Set a Scan Engine proxy for the Security Console
If you need to route communications from a Scan Engine to your Security Console through a proxy to satisfy a network security policy or other communication preference, you can do so by setting the NSE_PROXY_URI environment variable on your Scan Engines. This variable allows you to route communications from a Scan Engine to the Security Console through an HTTP proxy server.
This proxy capability supports the following authentication schemes:
- Basic
- Digest
- NTLM
Configuring this variable ensures that data collected and assessed on the Scan Engine gets routed through the specified proxy address.
IMPORTANT
Care should be taken when setting custom properties. If you are not familiar with custom properties, we recommend contacting Rapid7 Support for assistance.
Requirements
To use this proxy functionality, your Scan Engine must be configured to communicate with your Security Console using the engine-to-console (also known as "reverse") method. If you want to verify that your Scan Engine meets this requirement or adjust the current communication method, you can do so through Administration in InsightVM.
Proxy configuration instructions
To set the NSE_PROXY_URI environment variable on a local or distributed Scan Engine:
Access the host machine of the Scan Engine using SSH or your preferred method.
- If you want to set the property on the local Scan Engine, access the Security Console host itself.
Locate the CustomEnvironment.properties file within the Scan Engine installation directory. Default locations for this directory are as follows:
- Linux - /opt/rapid7/nexpose/nse
- Windows - C:\Program Files\rapid7\nexpose\nse
TIP
If the CustomEnvironment.properties file does not exist, create it with a text editor.
Open CustomEnvironment.properties with a text editor. On a new line, add NSE_PROXY_URI with the following attributes (note that any special characters for user or password must be URL encoded):
- {scheme} - This must be either http or https.
- {user} (optional) - The username to use for the proxy, optionally prefixed with the domain for NTLM authentication.
- {password} (optional) - The password to use for the proxy. Any special characters in the password must be URL encoded.
- {proxy-domain} - The address of the proxy.
- {proxy-port} - The port that the proxy should be reached through.
If your proxy requires authentication, your finished NSE_PROXY_URI variable declaration should match the following format:
    NSE_PROXY_URI={scheme}://{user}:{password}@{proxy-domain}:{proxy-port}
If your proxy does not require authentication, your finished NSE_PROXY_URI variable declaration should match the following format:
    NSE_PROXY_URI={scheme}://{proxy-domain}:{proxy-port}
Save and close CustomEnvironment.properties and restart the Scan Engine service to finish.
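The URL-encoding requirement for {user} and {password} is the step most likely to produce a declaration that parses differently than intended. The following is an added example, not Rapid7 code: a helper that builds the NSE_PROXY_URI line with encoded credentials, parses it back as a check, and replaces or appends it in the file text. The function names, the proxy.example.com host, and the credentials are constructed for illustration, and Python's URL parser stands in for the Scan Engine's own parsing.

```python
"""Build an NSE_PROXY_URI line for CustomEnvironment.properties (added example)."""
from urllib.parse import quote, unquote, urlsplit


def build_proxy_line(scheme, host, port, user=None, password=None):
    """Return 'NSE_PROXY_URI=...' with user and password percent-encoded."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    if password is not None and user is None:
        raise ValueError("password given without user")
    auth = ""
    if user is not None:
        # safe="" encodes every reserved character, including / @ : # and \
        auth = quote(user, safe="")
        if password is not None:
            auth += ":" + quote(password, safe="")
        auth += "@"
    return f"NSE_PROXY_URI={scheme}://{auth}{host}:{int(port)}"


def check_proxy_line(line):
    """Parse a line back and return the decoded parts, to catch bad encoding."""
    # Assumption: Python's urlsplit stands in for the Scan Engine's own URI parsing.
    key, _, uri = line.partition("=")
    if key != "NSE_PROXY_URI":
        raise ValueError("not an NSE_PROXY_URI declaration")
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.port is None:
        raise ValueError("URI must be {scheme}://[user:password@]host:port")
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return parts.scheme, user, password, parts.hostname, parts.port


def upsert_property(text, line):
    """Replace an existing NSE_PROXY_URI line in the file text, or append one."""
    kept = [ln for ln in text.splitlines() if not ln.startswith("NSE_PROXY_URI=")]
    return "\n".join(kept + [line]) + "\n"


if __name__ == "__main__":
    # Constructed sample values: NTLM-style domain\user and a password with reserved characters.
    line = build_proxy_line("http", "proxy.example.com", 3128, r"CORP\scanner", "p@ss:w/rd#1")
    print(line)
    print(check_proxy_line(line))
```

Because the finished line holds the proxy password in clear text, restrict read access on CustomEnvironment.properties to the account that runs the Scan Engine service.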