Deploying Qualys Virtual Scanner Appliance in VMware vSphere (vCenter)

Document created by Qualys Documentation Employee on Jan 10, 2013. Last modified by Qualys Documentation Employee on Aug 5, 2019.
Version 16

This document provides instructions for deploying the Qualys Virtual Scanner Appliance in VMware vSphere (vCenter).

 

We also recommend: How to Use VMware OVF Tool for vApp

 

Prerequisites

1) Download the Qualys Virtual Scanner image for VMware vApp, qVSA.i386<version>.vApp.ova (e.g. qVSA.i386-2.5.34-2.vApp.ova)

2) Obtain a personalization code from your Qualys subscription for a new Virtual Scanner Appliance

 

Network Requirements

1) For single-network scanning, ensure the destination network for LAN is configured to allow outbound HTTPS (port 443) access to the internet for communicating with the Qualys Cloud Platform.

2) For split-network scanning, ensure the destination network for the WAN is configured to allow outbound HTTPS (port 443) access to the internet for communicating with the Qualys Cloud Platform.

3) While conducting a scan, the virtual scanner sends probes to target assets, i.e. hosts and/or web applications. The virtual scanner must be placed in a network where it can access the target assets for scanning.

 

Deploy Qualys Virtual Scanner Appliance

1) Launch VMware vSphere client and log into vCenter.

2) Click on your selected Data Center > Right-Click > Deploy OVF Template.

3) Click on Local File and choose the downloaded Qualys Virtual Scanner ova.

 

[Figure: Deploy OVF Template - Select an OVF template]

 

4) Continue with the wizard template to select compute resource and data storage.

5) For Single Network scanning, select the desired Destination Network for LAN; WAN will not be used. Ensure the Destination Network is configured to allow HTTPS (443) outbound access to the internet.

 

[Figure: Deploy OVF Template - Select networks]

 

6) For Split Network scanning, select different Destination Networks for WAN and LAN. Ensure the Destination Network for WAN is configured to allow HTTPS (443) outbound access to the internet.

 

[Figure: Deploy OVF Template - Select networks with different destination networks]

 

7) Customize template – enable properties settings appropriate for your environment:

 

SECTION | DESCRIPTION
Personalization Code | REQUIRED: Provide the 14-digit Personalization code obtained from Qualys
Enable WAN Interface | Optional: Enable for Split-Network scanning
HTTP Proxy | Optional: Add the proxy server URL to communicate with Qualys Cloud Platform via SSL proxy, supports both IP and FQDN for the proxy server configuration.
    Formatting:
    Specify the proxy server URL as username:password@proxyhost:port
    If authentication is not used, the format is proxyhost:port
    where proxyhost is the IPv4 address or the FQDN of the proxy server, port is the port the proxy server is running on
    Examples:
    jdoe:abc12345@10.40.1.123:3128
    jdoe:abc12345@myproxy.qualys.com:3128
LAN IP | Optional: Defaults to DHCP, otherwise, enter static IP address for LAN interface
LAN Default VLAN | Optional: Defaults to 0. Enter VLAN ID if needed
LAN Netmask | Optional: Defaults to 255.255.255.0
LAN Gateway | Optional: Defaults to DHCP. For static LAN IP, enter LAN Gateway address
LAN DNS Servers | Optional: For static LAN IP, enter LAN DNS servers
WAN IP | Optional: Defaults to DHCP, otherwise enter static IP address WAN interface – applicable to Split Network configuration
WAN Netmask | Optional: Defaults to 255.255.255.0 – applicable to Split Network configuration
WAN Gateway | Optional: Defaults to DHCP. For static WAN IP, enter WAN Gateway address – applicable to Split Network configuration
WAN DNS Servers | Optional: For static WAN IP, enter WAN DNS servers – applicable to Split Network configuration
WINS 1 | Optional: Primary WINS address
WINS 2 | Optional: Secondary WINS address
WINS DOMAIN | Optional: WINS Domain

 

8) Power on the Virtual Scanner Appliance
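
A pre-flight check for the values entered in step 7, as an added example that is not part of the Qualys documentation: it parses the HTTP Proxy string in the two formats the table gives, masks the password before the value is written to a log or ticket, and checks a static LAN IP against its netmask and gateway. The function names, the choice to split on the last '@', and the sample LAN addresses are assumptions made for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def parse_proxy(value):
    """Parse 'username:password@proxyhost:port' or 'proxyhost:port'."""
    creds, at, hostport = value.rpartition("@")  # assumption: last '@' precedes the host
    user = password = None
    if at:
        user, colon, password = creds.partition(":")
        if not (user and colon and password):
            raise ValueError("credentials must be username:password")
    host, colon, port = hostport.rpartition(":")
    if not (colon and host and port.isdecimal() and 1 <= int(port) <= 65535):
        raise ValueError("expected proxyhost:port with port 1-65535")
    if all(part.isdecimal() for part in host.split(".")):
        ipaddress.IPv4Address(host)  # raises ValueError on a bad IPv4 address
    elif not all(_LABEL.fullmatch(label) for label in host.split(".")):
        raise ValueError("proxyhost must be an IPv4 address or an FQDN")
    return {"user": user, "password": password, "host": host, "port": int(port)}

def redact_proxy(value):
    """Return the proxy string with the password masked, for logs or tickets."""
    p = parse_proxy(value)
    auth = f"{p['user']}:***@" if p["user"] else ""
    return f"{auth}{p['host']}:{p['port']}"

def check_static_lan(ip, netmask="255.255.255.0", gateway=None):
    """List problems with a static LAN IP, netmask and gateway combination."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    problems = []
    if ipaddress.IPv4Address(ip) in (net.network_address, net.broadcast_address):
        problems.append("LAN IP is the network or broadcast address")
    if gateway is None:
        problems.append("static LAN IP needs a LAN Gateway")
    elif ipaddress.IPv4Address(gateway) not in net:
        problems.append("LAN Gateway is outside the LAN subnet")
    return problems

def is_personalization_code(code):
    """True when the code is 14 digits, as the page describes it."""
    return re.fullmatch(r"[0-9]{14}", code) is not None

if __name__ == "__main__":
    # Proxy string is the page's example; the LAN values are constructed.
    print(redact_proxy("jdoe:abc12345@myproxy.qualys.com:3128"))
    print(check_static_lan("10.40.1.50", gateway="10.40.2.1"))
```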

 

 

Powering on the Virtual Scanner Appliance

Once you power on the Virtual Scanner Appliance, the Qualys service completes the activation process. It may take a few minutes for this activation to complete. The virtual scanner attempts to make a connection to the Qualys platform using its current configuration (network and proxy settings).

 

We recommend the following steps to check the appliance status within VMware vCenter:

 

Step 1: Log into vCenter and launch the Virtual Scanner Appliance remote console

You will see system messages within the console during the startup and activation process. You will see the friendly name and IP address after the appliance has successfully connected to the Qualys Cloud Platform. This also means the virtual scanner is ready to be used for scanning. If a network error appears, you need to troubleshoot the issue at this time.

 

[Figure: Qualys Scanner Console with friendly name and IP]

 

Step 2: Check the network settings

Press Enter to access the main menu. (Tip: Use the Up and Down arrows to navigate the menu.) Press the Right arrow to display the network settings configured for the virtual scanner. Press the Left arrow to return to the main menu.

 

[Figure: Qualys Scanner Console with Show network settings option]

 

Step 3: Check the scanner status in Qualys

To confirm that the scanner is ready to use, check the virtual scanner status in Qualys. Go to Scans > Appliances, and find your scanner in the list. Check that the scanner's status is Connected.


Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up-to-date details.

 

[Figure: Appliances list in Qualys UI]

 


Enabling WAN for Split Network Configuration

If the virtual scanner appliance is already deployed and you would like to enable WAN for a split-network scanning configuration, the Destination Network settings must be configured first in the virtual machine’s hardware settings and then in the vApp options.

We recommend the following steps to enable split-network scanning configuration within VMware vCenter:

 

Step 1: Log into vCenter and power off the Virtual Scanner Appliance

Power off the virtual scanner appliance.

 

Step 2: Edit the Virtual Scanner Appliance Hardware Settings

Modify the network adapters’ destination networks. For split-network setting, Network Adapter 1 should be set to the LAN destination network and Network Adapter 2 should be set to the WAN destination network.

 

[Figure: Edit Hardware Settings]

 

Step 3: Edit the Virtual Scanner Appliance vApp Options

Modify the virtual scanner appliance's vApp options as appropriate.


Enable_WAN_Interface

Click on Enable_WAN_Interface and then click on ‘Set Value’. Toggle on to enable.

 

[Figure: Enable WAN interface]

 

LAN_Network_Name and WAN_Network_Name

Update destination networks for LAN_Network_Name and WAN_Network_Name. Their destination network should match the virtual scanner’s hardware settings set in Step 1. To modify the destination network, click on ‘LAN_Network_Name’ and then ‘Edit’. Repeat the same step for ‘WAN_Network_Name’.

 

It is imperative that you set the virtual scanner’s hardware network settings first, as mentioned in Step 1, and then in the vApp option for it to take effect.

 

[Figure: LAN Network Name]

[Figure: WAN Network Name]

 

Step 4: Power on the Virtual Scanner Appliance

Power on the virtual scanner appliance.

 

Changing Network Adapter Settings

If you need to modify the destination networks for the network adapters, you need to update both the virtual appliance hardware settings and the vApp options.

We recommend the following steps to modify the destination networks within VMware vCenter:

 

Step 1: Log into vCenter and power off the Virtual Scanner Appliance

Power off the virtual scanner appliance.

 

Step 2: Edit the Virtual Scanner Appliance Hardware Settings

Modify the network adapters' destination networks as appropriate.

 

Step 3: Edit the Virtual Scanner Appliance vApp Options

Modify the virtual scanner appliance's vApp options as appropriate.

Update destination networks for LAN_Network_Name and/or WAN_Network_Name. Their destination network should match the virtual scanner’s hardware settings set in Step 1. To modify the destination network, click on ‘LAN_Network_Name’ and/or ‘WAN_Network_Name’ and then ‘Edit’.

 

It is imperative that you set the virtual scanner’s hardware network settings first, as mentioned in Step 1, and then in the vApp option for it to take effect.

 

 


Still have questions?

Check out our Scanner Appliance FAQs.
