Secure Relay
Secure Relay is a mode of transfer for your Active Directory data from your network to Tenable Identity Exposure using Transport Layer Security (TLS) instead of a VPN, as shown in this diagram. The Relay feature also supports HTTP proxy without authentication if your network requires a proxy server to reach the internet.
Tenable Identity Exposure can support multiple Secure Relays which you can map to domains according to your needs.

Virtual machine
The requirements for the virtual machine (VM) hosting the Secure Relay are the following:
Customer Size | Tenable Identity Exposure Services | Instance Required | Memory (per instance) | vCPU (per instance) | Disk Topology | Available Disk Space (per instance) |
---|---|---|---|---|---|---|
Any size | | 1 | 8 GB of RAM | 2 vCPU | Partition for logs separate from the system partition | 30 GB |
The VM must also have:
- A Windows Server 2016+ operating system (no Linux)
- Resolved internet-facing DNS queries and internet access for at least cloud.tenable.com and *.tenable.ad (TLS 1.2).
- Local administrator privileges
- EDR/AV configuration:
  - Sufficient CPU remaining on the VM; for example, the Windows Defender Real-Time feature consumes a considerable amount of CPU and can saturate the machine.
  - Exceptions for automatic updates:
- Proxy server (if required): Tenable Identity Exposure supports unauthenticated HTTP proxies.
  - Check that your network uses HTTP proxy. Tenable Identity Exposure does not support HTTPS/TLS proxies.
  - Check that your proxy server does not require authentication or has the appropriate exceptions to bypass authentication.
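The following PowerShell pre-flight script is an added example, not part of Tenable's documentation or tooling. It checks the VM requirements listed above on the candidate host; it tests the direct path on TCP/443 only (not through an HTTP proxy), and the `-Endpoints` parameter and `Add-Check` helper are names chosen for this example.

```powershell
# Added example (not Tenable code): pre-flight check of the VM requirements above.
# Pass your own instance hostname under tenable.ad in -Endpoints; none is assumed here.
param([string[]]$Endpoints = @('cloud.tenable.com'))

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

$os    = Get-CimInstance Win32_OperatingSystem
$cs    = Get-CimInstance Win32_ComputerSystem
$disks = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3'   # fixed volumes only

# Windows Server 2016 is build 14393; ProductType 1 means a workstation edition.
Add-Check 'Windows Server 2016+' ($os.ProductType -ne 1 -and [int]$os.BuildNumber -ge 14393) $os.Caption
# Firmware reserves a little RAM, so round before comparing with 8 GB.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)
Add-Check '8 GB of RAM' ($ramGB -ge 8) "$ramGB GB"
Add-Check '2 vCPU' ($cs.NumberOfLogicalProcessors -ge 2) $cs.NumberOfLogicalProcessors

# A volume other than the system drive is needed for the separate log partition.
$logVols = @($disks | Where-Object { $_.DeviceID -ne $env:SystemDrive })
Add-Check 'Non-system volume for logs' ($logVols.Count -gt 0) ($logVols.DeviceID -join ', ')
$freeGB = [math]::Floor((($disks | Measure-Object FreeSpace -Maximum).Maximum) / 1GB)
Add-Check '30 GB free on a volume' ($freeGB -ge 30) "$freeGB GB"

# IsInRole returns False in a non-elevated session, so run this elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$admin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check 'Local administrator' $admin $id.Name

foreach ($h in $Endpoints) {
    $tcp = $null; $ssl = $null
    try {
        Resolve-DnsName -Name $h -ErrorAction Stop | Out-Null
        $tcp = [Net.Sockets.TcpClient]::new($h, 443)
        $ssl = [Net.Security.SslStream]::new($tcp.GetStream())
        # Offer TLS 1.2 only, so the check fails if the path cannot negotiate it.
        $ssl.AuthenticateAsClient($h, $null, [Security.Authentication.SslProtocols]::Tls12, $false)
        Add-Check "DNS + TLS 1.2 to $h" $true $ssl.SslProtocol
    } catch {
        Add-Check "DNS + TLS 1.2 to $h" $false $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}
$results | Format-Table -AutoSize
```

A failed certificate validation in the TLS row on a direct connection usually means something on the path is intercepting TLS, which is worth resolving before installing the Relay.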
Role Permissions
You must be a user with role-based permissions to configure the Relay. The required permissions are the following:
- Data entities: Entity Relay
- Interface entities:
  - Management > System > Configuration > Application Services > Relay
  - Management > System > Relay management
For more information, see Set Permissions for a Role.
Automatic Updates
- Check that there is no Group Policy Object (GPO) blocking the automatic update feature.

The Secure Relay installation requires a single-use linking key that contains the address of your network and an authentication token. Tenable Identity Exposure regenerates a new key after each successful Secure Relay installation.
To retrieve the linking key:

- Choose an installation method:

- In Windows, go to Settings > Apps & Features > Tenable Identity Exposure Secure Relay.
- Click Uninstall.
  When the uninstallation completes, Tenable Identity Exposure Secure Relay services and environment variables no longer appear in your system.
- In Tenable Identity Exposure, click Systems on the left menu bar and select the Relay Management tab.
- Select the relay you just uninstalled and click to remove it from the list of available relays.

After you install Secure Relay, Tenable Identity Exposure checks regularly for new versions. This process is fully automated and requires HTTPS access to your domain (TCP/443). An icon in the network tray indicates when Tenable Identity Exposure is updating Secure Relay. Once the process completes, Tenable Identity Exposure services restart and data collection resumes.