Configure U-Series Appliance Features

From the Features and Services > Appliance Feature Configuration page, you can select U-Series Appliance features if you are deploying more than one U-Series Appliance to scale BeyondInsight in larger networks. Features must be selected for at least one of the U-Series Appliances.

The features are listed as read-only initially. Click Change Configuration to enable the ability to turn features on and off and to configure feature settings where applicable.

When you turn features on and off, any dependencies or conflicts that exist between features are displayed. The Save Configuration button is available only after dependencies and conflicts are resolved.

Feature Descriptions

BeyondInsight Management Web Console

The BeyondInsight Management Web Console is a web application where administrative users can log in, view dashboards, manage assets, create and configure Smart Rules, and make most configuration changes.

BeyondInsight Manager Engine

This is the processor for BeyondInsight. Enabling it also enables BeyondInsight Management Web Console, BeyondInsight Omniworker Service, BeyondInsight Database Access, and SQL Server Database, if they are not already enabled.

BeyondInsight Omniworker Service

The BeyondInsight Omniworker is a worker node that manages task queues. It processes background tasks involved in the operation of BeyondInsight and Password Safe, including the regularly scheduled rotation of passwords. Turn on this service when your environment uses more than one U-Series Appliance. Adding worker nodes allows your solution to scale up to meet the demands of your organization.

BeyondInsight Database Access

BeyondInsight Database Access is a foundation on which many other features rely. Turning off BeyondInsight Database Access also turns off BeyondInsight Event Collector, BeyondInsight Omniworker Service, BeyondInsight Management Web Console, and Password Safe Web Portal, when they are on.

This feature provides the settings for the locally installed software products to connect to the BeyondInsight database. Depending on your solution architecture, you may be using a local database, a remote database on another appliance, a SQL Server Always-On Availability Group, or an Azure SQL Cloud Database.

When configuring a local database, select an authentication method. When you select SQL Server Authentication, SQL Server Username is populated with the same user name used in the U-Series Appliance Deployment & Configuration wizard during your initial appliance setup. The account is created with least privilege.

To use an existing remote database, you must import a password-protected crypto key from the appliance running the BeyondInsight Management console that created the database.

The BeyondInsight configuration provides the same least privilege SQL Server account during the database configuration.

U-Series Appliance Feature Configuration - Create a Remote BeyondInsight Database

To create a new remote BeyondInsight database:

  1. Click the Remote option for Database Settings.
  2. If using an external SQL Server:
    • Enter the IP address for Server Name and provide the Database Name.
    • Enter the username and password to connect to the SQL Server. An external SQL Server must have SQL Authentication enabled.
  3. Click the toggle to enable the Create a BeyondInsight Database option in the Create the Remote Database section.
  4. Enter SQL Administrator username and password. This credential must have sufficient permissions to create a database and to create a user for that database.
  5. Enter the BeyondInsight Administrator username and password.
  6. Leave the default Database Connection Settings, or update these if required.
  7. Click the toggle to enable the Multi-subnet Failover setting. Multi-subnet failover allows for failover across multiple subnets when using an SQL always-on database cluster.
  8. To ensure a connection to the database server can be established, click Test Connection.
  9. Click Save Configuration.

Database creation can take up to an hour to complete.

 


BeyondInsight Event Collector

The BeyondInsight Event Collector is responsible for forwarding information gathered from scanners and endpoint protection agents, and forwarding policy for BeyondTrust integrations.

To enable the BeyondInsight Event Collector feature, select the BeyondTrust service that will be responsible for sending events between components. You can use BeyondInsight AppBus Service or Event Server. Event Server is preferred for enterprises and can manage a greater load of data than AppBus. The default port for Event Server is 21690. After selecting which service to use, click Apply Changes.

An event server can be deployed on its own to scale up your solution or to facilitate communication with specific network segments.

BeyondInsight Unix & Linux

BeyondInsight for Unix & Linux (BIUL) is a web-based tool that you can use to manage software for AD Bridge, Privilege Management for Unix & Linux, Privilege Management for Unix & Linux Basic, and Solr.

Turn on the BeyondInsight Unix & Linux feature to configure a database connection for BeyondInsight for Unix & Linux.

BeyondInsight for Unix & Linux conditionally requires the SQL Server Database feature. Turning on BeyondInsight for Unix & Linux may turn on SQL Server Database if it is not already on. Some configuration may be required.

The role is available only when BeyondInsight for Unix & Linux is installed and can be enabled with a local or remote database.

For a local database, enter a username and password for SQL Server. The account is created if it doesn't already exist. A SQL Server account is required for BeyondInsight for Unix & Linux to access the database.

To set up a remote database:

  1. Add the server name where the database resides.
  2. Optionally, enter the name of the SQL Server instance.
  3. Enter a port number to communicate to the server.
  4. Add the name of the BeyondInsight for Unix & Linux database, and the username and password. The remote database must already exist on the remote host.
  5. Click Test Remote Connection Settings to verify the connection to the remote database.

Once the feature is enabled, you must configure BeyondInsight for Unix & Linux. The BeyondInsight database is added to backup and restore functions and is included with high availability database synchronization.

Password Safe Web Portal

The Password Safe web portal is where end users log in to perform tasks, such as making and approving password requests, accessing remote systems and applications, and managing recorded sessions. Additional Password Safe portals can help you reach geographically diverse users, or scale up to serve higher volumes. Turn on this role to activate services needed to run the Password Safe web portal.

This feature is available only when a Password Safe license is applied.

Turning off Password Safe Web Portal also turns off the Session Monitoring Archive feature, if it is on.

Session Monitoring Archive

Session Monitoring Archive allows you to configure the transfer of session monitoring files from this appliance to an external data repository. This prevents filling the local storage.

Session Monitoring Archive requires the Password Safe Web Portal feature. Turning on Session Monitoring Archive turns on Password Safe Web Portal, if it is not already on.

BeyondTrust Updater

The BeyondTrust Updater Service provides updates for all BeyondTrust managed products. This feature can be disabled for troubleshooting purposes, but otherwise should always be enabled. Specific product updates can be managed by configuring the settings in the BeyondTrust web application. You can click the link to access BeyondTrust Updater Settings.

Privilege Management for Desktops

Configure a connection to Privilege Management for Desktops.

SQL Server Database

This feature controls the local database service, and allows you to enable external access if you are using this appliance as a database server. This feature cannot be enabled on SQL-Free appliances. Check the TCP/IP Database Connections option to allow database access from remote computers. If you are using your SQL Server deployment, no action is required.

SQL Server Analysis Services

SQL Server Analysis Services is the analytical data engine behind BeyondInsight Analytics & Reporting. It hosts the data cube (evolution of data over time) and provides data for reports generated by SQL Server Reporting Services. You can click the link to run BeyondInsight Analytics & Reporting.

This role is available only if you use BeyondInsight Analytics & Reporting.

SQL Server Reporting Services

SQL Server Reporting Services is the reporting engine behind BeyondInsight Analytics & Reporting. It generates reports from data in the BeyondInsight database and data processed by SQL Server Analysis Services. If you use BeyondInsight Analytics & Reporting to render reports, the service must run locally. Turn on this feature to run the service locally when using a remote database.

Endpoint Privilege Management (EPM) Event Collector

The EPM Event Collector processes information gathered from EPM agents. It is dependent on the BeyondInsight Event Collector, which first receives the incoming events and forwards them to the EPM Event Collector for processing. The EPM Event Collector requires the EPM Database Access and BeyondInsight Event Collector features to be enabled, which requires BeyondInsight Database Access.

Endpoint Privilege Management Database Access

Select one of the following options for database settings for EPM:

  • Single Appliance using the Local Database:
    • Select this option if this is the only appliance in your environment. This option applies the configuration for EPM using the SQL Server configured on this local appliance.
    • Enter SQL credentials for the EPM Event Collector and PMR Report Reader.
  • Multi-node deployment using the Local Database:
    • Select this option if you have more than one appliance deployed in your environment and SQL Server is configured on this local appliance.
    • Select this local appliance from the Server Name dropdown. It must be the FQDN or IP address of this appliance (not localhost).
    • Enter SQL credentials for the EPM Event Collector and PMR Report Reader.
  • Remote Privilege Reporting Database:
    • Select this option if you have more than one appliance deployed in your environment and the BeyondInsight and EPM databases are on remote SQL Servers. This option saves the connection details to the remote BeyondInsight database.
    • Enter the FQDN or IP address of the remote server where the EPM database exists.
    • The EPM database must already exist on the destination server.
    • Enter the SQL credentials provided by your database administrator to connect to the EPM Event Collector and PMR Report Reader.
    • Test the connection settings.

Privilege Management Reporting

Endpoint Privilege Management Reporting includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of EPM activity throughout the desktop and server estate. This feature is separate from and unrelated to BeyondInsight Analytics & Reporting. This feature requires the EPM Database Access feature.

Endpoint Privilege Management Web Policy Editor

The EPM Web Policy Editor allows you to view, unlock, edit, and lock existing EPM policies, as well as create new policies directly from the BeyondInsight console, eliminating the need to use a standalone policy editor. This feature requires the BeyondInsight Database Access feature.
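
The dependencies stated in the feature descriptions above can be collected into one model for planning which features go on which appliance. This is an added example, not BeyondTrust code: the REQUIRES table is an assumption built only from the sentences on this page, the function names are hypothetical, and the appliance's own dependency display remains authoritative.

```python
# Added illustration: feature dependencies as stated on this page only.
# Each entry maps a feature to the features the page says it needs on.
REQUIRES = {
    "BeyondInsight Manager Engine": {
        "BeyondInsight Management Web Console", "BeyondInsight Omniworker Service",
        "BeyondInsight Database Access", "SQL Server Database"},
    "BeyondInsight Management Web Console": {"BeyondInsight Database Access"},
    "BeyondInsight Omniworker Service": {"BeyondInsight Database Access"},
    "BeyondInsight Event Collector": {"BeyondInsight Database Access"},
    "Password Safe Web Portal": {"BeyondInsight Database Access"},
    "Session Monitoring Archive": {"Password Safe Web Portal"},
    "EPM Event Collector": {"EPM Database Access", "BeyondInsight Event Collector"},
    "Privilege Management Reporting": {"EPM Database Access"},
    "EPM Web Policy Editor": {"BeyondInsight Database Access"},
}

def turned_on_with(feature):
    """Every feature that must be on for `feature`, itself included."""
    seen, stack = set(), [feature]
    while stack:
        f = stack.pop()
        if f not in seen:
            seen.add(f)
            stack.extend(REQUIRES.get(f, ()))
    return seen

def turned_off_with(feature, enabled):
    """Enabled features that lose a requirement when `feature` is turned off."""
    off = {feature}
    changed = True
    while changed:  # repeat until the cascade stops growing
        changed = False
        for f in enabled - off:
            if REQUIRES.get(f, set()) & off:
                off.add(f)
                changed = True
    return off - {feature}

def unmet(enabled):
    """Map each enabled feature to the requirements missing from `enabled`."""
    return {f: sorted(REQUIRES.get(f, set()) - enabled)
            for f in sorted(enabled) if REQUIRES.get(f, set()) - enabled}

if __name__ == "__main__":
    # Constructed plan: one node archiving sessions and collecting EPM events.
    node = turned_on_with("Session Monitoring Archive") | turned_on_with("EPM Event Collector")
    print(sorted(node))
    print(sorted(turned_off_with("BeyondInsight Database Access", node)))
```

The cascade is transitive, so turning off BeyondInsight Database Access in this model also reports Session Monitoring Archive and EPM Event Collector, which depend on it only indirectly.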