Mobile, Distributed Workforce

Tenable recommends deploying agents for a mobile workforce, because agents eliminate the need for your employees to VPN into your organization's headquarters for their devices to be scanned. In this scenario, active scanning over WAN or VPN connections incurs risks of low link speed, high encryption overhead, and possible problems with link stability. Agents can reduce scan times from hours to minutes.

To support a mobile workforce, Tenable recommends that you:

  • Deploy the manager in the DMZ and assign it a publicly facing IP address that the agents can use to communicate. All communication between agent and manager occurs via TLS encrypted communication.
  • Configure appropriate scan windows for agent scans. The scan window is the period of time where agents conduct their scans and report their results back to the manager. Any scan requests or results submitted after the scan window are discarded, and the system is marked as not scanned.

    This approach helps ensure accurate security data while also reducing the need for duplicative and irrelevant scanning. For example, an employee returning from a two-week vacation won’t have to endure 14 queued scans (one for each day his/her system was offline).