.0/24 |
US-2 | 13.58.19.32 3.131.127.126 3.139.243.230 |
US-3 | 44.242.59.199 52.41.171.59 54.213.168.123 |
Canada | 52.60.40.157 52.60.107.153 |
Europe | 3.120.196.152 3.120.221.108 18.192.78.218 |
Japan | 103.4.8.209 18.182.167.99 |
Australia | 52.64.24.140 13.55.81.47 |
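When rules are written by IP address instead of URL, an existing egress allow-list can be audited against the table above. This is an added example, not Rapid7 tooling: the rule format, function name and the sample rule set are constructed for illustration, and only two regions from the table are embedded.

```python
import ipaddress

# Required destinations copied from the region table on this page
# (two regions shown); entries are single addresses or CIDR blocks.
REQUIRED = {
    "US-1": ["34.226.68.35", "54.144.111.231", "52.203.25.223",
             "34.236.161.191", "193.149.136.0/24"],
    "Europe": ["3.120.196.152", "3.120.221.108", "18.192.78.218"],
}


def uncovered(region, egress_rules, port=443):
    """Return required destinations that no single allow rule fully covers.

    egress_rules: iterable of (cidr, port) allow entries (assumed format).
    A required CIDR counts as covered only when one rule contains all of it,
    so a /24 split across two /25 rules is reported for manual review.
    """
    allowed = [ipaddress.ip_network(cidr, strict=False)
               for cidr, rule_port in egress_rules if rule_port == port]
    missing = []
    for entry in REQUIRED[region]:
        need = ipaddress.ip_network(entry)  # a bare address becomes a /32
        if not any(need.subnet_of(net) for net in allowed):
            missing.append(entry)
    return missing


# Constructed rule set: one entry uses the wrong port, and the CIDR rule
# only allows half of the required /24.
SAMPLE_RULES = [
    ("34.226.68.35/32", 443),
    ("54.144.111.231/32", 443),
    ("52.203.25.223/32", 443),
    ("34.236.161.191/32", 80),
    ("193.149.136.0/25", 443),
]

if __name__ == "__main__":
    for entry in uncovered("US-1", SAMPLE_RULES):
        print(f"no TCP 443 allow rule covers {entry}")
```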
Ticketing (Optional)
InsightVM uses the following static IP addresses to allow traffic from the Insight Platform to on-premises JIRA or container registries.
Region | IP address |
---|---|
US-1 | 52.87.0.92 34.203.6.73 34.202.19.138 52.2.37.56 |
US-2 | 3.132.61.192 3.137.118.102 3.14.210.196 |
US-3 | 44.235.43.237 52.10.164.197 52.88.123.237 |
Canada | 35.182.161.111 52.60.69.60 |
Europe | 52.28.227.72 52.58.219.32 |
Japan | 13.113.44.15 52.69.171.127 |
Australia | 13.55.206.11 13.54.208.29 52.63.226.244 |
Insight Agent
Before deploying the Insight Agent, make sure that the Agent can successfully connect and transfer data to the Insight Platform. The Insight Agent communicates through the following ports.
Destination | Port |
---|---|
*.endpoint.ingress.rapid7.com | TCP 443 |
*.insight.rapid7.com | TCP 443 |
(Optional) Collector Server | TCP 443 TCP 6608 TCP/UDP 8037 |
52.64.24.140 13.55.81.47 13.236.168.124 | TCP 443 |
103.4.8.209 18.182.167.99 | TCP 443 |