Azure Scan Engines

You can deploy a Scan Engine in the form of an Azure VM from Microsoft's Azure marketplace. This article guides you through the deployment and configuration process.

Setting up your scan engine

  1. Log in to your Azure portal.

  2. Click the Marketplace tile.

    Azure Marketplace

  3. Search for "Rapid7 VM Scan Engine" within the Marketplace search and select the Rapid7 VM Scan Engine.

    Rapid7 VM Scan Engine

  4. Click Create.

  5. Give your new VM a name (without any spaces) and some information about who will be managing the engine. This is also where you will select the authentication method.

    Create a new VM

  6. Click OK.

  7. Choose a D2_V2 or larger VM.

    VM size

  8. Leave the default values on the Settings screen, but double-check your Network security group (firewall).

    If you will be using console-to-engine pairing, you’ll want to allow inbound access from your console’s IP on port 40814.

    Traffic allowance

    If you need a public IP address, you will need to provision it now as shown below:

    Provision a public IP address

    If you will be using engine-to-console pairing, you don’t need to add any new rules.

  9. Launch the instance with a few OK button clicks and one Purchase button click. You'll see this icon in your dashboard indicating that the system is in the process of deploying:

    Launching the instance

After a few minutes, you’ll see the Scan Engine available under Virtual Machines. The public IP address (if added) will be on the overview tab.

Post-deployment overview

Connecting the Scan Engine to the Security Console

Choose how you want to connect the engine to the console, console-to-engine or engine-to-console communication.

Console-to-engine communication

Log in to the Security Console via the web browser, and to the Azure instance via SSH. For help, see https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-ssh-from-windows/.

Follow the normal instructions for pairing a console.

Engine-to-console communication

  1. Log in to the Security Console via the web browser.

  2. Get a pre-shared key.

    • On the Administration page, in the Scans > Scan Engines section, click Manage Scan Engines.
    • Click Generate.
  3. Make sure the console’s firewall accepts incoming connections from the engine on port 40815.

  4. SSH to the scan engine.

  5. Stop the Scan Engine service with the following command:

    sudo service nexposeengine stop

  6. Create an /opt/rapid7/nexpose/nse/conf/consoles.xml file that looks like this:

    <?xml version='1.0' encoding='utf-8'?>
    <Consoles>
      <console id="1" enabled="1" connectTo="1" name="UNAVAILABLE" lastAddress="CONSOLE_IP" port="40815" plaintext_sharedSecret="CONSOLE_SHARED_SECRET">
        <cert></cert>
      </console>
    </Consoles>

  7. Replace CONSOLE_IP and CONSOLE_SHARED_SECRET above with the corresponding values from the console.

  8. Restart the engine service with the following command:

    sudo service nexposeengine start

  9. Wait approximately 20 minutes for the engine to start and pair with the Security Console.
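The consoles.xml in steps 6 and 7 holds the pre-shared key in plaintext and is easy to get wrong by hand (a typo in the IP, or a secret containing `&` or `"` that breaks the XML). The following is an added example, not Rapid7's own tooling: it builds the file exactly as shown above with escaped attribute values, validates the console address, and creates the file owner-readable only. The script name and the read-back helper are this example's own.

```python
"""Generate consoles.xml for engine-to-console pairing (added example, not Rapid7 tooling)."""
import ipaddress
import os
import xml.etree.ElementTree as ET

CONSOLES_XML = "/opt/rapid7/nexpose/nse/conf/consoles.xml"  # path from the page
CONSOLE_PORT = 40815  # engine-to-console port from the page


def build_consoles_xml(console_ip: str, shared_secret: str, port: int = CONSOLE_PORT) -> bytes:
    """Return the document from the page with CONSOLE_IP/CONSOLE_SHARED_SECRET filled in."""
    ipaddress.ip_address(console_ip)  # raises ValueError on a typo instead of writing a dead config
    if not shared_secret:
        raise ValueError("shared secret must not be empty")
    root = ET.Element("Consoles")
    console = ET.SubElement(root, "console", {
        "id": "1", "enabled": "1", "connectTo": "1", "name": "UNAVAILABLE",
        "lastAddress": console_ip, "port": str(port),
        "plaintext_sharedSecret": shared_secret,  # ElementTree escapes &, <, " for us
    })
    ET.SubElement(console, "cert")  # left empty, as on the page
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def load_console_entry(data: bytes) -> dict:
    """Parse a consoles.xml and return the first <console> element's attributes (read-back check)."""
    return dict(ET.fromstring(data).find("console").attrib)


def write_consoles_xml(console_ip: str, shared_secret: str, path: str = CONSOLES_XML) -> int:
    """Write the file owner-only and return its permission bits so the caller can confirm 0o600."""
    data = build_consoles_xml(console_ip, shared_secret)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)  # O_CREAT leaves an existing file's mode alone, so enforce it explicitly
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    import sys
    # usage (on the engine, between the stop and start commands above):
    #   sudo python3 make_consoles_xml.py CONSOLE_IP CONSOLE_SHARED_SECRET
    mode = write_consoles_xml(sys.argv[1], sys.argv[2])
    print(f"wrote {CONSOLES_XML} with mode {mode:o}")
```

Run it after stopping the engine service and before starting it again; the values in the tests below (203.0.113.10 and the sample secrets) are constructed.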

Scanning outside the Azure environment

Open the scan targets' firewall (network security group) completely to the scan engine's IP address so that the engine can scan all ports.

  1. In the Azure portal, go to Virtual Machines.

  2. Select a Virtual Machine scan engine.

  3. Select Network interfaces.

  4. Select the attached network interface.

  5. Select Network security group.

  6. Select the security group.

  7. Click the icon pictured below to add an inbound security rule:

    Add an inbound security rule

  8. Click the Add button.

  9. Fill out the form with the IP of your scan engine:

    Security rule details