Secure Relay

Secure Relay is a mode of transfer for your Active Directory data from your network to Tenable Identity Exposure using Transport Layer Security (TLS) instead of a VPN, as shown in this diagram. The Relay feature also supports HTTP proxy without authentication if your network requires a proxy server to reach the internet.

Tenable Identity Exposure can support multiple Secure Relays which you can map to domains according to your needs.

Note: The Secure Relay feature currently only applies if Tenable Identity Exposure provisions your platform to use Secure Relay. It is not possible to switch the provisioning manually from VPN to Secure Relay. For assistance in the migration of your platform from VPN to Secure Relay, contact your Tenable Identity Exposure customer support representative.

  • For a classic setup without a proxy server, the Relay requires the following ports:

  • For a setup using a proxy server, the Relay requires the following ports:

Virtual machine

The requirements for the virtual machine (VM) hosting the Secure Relay are the following:

Customer Size Tenable Identity Exposure Services Instance Required Memory (per instance) vCPU (per instance) Disk Topology Available Disk Space (per instance)
Any size

  • tenable_Relay

  • tenable_envoy

1 8 GB of RAM 2 vCPU Partition for logs separate from the system partition 30 GB

The VM must also have:

  • A Windows Server 2016+ operating system (no Linux)

  • Resolved internet-facing DNS queries and internet access for at least cloud.tenable.com and *.tenable.ad (TLS 1.2).

  • Local administrator privileges

  • EDR/AV configuration:

    • Sufficient CPU remaining on the VM — for example, the Windows Defender Real-Time feature consumes a considerable amount of CPU and can saturate the machine.

    • Exceptions for automatic updates:

      • Allow calls toward *.tenable.ad so that the automatic update feature can download a Relay executable file.

      • Do not delete or alter the 'Relay updater' scheduled task:

  • Proxy server (if required): Tenable Identity Exposure supports unauthenticated HTTP proxies.

    • Check that your network uses HTTP proxy. Tenable Identity Exposure does not support HTTPS/TLS proxies.

    • Check that your proxy server does not require authentication or has the appropriate exceptions to bypass authentication.

Role Permissions

You must be a user with role-based permissions to configure the Relay. The required permissions are the following:

  • Data entities: Entity Relay

  • Interface entities:

    • Management > System > Configuration > Application Services > Relay

    • Management > System > Relay management

For more information, see Set Permissions for a Role.

Automatic Updates

  • Check that there is no Group Policy Object (GPO) blocking the automatic update feature.

The Secure Relay installation requires a single-use linking key that contains the address of your network and an authentication token. Tenable Identity Exposure regenerates a new key after each successful Secure Relay installation.

To retrieve the linking key:

  1. In Tenable Identity Exposure, click Systems on the left menu bar and select the Configuration tab > Relay.

    Linking key

  2. Click to copy the linking key.

  1. In Windows, go to Settings > Apps & Features > Tenable Identity Exposure Secure Relay.

  2. Click Uninstall.

    When the uninstallation completes, Tenable Identity Exposure Secure Relay services and environment variables no longer appear in your system.

  3. In Tenable Identity Exposure, click Systems on the left menu bar and select the Relay Management tab.

  4. Select the relay you just uninstalled and click to remove it from the list of available relays.

After you install Secure Relay, Tenable Identity Exposure checks regularly for new versions. This process is fully automated and requires HTTPS access to your domain (TCP/443). An icon in the network tray indicates when Tenable Identity Exposure is updating Secure Relay. Once the process completes, Tenable Identity Exposure services restart and data collection resumes.