Welcome to the Tenable On-Prem Connector Deployment Guide

Last updated: August 26, 2025

This document provides a comprehensive guide to deploying and configuring the Tenable On-Prem connector, an on-premises component that facilitates secure communication between the Tenable One platform and closed network environments. The Tenable On-Prem connector utilizes a WireGuard VPN tunnel over UDP port 51820 to establish this connection.

Process Overview

The Tenable On-Prem connector allows Tenable One to pull data located from isolated networks without requiring direct inbound connections to those networks.

The workflow operates as follows:

1. Establish a Secure Tunnel: The Tenable On-Prem connector initiates an outbound connection to Tenable One, creating a secure, encrypted tunnel using the WireGuard VPN protocol over UDP port 51820.

2. Communication Channel: This tunnel establishes a secure communication channel between the Tenable One platform and the Tenable On-Prem connector.

3. Data Scan Initiation: When Tenable One launches a data sync, the data is securely transmitted through the tunnel to the Tenable On-Prem connector.

4. Results Transmission: The data results are then transmitted back to Tenable One through the secure WireGuard tunnel.

5. Analysis and Reporting: Tenable One processes the scan results and provides vulnerability data, compliance information, and other security insights.

In essence, the Tenable On-Prem connector acts as a secure intermediary, allowing Tenable One to reach into closed networks without compromising their security posture. The key is that the gateway initiates the connection to Tenable One, so no inbound connections to the closed network are required.

To get started, see Install the Tenable On-Prem Connector.