Upgrade to Tenable Identity Exposure 3.59 with Secure Relay

Upgrading Tenable Identity Exposure to version 3.59 requires several important changes for a seamless transition. Most significantly, the Relay takes over the following tasks:

  • Direct receipt of Active Directory (AD) feeds, which requires at least one Relay installation.

  • Syslog and SMTP alert management

  • LDAP authentication

Follow these guidelines to upgrade to Tenable Identity Exposure 3.59 with Secure Relay:

  1. When upgrading the Directory Listeners (DL):

    1. Keep only one DL. You can optionally install one Relay on it. If you select this option, ensure that you add the necessary resource requirements for both the DL and the Relay. For more information, see Resource Sizing.

      Note: Beginning with version 3.59, Tenable Identity Exposure only supports one DL.
    2. You must have at least one Relay. If you don’t install it on the DL, then you have to provision a new machine to install this Relay.

    3. Optionally, install the Secure Relay to replace other DLs if you previously used multiple DLs.

  2. When you install a Relay, use the following guidelines:

    • TLS for the Secure Relay is mandatory. It follows the TLS option you choose after selecting the "expert mode" checkbox. The only exception is the "No TLS" option, for which the Secure Relay falls back to "Default TLS". In that case, every component communicates in plain text except the Secure Relay, which interacts with the DL over TLS.

    • When you use the normal (not "expert") installation mode, or if you choose "Default TLS" or "No TLS", you must first install the public part of the Certificate Authority (CA) generated during the installation on each machine where you install the Relay. The CA is located at C:\Tenable\Tenable.ad\DirectoryListener\envoy_server\certs.

    • When you enter the "expert" installation mode and select either "TLS with peer verification" or "TLS without peer verification," you must first supply the CA that signed the provided server certificate on each machine where you intend to install the Relay. Tenable does not provide the specific path, as it is assumed that you have access to the CA.

  3. Consider network requirement changes:

    • In previous and current versions, the DL communicates directly with the SEN using the AMQP(S) protocol.

    • However, starting with version 3.59, the Relays that replace the multiple DLs communicate with the single remaining DL over HTTPS.
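
The following PowerShell sketch covers the CA installation and the Relay-to-DL HTTPS path described above. It is an added example, not a procedure from Tenable. The CA file name, the DL host name, port 443, and the use of the LocalMachine Trusted Root store are assumptions and placeholders to adapt to your deployment.

```powershell
# Added example: run in an elevated PowerShell session on the Relay machine.
# Assumptions (not from the page): CA file name and copy location, DL host name,
# port 443, and that "install" means the LocalMachine Trusted Root store.
$CaFile = 'C:\Temp\<ca-certificate-file>.crt'   # placeholder: CA copied from the DL certs folder
$DlHost = 'dl.example.internal'                 # placeholder DL host name
$DlPort = 443                                   # assumed HTTPS port

# 1. Inspect the file before trusting it: it must be a CA certificate and currently valid.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) { throw "Not a CA certificate: $($ca.Subject)" }
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    throw "CA certificate is outside its validity period"
}
# Compare this thumbprint with the one read on the DL to confirm the copy is intact.
"CA subject: {0}`nSHA-1 thumbprint: {1}" -f $ca.Subject, $ca.Thumbprint

# 2. Install the public CA certificate into the machine-wide trusted roots.
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Open a TLS session to the DL and let Windows validate the chain and host name.
#    AuthenticateAsClient throws if the chain does not end in a trusted root.
$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient($DlHost, $DlPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($DlHost)
    $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    "TLS OK: {0}, server certificate issued by {1}" -f $ssl.SslProtocol, $server.Issuer
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

A failure in step 3 after a successful import usually points to a different issuing CA, a host name that does not match the server certificate, or a blocked network path between the Relay and the DL.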

  1. To use Secure Relay, you must make the following configurations in the Tenable Identity Exposure user interface (UI). For more information, see Configure the Relay in the Tenable Identity Exposure Administrator Guide.

    • Domain Mapping: Replace multiple-DL application settings or network environment variables with necessary domain settings (the number of edits may vary). For more information, see Configure the Relay in the Tenable Identity Exposure Administrator Guide.

    • Alert Mapping: