1.0 Introduction
This article describes the minimum configuration requirements for successfully scanning keys, certificates, resources, and cryptographic assets in on-premises infrastructure types on the Windows platform.
It also describes:
Installing the Fortanix On-premises Scanner.
Configuring the scanner through the configuration file parameters.
Executing the Fortanix On-premises Scanner.
For detailed information about each on-premises infrastructure type, refer to Infrastructure Types.
2.0 Scanning Permissions
For detailed information on on-premises connection scanning permissions, refer to On-premises Connection Permissions.
3.0 Prerequisites
The following are the prerequisites to configure an on-premises connection on the Windows platform:
Server Specifications
The server hosting the scanner must have at least 2 virtual Central Processing Units (vCPUs) allocated.
The server must have a minimum of 8 GB of Random Access Memory (RAM) to support the scanner.
The server should have at least 20 GB of storage capacity for temporarily storing scanned data.
Operating System and Libraries
Supported operating systems include Windows Server 2016, 2019, 2022, and 2025. The necessary packages are available in .msi format.
Network Requirements
Outbound (Fortanix On-premises Scanner → External Services)
The Fortanix On-premises Scanner must be allowed to make outgoing connections to:
armor.fortanix.com on port 443
Databases on their configured ports
The following Internet Protocol (IP) range to communicate back to Fortanix Key Insight:
216.180.120.0/24
IP whitelisting is not mandatory. It is required only if your on-premises environment enforces outbound firewall restrictions.
Inbound (File System Scanner Agent → Fortanix On-premises Scanner)
The Fortanix On-premises Scanner must be reachable from the File System Scanner Agent:
Must accept inbound connections from the File System Scanner Agent’s IP on the configured port. For example, 8080 or 1443.
Firewall or security group rules must allow this traffic.
The service must bind to 0.0.0.0 or its external or private IP, not just 127.0.0.1.
NOTE
Although inbound connectivity is required, the Fortanix On-premises Scanner itself does not expose any ports externally.
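The following PowerShell pre-flight check is an added example, not part of the Fortanix documentation or product. It tests the outbound path to armor.fortanix.com on port 443, flags a loopback-only listener on the configured port, and creates an inbound rule scoped to the agent's address instead of any source. The agent address 192.0.2.10, the rule name, and the choice of port 8080 are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example: pre-flight check for the scanner's network requirements.
# $AgentIp and $ListenPort are placeholders; use your agent's address and configured port.
param(
    [string]$AgentIp    = '192.0.2.10',   # constructed sample address (TEST-NET-1)
    [int]   $ListenPort = 8080            # example port from this page
)

# 1. Outbound: the scanner must reach armor.fortanix.com on port 443.
$out = Test-NetConnection -ComputerName 'armor.fortanix.com' -Port 443 -WarningAction SilentlyContinue
if (-not $out.TcpTestSucceeded) {
    Write-Warning 'Outbound TCP 443 to armor.fortanix.com is blocked; check egress firewall rules.'
}

# 2. Bind address: a listener on 127.0.0.1 or ::1 only is unreachable from the agent.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $ListenPort -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "Nothing is listening on TCP $ListenPort; start the scanner and run this check again."
} elseif (-not ($listeners | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })) {
    Write-Warning "TCP $ListenPort is bound to loopback only."
}

# 3. Inbound: allow the configured port from the agent's address only, not from any source.
$ruleName = 'Fortanix scanner - inbound from FS agent'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $ListenPort -RemoteAddress $AgentIp | Out-Null
}

# Show the effective address scope of the rule for review.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
```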
Configuration File
The Fortanix On-premises Scanner requires a configuration file that includes a list of databases, source code, and file systems with their corresponding credentials, as well as the Fortanix DSM on-premises credentials. This configuration file is in plain text, and it is your responsibility to secure the file and its credentials.
Mixed Mode Authentication: If you are using Windows Authentication, ensure that Mixed Mode authentication is enabled in MSSQL before starting the scan.
Perform the following steps to enable the Mixed Mode:
Open Microsoft SQL Server Management Studio (SSMS).
Right-click the server’s name and select Properties.
Navigate to the Security page.
Set Server authentication to SQL Server and Windows Authentication mode.
Click OK.

Figure 1: Enable Mixed Mode authentication in SQL
4.0 On-premises Scanner Installation
You must install the Fortanix On-premises Scanner package on a Windows machine to manage your databases, source code, file systems, and Fortanix DSM on-premises keys and resources.
Perform the following steps to install the Fortanix On-premises Scanner:
Download and open the Fortanix Key Insight scanner Microsoft installer (msi) file.
Review the license agreement and select the check box to accept the terms.
Figure 2: On-premises Windows Installer
Click Install to begin the installation.
After the installation is complete, click Finish to exit the setup wizard. The installer installs the scanner at the default directory, C:\Program Files\Fortanix\KI\.
Figure 3: Installation completed
Generate the scanner configuration file as detailed in Section 5.0: On-Premises Scanner Configuration.
Initiate the scanning process as detailed in Section 6.0: On-Premises Scanner Execution.
NOTE
A sample configuration file is available at C:\ProgramData\Fortanix\KI\Conf\Config.yaml.example.
To upgrade the package on Windows, download the latest installer (.msi) and run it. The installer automatically replaces the previous version and no manual uninstallation is required.
5.0 On-premises Scanner Configuration
For detailed information on how to configure the Fortanix On-premises Scanner for both Linux and Windows platforms, including authentication methods, database, source code, and file system infrastructures, and secure credential management using environment variables or configuration files, refer to On-premises Scanner Configuration File.
6.0 On-premises Scanner Execution
NOTE
The scanner command in this section requires the configuration file to be named config.yaml. If you are using the provided example file (config.yaml.example), make sure to copy or rename it to config.yaml before running the scanner command.
After configuring the Fortanix On-premises Scanner, perform the following steps to execute it:
Open the command prompt and run the following command to navigate to the scanner installation directory:
cd "C:\Program Files\Fortanix\KI"
Run the following command to execute the Fortanix On-premises Scanner:
NOTE
Recommended guidelines:
Run the FortanixScanner.exe file from the C:\Program Files\Fortanix\KI directory.
Keep the config.yaml file in the C:\ProgramData\Fortanix\KI\Conf directory.
FortanixScanner.exe start --config-file <path-to-config.yaml>
Where, <path-to-config.yaml> is the full path to your scanner configuration file. For example: C:\ProgramData\Fortanix\KI\Conf\config.yaml.
NOTE
After you start the Fortanix On-premises Scanner, any changes made to the scanner configuration file require restarting the scanner to apply the latest updates.
If a scan is interrupted or closed before completion, then the next scan will restart from the beginning.
To stop the Fortanix On-premises Scanner running in Command Prompt, press Ctrl + C in the same console window.
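Because the configuration file is plain text and holds credentials, its ACL is worth setting explicitly instead of leaving it to inherit from the parent directory. The following PowerShell is an added example, not Fortanix code: it removes inherited permissions from config.yaml, grants access only to SYSTEM, Administrators and the account that launches the scanner, then audits the result. It assumes the scanner is started by the current user and that the file is at the location recommended above; run it from an elevated session.

```powershell
# Added example (not Fortanix code): lock down the plain-text scanner configuration file.
$config = 'C:\ProgramData\Fortanix\KI\Conf\config.yaml'   # location recommended on this page

# Assumption: the scanner is launched by the current user; substitute your run-as account.
$runAs    = "$env:USERDOMAIN\$env:USERNAME"
$runAsSid = ([System.Security.Principal.NTAccount]$runAs).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Well-known SIDs keep the script independent of the Windows display language.
$allowedSids = @('S-1-5-18', 'S-1-5-32-544', $runAsSid)   # SYSTEM, Administrators, run-as

# Remove inherited ACEs, then set explicit grants: full control for SYSTEM and
# Administrators, read-only for the account that runs the scanner.
icacls $config /inheritance:r | Out-Null
icacls $config /grant:r '*S-1-5-18:(F)' '*S-1-5-32-544:(F)' "*${runAsSid}:(R)" | Out-Null

# Audit: /grant:r only replaces ACEs for the principals named above, so an explicit
# grant left over for any other principal would still expose the credentials.
$unexpected = (Get-Acl -Path $config).Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sid -notin $allowedSids
}

if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType
    Write-Warning "$config is accessible to principals outside the allowed set."
} else {
    Write-Output "$config ACL is limited to SYSTEM, Administrators and $runAs."
}
```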
7.0 Additional References
After configuring the Fortanix On-premises Scanner, refer to the following:
Getting Started With On-Premises Connection for guidance on onboarding an on-premises connection in Fortanix Key Insight.
On-Premises Connection Troubleshooting for guidance on troubleshooting steps for common issues encountered while configuring and running Fortanix Key Insight in on-premises environments.