Install Tenable Identity Exposure

Tenable Identity Exposure's installation program installs the following components on three different machines:

  • A Storage Manager (SM) to host all data based on MSSQL.

  • A Directory Listener (DL) to target audited domains.

  • A Security Engine Node (SEN) to perform security analysis and serve the user interface.

    For more information about how to install the SEN on several machines, see Split Security Engine Node (SEN) Services.

All three machines and installed binaries support the application of any security update for the underlying OS, either through Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).

For more information about different TLS setups, see Installation Options.

Installation Program

The Tenable Identity Exposure executable program from Tenable’s Downloads site is the main installer for most on-premises and SaaS (excluding SaaS-TLS) deployments.

For SaaS-TLS deployments, you must download the Tenable Identity Exposure Security Probe installer. You must also have your customized file containing the required certificates that the Tenable Identity Exposure team provides.

Starting from version 3.11, the Tenable Identity Exposure Security Probe Installer is only compatible with SaaS-TLS deployments. To install a Directory Listener node, you must use the Tenable Identity Exposure Installer file and select the "Directory Listener" component only.

Note: Tenable requires that you reboot all machines before you start a new installation.

Before you start

Reserve the following resources and have their information on hand before you install Tenable Identity Exposure:

  • Network — Private IP addresses.

  • Access — DNS name used to access Tenable Identity Exposure’s web portal.

  • Security — TLS certificate and its associated private key to secure access to the web portal.

For more information, see Network Requirements.

Installation with Secure Relay

Tenable Identity Exposure v. 3.59 introduces Secure Relay, a new secure external transfer mode using HTTPS for your Active Directory data to the rest of the platform. Internally, it continues to use Advanced Message Queuing Protocol Secure (AMQPS). If you install a Relay on a DL machine, ensure that you combine the required sizing for DL and Secure Relay. For more information, see Resource Sizing in this guide.

Another advantage of Secure Relay lies in its ability to upgrade automatically when you upgrade Tenable Identity Exposure, especially if your platform uses several DLs.

For more information, see Upgrade to Tenable Identity Exposure 3.59 with Secure Relay.

Installation log file

If the installation program cannot install Tenable Identity Exposure on a machine, you can forward the log file to our support (

This log file is in your %tmp% folder, and its name always starts with “MSI” followed by random numbers, such as MSI65931.LOG.

To generate log files in another location (for example, if you placed the installer on the desktop):

  1. In the command line of the local machine, type cd desktop.

  2. Type .\installername.exe /LOGS "c:\<path>\logsmsi1.txt".