Migrate a backup to a new Security Console host

If you need to migrate your Security Console to a new host, you can do so by running a restore operation with some additional steps.

Before you begin

  • Maintaining cloud synchronization - As an InsightVM subscriber, you need to observe some extra precautions in order to ensure that your new Security Console remains synchronized with your existing cloud data. We indicate these important steps to you throughout this procedure.
  • Read the pre-backup and restore checklist - Rapid7 strongly recommends that you review the Pre-Backup and Restore Checklist before you begin so you can verify that your environment is prepared for backup and restore tasks.

Migrate your Security Console to a new host


Complete the following steps before creating a backup of the existing Security Console:

  1. Verify that your existing host is running the latest version of the Security Console. If your existing host is not running the latest version, update your Security Console before you continue.
  2. Make sure that no scans are running. In order to maintain cloud synchronization, all local and distributed Scan Engines should be idle at this time.
  3. Disable the internet access on your existing Security Console host.

Internet access

Do not re-enable internet access on this existing console host at any time unless you need to start the entire procedure over again. If the existing console has connectivity at the same time as the new console, the Insight platform will incorrectly sync with both of them.

Create a backup of the existing Security Console

  1. Create a platform-independent backup of your existing Security Console.

Disaster recovery scenarios

If you are restoring from a backup as a result of a disaster recovery situation and creating a new backup is not an option, Rapid7 Support must deactivate your Insight platform activation for a period of 48 hours to prevent sync errors.

If your restoration scenario requires this deactivation step, contact Rapid7 Support before proceeding.

  1. Navigate to the /backups directory on your existing host and copy your newly created backup to external media:
    • Linux - /opt/rapid7/nexpose/nsc/backups
    • Windows - C:\Program Files\Rapid7\nexpose\nsc\backups
  2. Install a new Security Console on a new host and make sure to update to the latest version. You do not need to request a license key or activate your license over again in the course of your new installation.

Insight Platform

Do not activate your new Security Console on the Insight platform. Any reactivation causes synchronization issues and is unnecessary since your existing Security Console was already activated.

  1. In accordance with the pre-backup and restore checklist, create the /backups directory in the following location of your new Security Console installation:
    • Linux - /opt/rapid7/nexpose/nsc
    • Windows - C:\Program Files\Rapid7\nexpose\nsc
  2. Transfer your backup files from your external media to this new directory.
  3. In your new Security Console, expand the left menu and click the Administration tab.
  4. Click Database > Backup and Retention. Click the Backup/Restore tab.
  5. In the Restore Local Backup section, browse to your desired backup in the provided table and click the icon in the Restore column. A dialog box appears asking for confirmation.
  6. Click Restore System to continue. As noted in the pre-backup and restore checklist, the Security Console prompts you for your original keystore password if your current keystore password does not match.
  7. If prompted, enter the keystore password associated with the backup you are trying to restore and click Restore. If necessary, click Restore (No Password) to restore without providing the original keystore password. For security reasons, this method prevents your saved site credentials from being restored.

Your Security Console will restart in maintenance mode while the restore process takes place. Global Administrators can log in to the Security Console to view the restore tasks as they progress. The Security Console will automatically restart when the restore completes successfully.

Unsuccessful restoration

If the restore is unsuccessful for any reason or if the Security Console does not restart automatically, contact Rapid7 Support.

Following successful migration of the Security Console backup

  1. Reset any external authentication resources if you had them configured previously:
    • LDAP - Restart your Security Console after the restoration completes to reestablish communication with your LDAP server.
    • SAML - Respecify your Base Entity URL and reimport the metadata from your IdP. Fully restart your Security Console before allowing users to connect through your IdP again.
    • Install the CyberArk Application Identity Manager - The Application Identity Manager (AIM) must be installed on the same machine as your InsightVM instance.
  2. Verify that all your restored content is available, such as your sites and scan templates.
  3. Finally, de-provision the server that housed your previous Security Console to guard against accidental duplicate synchronization errors.

Engine pairing

  • Scan Engines paired Security Console-to-Scan Engine retain their pairing as long as the firewall rules are configured to allow the new console IP to reach the scan engine.
  • Scan Engines paired Scan Engine-to-Security Console need to have their consoles.xml modified to reflect the new IP address of the console. The file can be found here:
    • Linux - /opt/rapid7/nexpose/nse/conf/consoles.xml
    • Windows - Files\Rapid7\NeXpose\nse\conf\consoles.xml
  • Update the field lastAddress= to show the new IP of the console and restart the engine. Alternatively, you can use a DNS hostname here.