Machine Discovery

TLS Protect Cloud enables machine-based discovery, facilitating seamless tracking of certificates already deployed to your machines within your environment. This capability empowers you to identify certificates that have been added or removed from these machines and manage them appropriately.

Note

This functionality is currently available only for F5 appliances, VMware NSX Advanced Load Balancer (AVI), and Microsoft IIS machines.

Before you begin

  • The machine should already be created in TLS Protect Cloud.
  • The machine must be properly connected. Use the Test Access button, located under the Access tab, to verify the connection.
  • The machine you want to discover should have a "VERIFIED" machine status. The machine status is shown under the Access tab.
  • If you trigger machine discovery on a machine using the API (rather than the UI), the machine status can be either "UNVERIFIED" or "VERIFIED".

F5 BIG-IP LTM / Microsoft IIS / VMware NSX Advanced Load Balancer (AVI)

To perform a discovery on your machine, please follow the steps outlined below:

  1. Sign in to TLS Protect Cloud.
  2. Click Installations > Machines.
  3. Select the F5 BIG-IP LTM, Microsoft IIS, or VMware NSX Advanced Load Balancer (AVI) machine name that you want to perform a discovery on.
  4. Make sure the required fields are populated (such as Address/Hostname, Username, and Password).
  5. If you would like to set criteria for the discovery, select the Discovery tab and apply filters. The available filters vary depending on the machine type (F5, IIS, VMware NSX ALB (AVI)). Without filters, the discovery searches all resource types, partitions, tenants, CAPI stores, and certificates.

    Refer to the following machine-specific filters for more details.
    • F5:
      • Resource Types to Discover - Virtual Servers, Monitors, or Both.
      • Partitions - Use a comma to separate the list of partition names. Leaving this field empty means all partitions will be included in the discovery.
      • Exclude Expired Certificates - Certificates that have expired.
      • Exclude Inactive Certificates - Certificates not currently in use by an F5 virtual server.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly (see Set up Machine Discovery Schedule below).
    • IIS:
      • CAPI Store - Personal, Web Hosting, or Both.
      • Exclude Expired Certificates - Certificates that have expired.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly (see Set up Machine Discovery Schedule below).
    • VMware NSX ALB (AVI):
      • Tenants - Use a comma to separate the list of tenant names. Leaving this field empty means all tenants will be included in the discovery.
      • Exclude Expired Certificates - Certificates that have expired.
      • Exclude Inactive Certificates - Certificates not currently in use by a VMware NSX ALB (AVI) virtual server.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly (see Set up Machine Discovery Schedule below).
  6. Click Discover Now.

  7. A message below the machine name indicates the date and time your discovery was started. This message updates when the discovery is completed; refresh the page to see the update.

  8. Select the Discovery tab to see your discovery results. You will see the following:

    • Total Discovered/Newly Discovered
    • Machine IDs created
    • Machine IDs missing
    • Machine IDs deleted
    • Execution time
    What do these discovery results actually mean?
    • Total Discovered: The number of certificates found during the discovery run, including those found in previous discoveries and any new certificates.
    • Newly Discovered: The number of new certificates found by the discovery run.
    • Machine IDs created: The number of machine identities created by the discovery run.
    • Machine IDs missing: The number of machine identities that were found in the previous discovery but are absent from the current discovery, and have been missing for three days or less.
    • Machine IDs deleted: The number of machine identities deleted because they remained in the "MISSING" state for more than three days.
    • Execution time: The amount of time the discovery took to complete.
  9. You can now view the machine identities discovered in the Machine Identities tab.

    Note

    A few notes about the Machine Identities tab and machine discovery. The "Status" field can have the following states:

    • Discovered: Either a certificate that did not yet have a machine identity (it was not pushed using TLS Protect Cloud), or an existing certificate that was pushed using TLS Protect Cloud, in which case its status changes from "Installed" to "Discovered."
    • Missing: A machine identity that was found in the previous discovery and is now missing in the current discovery for less than or equal to three days.
    • Validated: A machine identity that was found in the previous discovery and is now found in the current discovery.

    Important

    If discovery finds a machine identity in a "MISSING" state for more than three days, it will automatically delete the machine identity.
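The status transitions and Discovery tab counters described above, modelled as a small reconciliation routine. This is an added example, not TLS Protect Cloud's own code: the MachineIdentity record, the fingerprint keys and the sample dates are constructed, and it assumes that each newly discovered certificate creates exactly one machine identity.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

# Hypothetical model (not TLS Protect Cloud's own code) of one discovery run, following the status rules on this page.
MISSING_GRACE = timedelta(days=3)  # "MISSING" for more than three days -> deleted

@dataclass
class MachineIdentity:
    fingerprint: str                      # identifies the certificate on the machine
    status: str                           # "Installed", "Discovered", "Validated" or "Missing"
    missing_since: Optional[date] = None  # set while status == "Missing"

def reconcile(previous: Dict[str, MachineIdentity], found_now: Set[str],
              today: date) -> Tuple[Dict[str, MachineIdentity], Dict[str, int]]:
    """Apply a run (found_now = fingerprints present on the machine) to the table
    stored after the last run. Assumption: one identity is created per newly
    discovered certificate, so "created" equals "newly_discovered" here."""
    updated: Dict[str, MachineIdentity] = {}
    summary = {"total_discovered": len(found_now), "newly_discovered": 0,
               "created": 0, "missing": 0, "deleted": 0}
    for fp in found_now:
        old = previous.get(fp)
        if old is None:                       # no machine identity yet
            updated[fp] = MachineIdentity(fp, "Discovered")
            summary["newly_discovered"] += 1
            summary["created"] += 1
        elif old.status == "Installed":       # pushed earlier; first discovery relabels it
            updated[fp] = MachineIdentity(fp, "Discovered")
        else:                                 # seen before and present again
            updated[fp] = MachineIdentity(fp, "Validated")
    for fp, old in previous.items():
        if fp in found_now:
            continue
        since = old.missing_since or today    # first run on which it went missing
        if today - since > MISSING_GRACE:
            summary["deleted"] += 1           # dropped from the table entirely
        else:
            updated[fp] = MachineIdentity(fp, "Missing", since)
            summary["missing"] += 1
    return updated, summary

def example_summary(days_missing: int) -> Dict[str, int]:
    """Constructed sample: A validated earlier, B pushed earlier, C missing for days_missing days, D new."""
    today = date(2024, 1, 5)
    previous = {"A": MachineIdentity("A", "Validated"),
                "B": MachineIdentity("B", "Installed"),
                "C": MachineIdentity("C", "Missing", today - timedelta(days=days_missing))}
    return reconcile(previous, {"A", "B", "D"}, today)[1]
```

With C missing for four days the run reports one deleted identity, while at exactly three days it is still counted under "Machine IDs missing".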

Set up Machine Discovery Schedule

  1. In the TLS Protect Cloud toolbar, click Installations and select Machines from the drop-down menu.
  2. Select the F5 BIG-IP LTM, Microsoft IIS, or VMware NSX Advanced Load Balancer (AVI) machine name that you want to perform a discovery on.
  3. Click the Discovery tab for the machine.
  4. Scroll to the bottom of the page and activate the Machine Discovery Schedule by clicking the toggle switch to turn it on.
  5. Under Repeat every, select your desired daily, weekly, or monthly schedule. Then, choose your desired time.
  6. Click Save.

Note

The current local time shown for the schedule is in UTC.