How do I install a Scanner Appliance in Azure? (Malaysia DC only)

Holm Security has developed a Scanner Appliance image for Microsoft Azure.

The image is distributed as an Azure Virtual Machine Image and allows any of our customers to spin up a Scanner appliance within their own Azure account. 

Azure has no UI support to share images, so there is a set of Azure CLI commands for the customer to initiate a Scanner Appliance in Azure. To make this as easy as possible, we have developed a single script that handles the majority of commands automatically. 

Preparation for the Scanner Appliance in Security Center

Ensure you have added a new Cloud Azure Scanner Appliance in Security Center. 

Note down the token you received; it will be used when initiating the virtual machine in Azure.

Steps to set up Scanner appliance in Azure

  1. Ensure you have access to Azure CLI or Azure Web CLI. 
    1. To use the Azure Web CLI, first run "pip install azure-cli".
      Read more:
      https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt?view=azure-cli-latest
    2. To execute the script locally, ensure you can run bash scripts and have the Azure CLI installed.
  2. Share the following information with support@holmsecurity.com (where the Scanner Appliance will run in your Azure account):
    • Azure Region name (e.g. Northern Europe)
  3. Wait for confirmation from Support that the Scanner Appliance image is ready within your region.
  4. Support will share the information required to initiate the Scanner Appliance.

Find your Azure tenant ID (aka customer tenant id)

  1. Go to Azure portal home and search for "Active Directory".
  2. Go to Manage / Properties.
  3. Copy the "Directory ID".
    1. The Directory ID is what we refer to as the customer tenant ID.

Allow your Azure account to access Scanner Appliance image from Holm Security

  1. Replace the Customer tenant ID (Azure tenant ID) and the AppID you received from support in the link below.
  2. Visit the below link once you have replaced the proper values. This will enable the access required.

Once the link has been visited, log in to your Azure account and perform the following steps:

  1. Select (or create) the resource group in your Azure account which will be used to initiate the Holm Security Scanner Appliance.
  2. In the resource group, select Access control (IAM), click on Add and select Add role assignment
  3. Fill in the following fields:
    • Role = "Contributor"
    • Access to = "Azure AD user, group, or service principal"
    • In the third field, select the target scannershare (this name comes from the Holm Security Azure account)
    • Save
  4. If you want to use your own subnet (vnet) for this Scanner Appliance, add the same scannershare permission to that vnet, as in step 3.

Steps to initiate Scanner Appliance as a virtual machine (VM) in Azure

Prerequisites

  1. Support has shared a link to download the script named start_scanner.sh, which will run the required Azure CLI commands to initiate the Scanner Appliance as a VM.
  2. Support has shared the information required to be used as input arguments to this script. 

Note: If you have Managed Identities enabled, you need to run the script using the Azure Local CLI (not the Azure Cloud Shell)

Steps to proceed:

  1. Download start_scanner.sh using the link provided by Support (e.g. using wget)
  2. Provide the input arguments with the required customer information:
    • vm-name
      Name of the VM that is initiated with the Scanner Appliance
    • rg-name
      Resource group name created in customer Azure account 
    • cust-tenant
      Customer tenant ID which was identified in a previous step
    • vm-size
      Valid Azure VM size ID. Default is Standard_B2ms
    • probe-token
      Scanner appliance token from the entry in Security Center

Optional input arguments

  1. Proceed to execute start_scanner.sh.
    • Note: ensure that no special characters are used in the VM name, as they might lead to validation errors.
    • For more information about the input arguments you can run:
      sh ./start_scanner.sh --help

Example command:

sh ./start_scanner.sh --cust-tenant="nnn-n-n-n-nnn" --holm-tenant="nnn-n-n-n-nnn" --app-id="nnn-n-n-n-nnn" --secret-token="xyz" --vm-name="example-vm-holm" --rg-name="abc" --image-url="/insert/image/url" --probe-token="yyyyyy"
Example command for creating a Scanner Appliance within an existing subnet:
sh ./start_scanner.sh --cust-tenant="nnn-n-n-n-nnn" --holm-tenant="nnn-n-n-n-nnn" --app-id="nnn-n-n-n-nnn" --secret-token="xyz" --vm-name="example-vm-holm" --rg-name="abc" --image-url="/insert/image/url" --probe-token="yyyyyy" --subnet="/subscriptions/<id>/resourceGroups/<id>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>"

For an OnPrem installation with a self-signed certificate, the command changes to:
sh ./start_scanner.sh --cust-tenant="nnn-n-n-n-nnn" --holm-tenant="nnn-n-n-n-nnn" --app-id="nnn-n-n-n-nnn" --secret-token="xyz" --vm-name="example-vm-holm" --rg-name="abc" --image-url="/insert/image/url" --probe-token="yyyyyy" --api-url="https://onprem.address:8004" --nvt-url="https://onprem.address:8007" --apt-url="http://onprem.address:8044" --trust-certificates="1"
If using a valid certificate, the --trust-certificates argument should be removed.

When adding Scanner Appliance for OnPrem:
The TLS certificate hostname on the OnPrem must be the same as API-URL. If it's not the registration will fail.
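The checks below are an added example written for this article, not Holm Security's start_scanner.sh: a POSIX sh pre-flight script that validates the customer-supplied values before the deployment is started, so that a tenant ID typo, a VM name with special characters, an incomplete --subnet resource ID, or an OnPrem certificate that does not cover the --api-url hostname is caught locally instead of failing during the Azure deployment or at registration. Flag names follow the article; the validation rules, the helper names and the placeholder values are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight validation of the values passed to start_scanner.sh.
# Added example, not Holm Security's script. Validation rules and
# placeholder values are assumptions made for this example.

# Tenant IDs and the App ID from support are GUIDs (8-4-4-4-12 hex).
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# "No special characters in the VM name": letters, digits and inner hyphens,
# 1-64 characters. Deliberately stricter than what Azure itself may accept.
is_safe_vm_name() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,62}[A-Za-z0-9])?$'
}

# --subnet must be the full Azure resource ID of the subnet, not just its name.
is_subnet_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$'
}

# Host part of a URL: https://onprem.address:8004 -> onprem.address
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#/.*$##; s#:[0-9]+$##'
}

# Does a subjectAltName list, in the form printed by
# `openssl x509 -noout -ext subjectAltName` ("DNS:a, DNS:b"), cover the host?
# Exact names and single-label wildcards (*.example.com) are accepted.
san_covers_host() {
  host=$1
  printf '%s\n' "$2" | tr ',' '\n' | sed -E 's/^[[:space:]]*DNS://' |
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    [ "$name" = "$host" ] && { echo match; break; }
    case "$name" in
      \*.*)
        suffix=${name#\*.}
        # wildcard covers exactly one label: strip the first label of host
        [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "$suffix" ] && { echo match; break; }
        ;;
    esac
  done | grep -q match
}

# Live variant for the OnPrem API host: fetch the served certificate's SAN list
# (openssl 1.1.1+ for -ext). Not called by the static checks below.
live_san() {
  host=$(url_host "$1")
  port=$(printf '%s\n' "$1" | sed -nE 's#^.*:([0-9]+)/?.*$#\1#p')
  openssl s_client -connect "$host:${port:-443}" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName
}

# Run all static checks; report each failure on stderr, return 1 if any failed.
#   preflight CUST_TENANT APP_ID VM_NAME [SUBNET_ID] [API_URL SAN_LIST]
preflight() {
  rc=0
  is_guid "$1" || { echo "cust-tenant is not a GUID: $1" >&2; rc=1; }
  is_guid "$2" || { echo "app-id is not a GUID: $2" >&2; rc=1; }
  is_safe_vm_name "$3" || { echo "vm-name contains characters Azure may reject: $3" >&2; rc=1; }
  if [ -n "${4:-}" ]; then
    is_subnet_id "$4" || { echo "subnet is not a full resource ID: $4" >&2; rc=1; }
  fi
  if [ -n "${5:-}" ]; then
    san_covers_host "$(url_host "$5")" "${6:-}" ||
      { echo "OnPrem certificate does not cover API host $(url_host "$5"); registration would fail" >&2; rc=1; }
  fi
  return $rc
}

# Demonstration with constructed placeholder values: sh preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
  preflight "11111111-2222-3333-4444-555555555555" \
            "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" \
            "example-vm-holm" \
            "/subscriptions/sub/resourceGroups/abc/providers/Microsoft.Network/virtualNetworks/vnet/subnets/snet" \
            "https://onprem.address:8004" "DNS:onprem.address, DNS:*.example.internal" &&
    echo "all checks passed; safe to run start_scanner.sh"
fi
```

Run the static checks with the same values you intend to pass to start_scanner.sh; for the OnPrem case, `live_san "https://onprem.address:8004"` (your --api-url) returns the SAN list of the certificate actually served, which is what san_covers_host expects as its second argument. A hostname mismatch there is exactly the condition under which the registration fails.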