Qualys Blog

www.qualys.com

Qualys To Decommission Scan Job “Dispatcher”, Migrate All Subscriptions To “New Scanner Services”

Qualys will decommission its legacy platform scan distribution service, "Dispatcher", in favor of New Scanner Services, which has been in operation since 2010.  The vast majority of user subscriptions have already been migrated to New Scanner Services, and Qualys will now begin a final push to migrate all remaining subscriptions.  The migration action requires no user action and is non-disruptive except in special circumstances, as described below.

This document outlines the process that will occur and provides guidance on what to expect.  If you have further questions, you may contact your Qualys reseller contact; your Qualys account manager; and/or Qualys support. Details about the migration schedule are at the end of this blog post.


How do I know if my subscription is already using New Scanner Services?

In the QualysGuard UI, navigate to Help > Account Info > General Information to see whether your subscription has been migrated to New Scanner Services.  If your subscription is already registered as Enabled for New Scanner Services, then the remainder of this document does not apply to you.

If your subscription is still in a Disabled state for New Scanner Services, then you should read on.

nssDisabled

What is New Scanner Services?

New Scanner Services is a distributed service which, as part of the QualysGuard Cloud Platform, manages communications with deployed scanner appliances.  It is a more robust and scalable service than the Dispatcher service it replaces, and brings many benefits.

What are the benefits of New Scanner Services?

The benefits of New Scanner Services are many and include some of the following:

  • Performance.  Improved scanner capacity monitoring, queuing, and job “microslicing” optimize the distribution of scans across multiple appliances.  See Microslicing Operation and Performance for more.
  • Resiliency.  Scan jobs managed by New Scanner Services continue to execute even during outages to the QualysGuard Cloud Platform UI and API.  Further, scheduled scan pauses are pre-loaded.
  • Monitoring.  Improved monitoring and metrics for appliances, including scanner capacity charts.
  • Virtual appliance availability.  Qualys has virtual appliances available for deployment onto VMware, Amazon EC2, Microsoft Hyper-V, etc.  Virtual appliances require New Scanner Services to be enabled on your subscription.

What visible changes should I expect after I am migrated to New Scanner Services?

The QualysGuard New Scanner Services Description article provides detail on the expected changes, which on the surface are mostly cosmetic.  The changes include:

  • Changes to email alerts.  New Scanner Services includes an additional email alert, a Scan Completed message which arrives as soon as the scanning work is done to provide a status update.  The existing Scan Results message still arrives when the completed scan results are ready for viewing.
  • Updated scanner status icons in the scanner management UI.
  • Appearance of scanner capacity chart in scanner info tab.

    scannercapacity

What Must I Do To Prepare for Migration To New Scanner Services?

Ensure that all of your appliances are ready for the migration.

In order for an appliance to be considered ready for the migration event, all of the following must be true:

icon_applnce_dispatcher_online

Each appliance is communicating with Dispatcher service.  If green, this icon indicates that an appliance can successfully connect to the Dispatcher service (i.e., orchestrator.qualys.com or orchestrator.qualys.eu).

Navigate to Vulnerability Management > Scans > Appliances to confirm that all appliances are Online.

Risk: An appliance that is not successfully communicating with Dispatcher at the time your subscription is migrated to New Scanner Services may be "orphaned" (see below).

icon_applnce_NonJDconnected

Each appliance is communicating with New Scanner Services.  If blue, this icon indicates that an appliance can successfully connect to New Scanner Services (i.e., scanservice1.qualys.com or scanservice1.qualys.eu).  Therefore, it is considered Ready for New Scanner Services.

ico_appliance_notready

If red, this icon indicates that scanservice1 cannot be reached.

Risk: An appliance that is not successfully communicating with New Scanner Services at the time your subscription is migrated may be "orphaned" (see below).

Tip:You should ensure that your outbound firewall, URL filtering, and/or proxy policies are updated to allow appliance outbound connectivity via HTTPS to scanservice1.qualys.com or scanservice1.qualys.eu at TCP port 443.

See How to check scanner appliance status for more guidance on this topic.

When will my subscription be migrated to New Scanner Services?

  • If all of your appliances are currently online, Qualys may migrate your subscription at any time.  If you would like to prioritize or explicitly schedule your migration, please contact your representative or Qualys Support.
  • If any of your appliances are currently offline, Qualys will begin contacting you individually to make arrangements for the migration (i.e., to decide the fate of currently offline appliances).
    • If you have offline appliances which you know to be decommisioned and unwanted, please contact Qualys support so that they may be removed from your account.
  • If any of your appliances have been continuously offline for more than 90 days, Qualys may proactively choose to consider these appliances decommissioned and unwanted by the user and may execute the migration to New Scanner Services without making special arrangements.

What happens to appliances which are not successfully migrated?

As mentioned above, appliances which are not fully online (i.e., communicating with both Dispatcher and New Scanner Services) at the time of migration may become temporarily or permanently orphaned and become unavailable for use.

If any of your appliances lose sync during the migration because they were offline at the time or otherwise, Qualys support and/or your MSSP will attempt the following recovery steps:

  • Technical support will ask you to verify full connectivity between the appliance and the QualysGuard Platform, including routing, proxy, firewall, and URL filtering configurations.
  • Technical support will perform a "session reset" on the Platform which can often bring an orphaned appliance back into sync.
  • Technical support will ask that you perform a hard reset on your appliance.  You may need to physically visit the deployment location in order to execute this.
  • Finally, if all other efforts have failed, Qualys will recommend that your current appliance be RMA’ed and replaced with another one.

How long will the migration take?

The migration process consists of a single configuration change to your subscription by Qualys support personnel. After New Scanner Services is enabled, all of your appliances should show green for New Scanner Services within 30 minutes.

Any scans already underway at the time of the migration should be unaffected.  They will complete first, and then the scanners will re-register to New Scanner Services.

Migration Schedule

For details about the migration dates for specific platforms, please see the following:

Note: There are no outstanding migrations for US Platform 2.

One response to “Qualys To Decommission Scan Job “Dispatcher”, Migrate All Subscriptions To “New Scanner Services””

Leave a Reply