Secure Relay - FAQs
I used to have multiple Directory Listeners (DLs). Can I still have multiple DLs?
No. Secure Relays replace multiple DLs. Tenable Identity Exposure now supports only one DL; multiple DLs create unknown issues.
I used to have only one machine for the DL, can I keep the same machine for the DL and the Secure Relay?
Yes, you can. However, make sure to combine the resource requirements for a DL and a Secure Relay. For example, if the RAM for a DL is 5 GB and 1 GB for the Secure Relay, your machine must have 6 GB (5 GB + 1 GB).
You can also install the Secure Relay on a separate VM, as long as it can contact the DL.
What are the network flows that change between previous versions and version 3.59?
With version 3.59, in its simplest form, we add a Secure Relay between your Active Directory (AD) and the DL. That means:
- The communication between your AD and the Secure Relay is the same as the communication between your AD and the DL previously.
- The communication between the DL and the rest of the platform is the same as previously.
- What changes is that Tenable Identity Exposure uses HTTPS between one or more Secure Relays and the DL. You must allow this new network flow.
Where can I find the on-premises Secure Relay installer?
In the folder C:\Tenable\Tenable.ad\DirectoryListener\Updates\.
Should I use the Secure Relay installation package available on https://www.tenable.com/downloads or the one in the folder C:\Tenable\Tenable.ad\DirectoryListener\Updates\?
You can use either one as they are usually the same version. The one in the folder C:\Tenable\Tenable.ad\DirectoryListener\Updates\ does not require a login to access the binary.
When installing/upgrading the DL, I selected “Yes” to the question “Install the Secure Relay after the DL?”, but nothing’s installed. What did I miss?
The Secure Relay installation launches after the DL server reboots, so make sure first and foremost that you did reboot after the DL installation/upgrade.
Other problems could arise from the AV/EDR blocking the installation process from running after the reboot. Make sure to review their full logs.
The timeframe to look for in these logs depends on the AV/EDR blocking the installation process, so make sure to check some time before (during the DL installation) and after the reboot.
When the relay installation fails, what elements should I collect?
Multiple elements need to be retrieved when installation fails, before any other attempt:
- The installation logs: Extract these from the MSI dialog box when a failure occurs.
- The Relay logs: Located in the <install path>\SecureRelay\logs\Relay.log.
- The Envoy logs: Located in the <install path>\SecureRelay\logs\envoy.logs.
- The envoy.yaml configuration file: Located at <install path>\SecureRelay\envoy.yaml. There’s an API key that you can redact if necessary (although we also have it in the database).
- The environment variables: Fetched using one of the following commands:
  (cmd.exe) set
  (powershell.exe) ls env: | fl
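The collection steps above can be scripted. The following is an added example, not Tenable's own tooling: it copies the two logs, writes a redacted copy of envoy.yaml, and dumps the environment variables into one folder. The parameter names, the output folder, and the pattern used to find the API key line are assumptions, since the page does not show the layout of envoy.yaml.

```powershell
# Added example, not Tenable's tooling: collect the Secure Relay failure artifacts
# listed in the FAQ into one folder, with the API key in envoy.yaml redacted.
param(
    [Parameter(Mandatory)] [string] $InstallPath,   # your <install path>
    [string] $OutDir = (Join-Path $env:TEMP ('SecureRelay-diag-{0:yyyyMMdd-HHmmss}' -f (Get-Date))),
    # Assumption: the key is on (or right after) a line that mentions "api key".
    [string] $SecretPattern = '(?i)api[-_ ]?key'
)

$relayDir = Join-Path $InstallPath 'SecureRelay'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Relay and Envoy logs, at the paths given in the FAQ.
foreach ($name in 'Relay.log', 'envoy.logs') {
    $src = Join-Path $relayDir "logs\$name"
    if (Test-Path -LiteralPath $src) { Copy-Item -LiteralPath $src -Destination $OutDir }
    else { Write-Warning "Not found: $src" }
}

# envoy.yaml: write a redacted copy only; the original is never copied.
$yaml = Join-Path $relayDir 'envoy.yaml'
if (Test-Path -LiteralPath $yaml) {
    $redacted = 0
    $afterMatch = $false
    $lines = foreach ($line in Get-Content -LiteralPath $yaml) {
        # Also catch a "value:" line directly under a matching "key:" line.
        $isValueLine = $afterMatch -and $line -match '^\s*value\s*:'
        if ($line -match $SecretPattern -or $isValueLine) {
            $afterMatch = -not $isValueLine
            $new = $line -replace '^([^:]*:\s*).*$', '${1}<REDACTED>'
            if ($new -cne $line) { $redacted++ }
            $new
        } else {
            $afterMatch = $false
            $line
        }
    }
    $lines | Set-Content -LiteralPath (Join-Path $OutDir 'envoy.redacted.yaml')
    if ($redacted -eq 0) { Write-Warning 'Nothing redacted; review envoy.redacted.yaml by hand before sharing.' }
    else { Write-Host "Redacted $redacted line(s) in the envoy.yaml copy." }
} else { Write-Warning "Not found: $yaml" }

# Environment variables: same data as "ls env: | fl".
Get-ChildItem Env: | Format-List | Out-File -FilePath (Join-Path $OutDir 'environment.txt')

Write-Host "Artifacts written to $OutDir (add the MSI installation log by hand)."
```

Check environment.txt and the redacted YAML before sending the folder, since environment variables can hold credentials and the redaction pattern is a guess at the file's layout.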