Secure Relay

Secure Relay is a mode of transfer for your Active Directory data from your network to Tenable Identity Exposure using Transport Layer Security (TLS) instead of a VPN, as shown in this diagram. The Relay feature also supports HTTP proxy with or without authentication if your network requires a proxy server to reach the internet.

Tenable Identity Exposure can support multiple Secure Relays which you can map to domains according to your needs.

Note: The Secure Relay feature currently only applies if Tenable Identity Exposure provisions your platform to use Secure Relay. It is not possible to switch the provisioning manually from VPN to Secure Relay. For assistance in the migration of your platform from VPN to Secure Relay, contact your Tenable Identity Exposure customer support representative.

Network Flows

TLS Requirements

As of 24 January 2024, to use TLS 1.2 your Relay server must support at least one of the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Also, ensure that your Windows configuration aligns with the specified cipher suites for compatibility with the Relay feature.
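
One way to check the Windows configuration against the list above, as an added example that is not part of the Tenable documentation. It assumes Windows Server 2016 or later (for the built-in Get-TlsCipherSuite cmdlet) and that the Relay uses the Schannel client-side TLS 1.2 setting for its outbound connection; the function names are hypothetical.

```powershell
# Added example: verify the Relay host has a TLS 1.2 suite from the list above enabled.
# Assumes the built-in TLS module (Get-TlsCipherSuite, Windows Server 2016 or later).
$required = @(
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
)

function Test-RelayCipherSuites {
    # Hypothetical helper: one row per required suite, with its enabled state.
    param([string[]]$Required, [string[]]$Enabled)
    foreach ($name in $Required) {
        [pscustomobject]@{ CipherSuite = $name; Enabled = ($Enabled -contains $name) }
    }
}

function Get-Tls12ClientState {
    # Schannel per-protocol override; if the key is absent, the OS default applies.
    # Assumption: the Relay's outbound connection uses the Client subkey.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if (-not (Test-Path $key)) { return 'OS default (no override)' }
    $p = Get-ItemProperty -Path $key
    if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) {
        return 'Disabled or not offered by default'
    }
    return 'Enabled'
}

# Cipher suites currently enabled for Schannel on this host.
$enabled = (Get-TlsCipherSuite).Name
$report  = Test-RelayCipherSuites -Required $required -Enabled $enabled
$report | Format-Table -AutoSize
"TLS 1.2 client protocol: $(Get-Tls12ClientState)"

# The requirement is "at least one", so warn only when every row is disabled.
if (-not ($report | Where-Object Enabled)) {
    Write-Warning 'None of the required TLS 1.2 cipher suites is enabled on this host.'
}
```

Run it in an elevated PowerShell session on the Relay server; a Group Policy cipher suite order can override local settings, so re-run it after policy refresh.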

Before you start

Allowed Files and Processes

For the Relay to operate smoothly, allow certain files and processes in third-party security tools such as antivirus, EDR (Endpoint Detection and Response), and XDR (Extended Detection and Response).

Linking key

The Secure Relay installation requires a single-use linking key that contains the address of your network and an authentication token. Tenable Identity Exposure generates a new key after each successful Secure Relay installation.

Installation

Uninstallation

Automatic Updates

After you install Secure Relay, Tenable Identity Exposure checks regularly for new versions. This process is fully automated and requires HTTPS access to your domain (TCP/443). An icon in the network tray indicates when Tenable Identity Exposure is updating Secure Relay. Once the process completes, Tenable Identity Exposure services restart and data collection resumes.

See also

For complete information about Secure Relay, see Secure Relay in the Tenable Identity Exposure Administrator Guide.