BeyondTrust Privileged Remote Access Recovery

B Series Appliances are available as virtual appliances, hardware appliances, and Cloud appliances; Cloud appliances run on shared B Series Appliances in BeyondTrust's data centers. When any of these goes offline unexpectedly, the process needed to repair or replace it depends on the type of B Series Appliance involved. The repair and replacement scenarios are described below so that a recovery strategy can be prepared in advance.

Failover and Spare B Series Appliances

BeyondTrust recommends a preconfigured failover relationship between a primary and a backup B Series Appliance, so that the BeyondTrust software remains available if either B Series Appliance fails. BeyondTrust customer clients and access consoles are built to connect to the primary B Series Appliance at a specific address. If the primary B Series Appliance fails, that address is used to redirect clients from the failed B Series Appliance to the backup. This can be accomplished with one of three network routing methods: shared IP, DNS swing, or NAT swing.

Although client traffic is redirected to the backup B Series Appliance, the backup does not accept connections until it takes the primary role. Once it does, it begins accepting client connections and provides all the same services the failed B Series Appliance did. The role change can be triggered manually or automatically.

Given the above information, here are the basic steps to take in the event of a primary B Series Appliance failure in a failover pair:

  1. Redirect network traffic from the primary to the backup B Series Appliance. If the B Series Appliances are configured with:
    • Shared IP: The backup B Series Appliance automatically takes over the IP address of the failed B Series Appliance.
    • DNS swing: Update the DNS A record of the primary B Series Appliance so that it resolves to the IP address of the backup B Series Appliance. Until the old record's TTL expires, clients with a cached answer still try the failed address.
    • NAT swing: Update the firewall NAT rule(s) so that the client-facing / public IP of the failed B Series Appliance is translated to the private IP of the backup B Series Appliance.
  2. Make the backup B Series Appliance take over the primary role. If Enable Automatic Failover is:
    • Enabled: If the backup B Series Appliance can reach the Network Connectivity Test IPs but cannot reach the primary B Series Appliance for the whole Primary Site Instance Timeout period, it automatically takes the primary role. (Requiring the test IPs to be reachable prevents a backup that has lost its own network link from promoting itself.)
    • Disabled: Use the Become Primary button or the API command set_failover_role. To use the button, log in to the backup B Series Appliance's /login administrative web interface, browse to Management > Failover, and click Become Primary, leaving the adjacent box unchecked.
  3. Confirm that clients are connecting and working, then proceed to perform maintenance on the failed B Series Appliance.
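The three steps above, and in particular the automatic-failover decision in step 2, can be exercised in code. The following is an added example, not BeyondTrust's own code: it simulates the backup appliance's promotion logic with injected reachability results so it runs offline, builds (without sending) the manual set_failover_role call for the "Disabled" path, and performs the step 3 check that the client-facing name now resolves to the backup. The API endpoint path (/api/command), the parameter names (action, role, data_sync_first), bearer-token authentication, the meaning of the unchecked box (assumed to be the pull-data-first option), and the hostnames, IPs and timings are all assumptions; verify the API details against the API guide for your version before using them.

```python
"""Failover runbook helpers for a primary/backup B Series Appliance pair.

Added illustration, not BeyondTrust code. API path, parameter names and
auth scheme are ASSUMPTIONS to be checked against your version's API guide.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urlencode
from urllib.request import Request


@dataclass
class FailoverMonitor:
    """Automatic-failover decision as described in step 2 ("Enabled").

    The backup promotes itself only if it can reach the Network Connectivity
    Test IPs AND has been unable to reach the primary for the whole Primary
    Site Instance Timeout period.
    """
    primary_timeout_s: float                     # Primary Site Instance Timeout
    role: str = "backup"
    _primary_down_since: Optional[float] = field(default=None, init=False, repr=False)

    def observe(self, now: float, primary_reachable: bool,
                test_ips_reachable: bool) -> str:
        """Feed one poll result; return the role after this observation."""
        if self.role == "primary":
            return self.role                     # promotion is one-way until an admin acts
        if primary_reachable:
            self._primary_down_since = None      # primary answered: restart the clock
            return self.role
        if not test_ips_reachable:
            # Test IPs are unreachable too, so the likely fault is our own link,
            # not the primary. Promoting now could yield two primaries.
            self._primary_down_since = None
            return self.role
        if self._primary_down_since is None:
            self._primary_down_since = now
        if now - self._primary_down_since >= self.primary_timeout_s:
            self.role = "primary"
        return self.role


def set_failover_role_request(base_url: str, bearer_token: str,
                              data_sync_first: bool = False) -> Request:
    """Build (but do not send) the manual "Become Primary" call from step 2 ("Disabled").

    ASSUMED: command API at /api/command, action=set_failover_role with
    parameters role and data_sync_first, OAuth2 bearer token auth.
    data_sync_first=False mirrors leaving the adjacent box unchecked: with a
    dead primary, a pre-promotion data pull would only wait on an appliance
    that cannot answer.
    """
    body = urlencode({
        "action": "set_failover_role",
        "role": "primary",
        "data_sync_first": "1" if data_sync_first else "0",
    }).encode()
    return Request(
        url=base_url.rstrip("/") + "/api/command",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def verify_redirect(hostname: str, backup_ip: str,
                    resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Step 3 check for a DNS swing: does the client-facing name resolve to the backup?

    The resolver is injectable so the check can run offline. For a NAT swing the
    public name does not change; verify the firewall rule instead. A True here
    does not rule out stale answers cached by clients until the old TTL expires.
    """
    try:
        return resolve(hostname) == backup_ip
    except OSError:
        return False


def demo_timeline() -> List[str]:
    """Constructed 10 s polls against a 30 s timeout (example values)."""
    mon = FailoverMonitor(primary_timeout_s=30)
    polls = [
        (0, False, True),    # transient blip
        (10, True, True),    # primary back: clock resets
        (20, False, True),   # outage begins
        (30, False, False),  # our own uplink flaps: no promotion, clock resets
        (40, False, True),   # outage continues, clock restarts here
        (50, False, True),
        (60, False, True),
        (70, False, True),   # 30 s since t=40: promote
    ]
    return [mon.observe(t, p, c) for t, p, c in polls]


if __name__ == "__main__":
    print(demo_timeline())
```

The timeline in demo_timeline shows why the connectivity-test condition matters: the poll at t=30, when the backup cannot reach anything, is treated as the backup's own problem and resets the timer instead of counting toward promotion.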

If there is a cold spare instead of a failover B Series Appliance, begin recovery by restoring settings and data from the most recent backup(s) to the spare B Series Appliance. Once the data is restored, redirect client traffic to the spare using a DNS or NAT swing. If the spare is on the same local network as the failed B Series Appliance, the failed appliance's IP address can instead be assigned to the spare; however, if the spare is on the same switch as the failed B Series Appliance, that switch must be rebooted for the change to take effect.


PRA Virtual Appliances

BeyondTrust's SRA Virtual Appliances are certified for VMware vCenter 6.5+, Hyper-V 2012 R2, Azure, AWS, and Nutanix. SRA Virtual Appliances support virtual machine snapshots (VMware and Nutanix) and checkpoints (Hyper-V). A checkpoint or snapshot represents the state of a virtual machine at the time it was taken and includes the following:

  • Files and memory state of the virtual machine's guest operating system
  • Settings and configuration of the virtual machine and its virtual hardware

BeyondTrust does not recommend or support creating snapshots (VMware or Nutanix) or checkpoints (Hyper-V) of a running SRA Virtual Appliance; power the appliance off before taking one.

If the SRA Virtual Appliance fails and a recent snapshot or checkpoint exists, try restoring it first. This is often the fastest way to restore service.

If the SRA Virtual Appliance is under an active support maintenance contract, BeyondTrust Technical Support sends an up-to-date VMware, Hyper-V/Azure, or Nutanix deployment file for the SRA Virtual Appliance on request in the event of a failure or loss of the appliance. To receive a copy, contact BeyondTrust Support with your company information from an authorized email address; this is normally the address used to communicate with BeyondTrust during the initial deployment of the B Series Appliance and in subsequent administrative-level incident management. Save a local copy of the deployment file so that the SRA Virtual Appliance can be restored outside BeyondTrust Support's normal business hours.

To reinstall the SRA Virtual Appliance, follow the procedures in the BeyondTrust SRA Installation Guide. Access to the VMware or Hyper-V management tool, the Nutanix console, the Azure Portal, or the AWS Console is needed to complete this process.

  1. Log in to the Hyper-V Manager, VMware, or Nutanix infrastructure client.
  2. Deploy the BeyondTrust OVA (VMware), EXE (Hyper-V), or QCOW2 (Nutanix) file.

For AWS redeployment, BeyondTrust does not send a file. Instead, the Amazon Machine Image (AMI) used for deployment is shared with your AWS account; it appears in the AWS Console under EC2 > AMIs when Private images is selected.

  3. Use the Hyper-V Manager, VMware, or Nutanix console client to power on the SRA Virtual Appliance. For an AWS appliance, power it on from the AWS Console.
  4. Open the virtual console.
  5. Enter the IP address, subnet mask, and default gateway of the SRA Virtual Appliance.

The network settings of the SRA Virtual Appliance should already be recorded from the previous configuration; otherwise, obtain them from the company network administrator. Once the SRA Virtual Appliance is reachable on the network, log in to its /appliance administrative web interface, update the SRA Virtual Appliance, and restore settings and data from backup as needed.