Email Configuration: Configure the Software to Send Emails

Management

Email Configuration

Email Address

If a B Series Appliance is designated as a backup B Series Appliance or a traffic node, the email configuration for that B Series Appliance will be overwritten with the email configuration defined on the primary B Series Appliance.

From Address

Set the email address from which automatic messages from your B Series Appliance will be sent.

SMTP Relay Server

Configure your B Series Appliance to work with your SMTP relay server in order to send automatic email notifications of certain events.

SMTP Relay Server

Enter the hostname or IP address of your SMTP relay server.

SMTP Port

Set the port on which to contact this SMTP server.

SMTP Encryption

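If your SMTP server supports TLS encryption, choose TLS or STARTTLS. Otherwise, select None; the session, including any username and password sent for authentication, then crosses the network unencrypted.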

SMTP Authentication Type

To use a form of authentication with this server, select either Username and Password or OAuth2. Otherwise, select None.

Username and Password

Enter a username and password to configure this form of authentication.

OAuth2

For more information, please see the following:

Admin Contact

Default Admin Contact Email Addresses

Enter one or more email addresses to which emails should be sent. Separate addresses with a space.

Send Daily Communication Notice

You can have the B Series Appliance send a daily notification to ensure that alert communication is working correctly.

In addition to the test email and daily communication notices that can be configured above, emails are sent for the following events:

  • During any failover operation, the product version on the primary node does not match the product version on the backup node.
  • During a failover status check, any of the following problems are detected.
    • The current B Series Appliance is the primary node and a shared IP address is configured in /login, but its network interface is not enabled.
    • A shared IP address is configured in /login but is not listed as an IP address in /appliance.
    • The backup node could not contact the primary node, and it also could not contact any of the test IP addresses configured on the Management > Failover page.
    • The backup node could not contact any of the test IP addresses configured on the Management > Failover page.
    • The backup node's backup operations are disabled on the Management > Failover page.
    • The backup node unexpectedly failed to perform a probe of itself, indicating that it is malfunctioning.
    • The backup node failed to contact the primary node using the primary node's hostname.
    • Automatic failover is disabled, and the backup node failed to probe the primary node.
    • Automatic failover is enabled, and the backup node failed to probe the primary node. The backup node will automatically become the primary node if the primary node remains unresponsive.
    • Automatic failover is enabled, and the backup node is automatically becoming the primary node because the primary node was down for too long.
    • The primary node failed to perform a data sync with the backup node sometime in the past 24 hours.

Send a test email when the settings are saved

If you wish to receive an immediate test email to verify that your SMTP settings are accurately configured, check this option before clicking the Save button.

Configure OAuth2 for Azure Active Directory

Before starting configuration on Azure Active Directory, an Azure/Office 365 Administrator must enable Authenticated SMTP for each account on Exchange Online. To do this, go to the Office 365 Admin Portal (admin.microsoft.com) > Active Users > Mail > Manage Email apps and check Authenticated SMTP.

Configure Azure Active Directory

  1. Log into your Azure console (portal.azure.com), and navigate to Azure Active Directory.
  2. Go to App registrations, and select New registration.
    • Enter a name, such as Appliance-OAuth2.
    • Select the types of account you want to be able to log in to the application through OAuth2. Select Single Tenant for internal only.
    • Enter the Redirect URI in the form of https://{URL OF YOUR APPLIANCE}/login/smtp-verification.
    • Click Register.
  3. On the Overview Page (selected from the left menu), note the Application (client) ID. It is required later.
  4. Click Endpoints (above the Application (client) ID).
  5. Note the OAuth2.0 authorization endpoint (v2) URI and the OAuth token endpoint (v2) URI. These are required later.
  6. On the Certificates & secrets page (selected from the left menu), note the Client secret. It is required later. If you do not have a Client secret, click New client secret to create one.

Provide Credentials to the SMTP Relay Server

  1. Within the Privileged Remote Access admin interface, navigate to Management > Email Configuration.
  2. Under SMTP Authentication Type, select OAuth2, and enter the following information:
    • Email: The email address for the SMTP relay.
    • SMTP OAuth Provider ID: The application ID noted earlier.
    • SMTP OAuth Client Secret: The client secret noted earlier.
    • SMTP OAuth Scopes: Enter https://outlook.office.com/SMTP.Send offline_access.
    • SMTP OAuth Authentication Endpoint: The authorization endpoint noted earlier.
    • SMTP OAuth Token Endpoint: The token endpoint noted earlier.
  3. Click Save.
  4. Now you can verify and connect the provider account. Click Verify Oauth2 Provider.

Ensure you are logged into the provider portal as the email address for the SMTP relay, entered above, in the same browser session. You may need to log out of your personal or admin account.

Configure OAuth2 for Google

Configure Google Cloud

  1. Log in to your Google Cloud Platform console (Google Dev Console) (console.cloud.google.com). Use the correct Gmail account, as only the owner of the project is able to work with the project. If you do not already have a paid account, you might choose to purchase an account by clicking Activate in the top banner. BeyondTrust cannot provide assistance with purchasing an account. Click Learn More in the top banner for information regarding the limitations of free accounts.
  2. Click CREATE PROJECT. You can also use an existing project.
  3. Accept the default Project Name, or enter a new name.
  4. Accept the default Location, or select a folder from those available for your organization.
  5. Click CREATE.
  6. The APIs and services page appears. Click Library in the left menu.
  7. Search or browse for the Gmail API in the library, and click it.
  8. The Gmail API appears on its own page. Click ENABLE.
  9. The Gmail API Overview page appears. Click APIs & services in the upper left.
  10. The APIs and services page appears again. Click OAuth consent screen in the left menu.
  11. Select the User Type. Internal allows only users from within the organization, but requires a Google Workspace account.
  12. Click CREATE.
  13. Enter the App name.
  14. Enter a User support email address. This may default to the address you are using to create the project.
  15. Enter a logo for the app, if desired. The App domain section is also optional.
  16. Add the Authorized domains. For BeyondTrust test appliances, these are:
    • qabeyondtrustcloud.com
    • bomgar.com
  17. Enter the Developer contact information. This is the email address you are using to create the project.
  18. Click SAVE AND CONTINUE.
  19. Under the Scopes tab, click ADD OR REMOVE SCOPES. This opens the Update selected scopes window.
  20. Locate and check the scope https://mail.google.com/ for the Gmail API.
      The API does not appear if it has not been enabled.
  21. Click UPDATE. The Update selected scopes window closes.
  22. Click SAVE AND CONTINUE.
  23. Under the Test users tab, click ADD USERS. This opens the Add Users window. Add the users that have access to the application and click ADD. Note the limits on test user access and related restrictions.
  24. Click SAVE AND CONTINUE.
  25. Review the Summary, and make any necessary changes or corrections.
  26. Click BACK TO DASHBOARD.
  27. Click Credentials in the left menu.
  28. Click CREATE CREDENTIALS in the top banner and select OAuth client ID.
  29. On the create credentials page, select Web application for the Application type. Additional fields appear when this is selected.
  30. Enter a name for the application.
  31. Scroll down to Authorised redirect URIs and click ADD URI.
  32. Enter the Authorization Redirect URI in the form of https://{URL OF YOUR APPLIANCE}/login/smtp-verification.
  33. Click CREATE.
  34. A window confirms creation of the OAuth client, and shows the Client ID and Client Secret. Click to download a JSON file. The file contains information that is needed in the next steps.
  35. Click OK to return to the APIs and services page.

Provide Credentials to the SMTP Relay Server

  1. Within the Privileged Remote Access admin interface, navigate to Management > Email Configuration.
  2. Under SMTP Authentication Type, select OAuth2, and enter the following information:
    • Email: The email address for the SMTP relay.
    • SMTP OAuth Provider ID: The client_id from the JSON file generated during the Google configuration.
    • SMTP OAuth Client Secret: The client_secret from the JSON file generated during the Google configuration.
    • SMTP OAuth Scopes: Enter https://mail.google.com/.
    • SMTP OAuth Authentication Endpoint: The auth_uri from the JSON file generated during the Google configuration.
    • SMTP OAuth Token Endpoint: The token_uri from the JSON file generated during the Google configuration.
  3. Click Save.
  4. Now you can verify and connect the provider account. Click Verify Oauth2 Provider.

Ensure you are logged into the provider portal as the email address for the SMTP relay, entered above, in the same browser session. You may need to log out of your personal or admin account.