Secure Relay for Tenable Identity Exposure 3.93

You install the Secure Relay component only after you install or upgrade Tenable Identity Exposure.

As of version 3.59, the Secure Relay component takes over designated tasks in the Tenable Identity Exposure platform:

  • Allows you to configure domains from which it forwards the data to the Directory Listener (DL) component which collects AD objects.

  • Simplifies setup and maintenance for large infrastructures through automatic updates: you no longer need multiple DLs that require simultaneous upgrades.

  • Acts as a bridge between the single DL and various endpoints, such as domain controllers, SMTP or SYSLOG servers, or LDAP servers used for in-product authentication.

  • Ties to one or several domains. The DL can manage an unlimited number of Relays.

  • Requires configuration in the Tenable Identity Exposure console, such as namings and mappings (domain, SMTP, SYSLOG, LDAP authentication).

  • Supports the options to install the Secure Relay on the DL server or separately from the DL.

  • Supports Split Security Engine Node (SEN) Services

Before you start

Follow these guidelines for the installation of or upgrade to Tenable Identity Exposure 3.59 with Secure Relay:

  1. Review the Secure Relay Architectures for On-Premises Platforms and Secure Relay Requirements.

  2. Only one DL is supported in version 3.59. When upgrading the Directory Listeners (DL):

    • Keep only one DL where you can optionally install one Relay. If you select this option, combine the necessary resource requirements for the DL and Relay. For more information, see Resource Sizing.

    • You must have at least one Relay. If you don’t install it on the DL, then you have to provision a new machine to install this Relay.

    • Optionally, install Relays to replace other DLs if you previously used multiple DLs.

      For more information, see Secure Relay Architectures for On-Premises Platforms.

  3. Network requirements:

    • In previous and current versions, the DL communicates directly with the Security Engine Node (SEN) using the AMQP(S) protocol.

    • In version 3.59, the Relays that replace the multiple DLs communicate with the only remaining DL over HTTPS (TCP/443).

    • Envoy, installed with the Relay as the tenable_envoy service, is the reverse proxy for this HTTPS traffic.

  4. Linking key: The Secure Relay installation requires a single-use linking key that contains the address of your network and an authentication token. Tenable Identity Exposure regenerates a new key after each successful Secure Relay installation.

To retrieve the linking key:

  1. In the Tenable Identity Exposure console, click System on the left menu bar and select the Configuration tab > Relay.

  2. Click to copy the linking key.

  5. Role Permissions: You must be a user with role-based permissions to configure the Relay. The required permissions are the following:

    • Data entities: Entity Relay

    • Interface entities:

      • Management > System > Configuration > Application Services > Relay

      • Management > System > Relay management

      For more information, see Set Permissions for a Role.
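Before starting the wizard it is worth confirming, from the future Relay host, that the network path the page describes actually exists. The following PowerShell script is an added example and not Tenable's own tooling: it checks that the Relay host can resolve and open TCP/443 to the remaining Directory Listener (or, if you plan to use a proxy, to the proxy), validates the proxy address against the rules the wizard enforces (IPv4 or a scheme-less hostname, no IPv6), and prints the certificate the DL presents so you can compare it with the CA certificate you import later in the wizard. The DL hostname, the proxy values, the 443 default and the function names are assumptions supplied by you; the service name tenable_envoy and the protocol facts come from this page.

```powershell
# Added example (not Tenable's own tooling): pre-flight checks to run on the machine that
# will host the Secure Relay, before starting the installation wizard.
# From the page: the Relay reaches the remaining Directory Listener over HTTPS (TCP/443),
# and a proxy must be entered as an IPv4 address or a scheme-less hostname (no IPv6).
# Assumed by this script: the DL hostname, the proxy values and the -Port default are yours.
param(
    [Parameter(Mandatory)] [string] $DirectoryListener,  # hostname or IP of the single DL
    [int]    $Port = 443,                                # HTTPS port the Relay will use
    [string] $ProxyAddress,                              # optional, exactly as typed in the wizard
    [int]    $ProxyPort
)

function Test-RelayProxyAddress {
    # Same rules as the wizard's Caution: IPv4 literal or bare hostname, no scheme, no IPv6.
    param([string] $Address)
    if ($Address -match '^https?://') {
        Write-Warning "proxy '$Address' includes a scheme; enter it without http:// or https://"
        return $false
    }
    if ($Address -match ':') {
        Write-Warning "proxy '$Address' contains ':' (IPv6 literal or embedded port); use IPv4 or a hostname and put the port in its own field"
        return $false
    }
    $ipv4     = '^((25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(25[0-5]|2[0-4]\d|1?\d?\d)$'
    $hostname = '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
    if ($Address -match $ipv4 -or $Address -match $hostname) { return $true }
    Write-Warning "proxy '$Address' is neither an IPv4 address nor a hostname"
    return $false
}

function Test-TcpPath {
    # DNS resolution plus a TCP handshake; the wizard's green light needs at least this.
    param([string] $TargetHost, [int] $TargetPort)
    $r = Test-NetConnection -ComputerName $TargetHost -Port $TargetPort -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target   = "${TargetHost}:$TargetPort"
        Resolved = [bool] $r.RemoteAddress
        TcpOpen  = [bool] $r.TcpTestSucceeded
    }
}

function Get-PresentedCertificate {
    # Reads the certificate the DL presents on its HTTPS port so you can compare it with the
    # CA certificate you import in the wizard. Chain validation is bypassed on purpose: the
    # Relay host does not trust the DL's CA yet, and this is an inspection, not a trust decision.
    param([string] $TargetHost, [int] $TargetPort)
    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $TargetPort)
    $ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

$ok = $true
if ($ProxyAddress) {
    if (-not (Test-RelayProxyAddress $ProxyAddress)) { $ok = $false }
    if (-not $ProxyPort) {
        Write-Warning 'a proxy port is required when a proxy address is given'; $ok = $false
    } else {
        # With a proxy, the Relay's calls go through it, so the proxy is what must be reachable directly.
        $p = Test-TcpPath -TargetHost $ProxyAddress -TargetPort $ProxyPort
        $p | Format-Table -AutoSize
        if (-not $p.TcpOpen) { $ok = $false }
    }
} else {
    $d = Test-TcpPath -TargetHost $DirectoryListener -TargetPort $Port
    $d | Format-Table -AutoSize
    if ($d.TcpOpen) {
        Get-PresentedCertificate -TargetHost $DirectoryListener -TargetPort $Port | Format-List
    } else { $ok = $false }
}

if ($ok) { 'Pre-flight checks passed; retrieve a fresh linking key and start the wizard.' } else { exit 1 }
```

Run it as `.\Test-RelayPreflight.ps1 -DirectoryListener dl01.corp.example` (or add `-ProxyAddress myproxy.mycompany.com -ProxyPort 3128`) on the Relay host. A TCP open on 443 with a certificate whose issuer matches the CA you intend to import is what you want to see before step 7 of the wizard; a resolved name with a closed port usually means a firewall between the Relay host and the DL, which the wizard reports only as "Connection failed".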

Installation procedure

Required User Role: Administrator on the local machine

To install the Secure Relay:

  1. Download the executable program for Secure Relay from Tenable’s Downloads site.

  2. Double-click on the file tenable.ad_SecureRelay_v3.xx.x to start the installation wizard.

    The Welcome screen appears.

  3. Click Next.

    The Custom Setup window appears.

  4. Click Browse to select the disk partition you reserved for Secure Relay (separate from the system partition).

  5. Click Next.

    The Relay Configuration window appears.

  6. Provide the following information:

    1. In the Relay Name box, type a name for your Secure Relay.

    2. In the Linking key box, paste the linking key that you retrieved from the Tenable Identity Exposure portal.

    3. If you choose to use a proxy server, select the option Use an HTTP Proxy for your Relay calls and provide the proxy address and port number.

  7. If you install the Relay on a separate (standalone) machine from the Directory Listener, the Import Relay Certificate window appears. (If you use the same machine for both the Directory Listener and the Relay, go to the next step.)

    Click on the radio button for one of the following options:

    • Automatic upload — Retrieve the CA certificate automatically from the Directory Listener: Under Directory Listener Windows credentials, type the user name and password for the Windows account used to access the Directory Listener service.

    • Manual upload — Click ... to browse for the CA certificate that the Directory Listener uses.

  8. Click Next.

    The Proxy Configuration window appears:

  9. Select one of the following options:

    1. None: Do not use a proxy server.

    2. Unauthenticated: Type the address and port for the proxy server.

    3. Basic authentication: In addition to the address and port, type the user and password for the proxy server.

    Caution: To configure a proxy using "Unauthenticated" or "Basic authentication", the relay only supports IPv4 addresses (such as 192.168.0.1) or a hostname without the http:// or https:// scheme (such as myproxy.mycompany.com). The relay does not support IPv6 addresses (such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

  10. Click Test Connectivity. The following can occur:

    • Green light — The connection succeeded.

    • Invalid linking key — Retrieve the linking key from the Tenable Identity Exposure portal.

    • Invalid Relay Name — This box cannot remain empty. Provide a name for the relay.

    • Connection failed — Check the network path from the Relay host to the Directory Listener over HTTPS (TCP/443) and, if you configured one, the proxy settings.

  11. Click Next.

    The Ready to Install window appears.

  12. Click Install.

  13. After the installation completes, click Finish.

Post-installation checks

After the Secure Relay installation completes, check for the following:

List of installed Relays in Tenable Identity Exposure

To see the list of installed relays:

  • In Tenable Identity Exposure, click Systems on the left menu bar and select the Relay Management tab.

    The pane shows a list of secure relays and their linked domains.

Services

After a successful installation, the following services are running:

  • Tenable_Relay

  • tenable_envoy

    Note: You can locate the Envoy license in Tenable Identity Exposure at Systems > Legal > Envoy license.

Environment variables

The installation also adds 6 new system environment variables related to Secure Relay, with names beginning with "ALSID_CASSIOPEIA_". If you selected a proxy server, there are 2 additional variables related to the proxy IP and port.

Logs for troubleshooting

You can find logs in the following locations:

  • Installation logs: C:\Users\<your user>\AppData\Local\Temp (that is, %LOCALAPPDATA%\Temp for the account that ran the installer)

  • Relay logs: On the VM hosting Secure Relay in the folder specified at the time of installation.
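The three checks above (services, environment variables, logs) can be run in one pass. The following PowerShell script is an added example, not Tenable's own tooling: it verifies that both services exist and are Running, counts the ALSID_CASSIOPEIA_ variables in the machine scope (six, or eight with a proxy), and lists what was recently written to the installation log folder and to the relay folder you chose at install time. Run with -ExpectRemoved it performs the inverse check after an uninstallation, when the services and variables should be gone. The service names, the variable prefix and counts, and the log folder come from this page; the parameter names and the -RelayLogPath value are assumptions you supply.

```powershell
# Added example (not Tenable's own tooling): verify a Secure Relay host after the wizard
# finishes, or with -ExpectRemoved after uninstalling it. Facts taken from the page: the two
# service names, the ALSID_CASSIOPEIA_ variable prefix, six variables (eight with a proxy),
# and the installation log folder. -RelayLogPath is yours: the folder chosen at install time.
param(
    [switch] $ProxyConfigured,
    [switch] $ExpectRemoved,
    [string] $RelayLogPath
)

$serviceNames = 'Tenable_Relay', 'tenable_envoy'
$envPrefix    = 'ALSID_CASSIOPEIA_'
$failures     = [System.Collections.Generic.List[string]]::new()

# 1. Services: present and Running after install, absent after uninstall.
foreach ($name in $serviceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($ExpectRemoved) {
        if ($svc) { $failures.Add("service '$name' still present, status $($svc.Status)") }
    } elseif (-not $svc) {
        $failures.Add("service '$name' is not installed")
    } elseif ($svc.Status -ne 'Running') {
        $failures.Add("service '$name' is $($svc.Status), expected Running")
    }
}

# 2. Environment variables, read from the Machine scope rather than this process: the
#    installer writes them system-wide, and a shell opened before the install will not see them.
$machineEnv = [System.Environment]::GetEnvironmentVariables([System.EnvironmentVariableTarget]::Machine)
$relayVars  = @($machineEnv.Keys | Where-Object { $_ -like "$envPrefix*" } | Sort-Object)
$expected   = if ($ExpectRemoved) { 0 } elseif ($ProxyConfigured) { 8 } else { 6 }
if ($relayVars.Count -ne $expected) {
    $failures.Add("found $($relayVars.Count) $envPrefix* variable(s), expected ${expected}: $($relayVars -join ', ')")
}

# 3. Logs (after install only). The page names the folders but not the file names, so this
#    lists recent files rather than asserting on a pattern.
if (-not $ExpectRemoved) {
    $since = (Get-Date).AddHours(-24)
    "Files written to $env:LOCALAPPDATA\Temp in the last 24h (installation logs):"
    Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Temp') -File -ErrorAction SilentlyContinue |
        Where-Object LastWriteTime -gt $since |
        Sort-Object LastWriteTime -Descending | Select-Object -First 10 Name, LastWriteTime | Format-Table -AutoSize

    if ($RelayLogPath) {
        if (-not (Test-Path -LiteralPath $RelayLogPath)) {
            $failures.Add("relay folder '$RelayLogPath' does not exist")
        } else {
            $recent = Get-ChildItem -LiteralPath $RelayLogPath -Recurse -File -ErrorAction SilentlyContinue |
                      Where-Object LastWriteTime -gt $since
            if (-not $recent) { $failures.Add("nothing under '$RelayLogPath' was written in the last 24h; the relay may not be logging") }
        }
    }
}

# Summary, then a non-zero exit code so the script can gate an automated rollout.
[pscustomobject]@{
    Mode         = if ($ExpectRemoved) { 'post-uninstall' } else { 'post-install' }
    Services     = ($serviceNames | ForEach-Object {
                        $s = Get-Service -Name $_ -ErrorAction SilentlyContinue
                        "$_=$(if ($s) { $s.Status } else { 'absent' })"
                   }) -join '; '
    RelayEnvVars = $relayVars.Count
    Failures     = $failures.Count
} | Format-List

if ($failures.Count) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
'All checks passed.'
```

Run it from an elevated PowerShell on the Relay host, for example `.\Test-RelayInstall.ps1 -RelayLogPath 'D:\TenableRelay'` (add `-ProxyConfigured` if you entered a proxy in the wizard, or `-ExpectRemoved` after uninstalling). Reading the Machine scope matters: the shell you opened to run the installer still has the pre-install environment, so `Get-ChildItem env:` in that same window will not show the new variables even though they were written correctly.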

Relay configuration

Automatic updates

After you install Secure Relay, Tenable Identity Exposure checks regularly for new versions. This process is fully automated and requires HTTPS access (TCP/443) from the Relay host to your Tenable Identity Exposure domain. An icon in the system tray indicates when Tenable Identity Exposure is updating Secure Relay. Once the process completes, the Tenable Identity Exposure services restart and data collection resumes.

Uninstallation

To uninstall a Secure Relay:

  1. In Windows, go to Settings > Apps & Features > Tenable Identity Exposure Secure Relay.

  2. Click Uninstall.

    When the uninstallation completes, Tenable Identity Exposure Secure Relay services and environment variables no longer appear in your system.

  3. In Tenable Identity Exposure, click Systems on the left menu bar and select the Relay Management tab.

  4. Select the relay you just uninstalled and click to remove it from the list of available relays.

See also