How To: Set up a Discovery job

Applies to:

Venafi Encryption Director version 6.x and higher, TrustAuthority 14 and higher


This article describes the steps needed to set up a Discovery job on Venafi Encryption Director. It answers these questions:

  • What are the steps to set up a Discovery job?
  • How do you configure a server for Discovery, and restrict it to an IP address range, or Zone?


More info:

Network Discovery Overview:

Network Discoveries are run by the Discovery module in the Platforms tree. The server where the Discovery module is installed is referred to as the Discovery Server. Network discoveries are configured using Discovery objects in the Discovery tree. The Discovery objects in the Discovery tree provide the information that the Discovery Server requires to run a Network discovery. 

Because of Director's modular architecture, the Discovery module can be independently deployed on one or more servers. Depending on your system requirements, you may run discoveries from a single Director server or, for larger systems, you may require a dedicated Discovery Server. For example, if you scan both private and public IP addresses, you may configure one Discovery Server inside the firewall and another outside the firewall.

Setting up Venafi Encryption Director to discover certificates in your network can be divided into three main tasks:

  1. Creating and configuring a Discovery object in the Discovery tree.
  2. Scheduling the job(s).
  3. Configuring Discovery servers for certain IP address ranges (Zones).

1: Configuring a Discovery object (job)

  • Log in to the Windows Administration Console with your admin user, or with a user ID that has View and Create rights to the root of the Discovery tree.
  • Navigate to the Discovery tree, and select the root object.
  • Click Add > Discovery.
  • Give the object a name, and press Create.
  • Navigate to the Settings tab to set up the object with parameters such as the addresses and ports to scan, and exclusion objects.
  • NOTE: An exclusion object is created separately, and defines which subnets or address ranges not to scan.

2: Scheduling:

There are two types of schedule:

  • Submission Schedule: This sets the time at which you can submit a job to the Discovery server queue. This schedule is exposed to the user because simply submitting a large job for processing may burden that server excessively.
  • Execution Window: A schedule that sets the time your job will be executed.

Both types are configured on the tabs of the Discovery object, and are called "Submission Schedule" and "Execution Window" respectively.

3: Configuring a server for a Zone:

In a multi-server Director configuration, each server can be configured to discover only certain subnet(s). This can be advantageous in large distributed environments, or across wide area networks where bandwidth restrictions apply. To configure a server for a Zone, follow these steps:

  • Log in to the Windows Administration Console with your admin user, or with a user ID that has View and Write rights to the server object. The server object resides in the Platforms tree.
  • Select the Platforms tree.
  • In the Platforms tree, select the Director Server object.
  • In Discovery Zones, click ADD and define the range of IP addresses that this server object is to service. This server needs to be able to access this range.
  • Repeat the above steps for every Discovery Zone you want this server to service.
  • When finished, press Apply.

NOTE: For details on what happens at the packet level while Director is processing a Discovery request, see KB 21416607.
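
A planning check for the zone setup above, as an added example (not Venafi code): it takes the address ranges a Discovery object is to scan, subtracts the exclusion ranges, and reports which server's Discovery Zones cover each remaining block and which blocks no server services. The server names, ranges and function names are constructed for illustration, and how Director itself handles an address that falls outside every zone is not stated in this article.

```python
import ipaddress as ip

def to_networks(spec):
    """Parse a CIDR block or a 'first-last' range into a list of networks."""
    if "-" in spec:
        first, last = (ip.ip_address(p.strip()) for p in spec.split("-"))
        return list(ip.summarize_address_range(first, last))
    return [ip.ip_network(spec.strip(), strict=False)]

def parse_all(specs):
    return [net for spec in specs for net in to_networks(spec)]

def subtract(nets, removed):
    """Return nets with every network in removed carved out."""
    result = list(nets)
    for ex in removed:
        kept = []
        for n in result:
            if not n.overlaps(ex):
                kept.append(n)                      # untouched by this exclusion
            elif not n.subnet_of(ex):
                kept.extend(n.address_exclude(ex))  # ex lies inside n
            # else: n is wholly inside ex and is dropped
        result = kept
    return list(ip.collapse_addresses(result))

def plan(targets, exclusions, zones):
    """Map each server to the in-scope blocks its zones cover; list the gaps."""
    scope = subtract(parse_all(targets), parse_all(exclusions))
    assigned, all_zone_nets = {}, []
    for server, specs in zones.items():
        znets = parse_all(specs)
        all_zone_nets += znets
        # Two networks overlap only when one contains the other, so the
        # intersection is whichever of the pair has the longer prefix.
        hits = [max(s, z, key=lambda n: n.prefixlen)
                for s in scope for z in znets if s.overlaps(z)]
        assigned[server] = [str(n) for n in ip.collapse_addresses(hits)]
    uncovered = [str(n) for n in subtract(scope, all_zone_nets)]
    return assigned, uncovered

# Constructed sample data (IPv4 only; names and ranges are hypothetical).
TARGETS = ["10.10.0.0/22"]
EXCLUSIONS = ["10.10.1.0/24"]
ZONES = {"disc-internal": ["10.10.0.0/23"],
         "disc-dmz": ["10.10.3.0-10.10.3.255"]}

if __name__ == "__main__":
    assigned, uncovered = plan(TARGETS, EXCLUSIONS, ZONES)
    for server, blocks in assigned.items():
        print(f"{server}: {blocks}")
    print("in scope but in no zone:", uncovered)
```

With the sample data, 10.10.2.0/24 is in scope for the job but falls in no server's zone, which is the kind of gap worth catching before the job is scheduled.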