Network Requirements

Virtual Scan Appliance

This section lists the network requirements for the Virtual Scan Appliance (VSA). Ensure that all of these requirements are met before you deploy your VSA.

Accessing the Endpoints

To run a DynamicDS scan, the VSA must be able to access the endpoints specified by Veracode as well as the applications behind the firewall that you want to scan. Your network administration team must open connectivity between the VSA and these endpoints. There is only one jobservice for all your VSAs. The VSA must be able to access the following:

  • Veracode jobservice - delivers scan requests to the VSA and receives results.
    • IP address: 192.157.28.50
    • Scheme: HTTPS
    • Outbound connection over port 443

  • YUM repository - delivers software updates.
    • IP address: 192.157.28.52
    • Scheme: HTTPS
    • Outbound connection over port 443
    • The host, vsa-repo.veracode.com, is externally resolvable through DNS.

  • VSA midpoint - maintains a secure tunnel through which to deliver updates and enable troubleshooting activities. Each VSA has one midpoint.
    • Veracode provides the IP address for each midpoint.
    • Scheme: OpenVPN/SSL (the VSA VM contains an OpenVPN client)
    • Outbound connection over port 443
      Note: Ports 80 and 1194 should also be open. If the connection over port 443 fails, the OpenVPN client attempts to connect over port 80 or through User Datagram Protocol (UDP) over port 1194.

  • Web applications behind firewalls

    To access applications distributed across multiple subnetworks, you must deploy VSAs to a datacenter within each subnet.
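A pre-deployment reachability check for the endpoints listed above, as an added example that is not Veracode tooling. It assumes a direct (non-proxied) path, is run from the network segment where the VSA will live, and takes the midpoint IP address supplied by Veracode as its only argument; the function names and the PASS/WARN/FAIL grading are this example's own, and it tests TCP reachability only, not the HTTPS or OpenVPN handshake.

```python
import socket
import sys

# Addresses and ports from the requirements above; the midpoint IP is per-VSA.
JOBSERVICE = ("192.157.28.50", 443)
YUM_REPO_IP = ("192.157.28.52", 443)
YUM_REPO_HOST = "vsa-repo.veracode.com"
MIDPOINT_TCP_PORTS = (443, 80)  # 443 preferred, 80 is the OpenVPN fallback


def tcp_probe(host, port, timeout=5.0):
    """Return True if a direct TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_probe(host):
    """Return True if the host name resolves through the local resolver."""
    try:
        return bool(socket.getaddrinfo(host, None))
    except OSError:
        return False


def preflight(midpoint_ip, tcp=tcp_probe, dns=dns_probe):
    """Check each requirement; return a list of (name, status, detail)."""
    results = []
    for name, (host, port) in (("jobservice", JOBSERVICE), ("yum-repo", YUM_REPO_IP)):
        ok = tcp(host, port)
        results.append((name, "PASS" if ok else "FAIL", f"tcp/{port} to {host}"))
    ok = dns(YUM_REPO_HOST)
    results.append(("yum-repo-dns", "PASS" if ok else "FAIL", YUM_REPO_HOST))
    # Midpoint: one working transport is enough for the tunnel, but a missing
    # primary or fallback port is surfaced as WARN so it can be fixed up front.
    open_ports = [p for p in MIDPOINT_TCP_PORTS if tcp(midpoint_ip, p)]
    if 443 in open_ports:
        status = "PASS" if 80 in open_ports else "WARN"
    else:
        status = "WARN" if open_ports else "FAIL"
    results.append(("midpoint", status, f"open tcp ports {open_ports}; udp/1194 not probed"))
    return results


if __name__ == "__main__" and len(sys.argv) == 2:
    for name, status, detail in preflight(sys.argv[1]):
        print(f"{status:4} {name:13} {detail}")
```

UDP port 1194 is not probed because a UDP port gives no connect-style answer; confirm that rule with the firewall team separately.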

Supported Proxy Configurations

The VSA supports proxy configurations for its connections to Veracode. Proxies are not supported between the VSA and the applications you want to scan.

The following proxy configurations are supported between the VSA and the Veracode jobservice, and between the VSA and the midpoint and YUM repository:
  • Supported protocols:
    • HTTP proxy
    • SOCKS proxy
  • Supported authentication methods:
    • No authentication
    • Basic authentication
    • NT LAN Manager (NTLM) authentication
    Digest authentication is not supported.