Deploy One-Click Tenable Nessus Agent

Tenable now supports a one-click deployment of the Tenable Nessus Agent via the Microsoft Azure portal. This solution provides an easy way to install the latest version of Tenable Nessus Agent on Azure virtual machines (whether Linux or Windows) by either clicking on an icon within the Microsoft Azure Portal, or by writing a few lines of PowerShell script.

Before you begin:

  • Ensure you have a Tenable Vulnerability Management or Nessus Manager account.

  • Ensure you have a Microsoft Azure account with one or more Windows or Linux virtual machines.

Deploy with the Microsoft Azure Portal and Tenable Vulnerability Management user interface:

  1. Log in to Microsoft Azure.

  2. Select one of your virtual machines.

  3. In the left column click Extensions + applications.

  4. Click + Add.

  5. In the gallery, scroll down to N (for Nessus Agent) or type nessus in the search bar.

  6. Select the Nessus Agent tile and click Next.

  7. Enter configuration parameters in the Configure Nessus Agent Extension user interface.

  8. Click Review + create.

Deploy from the command-line interface:

You can deploy from the command-line interface available through PowerShell. For example, you can type:

PS> $publisherName="Tenable.NessusAgent"

PS> $typeName="Linux" (or $typeName="Windows")

PS> $name = $publisherName + "." + $typeName

PS> $version="1.0"

PS> $Settings = @{"nessusManagerApp" = "cloud"; "nessusAgentName" = "example1"; "nessusAgentGroup" = "EXAMPLE1"}

PS> $ProtectedSettings = @{"nessusLinkingKey" = "abcd1234vxyz5678abcd1234vxyz5678abcd1234vxyz5678abcd1234vxyz5678"}

PS> Set-AzVMExtension -ResourceGroupName "EXAMPLE-resource-group" -Location "East US 2" -VMName "canary-example" -Name $name -Publisher $publisherName -ExtensionType $typeName -TypeHandlerVersion $version -Settings $Settings -ProtectedSettings $ProtectedSettings

Note:Lines 1-4 identify the one-click agent extension. Lines 5-6 in the PowerShell example are equivalent to Step 5 in the user interface procedure. This is where you enter your configuration parameters for your Nessus Agent installation.

Nessus Linking Key

The most important field is the Nessus Linking Key (nessusLinkingKey). It is always required. For information on where to find the linking key, see Retrieve the Tenable Nessus Agent Linking Key. In the PowerShell interface, specify nessusLinkingKey under -ProtectedSettings so that Azure encrypts it. All other fields are passed unencrypted through -Settings. You can choose whether to link with Tenable Nessus Manager or Tenable Vulnerability Management (formerly known as Do this by setting nessusManagerApp (nessusManagerApp) to cloud, or to local in the command-line interface. You have the following two choices:

  • If you choose Tenable Nessus Manager, you must provide the Tenable Nessus Manager host (nessusManagerHost) and port number (nessusManagerPort). The extension accepts an IP address or fully qualified domain name.

  • If you choose (Tenable Vulnerability Management), there is an optional field called tenableIoNetwork.

The Agent Name (nessusAgentName) and Agent Group (nessusAgentGroup) are always optional.

Note: Both Agent Name and Agent Group are each a comma-separated list of group names.

For more definitions of these parameters, see Nessuscli Agent.


Parameter names Equivalent Nessuscli parameters Required
nessusLinkingKey --key yes
nessusManagerApp N/A (unique to One-Click Agent) yes
nessusManagerHost --host no
nessusManagerPort --port no
tenableIoNetwork --network no
nessusAgentName --name no
nessusAgentGroup --groups no