Deployment Considerations

Access to the Insight Platform

Before the deployment can commence, an Insight Platform account is required. Please visit this URL and verify that you have an account provisioned: insight.rapid7.com/login.

If you do not have access, please contact your Rapid7 representative before the deployment, to ensure that the account is created in-time for your deployment.

System Requirements

InsightCoudSec does not require local infrastructure, but InsightVM and InsightAppSec have specific requirements for on-premises systems.

InsightVM

The following system requirements are necessary to ensure you have the best experience.

Hardware requirements

The Security Console and Scan Engine hardware requirements are different because the Security Console uses significantly more resources.

The Security Console does not support running in a container. However, the Scan Engine is available as a container image on Docker Hub.

Security Console requirements:

At this time, we only support x86_64 architecture.

Asset volumeProcessorMemoryStorage
5,0004 cores16 GB1 TB
20,00012 cores64 GB2 TB
150,00012 cores128 GB4 TB
400,00012 cores256 GB8 TB

Scan Engine requirements:

At this time, we only support x86_64 architecture.

Asset volume per dayProcessorMemoryStorage
5,000 assets/day2 cores8 GB100 GB
20,000 assets/day4 cores16 GB200 GB
Operating Systems

We require an English operating system with English/United States regional settings.

64-bit versions of the following platforms are supported:

PlatformVersions
Linux
  • Ubuntu Linux 22.04 LTS (Recommended)
  • Ubuntu Linux 20.04 LTS
  • Ubuntu Linux 18.04 LTS
  • Ubuntu Linux 16.04 LTS
  • Oracle Linux 8
  • Oracle Linux 7
  • SUSE Linux Enterprise Server 12
  • Alma Linux 9
Microsoft Windows
  • Windows Server Desktop experience only. Core not supported.
    • Microsoft Windows Server 2022
    • Microsoft Windows Server 2019
    • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8.1
RedHat
  • Red Hat Enterprise Linux Server 9
  • Red Hat Enterprise Linux Server 8
  • Red Hat Enterprise Linux Server 7
  • Red Hat Enterprise Linux Server 6
CentOS
  • CentOS 7
Browsers

We support the most recent version of the following browsers:

  • Google Chrome (Recommended)
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Microsoft Edge
Firewall requirements

Security Console firewall requirements:

You must configure your firewall rules to allow outbound connectivity using Port 443. This ensures you can successfully upload data from the Security Console to the Insight Platform.

RegionRegion URLS3 (Agent Downloads only)
United States - 1us.api.endpoint.ingress.rapid7.com

us.deployment.endpoint.ingress.rapid7.com

us.exposure-analytics.insight.rapid7.com
s3.amazonaws.com
United States - 2us2.api.endpoint.ingress.rapid7.com

us2.deployment.endpoint.ingress.rapid7.com

us2.exposure-analytics.insight.rapid7.com
s3.us-east-2.amazonaws.com
United States - 3us3.api.endpoint.ingress.rapid7.com

us3.deployment.endpoint.ingress.rapid7.com

us3.exposure-analytics.insight.rapid7.com
s3.us-west-2.amazonaws.com
Europeeu.api.endpoint.ingress.rapid7.com

eu.deployment.endpoint.ingress.rapid7.com

eu.exposure-analytics.insight.rapid7.com
s3.eu-central-1.amazonaws.com
Canadaca.api.endpoint.ingress.rapid7.com

ca.deployment.endpoint.ingress.rapid7.com

ca.exposure-analytics.insight.rapid7.com
s3.ca-central-1.amazonaws.com
Japanap.api.endpoint.ingress.rapid7.com

ap.deployment.endpoint.ingress.rapid7.com

ap.exposure-analytics.insight.rapid7.com
s3-ap-northeast-1.amazonaws.com

s3.ap-northeast-1.amazonaws.com
Australiaau.api.endpoint.ingress.rapid7.com

au.deployment.endpoint.ingress.rapid7.com

au.exposure-analytics.insight.rapid7.com
s3-ap-southeast-2.amazonaws.com

s3.ap-southeast-2.amazonaws.com

For additional IP addresses for each region see Connectivity requirements.

Scan Engine firewall requirements:

If firewalls are present on your network, make sure you whitelist the necessary ports for your Security Console and Scan Engine host according to the communication method of your choice. Consult the following table for port whitelist requirements.

SourceDestinationPortProtocol
Console-to-EngineConsoleScan Engine40814TCP
Engine-to-ConsoleEngineConsole40815TCP

Ports

The ports shown in this table are the default ports used by the Security Console and Scan Engine. If you modify these default ports during the deployment procedure, make sure your firewall rules match your port modifications.

InsightAppSec (Cloud Risk Complete Advanced)

The following system requirements are necessary to ensure you have the best experience with InsightAppSec and AppSpider Pro.

Hardware requirements

HardwareMinimum
ProcessorQuad-core
RAM6 GB
Disk space500 GB
Network interface1

Scan Engine requirements

HardwareMinimum
ProcessorQuad-core
RAM6 GB
Disk space100 GB
Network interface1

Operating Systems

InsightAppSec and AppSpider Pro

PlatformVersions
Microsoft Windows Server
  • Microsoft Windows Server 2022
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
Microsoft Windows
  • Microsoft Windows 11
  • Microsoft Windows 10 Pro/Enterprise

AppSpider Enterprise

PlatformVersions
Microsoft Windows Server
  • Microsoft Windows Server 2022
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
Microsoft SQL Server Database
  • Microsoft SQL Server 2012 Family including Express Edition
  • Microsoft SQL Server 2014
  • Microsoft SQL Server 2016
  • Microsoft SQL Server 2017
  • Microsoft SQL Server 2019
  • Microsoft SQL Server 2022

Browsers

We support the most recent version of the following browsers:

  • Google Chrome (latest)
  • Mozilla Firefox (latest)
  • Microsoft Edge (latest)

Additional requirements for AppSpider Pro

  • Microsoft .NET Framework 4.8 Redistributable Package

Additional requirements for AppSpider Enterprise

Microsoft ASP.NET Pages Microsoft Internet Information Services (IIS) 7.5 or later with the following:

  • It is recommended to create SQL server account to be used by AppSpider Enterprise
  • It is recommended to install MS SQL Server Management Studio
  • To successfully install AppSpider Enterprise, you must have installed IIS 6.0 Management Compatibility on your IIS 7.0 machine. For more information, including instructions for installing IIS 6.0 Management Compatibility, please see the Microsoft Knowledge Base articles
  • Microsoft .NET Framework 4.8 Redistributable Package
  • Run the ASP.NET IIS Registration tool in order to register the .NET Framework with IIS and create application pools that use the .NET Framework 4
  • To successfully permit users to authenticate using Lightweight Directory Access Protocol AppSpider Enterprise supports integration with Active Directory and ADAM servers that have one of the following values of capabilities exposed by DCs on the supported Capabilities attribute of the rootDSE: '1.2.840.113556.1.4.800' or '1.2.840.113556.1.4.1851'
  • To successfully install, you will need more free hard disk space than the size of the installer itself. For more specific information about the space requirements, please contact support

Communication through ports and IP addresses

InsightCoudSec

InsightCloudSec communicates through the following ports.

DestinationPort
*.endpoint.ingress.rapid7.comTCP 443
*.insight.rapid7.comTCP 443
(Optional) Collector ServerTCP 443
TCP 6608
TCP/UDP 8037
52.64.24.140
13.55.81.47
13.236.168.124
TCP 443
103.4.8.209
18.182.167.99
TCP 443
InsightVM

InsightVM communicates through the following port for different sources.

Security Console

The Security Console is the source for the following destinations.

SourceDestinationPort
Content and feature updatesupdates.rapid7.comTCP 443
Uploaded PGP-encrypted diagnostic informationsupport.rapid7.comTCP 443
Region: United Stated (US-1)exposure-analytics.insight.rapid7.com
s3.amazonaws.com
data.insight.rapid7.com
TCP 443
Region: United Stated (US-2)us2.exposure-analytics.insight.rapid7.com
s3.us-east-2.amazonaws.com
us2.data.insight.rapid7.com
TCP 443
Region: United Stated (US-3)us3.exposure-analytics.insight.rapid7.com
s3.us-west-2.amazonaws.com
us3.data.insight.rapid7.com
TCP 443
Region: Canada (CA)ca.exposure-analytics.insight.rapid7.com
ca.data.insight.rapid7.com
s3.ca-central-1.amazonaws.com
TCP 443
Region: Europe (EU)eu.exposure-analytics.insight.rapid7.com (EU)
eu.data.insight.rapid7.com (EU)
s3.eu-central-1.amazonaws.com (EU)
TCP 443
Region: Japanese (JA)ap.exposure-analytics.insight.rapid7.com (JAP)
ap.data.insight.rapid7.com (JAP)
s3-ap-northeast-1.amazonaws.com (JAP)
s3.ap-northeast-1.amazonaws.com (JAP)
TCP 443
Region: Australia (AUS)eu.exposure-analytics.insight.rapid7.com (AUS)
eu.data.insight.rapid7.com (AUS)
s3-ap-southeast-2.amazonaws.com (AUS)
s3.ap-southeast-2.amazonaws.com (AUS)
TCP 443
SMTP Relay ServerInternal SMTP Relay.
If report distribution through an SMTP relay is enabled, the Security Console must be able to communicate through these channels to reach the relay server.
TCP 25 or 465
Scan activity on Scan Engines and the retrieval of scan dataInsightVM Scan EnginesTCP 40814

Scan Engines

Scan Engines use the following ports for different sources.

SourceDestinationPort
InsightVM AdminsSecurity Console ServerTCP 3780
InsightVM Scan EnginesSecurity Console ServerTCP 40815
Security ConsoleInsightVM Scan EnginesTCP 40814
Collector Server

US

  • https://data.insight.rapid7.com
  • https://s3.amazonaws.com


EMEA

  • https://eu.data.insight.rapid7.com
  • https://s3.eu-central-1.amazonaws.com


CA

  • https://ca.data.insight.rapid7.com
  • https://s3.ca-central-1.amazonaws.com


AU

  • https://au.data.insight.rapid7.com
  • https://s3.ap-southeast-2.amazonaws.com


AP

  • https://ap.data.insight.rapid7.com
  • https://s3.ap-northeast-1.amazonaws.com

TCP 443

As an alternative to configuring a firewall rule that allows traffic for this URL, you can instead configure firewall rules to allow traffic to the following IP addresses and CIDR blocks for your selected region.

RegionIP address
US-134.226.68.35
54.144.111.231
52.203.25.223
34.236.161.191
193.149.136.0/24
US-213.58.19.32
3.131.127.126
3.139.243.230
US-344.242.59.199
52.41.171.59
54.213.168.123
Canada52.60.40.157
52.60.107.153
Europe3.120.196.152
3.120.221.108
18.192.78.218
Japan103.4.8.209
18.182.167.99
Australia52.64.24.140
13.55.81.47

Ticketing (Optional)

InsightVM uses the following static IP addresses to allow traffic from the Insight Platform to on-premises JIRA or container registries.

RegionIP address
US-152.87.0.92
34.203.6.73
34.202.19.138
52.2.37.56
US-23.132.61.192
3.137.118.102
3.14.210.196
US-344.235.43.237
52.10.164.197
52.88.123.237
Canada35.182.161.111
52.60.69.60
Europe52.28.227.72
52.58.219.32
Japan13.113.44.15
52.69.171.127
Australia13.55.206.11
13.54.208.29
52.63.226.244
Insight Agent

Before deploying the Insight Agent, make sure that the Agent can successfully connect and transfer data to the Insight Platform. The Insight Agent communicates through the following ports.

DestinationPort
*.endpoint.ingress.rapid7.comTCP 443
*.insight.rapid7.comTCP 443
(Optional) Collector ServerTCP 443
TCP 6608
TCP/UDP 8037
52.64.24.140
13.55.81.47
13.236.168.124
TCP 443
103.4.8.209
18.182.167.99
TCP 443