Configure the BeyondTrust U-Series Appliance

There are two parts to configuring your U-Series Appliance:

• Deployment wizard: Intended for infrastructure teams. Includes setting up networking details, such as time zone, IP address settings, Internet connections, and so on.
• Configuration wizard: Intended for security administrators. Includes BeyondTrust licensing, selecting roles selection, setting up how to receive updates from BeyondTrust, and selecting a solution.

License the Microsoft Windows Operating System

As part of setting up your new appliance, you must activate the Windows operating system. New physical images ship without the Windows license configured. There are two ways to apply the Windows license:

• When you initially access the appliance to start the configuration
• On the Software and Licensing page after the appliance is configured

Apply the Windows License Before Configuring the Appliance

1. When accessing the appliance to start configuration, click Accept on the SSL Certificate page.

 

2. Enter the license key, and then click License Windows.

 

After you enter the key, the U-Series Appliance deployment and configuration wizard starts. Instructions are detailed in the next sections.

Apply the Windows License on the U-Series Appliance Website

1. If you decide to license Windows later, from the sidebar menu, click Software and Licensing, and then select Product Licensing.
2. Click the Microsoft tab.
3. Enter a Microsoft Product Key, and then click Activate Windows.

 

Evaluation Mode Banner

If you do not activate Windows, messaging on the U-Series Appliance website indicates you are using the software in evaluation mode. The number of days remaining for the evaluation period is shown.

 

Run the Deployment Wizard

SQL Server can be included as part of your U-Series Appliance, or you can use your own SQL Server deployment. If SQL Server is part of your U-Series Appliance package, a SQL Server COA is included along with the Windows Operating System key and the BeyondInsight key.

If you are using a U-Series Appliance virtual image, you must configure the virtual image before proceeding with the U-Series Appliance configuration.

1. Open a browser and enter the IP address for the U-Series Appliance, https://[U-Series Appliance IP address].

2. The SSL certificate warning window displays. The SSL certificate automatically created for the U-Series Appliance ensures encrypted communications.

   We recommend that you replace the automatically generated certificate with a valid certificate issued by a certificate authority. Check the box to not display the information page again. Browser warnings are displayed until the SSL certificate is installed or a valid certificate is obtained.

3. Select Continue to this Website.
4. The U-Series License Keys window appears (for Windows and possibly SQL Server keys, if you have SQL Server as part of your package). If you want to skip this step for now, click Skip. Otherwise, enter your activation key(s).

 

If you skip entering license keys here, warning messages will appear in the U-Series Appliance interface to remind you to enter your license keys for activation. Enter the license keys under the Software and Licensing > Product Licensing > Microsoft tab section.

 

 

5. Click License Windows.
6. Read through the deployment and configuration details, and then click Start Deployment.
7. Create an administrator account name, including the password and email address. Click Create Admin.
8. License details are displayed on the Licensing Agreements page for BeyondTrust, Microsoft, and SQL Server. Accept the licensing agreements that apply to you. If you purchased all three, select Accept All 3 Licensing Agreements.
9. Enter the name for the U-Series Appliance.

 

Once you have named your U-Series Appliance, it cannot be renamed. If at any point you need to rename the appliance, you must either re-image (if it is a physical appliance) or re-deploy the image (if it is a virtual appliance).

10. The IP address can be manually configured or automatically assigned. Enter the network details to manually configure the IP address. Otherwise, select Obtain IP address automatically (DHCP).
11. On the Internet Connection page, select one of the following ways to enter the license keys and to receive updates:
    • Connect to the internet for licensing and updates. (No proxy required): Select if there is an Internet connection and no proxy server.
    • Connect to the internet for licensing and updates through a proxy server: Select if you use a proxy server.
    • No Internet connection. (Perform manual updates): Select if the U-Series Appliance does not have an Internet connection.
12. On the Timezone and Time Settings page, select a time zone and synchronization settings. Date and synchronization settings include:
    • Use NTP server for time
    • Manually Configure Date and Time
    • Enable VMware Tools periodic time synchronization
13. On the SMTP Settings page:
    • Enter the SMTP server IP address and port. The default port number is 25.
    • Optionally, select SSL to enforce SSL encryption when accessing the server.
    • Check the SMTP Server requires authentication box to use credentials to access the server.
14. Review the deployment settings, and then click Finish.

It can take a few minutes for the deployment settings to apply. If any errors occur, you can click Back to change settings, if needed. If the deployment is successful, select Proceed to Configuration Wizard.

Run the Configuration Wizard

1. On the BeyondTrust Licenses page, enter the U-Series Appliance serial number and select Get License Key. The BeyondInsight License Key box is populated with the key. Select License Appliance to apply the key. If you are working offline, go to https://licensing.beyondtrust.com to get the BeyondInsight license key. Click Next.

2. On the Solution page, select an item from the list that represents your implementation for the U-Series Appliance.
   • Single U-Series Appliance
   • Database Server in a Multi-Node Deployment
   • High Availability Pair
   • SQL-less U-Series Appliance
   • Cold Spare U-Series Appliance

      

3. On the Roles Options page, select the default roles or select to go through the Role Questionnaire.
4. On the Role Questionnaire page, go through the list of questions and check the boxes for the questions that apply to your solution. Recommended roles are listed on the Role Selection page based on your questionnaire results. Click Next to see the roles.

5. On the Role Selection page, select the roles you want to use. The screen capture indicates there are roles that require further configuration. Click Next.

 

6. On the Role Configuration page, select the tab for the respective role to set up that feature.
   • SQL Server Role: Select Allow incoming remote database connections, and then enter the database password.
   • BeyondInsight Database Access: Select the database server and enter the database logon details. When you select SQL Server, Username is populated with the same user name in the Configuration wizard during your initial U-Series Appliance setup. The account is created with least privilege. Optionally, enter command timeout and connection timeout values. In a database cluster scenario, you can turn on multi subnet failover here.
   • BIUL Setup Role: If you select Remote, provide the database details to access the remote database, including server name, database name, port number (default is 1433), and database logon details. To use an existing remote database, you must import a password protected cryto key from the appliance running the BeyondInsight Management console that created the database. Click Test Connection to ensure the database can be accessed from your U-Series Appliance.
   • Cold Spare Setup Role: Set up the Restore Location where backups are stored from the production server this cold spare would replace, if that need ever arises (disaster recovery, failure, network issue, etc.). The cold spare machine consumes those backups and performs a restore on them at the scheduled interval. A temporary name is used to ensure that there are no DNS name resolution conflicts, if your network is not segregated. This temporary name is used until the appliance is taken out of Cold Spare mode, which happens when you disable the Cold Spare role.

 

While it is possible to rename administrator accounts later, we recommended choosing account names carefully during deployment and configuration to avoid renaming them later.

 

7. On the User Credentials page, enter logon credentials for the following user accounts: BeyondInsight, Central Policy, and BeyondTrust Updater.
8. On the Backup and Restore page, set up the location and schedule for backup files. The backup can be set up later in Maintenance; select I will setup my Appliance later through Maintenance, and then click Next.
9. On the Updates page, select to automatically download updates using BeyondTrust Updater Server. Optionally, select Do not check for updates to opt out of this feature.
10. Click Finish.

The BeyondInsight configuration provides the same least privilege SQL Server account during the database configuration.

For more information about the permissions assigned to that account, please see section "Least Privilege Database User Account Setup" in the BeyondInsight Installation Guide.

Key Management Service Support

After installation and configuration, if your server does not automatically discover the Key Management Service (KMS) server, you may receive a Windows activation failed message. Specify the KMS key and IP address again.

You can replace our key with a known Volume License Key and then call into your KMS server to count against your total (number of licenses).

To activate your volume license key:

1. From the sidebar menu, click Software and Licensing, and then select Product Licensing.
2. Click the Microsoft tab, and select the KMS option, which displays two fields to complete.
3. Enter your Volume License Key.
4. Enter the KMS server address that will validate and track the license. This is only valid on appliances created as volume images.
5. Click Activate Windows.

For more information, please see Why did Windows activation fail on my EC2 Windows instance?.