External Scanning Service
Rapid7 offers access to Scan Engines provisioned through our External Scanning Service in cases where you want to avoid deploying distributed Scan Engines on your own resources. If your organization is licensed for the External Scanning Service, you must pair the provisioned Scan Engine with your Security Console before you can use it.
External Scanning Service license
If you’re not yet licensed for the External Scanning Service, contact your Customer Success Manager to learn more about adding the service to your account.
The External Scanning Service pairing procedure is different from those required by distributed Scan Engines since deployment and configuration is done for you. However, Rapid7 Support must authorize an external Scan Engine before you can scan with it.
This article explains how to provide Rapid7 Support with the information needed to authorize your external Scan Engine.
Send Rapid7 Support Your Console Address Information
IPv6
The External Scanning Service does not currently support IPv6 scanning.
After you purchase access to an external Scan Engine, you need to add the engine to your Scan Engines table. Then, provide your IP address of your Security Console to Rapid7 Support in order to authorize the engine to be used in your environment.
To add your engine and send your console address information to Rapid7 Support:
In your Security Console, browse to and click on the Administration tab in your left navigation menu.
Click Scans > Engines.
In the Scan Engines table, click New Engine.
On the Scan Engine Configuration page, give your external Scan Engine a name.
To better identify this engine, we recommend naming this engine Rapid7 External Scanning Service.
Enter the IP address of your engine host provided by Rapid7 as the engine address.
Leave the port number as the default of 40814. Click Save.
Return to the Scan Engines table, locate the engine you just added and click the icon in the Refresh column.
An error message displays:
Cannot refresh scan engine (<Your engine name here>): Unauthorized console connection from: <IP ADDRESS>
Why am I seeing an error?
Don’t be alarmed! This particular error message is expected and is part of the authorization procedure for external Scan Engines.
What if I’m seeing a different error?
If refreshing your external Scan Engine produces a different error than the one shown here, then continue with the next steps as usual. Rapid7 Support needs to see your error message in order to troubleshoot the issue.
In most cases, errors other than the one expected here are usually due to connectivity issues between your Security Console and the external Scan Engine.
Note that your firewall rules must allow your Security Console to reach the external Scan Engine address shown in step 5 on port 40814. The use of a proxy to reach your external Scan Engine is not supported.
Write down or take a screenshot of the IP address shown in this error message.
Open a case in the Customer Portal and indicate that you need an external Scan Engine authorized. Provide (or attach) the error message that includes your console IP address in the case details.
Maintenance Periods
Rapid7 performs regular maintenance of all External Scanning Service engines and other managed services. This maintenance period takes place every first Wednesday of the month from 10:00 AM EST to 2:00 PM EST. During this period, the following services will be unavailable:
- Nexpose External Scanning Service Scan Engines
- Nexpose Managed Services and PCI/ASV Scanning
Scan schedule configuration
Consider this maintenance period before configuring scan schedules that use external Scan Engines.
From a statistical standpoint, Wednesday is the lowest usage weekday for External Scanning Service engines compared to the heavier scanning periods that take place on weekends during non-business hours. Based on this data, we have chosen this maintenance period in order to best provide a seamless customer experience while maintaining the level of quality and services that you expect.
If you have concerns about this schedule, or if you would like additional information or recommendations, please reach out to Rapid7 Support.