This article completes the BMC Discovery Outpost FAQs available at the official Discovery documentation.

What are the most pertinent benefits of Outposts compared to proxies ?

Replacing a group of scanners/proxies by a group of outposts reduces the maintenance efforts. For example, scanners will require individual TKU (Technology Knowledge Update) and OSU (OS Upgrade) upgrades, not outposts. Proxies will require to be upgraded manually too. Whereas by default outposts will automatically be updated. 

Using a group of outposts should also consume less hardware than a group of scanners/proxies.

It is simpler to deploy/monitor/maintain/manage N outposts behind a firewall compared to deploy 1 scanner and N proxies.

Finally, a group of outposts requires less open ports compared to a group of scanners/proxies.

What are the most pertinent differences between Outposts and proxies ?

Proxies can only scan windows ip. Outposts can scan everything.

Proxies can't have their own credentials. Outposts can.

Proxies are not password protected. Outposts are.

Proxies can't have their own credential broker settings. Outposts can.

Proxy upgrades are manual. Outposts upgrades are automated.

Proxies can't manage scopes. Outposts can.

It could be easier to open the Outpost default port (443) compared to the proxy ports (4321, 4323)

Is it mandatory to use Outposts ?

In Saas, yes.

On prem, no.

Can a scanner be replaced by an Outpost ?

Yes. Yet in some situations it can be a 1:1 ratio, but in others It may require more than 1 outpost.

Can a consolidator be replaced by an Outpost ?

No.

Can Outposts use an existing Windows Proxy?

No. Outposts have a built-in proxy (and may create their own additional built-in outpost proxy services after adding Active Directory credentials).

How is the outpost load balanced?

The system can balance load across Outposts in a limited/static way. It initially balances the load, but after that, the scans with "anything suitable" keeps re-using the same outposts that used to successfully scan each ip until:

• • the outpost is reinstalled
  • the outpost is removed and registered again
  • the ip is excluded from the outpost that used to scan it
  • the ip is successfully rescanned with a specified outpost (instead of "anything suitable")

In the other cases, even if the scan fails, even if the reused outpost is down, the ip won't be assigned to another outpost.

Can two Outposts be installed on the same Windows Server?

No. A second installation will just override/replace the existing outpost.

Is it recommended to clone Outpost servers?

No. There are procedures to import the credentials and drivers from another outpost.

In case an outpost was cloned, then the cloned outpost should be uninstalled and then reinstalled instead. 

Is it still possible to scan from the appliance when an outpost is configured?

On prem: Yes, with valid credentials on the appliance. But will only be possible to scan Windows endpoints from the appliance if the appliance has a working Powershell credential.

In Saas: Only outposts can scan.

How to configure a scan when the appliance and/or outposts are restricted to some subnets?

Use "anything suitable" in the configuration of the Discovery run. Discovery will then select the proper outpost or the appliance itself to scan each endpoint.

How to set a scan using "anything suitable" when outposts should be restricted to scanning specific ips or subnets?

Connect to the Outpost UI then go to Manage > Configuration > IP Ranges and set the allowed and/or excluded ip ranges to scan.

Is it possible to force Discovery on Prem to only use outposts to scan?

Yes. In the UI of the appliance, go to Manage > Outposts and Proxies, then disable the option "Discovery is Enabled for all IP addresses on this Appliance"

Do Outposts share their credentials with all the registered appliances?

No.

Can the credentials be exported/imported from an Outpost to another one?

Yes, the outpost credentials (except for the AD credentials) can be exported from 1 outpost then imported to another outpost with this documented procedure, (See the section "To export the credential vault").

Can Outposts be registered with multiple Discovery appliances ?

Yes. Yet, note that by default an outpost will be updated as soon as the first of the appliances it is connected to will be upgraded or updated to a new TKU.

How to upgrade Outposts?

By default an outpost will be updated as soon as the first of the appliances it is connected to will be upgraded or updated to a new  TKU. See Upgrading the BMC Discovery Outpost.

Is it possible to replace the https certificate of an Outpost?

Yes. But it is not yet possible to do it from the outpost UI. More information here, and also in this blog article.

Where are the Outpost logs?

When using the default installation path, the main logs are stored in C:\Program Files\BMC Software\Discovery Outpost\log and the outpost proxy logs are stored in C:\Program Files\BMC Software\Discovery Outpost\runtime\*\log , where * can be multiple sub-folders.

How much swap should be allocated to an outpost?

This documentation page provides different minimum requirements (cpu, ram, os) but it does not cover the swap because BMC has no recommendations about that. Discovery administrators often chose to set a swap size 2x bigger than the ram.   

Does BMC provide OVAs or docker images for outposts installations?

No. Windows installers for outposts can be downloaded from Manage > Outposts & Proxies > Outposts in every appliance UI. See the documentation for more information on the system requirements for an outpost installation.