General Considerations

The following are some common questions that you should answer before deploying Tenable Agents:

Note: In addition to these deployment considerations, Tenable recommends reviewing the Tenable Agent General Best Practices.

  • What operating system do you plan to deploy the Tenable Agent on?

    • Linux (Debian/RHEL/Fedora/Ubuntu)
    • Windows (Win 10, Win Server 2012/2016 R2)
    • OS X (10.8+)
  • How many Tenable Agents do you plan to deploy?
    • Fewer than 1,000
    • More than 1,000 and fewer than 5,000
    • More than 5,000 and fewer than 10,000
    • More than 10,000

    Note: In deployment scenarios with more than 10,000 agents you should consider optimizing performance with agent group sizing and scan staggering as discussed in Large-Scale Deployments.

  • What are the typical hardware specifications of the hosts where you want to install Tenable Agents? For example, consider disk space, disk type and speed, CPU, cores, and RAM.
  • Do any countermeasures on the host prevent egress communication from the Tenable Agent to Tenable Nessus Manager (destination: TCP/8834 by default, customizable)?
  • Do any countermeasures on the host prevent the agent process from executing?

    Note: See File and Process Allow List for a list of files and processes to allow per operating system.

  • How do you plan to deploy Tenable Agents across the enterprise? For example, do you want to use an enterprise deployment technology such as Active Directory, SMS, Microsoft SCCM, and/or Red Hat Satellite?
  • Do you want to deploy Tenable Agents to virtual or non-persistent systems? If so, consider adding the agent to your base device template. Tenable recommends that you review your organization's process for commissioning and decommissioning virtual/non-persistent hosts to ensure successful activation or deactivation of the Tenable Agents.
  • How do you plan to track the ratio of potentially deployable agent assets to actual assets with deployed agents?
  • How do you plan to track the health and status of the agent on the host? For example, you might want to monitor for condition x (where x is the status of the service or the registration status of the agent); if that condition is present, you might then trigger an action or notification.
  • What naming schema would best fit the infrastructure where deployed agents exist? It is important to plan how you would like to organize the breakdown of hosts running agents.
  • Do you plan to supplement agent-based scanning with network scans? How do you plan to maintain vulnerability information across agent and network scans? How do you plan to manage multiple repositories?
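
The egress question above can be answered on a candidate host before the agent is installed. The following is an added example, not part of Tenable's documentation: it classifies the outbound TCP path to the manager port (8834 by default), separating a silent drop from an active reject. The function name, the verdict strings, and the hostname given on the command line are assumptions made for illustration.

```python
import socket
import sys

DEFAULT_PORT = 8834  # default manager port named on this page; customizable


def check_egress(host, port=DEFAULT_PORT, timeout=3.0):
    """Classify the outbound TCP path from this host to host:port.

    Returns one of (verdict names are this example's own):
      "open"        - handshake completed, egress is allowed
      "refused"     - RST received: path works, but nothing listens or a
                      firewall actively rejects the connection
      "filtered"    - no answer before the timeout: typically a silent drop
      "unreachable" - routing or local socket error
      "dns_failure" - the manager name does not resolve from this host
    """
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"

    seen = set()
    for family, socktype, proto, _, sockaddr in addrs:  # try IPv4 and IPv6
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return "open"  # one working address is enough
        except socket.timeout:
            seen.add("filtered")
        except ConnectionRefusedError:
            seen.add("refused")
        except OSError:
            seen.add("unreachable")

    # Report the most specific failure observed across all addresses.
    for verdict in ("refused", "filtered", "unreachable"):
        if verdict in seen:
            return verdict
    return "unreachable"


if __name__ == "__main__":
    # Usage: python check_egress.py <manager-host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    result = check_egress(target, target_port)
    print(f"{target}:{target_port} -> {result}")
    sys.exit(0 if result == "open" else 1)
```

A "filtered" verdict usually points to a host or network firewall dropping the traffic, while "refused" means the packets arrive but the port or listener is wrong.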