Insight Agent using the Collector instead of direct communication

Hello Everyone,

Can the Insight Agent use the collector as its primary communication path to Rapid7 instead of communicating directly with the platform?

If yes, can we configure the agent to "block" direct communication in the case where only communication with the collector is allowed?

For mass deployment of the agents using the collector as the primary communication path, should we use the token-based or the certificate package method?


Hi @kevin_sh,

As far as I know you can't force the R7 Insight Agent to take a specific route. It'll always check the possibilities, e.g. the direct route or via the collector, and if there are multiple collectors, which one of those.

However, you can block the direct communication by blocking the specific IP addresses for your data region, see here: Networking | Insight Agent Documentation, if that's what you need.

But I wouldn't recommend it unless you have at least two collectors set up for redundancy. I use the direct connection for redundancy purposes as well. All of my clients which can reach the collector use the collector. Only remote/roaming computers that are not directly connected to our network go right into the cloud.

In our environment (~750 assets) we use the token-based deployment and are very happy with it (mass-deploying the client with PDQ).

Best regards
Robert


Thank you for your quick reply, it's very helpful.

But when I try to install the agent with this command in CMD:

msiexec /i agentInstaller-x86_64.msi /l*v insight_agent_install_log.log CUSTOMTOKEN=<token> HTTPSPROXY=<collector-ip>:8037

After it is successfully installed, it shows me that it is directly connected to the platform and not to the collector.

Do you have any idea what changes I should make to use the collector as the primary connection instead of the direct route?

Can you verify that the collector is running and in a healthy state? You can check that on the Insight Platform under Data Collection Management. And as I've said, as far as I know you can't force the Insight Agent to use a specific route, nor which route to use primarily.

I've double-checked my environment and there are some clients directly connected which could or should connect via the collector, but I guess the direct route is faster and that's the reason the Insight Agent connects directly to the platform. This is okay for my environment because right now there is only one collector running on premises and the backup route is the direct connection to the platform.

However, you can try to block the communication on the firewall (to the internet or to the specific platform region IPs) for a test client and see if the Insight Agent changes its route.


Hi folks, @kevin_sh

The agent management pane showing "Direct to Platform" when using the collector as a proxy over port 8037 is expected behavior today.

That Connection Path column will only show a collector name if port 5508 is used. Port 5508 is the native communication method, whereas port 8037 is the HTTPS proxy port on the collector.

We are working with the product team to enhance this behavior as you are not the first customer to stumble upon this.

Today the platform only makes a distinction between "Direct to Platform" and native Agent<->Collector communication. We don't have the concept of a proxy connection path today, but we plan to add this.

David


First of all, thank you all for helping me with this issue.

A last question from my side to better understand this issue: if I want the agents to communicate with the collector, should I open the respective ports 5508, 6608 and 8037 (outbound from the agent, inbound to the collector)?

Or is the communication between the collector and the agent set up automatically, so that no configuration needs to be made and I should only run the .msi file without making any other changes (in the case of mass-deploying the agent with the token method)?

Hi Kevin,

If you don't install using the proxy method, the agent will attempt to connect to collectors over port 5508 for most communications and port 6608 for updates. The bootstrap component (command and control of the agent, see How the Insight Agent Works | Insight Agent Documentation) will use port 8037.

https://docs.rapid7.com/insight-agent/networking/#collector-proxy-requirements

If you are using the token install method and machines don't have another route to the internet, however, you will need to use the proxy parameter, in which case you must use port 8037. If the proxy is configured, ports 5508 and 6608 are not used. They would only be used as a fallback if the agent cannot make a connection over port 8037.

David

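The port roles David describes (5508 and 6608 for the native collector path, 8037 for the proxy/bootstrap path, 443 for direct-to-platform) are easy to check from a candidate client before the MSI ever runs. The script below is an added example, not code from the thread or from Rapid7: it probes each port with a TCP handshake and a timeout and reports which path that subnet can actually use. The `-Collector` value is a placeholder for your collector's hostname or IP, and `-PlatformHost`, if given, is assumed to be one of the regional platform endpoints listed in the Networking documentation.

```powershell
<#
  Added example (not from the thread or Rapid7): probe the collector ports David lists
  from a client before deploying, to learn which path is open from there.
  Assumptions: -Collector is your collector hostname/IP (placeholder);
  -PlatformHost, if supplied, is a regional platform endpoint from the Networking doc.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$Collector,
    [string]$PlatformHost,
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    # $true only if a TCP handshake completes within the timeout.
    # A firewall drop (timeout) and a refusal (no listener) both yield $false.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        if (-not $task.Wait($TimeoutMs)) { return $false }
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

# Port roles as described in the thread; the Networking doc is the canonical list.
$probes = @(
    @{ Host = $Collector; Port = 5508; Role = 'native agent<->collector: most communications' },
    @{ Host = $Collector; Port = 6608; Role = 'native agent<->collector: updates' },
    @{ Host = $Collector; Port = 8037; Role = 'collector HTTPS proxy / bootstrap' }
)
if ($PlatformHost) {
    $probes += @{ Host = $PlatformHost; Port = 443; Role = 'direct to platform' }
}

$results = foreach ($p in $probes) {
    [pscustomobject]@{
        Target = '{0}:{1}' -f $p.Host, $p.Port
        Role   = $p.Role
        Open   = Test-TcpPort -ComputerName $p.Host -Port $p.Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

$open = @{}
foreach ($r in $results) { $open[$r.Target] = $r.Open }

if ($open["${Collector}:5508"] -and $open["${Collector}:6608"]) {
    'Native collector path is open: a plain token install (no HTTPSPROXY) can use it.'
} elseif ($open["${Collector}:8037"]) {
    'Only 8037 is open: install with HTTPSPROXY=<collector>:8037. The console will still show "Direct to Platform".'
} elseif ($PlatformHost -and $open["${PlatformHost}:443"]) {
    'No collector path: the agent can only go direct to the platform over 443.'
} else {
    'Neither the collector nor the platform is reachable from this client.'
}
```

Run it once per network segment you plan to deploy into (for example `.\Test-CollectorPath.ps1 -Collector collector01.corp.example`, both names being placeholders). A closed 5508/6608 with an open 8037 is the situation from earlier in the thread where the console reports "Direct to Platform" even though traffic is proxied through the collector.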

What settings did you use for the packages on PDQ deploy?

Hi Iscebbi,

We download the newest version of the client every month and use the following parameters for PDQ:

/l*v insight_agent_install_log.log /quiet CUSTOMTOKEN=XXX, where XXX is the token from your environment.

This works very well for us. On the firewall, port 443 is open to the specific Insight Platform regional IPs, and we also use a local collector which most of our clients are connected to.
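For a mass deploy that runs a script per client (PDQ, SCCM, Intune), the bare msiexec lines Kevin and Robert posted are usually wrapped so that exit codes and the resulting service state are checked. The script below is an added example, not code from the thread, from PDQ or from Rapid7. It assumes `-Token` is the token from your Insight environment (placeholder), that the MSI sits beside the script, and that the Windows service the Insight Agent registers is named `ir_agent`; verify that last assumption with `Get-Service` on one installed client and adjust if it differs. `-Collector` is only set for clients that, as David explains, have no other route to the internet.

```powershell
<#
  Added example (not from the thread, PDQ or Rapid7): per-client install wrapper around
  the msiexec command lines posted above.
  Assumptions: -Token is your environment's token (placeholder); the MSI is beside the
  script; 'ir_agent' is the Insight Agent's Windows service name (verify on one client).
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$Token,
    [string]$Collector,   # set only when the client has no other route to the internet
    [string]$Msi = (Join-Path $PSScriptRoot 'agentInstaller-x86_64.msi'),
    [string]$Log = (Join-Path $env:TEMP 'insight_agent_install_log.log')
)

if (-not (Test-Path $Msi)) { throw "MSI not found: $Msi" }

# /norestart keeps a mass deploy from rebooting clients; exit code 3010 signals a pending reboot.
$msiArgs = @('/i', "`"$Msi`"", '/quiet', '/norestart', '/l*v', "`"$Log`"", "CUSTOMTOKEN=$Token")
if ($Collector) {
    # Forces the 8037 HTTPS proxy path. Per David's reply, the console then shows
    # "Direct to Platform" even though traffic goes through the collector.
    $msiArgs += "HTTPSPROXY=${Collector}:8037"
}

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0    { Write-Host 'Insight Agent installed.' }
    3010 { Write-Host 'Insight Agent installed; reboot required.' }
    default {
        Write-Error "msiexec exited with code $($proc.ExitCode); see $Log"
        exit $proc.ExitCode
    }
}

# Post-install check: the agent service must be running (service name is an assumption, see above).
$svc = Get-Service -Name 'ir_agent' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Error "ir_agent service not running after install (status: $($svc.Status))"
    exit 1
}

# A verbose MSI log records public property values, so it contains CUSTOMTOKEN.
# Once the install is confirmed, remove it rather than shipping it to a shared log store.
Remove-Item $Log -ErrorAction SilentlyContinue
```

Invoke it as `.\Install-InsightAgent.ps1 -Token <token>` for clients with a direct route, or add `-Collector collector01.corp.example` (placeholder) for isolated subnets. The token also appears in the msiexec command line while the installer runs, so treat the deploy tool's job output with the same care as the log.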