Azure Scan Engines

You can deploy a Scan Engine in the form of an Azure VM from Microsoft's Azure marketplace. This article guides you through the deployment and configuration process.

Setting up your scan engine

  1. Log in to your Azure portal.
  2. Click the Marketplace tile.
  3. Search for "Rapid7 VM Scan Engine" within the Marketplace search and select the Rapid7 VM Scan Engine.
  4. Click Create.
  5. Give your new VM a name (without any spaces) and some information about who will be managing the engine. This is also where you will select the authentication method.
  6. Click OK.
  7. Choose a D2_V2 or larger VM.
  8. No changes are needed on the Settings screen, but check your Network security group (firewall) to make sure it is configured correctly based on your pairing method.
    • For console-to-engine pairing, you must allow inbound access from your console's IP on port 40814. Navigate to the Network Security Group section in your settings, select Create New, and provide a name. Select Add an inbound rule and allow inbound access on port 40814 for Any Source and Custom Service.
    • If you need a public IP address, select Public IP address on the left side panel. Then, select an existing public IP address or click Create New and enter a name.
    • For engine-to-console pairing, you don’t need to add any new rules.
  9. Click OK > Purchase to launch the instance.

After a few minutes, you’ll see the Scan Engine available under Virtual Machines. The public IP address (if added) will be on the overview tab.

Connecting the Scan Engine to the Security Console

Choose how you want to connect the engine to the console: console-to-engine or engine-to-console communication.

Console-to-engine communication

Log in to the Security Console via the web browser, and to the Azure instance via SSH. For help, see https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-ssh-from-windows/.

Follow the normal instructions for pairing a console.

Engine-to-console communication

  1. Log in to the Security Console.
  2. Get a pre-shared key.
    • On the Administration page, in the Scans > Scan Engines section, click Manage Scan Engines.
    • Click Generate.
  3. Make sure the console’s firewall accepts incoming connections from the engine on port 40815.
  4. SSH to the scan engine.
  5. Stop the Scan Engine service with the following command:

     sudo service nexposeengine stop

  6. Create an /opt/rapid7/nexpose/nse/conf/consoles.xml file that looks like this:

     <?xml version='1.0' encoding='utf-8'?>
     <Consoles>
       <console id="1" enabled="1" connectTo="1" name="UNAVAILABLE" lastAddress="CONSOLE_IP" port="40815" plaintext_sharedSecret="CONSOLE_SHARED_SECRET">
         <cert></cert>
       </console>
     </Consoles>

  7. Replace CONSOLE_IP and CONSOLE_SHARED_SECRET above with the corresponding values from the console.
  8. Restart the engine service with the following command:

     sudo service nexposeengine start

  9. Wait approximately 20 minutes for the engine to start and pair with the Security Console.
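The file created in step 6 holds the console's shared secret in plaintext, so it is worth writing it with a script that fills in the two placeholders, escapes anything in the secret that would break the XML, and never leaves the file world-readable. The following is an added example, not Rapid7's own tooling: write_consoles_xml takes the output path as a parameter so it can be tried outside /opt/rapid7, pair_engine_to_console chains steps 5 to 8 using the page's service commands, and the IP and secret shown in the usage comments are constructed samples.

```shell
# Added example, not Rapid7's tooling. Writes the consoles.xml from step 6 with the
# console's IP and shared secret filled in, and creates it mode 0600 because the
# secret is stored in plaintext. The output path is a parameter so the function
# can be tried outside /opt/rapid7; the IP and secret in the usage are constructed.

# Escape the XML special characters so an arbitrary secret cannot break the markup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Usage: write_consoles_xml <path> <console-ip> <shared-secret>
# e.g.   write_consoles_xml /tmp/consoles.xml 203.0.113.10 'constructed-secret'
write_consoles_xml() {
    path=$1; console_ip=$2; secret=$3
    printf '%s\n' "$console_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "write_consoles_xml: '$console_ip' is not a dotted IPv4 address" >&2; return 1; }
    [ -n "$secret" ] || { echo "write_consoles_xml: shared secret is empty" >&2; return 1; }
    escaped=$(xml_escape "$secret")
    # umask in a subshell so a newly created file is never world-readable, not even briefly.
    ( umask 077 && cat > "$path" <<EOF
<?xml version='1.0' encoding='utf-8'?>
<Consoles>
  <console id="1" enabled="1" connectTo="1" name="UNAVAILABLE" lastAddress="$console_ip" port="40815" plaintext_sharedSecret="$escaped">
    <cert></cert>
  </console>
</Consoles>
EOF
    ) || return 1
    chmod 600 "$path"   # umask does not touch an existing file we overwrote, so tighten it too
}

# Steps 5 to 8 in one go; run as root on the engine VM, then allow about 20 minutes for pairing.
# Usage: pair_engine_to_console <console-ip> <shared-secret>
pair_engine_to_console() {
    service nexposeengine stop || return 1
    write_consoles_xml /opt/rapid7/nexpose/nse/conf/consoles.xml "$1" "$2" || return 1
    service nexposeengine start
}
```

Because the console file is read by the engine service, 0600 owned by the account the service runs as is the practical minimum; the escaping matters because a generated pre-shared key may contain characters such as & or quotes that would otherwise truncate the attribute value and make pairing fail silently.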

Set up scan engines outside of the Azure environment to scan inside the environment

You should completely open the firewall of scan targets so that the scan engine can scan all ports.

  1. In the Azure portal, go to Virtual Machines.
  2. Select a Virtual Machine scan engine.
  3. Select Network interfaces.
  4. Select the attached network interface.
  5. Select Network security group.
  6. Select the security group.
  7. Click Create port rule to add an inbound security rule.
  8. Fill in the necessary information then click Add.
  9. Add your selected scan engine's IP address to the form.
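Both firewall changes this page asks for, the inbound rule for TCP/40814 from the console in step 8 of the engine setup and the rule that lets an external engine reach targets inside Azure in this section, can be made with the Azure CLI instead of the portal. The block below is an added example, not Rapid7's or Microsoft's tooling: resource group, NSG and rule names are placeholders, the addresses in the usage lines are constructed samples, and setting DRY_RUN=1 prints the az command instead of running it. It validates the address before it is used and always pins the source to that single /32, rather than Any Source, so the pairing port and the fully opened target ports are reachable only from the console or engine that needs them.

```shell
# Added example, not Rapid7's or Microsoft's tooling. Builds the two inbound NSG
# rules this page needs with the Azure CLI, always pinned to one source address
# (never "Any"). Resource group, NSG and rule names are placeholders; the IPs in
# the usage lines are constructed samples. DRY_RUN=1 prints the az command
# instead of running it.

# Return 0 only if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    ip=$1
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: nsg_allow_from <resource-group> <nsg-name> <rule-name> <priority> <source-ip> <protocol> <dest-port-ranges>
# Creates an Allow/Inbound rule whose source is <source-ip>/32 only.
nsg_allow_from() {
    rg=$1; nsg=$2; rule=$3; prio=$4; src_ip=$5; proto=$6; ports=$7
    if ! is_ipv4 "$src_ip"; then
        echo "nsg_allow_from: '$src_ip' is not an IPv4 address, refusing to create rule $rule" >&2
        return 1
    fi
    set -- az network nsg rule create \
        --resource-group "$rg" --nsg-name "$nsg" --name "$rule" \
        --priority "$prio" --direction Inbound --access Allow --protocol "$proto" \
        --source-address-prefixes "$src_ip/32" --destination-port-ranges "$ports"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s ' "$@"
        printf '\n'
    else
        "$@"
    fi
}

# Console-to-engine pairing (step 8 of the engine setup): only the console may reach TCP/40814 on the engine.
# Usage: allow_console_pairing <resource-group> <engine-nsg> <console-ip>
# e.g.   DRY_RUN=1 allow_console_pairing engine-rg engine-nsg 203.0.113.10
allow_console_pairing() {
    nsg_allow_from "$1" "$2" AllowConsoleToEngine40814 100 "$3" Tcp 40814
}

# External engine scanning targets inside Azure (this section): every port and protocol,
# but only from that engine's address.
# Usage: allow_external_engine <resource-group> <target-nsg> <engine-ip>
# e.g.   DRY_RUN=1 allow_external_engine target-rg target-nsg 198.51.100.7
allow_external_engine() {
    nsg_allow_from "$1" "$2" AllowExternalScanEngineAllPorts 110 "$3" '*' '*'
}
```

Run it once with DRY_RUN=1 to review the generated az invocation, then without it from an authenticated az session. The priorities 100 and 110 are arbitrary; pick values that sit above any broader deny rule already in the group, since NSG rules are evaluated lowest number first.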