DeepSurface: Outbound Proxy
DeepSurface supports the use of a system-wide proxy that can be used to access services used in day-to-day
operation. When an outbound proxy is configured, the following interactions will always use the proxy:
- Downloading updated system software packages, such as security updates and DeepSurface software upgrades
- Rule feed updates, which come from updates.deepsurface.com
- Communications initiated by DeepSurface subordinate scanners to the DeepSurface main console
Additionally, a number of other interactions can optionally be configured to use the system proxy:
- Downloads of vulnerability data from third-party vulnerability scanner APIs (individually configurable)
- Cloud API interactions, such as data pulled from AWS APIs (individually configurable)
Limitations
DeepSurface currently supports only HTTP proxies (not HTTPS or SOCKS). The HTTP CONNECT method must be
enabled on the proxy. (HTTP CONNECT allows for end-to-end HTTPS encryption even though the HTTP proxy interaction is not encrypted.)
HTTP Basic authentication to the proxy is supported, if needed, but no other HTTP authentication methods
(such as NTLM or Digest) are currently supported.
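The following pre-flight check is an added example, not part of the DeepSurface product or its documentation. It sends a plain-HTTP CONNECT request to a proxy and reports whether the proxy meets the limitations above (HTTP proxy, CONNECT enabled, Basic or no authentication). The function names, verdict strings and the proxy hostname in the comment are assumptions made for illustration.

```python
import base64
import socket

def build_connect(target_host, target_port, username=None, password=None):
    """Build the CONNECT request an HTTP proxy client sends to open a tunnel."""
    authority = f"{target_host}:{target_port}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        # Base64 is an encoding, not encryption: on an unencrypted proxy hop
        # this header is readable by anyone on the path to the proxy.
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def classify(response_head):
    """Turn the proxy's reply headers into a verdict (verdict names are illustrative)."""
    status_line, _, header_block = response_head.decode("iso-8859-1").partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http-proxy"          # e.g. a SOCKS or TLS-only listener
    code = int(parts[1])
    if 200 <= code < 300:
        return "ok"                      # tunnel established
    if code == 407:                      # proxy wants (different) credentials
        schemes = set()
        for line in header_block.split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() == "proxy-authenticate" and value.strip():
                schemes.add(value.split()[0].lower())
        return "basic-auth-required" if "basic" in schemes else "auth-scheme-unsupported"
    if code in (403, 405, 501):          # typical replies when CONNECT is disabled or denied
        return "connect-refused"
    return f"unexpected-{code}"

def probe(proxy_host, proxy_port, target_host, target_port=443,
          username=None, password=None, timeout=10):
    """Connect to the proxy, request a tunnel to the target, return the verdict."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect(target_host, target_port, username, password))
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify(buf.split(b"\r\n\r\n", 1)[0])

# Example call (placeholder proxy name, not a real host):
#   probe("proxy.example.internal", 3128, "updates.deepsurface.com")
```

A verdict of "auth-scheme-unsupported" means the proxy offers only schemes such as NTLM or Digest, and "basic-auth-required" is also what you see when the supplied Basic credentials are rejected.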
Command Line Configuration
If you need to use an outbound proxy in order to complete installation or to configure a subordinate scanner,
then you will likely need to enter this information from the command line.
To configure an outbound proxy from the command line, run the sudo deepsurface-configure-proxy
command. This command will be automatically run during system installation (from within the deepsurface-install
command and, depending on the specific hypervisor platform, from other scripts as well). However, you can run the command directly if you need to make changes after installation or if you're running into trouble with the normal installation flow.
This command will first give you a choice whether to use a proxy at all. If you choose to use a proxy, then you must enter the IP address or hostname of the proxy server as well as proxy port. You may optionally specify a username and password.
Note that there is not a well-standardized TCP port for HTTP proxies, but it is common to see ports 8080 or 3128 in use. Check with your network administration team to find out what specific settings should be used.
Web Console Configuration
For DeepSurface main console systems, it is possible to add or edit the outbound proxy configuration through
the web interface after the initial installation is complete. Simply navigate to Setup > General Settings > Outbound Proxy
and enter the appropriate details. If you wish to configure authentication to the proxy, enter a username and password. Otherwise, leave both of these fields blank.
Once a proxy is configured, you may also enable or disable the use of this proxy for specific API interactions. For instance, navigate to Scanning > Settings > Vuln. Scanners. When adding or editing a vulnerability scanner API configuration, you will find a checkbox labeled "Use Outbound Proxy". If this is enabled, the global outbound proxy settings will be used for that specific API. This setting is available for each Vulnerability Scanner API configuration and each Cloud API configuration.
More Information
For general information on HTTP proxies, see the following:
Wikipedia: Proxy Server
Mozilla: HTTP CONNECT Method