Configure vSphere Scanning

Required User Role: Administrator or organizational user with appropriate permissions. For more information, see User Roles.

You can configure a scan policy to scan the following virtual environments:

ESXi/vSphere that vCenter manages
ESXi/vSphere that vCenter does not manage
Virtual machines

Scanning ESXi/vSphere Not Managed by vCenter

To configure an ESXi/vSphere scan that vCenter does not manage:

Begin configuring a scan policy that supports credentialed access, as described in Add a Scan Policy. For more information about authentication options in scan policies, see The Authentication tab specifies authentication options during a scan..
In the left navigation menu, click Authentication.

The Authentication tab appears.
Click Add Authentication Settings.

The authentication options appear.
In the first Type drop-down box, select Miscellaneous.
In the second Type drop-down box, select VMware ESX SOAP API.
Click Select.

The VMware ESX SOAP API options appear. For more information, see VMware ESX SOAP API.
In the Username box, type the username associated with the local ESXi account.
In the Password box, type the password associated with the username you provided.
If your vCenter host includes an SSL certificate (not a self-signed certificate), disable the Do not verify SSL Certificate toggle.
Click the button.

Tenable Security Center applies the VMware ESX SOAP API authentication options to the scan policy.

What to do next:

Reference the scan policy in an active scan configuration, as described in Add an Active Scan.

Scanning vCenter Managed ESXi/vSpheres

Note: The SOAP API requires a vCenter admin account with read and write permissions. The REST API requires a vCenter admin account with read permissions, and a VMware vSphere Lifecycle manager account with read permissions.

To configure an ESXi/vSphere scan managed by vCenter:

Begin configuring a scan policy that supports credentialed access, as described in Add a Scan Policy. For more information about authentication options in scan policies, see The Authentication tab specifies authentication options during a scan..
In the left navigation menu, click Authentication.

The Authentication tab appears.
Click Add Authentication Settings.

The authentication options appear.
In the first Type drop-down box, select Miscellaneous.
In the second Type drop-down box, select VMware vCenter SOAP API.
Click Select.

The VMware vCenter SOAP API options appear. For more information, see VMware vCenter SOAP API.
In the vCenter Host box, type the IP address of the vCenter host.
In the vCenter Port box, type the port for the vCenter host.
In the Username box, type the username associated with the local ESXi account.
In the Password box, type the password associated with the username you provided.
If the vCenter host is not SSL enabled, disable the HTTPS toggle.
If your vCenter host includes an SSL certificate (not a self-signed certificate), enable the Verify SSL Certificate toggle.
Click the button.

Tenable Security Center applies the VMware vCenter SOAP API authentication options to the scan policy.

Note: When scanning vCenter-managed ESXis with API credentials, the Nessus Scan information plugin always shows Credentialed Checks: No in the vCenter scan results. To verify that the authentication was successful, check to see that the Nessus Scan Information plugin shows Credentialed Checks: Yes in the scan results of the ESXis.

What to do next:

Reference the scan policy in an active scan configuration, as described in Add an Active Scan.

Scanning Virtual Machines

You can scan virtual machines just like any other host on the network. Be sure to include the IP addresses of virtual machines you want to scan in your scan targets. For more information, see Add an Active Scan.

VMware vCenter Support Matrix

Feature	Requires Authentication	Supported vCenter Version
Vulnerability Management	No	7.x, 8.x
Auto Discovery	Yes	7.0.3+, 8.x
Audit / Compliance	Yes	6.x, 7.x, 8.x
VIB Enumeration	Yes	7.0.3+, 8.x
Active / Inactive VMs	Yes	7.0.3+, 8.x