Configure vSphere Scanning

Note: You need administrator permissions to complete the following procedures.

You can configure a scan to scan the following virtual environments:

  • ESXi/vSphere that vCenter manages

  • ESXi/vSphere that vCenter does not manage

  • Virtual machines

Note: You must provide an IPv4 address when scanning an ESXi host. Otherwise, the scan fails.

Note: For more information on VMware/vCenter, refer to the VMware integration documentation.

Scenario 1: Scanning ESXi/vSphere Not Managed by vCenter

To configure an ESXi/vSphere scan that vCenter does not manage:

  1. Create a scan.
  2. In the Basic scan settings, in the Targets section, type the IP address or addresses of the ESXi host or hosts.

  3. Click the Credentials tab.

    The Credentials options appear.

  4. From the Categories drop-down, select Miscellaneous.

    A list of miscellaneous credential types appears.

  5. Click VMware ESX SOAP API.

    The VMware ESX SOAP API options appear. For more information, see VMware ESX SOAP API.

  6. In the Username box, type the username associated with the local ESXi account.

  7. In the Password box, type the password associated with the local ESXi account.

  8. If your vCenter host includes an SSL certificate (not a self-signed certificate), deselect the Do not verify SSL Certificate checkbox. Otherwise, select the checkbox.

  9. Click Save.

Scenario 2: Scanning vCenter-Managed ESXI/vSpheres

Note: The SOAP API requires a vCenter admin account with read and write permissions. The REST API requires a vCenter admin account with read permissions, and a VMware vSphere Lifecycle manager account with read permissions.

To configure an ESXi/vSphere scan managed by vCenter:

  1. Create a scan.
  2. In the Basic scan settings, in the Targets section, type the IP addresses of:

    • the vCenter host.

    • the ESXi host or hosts.

  3. Click the Credentials tab.

    The Credentials options appear.

  4. From the Categories drop-down, select Miscellaneous.

    A list of miscellaneous credential types appears.

  5. Click VMware vCenter SOAP API.

    The VMware vCenter SOAP API options appear. For more information, see VMware vCenter SOAP API.

  6. In the vCenter Host box, type the IP address of the vCenter host.

  7. In the vCenter Port box, type the port for the vCenter host. By default, this value is 443.

  8. In the Username box, type the username associated with the vCenter account.

  9. In the Password box, type the password associated with the vCenter account.

  10. If the vCenter host is SSL enabled, enable the HTTPS toggle.

  11. If your vCenter host includes an SSL certificate (not a self-signed certificate), select the Verify SSL Certificate checkbox. Otherwise, deselect the checkbox.

  12. Click Save.

Note: When scanning vCenter-managed ESXis with API credentials, the Nessus Scan information plugin always shows Credentialed Checks: No in the vCenter scan results. To verify that the authentication was successful, check to see that the Nessus Scan Information plugin shows Credentialed Checks: Yes in the scan results of the ESXis.

Scenario 3: Scanning Virtual Machines

You can scan virtual machines just like any other host on the network. Be sure to include the IP address or addresses of your virtual machine in your scan targets. For more information, see Create a Scan.

VMware vCenter Support Matrix

Feature Requires Authentication Supported vCenter Version

Vulnerability Management

No

7.x, 8.x

Auto Discovery

Yes

7.0.3+, 8.x

Audit / Compliance

Yes

6.x, 7.x, 8.x

VIB Enumeration

Yes

7.0.3+, 8.x

Active / Inactive VMs Yes 7.0.3+, 8.x