Configure the BeyondTrust U-Series Appliance
There are two parts to configuring your U-Series Appliance:
- Deployment wizard: Intended for infrastructure teams. Includes setting up networking details, such as time zone, IP address settings, Internet connections, and so on.
- Configuration wizard:Intended for security administrators. Includes BeyondTrust licensing, selecting roles selection, setting up how to receive updates from BeyondTrust, and selecting a solution.
Run the Deployment Wizard
SQL Server can be included as part of your U-Series Appliance, or you can use your own SQL Server deployment. If SQL Server is part of your U-Series Appliance package, a license key for SQL Server is included along with the Windows Operating System key and the BeyondInsight key.
If you are using a U-Series Appliance virtual image, you must configure the virtual image before proceeding with the U-Series Appliance configuration.
- Open a browser and enter the IP address for the U-Series Appliance, https://[U-Series Appliance IP address].
- The SSL certificate warning window displays. The SSL certificate automatically created for the U-Series Appliance ensures encrypted communications.
We recommend that you replace the automatically generated certificate with a valid certificate issued by a certificate authority. Check the box to not display the information page again. The Internet Explorer warnings will be displayed until the SSL certificate is installed or a valid certificate is obtained.
- Select Continue to this Website.
- Read through the deployment and configuration details, and then click Start Deployment.
- Create an administrator account name, including the password and email address. Click Create Admin.
- License details are displayed on the Licensing Agreements page for BeyondTrust, Microsoft, and SQL Server. Accept the licensing agreements that apply to you. If you purchased all three, select Accept All 3 Licensing Agreements.
- Enter the name for the U-Series Appliance.
Once you have named your U-Series Appliance, it cannot be renamed. If at any point you need to rename the appliance, you must either re-image (if it is a physical appliance) or re-deploy (if it is a virtual appliance) the image.
- The IP address can be manually configured or automatically assigned. Enter the network details to manually configure the IP address. Otherwise, select Obtain IP address automatically (DHCP).
- On the Internet Connection page, select one of the following ways to enter the license keys and to receive updates:
- Connect to the internet for licensing and updates. (No proxy required): Select if there is an Internet connection and no proxy server.
- Connect to the internet for licensing and updates through a proxy server: Select if you use a proxy server.
- No Internet connection. (Perform manual updates): Select if the U-Series Appliance does not have an Internet connection.
- On the Timezone and Time Settings page, select a time zone and synchronization settings. Date and synchronization settings include:
- Use NTP server for time
- Manually Configure Date and Time
- Enable VMware Tools periodic time synchronization
- On the SMTP Settings page:
- Enter the SMTP server IP address and port. The default port number is 25.
- Optionally, select SSL to enforce SSL encryption when accessing the server.
- Check the SMTP Server requires authentication box to use credentials to access the server.
- Review the deployment settings, and then click Finish.
It can take a few minutes for the deployment settings to apply. If any errors occur, you can click Back to change settings, if needed. If the deployment is successful, select Proceed to Configuration Wizard.
Run the Configuration Wizard
- On the BeyondTrust Licenses page, enter the U-Series Appliance serial number and select Get License Key. The BeyondInsight License Key box is populated with the key. Select License Appliance to apply the key. If you are working offline, go to https://licensing.beyondtrust.com to get the BeyondInsight license key. Click Next.
- On the Solution page, select an item from the list that represents your implementation for the U-Series Appliance.
- Single U-Series Appliance
- Database Server in a Multi-Node Deployment
- High Availability Pair
- SQL-less U-Series Appliance
- Cold Spare U-Series Appliance
- On the Roles Options page, select the default roles or select to go through the Role Questionnaire.
- On the Role Questionnaire page, go through the list of questions and check the boxes for the questions that apply to your solution. Recommended roles are listed on the Role Selection page based on your questionnaire results. Click Next to see the roles.
- On the Role Selection page, select the roles you want to use. The screen capture indicates there are roles that require further configuration. Click Next.
- On the Role Configuration page, select the tab for the respective role to set up that feature.
- SQL Server Role: Select Allow incoming remote database connections, and then enter the database password.
- BeyondInsight Database Access: Select the database server and enter the database logon details. When configuring a local database, select an authentication type. When you select SQL Server, Username is populated with the same user name in the Configuration wizard during your initial U-Series Appliance setup. The account is created with least privilege. Optionally, enter command timeout and connection timeout values. In a database cluster scenario, you can turn on multi subnet failover here.
- BIUL Setup Role: If you select Remote, provide the database details to access the remote database, including server name, database name, port number (default is 1433), and database logon details. Click Test Connection to ensure the database can be accessed from your U-Series Appliance.
- Cold Spare Setup Role: Set up the Restore Location where backups are stored from the production server this cold spare would replace, if that need ever arises (disaster recovery, failure, network issue, etc.). The cold spare machine consumes those backups and performs a restore on them at the scheduled interval. A temporary name is used to ensure that there are no DNS name resolution conflicts, if your network is not segregated. This temporary name is used until the appliance is taken out of Cold Spare mode, which happens when you disable the Cold Spare role.
While it is possible to rename the Administrator accounts later, we recommended choosing account names carefully during installation (next step), to avoid renaming them later.
- On the User Credentials page, enter logon credentials for the following user accounts: BeyondInsight, Central Policy, and BeyondTrust Updater.
- On the Backup and Restore page, set up the location and schedule for backup files. The backup can be set up later in Maintenance; select I will setup my Appliance later through Maintenance, and then click Next.
- On the Updates page, select to automatically download updates using BeyondTrust Updater Server. Optionally, select Do not check for updates to opt out of this feature.
- Click Finish.
The BeyondInsight configuration provides the same least privilege SQL Server account during the database configuration.
For more information about the permissions assigned to that account, please see section "Least Privilege Database User Account Setup" in the BeyondInsight Installation Guide.
Key Management Service Support
After installation and configuration, if your server does not automatically discover the Key Management Service (KMS) server, you may receive a Windows activation failed message. Specify the KMS key and IP address again.
You can replace our key with a known Volume License Key and then call into your KMS server to count against your total (number of licenses).
To activate your volume license key:
From the Maintenance menu, select Accounts and Licensing.
Under Microsoft Key Management Server Configuration, enter your volume license key and the address of the server to validate and track the license.
Click Activate Volume License Key.
For more information, please see Why did Windows activation fail on my EC2 Windows instance?.