Download and Install the Insight Agent

Open Preview migration steps

If you have previously installed the Insight Agent with either .deb or .rpm as part of our Open Preview program, complete the required migration steps. You do not need to do anything if you have not taken part in our Open Preview program.

Linux and Mac `.sh` installer deprecation

The .sh Insight Agent installer will be deprecated on November 15, 2024. It is accessible until that date through our installation guides.

You can install the Insight Agent on your target assets using 2 required installation options that can be used interchangeably depending on the network connectivity settings of your assets. While either of the options functionally achieve the same goal of installing the agent and connecting it to the Insight Platform, this article details each of the installation options available and explains their differences so you can decide which would be most suitable for deployment in your organization.

Decide which installation option to use

There are two main Agent Installation options available that can be used interchangeably:

What is a Token?

Your token consists of two parts:

  • The region identifier - This portion identifies the region where your organization is located. For example, us is the region identifier for the United States, while ca is the region identifier for Canada.

  • The Universally Unique Identifier (UUID) - The UUID represents the token itself. The API request initiated by the installer sends this UUID to the Insight Platform in order to retrieve the JSON document that contains all the necessary dependencies noted previously.

A fully generated token appears in the following format:

<region_id>:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Note that the process of installation with a token, the Insight Agent installer will download the following dependencies onto your asset. All together, these dependencies are no more than 20KB in size:

  • client.key
  • client.crt
  • config.json
  • cafile.pem

What is the Certificate Package?

The Certificate Package contains your unique organization's configuration files, which are required for successful installation of the agent. These files are downloaded seamlessly when installing with a token, but are provided here for easy access in case some of the assets in your environment don't have direct connectivity the Insight Platform through a Rapid7 Endpoint or a Collector. We recommend installing the Insight Agent using the Certificate Package in environments with stricter network requirements.

Expired Certificates

When you download and host the Certificate Package, you will need to refresh your certificates within 5 years to ensure new installations of the Insight Agent are able to fully connect to the Insight Platform. For more information on what to do if you have an expired certificate, refer to Expired Certificates.

Certificate Package contents

Your Certificate Package ZIP file contains the following security files in addition to the installer executable:

  • client.key
  • client.crt
  • config.json
  • cafile.pem

Available installation options

The Insight Agent has several installation options that enable you to install the Insight Agents according to the specific configuration needs of your organization.

Installer Option (Windows)Installer Option (Mac and Linux)Description
CUSTOMTOKEN–tokenInstall the Insight Agent using your organization’s unique token displayed in the Insight Agent download panel.
CUSTOMCONFIGPATH--certificate_package_installationSpecify the absolute path where the contents of your organization's certificate package reside, if not using a token.
CUSTOMATTRIBUTES--attributesSet custom attributes that InsightVM will import as asset tags.
HTTPS_PROXY--https-proxySpecify the proxy IP address and port preferred for Agent-to-Platform communication.
DISABLE-UPDATES--disable-updatesDisable Insight Platform updates for all Insight Agent subcomponents.

Step 1: Download an installer from the Insight Platform

Now that you’ve determined which Insight Agent installation option you want to use, you’re ready to download the installer. You can download both installer types from the Agent Management screen in your Insight Platform user interface.

Privileges required

You must be an Insight Platform or product administrator to access Agent Management.

To download a Token or Certificate Package installer for your operating system:

File types

The contents of your download will vary depending on the installer type and operating system you select. Windows operating system files will come in a single .msi file, Mac files will be .pkg, and Linux files will be either .rpm, or .deb.

Certificate Packages come in a ZIP file and contain your necessary certificate and configuration files that the installer will reference when you execute it.

Note that after November 15, 2024, the .sh file type will be fully deprecated and no longer available to download. It is currently available in our .sh installer guide.

  1. Go to insight.rapid7.com and sign in with your Insight account email address and password.
    • If you are not directed to the Insight Platform Home page upon signing in, open the navigator in the upper left corner of your screen and click Insight Platform Home.
  2. Open the left menu and click the Data Collection Management tab, then click Agents.
  3. At the top of the screen, click the Agent Installer tab.
  4. Select the Insight Agent installation option of your choice and follow the instructions.
    • Each panel includes separate procedures for both the Token and Certificate Package installation option.
  5. Download the Insight Agent installer based on the operating system of your choice.

Step 2: Install the Insight Agent

Option 1: Install the Insight Agent using a Token

A token is your organization’s unique identifier that links the installed Insight Agents to your organization. When installing using the token, the Insight Agent reaches out to the Insight Platform to download the certificate files necessary for successful installation. This installation option requires connectivity to the Insight Platform directly through a Rapid7 Endpoint or a Collector.

If you are installing the agent in an environment with stricter network requirements, we recommend using the Certificate Package.

If you intend to install the Insight Agent using your organization’s token:

  • Your assets must be able to communicate with the Insight Platform in order for the installer to download its necessary dependencies.
  • If your assets are deployed in a network with strict URL filtering rules in place, you may need to allowlist the following token resource endpoint to ensure that the installer can pull its configuration files from the Insight Platform. Substitute <REGION> with the code that applies to your data region:
 
1
1
2
https://<REGION>.deployment.endpoint.ingress.rapid7.com/api/v1/get_agent_files

Generate a Token

The first step of any token Insight Agent deployment is to generate your organizational token.

To generate a Token (if you have not done so already):

  1. Go to insight.rapid7.com and sign in with your Insight account email address and password.
    1. If you are not directed to the Insight Platform Home page upon signing in, open the navigator in the upper left corner of the screen and click Insight Platform Home.
  2. On the left menu, click the Data Collection tab, then click the Agents tab.
  3. At the top of the screen, click the Agent Installer tab.
  4. At the bottom of the Install the Insight Agent using a Token card on the left side of the screen, click Token Management.
  5. Once in the Token Management screen, click Generate. This will create a Token ID for you to use.

Does your company have multiple Rapid7 organizations?

Keep in mind that a token is specific to one organization. If your company has multiple organizations with Rapid7, make sure you select the correct organization from the Download Insight Agent page before you generate your token.

Option 2: Install the Insight Agent using the Certificate Package

Certificate installation terminology

Note that the certificate installation was previously referred to under Advanced within the Insight Agent installation options.

You can download the latest Certificate Package from insight.rapid7.com > Data Collection Management > Agent Installer > Install the Insight Agent using the Certificate Package > Download Certificate.

Expired Certificates

If you use the certificate package installation option to install the Insight Agent, your certificates will expire after 5 years. Insight Agents that were previously installed with a valid certificate are not impacted and will continue to update their SSL certificates. New installations of the Insight Agent using an expired certificate will not be able to fully connect to the Insight Platform to run jobs in InsightVM, InsightIDR, or InsightOps.

Refresh your Certificates

If you host your certificate package on a network share, or if it is baked into a golden image for a virtual machine, redownload your certificate package within 5 years to ensure new installations of the Insight Agent run correctly.

Version History

The Insight Agent Version History has been moved into the Insight Agent user interface. You can find the Version Table at the bottom of the tab, or by navigating to the Older Versions link below this table.

Next Steps

Now that you have your desired installer in place, you’re ready to move on to the installation phase. See our dedicated documents for Windows, Mac, and Linux installation methods for further instructions.