Amazon EC2 Pre-Authorized Scanning Appliance: Network Communications

Document created by Justin Lute on Feb 14, 2014. Last modified by Qualys Documentation on Aug 12, 2016. Version 10.

There are three major communication paths that the Pre-Authorized virtual appliance must be able to use in order to operate successfully.

Management connectivity to QualysGuard Cloud Platform
Forward proxy server support: management communications from the appliance to the Qualys Cloud Platform may be routed through a forward proxy. The appliance can be configured as a proxy client if you provide the IP address of your proxy server and, optionally, a username/password. See Scanner Appliance: Management Communications and Scanner Appliance FAQs: Tell Me About Proxy Support for more.
OUTBOUND
  What: Management polling from appliance to Platform
  When: Every 3 minutes by default (configurable from 1 - 60 minutes)
  Source: appliance [IP address as configured]
  Protocol: TCP
  Port / Service: 443 (HTTPS)
  Destination: Appliance services @ Qualys Cloud Platform [IP address as specified in Help > About section of UI]

INBOUND
  What: Responses from Platform, established sessions only
  Source: Appliance services @ Qualys Cloud Platform [IP address as specified in Help > About section of UI]
  Protocol: TCP
  Port / Service: any high port (>=1024)
  Destination: appliance [IP address as configured]

Connectivity to Amazon EC2 API endpoints

Forward proxy server is not supported. Note that the appliance's communications with the EC2 API endpoint are not "management" connections but, rather, part of the act of scanning. Much as the appliance must contact a DNS server to resolve FQDNs to IP addresses, it must contact the EC2 API endpoint to resolve EC2 Instance IDs to IP addresses. The communication to the EC2 API will not be routed through the proxy server that you may have configured for appliance management communications with the Qualys Cloud Platform (see above). The scanner appliance must communicate directly with the EC2 API, or through a fully transparent proxy or filtering technology. If the appliance cannot reach the EC2 API endpoint, any EC2 Scan job you initiate cannot succeed: the scan will conclude without scanning any of the EC2 instance targets, because the appliance will not be able to resolve the list of target instance IDs to IP addresses.

OUTBOUND
  What: Lookup against EC2 APIs to confirm target details.
  When: At beginning of scan launch
  Source: appliance [IP address as configured]
  Protocol: TCP
  Port / Service: 443 (HTTPS)
  Destination: EC2 API endpoint for the Region in which the scanner is deployed. See AWS documentation for URLs. [EC2 API URLs resolve to various IP addresses]

INBOUND
  What: Responses from EC2 API endpoint, established sessions only
  Source: Appliance services @ Qualys Cloud Platform [EC2 API endpoint IP addresses are variable]
  Protocol: TCP
  Port / Service: any high port (>=1024)
  Destination: appliance [IP address as configured]

Active scanning of target instances

OUTBOUND
  What: Active scanning from the appliance instance to the target instances
  When: Whenever scans are launched/scheduled.
  Source: appliance [IP address as configured]
  Protocol: any
  Port / Service: any
  Destination: target instance [IP address as configured]

INBOUND
  What: Responses from target instances being scanned
  Source: target instance [IP address as configured]
  Protocol: any
  Port / Service: any
  Destination: appliance [IP address as configured]
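The three paths above, as an added example that is not part of this document and not Qualys' own tooling: a small Python checker that models a security-group or network-ACL style rule set for the appliance and reports which required path it does not permit. It encodes the caveat from the EC2 API section (management traffic goes to the forward proxy when one is configured, but the EC2 API lookup always needs a direct path) and, for stateless filters, the need for an explicit rule covering the reply traffic on high ports. The Rule/Path model, the function names and every address are constructed assumptions; the addresses are taken from documentation ranges and are not real Qualys or AWS endpoints.

```python
"""Added example (not Qualys code): check a constructed rule set against the
three communication paths the Pre-Authorized appliance needs.  All addresses
and CIDRs below are constructed placeholders, not real Qualys or AWS endpoints."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_PORTS = (0, 65535)
HIGH_PORTS = (1024, 65535)   # replies land on "any high port (>=1024)"


@dataclass(frozen=True)
class Rule:
    direction: str   # "egress" or "ingress", relative to the appliance
    protocol: str    # "tcp", "udp", "icmp" or "any"
    ports: tuple     # inclusive (low, high) port range; ANY_PORTS for all
    cidr: str        # remote network the rule covers


@dataclass(frozen=True)
class Path:
    name: str
    protocol: str    # "tcp" or "any"
    port: int        # destination port; ignored when protocol is "any"
    remote: str      # a remote address the appliance must reach


def required_paths(platform_ip: str, ec2_api_ip: str, target_ip: str,
                   proxy_ip: Optional[str] = None) -> List[Path]:
    # Management traffic goes to the forward proxy when one is configured;
    # the EC2 API lookup is never proxied, so it always needs a direct path.
    mgmt_remote = proxy_ip if proxy_ip else platform_ip
    return [
        Path("management polling to Qualys Cloud Platform", "tcp", 443, mgmt_remote),
        Path("lookup against EC2 API endpoint", "tcp", 443, ec2_api_ip),
        Path("active scanning of target instances", "any", 0, target_ip),
    ]


def _covers(rule: Rule, direction: str, protocol: str, port: int, remote: str) -> bool:
    """True when the rule permits this direction/protocol/port to the remote address."""
    if rule.direction != direction:
        return False
    if ipaddress.ip_address(remote) not in ipaddress.ip_network(rule.cidr):
        return False
    if protocol == "any":   # scanning needs any protocol on any port
        return rule.protocol == "any" and rule.ports == ANY_PORTS
    if rule.protocol not in ("any", protocol):
        return False
    return rule.ports[0] <= port <= rule.ports[1]


def _reply_covered(rules: List[Rule], path: Path) -> bool:
    """Stateless filters need an explicit ingress rule for the reply traffic."""
    if path.protocol == "any":
        return any(_covers(r, "ingress", "any", 0, path.remote) for r in rules)
    return any(r.direction == "ingress"
               and r.protocol in ("any", path.protocol)
               and r.ports[0] <= HIGH_PORTS[0] and r.ports[1] >= HIGH_PORTS[1]
               and ipaddress.ip_address(path.remote) in ipaddress.ip_network(r.cidr)
               for r in rules)


def missing_paths(rules: List[Rule], paths: List[Path], stateful: bool = True) -> List[str]:
    """Names of the required paths that the rule set does not permit."""
    missing = []
    for p in paths:
        if not any(_covers(r, "egress", p.protocol, p.port, p.remote) for r in rules):
            missing.append(p.name)
        elif not stateful and not _reply_covered(rules, p):
            missing.append(p.name + " (reply traffic)")
    return missing


# Constructed placeholder addresses (documentation ranges, not real endpoints).
PLATFORM_IP = "203.0.113.10"
EC2_API_IP = "198.51.100.20"
PROXY_IP = "10.0.1.5"
TARGET_IP = "10.0.2.7"

GOOD_RULES = [
    Rule("egress", "tcp", (443, 443), "10.0.1.5/32"),       # to the forward proxy
    Rule("egress", "tcp", (443, 443), "198.51.100.0/24"),   # direct to the EC2 API
    Rule("egress", "any", ANY_PORTS, "10.0.2.0/24"),        # scan the target subnet
]
# The mistake the document warns about: only the proxy is reachable, so the
# (unproxied) EC2 API lookup fails and the scan finds no targets.
PROXY_ONLY_RULES = [
    Rule("egress", "tcp", (443, 443), "10.0.1.5/32"),
    Rule("egress", "any", ANY_PORTS, "10.0.2.0/24"),
]

if __name__ == "__main__":
    paths = required_paths(PLATFORM_IP, EC2_API_IP, TARGET_IP, proxy_ip=PROXY_IP)
    print(missing_paths(GOOD_RULES, paths))        # []
    print(missing_paths(PROXY_ONLY_RULES, paths))  # ['lookup against EC2 API endpoint']
```

Run with `stateful=False` to model a network ACL, which has no connection tracking: every path then also needs an ingress rule from the remote covering the high-port range (or any/any for the scan targets), exactly the INBOUND rows in the tables above.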

These articles provide some further detail on these topics:

Scanner Appliance: Management Communications

Virtual Scanner Management Communications: Amazon EC2-Classic
