Deploy a Scan Engine

Distributed Scan Engines are separate from the Security Console and are strategically provisioned and located in a way that makes your scanning environment as efficient as possible. If you intend to maintain a production deployment of the Security Console, distributed Scan Engines are an absolute necessity.

Install a scan engine

Launch the product installer to get started. Follow the initial prompts until you reach the component selection and communication direction step.

1. Select Components: Scan Engine Only

After going through the necessary acknowledgements, you’ll be prompted to select which components you want to install.

Select Scan Engine only. This tells the installer that you intend to deploy a distributed Scan Engine.

2. Select a Communication Direction: Engine-to-Console

After selecting your components, you’ll be prompted to select a communication direction.

Option: Standard (Console-to-Engine)
Description: This is the most common communication method for a distributed Scan Engine. When the Security Console determines that a scan needs to take place on your target assets, it initiates the connection to communicate with the Scan Engine. As a result, Scan Engines must allow inbound traffic on the default port of 40814 in order to create this connection.

Option: Reverse (Engine-to-Console)
Description: The engine-to-console communication method, which is implemented by a “reverse” pairing procedure, is useful in cases where your security policies restrict inbound connections to the network hosting the Scan Engine. In engine-to-console configurations, the Scan Engine routinely pings the Security Console to see if a scan job needs to be run. If the Security Console does in fact have a scan job ready, it accepts the connection from the Scan Engine and the communication channel is established. As a result, Security Consoles must allow inbound traffic on the default port of 40815 in order to create this connection.

3. Test your connection
  1. Test your connection to ensure that your Security Console and Scan Engine can communicate properly.
  2. Continue with the rest of the Scan Engine installation.
  3. After your Scan Engine finishes installing, proceed directly to the Refresh Your New Scan Engine section of this guide.
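The connection test in step 3 succeeds only if the host that listens for the chosen direction (the Scan Engine on port 40814 for standard, the Security Console on port 40815 for reverse) actually accepts TCP connections from the other side. The following Python script is an added example, not part of the original guide or of Rapid7's installer: it maps the direction to the listening role and default port named above and performs a plain TCP reachability check from the connecting side. The function names, the host addresses and the loopback demonstration are assumptions made for this example; the script does not speak the product's own pairing protocol.

```python
import socket
from contextlib import closing

# Default listening ports named in the procedure above. Which host must accept the
# inbound connection depends on the communication direction chosen at install time.
DEFAULT_LISTENERS = {
    "standard": ("scan engine", 40814),      # console -> engine
    "reverse": ("security console", 40815),  # engine -> console
}


def required_listener(direction):
    """Return (host role, TCP port) that must accept inbound connections."""
    try:
        return DEFAULT_LISTENERS[direction]
    except KeyError:
        raise ValueError(f"unknown direction {direction!r}; use 'standard' or 'reverse'") from None


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds.

    This only shows that a listener is reachable through whatever firewalls sit
    in between; it does not perform the product's own pairing handshake.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def check_pairing_path(direction, listener_host, timeout=3.0):
    """Run from the connecting side: the console for 'standard', the engine for 'reverse'."""
    role, port = required_listener(direction)
    return {
        "direction": direction,
        "listener_role": role,
        "listener_host": listener_host,
        "port": port,
        "reachable": tcp_reachable(listener_host, port, timeout),
    }


def loopback_demo():
    """Self-contained check on 127.0.0.1: a bound listener is reachable, a closed port is not.

    Returns (reachable_while_listening, reachable_after_close).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # an ephemeral port stands in for 40814/40815
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    for direction in ("standard", "reverse"):
        print(direction, "->", required_listener(direction))
    print("loopback demo (expect (True, False)):", loopback_demo())
```

On a console host you would call `check_pairing_path("standard", "<engine address>")`; on an engine host installed with the reverse method, `check_pairing_path("reverse", "<console address>")`. A `reachable` value of `False` points at a firewall or routing problem on the listening side before the product's own test is even attempted.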

Pair the scan engine

All new Scan Engines must be paired to the Security Console in order to be usable for scanning.

Create a standard pair for the Console-to-Engine method

In order to configure a console-to-engine pairing, the Security Console must be made aware that a new Scan Engine is available for use and must be provided with instructions on how to reach it. Consequently, the first step of all standard pairing procedures is to add your new Scan Engine to the Security Console.

To add a Scan Engine through the Administration tab:

  1. Browse to and click on the Administration tab in your left navigation menu.
  2. In the “Scans” section, click Manage scan engines.
  3. Click New Engine under Scan Engines.
  4. On the General tab, name your Scan Engine.
  5. Enter the IP address of your Scan Engine in the “Address” field.
  6. Click Save when finished.

Properly added Scan Engines generate a consoles.xml file on the Scan Engine host. You will modify this file in the next step.

Modify consoles.xml

The consoles.xml file generated on your Scan Engine host in the previous step contains an entry for the Security Console that added the Scan Engine. You must enable the console to complete the pairing.

To modify the consoles.xml file for a Linux or Windows host:

  1. Browse to the consoles.xml file in your Scan Engine directory. By default, this file is located in the following places according to the operating system of your Scan Engine host:
    • Linux - /opt/rapid7/nexpose/nse/conf/consoles.xml
    • Windows - Files\Rapid7\NeXpose\nse\conf\consoles.xml
  2. Open consoles.xml with a text editor of your choice. Navigate to the <consoles> element. The Security Console that added the Scan Engine appears as a <console> element with several attributes.
    • You can identify the correct Security Console by checking that the lastAddress attribute matches the IP address of the Security Console you want to pair with.
  3. Change the value for the enabled attribute from 0 to 1.
  4. Save and close the consoles.xml file.
  5. Restart the Scan Engine host so your changes can take effect.
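Because flipping enabled to 1 authorizes that console to drive scans on this engine, the edit is worth doing carefully: confirm which <console> entry carries the lastAddress you expect and change only that one. The script below is an added example, not Rapid7's tooling; it uses Python's standard XML parser to list the entries, enable exactly the one whose lastAddress matches, and report which addresses end up enabled. The sample file is constructed from only the two attributes the procedure names (enabled and lastAddress); real files carry further attributes, which the code leaves untouched. The file path and console address are assumptions, and the restart in step 5 is still yours to do.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the procedure describes: <console> children of
# <consoles>, each with an enabled flag and the address the console last used.
SAMPLE_CONSOLES_XML = """<consoles>
  <console enabled="0" lastAddress="10.0.0.5"/>
  <console enabled="0" lastAddress="192.0.2.77"/>
</consoles>"""


def list_consoles(xml_text):
    """Return [(lastAddress, enabled)] for every <console> entry, for review before enabling."""
    root = ET.fromstring(xml_text)
    return [(c.get("lastAddress"), c.get("enabled")) for c in root.findall("console")]


def enable_console(xml_text, console_ip):
    """Set enabled="1" on exactly the <console> whose lastAddress equals console_ip.

    Zero or several matches raise instead of enabling anything: an enabled entry
    authorizes that console to run scans through this engine, so never guess.
    """
    root = ET.fromstring(xml_text)
    matches = [c for c in root.findall("console") if c.get("lastAddress") == console_ip]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one <console> with lastAddress={console_ip!r}, found {len(matches)}"
        )
    matches[0].set("enabled", "1")
    return ET.tostring(root, encoding="unicode")


def enabled_addresses(xml_text):
    """lastAddress of every enabled console; after pairing this should be only your own."""
    return [addr for addr, enabled in list_consoles(xml_text) if enabled == "1"]


def enable_console_in_file(path, console_ip):
    """Apply enable_console() to a consoles.xml on disk and write it back in place."""
    with open(path, encoding="utf-8") as fh:
        updated = enable_console(fh.read(), console_ip)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated + "\n")
    return enabled_addresses(updated)


if __name__ == "__main__":
    # Hypothetical values; on a Linux engine host the path would be the default
    # /opt/rapid7/nexpose/nse/conf/consoles.xml and the address your console's IP.
    print("before:", list_consoles(SAMPLE_CONSOLES_XML))
    updated = enable_console(SAMPLE_CONSOLES_XML, "10.0.0.5")
    print("after: ", list_consoles(updated))
    print("enabled:", enabled_addresses(updated))
```

Run `list_consoles()` on the real file first and make sure the only address you enable is the console you added the engine to; an unexpected entry is worth investigating rather than enabling. Note that `xml.etree` drops XML comments and the declaration line when it rewrites the file, so keep a copy of the original if you want those preserved.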

Reverse Pair (Engine-to-Console)

If you took advantage of the reverse pairing configuration opportunity during your Scan Engine installation, then you’ve already completed this step! Proceed directly to the Refresh Your New Scan Engine section of this guide to verify that your Scan Engine is ready for use.

However, if you installed a Scan Engine with the Engine-to-Console method selected without completing the reverse pairing step, you must complete the pairing with a separate procedure.

Refresh the scan engine

After completing a standard or reverse pair for your Scan Engine, you must refresh its status to verify that the Security Console can communicate with it properly.

  1. Browse to and click on the Administration tab in your left navigation menu.
  2. In the “Scans” section, click Manage scan engines.
  3. In the “Scan Engines” section, click Refresh Displayed Engines. This ensures that your Scan Engine table is up-to-date.
  4. Locate the distributed Scan Engine that you paired to the Security Console.
  5. Click the icon in the “Refresh” column to complete the verification process.

Scan engine statuses

If you have properly configured and paired your Scan Engine, it now displays up-to-date version and communication status information. In the “Communication Status” column, the direction of the arrow indicates the current communication method and its color indicates the connection state. Arrows pointing to “Engine” indicate a standard pairing, while arrows pointing to “Console” indicate reverse pairing. Additionally, arrow icons can have the following color codes:

  • Green - Scan Engine is active
  • Orange - Scan Engine status is unknown
    • An “unknown” status indicates that the Security Console and the Scan Engine could not communicate even though no error was recorded. This is often the result of a significant lapse between pings. Refresh the Scan Engine status to attempt communication again.
  • Red - There are three possibilities associated with this color code:
    • Pending Authorization - This state indicates that the Security Console has not yet been enabled on the Scan Engine.
    • Incompatible - This state indicates that the Security Console and Scan Engine are on different versions. Consoles and engines must be on the same version in order to communicate properly.
    • Down - This state indicates that the Scan Engine is offline.