Set a Scan Engine proxy for the Security Console

If you need to route communications from a Scan Engine to your Security Console through a proxy to satisfy a network security policy or other communication preference, you can do so by setting the NSE_PROXY_URI environment variable on your Scan Engines. This variable allows you to route communications from a Scan Engine to the Security Console through an HTTP proxy server.

This proxy capability supports the following authentication schemes:

  • Basic
  • Digest
  • NTLM

Configuring this variable ensures that data collected and assessed on the Scan Engine gets routed through the specified proxy address.

IMPORTANT

Care should be taken when setting custom properties. If you are not familiar with custom properties, we recommend contacting Rapid7 Support for assistance.

Requirements

To use this proxy functionality, your Scan Engine must be configured to communicate with your Security Console using the engine-to-console (also known as "reverse") method. If you want to verify that your Scan Engine meets this requirement or adjust the current communication method, you can do so through Administration in InsightVM.

Proxy configuration instructions

To set the NSE_PROXY_URI environment variable on a local or distributed Scan Engine:

  1. Access the host machine of the Scan Engine using SSH or your preferred method.

    • If you want to set the property on the local Scan Engine, access the Security Console host itself.
  2. Locate the CustomEnvironment.properties file within the Scan Engine installation directory. Default locations for this directory are as follows:

    • Linux - /opt/rapid7/nexpose/nse

    • Windows - C:\Program Files\rapid7\nexpose\nse

      TIP

      If the CustomEnvironment.properties file does not exist, create it with a text editor.

  3. Open CustomEnvironment.properties with a text editor. On a new line, add NSE_PROXY_URI with the following attributes (note that any special characters for user or password must be URL encoded):

    • {scheme} - This must be either http or https.

    • {user} (optional) - The username to use for the proxy, optionally prefixed with the domain for NTLM authentication.

    • {password} (optional) - The password to use for the proxy. Any special characters in the password must be URL encoded.

    • {proxy-domain} - The address of the proxy.

    • {proxy-port} - The port that the proxy should be reached through.

      If your proxy requires authentication, your finished NSE_PROXY_URI variable declaration should match the following format:

      NSE_PROXY_URI={scheme}://{user}:{password}@{proxy-domain}:{proxy-port}

      If your proxy does not require authentication, your finished NSE_PROXY_URI variable declaration should match the following format:

      NSE_PROXY_URI={scheme}://{proxy-domain}:{proxy-port}
  4. Save and close CustomEnvironment.properties and restart the Scan Engine service to finish.
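
The following Python sketch is an added example, not Rapid7 code. It builds the NSE_PROXY_URI line from step 3 with the user and password URL encoded, then parses the result back to confirm that no special character split the URI. The function name, the proxy host, the account and the password are constructed sample values, and the backslash between domain and user for NTLM is an assumption.

```python
from urllib.parse import quote, unquote, urlsplit

def build_nse_proxy_uri(scheme, host, port, user=None, password=None):
    """Return the NSE_PROXY_URI line for CustomEnvironment.properties."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("proxy port out of range")
    # Assumption: the proxy address is a hostname or IPv4 address.
    if not host or any(c in host for c in "@/:?#\\ \t\r\n"):
        raise ValueError("proxy address contains a URI delimiter")
    if password is not None and user is None:
        raise ValueError("password supplied without a user")
    cred = ""
    if user is not None:
        # safe="" percent-encodes every reserved character, so "@", ":",
        # "/", "#", "%", a newline or a backslash cannot split the URI
        # or break the properties line.
        cred = quote(user, safe="")
        if password is not None:
            cred += ":" + quote(password, safe="")
        cred += "@"
    uri = f"{scheme}://{cred}{host}:{port}"
    # Round-trip: parse the result and confirm each field survived.
    parts = urlsplit(uri)
    decoded = (
        unquote(parts.username) if parts.username is not None else None,
        unquote(parts.password) if parts.password is not None else None,
    )
    if (decoded != (user, password) or parts.hostname != host.lower()
            or parts.port != port):
        raise ValueError("encoded URI does not parse back to the inputs")
    return "NSE_PROXY_URI=" + uri

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(build_nse_proxy_uri("http", "proxy.example.internal", 3128,
                              user="CORP\\svc-scan", password="p@ss:w/rd#1"))
    print(build_nse_proxy_uri("https", "10.0.0.5", 8080))
```

The finished line contains the proxy password in recoverable form, so handle CustomEnvironment.properties as a file that stores a credential.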