How to configure a scanner appliance for Holm Security VMP On Prem?

This guide assumes that you have installed and configured Holm Security OnPrem Gen 2 with a valid license activated.

All the required network configuration needs to be in place for the communication to work properly.

This installation guide is applicable for Holm Security OnPrem Gen 2.

Virtual machine images

Shared by Holm Security



Endpoint configuration password

Changing the endpoints on a Scanner appliance requires authorization:

Password: appliancebox


Version supported

Minimum supported Scanner appliance version:

Revision 35


Security Center - Scanner Appliance – Create new

  1. Log in to Security Center.
  2. Click Scanner appliance > Add appliance.
  3. Select the option that matches whether you already have the image ready or not.
  4. You should see a screen with the scanner name and the appliance token. Write down the appliance token; it will be used to register the scanner appliance.

Scanner Appliance – Network configuration

  1. When the appliance boots, you will see the Holm Security Configurator menu on its screen.
  2. Choose Probe status using the arrow keys and press Enter (you can always use the highlighted character, or navigate using the arrow keys and Enter). Make sure you see information about interfaces and IP addresses and that the IP settings look correct. Press Enter to go back to the main menu. If the settings are correct, you can proceed to Endpoint configuration.
  3. If there were no IP addresses or the settings were incorrect, the next step is to configure your network. Choose Configuration > Network in the main menu and press Enter.
  4. You will see a list of interfaces to configure, usually just one. Choose the interface and press Enter.
  5. Choose whether you want to use DHCP or assign a static IP address to the Scanner Appliance. Choose the dhcp or static option and press Enter, or Cancel to go back.
  6. If you clicked dhcp, the Scanner Appliance will directly try to obtain new IP addresses. This might take a few minutes. Click OK to return to the main menu. Please check the status under Probe status to verify the settings.

    If you clicked static, you need to fill out the following values manually:
    • IPv4
      • IPv4 address
      • IPv4 network
      • IPv4 gateway
      • IPv4 dns-nameservers
    • IPv6
      • IPv6 address
      • IPv6 network
      • IPv6 gateway
      • IPv6 dns-nameservers

You only need to configure either IPv4 or IPv6; you don't need to configure both. Click OK when you are done, and you will be returned to the main menu after the scanner appliance has rebooted / refreshed its interfaces.

Scanner Appliance – NTP

To configure Network Time Protocol (NTP) servers for the scanner appliance, follow these instructions:

  1. In the main menu go to Configuration > NTP using your arrow keys and press enter.
  2. Enter the NTP configuration settings.
  3. Press the tab key on your keyboard and select 
    • Make sure to use the tab key on the keyboard as you otherwise could risk resetting the settings
  4. The scanner appliance will now reboot and your settings will be applied.
  5. Done!


NTP servers are normally set and used when using a static IP for the network configuration. When using DHCP, the NTP configuration is often provided by DHCP.
If you are using DHCP and set the NTP configuration yourself, it might not get applied for this reason.


Scanner Appliance – Endpoints

Before proceeding with the endpoints, make sure you have applied a valid network configuration and connected the network interface to the virtual machine in your hypervisor.

  1. In the main menu, go to Configuration > Endpoints using your arrow keys and press Enter.
  2. Enter the password and press OK to proceed.
  3. The listed endpoints are the following:
    • API
    • NVT (download feed)
    • APT (note the use of HTTP and not HTTPS)
    • SSH (optional: only required for NAT mode. See below for more information)

  4. The endpoints to be used can be found in the Web administration user interface of the OnPrem system under the General section.
    Make sure the protocol and port are correct before saving.
  5. Use Tab and press OK/Save.
  6. It will ask you to trust the certificate in case the endpoint server uses a self-signed certificate. Confirm that you want to trust it.
    NOTE: It only displays this option if the endpoints are reachable.
  7. Confirm and proceed with rebooting the scanner appliance.

Configuring for NAT (optional)

Configuring a scanner appliance for NAT mode is required if the scanner appliance connects to the core system on a different IP (e.g. NAT) than the one the core system is configured to listen on in its network configuration. If the SSH endpoint is not set, the primary IP of the core is used.

To configure NAT, the SSH endpoint needs to be set to the IP that the scanner appliance can use to reach the core system. The other endpoints also use the NAT IP of the core.


• (Zone A)
  Core system IP:

• (Zone B)
  Scanner appliance IP:
  Core system IP: (which is NAT to
  SSH endpoint will be set to:
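
A pre-flight check of the endpoint values before they are typed into Configuration > Endpoints, as an added example that is not part of the original guide or of Holm Security's software. The URL-style input format, the `core_listen_ip` parameter, and the sample addresses and ports are assumptions; take the real values from the General section of the Web administration user interface.

```python
import ipaddress
from urllib.parse import urlsplit


def _norm(host):
    """Canonical form so equivalent IP spellings or hostname case compare equal."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower()


def check_endpoints(api, nvt, apt, ssh=None, core_listen_ip=None):
    """Return findings for the values about to be entered as endpoints.

    Assumed input format (not taken from the vendor): API/NVT/APT as
    scheme://host[:port], SSH and core_listen_ip as a bare host or IP.
    """
    findings, hosts = [], {}
    for name, value in (("API", api), ("NVT", nvt), ("APT", apt)):
        parts = urlsplit(value)
        if not parts.scheme or not parts.hostname:
            findings.append(f"{name}: {value!r} is not scheme://host[:port]")
            continue
        hosts[name] = _norm(parts.hostname)
        # The guide notes that the APT endpoint uses HTTP, not HTTPS.
        if name == "APT" and parts.scheme.lower() != "http":
            findings.append(f"APT: scheme is {parts.scheme!r}, the guide expects http")
    if ssh:
        # NAT mode: the other endpoints must use the same NAT IP as the SSH endpoint.
        for name, host in hosts.items():
            if host != _norm(ssh):
                findings.append(f"{name}: host {host} differs from SSH endpoint {ssh}")
    elif core_listen_ip:
        # No SSH endpoint: the core's primary IP is used, so any other host means NAT.
        for name, host in hosts.items():
            if host != _norm(core_listen_ip):
                findings.append(f"{name}: host {host} is not the core IP "
                                f"{core_listen_ip}; set the SSH endpoint (NAT mode)")
    return findings


# Constructed sample values (documentation address ranges, placeholder ports).
NAT_IP, CORE_IP = "198.51.100.10", "192.0.2.10"
if __name__ == "__main__":
    urls = (f"https://{NAT_IP}:443", f"https://{NAT_IP}:443", f"http://{NAT_IP}:80")
    print(check_endpoints(*urls, ssh=NAT_IP))              # consistent NAT setup
    print(check_endpoints(*urls, core_listen_ip=CORE_IP))  # SSH endpoint forgotten
```

An empty list means the values are consistent with the rules in this guide; it does not test reachability, which the configurator's connectivity test covers.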


Scanner Appliance – Validating connectivity

  1. In the configurator, go to Status > Connectivity using your arrow keys and press Enter.
  2. Select Yes when asked if you want to run the connectivity test.
  3. You will now receive information on where the appliance fails to connect.
  4. You can use the PgDn & PgUp keys to see the different areas of the results window.
  5. Make sure that, at a minimum, these have the result OK:
    • API
    • NVT (download feed)
    • SSH
    • APT
    • NTP
    • DNS
  6. Done!

Scanner Appliance – Registration

  1. Make sure you have the correct firewall settings according to the requirements.
  2. Choose the option Probe registration, input the registration token you wrote down in step 4 (“Scanner Appliance – Create new”), and press OK.
  3. You are now ready to start the registration procedure. Click Register. The scanner appliance sends registration requests and retrieves the configuration response from the platform. You should see a confirmation that the probe has been successfully registered and configured. Click OK to get back to the main menu.
  4. In Security Center, you can click the Check activation button to make sure the scanner was registered correctly.
  5. Done!

Note: it can take up to 10 minutes before Security Center indicates that a connection is established. The total time depends on the number of updates that are being applied.
