This guide explains how to deploy an AppCheck Private Scan Hub on your internal network. AppCheck provides private scan hubs to allow clients to scan target infrastructure and applications from inside their organisation’s perimeter firewall boundary (while AppCheck’s public scan hubs allow scanning from outside, over the public internet).
These instructions assume you are deploying to a VM on your own server. If you are deploying to a cloud environment see Deploying an AppCheck Private Scan Hub on a Cloud Platform.
The scan hub software is designed to be installed on servers and to be always online. Installing hubs on personal computers and switching hubs off or disconnecting them from the internet for significant periods of time is not recommended and can result in the hub failing to update.
If you encounter any issues with hub deployment or configuration, please refer to Troubleshooting Problems Setting Up an AppCheck Scan Hub; if this does not resolve your issue you can contact our technical support team via https://appcheck-ng.com/get-help/.
Do not modify the AppCheck scan hub directly post-installation. This includes installing additional software (such as agents), updating existing software, or disabling services. The scan hub is designed to be treated as an appliance; any changes not managed by AppCheck may cause a failure.
Requirements
See Private Scan Hub Requirements
Process
- Download Image
- Create VM
- Install Hub Software
- Start Hub
- Complete Setup Wizard in Web Browser
- Wait for the Hub to Provision
- Inform AppCheck Support
- Configure FQDN Resolution
- Perform a Test Scan
Download Image
To get started download the latest version of the installer ISO:
Download Link: https://assets.appcheck-ng.com/packages/install.iso
SHA256: https://assets.appcheck-ng.com/packages/install.iso.sha256
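Before attaching the ISO to the VM, the download can be checked against the published SHA256 file. The script below is an added example, not part of AppCheck's documentation; it assumes the .sha256 file carries the hex digest as its first whitespace-separated field, and the function names sha256_of and verify_iso are illustrative.

```shell
#!/bin/sh
# Added example: verify the installer ISO against the published SHA-256 file.
# Assumption: the .sha256 file holds the hex digest as its first
# whitespace-separated field (a bare digest, or "digest  filename").

# Print the lowercase hex SHA-256 of a file using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_iso ISO_FILE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if an input is unreadable or the
# checksum file does not contain a well-formed digest.
verify_iso() {
    iso=$1
    sumfile=$2
    [ -r "$iso" ] && [ -r "$sumfile" ] || return 2
    # First field of the first non-empty line, normalised to lowercase.
    expected=$(awk 'NF {print tolower($1); exit}' "$sumfile")
    # A SHA-256 digest is exactly 64 hex characters; reject anything else
    # (for example an HTML error page saved in place of the checksum).
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$iso")
    [ "$actual" = "$expected" ]
}

# Typical use, with the URLs given above:
#   curl -fLO https://assets.appcheck-ng.com/packages/install.iso
#   curl -fLO https://assets.appcheck-ng.com/packages/install.iso.sha256
#   verify_iso install.iso install.iso.sha256 && echo "checksum OK"
```

Because the digest is served from the same host as the ISO, a match confirms the download is complete and uncorrupted; it does not by itself authenticate the source.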
Create VM
The exact process to create a new VM will depend on your hypervisor/VM platform. Create a VM in accordance with the requirements.
Install Hub Software
Boot the VM from the ISO
With the AppCheck ISO image inserted into the virtual optical drive, start the VM. It will boot from the virtual DVD:
Wait while the kernel and installer load. You may briefly see an error referring to getty but if this is replaced by the menu then it can be ignored.
Begin The Installation
Press Tab to highlight items in the menu and Enter to select them. Select Install.
The next screen will validate system requirements. If they all pass, select Network Setup:
Configure the Network
Here you can choose whether to use DHCP or static IP address assignment.
You must configure the necessary network access for the VM before proceeding. See Private Scan Hub Requirements - VM Network Access
The default settings will use DHCP and Google's DNS servers. If you are happy with these then you do not need to change anything.
You can also select your own DNS servers, but be aware these are not used to resolve scan targets - they are used only once scans have completed, to reverse-lookup scanned IP addresses in order to display hostnames in scan results. Also be aware that access to Google DNS is still required even if it is not selected as the DNS server.
Once you are happy with your settings, select Save to continue, then Test Settings to test them.
Once they are confirmed working, you can proceed to Disk Setup.
Install the AppCheck Firmware to the Virtual Hard Disk
Select Fresh Install if installing a new hub, or Upgrade Existing if upgrading an existing AppCheck scan hub.
Installation can take some time, during which you will see logs scroll past. At the end you should see a success message:
Boot from the Virtual Hard Disk
Eject the ISO from the virtual optical drive and reboot the VM. The scan hub firmware will now be running, ready to begin provisioning.
Start Hub
After booting from the virtual hard disk the VM will show you a command line log in screen:
You do not need to log in here; all you need is the URL mentioned on the first line (in the above example https://192.168.0.8:8080/). Note this down or bookmark it - this is the URL of the hub's local dashboard, where the remainder of the setup process, and future maintenance, will take place (though it is not where you will configure scans - that all happens in the main AppCheck customer portal).
It is possible for this screen to load before the VM has finished establishing its network connection, in which case the IP address will be incorrect (it will use one of the hub’s internal containers’ addresses, often a 198.51 address). To ensure you’re seeing the actual address you can press enter (without typing anything in the login prompt) a few times to reload the screen. If it still does not show the desired IP address then move on to Configure Hub’s Network Access.
Complete Setup Wizard in Web Browser
Access the Hub Setup GUI
With the IP address correctly assigned you should now be able to access the hub’s Graphical User Interface (GUI) in your web browser, using the URL listed on the CLI login screen as detailed previously in the guide. For example, when the hub’s IP address is 192.168.1.151 the URL for the GUI is https://192.168.1.151:8080. You will need to enter the URL exactly, including the scheme (HTTPS) and the port number (8080).
If everything is working as expected you should see a login screen as below:
Log in with the following username:
admin@appcheck-ng.com
Contact AppCheck Support if you have not been provided with the password. Note that both the username and password are case sensitive.
Confirm Outbound Connectivity
The setup wizard will confirm the required outbound connectivity is in place. If the required access is not in place you will need to go back to the step Open Outbound Firewall Access.
Insert License Key
Once connectivity is confirmed, click Next and you will be asked to enter a license key. Contact your account manager if you do not have a license.
Enter your license key and click Next. Note that each license key can only be used once - if you need to rebuild your hub for any reason just contact Technical Support and a replacement key will be created.
Finish Wizard
Click “Finish” on the next screen to complete the registration process.
Wait for the Hub to Provision
Do not restart or power off the hub during this provisioning process. Doing so could corrupt the hub and necessitate deleting the VM and starting again.
The hub will now perform a full package update and start up various local services. You will first be presented with the text "Your license has been accepted and your hub is being set up. A list of expected services will appear here when provisioning starts", which after some time (see note below) will be replaced with a list of running services as shown below:
You can refresh the web interface to monitor the progress of provisioning.
Provisioning will be complete once all services* are shown in green and with a status indicating they are "Up", such as “Up 3 hours (healthy)”
* the exception to this is "scanhub_plugins_builder", which will display "Starting up" when operating.
This process typically takes between 1 and 24 hours. The time can vary significantly depending upon a number of factors (such as the bandwidth available at the client side, the resources assigned to the VM, and the current load on AppCheck's provisioning servers). If the configuration has not finished within 24 hours, please contact AppCheck Technical Support. If you already have a support ticket open regarding the setup of your internal hub then you should update this ticket. If you do not, you can open a new ticket at https://appcheck-ng.com/get-help/.
Inform AppCheck Support
Once the hub has completed provisioning you will need to inform AppCheck Technical Support so that they can grant your account access to run scans from the new hub. Note that AppCheck will not be able to do this (and will have no visibility of the provisioning hub) until it has completed provisioning, so you must wait until the previous step is complete before informing them.
If you already have a support ticket open regarding the setup of your internal hub then you should update this ticket. If you do not, you can open a new ticket at https://appcheck-ng.com/get-help/.
Support will inform you once they have completed the necessary steps on their side. Once this is done the hub will be selectable when configuring scans, and will be listed at https://scanner.appcheck-ng.com/scan_hubs.
Configure FQDN Resolution
If you wish to specify scan targets by hostname (as opposed to by IP address) and those hostnames are not resolvable via public DNS, then you will need to add hosts-file-style entries at https://scanner.appcheck-ng.com/scan_hubs as shown in the below example. You will only be able to edit this once AppCheck Technical Support have linked the hub to your account (see previous step).
The scanning engine will not make use of your internal DNS server to resolve targets even if you have configured one in the netplan configuration file. Internal DNS servers are only referred to after scans have completed in order to display host names alongside scanned IP addresses (using reverse lookups).
Perform a Test Scan
Once the above steps have been completed as required, it is a good idea to perform a test scan using your new hub, ideally scanning a single or small number of targets, which you know to be online and responsive.
Internal scans are configured the same way as external ones, through the same user interface at https://scanner.appcheck-ng.com/. You will need to assign your new scan hub to any scans that you wish it to perform by setting the scan hub in the “Advanced Config Settings” options at the foot of your scan configuration page:
Note that if you select the hub by name and in future you need to redeploy it for any reason then the hub’s name will change, and you would need to update all your affected scans to select the new name. Therefore it is usually better to select “Any Private Hub”.
For scans that you wish to have run always from public hubs, never from your private hub, select “Any Public Hub” (the default “Auto Select” option could result in the same scan running from public hubs sometimes and your private hub at other times).