Secure Relay for Tenable Identity Exposure 3.59

You install the Secure Relay component only after you install or upgrade Tenable Identity Exposure.

As of version 3.59, the Secure Relay component takes over designated tasks in the Tenable Identity Exposure platform:

  • Allows you to configure domains from which it forwards the data to the Directory Listener (DL) component which collects AD objects.

  • Facilitates the setup and maintenance for large infrastructures through automatic updates: No longer needs multiple DLs that require simultaneous upgrades.

  • Acts a bridge between the single DL and various endpoints, such as domain controllers, SMTP or SYSLOG servers or LDAP servers for in-product authentication.

  • Ties to one or several domains. The DL can manage an unlimited number of Relays.

  • Requires configuration in the Tenable Identity Exposure console, such as namings and mappings (domain, SMTP, SYSLOG, LDAP authentication).

  • Supports the options to install the Secure Relay on the DL server or separately from the DL.

  • Supports Split Security Engine Node (SEN) Services

Follow these guidelines for the installation of or upgrade to Tenable Identity Exposure 3.59 with Secure Relay:

  1. Review the Secure Relay Architectures for On-Premises Platforms and Secure Relay Requirements.

  1. Only one DL is supported in version 3.59. When upgrading the Directory Listeners (DL):

    • Keep only one DL where you can optionally install one Relay. If you select this option, combine the necessary resource requirements for the DL and Relay. For more information, see Resource Sizing.

    • You must have at least one Relay. If you don’t install it on the DL, then you have to provision a new machine to install this Relay.

    • Optionally, install Relays to replace other DLs if you previously used multiple DLs.

      For more information, see Secure Relay Architectures for On-Premises Platforms.

  2. Network requirements:

    • In previous and current versions, the DL communicated to the SEN directly, using the AMQP(S) protocol.

    • In version 3.59, the Relays that replace the multiple DLs communicate with the only remaining DL over HTTPS.

    • Envoy is the reverse proxy.

  3. Linking key: The Secure Relay installation requires a single-use linking key that contains the address of your network and an authentication token. Tenable Identity Exposure regenerates a new key after each successful Secure Relay installation.

To retrieve the linking key:

  1. In the Tenable Identity Exposure console, click System on the left menu bar and select the Configuration tab > Relay.

  2. Click to copy the linking key.

  1. Role Permissions: You must be a user with role-based permissions to configure the Relay. The required permissions are the following:

    • Data entities: Entity Relay

    • Interface entities:

      • Management > System > Configuration > Application Services > Relay

      • Management > System > Relay management

      For more information, see Set Permissions for a Role.

Required User Role: Administrator on the local machine

To install the Secure Relay:

  1. Download the executable program for Secure Relay from Tenable’s Downloads site.

  2. Double-click on the file tenable.ad_SecureRelay_v3.xx.x to start the installation wizard.

    The Welcome screen appears.

  3. Click Next.

    The Custom Setup window appears.

  4. Click Browse to select the disk partition you reserved for Secure Relay (separate from the system partition).

  5. Click Next.

    The Relay Configuration window appears.

  7. Provide the following information:

    1. In the Relay Name box, type a name for your Secure Relay.

    2. In the Linking key box, paste the linking key that you retrieved from the Tenable Identity Exposure portal.

    3. If you choose to use a proxy server, select the option Use an HTTP Proxy for your Relay calls and provide the proxy address and port number.

  8. Click Next.

    The Proxy Configuration window appears:

  9. Select one of the following options:

    1. None: Do not use a proxy server.

    2. Unauthenticated: Type the address and port for the proxy server.

    3. Basic authentication: In addition to the address and port, type the user and password for the proxy server.

    Caution: To configure a proxy using "Unauthenticated" or "Basic authentication", the relay only supports IPv4 addresses (such as 192.168.0.1) or a proxy URI without http:// or https:// (such as myproxy.mycompany.com.) The relay does not support IPv6 addresses (such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334.)

  1. Click Test Connectivity. The following can occur:

    • Green light — The connection succeeded.

    • Invalid linking key — Retrieve the linking key from the Tenable Identity Exposure portal.

    • Invalid Relay Name — This box cannot remain empty. Provide a name for the relay.

    • Connection failed — Check your internet access.

      Tips:
      - When the connection fails, verify the environment variable 'ALSID_CASSIOPEIA_CETI_Service__Broker__Host' on the Directory Listener server.
      - Ensure that it is set to the IP address of the Security Engine Node. If the variable is set to the default '127.0.0.1', it causes the Secure Relay installation to fail.
      - After you update the environment variable 'ALSID_CASSIOPEIA_CETI_Service__Broker__Host', restart the Ceti service.
      - Begin the Secure Relay installation again. Otherwise, it will roll back and leave the Relay and Envoy services installed and block any further installation.

  2. Click Next.

    The Ready to Install window appears.

  3. Click Install.

  4. After the installation completes, click Finish.

After the Secure Relay installation completes, check for the following:

List of installed Relays in Tenable Identity Exposure

To see the list of installed relays:

  • In Tenable Identity Exposure, click Systems on the left menu bar and select the Relay Management tab.

    The pane shows a list of secure relays and their linked domains.

Services

After a successful installation, the following services are running:

  • Tenable_Relay

  • tenable_envoy

    Note: You can locate the Envoy license in Tenable Identity Exposure at Systems > Legal > Envoy license.

Environment variables

The installation also added 4 new environment variables related to Secure Relay with names beginning with "ALSID." If you selected to use a proxy server, there are 2 additional variables related to the proxy IP and port.

Logs for troubleshooting

You can find logs in the following locations:

  • Installation logs: C:\Users\<your user>\AppData\Local\Temp

  • Relay logs: On the VM hosting Secure Relay in the folder specified at the time of installation.

After you install Secure Relay, Tenable Identity Exposure checks regularly for new versions. This process is fully automated and requires HTTPS access to your domain (TCP/443). An icon in the network tray indicates when Tenable Identity Exposure is updating Secure Relay. Once the process completes, Tenable Identity Exposure services restart and data collection resumes.

To uninstall a Secure Relay:

  1. In Windows, go to Settings > Apps & Features > Tenable Identity Exposure Secure Relay.

  2. Click Uninstall.

    When the uninstallation completes, Tenable Identity Exposure Secure Relay services and environment variables no longer appear in your system.

  3. In Tenable Identity Exposure, click Systems on the left menu bar and select the Relay Management tab.

  4. Select the relay you just uninstalled and click to remove it from the list of available relays.

See also