Privileged Remote Access PRA Virtual Appliance Frequently Asked Questions

The following are some of the questions frequently asked about administering the PRA Virtual Appliance and answers to these questions from BeyondTrust Technical Support.

VMware

Can I install VMware tools onto my BeyondTrust PRA Virtual Appliance?

The BeyondTrust PRA Virtual Appliance ships with the VMware guest tools pre-installed.

Can a time skew between my ESXi host and my BeyondTrust PRA Virtual Appliance cause connectivity issues?

Yes, any time difference between the BeyondTrust PRA Virtual Appliance and the host ESXi server can cause connectivity issues. To prevent this, specify a valid NTP source in the PRA Virtual Appliance /appliance interface as well as ensuring that your ESXi host is using a valid NTP source. VMware also has an option to sync the guest OS time with the host ESXi server time. If you use this option, then the NTP source within the BeyondTrust PRA Virtual Appliance does NOT need to be set. It is recommended to use one method or the other but NOT both together.

What version of VMware is supported to host the BeyondTrust PRA Virtual Appliance?

BeyondTrust certifies support for VMware vCenter 5.0+, Virtual Hardware Version 7+

Does the BeyondTrust PRA Virtual Appliance require reserved resources in VMware?

For troubleshooting purposes, a BeyondTrust Technical Support representative may require the BeyondTrust PRA Virtual Appliance to have reserved resources to effectively diagnose a support issue.

Does BeyondTrust support using the VMware snapshot functionality?

BeyondTrust supports the use of the snapshot technology only in upgrade situations. A snapshot of a powered-off BeyondTrust PRA Virtual Appliance can be taken prior to an upgrade and can be utilized as a fallback in the case of a failed upgrade.

BeyondTrust does not recommend or support taking snapshots of actively running PRA Virtual Appliances.

Can I run the BeyondTrust PRA Virtual Appliance in my clustered VWware environment?

Yes, when installed in a vSphere cluster, the BeyondTrust PRA Virtual Appliance can benefit from many of VMware's value-added technologies, such as VMotion, DRS, and HA, to maximize performance and uptime.

Can I specify an alternate disk for recordings?

Yes, in some cases you may want to separate the disks for recordings if your VMware environment has tiered storage. Add a third disk to your BeyondTrust PRA Virtual Appliance and reboot. Once the BeyondTrust PRA Virtual Appliance is rebooted, the third disk will be provisioned and used for recordings.

The virtual hardware of my BeyondTrust PRA Virtual Appliance is currently on an old version and needs to be upgraded. What are BeyondTrust's recommendations for virtual hardware version upgrades?

BeyondTrust certifies support for VMware vCenter 5.0+, Virtual Hardware Version 7+

If your configuration does not match one of the above configurations, BeyondTrust does recommend updating the virtual hardware version of your BeyondTrust PRA Virtual Appliance.

Why does the PRA Virtual Appliance fail to import with this error "The OVF package requires support for OVF Properties"?

Under certain circumstances, the PRA Virtual Appliance will fail to import with an error window with the message "The OVF package uses features that are not supported when deploying directly to an ESX host. Details Line 88: Unsupported element 'Property'."

This error is caused when the VMware host receiving the import does not have support for OVF Properties. Specifically, this error will appear when you attempt to import the BeyondTrust OVA kit (B300v v1) when connected directly to an ESXi host via the vSphere Client.

To correct the error and successfully import the OVA kit, connect the vSphere client to the vCenter server managing the ESXi host or by using vDirector.

What is the error: "The OVF certificate file is invalid"?

When importing a new BeyondTrust PRA Virtual Appliance to VMware using the OVA installation package, it is possible for VMware to return an error stating "The OVF certificate file is invalid". This happens when attempting to import the OVF file which is packaged inside the B Series Appliance's .ova file. This would require extracting the contents of the OVA package, and this would invalidate the package as a whole. To resolve this, re-download the OVA file and re-import it without extracting the OVA. If using Internet Explorer, it may be necessary to replace .tar with .ova in the download's file extension.

Should the second virtual disk use thick or thin provisioning?

In current versions, the OVF template automatically chooses thick provisioning for the second and (if present) third virtual disk(s).

According to ESXi and vCenter Server 5 Documentation, thin provision initially allocates only the space actually needed by the virtual machine and grows dynamically as needed. In contrast, both forms of thick provisioning allocate all the assigned disk space to the virtual machine upon creation, locking it from use by other machine (see "About Virtual Disk Provisioning Policies" in the ESXi and vCenter Server 5 Documentation under vSphere Virtual Machine Administration > Configuring Virtual Machines > Virtual Disk Configuration in the vSphere Documentation Center at vmware.com/support/pubs/). Although the B Series Appliance is expected to operate correctly with thin provisioning, this is not the preferred choice.

Why does the Virtual Applance download come as a .tar file?

When using Internet Explorer, BeyondTrust's OVA installer may download as a "bomgar.tar" file instead of "bomgar.ova". To install the file per the PRA Virtual Appliance Setup Guide, replace the .tar extension with .ova and follow the guide as normal.

Can the virtual hard disks be stored in multiple datastores?

Some customers with BeyondTrust PRA Virtual Appliances may be interested in distributing the various PRA Virtual Appliance disks across multiple VMware datastores. BeyondTrust does support this configuration, so we expect our B Series Appliances to work satisfactorily when their virtual drives are located in different datastores from one another.

Hyper-V

What version of Hyper-V is supported to host the BeyondTrust PRA Virtual Appliance?

BeyondTrust certifies support of Hyper-V 2012 R2 (standalone), as well as Microsoft Server 2012 R2 with the Hyper-V role enabled.

Does BeyondTrust support using the Hyper-V snapshot functionality?

BeyondTrust supports the use of the snapshot technology only in upgrade situations. A snapshot of a powered-off BeyondTrust PRA Virtual Appliance can be taken prior to an upgrade and can be utilized as a fallback in the case of a failed upgrade.

Can I specify an alternate disk for recordings?

Yes, in some cases you may want to separate the disks for recordings if your Hyper-V environment has tiered storage. Add a third disk to your BeyondTrust PRA Virtual Appliance and reboot. Once the BeyondTrust PRA Virtual Appliance is rebooted, the third disk will be provisioned and used for recordings.

The virtual hardware of my BeyondTrust PRA Virtual Appliance is currently on an old version and needs to be upgraded. What are BeyondTrust's recommendations for virtual hardware version upgrades?

For Hyper-V, BeyondTrust supports only Generation 1 virtual machines at this time. The VA image is delivered as a Generation 1 VM.

If your configuration does not match the above configuration, BeyondTrust does recommend updating the virtual hardware version of your BeyondTrust PRA Virtual Appliance.

Microsoft Azure

Is the Azure Classic deployment model supported?

No. The only supported model is Azure Resouce Manager (ARM).

Do I need to configure the Windows PowerShell script differently if I have a premium storage account?

Yes. If you have a premium storage account, you need to modify the vmSize information in STEP 2 of the script to indicate Premium along with the applicable size.

Can I use any additional Azure features provided by using Azure Linux Agent with my BeyondTrust PRA Virtual Appliance?

BeyondTrust does not support any of these features at this time.

Do I need to enter my Public IP anywhere in the BeyondTrust /appliance interface?

No. The Azure network layer maps the public IP to the private IP. The BeyondTrust PRA Virtual Appliance assigns the private IP using DHCP.

Is failover needed? Is failover supported for Microsoft Azure?

Although the risk for downtime is much lower within Azure, it is still possible to need a failover B Series Appliance. Failover is supported in Azure; however, IP sharing does not work with Azure networking. A DNS swing will be needed to failover to a backup B Series Appliance.

Do I need a static IP for my BeyondTrust PRA Virtual Appliance?

Assigning a static IP is the easiest way to ensure there are not any DNS issues across reboots and also to make sure any integration points that require an IP address work properly. However, assigning a CNAME record for your B Series Appliance's DNS entry should suffice for most deployments.

General Issues

Can an evaluation PRA Virtual Appliance be converted to production?

Yes, the existing PRA Virtual Appliance can be converted to production.

Once the PRA Virtual Appliance licenses are purchased, BeyondTrust Technical Support builds an uninstall package for the evaluation PRA Virtual Appliance and an installation package for the production PRA Virtual Appliance.

If you created security providers and user accounts on the evaluation B Series Appliance, create a backup via /login > management and restore this backup to the production PRA Virtual Appliance.

Can available resources be modified?

It is possible to add additional resources to a BeyondTrust PRA Virtual Appliance, and it is possible to decrease available memory and CPU cycles; however, it is not possible to decrease available storage safely, and none of the above should be done when the B Series Appliance is powered on. After shutting down the B Series Appliance and making your changes, the B Series Appliance should recognize the changes upon next boot.

PRA Virtual Appliances have either two or three virtual hard disks, depending on which configuration was selected during deployment: Small, Medium, or Large. Small and Medium deployments have two disks, while Large deployments have three. The first disk is used for the root of the operating system in all three cases while the second disk is used for /login site data and recordings in Small and Medium deployments.

In Large deployments, recordings are moved from the second disk to the third. If your PRA Virtual Appliance was originally deployed with two virtual hard disks, you can add a third later, and the B Series Appliance will automatically store session recordings on the third disk. The B Series Appliance will not use more than three disks.

  1. Shut down the BeyondTrust PRA Virtual Appliance.
  2. Adjust the RAM and/or CPU allocation and/or increase the disk space using VMware.
  3. Power on the BeyondTrust PRA Virtual Appliance.

Can the PRA Virtual Appliance fail over to a slower storage tier?

Organizations may choose to present storage to PRA Virtual Appliances by means of tiered storage in a SAN. "Fast-tier 1" storage typically refers to arrays which employ SSD technology for frequently accessed data, and "slow" storage typically refers to data placed on technologies such as SAS, NL-SAS, or SATA. Either of these will work with BeyondTrust, but certain storage configurations are not supported when using two B Series Appliances in failover.

In cases where the primary PRA Virtual Appliance has storage in SSD / tier-1 storage, these rules apply to the backup B Series Appliance:

  • Large PRA Virtual Appliances must be provisioned with storage of the same tier.
  • Small and Medium PRA Virtual Appliances may have lower tier storage if it is backed by 10K or 15K disks.
  • No backup PRA Virtual Appliance may have less than 10K / 15K disk storage speed.

The exact specs for Small, Medium and Large are described in our Privileged Remote Access Virtual Appliance Sizing Guidelines . It is important to note that BeyondTrust does not require any particular tier for a PRA Virtual Appliance to boot and function in isolation. Tiered storage becomes a concern only when two B Series Appliances are used in failover.

Is cloning PRA Virtual Appliances supported?

After a BeyondTrust PRA Virtual Appliance is installed in an ESX or ESXi environment, the administrator may wish to clone the B Series Appliance. Cloning a virtual machine creates a duplicate of the virtual machine with the same configuration and installed software as the original. This feature of ESX and ESXi is not supported by the BeyondTrust PRA Virtual Appliance at this time.

Does the PRA Virtual Appliance support vCenter Site Recovery Manager (SRM)?

vCenter's Site Recovery Manager (SRM) builds off of vSphere Replication to provide disaster recovery. Administrators running BeyondTrust in a vCenter system may be interested in leveraging this with BeyondTrust PRA Virtual Appliances. While BeyondTrust is expected to work with vCenter SRM, restoring from a replication like this would appear to the B Series Appliance like pulling the power cable, so there would be a risk for file system corruption, which may result in potential data loss.

 

Open Source Software Acknowledgments

For information on open source software copyrights and acknowledgments used in BeyondTrust hardware and software products, please see the Attributions index.