Esentire Nessus Agent deployment instructions [for HCI CA]

Nessus Agent Deployment Guide

Human Concern International

  • For IT, security, or MSP teams at Human Concern International.


1. Overview

This document outlines the installation and deployment process for Tenable Nessus Agents across Human Concern International endpoints and servers.

Nessus Agents allow centralized vulnerability scanning via Tenable Cloud (cloud.tenable.com) without requiring direct inbound network access.


2. Official Resources


3. Organization-Specific Configuration

Linking Key

507687e76403fe31045a0ae813c1bd2a4deaeaea656ac6e85a625ee7327d40e2

Server (Tenable Cloud)

cloud.tenable.com:443

On Linux installations, you may alternatively use the --cloud flag.

Groups

Agents must be assigned to one of the following:

  • Workstation

  • Server


4. Deployment Methods

Option A: Manual Installation (Small Deployments)

  1. Download the appropriate agent for the OS.

  2. Install using the standard installer.

  3. Link the agent using the provided server and linking key.

  4. Confirm agent appears in Tenable Cloud.


Option B: Automated Windows Deployment (GPO / SCCM / RMM)

Use the following installation string for silent deployment:

msiexec /i NessusAgent-<version>-x64.msi NESSUS_SERVER="cloud.tenable.com:443" NESSUS_GROUPS="Workstation" NESSUS_KEY=507687e76403fe31045a0ae813c1bd2a4deaeaea656ac6e85a625ee7327d40e2 /qn

For servers:

msiexec /i NessusAgent-<version>-x64.msi NESSUS_SERVER="cloud.tenable.com:443" NESSUS_GROUPS="Server" NESSUS_KEY=507687e76403fe31045a0ae813c1bd2a4deaeaea656ac6e85a625ee7327d40e2 /qn

Notes:

  • Replace <version> with the actual downloaded file version.

  • /qn ensures a silent installation.

  • Ensure outbound access to cloud.tenable.com:443 is allowed.


Option C: Linux Deployment

After installing the agent package:

sudo /opt/nessus_agent/sbin/nessuscli agent link \
--key=507687e76403fe31045a0ae813c1bd2a4deaeaea656ac6e85a625ee7327d40e2 \
--cloud \
--groups=Workstation

For servers, replace:

--groups=Server

5. Firewall Requirements

Ensure outbound HTTPS access:

  • Destination: cloud.tenable.com

  • Port: 443

  • Protocol: HTTPS

No inbound firewall rules are required.


6. Verification Checklist

After deployment:

  • Agent service is running

  • Device appears in Tenable Cloud console

  • Correct group assignment (Workstation/Server)

  • Last check-in timestamp updates

  • No linking errors in agent logs


7. Large-Scale Deployment Considerations

For environments over 100+ endpoints:

  • Stagger deployments to avoid bandwidth spikes

  • Use GPO, Intune, SCCM, or RMM tools

  • Validate on pilot group before organization-wide rollout

  • Monitor system utilization (CPU/RAM impact)

  • Document rollback procedure


8. Best Practices

  • Separate workstation and server groups

  • Exclude domain controllers from aggressive scan windows

  • Monitor agent health weekly

  • Rotate linking key if compromised

  • Keep agent version updated quarterly