Enable network scans

Before you begin

  • The DigiCert® Trust Lifecycle Manager Network Discovery feature must be enabled for your account in DigiCert® Account Manager. Contact your DigiCert account representative to verify or enable this feature.

  • To configure network scans, you need the Manager user role for DigiCert® Trust Lifecycle Manager or a custom user role that includes the Network scans "Manage" permission. To learn more, see Users and access.

  • You need an active DigiCert sensor with visibility of the scan targets on your network. See Deploy and manage sensors.

  • Gather needed information:

    • The name of the sensor to use.

    • The business unit to assign the network scan to (only users assigned to this business unit can manage the scan).

    • The ports you want to scan.

    • The FQDNs and/or IP addresses you want to scan.

    • Whether you are using Server Name Indication (SNI) to serve multiple domains from a single IP address.

Set up a scan

  1. In the Trust Lifecycle Manager main menu, select Discovery & automation tools > Network scans.

  2. On the Network scans page, select Add scan.

    Work through each page of settings and enter your selections, as described below.

    Select Next to move to the next page or Back to move to the previous page.

  3. On the General information page, configure the basic properties for the new scan:

    • Scan name: Name your scan so you can easily identify it (names become more important when you have multiple scans).

    • Business unit: Choose the network scan’s business unit. Only users assigned to this business unit can manage the scan.

    • Scan type:

      • Select Sensor scan. This option is used to securely scan a private network using a local DigiCert sensor.

      • In the Sensor dropdown, select the local DigiCert sensor to use for this scan. The sensor must have visibility of the IP addresses/FQDNs and port numbers to scan on the local network.

      Note

      The Cloud scan option is used to scan public hosts on the internet and does not require a sensor. To learn more, see Cloud scans.

  4. On the Scan targets page, provide the information about the targets to scan:

    • Port numbers: Specify the ports you want to scan for TLS/SSL certificates:

      • All to include all ports in a specified range.

      • Default to include ports commonly used for TLS/SSL certificates: 110 (POP3), 143 (IMAP), 389 (LDAP), 443 (HTTPS), 465 (SMTPS), 636 (LDAPS), 3389 (RDP), 8443 (alternate HTTPS).

      • Custom to include ports of your choice.

    • Server Name Indication (SNI): If a single IP address serves multiple domains by SNI, enable SNI for the scan so that each FQDN is sent in the TLS handshake and the certificate for that name is retrieved, rather than only the server's default certificate. An SNI scan is limited to a maximum of 10 ports per server, and its results may not include IP information.

    • TDS protocol scanning: Enable this option if you want to discover certificates on Microsoft SQL Server or SAP/Sybase ASE. After enabling it, you can configure the scan to use the Tabular Data Stream (TDS) default port 1433, or select Custom and enter a custom TDS port number to scan.

      Note

      TDS protocol scanning requires sensor version 3.9.5 or later.

    • IP addresses/FQDNs:

      Include FQDNs and IP addresses: Enter the FQDNs and IP addresses you want to include in the scan and select Include. You can include a single IP address (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).

      Exclude FQDNs and IP addresses: Enter the FQDNs or IP addresses you want to exclude (for example, hosts that fall inside an included range) and select Exclude. You can exclude a single IP address (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).

      Alternatively, you can import from a CSV file to include or exclude IP addresses/FQDNs.

      Note

      Make sure the IP addresses/FQDNs added to the scan list are not duplicate entries and are valid. Wildcard domains are not supported.

      Optionally, use the actions in the Included or Excluded lists to make any needed adjustments. Select one or more IPs or FQDNs in each list and then select one of the available actions:

      • Exclude IPs/FQDNs: To move selections from the Included to the Excluded list.

      • Include IPs/FQDNs: To move selections from the Excluded to the Included list.

      • Delete: To delete selections from either list.
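Before pasting a long target list or importing it from CSV, it is worth validating it the way the note above requires (valid entries, no duplicates, no wildcards) and checking what the Included and Excluded lists actually resolve to. The following Python script is an added example written for this page; it is not part of Trust Lifecycle Manager or its CSV import. It accepts the three IP forms the form documents (single IP, hyphenated range, CIDR block) plus plain FQDNs, rejects wildcards and duplicates, and computes the effective target set after exclusions. The sample lists are constructed, and rejecting a CIDR block with host bits set (10.0.0.1/24) is this script's own choice, not documented product behaviour.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Hostname labels as this script accepts them (assumption: RFC 1123 letters,
# digits and hyphens, no leading or trailing hyphen, no wildcards or underscores).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_target(entry: str) -> Tuple[str, object]:
    """Classify one list entry in the forms the scan form documents.

    Returns ("net", IPv4Network/IPv6Network) for a single IP or CIDR block,
    ("range", (first, last)) for a hyphenated IP range, or ("fqdn", name).
    Raises ValueError for anything that should not be pasted into the form.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if "*" in entry:
        raise ValueError(f"wildcard domains are not supported: {entry}")
    parts = entry.split("-")
    if len(parts) == 2:  # hyphenated range such as 10.0.0.1-10.0.0.255
        try:
            first, last = (ipaddress.ip_address(p.strip()) for p in parts)
        except ValueError:
            pass  # not two IPs, so it may be a hostname containing a hyphen
        else:
            if first.version != last.version or first > last:
                raise ValueError(f"invalid IP range: {entry}")
            return "range", (first, last)
    try:  # single IP (becomes a /32 or /128) or CIDR block; host bits must be zero
        return "net", ipaddress.ip_network(entry)
    except ValueError as exc:
        if "/" in entry:
            raise ValueError(f"invalid CIDR block {entry}: {exc}") from None
    name = entry.rstrip(".").lower()
    if name and all(_LABEL.match(label) for label in name.split(".")):
        return "fqdn", name
    raise ValueError(f"not a valid IP address, range, CIDR block or FQDN: {entry}")


def _key(kind: str, value: object) -> Tuple[str, str]:
    """Normalised identity, so 10.0.0.1 and 10.0.0.1/32 count as duplicates."""
    if kind == "range":
        return kind, f"{value[0]}-{value[1]}"
    return kind, str(value)


def problems(entries: Iterable[str]) -> List[str]:
    """Every reason the form would reject a list: invalid entries and duplicates."""
    seen, errors = set(), []
    for entry in entries:
        try:
            kind, value = parse_target(entry)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        key = _key(kind, value)
        if key in seen:
            errors.append(f"duplicate entry: {entry.strip()}")
        seen.add(key)
    return errors


def size(kind: str, value: object) -> int:
    """How many addresses (or names) an entry stands for, without expanding it."""
    if kind == "net":
        return value.num_addresses
    if kind == "range":
        return int(value[1]) - int(value[0]) + 1
    return 1


def expand(kind: str, value: object) -> Set[object]:
    """All addresses (or the single name) an entry stands for."""
    if kind == "net":
        return set(value)  # every address in the block, network and broadcast included
    if kind == "range":
        first, last = value
        return {first + i for i in range(size(kind, value))}
    return {value}


def build_scan_list(include: Iterable[str], exclude: Iterable[str],
                    max_addresses: int = 1 << 16) -> Tuple[Set[object], Set[str]]:
    """Validate both lists and return (IP targets, FQDN targets) after exclusions."""
    include, exclude = list(include), list(exclude)
    errors = problems(include) + problems(exclude)
    if errors:
        raise ValueError("; ".join(errors))
    ips: Set[object] = set()
    names: Set[str] = set()
    for entry in include:
        kind, value = parse_target(entry)
        if kind != "fqdn" and len(ips) + size(kind, value) > max_addresses:
            raise ValueError(f"more than {max_addresses} addresses; split the scan")
        (names if kind == "fqdn" else ips).update(expand(kind, value))
    for entry in exclude:
        kind, value = parse_target(entry)
        (names if kind == "fqdn" else ips).difference_update(expand(kind, value))
    return ips, names


# Constructed sample lists, the kind you would paste into the form or import from CSV.
INCLUDE = ["10.0.0.0/24", "10.0.1.10-10.0.1.20", "vpn.example.com", "mail.example.com."]
EXCLUDE = ["10.0.0.1", "10.0.0.250-10.0.0.255", "mail.example.com"]

if __name__ == "__main__":
    ips, names = build_scan_list(INCLUDE, EXCLUDE)
    print(f"{len(ips)} IP targets, FQDN targets: {sorted(names)}")
    for bad in (["*.example.com"], ["10.0.0.1/24"], ["10.0.0.1", "10.0.0.1/32"]):
        print(bad, "->", problems(bad))
```

The normalisation in `_key` is what catches the duplicates the note warns about: `10.0.0.1` and `10.0.0.1/32`, or `mail.example.com` and `mail.example.com.`, are the same target even though the strings differ. Running the sample resolves to 260 addresses and one FQDN, because the excluded address and range are removed from the included /24 and the excluded name cancels its include.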

  5. On the Scan options page, customize the information to be included in your scan results:

    • Discovery settings:

      Optimize for best performance: The optimized scan provides basic TLS/SSL certificate and server information.

      Choose what to scan: Include custom information in your scan results.

      • Configured cipher suites and TLS/SSL protocols: Discover the cipher suites and TLS/SSL protocols configured on your server for establishing secure client-server communications.

        Note

        Cipher scan in Trust Lifecycle Manager works with sensor version 3.8.60 and later.

      • Handshake TLS/SSL protocols: Check whether the SSLv2, SSLv3, TLSv1.0, and TLSv1.1 protocols are enabled for handshaking. All four are deprecated (SSLv2 by RFC 6176, SSLv3 by RFC 7568, TLS 1.0 and 1.1 by RFC 8996), so this check is how you find endpoints that still accept legacy clients.

      • Host IP addresses: Update the host's IP addresses each time you scan. Recommended if the host's IP addresses change frequently.

        You can also select the OS and Server Application options here for updated information about:

        • Operating system

        • Server type

        • Server application

        • Application version

      Note

      Adding more scan options increases the scan’s burden on network resources, resulting in a longer scan time.

      Business unit: (Optional) Assign a business unit to the discovered certificates.

      Tags: (Optional) Assign tags to all certificates found during the network scan. Tags help to identify and manage the certificates in Trust Lifecycle Manager.

      Certificate assignment rules: (Optional) Select assignment rules for automatically assigning metadata to the discovered certificates.

    • Advanced settings:

      Scan performance: Use the scan options (aggressive, balanced, slow) to configure how quickly the scan is completed or to limit the impact of scans on network resources. For details, see Types of scans.

      Additional settings:

      • Specify ports to scan to verify host availability: The ports you specify here are used only to verify host availability. The first step in the scan process pings the host to confirm that it is reachable. If Internet Control Message Protocol (ICMP) pings are blocked on a host, use this setting to list the ports the sensor can probe instead to verify that the host is up. The fewer ports specified, the faster your scan.

  6. On the Schedule page, configure when to run the scan:

    • Configure your scan to run now or schedule it for later.

    • To set a limit for how long an unfinished scan should run before you stop it, select Stop if scan time exceeds and select a maximum run time.

  7. Save and schedule/Save and run.

    When you are done configuring, save your scan:

    • To run it now, select Save and run.

    • To run it later, select Save and schedule.

    Once the scan starts to run, the status can be tracked in the Network scans page.

Types of scans

Aggressive scans

Use this scan when you need a very fast network scan. Aggressive scans place a larger burden on network resources: they increase parallelism and send out a large number of probes at once, producing high network traffic, and they wait less time for a response before treating a probe as timed out. The result is a faster scan, but on a high-latency target network the shorter timeouts can reduce accuracy because slow-responding hosts may be missed.

Aggressive scans are generally three to four times faster than slow scans, but can sometimes take longer depending on the network's ability to handle the traffic. The burst of probes may also trigger false alarms on an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS); notify the team operating those systems, or allow-list the sensor's address, before running aggressive scans.

Balanced scans (default)

Use this scan when you want to optimize speed and scan accuracy. These scans are not as fast as aggressive scans, but put less burden on network resources.

Slow scans

Use this scan when you want to ensure complete accuracy on high-latency networks, and when there aren't any real-time constraints. These scans operate at a low speed and limit the impact of the scan on network resources. The scan sends a few probes at a time and waits longer for an acknowledgment, before sending more probes.
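To make the host-availability setting from step 5 and the three performance profiles above concrete, here is an added Python example written for this page (it is not the DigiCert sensor's code). It verifies that a host is up with TCP connection attempts instead of ICMP, stopping at the first port that answers, and runs the sweep with a profile's parallelism and per-probe timeout. The profile values are hypothetical, chosen only to show the direction of the trade-off the page describes, and the demo runs entirely on loopback with one listening port and one port known to be closed.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Optional

# Hypothetical profile parameters: more parallelism and a shorter per-probe timeout as
# the profile gets more aggressive. They illustrate the trade-off only and are not the
# sensor's internal settings.
PROFILES: Dict[str, Dict[str, float]] = {
    "aggressive": {"parallelism": 64, "timeout": 0.2},
    "balanced": {"parallelism": 16, "timeout": 1.0},
    "slow": {"parallelism": 2, "timeout": 3.0},
}


def tcp_probe(host: str, port: int, timeout: float) -> bool:
    """One availability probe: a completed TCP handshake proves the host is up,
    even when it drops ICMP echo requests."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def host_available(host: str, probe_ports: List[int], timeout: float) -> Optional[int]:
    """Return the first probe port that answered, or None if none did.

    A host that is down (or silently drops every probe) costs len(probe_ports) * timeout,
    which is why fewer probe ports and a shorter timeout make the sweep faster.
    """
    for port in probe_ports:
        if tcp_probe(host, port, timeout):
            return port
    return None


def sweep(hosts: Iterable[str], probe_ports: List[int],
          profile: str = "balanced") -> Dict[str, Optional[int]]:
    """Probe many hosts with the parallelism and timeout of the chosen profile."""
    params = PROFILES[profile]
    with ThreadPoolExecutor(max_workers=int(params["parallelism"])) as pool:
        return dict(pool.map(
            lambda h: (h, host_available(h, probe_ports, params["timeout"])), hosts))


def demo(profile: str = "balanced") -> Dict[str, Optional[int]]:
    """Offline check on loopback: one listening port (host 'up') and one port that is
    known to be closed, where the probe fails fast with a refusal instead of a timeout."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens on closed_port now
    try:
        timeout = PROFILES[profile]["timeout"]
        return {
            "open_port": open_port,
            "up": sweep(["127.0.0.1"], [closed_port, open_port], profile)["127.0.0.1"],
            "down": host_available("127.0.0.1", [closed_port], timeout),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for name in PROFILES:
        print(name, demo(name))
```

The two outcomes in `demo()` are the cheap ones: a listening port answers immediately and a closed port refuses immediately. A firewall that silently drops the probe costs the full timeout instead, which is exactly what the aggressive profile shortens and why it can miss slow hosts on a high-latency network. Many simultaneous connection attempts from one sensor address are also the traffic pattern that an IDS or IPS is likely to flag.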

What’s next

Your scan runs now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during set up.

Once the scan run is complete, the result appears in the Network scans page. This includes the business unit associated with the scan, the frequency scheduled for the scan, the current and last scan statuses, and the discovered assets.

Certificates found through the scan are added to your Inventory and included in your Dashboard.