DeepSurface: Outbound Proxy

Outbound Proxy

DeepSurface supports the use of a system-wide proxy that can be used to access services used in day-to-day operation. When an outbound proxy is configured, the following interactions will always use the proxy:

Additionally, a number of other interactions can optionally be configured to use the system proxy:

Limitations

DeepSurface currently supports only HTTP proxies (not HTTPS or SOCKS). The HTTP CONNECT method must be enabled on the proxy. (HTTP CONNECT allows for end-to-end HTTPS encryption even though the HTTP proxy interaction is not encrypted.)

HTTP Basic authentication to the proxy is supported, if needed, but no other HTTP authentication methods (such as NTLM or Digest) are currently supported.
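
A pre-flight check for the limitations above, as an added example (not DeepSurface code): it builds the CONNECT request with optional Basic credentials and classifies the proxy's reply, flagging proxies that refuse CONNECT or offer only NTLM or Digest. The function names, result labels and sample replies are constructed for illustration.

```python
import base64
import socket

def build_connect(target_host, target_port, user=None, password=None):
    """Return the CONNECT request sent to the proxy before TLS starts."""
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1",
             f"Host: {target_host}:{target_port}"]
    if user:
        # Basic auth is base64, not encryption: readable on the plain-HTTP proxy hop.
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def classify_reply(raw):
    """Map the proxy's reply to CONNECT onto the limitations listed above."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *headers = head.split("\r\n")
    parts = status.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    code = int(parts[1])
    if 200 <= code < 300:
        return "ok"                      # tunnel established
    if code == 407:                      # proxy wants credentials: which schemes?
        schemes = set()
        for h in headers:
            name, _, value = h.partition(":")
            if name.strip().lower() == "proxy-authenticate" and value.split():
                schemes.add(value.split()[0].lower())  # first scheme per header line
        if "basic" in schemes:
            return "basic-auth-required"
        return "unsupported-auth:" + (",".join(sorted(schemes)) or "none-offered")
    if code in (403, 405, 501):
        return "connect-refused"         # CONNECT disabled or destination denied
    return f"unexpected-{code}"

def probe(proxy_host, proxy_port, target_host, target_port=443,
          user=None, password=None, timeout=5.0):
    """Send one CONNECT through the proxy and classify the answer."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect(target_host, target_port, user, password))
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 8192 and (chunk := s.recv(4096)):
            buf += chunk
    return classify_reply(buf)

# Constructed sample replies (not captured from a real proxy).
SAMPLE_NTLM = b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM\r\n\r\n"
SAMPLE_BASIC = b'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="proxy"\r\n\r\n'
```

Because the proxy username and password travel only base64-encoded on the unencrypted proxy hop, a dedicated account with no other privileges is the safer choice for this setting.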

Command Line Configuration

If you need to use an outbound proxy in order to complete installation or to configure a subordinate scanner, then you will likely need to enter this information from the command line.

To configure an outbound proxy from the command line, run the sudo deepsurface-configure-proxy command. This command will be automatically run during system installation (from within the deepsurface-install command and, depending on the specific hypervisor platform, from other scripts as well). However, you can run the command directly if you need to make changes after installation or if you're running into trouble with the normal installation flow.

This command will first give you a choice whether to use a proxy at all. If you choose to use a proxy, then you must enter the IP address or hostname of the proxy server as well as proxy port. You may optionally specify a username and password.

Note that there is not a well-standardized TCP port for HTTP proxies, but it is common to see ports 8080 or 3128 in use. Check with your network administration team to find out what specific settings should be used.

Web Console Configuration

For DeepSurface main console systems, it is possible to add or edit the outbound proxy configuration through the web interface after the initial installation is complete. Simply navigate to Setup > General Settings > Outbound Proxy and enter the appropriate details. If you wish to configure authentication to the proxy, enter a username and password. Otherwise, leave both of these fields blank.

Once a proxy is configured, you may also enable or disable the use of this proxy for specific API interactions. For instance, navigate to Scanning > Settings > Vuln. Scanners. When adding or editing a vulnerability scanner API configuration, you will find a checkbox labeled "Use Outbound Proxy". If this is enabled, the global outbound proxy settings will be used for that specific API. This setting is available for each Vulnerability Scanner API configuration and each Cloud API configuration.

More Information

For general information on HTTP proxies, see the following:

  • Wikipedia: Proxy Server
  • Mozilla: HTTP CONNECT Method