The SSH connection manager enables you to perform agentless scanning without accepting SSH connections from the internet. It is distributed as a black-box OVA, VHD or Docker image which can be deployed behind your firewall. Public Amazon Machine Images (ami-8a3634ea/us-west-1 & ami-439f2c3b/us-west-2) are also available. It has a web interface which allows for centralized configuration and logging. A single connection manager can scan several thousand remote nodes using SSH.

System Requirements

  • Recommended SSH connection manager appliance specs are 4GB, 2 Core.
  • Each target node that you wish to scan agentlessly will need to have port 22 exposed for the SSH connection manager.
  • Target nodes will need to have the SSH connection manager public SSH key added for key based scanning.

Creating a Connection Manager Group

  1. To configure the UpGuard website to communicate with a connection manager click the Discover button on the top toolbar and choose Connection Managers.

  2. Click the Add Group button on the left bar. You will see the following screen:


  3. Give the Connection Manager group a unique name that makes sense to you.

  4. Click the green Add Group button and you will be given an API Key. Copy the key as you will need this during the connection manager setup.


Downloading and Installing

  1. The SSH connection manager is distributed as a black-box appliance and is available to download as an OVA, VHD or Docker image. Public Amazon Machine Images (ami-8a3634ea/us-west-1 & ami-439f2c3b/us-west-2) are also available. If your environment contains more than 100 nodes we are more than happy to assist you with capacity planning.

  2. Once deployed, the appliance will boot up and automatically update to the latest version if connectivity allows.

  3. When ready, the configuration utility is displayed after attaching a console session to the appliance. Use the Tab, Arrow, and Enter Keys to select options within the configuration utility.


Advanced Configuration

You can use the configuration utility to setup advanced network configuration details for the SSH connection manager.

Configure Networking

  1. Select on Configure Networking and press enter.


DHCP Configuration

  1. Choose Dynamic (DHCP) Configuration in the utility menu and press enter to continue. The appliance will then be assigned an IP address.

  2. Return to the “Configure Networking” screen and find the IP address indicated by the network adapter name.


  3. You may also exit out of ConfigTTY using Alt-F1 (on Windows) or fn-Alt-F1 (on Mac) to view it from the console.


  4. You can skip to the registration section once you have the SSH connection manager IP address recorded.

Static Configuration

  1. Choose Static Configuration in the utility menu and press enter to continue.


  2. You can then enter the desired IP address, netmask, gateway and DNS information for the SSH connection manager.


    Field Description
    IP Address / Netmask Specifies the IP address that will be used for the SSH connection manager. The CIDR prefix is mandatory.
    Gateway Specifies the address for the gateway to be used by the SSH connection manager.
    DNS Servers Specifies the DNS servers that the SSH connection manager will use for name resolution.
  3. Ensure that you Apply Configuration to save your settings before finishing.

  4. You can skip to the registration section once you have the SSH connection manager IP address recorded.

Configure Hostname

  1. Choose Configure Hostname and press enter.


  2. Enter your Hostname and press enter.


    Field Description
    Hostname This setting allows you to specify the name that will be used by the SSH connection manager when it is registered with the UpGuard website. This can also be set via the connection manager’s web interface.

Configure Proxy

  1. Choose Configure Proxy and press enter.


  2. Configure your proxy URL and press enter.


  3. You will see a confirmation that the configuration has been applied.


    Field Description
    HTTP Proxy URL If a HTTP proxy is required, specifies the URL of the proxy server that the connection manager will use to make HTTP requests. The scheme is mandatory.

Configure Connection Manager

  1. w600

Exiting the Configuration Utility

  1. Once finished, choose Exit and press enter.



  1. Once the IP address of the SSH connection manager has been set, you can then browse to it to complete the registration process. Registering a connection manager with the UpGuard website will allow you to use it to scan additional nodes.


  2. Update the “Site URL” field to reflect the website address of your UpGuard instance and paste the group API key provided in the Creating a Connection Manager Group step into the “API Key” field. Click Login to continue.

  3. If registration is successful, a registration confirmation screen will appear. Clicking the Status button with give you additional registration details.


  4. On the UpGuard website, click the Connection Managers tab and then click on your connection manager group on the left sidebar. Check the “Last Contact” field to verify that the connection manager is running, and that the registered “IP Address” is correct.


Add Nodes

To use this new Connection Manager, add a node by clicking the Discover > Add Nodes tab under the Discover section.


Select the node type.


The Connection Manager uses SSH. Select “SSH.”


In Section 3, select the new Connection Manager from the dropdown list, then add the new node.


Refer to the Adding an SSH Node and Adding a Network Device guides for additional setup details and troubleshooting steps.

Additional Information and Troubleshooting

  • The connection manager needs to be able to SSH to your nodes on port 22
  • Multiple connection managers can be assigned to the same connection manager group to share the workload
  • Connection managers from the same group share the same key

Accessing Connection Manager Logs

You can view connection manager logs by visiting /log at the hostname of your connection manager. For example, if your connection manager is hosted at cm-prod01.bigcorp.local then you can view logs in your browser at https://cm-prod01.bigcorp.local/log.

There are a few URL query options you can add to make searching the logs easier.

  • ?tail=100 show only the last 100 lines, for example, of log output (like tail -n 100)
  • ?grep=DEBUG show only lines containing the text DEBUG (like grep)
  • ?grepv=DEBUG do not show any lines containing the text DEBUG (like grep -v)
  • ?tail=1000&grepv=DEBUG&grep=timeout pull out the last 1000 lines of logs, filter out any line containing DEBUG and then only keep lines containing timeout (note that the order you specify params does not matter - if you specify tail=100 and grep and/or grepv you will probably see less than 100 lines.

Unsupported Hardware Family (vmx-10)

  1. When attempting to create the VM, you will need to acquire the latest version of VMWare’s ovftool utility, and run the following command:

    ovftool --lax <path to connection manager OVA> connection_manager.vmx

  2. Once the conversion is complete, open the vmx file in the text editor of your choice and change the following line:

    virtualHW.version="10" to virtualHW.version="9".

    Or the latest version that you can use. Then run the following command:

    ovftool <path of vmx file> connection_manager_new.ova

  3. You should now be able to create a VM from the produced OVA.

Tags: ssh ova