SUPPORT

Contact Support

OPEN A TICKET

Installing and Configuring Invicti Enterprise On-Premises

Invicti Enterprise is available as an On-Demand and On-Premises solution. The On-Premises is identical to the hosted version in terms of features and capabilities, but since it runs on your own servers and network, there are a few things to note:

  • You can scan any internal web application without the need to allow incoming access through corporate firewalls.
  • No internet connection is required.
  • Invicti Enterprise On-Premises can also be easily deployed on Amazon Web Services (AWS), Microsoft Azure, Google Cloud, or any other type of private cloud environment.
  • If your business has to adhere to strict regulatory compliance requirements and policies or you have concerns with your data being stored on our servers, you can still take advantage of Invicti Enterprise's workflow tools and scaling and scanning capabilities.
  • That is because the On-Premises edition can be installed on your own servers that are managed by your own team. No data will leave the On-Premises edition of Invicti Enterprise.

This topic explains how to install Invicti Enterprise On-Premises.

Invicti Enterprise On-Premises has five parts. 

All Invicti editions support IPv6 both as servers and agents. This means you can configure the Invicti Enterprise On-Premises server to use IPv6, and Invicti Enterprise can scan websites that use IPv6.

The Application Server

This provides the web interface that enables the efficient administration and automation of scans.

This is the application that users will see and use via the Invicti Enterprise UI.

The Agent

This is a service application that executes scans and informs the Invicti Enterprise Application Server of the results.

A single agent can only run one scan at a time. If you want to run more than one scan at a time, you will need to install more agents.  

The Authentication Verifier

This is a service application that verifies form-based login authentication configuration.

This is an optional component. If you are scanning websites that require form authentication, you need to install it.

The Authentication Verifier Service

This is a service application that establishes communication between the Authentication Verifier Agent and the Invicti Enterprise Application Server.

This is an optional component. If you are scanning websites that require form authentication, you need to install it.

The IAST Bridge

This is a service application that is used to relay information from the Shark agent to the scanning agent.

This is an optional component. If you are using Invicti Shark (IAST) for Java, .NET, and Node.js, you need to install this bridge.

Prerequisites

This section lists the minimum requirements for installing Invicti Enterprise On-Premises.

Minimum requirements for Invicti Enterprise Application Server

All components (the Application Server, the Agent, the Authentication Verifier, the Authentication Verifier Service, the IAST Bridge, and Database Server) can be installed on the same server if the hardware meets the listed requirements.

We highly recommend that you install the Agents on separate servers to maximize stability and performance.

Software requirements

  • Windows Server 2016 or above (Windows Server 2019 recommended)
  • Web Server (IIS) role should be installed on the server
  • IIS 10
  • .NET Framework 4.8

Hardware requirements

  • 1.4 GHz Processor (2 GHz or faster recommended)
  • 4 GB RAM (8 GB or higher recommended)
  • 5 GB Free Disk space (20 GB or higher recommended)

Required access for installation

  • RDP credentials and access as a user with Administrator rights
  • Can be installed by an Invicti Engineer (or the user) using the provided installer

Minimum requirements for Invicti Enterprise Agent

These are the minimum requirements for Invicti Enterprise Agent.

Software requirements

  • Windows Server 2016 or above (Windows Server 2019 recommended)
  • .NET Framework 4.8

Hardware requirements

  • 1.4 GHz Processor (2 GHz or faster recommended)
  • 4 GB RAM or higher recommended
  • 10 GB free disk space for each internal agent

Network requirements

  • Agent needs to be able to access the Invicti Enterprise Application Server’s HTTP(S) (443/80) port

Required access for installation

  • Installation of the Agent requires Administrator rights

Minimum requirements for Invicti Enterprise Authentication Verifier Service and Authentication Verifier

These are the minimum requirements for Invicti Enterprise Authentication Verifier Service and Authentication Verifier Agent.

Software requirements

  • Windows Server 2016 or above (Windows Server 2019 recommended)
  • .NET Framework 4.8

Hardware requirements

  • 1.4 GHz Processor (2 GHz or faster recommended)
  • 1 GB RAM (4 GB or higher recommended)
  • 2 GB Free Disk space (5 GB or higher recommended)

Network requirements

  • Authentication Verifier Agent needs to be able to access the Authentication Verifier Service's HTTP(S) port. (Default port: 5000)
  • Enterprise users should access the Invicti Authentication Verifier Service Hub publicly. (Default port: 5000)
  • Authentication Verifier Service needs to be able to access the Invicti Enterprise Application Server’s HTTP(S) (443/80) port

Required access for installation

  • Installation of the Authentication Verifier and Authentication Verifier Service requires Administrator rights

Minimum requirements for IAST Bridge

These are the minimum requirements for Invicti IAST Bridge.

Software requirements

  • Windows Server 2016 or above (Windows Server 2019 recommended)

Hardware requirements

  • 1.4 GHz Processor (2 GHz or faster recommended)
  • 4 GB RAM or higher recommended

Network requirements

  • IAST Bridge Service needs to be able to listen to the Invicti Enterprise Application Server’s HTTP(S) (7800) port

Required access for installation

  • Installation of the IAST Bridge requires Administrator rights

Minimum requirements for the database server

These are the minimum requirements for the Database Server.

Please note the database is not provided by Invicti. You must set it up yourself.
It is strongly recommended not to edit your database manually. Any manual changes may break your Invicti Enterprise.

Software requirements

  • Microsoft SQL Server 2016 or above (Microsoft SQL Server 2019 recommended)

Hardware requirements

  • 1.4 GHz Processor (2 GHz or faster recommended)
  • 1 GB RAM (4 GB or higher recommended)
  • 6 GB Free Disk space

Network requirements

  • Invicti Enterprise Application Server needs to access this database server for the relevant port (1433 by default) or it needs to be on the same server

Required access for installation

  • Installation for configuring the Database Server requires either administrator or RDP access
  • Alternatively, database credentials or database owner permissions are required, along with the Name of an empty SQL Server database
  • The Database Collation field should be configured as case insensitive

Downloading the installer files

The install package is conveniently downloaded in a .zip file.

How to download the installer files
  1. Download the InvictiEnterprise.zip file you were emailed to your server
  2. Extract the .zip file to a directory
  3. Check that these six files are in the directory:
    • WebAppSetup.exe (Invicti Enterprise Application Server installer)
    • AgentSetup.exe (Invicti Enterprise Agent installer)
    • AuthVerifierAgentSetup.exe (Invicti Enterprise Authentication Verifier installer)
    • AuthVerifierServiceSetup.exe (Invicti Enterprise Authentication Verifier Service installer)
    • IASTBridgeSetup.exe (Invicti IAST Bridge installer)

Installing the Invicti Enterprise Application Server

The Invicti Enterprise Application Server is installed using a wizard.

The wizard has two parts:

  • The Invicti Enterprise Web Application
  • The Authentication Verifier Service
The Authentication Verifier Service is an optional part of this installation process. You can install the Authentication Verifier Service whenever you want. For further information about installing the verifier service, see Authentication Verifier Settings.

The following instruction explains how to install the Web Application and Verifier Service at the same time.
How to install the Invicti Enterprise Application Server and Authentication Verifier Service
  1. Run the WebAppSetup.exe file and select Next.
  2. On the End-User License Agreement step, accept the license agreement, and select Next.

  1. On the Ready to Install step, select Next to install the Web Application Server, and wait for a while.

  1. The installation asks you to install the prerequisite: The Authentication Verifier Service.
  2. On the Welcome to the Prerequisites Setup Wizard window, select Next to continue.

  1. On the Select Installation Folder step, select Next to install the Authentication Verifier Service to the default folder. Or select Browse to select an installation folder. Select Next.

  1. On the Completing the Invicti Enterprise Authentication Verifier Service Setup Wizard step, select Finish to complete the installation.

  1. On the Completing the Invicti Enterprise Web Application Setup Wizard step, select Finish to complete the Web Application Setup process.

Next steps:

  1. Next, configure the Invicti Enterprise Web App (see Configuring the Invicti Enterprise Web Application Server Using the Installation Wizard.)
  2. Install Invicti Enterprise Scanner Agent (see Installing Invicti Enterprise Agent).
  3. Then, install Invicti Enterprise Authentication Verifier (see Installing Invicti Enterprise Authentication Verifier).
  4. Finally, install Invicti Enterprise IAST Bridge (see Installing Invicti IAST Bridge.)

Configuring Invicti Enterprise Web Application Server using the installation wizard

From the server URL on which the Invicti Enterprise application is installed, you need to run the Invicti Enterprise - Installation Wizard to complete the installation.

Installing the Invicti Enterprise Web Application in silent mode? See Installing Invicti Enterprise On-Premises in Silent Mode.

How to configure Invicti Enterprise Web Application Server using the installation wizard
  1. The first step of the Installation Wizard is configuring the database connection.
  2. Complete the fields to enable Invicti to build the necessary database structure and populate it with data. Select Next.
  3. On the Encryption page, select Download the Secret Key to download your key. Then, select Next.

  1. On the License page, select Import a License (.nsc file) and import your license file. Select Next.
  2. On the Account page, complete the fields to set up your account administrator account. Select Next.
  3. On the General page, the fields in the General step are already populated with some default values. You can change them as required. Select Next.
  4. On the Cloud page, if you use cloud providers like Amazon AWS, you can configure the settings in this step (see Cloud Provider Settings). (If you don't use a cloud provider, deselect the Cloud Integration checkbox.) Select Next.

  1. On the Scanner Agent Settings page, copy the Access Token if you want to install the scanner agents following the installation wizard process. These agents will be used to scan target applications.

It is possible to skip this step by selecting the Continue without installing an agent checkbox.

You can install agents whenever you want. If you want to install Agent at this step, execute the file AgentSetup.exe in the zip file. (For more information on agents, see Agents in Invicti Enterprise On-Premises.). Select Next.

  1. On the Authentication Verifier Settings page, copy the Access Token if you want to install the authentication verifier agents following the installation wizard process.

Authentication Verifier is one of the five components of Invicti Enterprise that is used to verify Form Authentication settings. It is an optional component (see Authentication Verifier Settings). If the websites you are scanning do not use form authentication, you do not need this component.

It is possible to skip this step and set up it later in Invicti Enterprise. For further information, see Installing Invicti Enterprise Authentication Verifier.

Select Next.

  1. On the Email and SMS pages, configure SMS and email notifications to inform users instantly about the status of a web application security scan, or when specific vulnerabilities are identified on the web applications you are scanning. For further information, see Managing Notifications.

To send invitations to new users or other email notifications, you need to configure SMTP settings. You also need to have a Twilio account to be able to receive SMS notifications.

It is possible to skip this step and the next step by deselecting the Enable Email Notifications and Enable SMS Notification checkboxes.

Select Finish to complete the installation wizard.

Configuring a proxy for Invicti Enterprise Web Application

You may need to configure a proxy for the Invicti Enterprise Web Application.

This instruction assumes that you installed Invicti Enterprise On-Premises to the default location, which is C:\Program Files (x86). If not, please change the relevant step in the instruction accordingly.
How to configure proxy for the Invicti Enterprise Web Application
  1. Press the Windows logo key  + E.
  2. Paste the following into the address bar: C:\Program Files (x86)\Invicti Enterprise Web Application.
  3. Open Web.config with a text editor and locate the proxy configuration line.
  <system.net>
    <!--<defaultProxy>
      <proxy usesystemdefault="True" proxyaddress="http://127.0.0.1:8888/"/>
    </defaultProxy>-->
  </system.net>
  1. Remove the comment characters from the proxy configuration line.
  2. Now, enter your proxy configuration.
  3. Save and close the Web.config file.

After saving the document, restart the IIS for changes to take effect. Setting proxy for the agent? See Setting Proxy in Scanner Agents.

In addition to the proxy address, you can also add information such as a bypass list to the proxy configuration. It looks like the following:
<system.net>  
    <defaultProxy>  
        <proxy  proxyaddress="http://127.0.0.1:8080"  
                bypassonlocal="True"/>  
        <bypasslist>  
            <add address="[a-z]+\.invicti\.com$" />  
        </bypasslist>  
    </defaultProxy>  
</system.net>

Changing the installation folder for Invicti Enterprise Web Application

While the installer does not provide an option to select the folder, you can do this once the installation is complete. To do this, follow these steps:

Make sure you have proper permissions to carry out the following instruction.
  1. Copy the installation folder (C:\Program Files (x86)\Invicti Enterprise Web Application) to the target disk.
  2. Open IIS.
  3. From Sites, select NetsparkerCloud.
  4. Select Advanced Settings.
  5. Replace the physical path with the new path.

These steps help change the installation folder for the Invicti Enterprise Web Application.

Configuring notification settings

In the Invicti Enterprise Application Server security scanner, you can configure SMS and email notifications to inform users instantly about the status of a web application security scan or when specific vulnerabilities are identified on the web applications you are scanning.

To send invitations to new users or other email notifications you need to configure SMTP settings. You also need to have a Twilio account to be able to receive SMS notifications.

For further information, see Managing Notifications.

How to configure notification settings
  1. Log in to Invicti Enterprise with an admin account.
  2. From the main menu, select Settings > Email.
  3. On the Email Settings page, complete the form. If your SMTP server does not require a username and password, you can leave these settings empty.
  4. To configure your Twilio settings, from the main menu, select Settings > SMS.
  5. On the SMS Settings page, complete the form.

Installing the Invicti Enterprise Agent

The Invicti Enterprise Agent is installed using a wizard.

Installing the Invicti Enterprise Agent in silent mode? See Installing the Invicti Enterprise Agent in Silent Mode.

How to install the Invicti Enterprise Agent
  1. Run the AgentSetup.exe file.
  2. On the Invicti Enterprise Agent Setup window, select Next.
  3. On the Select Installation Folder step, select Next to install the Agent to the default folder. Or select Browse to select an installation folder. Select Next.

  1. On the Agent Settings window, enter the Agent Name, API URL, and API Token. The Agent Name and API URL fields are already completed. (Agent Name can be configured to any value to help distinguish them from one another, and the API URL should point to the WebApp URL.) Select Next.

If you have already configured SSL/TLS for your NE Application Server, then you should enter that URL and ensure that you use HTTPS (for example: https://ncserver/).
To find your API Token, from the main menu, go to Agents > Manage Agents > Configure New Agent. Copy the Agent Token.
  1. On the Ready to Install step, select Install.

  1. Select Finish to complete the installation.
How to prevent the Agent from starting automatically

Once the agent is installed in your environment via the wizard or the command prompt, the agent starts automatically. If you prefer to prevent this, you need to take the following steps:

  1. Open a command prompt in Administrator mode
  2. Run cd to navigate the folder containing AgentSetup.exe.
  3. Run AgentSetup.exe LAUNCH_SERVICE_PROP = 0

If you want to start the agent later, there are two methods available:

Method 1:
  1. Open a command prompt in Administrator mode
  2. Run cd to navigate the folder containing AgentSetup.exe.
  3. Run AgentSetup.exe -s
Method 2:
  1. Press Windows+R, type 'services.msc' and press Enter
  2. Find 'Netsparker Enterprise Scanning Service - [YOUR_AGENT_NAME]'.
  3. Right-click on it, and select Properties.
  4. Make sure the Startup type is set to Automatic, and click Start.

Configuring Agent Selection

If you wish, you can select a specific agent while launching a scan.

How to configure Agent selection
  1. Log in to the Invicti Enterprise Application Server with an admin account.
  2. From the main menu, select Settings > General.
  3. Enable the Agent Selection Enabled checkbox and select Save.

  1. From the main menu, select Scans > New Scan.
  2. In the General tab, select the Preferred Agent drop-down and select an option.

  1. Complete the fields as required.

Installing multiple Agents on the same operating system

If you want to install more than one agent on the same system, first install Invicti Enterprise Agent, as usual, using the AgentSetup.exe file.

How to install multiple Agents on the same operating system
  1. Copy all files from the default Agent’s folder to the new Agent’s folder. The default installation path is: C:\Program Files (x86)\Invicti Enterprise Agent.

For example, if you decided to use Agent-2 as the new Agent name, you could use this command to copy all files to new Agent’s folder:

xcopy "C:\Program Files (x86)\Invicti Enterprise Agent\*.*" "C:\Program Files (x86)\Invicti Enterprise Agent-2" /yie

This will create a new directory in C:\Program Files (x86)\Invicti Enterprise Agent-2 and copy in all the required files.

  1. Locate the new Agent’s folder and open the appsettings.json file with a text editor. Set the new Agent’s name.

  1. Open a command prompt in Windows with Administrator rights and install the new Agent as a Windows Service using these commands:
  • This command changes the current folder to the new Agent’s folder:
cd C:\Program Files (x86)\Invicti Enterprise Agent-2
  • This command installs the new Agent as a Windows Service:
  • Netsparker.Cloud.Agent.exe /i
    This command starts the new Agent’s Windows Service:
Netsparker.Cloud.Agent.exe /s

Installing Invicti Enterprise Authentication Verifier

The Invicti Enterprise Authentication Verifier is installed using a wizard.

Starting from the Invicti Enterprise On-Premises 2.3, the Authentication Verifier Agent communicates with the Authentication Verifier Service to verify the login.

You can install the Authentication Verifier Agent without installing the verifier service. However, the verifier agent works properly only if you install the Authentication Verifier Service first.

For further information, see Authentication Verifier Settings.

How to install the Invicti Enterprise Authentication Verifier Agent

  1. Run the AuthVerifierAgentSetup.exe file.
  2. On the Welcome to the Invicti Enterprise Authentication Verifier Setup Wizard window, select Next.

  1. Select Browse if you want to install the Authentication Verifier to a different folder than the default folder. Select Next.

  1. On the Authentication Verifier Settings step, enter the API URL and API Token. The API URL field is already completed. (It should point to the WebApp URL.) In the API Token field, enter your token. You can find this in API Settings. Select Next.

  1. Select Install.

Installing multiple verifier agents? See Installing multiple authentication verifier agents.

Installing Invicti IAST Bridge

The Invicti Enterprise IAST Bridge is installed using a wizard. For further information about Invicti Shark (IAST), see Deploying Shark (IAST) in Invicti Enterprise On-Premises.

  1. Run the IASTBridgeSetup.exe file.
  2. On the Welcome to the Invicti IAST Bridge Setup Wizard window, select Next.

  1. Select Browse if you want to install the Authentication Verifier to a different folder than the default folder. Select Next.

  1. On the Agent Settings window, enter the Service Port. By default, it is 7880.

  1. Select Install to complete the installation.

To set up a custom bridge URL for the Invicti Shark (IAST), see Setting a custom bridge service for Invicti Shark (IAST).

Securing Invicti Enterprise

Now your Invicti Enterprise installation is complete, you need to make it secure. For further information, see Security Hardening for Invicti Enterprise On-Premises.

Invicti

Highly accurate, fast & easy-to-use Web Application Security Scanner

Get a demo