Configure U-Series Appliance Roles

Select U-Series Appliance roles if you are deploying more than one U-Series Appliance to scale BeyondInsight in larger networks. Roles must be selected for at least one of the U-Series Appliances.

When you select roles, any dependencies or conflicts that exist between roles are displayed. The Apply Roles button is available only after dependencies and conflicts are resolved.

Role Descriptions

Vulnerability Scanner Role

Turn on the Vulnerability Scanner role to activate the Discovery Scanner agent.

Event Collector Role

On the Event Collector page, select the BeyondTrust service that will be responsible for sending events between components. You can use BeyondInsight AppBus Service or Event Server. Event Server is preferred for enterprises and can manage a greater load of data than AppBus. The default port for Event Server is 21690.

After selecting which service to use, click Apply Changes.

SQL Server Database Role

This role provides access to the SQL Server database. Check the box to allow database access from remote computers. If you are using your SQL Server deployment, no action is required.

BeyondInsight Database Access Role

This role provides access to the BeyondInsight database. You can set either a local SQL Server database or configure settings for a remote database.

U-Series Appliance Roles Editor: SQL Server least privilege account

When configuring a local database, select an authentication type. When you select SQL Server, Username is populated with the same user name in the Configuration wizard during your initial U-Series Appliance setup. The account is created with least privilege.


To use an existing remote database, you must import a password protected crypto key from the appliance running the BeyondInsight Management console that created the database.

The BeyondInsight configuration provides the same least privilege SQL Server account during the database configuration.

For more information, please see the following:

Patch Management Role

Turn on this role to activate the LanMan service on the U-Series Appliance to host third-party patches.

BeyondInsight Omniworker Service Role

The BeyondInsight Omniworker service manages task queues. Turn on this service when your environment uses more than one U-Series Appliance.

Password Safe Web Portal Role

Turn on this role to activate services needed to run the Password Safe web portal.

This role is available only when a Password Safe license is applied.

High Availability Role

Turn on this role to activate services needed to run Password Safe in high-availability mode.

  1. Log in to the U-Series Appliance website on the primary server.
  2. From the menu, select Roles Editor.
  3. Click High Availability, then select a mirroring option:
    • HA will mirror both Server and Database
    • HA mirroring for services only

To save resources, you can turn off services that are not required to run on any secondary U-Series Appliances. Check the Standalone Password Safe Worker Node box. Check the corresponding boxes to turn off services: Disable BeyondInsight UI or Disable Password Safe UI.

  1. Click Apply Changes.
  2. On the main Roles Editor page, click Apply Pending Changes.
  3. Repeat these steps for the secondary server.

BeyondInsight for Unix & Linux Role

Activate the role to configure a database connection for BeyondInsight for Unix & Linux.

The role is available only when BeyondInsight for Unix & Linux is installed and can be enabled with a local or remote database.

For a local database, enter a username and password for SQL Server. The account is created if it doesn't already exist. A SQL Server account is required for BeyondInsight for Unix & Linux to access the database.

To set up a remote database:

  1. Add the server name where the database resides.
  2. Optionally, enter the name of the SQL Server instance.
  3. Enter a port number to communicate to the server.
  4. Add the name of the BeyondInsight for Unix & Linux database, and the username and password. The remote database must already exist on the remote host.
  5. Click Test Remote Connection Settings to verify the connection to the remote database.

Once the role is enabled, you must configure BeyondInsight for Unix & Linux. The BeyondInsight database is added to backup and restore functions and is included with high availability database synchronization.

Analysis Services Role

Turn on this role to enable the SQL Server Analysis service. You can click the link to run BeyondInsight Analytics & Reporting.

This role is available only if you use BeyondInsight Analytics & Reporting.

Reporting Services Role

If you use BeyondInsight Analytics & Reporting to render reports, the service must run locally. Turn on this role to run the service locally when using a remote database.

Auto-Update Role

To automatically download product updates when available, turn on this role.

  1. On the U-Series Appliance website, select Roles Editor from the menu.
  2. Click Auto Update.
  3. You can configure one server for all updates or configure servers based on functional area. If you have configured different update servers, click Load Default Settings to reset the default BeyondTrust server.
  4. Click Apply Changes.
  5. On the main Roles Editor page, click Apply Pending Changes.

Enterprise Update Server Role

Turn on this role to use the enterprise update server to update your U-Series Appliances.


Enterprise Update Server has reached End of Life. SMTP and Proxy Credentials will not be updated for that product.

BeyondTrust Updater Role

Turn on this role to use the Azure web-based update tool.

BeyondTrust PowerBroker End Point Protection Role

If turned on, you can disable the U-Series Appliance protection policy which is applied. We recommend you leave this role on, disabling it only for troubleshooting reasons when working with BeyondTrust Technical Support.

Cold Spare Role

Turn on this role to configure options to set the automatic restore schedule and temporary machine name. When this role is enabled, the name of the U-Series Appliance is changed so that there is no conflict on the network with the main U-Series Appliance. When the cold spare U-Series Appliance is required, the role is disabled, the machine name is automatically reverted, and services are started.