Trustlist requirements for Invicti Enterprise on-premises
Accurate scans of your targets require proper network access configuration. Follow these steps to configure trustlist settings:
Inbound connections
IAST Bridge accepting inbound connections
Ensure that your IAST Bridge network infrastructure allows incoming connections from:
| Scope | Source |
|---|---|
| Incoming Shark sensor data | IP Address of your Shark sensor |
| API Calls from the Scanning Agent | IP Address of your Scanning Agent |
| API Calls from Invicti Enterprise Main Installation | IP Address of your Main Installation |
Your Invicti Enterprise main installation accepting inbound connections
You must ensure that your Invicti Enterprise main installation's network infrastructure trustlists incoming connections from:
| Scope | Source |
|---|---|
| Connections from Auth Verifier Service | IP Address of your Auth Verifier Service |
| Connections from the Scanning Agent | IP Address of your Scanning Agent |
| Connections from the integration source | IP Address of your integration source |
Your target accepting inbound connections
You must ensure that your target's network infrastructure trustlists incoming connections from:
| Scope | Source |
|---|---|
| Incoming scanning and auth verification requests | IP Address of your scanning and auth verification agents |
| Incoming API Discovery requests | IP Address of your Auth Verification Service |
Your integration server accepting inbound connections
You must ensure that your integration server's network infrastructure trustlists incoming connections from:
| Scope | Source |
|---|---|
| Integration Connections | IP Address of your Invicti Enterprise Main Installation |
Outbound connections
Your browser outbound connections
If your browser is behind an outbound firewall or web proxy, particularly within a corporate LAN or VPN, ensure that the firewall, proxy, or VPN permits outbound connections to:
| Scope | Destination |
|---|---|
| Browser access to Invicti Enterprise | IP or URL of your Invicti Enterprise main installation on (default) port 443 |
| Browser and Auth Verifier Agent Access to the Authentication Verifier Service | IP or URL of your Invicti Enterprise main installation on (default) port 5000/5001 |
Invicti Enterprise scanning agent outbound connections
Ensure that your network infrastructure permits any deployed scanning agent to establish outbound connections to:
| Scope | Destination |
|---|---|
| Connections to Invicti Enterprise main installation | IP or URL of your Invicti Enterprise main installation on (default) port 443 |
| Connections to the Hawk service for out-of-band vulnerability checking | https://r87.me |
| VDB database download | https://service.invicti.com/ |
| Connections to the IAST Bridge | https://iast.invicti.com |
| Scanning requests to your Target | IP address/URL for your Target, including destination port |
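A pre-flight check you can run on a scanning agent host to confirm the egress rules above are in place. This is an added example, not Invicti tooling: the main installation hostname is a placeholder, the function names are illustrative, and the fixed destinations are copied from the table above. `endpoint()` also accepts a bare `host:port`, so the same check covers a Target or a self-hosted IAST Bridge on port 7880.

```python
import socket
from urllib.parse import urlsplit

# Outbound destinations for a scanning agent, taken from the table above.
SCANNING_AGENT_DESTINATIONS = {
    # Placeholder (assumption): replace with your own main installation.
    "Invicti Enterprise main installation": "https://invicti.example.internal:443",
    "Hawk service": "https://r87.me",
    "VDB database download": "https://service.invicti.com/",
    "IAST Bridge": "https://iast.invicti.com",
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def endpoint(dest):
    """Turn 'https://host[:port]/' or 'host:port' into (host, port)."""
    parts = urlsplit(dest if "://" in dest else "//" + dest)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    if not parts.hostname or port is None:
        raise ValueError(f"no host or port in {dest!r}")
    return parts.hostname, port


def check(destinations, timeout=5.0):
    """Try a TCP connect to each destination; return {scope: (ok, detail)}."""
    results = {}
    for scope, dest in destinations.items():
        host, port = endpoint(dest)
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[scope] = (True, f"{host}:{port} reachable")
        except OSError as exc:  # DNS failure, refusal, timeout, filtered port
            results[scope] = (False, f"{host}:{port} blocked or down: {exc}")
    return results


if __name__ == "__main__":
    for scope, (ok, detail) in check(SCANNING_AGENT_DESTINATIONS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {scope}: {detail}")
```

The check is TCP-level only: it does not validate TLS or HTTP responses, and a FAIL does not account for egress that is permitted solely through a web proxy.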
Invicti Enterprise main installation outbound connections
Ensure that your network infrastructure permits the Invicti Enterprise main installation to establish outbound connections to:
| Scope | Destination |
|---|---|
| Connections to the Hawk service for out-of-band vulnerability checking | https://r87.me |
| VDB database download; Update notifications | https://www.invicti.com |
| Access Tokens for the Discovery service | https://jwtsigner.invicti.com |
| API calls to the Discovery service | https://discovery-service.invicti.com |
| API calls for Invicti licensing and Target management | https://service.invicti.com |
| Scanning requests to your Target | IP address/URL for your Target, including destination port |
| API Hub discovery for Apigee, Mulesoft, AWS API Gateway, etc. | IP ranges or URLs for your Target API integrations (including port number) |
| ZeroDiscovery requests to your Targets | IP addresses/URLs for your Targets (default port list is 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, 8888) |
Invicti Enterprise auth verifier agent outbound connections
For any deployed auth verifier agent, you must ensure that your network infrastructure allows it to make outbound connections to:
| Scope | Destination |
|---|---|
| Connections for auth verifier registration | IP or URL of your Invicti Enterprise main installation on (default) port 5000/5001 |
| Auth Verification requests to your Target | IP Address / URL for your Target, including destination port |
| ZeroDiscovery requests to your Targets | IP address/URL for your Targets (default port list is 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, 8888) |
Shark outbound connections
Ensure that your network infrastructure permits any Shark agent deployed in your target web application to establish outbound connections to:
| Scope | Destination |
|---|---|
| Connections to the IAST Bridge (default) | https://iast.invicti.com |
| Connections to the IAST Bridge (if configured) | IP or URL of your Invicti Enterprise IAST Bridge on port 7880 |