
Quick start: Set up an internal network scan

Network scans use a DigiCert sensor to securely discover existing TLS/SSL certificates across your internal network, helping you build a complete inventory of certificates and endpoints in DigiCert® Trust Lifecycle Manager.

This quick start guide shows you how to create and run an internal network scan, and then review the discovered certificates and endpoints in your inventory.

Objectives

  • Create an internal network scan using a sensor.

  • Configure scan targets and ports, then run the scan.

  • Review scan results and view the certificates and endpoints in your inventory.

Figure: sensor scan architecture (sensor_scan_architecture.svg)

Before you begin

  • You need an active DigiCert sensor on your network with visibility of the systems to target in the scan. See DigiCert sensors.

  • The Network Discovery feature must be enabled for your account. For help verifying or enabling this feature, contact your DigiCert account representative.

  • To configure network scans, you need the Manager user role for Trust Lifecycle Manager.

  • Gather the information you need:

    • The name of the sensor to use.

    • The business unit to use for managing the discovered certificates and the scan itself.

  • To automatically assign metadata (tags and owners) to discovered certificates, configure metadata assignment rules to use with the scan.

Set up the scan

Start by creating the scan and selecting the sensor that will run it.

  1. From the Trust Lifecycle Manager main menu, select Discovery & automation tools > Network scans.

  2. On the Network scans page, select Add scan.

  3. On the General information page, configure the basic properties of the new scan.

    • Scan name: Give the scan a name that makes it easy to identify (names matter more when you have multiple scans).

    • Business unit: Select the business unit for the network scan. Only users assigned to this business unit can manage the scan.

    • Scan type:

      • Sensor: Select the sensor to use for this scan. The sensor must have network visibility of the target systems and the ports you plan to scan.

  4. Select Next.

On the Scan targets screen, define which ports to inspect and which targets to include or exclude.

  1. Configure the Port numbers to scan:

    • All to include all ports in a specified range.

    • Default to include ports commonly used for TLS/SSL certificates: 110, 143, 389, 443, 465, 636, 3389, 8443.

    • Custom to include ports of your choice.

  2. If your servers use Server Name Indication (SNI) to serve certificates for multiple hostnames from a single IP address, enable Server Name Indication (SNI). With SNI enabled, the scan sends the target FQDN in the TLS handshake so the server returns the certificate for that name; without it, a multi-tenant server returns only its default certificate. SNI only helps for targets entered as FQDNs, not bare IP addresses.

  3. If you want to discover certificates on Microsoft SQL Server or SAP/Sybase ASE, enable TDS protocol scanning.

  4. Under IP addresses/FQDNs, add targets to include and exclude:

    • Include FQDNs and IP addresses: Enter targets and select Include. You can include a single IP address (10.0.0.1), a range (10.0.0.1-10.0.0.255), or a CIDR block (10.0.0.0/24).

    • Exclude FQDNs and IP addresses: Enter targets and select Exclude. You can exclude a single IP address, a range, or a CIDR block.

    • Optionally, import targets from a CSV file to include or exclude IP addresses and FQDNs.

    Important

    Make sure targets are valid and not duplicated. Wildcard domains are not supported.

  5. Select Next.
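Because the scan rejects invalid, duplicated, or wildcard targets, it is worth checking the include and exclude lists before typing them in or importing them. The following Python script is an added example for this guide, not DigiCert code: it expands IP ranges into CIDR blocks, rejects wildcards, flags duplicates (including an address listed once on its own and again inside a range), warns about exclude entries that fall outside every included network, parses a custom port spec, and estimates how many addresses are in scope. The `target,action` CSV column layout and the sample target lists are assumptions made for the example, not the product's documented import format.

```python
# Added example for this guide (not DigiCert code): pre-validate scan targets and
# custom port lists. The CSV layout "target,action" is assumed, not documented.
import csv
import io
import ipaddress
import re
from typing import List

DEFAULT_PORTS = {110, 143, 389, 443, 465, 636, 3389, 8443}  # defaults listed on this page
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one RFC 1123 hostname label


def parse_ports(spec: str) -> List[int]:
    """Parse a custom port spec such as "443,8443,9000-9010" into a sorted list."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"port out of range: {item}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


def parse_target(text: str) -> list:
    """Normalize one entry into CIDR network objects or a lowercase FQDN string."""
    text = text.strip()
    if "*" in text:
        raise ValueError(f"wildcard domains are not supported: {text}")
    try:  # single IP ("10.0.0.1" -> /32) or CIDR; host bits past the prefix are dropped
        return [ipaddress.ip_network(text, strict=False)]
    except ValueError:
        pass
    if "-" in text:  # range "10.0.0.1-10.0.0.255" -> minimal set of covering CIDRs
        try:
            start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        except ValueError:
            start = end = None
        if start is not None:
            if start.version != end.version or start > end:
                raise ValueError(f"invalid address range: {text}")
            return list(ipaddress.summarize_address_range(start, end))
    labels = text.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid IP, range, CIDR or FQDN: {text}")
    return [".".join(labels)]


def validate_targets(include: List[str], exclude: List[str]) -> dict:
    """Normalize both lists; report invalid entries, duplicates, and excludes that lie
    outside every included network (those never remove anything from the scan)."""
    report = {"include": [], "exclude": [], "errors": [], "duplicates": [], "orphan_excludes": []}
    parsed = {"include": [], "exclude": []}
    seen = set()
    for action, entries in (("include", include), ("exclude", exclude)):
        for raw in entries:
            try:
                targets = parse_target(raw)
            except ValueError as exc:
                report["errors"].append(str(exc))
                continue
            for target in targets:
                if (action, str(target)) in seen:
                    report["duplicates"].append(f"{action} {target} (from '{raw.strip()}')")
                    continue
                seen.add((action, str(target)))
                parsed[action].append(target)
    nets = [t for t in parsed["include"] if not isinstance(t, str)]
    for target in parsed["exclude"]:
        if isinstance(target, str):
            covered = target in parsed["include"]
        else:
            covered = any(target.version == n.version and target.subnet_of(n) for n in nets)
        if not covered:
            report["orphan_excludes"].append(str(target))
    report["include"] = [str(t) for t in parsed["include"]]
    report["exclude"] = [str(t) for t in parsed["exclude"]]
    return report


def address_count(report: dict) -> int:
    """Rough count of addresses in scope (FQDNs count as 1; overlapping includes double count)."""
    total = sum(ipaddress.ip_network(i).num_addresses if "/" in i else 1 for i in report["include"])
    excluded = sum(ipaddress.ip_network(e).num_addresses for e in report["exclude"]
                   if "/" in e and e not in report["orphan_excludes"])
    return total - excluded


def to_csv(report: dict) -> str:
    """Render the normalized lists as 'target,action' rows (assumed layout)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["target", "action"])
    for action in ("include", "exclude"):
        writer.writerows((item, action) for item in report[action])
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: a duplicate hidden inside a range, a repeated CIDR, a wildcard
    # (rejected) and an exclude that matches no included network.
    rep = validate_targets(["10.0.0.1", "10.0.0.1-10.0.0.255", "10.0.1.0/24", "VPN.Example.com",
                            "10.0.1.0/24"], ["10.0.1.250", "*.example.com", "192.168.5.0/24"])
    print({k: rep[k] for k in ("errors", "duplicates", "orphan_excludes")})
    print("addresses in scope:", address_count(rep))
    print(to_csv(rep), end="")
```

Run it on the lists you intend to enter; fix every line it reports under errors and duplicates before creating the scan, and treat orphan_excludes as a sign that either the exclude or the include list is wrong. The address count is a useful sanity check against the scan performance setting you choose later: a large count on the Slow profile can take a long time to complete.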

On the Scan options screen, select what information the scan collects and how it assigns metadata to discovered certificates.

  1. Under Scan options, choose how much information the scan collects:

    • Optimize for best performance to collect standard TLS/SSL certificate and server information.

    • Choose what to scan to collect additional information. Select from the following:

      • Configured cipher suites and TLS/SSL protocols: Discover the cipher suites and TLS/SSL protocol versions the server is configured to use when establishing secure client-server connections.

      • Handshake TLS/SSL protocols: Check whether the legacy SSLv2, SSLv3, TLSv1.0, and TLSv1.1 protocols are still accepted in the handshake. All four are deprecated (RFC 6176, RFC 7568, and RFC 8996), so any host that still negotiates them is a finding worth tracking.

      • Don't follow HTTP redirects: Enable this option to prevent Trust Lifecycle Manager from following HTTP redirects during a network scan (for example, an HTTP 301 redirect response).

      • Host IP addresses: Refresh the IP address of each host every time the scan runs. Recommended when host IP addresses change frequently.

      Important

      Each additional scan option increases the load the scan places on network resources and makes the scan take longer.

  2. Business unit: (Optional) Assign a business unit to the discovered certificates. If selected, only admins in that business unit can manage the certificates.

  3. Certificate assignment rules: (Optional) Select rules to automatically assign metadata (tags and owners) to the discovered certificates. This helps identify and manage the certificates in inventory.

  4. Advanced settings: Select a scan performance profile:

    • Aggressive (high network traffic): Run a fast network scan.

    • Balanced (default): Balance speed and scan accuracy.

    • Slow (low network traffic): Favor complete accuracy, for example on high-latency networks or when there are no time constraints on the scan.

  5. (Optional) Configure miscellaneous options under Additional settings:

    • Specify ports to scan to verify host availability: If Internet Control Message Protocol (ICMP) pings are disabled on hosts, use this setting to specify which ports can be scanned to verify host availability.

  6. Select Next.

On the Schedule screen, choose whether to run the scan now or schedule it for later:

  1. Select one of the following options:

  2. Stop if time exceeds: (Optional) Set a time limit in hours or days for how long an unfinished scan should run before the system terminates it.

  3. To finalize the scan, select one of the following:

Next steps

  • Your scan runs now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during set up.

  • Certificates found through the scan are added to Inventory > Certificates, and the associated endpoint data for those certificates is added to Inventory > Endpoints.

  • When the scan run is complete, results appear in the scan listing on the Discovery & automation tools > Network scans page. Select the links in the Scan results column to view the discovered certificates.

Learn more