Welcome

Connect Cloud Data

Connect On-Prem Data

Connect Web App Data (CRC Advanced)

Understand and Report on Risk

Learn More

Product Documentation

Deployment Considerations

Access to the Insight Platform

Before the deployment can commence, an Insight Platform account is required. Please visit this URL and verify that you have an account provisioned: insight.rapid7.com/login.

If you do not have access, please contact your Rapid7 representative before the deployment, to ensure that the account is created in-time for your deployment.

System Requirements

InsightCoudSec does not require local infrastructure, but InsightVM and InsightAppSec have specific requirements for on-premises systems.

InsightVM

The following system requirements are necessary to ensure you have the best experience with InsightVM and Nexpose.

Hardware requirements

The Security Console and Scan Engine hardware requirements are different because the Security Console uses significantly more resources.

InsightVM does not support running the Security Console in a container. However, the Scan Engine is available as a container image on Docker Hub.

Security Console requirements:

At this time, we only support x86_64 architecture.

Asset volume	Processor	Memory	Storage
5,000	4 cores	16 GB	1 TB
20,000	12 cores	64 GB	2 TB
150,000	12 cores	128 GB	4 TB
400,000	12 cores	256 GB	8 TB

Scan Engine requirements:

At this time, we only support x86_64 architecture.

Asset volume per day	Processor	Memory	Storage
5,000 assets/day	2 cores	8 GB	100 GB
20,000 assets/day	4 cores	16 GB	200 GB

Operating Systems

We require an English operating system with English/United States regional settings.

64-bit versions of the following platforms are supported:

Platform	Versions
Linux	Ubuntu Linux 22.04 LTS (Recommended) Ubuntu Linux 20.04 LTS Ubuntu Linux 18.04 LTS Ubuntu Linux 16.04 LTS Oracle Linux 8 Oracle Linux 7 SUSE Linux Enterprise Server 12
Microsoft Windows	Windows Server Desktop experience only. Core not supported. Microsoft Windows Server 2022 Microsoft Windows Server 2019 Microsoft Windows Server 2016 Microsoft Windows Server 2012 R2 Microsoft Windows 8.1
RedHat	Red Hat Enterprise Linux Server 9 Red Hat Enterprise Linux Server 8 Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux Server 6
CentOS	CentOS 7

Browsers

We support the most recent version of the following browsers:

Google Chrome (Recommended)
Mozilla Firefox
Mozilla Firefox ESR
Microsoft Edge

Firewall requirements

Security Console firewall requirements:

You must configure your firewall rules to allow outbound connectivity using Port 443. This ensures you can successfully upload data from the Security Console to the Insight Platform.

Region	Region URL	S3 (Agent Downloads only)
United States - 1	`us.api.endpoint.ingress.rapid7.com` `us.deployment.endpoint.ingress.rapid7.com` `us.exposure-analytics.insight.rapid7.com`	`s3.amazonaws.com`
United States - 2	`us2.api.endpoint.ingress.rapid7.com` `us2.deployment.endpoint.ingress.rapid7.com` `us2.exposure-analytics.insight.rapid7.com`	`s3.us-east-2.amazonaws.com`
United States - 3	`us3.api.endpoint.ingress.rapid7.com` `us3.deployment.endpoint.ingress.rapid7.com` `us3.exposure-analytics.insight.rapid7.com`	`s3.us-west-2.amazonaws.com`
Europe	`eu.api.endpoint.ingress.rapid7.com` `eu.deployment.endpoint.ingress.rapid7.com` `eu.exposure-analytics.insight.rapid7.com`	`s3.eu-central-1.amazonaws.com`
Canada	`ca.api.endpoint.ingress.rapid7.com` `ca.deployment.endpoint.ingress.rapid7.com` `ca.exposure-analytics.insight.rapid7.com`	`s3.ca-central-1.amazonaws.com`
Japan	`ap.api.endpoint.ingress.rapid7.com` `ap.deployment.endpoint.ingress.rapid7.com` `ap.exposure-analytics.insight.rapid7.com`	`s3-ap-northeast-1.amazonaws.com` `s3.ap-northeast-1.amazonaws.com`
Australia	`au.api.endpoint.ingress.rapid7.com` `au.deployment.endpoint.ingress.rapid7.com` `au.exposure-analytics.insight.rapid7.com`	`s3-ap-southeast-2.amazonaws.com` `s3.ap-southeast-2.amazonaws.com`

For additional IP addresses for each region see Connectivity requirements.

Scan Engine firewall requirements:

If firewalls are present on your network, make sure you whitelist the necessary ports for your Security Console and Scan Engine host according to the communication method of your choice. Consult the following table for port whitelist requirements.

	Source	Destination	Port	Protocol
Console-to-Engine	Console	Scan Engine	40814	TCP
Engine-to-Console	Engine	Console	40815	TCP

Ports

The ports shown in this table are the default ports used by the Security Console and Scan Engine. If you modify these default ports during the deployment procedure, make sure your firewall rules match your port modifications.

InsightAppSec (Cloud Risk Complete Advanced)

The following system requirements are necessary to ensure you have the best experience with InsightAppSec and AppSpider Pro.

Hardware requirements

Hardware	Minimum
Processor	Quad-core
RAM	6 GB
Disk space	500 GB
Network interface	1

Scan Engine requirements

Hardware	Minimum
Processor	Quad-core
RAM	6 GB
Disk space	100 GB
Network interface	1

Operating Systems

InsightAppSec and AppSpider Pro

Platform	Versions
Microsoft Windows Server	Microsoft Windows Server 2022 Microsoft Windows Server 2019 Microsoft Windows Server 2016
Microsoft Windows	Microsoft Windows 11 Microsoft Windows 10 Pro/Enterprise

AppSpider Enterprise

Platform	Versions
Microsoft Windows Server	Microsoft Windows Server 2022 Microsoft Windows Server 2019 Microsoft Windows Server 2016
Microsoft SQL Server Database	Microsoft SQL Server 2012 Family including Express Edition Microsoft SQL Server 2014 Microsoft SQL Server 2016 Microsoft SQL Server 2017 Microsoft SQL Server 2019 Microsoft SQL Server 2022

Browsers

We support the most recent version of the following browsers:

Google Chrome (latest)
Mozilla Firefox (latest)
Microsoft Edge (latest)

Additional requirements for AppSpider Pro

Microsoft .NET Framework 4.8 Redistributable Package

Additional requirements for AppSpider Enterprise

Microsoft ASP.NET Pages Microsoft Internet Information Services (IIS) 7.5 or later with the following:

It is recommended to create SQL server account to be used by AppSpider Enterprise
It is recommended to install MS SQL Server Management Studio
To successfully install AppSpider Enterprise, you must have installed IIS 6.0 Management Compatibility on your IIS 7.0 machine. For more information, including instructions for installing IIS 6.0 Management Compatibility, please see the Microsoft Knowledge Base articles
Microsoft .NET Framework 4.8 Redistributable Package
Run the ASP.NET IIS Registration tool in order to register the .NET Framework with IIS and create application pools that use the .NET Framework 4
To successfully permit users to authenticate using Lightweight Directory Access Protocol AppSpider Enterprise supports integration with Active Directory and ADAM servers that have one of the following values of capabilities exposed by DCs on the supported Capabilities attribute of the rootDSE: '1.2.840.113556.1.4.800' or '1.2.840.113556.1.4.1851'
To successfully install, you will need more free hard disk space than the size of the installer itself. For more specific information about the space requirements, please contact support

Communication through ports and IP addresses

InsightCoudSec

InsightCloudSec communicates through the following ports.

Destination	Port
*.endpoint.ingress.rapid7.com	TCP 443
*.insight.rapid7.com	TCP 443
(Optional) Collector Server	TCP 443 TCP 6608 TCP/UDP 8037
`52.64.24.140` `13.55.81.47` `13.236.168.124`	TCP 443
`103.4.8.209` `18.182.167.99`	TCP 443

InsightVM

InsightVM communicates through the following port for different sources.

Security Console

The Security Console is the source for the following destinations.

Source	Destination	Port
Content and feature updates	updates.rapid7.com	TCP 443
Uploaded PGP-encrypted diagnostic information	support.rapid7.com	TCP 443
Region: United Stated (US-1)	exposure-analytics.insight.rapid7.com s3.amazonaws.com data.insight.rapid7.com	TCP 443
Region: United Stated (US-2)	us2.exposure-analytics.insight.rapid7.com s3.us-east-2.amazonaws.com us2.data.insight.rapid7.com	TCP 443
Region: United Stated (US-3)	us3.exposure-analytics.insight.rapid7.com s3.us-west-2.amazonaws.com us3.data.insight.rapid7.com	TCP 443
Region: Canada (CA)	ca.exposure-analytics.insight.rapid7.com ca.data.insight.rapid7.com s3.ca-central-1.amazonaws.com	TCP 443
Region: Europe (EU)	eu.exposure-analytics.insight.rapid7.com (EU) eu.data.insight.rapid7.com (EU) s3.eu-central-1.amazonaws.com (EU)	TCP 443
Region: Japanese (JA)	ap.exposure-analytics.insight.rapid7.com (JAP) ap.data.insight.rapid7.com (JAP) s3-ap-northeast-1.amazonaws.com (JAP) s3.ap-northeast-1.amazonaws.com (JAP)	TCP 443
Region: Australia (AUS)	eu.exposure-analytics.insight.rapid7.com (AUS) eu.data.insight.rapid7.com (AUS) s3-ap-southeast-2.amazonaws.com (AUS) s3.ap-southeast-2.amazonaws.com (AUS)	TCP 443
SMTP Relay Server	Internal SMTP Relay. If report distribution through an SMTP relay is enabled, the Security Console must be able to communicate through these channels to reach the relay server.	TCP 25 or 465
Scan activity on Scan Engines and the retrieval of scan data	InsightVM Scan Engines	TCP 40814

Scan Engines

Scan Engines use the following ports for different sources.

Source	Destination	Port
InsightVM Admins	Security Console Server	TCP 3780
InsightVM Scan Engines	Security Console Server	TCP 40815
Security Console	InsightVM Scan Engines	TCP 40814
Collector Server	US https://data.insight.rapid7.com https://s3.amazonaws.com EMEA https://eu.data.insight.rapid7.com https://s3.eu-central-1.amazonaws.com CA https://ca.data.insight.rapid7.com https://s3.ca-central-1.amazonaws.com AU https://au.data.insight.rapid7.com https://s3.ap-southeast-2.amazonaws.com AP https://ap.data.insight.rapid7.com https://s3.ap-northeast-1.amazonaws.com	TCP 443

As an alternative to configuring a firewall rule that allows traffic for this URL, you can instead configure firewall rules to allow traffic to the following IP addresses and CIDR blocks for your selected region.

Region	IP address
US-1	`34.226.68.35` `54.144.111.231` `52.203.25.223` `34.236.161.191` `193.149.136.0/24`
US-2	`13.58.19.32` `3.131.127.126` `3.139.243.230`
US-3	`44.242.59.199` `52.41.171.59` `54.213.168.123`
Canada	`52.60.40.157` `52.60.107.153`
Europe	`3.120.196.152` `3.120.221.108` `18.192.78.218`
Japan	`103.4.8.209` `18.182.167.99`
Australia	`52.64.24.140` `13.55.81.47`

Ticketing (Optional)

InsightVM uses the following static IP addresses to allow traffic from the Insight Platform to on-premises JIRA or container registries.

Region	IP address
US-1	`52.87.0.92` `34.203.6.73` `34.202.19.138` `52.2.37.56`
US-2	`3.132.61.192` `3.137.118.102` `3.14.210.196`
US-3	`44.235.43.237` `52.10.164.197` `52.88.123.237`
Canada	`35.182.161.111` `52.60.69.60`
Europe	`52.28.227.72` `52.58.219.32`
Japan	`13.113.44.15` `52.69.171.127`
Australia	`13.55.206.11` `13.54.208.29` `52.63.226.244`

Insight Agent

Before deploying the Insight Agent, make sure that the Agent can successfully connect and transfer data to the Insight Platform. The Insight Agent communicates through the following ports.

Destination	Port
*.endpoint.ingress.rapid7.com	TCP 443
*.insight.rapid7.com	TCP 443
(Optional) Collector Server	TCP 443 TCP 6608 TCP/UDP 8037
`52.64.24.140` `13.55.81.47` `13.236.168.124`	TCP 443
`103.4.8.209` `18.182.167.99`	TCP 443

Did this page help you?