Step 1: Components and architecture, prerequisites, and download

This document is for:

Invicti Enterprise On-Premises

Invicti Enterprise is available as an On-Demand and On-Premises solution. Invicti Enterprise On-Premises is identical to the hosted version in terms of features and capabilities, but since it runs on your own servers and network, there are a few things to note:

You can scan any internal web application without the need to allow incoming access through corporate firewalls.
No internet connection is required.
Invicti Enterprise On-Premises can also be easily deployed on Amazon Web Services (AWS), Microsoft Azure, Google Cloud, or any other type of private cloud environment.
If your business has to adhere to strict regulatory compliance requirements and policies or you have concerns about your data being stored on our servers, you can still take advantage of Invicti Enterprise's workflow tools, scaling, and scanning capabilities. The On-Premises edition can be installed on your own servers managed by your team.
No data will leave the On-Premises edition of Invicti Enterprise.

This document explains the components and architecture, prerequisites, and how to download Invicti Enterprise On-Premises.

NOTE: All Invicti editions support IPv6 both as servers and agents. This means you can configure the Invicti Enterprise On-Premises server to use IPv6, and Invicti Enterprise can scan websites that use IPv6.

Components and architecture

Invicti Enterprise On-Premises contains five parts which are explained in the table below:

Component	Explanation
Application Server	This provides the web interface that enables the efficient administration and automation of scans. This is the application that users will see and use via the Invicti Enterprise UI.
Agent	This is a service application that executes scans and informs the Invicti Enterprise Application Server of the results. A single agent can only run one scan at a time. If you want to run more than one scan at a time, you will need to install more agents.
Authentication Verifier	This is a service application that verifies form-based login authentication configuration. It is an optional component. However, if you are scanning websites that require form authentication, you need to install it.
Authentication Verifier Service	This is a service application that establishes communication between the Authentication Verifier Agent and the Invicti Enterprise Application Server. It is an optional component. However, if you are scanning websites that require form authentication, you need to install it.
IAST Bridge	This is a service application that relays information from the Shark agent to the scanning agent. It is an optional component. If you are using Invicti Shark (IAST) for Java, .NET, and Node.js, you need to install this bridge.

The following diagram shows the architecture of Invicti Enterprise On-Premises.

Prerequisites

This section lists the minimum requirements for installing each of the components of Invicti Enterprise On-Premises.

ALLOWLISTING REQUIREMENTS:

Antivirus: Some antivirus or anti-malware software may prevent Invicti Enterprise On-Premises from working or cause it to run very slowly. To ensure you can use Invicti Enterprise On-Premises effectively, we recommend adding Invicti Enterprise files and folders to your antivirus (or other protection scanning software) exception list (also known as a 'whitelist' or 'allowlist'). For more information about the Invicti Enterprise files and folders we recommend excluding from your antivirus software, refer to Excluding Invicti files from antivirus scans.

Discovery service: To ensure you can use the discovery service and predictive risk scoring features, allowlist Invicti's discovery service URLs:

https://discovery-service.invicti.com
https://jwtsigner.invicti.com

Minimum requirements for the Invicti Enterprise Application Server

All components (the Application Server, the Agent, the Authentication Verifier, the Authentication Verifier Service, the IAST Bridge, and the Database Server) can be installed on the same server if the hardware meets the listed requirements.

TIP: We highly recommend that you install the Webapp, Agents, and DB on separate servers to maximize stability and performance.

Software requirements

Windows Server 2016 or later (Windows Server 2019 or later recommended)
Web Server (IIS) role should be installed on the server
IIS 10
.NET Framework 4.8

Hardware requirements

Minimum: 2x cores CPU, 4GB RAM, 5 GB Free Disk Space

This specification applies to using the Invicti Enterprise interface and scanning a few simple websites.

While Invicti Enterprise may run on a machine with a lower specification than this, we do not recommend doing so for performance reasons.

Recommended: 2x cores CPU, 16GB RAM, 20 GB Free Disk Space

This is a good general-purpose specification.

Advanced: 4x cores CPU, 32GB RAM, 50 GB Free Disk Space

This option is suitable if you have a large number of users, advanced websites, and want to run a large number of scans simultaneously.

Access requirements

RDP credentials and access as a user with Administrator rights
Can be installed by an Invicti Engineer (or the user) using the provided installer

Minimum requirements for the Invicti Enterprise Agent

These are the minimum requirements for installing the Invicti Enterprise Agent.

Software requirements	Windows Server 2016 or later (Windows Server 2019 or later recommended) .NET 6
Hardware requirements	1.4 GHz Processor (2 GHz or faster recommended) 4 GB RAM or higher recommended 10 GB free disk space for each internal agent
Network requirements	The Agent needs to be able to access the Invicti Enterprise Application Server’s HTTP(S) (443/80) port
Access requirements	Installation of the Agent requires Administrator rights Ensure that the following groups do not have permission to modify or write service executables and that these groups do not have Full Control permission to any directories that contain service executables: Everyone, Users, Domain Users, Authenticated Users

Minimum requirements for the Authentication Verifier Service and Authentication Verifier

These are the minimum requirements for installing the Invicti Enterprise Authentication Verifier Service and Authentication Verifier Agent.

Software requirements	Windows Server 2016 or later (Windows Server 2019 or later recommended) .NET 6 for Authentication Verifier Agent .NET 8 for Authentication Verifier Service IIS 10 for Authentication Verifier Service
Hardware requirements	1.4 GHz Processor (2 GHz or faster recommended) 1 GB RAM (4 GB or higher recommended) 2 GB Free Disk space (5 GB or higher recommended)
Network requirements	The Authentication Verifier Agent needs to be able to access the Authentication Verifier Service's HTTP(S) port. (Default port: 5000) Enterprise users should access the Invicti Authentication Verifier Service Hub publicly. (Default port: 5000) The Authentication Verifier Service needs to be able to access the Invicti Enterprise Application Server’s HTTP(S) (443/80) port.
Access requirements	Installation of the Authentication Verifier and Authentication Verifier Service requires Administrator rights Ensure that the following groups do not have permission to modify or write service executables and that these groups do not have Full Control permission to any directories that contain service executables: Everyone, Users, Domain Users, Authenticated Users

Minimum requirements for IAST Bridge

These are the minimum requirements for installing the Invicti IAST Bridge.

Software requirements	Windows Server 2016 or later (Windows Server 2019 or later recommended)
Hardware requirements	1.4 GHz Processor (2 GHz or faster recommended) 4 GB RAM or higher recommended
Network requirements	The IAST Bridge Service needs to be able to listen to the Invicti Enterprise Application Server’s HTTP(S) (7880) port
Access requirements	Installation of the IAST Bridge requires Administrator rights Ensure that the following groups do not have permission to modify or write service executables and that these groups do not have Full Control permission to any directories that contain service executables: Everyone, Users, Domain Users, Authenticated Users

Minimum requirements for the Database Server

These are the minimum requirements for the Database Server.

IMPORTANT: The database is not provided by Invicti. You must set it up yourself.

Software requirements	Microsoft SQL Server 2016 or later (Microsoft SQL Server 2019 or later recommended)
Hardware requirements	Same as the Application Server requirements above
Network requirements	The Invicti Enterprise Application Server needs to access this database server for the relevant port (1433 by default), or it needs to be on the same server
Access requirements	An SQL Server database login with the db_owner role The Name of an empty SQL Server database The Database Collation field should be configured as case-insensitive

NOTE: The db_owner permission is required during installation and updating. The db_datareader and db_datawriter roles are enough for daily operations.

Downloading the installer files

TIP: Check out our video walk-through to learn how to install Invicti Enterprise On-Premises: Invicti Enterprise On-Premises Installation

How to download the installer files

Download to your server the InvictiEnterprise.zip file that was emailed to you.
Extract the .zip file to a directory.
Check that these five files are in the directory:

WebAppSetup.exe (Invicti Enterprise Application Server installer)
AgentSetup.exe (Invicti Enterprise Agent installer)
AuthVerifierAgentSetup.exe (Invicti Enterprise Authentication Verifier installer)
AuthVerifierServiceSetup.exe (Invicti Enterprise Authentication Verifier Service installer)
IASTBridgeSetup.exe (Invicti IAST Bridge installer)

NOTE: If you also purchased Invicti API Security, the .zip file will contain an additional file called ApiHubServiceSetup.exe. For instructions on how to install Invicti API Security as a component of Invicti Enterprise On-Premises, refer to Installing Invicti API Security On-Premises.