Enterprise Edition

Deploying additional scanning machines

• Last updated: March 27, 2024

• Read time: 3 Minutes

When you performed the initial installation of Burp Suite Enterprise Edition, you may have chosen to run the Enterprise server and web server on the same machine that you run scans on. Running too many concurrent scans on the same scanning machine can cause performance issues,so you might want to deploy one or more dedicated scanning machines to ease the load on your Enterprise server machine.

Setting up a new scanning machine

The setup process for a new scanning machine uses the same installer you used for the initial installation of Burp Suite Enterprise Edition. However, you might need to download a different installer if your intended scanning machine uses a different operating system.

1. On the machine that you want to use, log in to your account page on portswigger.net.
2. On the Subscriptions tab, download the installer for the same version of Burp Suite Enterprise Edition that is installed on your Enterprise server machine.
3. Open the installer and follow the same process that you did when installing Burp Suite Enterprise Edition. When asked what you want to use the machine for, deselect Running the Enterprise server and web server and select Running scans.
4. When prompted, enter the hostname or IP address of the machine where you previously installed the Enterprise server. External scanning machines automatically access the Enterprise server on port 8072.
5. When the installation is complete, you are given a fingerprint of the scanning machine's public key. Make sure you save this somewhere secure as you need it to authorize this new scanning machine later.

Authorizing a new scanning machine

Communication between scanning machines and the Enterprise server is protected by mutually authenticated TLS. When you set up a new scanning machine, it will generate a unique fingerprint, which acts as a public key, and send an authorization request to your Enterprise server. When the Enterprise server receives an authorization request, it displays the fingerprint that was used in the TLS negotiation. You compare this fingerprint with the fingerprint that you generated when setting up the new scanning machine to make sure that communication is happening directly with the authentic machine before authorizing it.

1. Log in to the web interface as an administrator.
2. From the settings menu select Scanning resources.
3. Under Scanning machines, click Manage scanning machines.
4. On the Authorization requests tab, you should see a pending authorization request showing the IP address of the new scanning machine (or, if NAT is being used on the network, the IP address from which the scanning machine's connection was received) and the public key fingerprint.
5. If you have a standard instance (as opposed to a Kubernetes instance), choose the pool that the scanning machine will belong to. For more details, see Managing scanning pools.
6. Compare the public key fingerprint shown with the one that you saved after setting up the new scanning machine. If they match, click Authorize.

This scanning machine is now available for use on the Scanning machine settings page and you can start assigning scans to it.