This article explains how Delve can be configured to scan your internal assets through your existing firewall in a secure way.
Most corporate networks require segmentation and isolation of assets from the outside world using firewalls. For Delve to be able to reach these assets securely, an Edge Service must be deployed in an internal network segment that is able to reach the assets to be scanned. Most frequently, this will be on the same network segment as the assets themselves.
This Edge Service is delivered as a virtual machine disk image (not a full VM) for the platform specified by the customer (ESXi, Hyper-V, QEMU, Xen, etc.).
Once the Edge Service has been started, it requires Internet access to establish a secure tunnel (encrypted and authenticated) with your Delve instance; this tunnel is used to discover and scan assets in the firewalled network segment.
Requesting new Edge Services is done through the Edge Service Management menu (see Creating new Edge Services).
Please note that the Edge Service needs to connect back to Delve through your firewall. If you enforce hard egress filtering, you will need to open an outbound port from the network segment where the Edge Service is instantiated.