Micro Focus

Fortify WebInspect Enterprise

Software Version: 21.1.0 Windows® operating systems

Installation and Implementation Guide

Document Release Date: July 2021 Software Release Date: July 2021

Legal Notices

Micro Focus The Lawn

22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2009-2021 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

• Software Version number

• Document Release Date, which changes each time the document is updated

• Software Release Date, which indicates the release date of this version of the software

This document was produced on May 20, 2021. To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://www.microfocus.com/support/documentation

Contents

Preface‌

Contacting Micro Focus Fortify Customer Support‌

Visit the Support website to:

• Manage licenses and entitlements

• Create and manage technical assistance requests

• Browse documentation and knowledge articles

• Download software

• Explore the Community https://www.microfocus.com/support

  
  

  For More Information‌

  For more information about Fortify software products: https://www.microfocus.com/solutions/application-security

  
  

  About the Documentation Set‌

  The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Micro Focus Product Documentation website:

  https://www.microfocus.com/support/documentation

  
  

  Change Log‌

  The following table lists changes made to this document. Revisions to this document are published between software releases only if the changes made affect product functionality.

  
  

  Software Release / Document Version	Changes
  21.1.0	Updated:
  20.2.0	Added:
  20.1.0	Updated:
  19.2.0 / December 2019	Updated:

  • Release version and date.

  • Cross-references to configuring Windows Authentication in topics related to decoupling Fortify WebInspect Enterprise from Fortify Software Security Center. See "Important Considerations About Decoupling" on page 12 and "Upgrading and Decoupling Fortify WebInspect Enterprise from Fortify Software Security Center" on page 46.

  • IIS installation information to remove specific .NET Framework and ASP.NET version numbers. See "Preparing to Install Fortify WebInspect Enterprise" on page 16.

  • Upgrade and Guided Scan information with important details about manually updating the WebInspect Enterprise Desktop Application. See "Upgrading from Earlier Versions" on page 15 and "About the WebInspect Enterprise Desktop Application" on page 72.

  • Description of WebInspect Enterprise Desktop Application to remove reference to specific browsers. See "About the WebInspect Enterprise Desktop Application" on page 72.

  • Link for downloading a certificate revocation list (CRL). See "Installations Lacking Internet Connection" on page 77.

  • Description of Guided Scan to include WebInspect Enterprise Desktop Application that provides support for Chrome and Firefox browsers. See "About the WebInspect Enterprise Desktop Application" on page 72.

  
  

  Software Release / Document Version	Changes
  19.2.0	Updated:

  • Release version and date.

  Chapter 1: Before You Begin‌

  Micro Focus Fortify WebInspect Enterprise is available in FIPS and non-FIPS compliant versions for 64-bit operating systems. This topic provides information to help you select the appropriate installer package and to ensure that your system meets the requirements and recommendations for installing Fortify WebInspect Enterprise.

  
  

  FIPS or Non-FIPS Compliance‌

  Federal Information Processing Standards (FIPS) are standards developed by the U.S. federal government for use in computer systems to ensure that all agencies adhere to the same guidelines regarding security and communication.

  Fortify WebInspect Enterprise version 21.1.0 has two installer packages with different filenames—one installation complies with FIPS cryptography requirements and the other does not. Make sure that you download and use the correct installer package, based on whether your environment uses FIPS. The user interface for the installation procedure is the same for both packages.

  Fortify WebInspect Enterprise and the Micro Focus Fortify WebInspect sensors it uses must all be compliant with FIPS or they must all be non-compliant.

  Fortify Software Security Center runs on an Apache Tomcat server, which includes a FIPS mode. When integrating Fortify WebInspect Enterprise with Fortify Software Security Center in a FIPS-compliant environment, see your Apache Tomcat documentation for instructions on configuring FIPS mode on the server.

  
  

  Installation and Upgrade Options‌

  The following table describes the installation and upgrade options for Fortify WebInspect Enterprise.

  
  

  Option	Description
  Integration with Fortify Software Security Center	Integration with Micro Focus Fortify Software Security Center provides a way to publish scans to a central repository of all static and dynamic scans. It also provides somewhat centralized accounts, although permissions are still managed separately, the ability to submit scan requests, and more extensive reporting than a standalone installation.
  Standalone	For new installations, you may choose not to integrate your Fortify WebInspect Enterprise with Fortify Software Security Center.

  
  

  Option	Description
  	Important! If you install Fortify WebInspect Enterprise as standalone, you cannot integrate with Fortify Software Security Center at a later date. You must choose to integrate with Fortify Software Security Center initially.
  Decouple from Fortify Software Security Center	For existing installations, you may choose to decouple your Fortify WebInspect Enterprise from Fortify Software Security Center. If you choose to decouple, the Initialization Wizard provides an option to map each existing Fortify Software Security Center account—either user account or LDAP account—to a Windows account. Only Fortify Software Security Center accounts that were configured with permissions in Fortify WebInspect Enterprise will be displayed for mapping. Important! Decoupling Fortify WebInspect Enterprise from Fortify Software Security Center is permanent. Reconnecting to Fortify Software Security Center is not supported.

  
  

  Important Considerations About Decoupling‌

  Decoupling Fortify WebInspect Enterprise from Fortify Software Security Center ends all links and communication between the two systems. Before decoupling Fortify WebInspect Enterprise from Fortify Software Security Center, you should perform maintenance in both systems to ensure that you are ready to decouple.

  Consider the following:

• You will not be able to log into Fortify WebInspect Enterprise and Fortify Software Security Center using the same credentials.

  • Decoupled and standalone Fortify WebInspect Enterprise installations use Windows Authentication.

    
    

    Important! Before decoupling Fortify WebInspect Enterprise from Fortify Software Security Center, enable Windows Authentication as described in "Installing IIS, ASP.NET, and .NET Framework" on page 16.

  • When decoupling, you will have the opportunity to map Fortify Software Security Center users to Fortify Windows Users for logging into Fortify WebInspect Enterprise.

• You will not be able to publish scans to Fortify Software Security Center from Fortify WebInspect Enterprise.

  
  

• Any previous scans published to Fortify Software Security Center will remain in Fortify Software Security Center.

• You will not be able to perform or see previous Scan Requests.

• Deleted Application Versions that have not been purged will remain in Fortify WebInspect Enterprise.

• Any new Applications and Application Versions that are created in Fortify Software Security Center will not be created in Fortify WebInspect Enterprise.

• Any new Applications and Application Versions that are created in Fortify WebInspect Enterprise will not be created in Fortify Software Security Center.

  
  

  System Requirements‌

  Before installing Fortify WebInspect Enterprise, make sure that your systems meet the requirements described in the Micro Focus Fortify Software System Requirements.

  
  

  Installation Recommendation‌

  Fortify recommends that you do not install Fortify WebInspect Enterprise on the same machine as Fortify WebInspect. Doing so may result in known issues that affect the usability of the products.

  
  

  Installing or Upgrading Fortify Software Security Center (Optional)‌

  If you are integrating Micro Focus Fortify WebInspect Enterprise with Micro Focus Fortify Software Security Center, then Fortify Software Security Center version 21.1.0 must be installed and running before you install Fortify WebInspect Enterprise version 21.1.0. See the Micro Focus Fortify Software Security Center User Guide version 21.1.0 for information about installing or upgrading Fortify Software Security Center to the required version.

  
  

  Important! Before making each upgrade of Fortify WebInspect Enterprise, you must first upgrade Fortify Software Security Center to the supported version. For more information, see "Upgrading from Earlier Versions" on page 15.

  In Fortify Software Security Center:

• Note the Fortify Software Security Center URL. You will need to specify it during the installation of Fortify WebInspect Enterprise.

• Create a general Fortify Software Security Center administrator account or make note of an existing one. You will need to specify the user name and password of this account during the installation of Fortify WebInspect Enterprise and this person will automatically become the first Fortify WebInspect Enterprise system administrator.

• Create an account in Fortify Software Security Center for the Fortify WebInspect Enterprise Service, give it a recognizable user name such as wie_service, and give it the role of Fortify WebInspect

  
  

  Enterprise System. This service controls the sharing of application versions with Fortify WebInspect Enterprise and obtains lists of completed and running scans from Fortify WebInspect Enterprise. You will need to specify the user name and password of this account during the installation of Fortify WebInspect Enterprise.

  
  

  Important! Do not combine the Fortify WebInspect Enterprise Service account with any other role. Also, do not modify the permission of the Fortify WebInspect Enterprise Service account in the Fortify WebInspect Enterprise Administration Console. Doing so may prevent new application versions from being created in Fortify Software Security Center or cause them to be created in the wrong Security Group.

  For information about creating accounts in Fortify Software Security Center, see the Micro Focus Fortify Software Security Center User Guide. The Micro Focus Fortify Software documentation set contains installation, user, and deployment guides for all Micro Focus Fortify Software products and components. In addition, technical notes and release notes describe new features, known issues, and last-minute updates. To obtain the latest versions of these documents, access one of the websites described in the "Preface" on page 8.

  
  

  About Fortify WebInspect Enterprise SSL Certificate and Fortify Software Security Center JRE‌

  When Micro Focus Fortify WebInspect Enterprise is integrated with Micro Focus Fortify Software Security Center, the Fortify WebInspect Enterprise SSL certificate must be in the Fortify Software Security Center trust store. Therefore, you must import the Fortify WebInspect Enterprise SSL certificate into the Java runtime environment (JRE) certificate store in Fortify Software Security Center.

  
  

  Importing Fortify WebInspect Enterprise SSL Certificate‌

  Use the following process to import the Fortify WebInspect Enterprise SSL certificate into the JRE certificate store in Fortify Software Security Center.

  
  

  Stage	Description
  1	Install or upgrade Fortify Software Security Center.
  2	Install or upgrade Fortify WebInspect Enterprise. For more information, see "Installing the Fortify WebInspect Enterprise Server Software" on page 26.
  3	Run the Fortify WebInspect Enterprise Initialization Wizard to integrate Fortify WebInspect Enterprise with Fortify Software Security Center. For more information, see "About the Initialization Wizard" on page 27 and "Setting Up a Fortify Software Security Center (SSC) Connection" on page 35.
  4	Log into the Fortify WebInspect Enterprise Web Console using a supported version of Internet Explorer or Firefox. For more information, see Micro Focus Fortify Software System Requirements.

  
  

  Stage	Description
  	Do one of the following to export the Fortify WebInspect Enterprise SSL certificate:
  5	Copy the Fortify WebInspect Enterprise SSL certificate to the SSL Server install machine. Example C:\Program Files\Java\jre1.8.0_xxx\lib\security\WIESSL.cer (or *.der)
  6	Use the keytool utility to import the Fortify WebInspect Enterprise SSL certificate into the Java Store: C:\Program Files\Java\jre1.8.0_<xxx>\bin>keytool -import -alias wie -keystore "C:\ Program Files\Java\jre1.8.0_ xxx\lib\security\cacerts" -file "C:\Program Files\Java\jre1.8.0_xxx\lib\security\WIESSL.cer" (or *.der) Note: The default password is changeit.
  7	Restart the Tomcat server hosting Fortify Software Security Center.

  • If using Internet Explorer, export the CER encoded binary X.509 (*.CER) file.

  • If using Firefox, export the DER encoded binary X.509 (*.DER) file.

  1. Type the following at the command prompt to access the keytool utility:

  2. Enter the keystore password.

  3. When prompted to trust this certificate, select yes. The certificate is added to the keystore.

  
  

  Upgrading from Earlier Versions‌

  This topic describes the options for upgrading from earlier versions of Micro Focus Fortify WebInspect Enterprise.

  
  

  Upgrading from Fortify WebInspect Enterprise 20.2.0‌

  You can upgrade to Fortify WebInspect Enterprise 21.1.0 directly from Fortify WebInspect Enterprise 20.2.0, but not from any other versions of Fortify WebInspect Enterprise. Also, see "Installing or Upgrading Fortify Software Security Center (Optional)" on page 13.

  
  

  Important! If you previously downloaded the WebInspect Enterprise Desktop Application from Fortify WebInspect Enterprise 20.2.0, you must download and install the application again after upgrading to get the 21.1.0 version.

  
  

  Fortify Software Security Center Upgrade Requirements (Optional)‌

  If you are integrating Fortify WebInspect Enterprise with Micro Focus Fortify Software Security Center, then before making each upgrade of Fortify WebInspect Enterprise, you must first upgrade Fortify Software Security Center to the supported version as shown in the following table.

  
  

  Before upgrading to Fortify WebInspect Enterprise version	First upgrade to Fortify Software Security Center version
  19.2.0	19.2.0
  20.1.0	20.1.0
  20.2.0	20.2.0
  21.1.0	21.1.0

  
  

  Note: The supported versions of .NET Framework must be installed on the Micro Focus Fortify WebInspect sensor before Fortify WebInspect is upgraded to version 21.1.0. For more information, see the Micro Focus Fortify Software System Requirements.

  
  

  Preparing to Install Fortify WebInspect Enterprise‌

  This section describes how to prepare for installing Micro Focus Fortify WebInspect Enterprise by installing and configuring the prerequisite software, creating an account for a sensor user, and ensuring secure HTTPS operation.

  If you are integrating Fortify WebInspect Enterprise with Micro Focus Fortify Software Security Center, see "Installing or Upgrading Fortify Software Security Center (Optional)" on page 13.

  
  

  Installing IIS, ASP.NET, and .NET Framework‌

  You must install and configure Internet Information Services (IIS), ASP.NET, and the Microsoft .NET Framework, if applicable. The following paragraphs provide guidance for installing and configuring these components.

  
  

  Note: These instructions describe a third-party product and might not match the specific, supported version you are using. See your product documentation for the instructions for your version.

  
  

  Note: When you select role services to add, some or all of their subordinate role services might be automatically selected as well. Leave any automatic selections as is. If a message appears indicating that other particular role services must also be installed, click the button to add them and they will be automatically selected for installation.

  To install IIS and add the Web Server (IIS) server role and required role services:

  1. In the Server Manager, click Manage and then Add Roles and Features. The Add Roles and Features Wizard appears.

  2. Follow the wizard to select the installation type and destination server.

  3. On the Server Roles window, do the following:

     • Select the Web Server (IIS) check box, if it is not already selected.

     • If you are installing a standalone or decoupled Fortify WebInspect Enterprise, then expand the

       Web Server > Security role service and select the Windows Authentication check box.

       
       

       Important! If you do not select Windows Authentication, you will not be able to connect to the Fortify WebInspect Enterprise Manager and complete the initialization.

  4. Click Next.

  5. On the Features window under .NET Framework <version> Features, select .NET Framework

     <version> and ASP.NET <version>.

     
     

     Note: The version of .NET Framework and ASP.NET available in IIS depends on the OS version you are using. For example, you may see .NET Framework 4.6 or .NET Framework 4.7.

  6. Click Next.

  7. On the Role Services window under Application Development, select ASP.NET <version>.

  8. Click Install to install IIS with the features, roles, and role services you selected.

  
  

  IIS Integrated Mode‌

  During installation or upgrade, the Fortify WebInspect Enterprise Manager Web Service (WIE server) will be set up in IIS using the IIS integrated mode for the application pool. This means that the Fortify WebInspect Enterprise web site no longer needs to have ISAPI filters configured or ISAPI and CGI restrictions configured in IIS. Integrated mode does not use either of these elements.

  
  

  IIS Application Pool Identity‌

  Fortify WebInspect Enterprise no longer uses ASP.NET impersonation. Previously, ASP.NET impersonation was used to ensure that the account that was logged onto the server had the appropriate permissions to folders, registry keys, and encryption methods. However, Fortify WebInspect Enterprise now uses IIS7 and the application pool identity, which provides most of the required permissions.

  
  

  This means that ASP.NET impersonation will not be enabled in the Authentication section of the application in IIS. The application will run with the application pool identity account, which is IIS AppPool\WIEAppPool. Fortify recommends that you do not change this account in IIS.

  
  

  Important! The Fortify WebInspect Enterprise server application uses the IIS application pool identity. Because the IIS application pool is not a true Windows account, Fortify WebInspect Enterprise cannot use Windows authentication for the database connection. Customers must create a SQL Server account that can be used for the database connection.

  
  

  Installing SQL Server‌

  Install a supported version of SQL Server software if it is not already installed.

  Fortify recommends that you configure the database server on a separate machine from either Fortify Software Security Center or Fortify WebInspect Enterprise.

  
  

  Important! If you are integrating Fortify WebInspect Enterprise with Fortify Software Security Center, the Fortify WebInspect Enterprise SQL Server database requires case-insensitive collation. This is opposite the requirement for Fortify Software Security Center databases.

  
  

  Creating a Sensor User‌

  Create a local user account or an Active Directory user account in Windows, with a recognizable name such as WIEsensor, to be used as a sensor user for Fortify WebInspect Enterprise. Note the domain name, the account name, and the password.

  
  

  Ensuring Secure HTTPS Operation‌

  Fortify strongly recommends that you do the following to use HTTPS securely:

  1. Completely disable SSLv2.

  2. Enable TLS 1.1 and 1.2.

  3. Disable weak ciphers, generally defined as:

     • Ciphers having key length less than 128 bits

     • NULL ciphers

     • Ciphers that use MD5

     • Ciphers that use anonymous key exchange

     • Ciphers that use RC2

  
  

  Using SAN or Wildcard Certificates and Non-Standard Ports in IIS‌

  The Fortify WebInspect Enterprise Initialization Wizard does not overwrite certificate and port bindings that you create in IIS. As a result, you can use SAN or wildcard certificates and non-standard ports when

  
  

  configuring the Fortify WebInspect Enterprise Manager Web Service during initialization. To use a SAN or wildcard certificate:

• Configure the web site in IIS with the appropriate bindings. During initialization, Fortify WebInspect Enterprise will show those configured bindings and will not overwrite them.

  To use a non-standard port:

• Configure the binding with the port in IIS. During initialization, Fortify WebInspect Enterprise can use this binding and port.

  For more information, see "Configuring the Web Service" on page 33.

  
  

  HTTP Binding Host Name‌

  If the HTTP binding in IIS does not contain a host name, the Initialization Wizard will create the HTTP URL using the server name. This configuration causes an issue with downloading the thin client for Guided Scan, reporting, and scan imports.

  To prevent this issue:

• In the Edit Site Binding dialog box in IIS, add a host name for the HTTP binding before running the Initialization Wizard.

  To correct this issue, do one of the following:

• In the Edit Site Binding dialog box in IIS, add a host name for the HTTP binding and re-run the Initialization Wizard.

• Modify the URL directly in the database. If you update the URL directly in the database only, the URL will revert to the server name if you run the Initialization Wizard again. To manually modify the URL in the database:

  1. Run the following commands in the WIE database, replacing the SettingValue with your host name:

     SELECT * FROM ConfigSetting WHERE SettingName = 'WIE.HttpUrl'

     UPDATE ConfigSetting SET SettingValue='http://my.host.com/wie/' WHERE SettingName = 'WIE.HttpUrl'

  2. Restart the WIE application pool for this change to take effect. For more information, refer to your IIS and SQL Server documentation.

  
  

  Using HTTPS with Guided Scan and Reports‌

  By default, using Guided Scan or generating reports in conjunction with a self-signed certificate requires that HTTP be enabled for Fortify WebInspect Enterprise. However, if you use a signed certificate, then you can manually modify the HTTP URL setting in the WIE database to use HTTPS.

  To use HTTPS:

  1. Run the following commands in the WIE database:

     SELECT * FROM ConfigSetting WHERE SettingName = 'WIE.HttpUrl'

     
     

     UPDATE ConfigSetting SET SettingValue='https://my.host.com/wie/' WHERE SettingName = 'WIE.HttpUrl'

  2. Restart the WIE application pool for this change to take effect.

  
  

  Important! The HTTP URL setting will need to be manually modified if the Initialization Wizard is run again.

  
  

  Databases in Availability Groups‌

  If your SQL database is part of an availability group, remove it from the AlwaysOn Availability Group. After the WIE initialization is complete, rejoin the database to the availability group.

  For more information, refer to your SQL Server documentation.

  
  

  Mirrored Databases‌

  If your SQL database is mirrored, set the partner option to OFF on the master database. After the WIE initialization is complete, perform a restore on the mirrored database and set the partner option to ON on the master database.

  For more information, refer to your SQL Server documentation.

  
  

  Related Documents‌

  This topic describes documents that provide information about Micro Focus Fortify software products.

  
  

  Note: You can find the Micro Focus Fortify Product Documentation at https://www.microfocus.com/support/documentation. All guides are available in both PDF and HTML formats. Product help is available within the Fortify WebInspect products.

  
  

  All Products‌

  The following documents provide general information for all products. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website.

  
  

  Document / File Name	Description
  About Micro Focus Fortify Product Software Documentation About_Fortify_Docs_<version>.pdf	This paper provides information about how to access Micro Focus Fortify product documentation. Note: This document is included only with the product download.

  
  

  Document / File Name	Description
  Micro Focus Fortify Software System Requirements Fortify_Sys_Reqs_<version>.pdf	This document provides the details about the environments and products supported for this version of Fortify Software.
  Micro Focus Fortify Software Release Notes FortifySW_RN_<version>.pdf	This document provides an overview of the changes made to Fortify Software for this release and important information not included elsewhere in the product documentation.
  What’s New in Micro Focus Fortify Software <version> Fortify_Whats_New_<version>.pdf	This document describes the new features in Fortify Software products.

  
  

  Micro Focus Fortify Software Security Center‌

  The following document provides information about Fortify Software Security Center. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-software-security-center.

  
  

  Document / File Name

  Description

  Micro Focus Fortify Software Security Center User Guide SSC_Guide_<version>.pdf

  This document provides Fortify Software Security Center users with detailed information about how to deploy and use Software Security Center. It provides all of the information you need to acquire, install, configure, and use Software Security Center. It is intended for use by system and instance administrators, database administrators (DBAs), enterprise security leads, development team managers, and developers. Software Security Center provides security team leads with a high-level overview of the history and current status of a project.

  
  

  Micro Focus Fortify WebInspect‌

  The following documents provide information about Fortify WebInspect. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-webinspect.

  
  

  Document / File Name	Description
  Micro Focus Fortify WebInspect Installation Guide WI_Install_<version>.pdf	This document provides an overview of Fortify WebInspect and instructions for installing Fortify WebInspect and activating the product license.
  Micro Focus Fortify WebInspect User Guide WI_Guide_<version>.pdf	This document describes how to configure and use Fortify WebInspect to scan and analyze Web applications and Web services. Note: This document is a PDF version of the Fortify WebInspect help. This PDF file is provided so you can easily print multiple topics from the help information or read the help in PDF format. Because this content was originally created to be viewed as help in a web browser, some topics may not be formatted properly. Additionally, some interactive topics and linked content may not be present in this PDF version.
  Micro Focus Fortify WebInspect on Docker User Guide WI_Docker_Guide_<version>.pdf	This document describes how to download, configure, and use Fortify WebInspect that is available as a container image on the Docker platform. This full version of the product is intended to be used in automated processes as a headless sensor configured by way of the command line interface (CLI) or the application programming interface (API). It can also be run as a Fortify ScanCentral DAST sensor and used in conjunction with Fortify Software Security Center.
  Micro Focus Fortify WebInspect Tools Guide WI_Tools_Guide_<version>.pdf	This document describes how to use the Fortify WebInspect diagnostic and penetration testing tools and configuration utilities packaged with Fortify WebInspect and Fortify WebInspect Enterprise.
  Micro Focus Fortify License and	This document describes how to install, configure, and

  
  

  Document / File Name	Description
  Infrastructure Manager Installation and Usage Guide LIM_Guide_<version>.pdf	use the Fortify WebInspect License and Infrastructure Manager (LIM), which is available for installation on a local Windows server and as a container image on the Docker platform.
  Micro Focus Fortify WebInspect Agent Installation Guide WI_Agent_Install_<version>.pdf	This document describes how to install the Fortify WebInspect Agent for applications running under a supported Java Runtime Environment (JRE) on a supported application server or service and applications running under a supported .NET Framework on a supported version of IIS.
  Micro Focus Fortify WebInspect Agent Rulepack Kit Guide WI_Agent_Rulepack_Guide_ <version>.pdf	This document describes the detection capabilities of Fortify WebInspect Agent Rulepack Kit. Fortify WebInspect Agent Rulepack Kit runs atop the Fortify WebInspect Agent, allowing it to monitor your code for software security vulnerabilities as it runs. Fortify WebInspect Agent Rulepack Kit provides the runtime technology to help connect your dynamic results to your static ones.

  
  

  Micro Focus Fortify WebInspect Enterprise‌

  The following documents provide information about Fortify WebInspect Enterprise. Unless otherwise noted, these documents are available on the Micro Focus Product Documentation website at https://www.microfocus.com/documentation/fortify-webinspect-enterprise.

  
  

  Document / File Name	Description
  Micro Focus Fortify WebInspect Enterprise Installation and Implementation Guide WIE_Install_<version>.pdf	This document provides an overview of Fortify WebInspect Enterprise and instructions for installing Fortify WebInspect Enterprise, integrating it with Fortify Software Security Center and Fortify WebInspect, and troubleshooting the installation. It also describes how to configure the components of the Fortify WebInspect Enterprise system, which include the Fortify WebInspect Enterprise application, database, sensors, and users.
  Micro Focus Fortify WebInspect Enterprise User Guide	This document describes how to use Fortify WebInspect Enterprise to manage a distributed network of Fortify

  
  

  Document / File Name	Description
  WIE_Guide_<version>.pdf	WebInspect sensors to scan and analyze Web applications and Web services. Note: This document is a PDF version of the Fortify WebInspect Enterprise help. This PDF file is provided so you can easily print multiple topics from the help information or read the help in PDF format. Because this content was originally created to be viewed as help in a web browser, some topics may not be formatted properly. Additionally, some interactive topics and linked content may not be present in this PDF version.
  Micro Focus Fortify WebInspect Tools Guide WI_Tools_Guide_<version>.pdf	This document describes how to use the Fortify WebInspect diagnostic and penetration testing tools and configuration utilities packaged with Fortify WebInspect and Fortify WebInspect Enterprise.

  Chapter 2: Installing Fortify WebInspect Enterprise‌

  This section describes the installation process and provides detailed procedures for installing the various components that make up Micro Focus Fortify WebInspect Enterprise.

  
  

  Important! To install Fortify WebInspect Enterprise on a server, you must be a system administrator on the server.

  
  

  About the Installation‌

  Installation of Fortify WebInspect Enterprise is driven by a series of wizards as described in the following sections. The major steps are:

• Installing the Fortify WebInspect Enterprise Server software, using the Fortify WebInspect Enterprise Setup Wizard

• Running the Fortify WebInspect Enterprise Initialization Wizard

• Configuring the Scan Uploader, Task, and Scheduler services

• Installing the Fortify WebInspect Enterprise Administrative Console, using the Fortify WebInspect Enterprise Console Setup Wizard

• Logging on to and configuring the Administrative Console

  After these installation procedures, this document includes information about the following topics:

• Post-installation configuration

  • Installing Micro Focus Fortify WebInspect as a sensor

    
    

    Note: When you install Fortify WebInspect to be used with Fortify WebInspect Enterprise, the installed product is called a sensor. The sensor does not include a user interface, and is controlled from the Fortify WebInspect Enterprise Administrative Console.

  • Adding sensor users (if not previously done)

  • Enabling sensors and configuring sensor permissions

  • Assigning administrators and roles

  • Moving application versions from the default group

  • If you are integrating Fortify WebInspect Enterprise with Micro Focus Fortify Software Security Center, updating settings to allow manual publishing of scans to Fortify Software Security Center

• Guided Scan and creating reports

• Time stamping and scheduling

  
  

• Installations lacking internet connection

• Troubleshooting the installation

  
  

  Note: If the installation is not successful, the prerequisites might not have been fully met. See "Troubleshooting the Installation" on page 79.

  
  

  Installing the Fortify WebInspect Enterprise Server Software‌

  Before installation, review "FIPS or Non-FIPS Compliance" on page 11.

  Install the Micro Focus Fortify WebInspect Enterprise server software on the server by running the Setup Wizard:

  1. Launch the WIE Server installation file.

     
     

     Note: If the wizard detects an earlier version of the Fortify WebInspect Enterprise server software, uninstall that version using Control Panel and then relaunch the installation file.

     The Welcome screen of the WebInspect Enterprise 21.1.0 Setup wizard appears.

  2. Click Next.

     The End-User License Agreement window appears.

  3. Review the license agreement. If you accept it, select the check box and click Next; otherwise click

     Cancel.

     If you accept the license agreement, the Product Features window appears.

  4. On the Product Features window:

     1. Select the components you want to install.

        Micro Focus Fortify WebInspect can scan a website and export the scan results to a location called a “dropbox.” The Scan Uploader Service accesses each dropbox periodically and, if files exist, it uploads those files to the Fortify WebInspect Enterprise Manager. To install the Fortify WebInspect Enterprise Scan Uploader Service, click the associated x icon, and then in the

        drop-down list click Will be installed on local hard drive.

     2. Accept the default location or click Browse to select the location where you want to install the software.

     3. Click Next.

        The Ready to install WebInspect Enterprise 21.1.0 window appears.

  5. When you are ready to install, click Install.

     Fortify WebInspect Enterprise software is installed on the computer and the Setup Wizard completes.

  6. Click Finish.

  
  

  About the Initialization Wizard‌

  After the Setup Wizard completes, the Welcome window of the Micro Focus Fortify WebInspect Enterprise Initialization Wizard appears.

  
  

  
  

  The Initialization Wizard initializes the software as described in this section. Its functions include:

• Activating the Fortify WebInspect Enterprise license

• Creating a new Fortify WebInspect Enterprise database or updating an existing one as needed

• Creating the Fortify WebInspect Enterprise website and web service

• Connecting Fortify WebInspect Enterprise and Micro Focus Fortify Software Security Center (Optional)

• Establishing the initial Fortify WebInspect Enterprise system administrator

  
  

  Note: After you complete these installation procedures, you will always be able to restart the Initialization Wizard if necessary, by clicking

  Start > All Programs > Fortify > Fortify WebInspect Enterprise 21.1.0 > WebInspect Enterprise Initialize.

  
  

  Activating the License‌

  To activate the Fortify WebInspect Enterprise license:

  1. Click Next.

     The Activate WebInspect Enterprise License dialog box appears.

     
     

     
     

  2. Enter the Activation ID that Micro Focus sent to you.

  3. Do one of the following:

     • If the computer is connected to the Internet, select Online Activation.

       If you are using a proxy server, select Use Proxy Server, click Edit, and provide the requested information.

     • If the computer is not connected to the Internet, select Offline Activation and then click File to select the location on this computer where you want the installation software to create a license request file named LicenseRequest.xml. This file will contain information about the computer that is required to obtain a license.

  4. Click Next.

     
     

     The WebInspect Enterprise License user information dialog box displays user information as submitted to Micro Focus.

     
     

  5. Correct the information as needed and click Next.

  6. If you selected Online Activation in Step 3, go to Step 8.

  7. If you selected Offline Activation in Step 3, the Complete Offline License Activation dialog box appears. It indicates that the license request file was generated successfully. Perform the procedure in this step to download from Micro Focus a license response file named LicenseResp.xml that you can copy to the computer, not connected to the Internet, on which you are installing Fortify WebInspect Enterprise.

     
     

     
     

     1. Copy the LicenseRequest.xml file you created in Step 3 to a portable device such as a flash drive.

     2. Copy the LicenseRequest.xml file from the portable device to a computer that is connected to the Internet.

        
        

     3. Open a browser and navigate to

        https://licenseservice.fortify.microfocus.com/OfflineLicensing.aspx.

        
        

     4. Select the option that describes how the license request file was generated and click Next. The Enter Request File for Processing window appears.

     5. Click Browse as needed, select the LicenseRequest.xml file that you copied to this computer, and then click Process Request File.

        If the request is processed successfully, the Successfully processed Request for Micro Focus Licensing window appears.

        
        

     6. Click Retrieve Response File.

     7. On the File Download dialog box, click Save and specify the location on the portable device where you want to download the response file LicenseResp.xml.

     8. Return to the computer on which you are installing Fortify WebInspect Enterprise. Copy the

        LicenseResp.xml file from the portable device to a location on this computer.

        
        

     9. In the Fortify WebInspect Enterprise Initialization Wizard, specify the License Response File

        field by clicking File and navigating to the location of the LicenseResp.xml file you just copied from the portable device.

        
        

        
        

     10. Click Next.

  8. The WebInspect Enterprise License Information dialog box displays information about the license. Review the information.

  
  

  Configuring the Database‌

  To provide the SQL Server information and select the database:

  1. Click Next.

     The SQL Server Information window appears.

     
     

     
     

  2. Enter the name of the SQL Server instance in the Database Server field and select the authentication that will be used. If you are installing Fortify WebInspect Enterprise for the first

     
     

     time, you must have privileges to create a database (or your database administrator must create a blank database and assign ownership to you).

  3. Click Next.

     The Database Selection window appears.

     
     

     
     

  4. Do one of the following:

     • To use a new database, select Create new database and enter a database name. You must have privileges to create this database.

     • To use an existing Fortify WebInspect Enterprise 20.2.0 database for an upgrade, select Use existing database and select a database from the drop-down list. You must have owner privileges for that database.

  5. Click Next.

  6. Do one of the following:

     • If you created a new database, skip to "Configuring the Web Service" on the next page.

     • If you are using an existing database for an upgrade from Fortify WebInspect Enterprise 20.2.0, the database must be upgraded, and the Fortify WebInspect Enterprise Database Upgrade window appears, instructing you to back up that database before upgrading it. After you have backed up the database, select the Database is backed up check box and click Next.

  
  

  Configuring the Web Service‌

  After configuring the database, the Set Up WebInspect Enterprise Manager Web Service window appears.

  
  

  
  

  If you have configured HTTPS bindings for the root web site in IIS, only those bindings will be listed in the Available Certificates. You will not be able to create a new binding for a web site in the Fortify WebInspect Enterprise Initialization Wizard. You can create a new binding only in IIS. The following table describes your options, based on your IIS settings.

  
  

  If...	Then...
  HTTPS is setup on the default web site for port 443 in IIS	Only that binding is available to select. You cannot create a new binding in the initialization wizard.
  Multiple HTTPS bindings are configured in IIS	You may select the binding you want Fortify WebInspect Enterprise to use. Your selection determines the host name that is used in the URL and the port that is used. This allows Fortify WebInspect Enterprise to run on a non-standard port.
  No HTTPS bindings have been created for port 443	You may select the certificate you want to use or create a new certificate.

  
  

  To configure the web service:

  1. Specify the root Web site and the IIS virtual directory name (WIE in the previous example), and select (or add and select) a certificate.

     These entries create the URLs for the following components:

     • Fortify WebInspect Enterprise URL for login to the Administrative Console:

       http(s)://<computer name>/<Virtual Directory name>

     • Web Console URL:

       http(s)://<computer name>/<Virtual Directory name>/WebConsole

  2. Click Next.

  
  

  Note: If an HTTPS binding has been created for site A and you select site B, which does not have any HTTPS bindings configured, then a warning message appears. You must set up an HTTPS binding manually for site B or select another site.

  
  

  Setting Up Fortify WebInspect Enterprise Database Users‌

  At this point, the Initialization Wizard performs a file check to ensure that the user has read access to the machine keys directory where the Data Protection Application Programming Interface (DPAPI) keys used for decrypting the connection string are stored. If you receive an error message, ensure that the Administrator has read access to the machine keys directory.

  The Set Up WebInspect Enterprise Database User window appears.

  
  

  
  

  1. Enter the User Name and Password used for SQL server authentication.

  2. Click Next.

  
  

  What's Next?‌

  Continue as follows:

• To install or upgrade a Fortify WebInspect Enterprise that is integrated with Fortify Software Security Center, go to "Setting Up a Fortify Software Security Center (SSC) Connection" below.

• To install or upgrade a standalone Fortify WebInspect Enterprise, go to "Installing or Upgrading a Standalone Fortify WebInspect Enterprise" on page 41.

• To upgrade and decouple Fortify WebInspect Enterprise that is integrated with Fortify Software Security Center, go to "Upgrading and Decoupling Fortify WebInspect Enterprise from Fortify Software Security Center" on page 46.

  
  

  Setting Up a Fortify Software Security Center (SSC) Connection‌

  After setting up Micro Focus Fortify WebInspect Enterprise Manager and database users, the Set Up SSC Connection Information window appears.

  
  

  
  

  To set up a connection to Micro Focus Fortify Software Security Center:

  1. The WebInspect Enterprise URL field has a default value based on previous configuration. Make a note of this URL.

  2. Ensure that the Integrate with SSC check box is selected.

  3. Specify the Software Security Center URL. See "Installing or Upgrading Fortify Software Security Center (Optional)" on page 13.

  4. Click Next.

     
     

     The Software Security Center Users window appears.

     
     

     
     

  5. Before continuing, make sure that Fortify Software Security Center is running and that a Fortify Software Security Center administrator is logged on.

  6. In the Software Security Center Users window, specify the Fortify Software Security Center accounts for that administrator and for the Fortify WebInspect Enterprise Service Account. See "Installing or Upgrading Fortify Software Security Center (Optional)" on page 13. The Fortify Software Security Center administrator you specify here will automatically become the first Fortify WebInspect Enterprise system administrator.

  7. Click Next.

  The installation software verifies that Fortify WebInspect Enterprise can access the Fortify Software Security Center server and use the Fortify Software Security Center accounts you specified. If it cannot, an error message is displayed; make sure that Fortify Software Security Center is running.

  
  

  Initializing Fortify WebInspect Enterprise‌

  After configuring the connection to Fortify Software Security Center, the Ready to Start window appears.

  
  

  
  

  Verify your previous choices and begin initializing Fortify WebInspect Enterprise.

  1. Do one of the following:

     • To change settings, click Back.

     • To begin initializing Fortify WebInspect Enterprise using the values you have specified, click

       Next.

       The Initialization Wizard:

       • Creates a new database if you chose to do so in "Configuring the Database" on page 31.

       • Registers Fortify WebInspect Enterprise with Fortify Software Security Center. Then Fortify Software Security Center sends all current application versions (finished and unfinished) to Fortify WebInspect Enterprise, where they get created and can be displayed.

       • Configures various system components.

       • In the displayed, cumulative Status list in the Ready to Start window, adds the next step when it begins, with a flashing blue information icon while that step is running, and changes that icon to a green check mark when that step completes successfully (except for the first step, which is Initializing Database).

         
         

         When the initialization completes successfully, a window displays a list of initialization steps and the final initialization step is “Web Service Initialization Succeeded...”

         
         

         
         

  2. Click Next.

  The Fortify Software Security Center administrator you specified in "Setting Up a Fortify Software Security Center (SSC) Connection" on page 35 automatically becomes the first System Administrator in Fortify WebInspect Enterprise.

  
  

  Note: If the Fortify Software Security Center administrator’s password expires or is changed, or if a new Fortify Software Security Center administrator is chosen for interaction with Fortify WebInspect Enterprise, a Fortify WebInspect Enterprise administrator will need to rerun the Initialization Wizard (Start > All Programs > Fortify > Fortify WebInspect Enterprise

  21.1.0 > WebInspect Enterprise Initialize) and specify the new credentials for the Fortify Software Security Center administrator in "Setting Up a Fortify Software Security Center (SSC) Connection" on page 35. Then at this point in the initialization process, the Initialization Wizard will detect that the newly specified Fortify Software Security Center administrator exists in Fortify Software Security Center but is not a System Administrator in Fortify WebInspect Enterprise. In this case, the Wizard will display the Administrator Role Page, allowing you to add the new administrator to Fortify WebInspect Enterprise with the System Administrator role by selecting the Add Current User to System Administrator Role check box and clicking Next.

  
  

  The Connecting to WebInspect Enterprise Manager screen appears until the connection is made.

  
  

  
  

  Adding Sensor Users‌

  After Fortify WebInspect Enterprise is initialized, the Sensor Users window appears.

  
  

  
  

  Optionally add at least one sensor user for Fortify WebInspect Enterprise to use to run scans. Sensor users must not be general console users and they must have been previously created as Windows users as described in "Preparing to Install Fortify WebInspect Enterprise" on page 16.

  You do not have to add any sensor users to Fortify WebInspect Enterprise at this point, but you will need to specify at least one sensor user before you can run any scans. Post-installation configuration procedures in this document also describe how to add sensor users.

  
  

  To add a sensor user to Fortify WebInspect Enterprise now:

  1. Click Add.

  2. In the Select Users or Groups dialog box, type the name of an existing user to add (see "Preparing to Install Fortify WebInspect Enterprise" on page 16), in the format localhost\user or domain\user. If you specify only the user, you can click Check Names to help identify the localhost or domain.

  3. Click OK.

  4. Verify that the sensor user you specified has been added to the list of Sensor Users in the window.

  
  

  Completing Initialization‌

  To complete the initialization process:

  1. Click Next.

     The Initialization Wizard completes.

     
     

     
     

  2. Click Finish.

  The Initialization Wizard closes.

  
  

  What's Next?‌

  Continue with "Configuring Services" on page 53.

  
  

  Installing or Upgrading a Standalone Fortify WebInspect Enterprise‌

  After setting up Micro Focus Fortify WebInspect Enterprise Manager and database users, the Set Up SSC Connection Information window appears. This section describes how to install Fortify WebInspect Enterprise as standalone without a connection to Micro Focus Fortify Software Security Center.

  
  

  
  

  1. Clear the Integrate with SSC check box.

  2. Click Next.

  
  

  Initializing Fortify WebInspect Enterprise‌

  After configuring a standalone Fortify WebInspect Enterprise, the Ready to Start window appears.

  
  

  
  

  Verify your previous choices and begin initializing Fortify WebInspect Enterprise.

  
  

  1. Do one of the following:

     • To change settings, click Back.

     • To begin initializing Fortify WebInspect Enterprise using the values you have specified, click

       Next.

       The Initialization Wizard:

       • Creates a new database if you chose to do so in "Configuring the Database" on page 31.

       • Configures various system components.

       • In the displayed, cumulative Status list in the Ready to Start window, adds the next step when it begins, with a flashing blue information icon while that step is running, and changes that icon to a green check mark when that step completes successfully (except for the first step, which is Initializing Database).

         When the initialization completes successfully, a window displays a list of initialization steps and the final initialization step is “Web Service Initialization Succeeded...”

         
         

         
         

  2. Click Next.

     
     

     If a system administrator exists in WebInspect Enterprise, but the current user is not a system administrator, the Administrator Role Page appears.

     
     

     
     

     Otherwise, the current user is added as the first WebInspect Enterprise system administrator and the procedure continues with the Connecting to WebInspect Enterprise Manager window after Step 4.

  3. On the Administrator Role Page, select the Add Current User to System Administrator Role

     check box to make the current user a WebInspect Enterprise system administrator.

  4. Click Next.

  The Connecting to WebInspect Enterprise Manager window appears until the connection is made.

  
  

  
  

  Adding Sensor Users‌

  After Fortify WebInspect Enterprise is initialized, the Sensor Users window appears.

  
  

  
  

  Optionally add at least one sensor user for Fortify WebInspect Enterprise to use to run scans. Sensor users must not be general console users and they must have been previously created as Windows users as described in "Preparing to Install Fortify WebInspect Enterprise" on page 16.

  You do not have to add any sensor users to Fortify WebInspect Enterprise at this point, but you will need to specify at least one sensor user before you can run any scans. Post-installation configuration procedures in this document also describe how to add sensor users.

  To add a sensor user to Fortify WebInspect Enterprise now:

  1. Click Add.

  2. In the Select Users or Groups dialog box, type the name of an existing user to add (see "Preparing to Install Fortify WebInspect Enterprise" on page 16), in the format localhost\user or domain\user. If you specify only the user, you can click Check Names to help identify the localhost or domain.

  3. Click OK.

  4. Verify that the sensor user you specified has been added to the list of Sensor Users in the window.

  
  

  Completing Initialization‌

  To complete the initialization process:

  1. Click Next.

     The Initialization Wizard completes.

     
     

     
     

  2. Click Finish.

  The Initialization Wizard closes.

  
  

  What's Next?‌

  Continue with "Configuring Services" on page 53.

  
  

  Upgrading and Decoupling Fortify WebInspect Enterprise from Fortify Software Security Center‌

  After setting up Micro Focus Fortify WebInspect Enterprise Manager and database users, the Set Up SSC Connection Information window appears. This section describes how to decouple an existing Fortify WebInspect Enterprise installation from Micro Focus Fortify Software Security Center.

  
  

  
  

  Important! Decoupling Fortify WebInspect Enterprise from Fortify Software Security Center is permanent. Reconnecting to Fortify Software Security Center is not supported. You can choose to map existing Fortify Software Security Center users to Windows accounts, allowing mapped user accounts to continue using Fortify WebInspect Enterprise.

  Decoupled Fortify WebInspect Enterprise installations use Windows Authentication. Before decoupling Fortify WebInspect Enterprise from Fortify Software Security Center, enable Windows Authentication as described in "Installing IIS, ASP.NET, and .NET Framework" on page 16.

  To decouple an existing Fortify WebInspect Enterprise installation from Fortify Software Security Center:

  1. Clear the Integrate with SSC check box.

  2. Click Next.

     A warning appears advising that decoupling from the SSC server will require remapping all the existing SSC user accounts to Windows accounts.

  3. Click Yes.

  
  

  After confirming your selection to decouple, the Initialization Wizard checks for the items described in the following table. If no configuration errors are detected, skip ahead to "Initializing Fortify WebInspect Enterprise" on the next page.

  
  

  Item Checked	Corrective Action
  The Initialization Wizard determines whether your Fortify WebInspect Enterprise server is part of your domain. If the server is not part of the domain, the following message appears: The Fortify WebInspect Enterprise server is not joined to a domain or the domain cannot be contacted. If you continue, Windows authentication for the server will be restricted to local accounts. For access to domain accounts, you can cancel the initialization, add the server to your domain (which will require a reboot), and rerun the Initialization Wizard. Press "Yes" if you would like to continue and use only local accounts.	Do one of the following:
  The Initialization Wizard determines whether Fortify Software Security Center is running. If it is not running, the following message appears: SSC is currently not running or cannot be accessed to deregister Fortify WebInspect Enterprise. If you decouple without deregistering, SSC will continue to run as if connected to Fortify WebInspect Enterprise. Do you wish to continue?	Do one of the following:

  • To continue with authentication restricted to local accounts, click Yes.

  • To cancel the initialization and add the server to your domain, click No.

  • To continue without deregistering Fortify WebInspect Enterprise, click Yes.

  • To cancel the initialization and ensure that Fortify Software Security Center is running, click No.

  
  

  Initializing Fortify WebInspect Enterprise‌

  After configuring the decouple from Fortify Software Security Center, the Ready to Start window appears.

  
  

  
  

  Verify your previous choices and begin initializing Fortify WebInspect Enterprise.

  1. Do one of the following:

     • To change settings, click Back.

     • To begin initializing Fortify WebInspect Enterprise using the values you have specified, click

       Next.

       The Initialization Wizard:

       • Creates a new database if you chose to do so in "Configuring the Database" on page 31.

       • Configures various system components.

       • In the displayed, cumulative Status list in the Ready to Start window, adds the next step when it begins, with a flashing blue information icon while that step is running, and changes that icon to a green check mark when that step completes successfully (except for the first step, which is Initializing Database).

         
         

         When the initialization completes successfully, a window displays a list of initialization steps and the final initialization step is “Web Service Initialization Succeeded...”

         
         

         
         

  2. Click Next.

     If a system administrator exists in WebInspect Enterprise, but the current user is not a system administrator, the Administrator Role Page appears.

     
     

     
     

     Otherwise, the current user is added as the first Fortify WebInspect Enterprise system administrator and the procedure continues with the Decoupling from SSC window after Step 3.

  3. On the Administrator Role Page, select the Add Current User to System Administrator Role

     check box to make the current user a Fortify WebInspect Enterprise system administrator.

     
     

     Important! If you do not select this option, then the current user cannot map Fortify Software Security Center users to Windows accounts.

     
     

     The Connecting to WebInspect Enterprise Manager screen appears until the connection is made.