The manager uses port 443 (https) for agent communication. In this case the vulnerability scanner is thinking there is a web server running over port 443, when that's not the case, but rather it's picking up the self-signed certs of the agent communication which is over this same port. 

We have 3 options depending on what's preferred:

1. Make a note to the people in charge of the vulnerability scanners that this port is not hosting a web server, but instead is used for agent communication, and what's being picked up by the scanner is the self signed cert (which is the agent-cert.ssl)

2. Change the port to another port other than 443 for agent communication. This way there is nothing listening on that port. You will need to change the manager settings and then on each agent so they start using the new port. Please see a Broadcom support technician for more details on the how-to.

3. CA sign the agent cert. This way the vulnerability scanner will see that the cert used on port 443 is not self signed. Each agent will need the new CA Signed agent-cert.ssl file.

For more details on this please contact the Broadcom Support Team.