Coda Footprint Internal Scanner is now part of the AWS Marketplace
Have a running MSP Console instance that is reachable on HTTPS from the Internal Scanner that is to be deployed.
Configure a FQDN for the MSP Console that can be resolved by the Internal Scanner.
Have IP [OSI Layer 3] reachability from the AWS Subnet where the scanner is provisioned to the future Scan Target / Destination Subnets.
Allow access from the Scanner to the Console Machine over HTTPS, TCP/15671, TCP/15672, TCP/5671, TCP/5672
Note: Restricting traffic would show inaccurate Scan Results, as not all ports would be reachable.
Attention: Scanning over VPN or Firewall may produce overhead and performance issues. Make sure to configure scans to run outside business hours.
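The prerequisites above boil down to two checks the scanner host must pass before registration: the Console FQDN resolves, and the Console answers on HTTPS and the four broker ports. The following pre-flight script is an added example and is not part of the vendor documentation or the appliance itself; the console name, the timeout and the HTTPS port number 443 are assumptions you replace with your own values. The same probe function can be pointed at a future Scan Target subnet to confirm Layer 3 reachability before scheduling a scan.

```python
"""Pre-flight reachability check for a Coda Footprint Internal Scanner.

Added example (not vendor code). Run it from the scanner host, or from a
host in the same AWS subnet, before entering the Console FQDN and token:
it resolves the FQDN and attempts a TCP handshake on every port the
scanner needs on the MSP Console. CONSOLE_FQDN is a placeholder.
"""
import socket

# Ports the scanner must reach on the MSP Console: HTTPS (assumed 443)
# plus the four ports listed in the prerequisites.
CONSOLE_PORTS = (443, 15671, 15672, 5671, 5672)

CONSOLE_FQDN = "console.example.com"  # placeholder, replace with your own


def resolve_fqdn(fqdn):
    """Return the sorted list of addresses fqdn resolves to, or [] if it does not."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_port_open(host, port, timeout=3.0):
    """True only if a full TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timed out, unreachable
        return False


def check_console_reachability(fqdn, ports=CONSOLE_PORTS, timeout=3.0):
    """Resolve fqdn and probe each port; returns {port: reachable}.

    An FQDN that does not resolve marks every port unreachable, which is
    the same failure the scanner would hit when it tries to register.
    """
    if not resolve_fqdn(fqdn):
        return {port: False for port in ports}
    return {port: tcp_port_open(fqdn, port, timeout) for port in ports}


def missing_ports(results):
    """Return the ports that were unreachable, so a run can exit non-zero on them."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    addresses = resolve_fqdn(CONSOLE_FQDN)
    print(f"{CONSOLE_FQDN} resolves to: {addresses or 'NOTHING (fix DNS first)'}")
    results = check_console_reachability(CONSOLE_FQDN)
    for port, ok in results.items():
        print(f"  tcp/{port}: {'reachable' if ok else 'BLOCKED'}")
    blocked = missing_ports(results)
    if blocked:
        print(f"Open outbound tcp/{','.join(map(str, blocked))} in the "
              "scanner's Security Group and the Console's firewall before registering.")
    raise SystemExit(1 if blocked else 0)
```

A port reported as BLOCKED after a timeout rather than an immediate refusal usually means a Security Group or firewall is silently dropping the traffic, which is the case the note above warns about: the scanner will register and then report incomplete results.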
In order to deploy an Internal Scanner in the AWS Marketplace you would need to follow the below instructions:
Connect to your AWS Management Console and choose “Launch a virtual machine”.
This takes you to the following screen:
Step 1: Choose an Amazon Machine Image (AMI)
Pick AWS Marketplace and write “Footprint Cloud Appliance” in the search bar
Click “Select” and proceed to the next step.
The minimum specifications for the Footprint Cloud Appliance are 2 CPUs and 4 GB of RAM; the recommended ones are 4 CPUs and 8 GB of RAM. Ideally, use a machine with at least 2 CPUs and 8 GB of RAM for a larger Scan Surface target.
Step 2: Choose an Instance Type
For this deployment we may choose a t3.large.
Click “Next: Configure Instance Details“
Step 3: Configure Instance Details
Select the correct VPC and Subnet. If needed also assign a Public IP.
Make sure to assign an IP and write it down for later; otherwise you will have to look up the DHCP-assigned IP after the deployment.
Click “Next: Add Storage”
Step 4: Add Storage
Check to have the minimal 50GB of disk space.
Click “Next: Add Tags”
Step 5: Add Tags
Add any relevant tags that may be used to identify this machine later and click “Next: Configure Security Group”
Step 6: Configure Security Group
Make sure to allow SSH and HTTP TCP/8080 traffic inbound in order to configure the scanner. Later you may remove the ports or add restrictions so that access is only allowed from your organization's source IPs.
Important: Make sure to edit the Security Group and add your own real source IPs, as the AWS default rule allows access only from 220.127.116.11 (Custom). You need to provision at least HTTP 8080.
You will also need to allow all outbound ports for better visibility into scans. Remember to also allow access into other Security Groups from the Internal Scanner's IP address in order to be able to scan other subnets.
Note: The Internal Scanner needs to be able to reach its Scan Targets over as many ports as possible, but at least the well-known service ports and especially the ports that you know you are using for your provisioned applications.
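Step 6 is the one place in this deployment where a slip leaves a management port exposed to the Internet, so it is worth scripting both the restriction and a check of the result. The script below is an added example, not vendor code: it builds the two inbound rules the step asks for (SSH and TCP/8080) limited to your organization's source CIDRs, refuses world-open ranges, applies them with boto3, and audits an existing group description for any rule that still admits 0.0.0.0/0 or ::/0. ORG_CIDRS and SG_ID are placeholders, and the documentation-ranges used as sample values are constructed.

```python
"""Restrict and audit the Internal Scanner's Security Group.

Added example (not vendor code). build_scanner_ingress() produces the
IpPermissions structure that boto3's authorize_security_group_ingress
expects, limited to the organisation's own CIDRs; audit_open_rules()
reads a security group as returned by describe_security_groups and
reports every rule still open to the whole Internet.
"""
import ipaddress

# Inbound ports the guide asks for during scanner configuration.
SCANNER_ADMIN_PORTS = {22: "SSH management", 8080: "Scanner setup UI"}

ORG_CIDRS = ["203.0.113.0/24"]   # placeholder: your organisation's source ranges
SG_ID = "sg-PLACEHOLDER"          # placeholder: the scanner's Security Group id

WORLD = ("0.0.0.0/0", "::/0")


def validate_org_cidrs(cidrs):
    """Return the CIDRs normalised; reject malformed or world-open ranges."""
    clean = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError if malformed
        if str(net) in WORLD:
            raise ValueError(f"{cidr} would expose the scanner to the whole Internet")
        clean.append(str(net))
    return clean


def build_scanner_ingress(org_cidrs, ports=SCANNER_ADMIN_PORTS):
    """One tcp rule per admin port, each limited to the validated org CIDRs."""
    cidrs = validate_org_cidrs(org_cidrs)
    perms = []
    for port, description in sorted(ports.items()):
        v4 = [c for c in cidrs if ":" not in c]
        v6 = [c for c in cidrs if ":" in c]
        rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "IpRanges": [{"CidrIp": c, "Description": description} for c in v4]}
        if v6:
            rule["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": description} for c in v6]
        perms.append(rule)
    return perms


def audit_open_rules(security_group):
    """Return [(port_or_'all', cidr)] for every inbound rule open to the world."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        port = "all" if rule.get("IpProtocol") == "-1" else rule.get("FromPort")
        ranges = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        ranges += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        findings.extend((port, cidr) for cidr in ranges if cidr in WORLD)
    return findings


def apply_ingress(sg_id, perms):
    """Add the rules to the group; boto3 is imported here so the rest runs offline."""
    import boto3  # requires AWS credentials and ec2:AuthorizeSecurityGroupIngress
    ec2 = boto3.client("ec2")
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms)
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    return audit_open_rules(sg)


if __name__ == "__main__":
    leftovers = apply_ingress(SG_ID, build_scanner_ingress(ORG_CIDRS))
    for port, cidr in leftovers:
        print(f"WARNING: tcp/{port} is still open to {cidr}; remove that rule")
```

Run the audit again after the scanner is Online, once you have removed or narrowed the setup ports, and keep outbound unrestricted as the step requires so scan coverage is not silently reduced.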
Click “Review and Launch”
Click “Launch” and proceed to select a key pair to use for SSH management of this machine.
Check “I acknowledge” and proceed with clicking “Launch instances”
The instance is now being provisioned. When it is ready, connect either from a Bastion Host on its Private IP or from an Elastic Public IP to its TCP/8080 interface using HTTPS.
Remember to Edit the Security Group and allow access to the console machine or “FQDN URL” for HTTPS and TCP/15671, TCP/15672, TCP/5671, TCP/5672.
After the instance is provisioned you need to connect and assign the FQDN URL and TOKEN ID presented in the Scan Surface > Agentless Surface > Setup Scanners tab.
Add the Name, FQDN and TOKEN and press Save. Within a few minutes the scanner should change state to Online. The Internal Scanner will now pull all required updates.
Note: The scanner needs to be configured from http://<hostip>:8080 with the correct Console FQDN and Token.
Click Scan Surface > Agentless Surface > Deployed Scanners
Look for the new Internal Scanner by name and check that its State is Active. This confirms that it is fully operational and can be selected when adding Scan Surface targets.