Backup Procedures

Backing up the site data from BeyondTrust on a regular basis is an essential part of Secure Remote Access administration and maintenance. Most of the settings and data from the /login administrative web interface can be captured as a single NSB file. In most cases, the /appliance administrative web interface contains the SSL certificates and network configuration of the B Series Appliance. These are essential to the functionality of the B Series Appliance and must be configured during the recovery process.

With the exception of certificates, /appliance configuration cannot be downloaded as a single, password-protected file in the way /login configuration can. The /appliance configuration must be backed up using screenshots and/or text data. These files should be given an identifying name, including the B Series Appliance version, B Series Appliance serial number, base software version, and system time as shown on the Status page of the B Series Appliance at the time of backup.

Cloud sites have a minimal version of the /appliance web interface accessible from the Appliance tab of the /login administrative web interface. Since BeyondTrust manages the network configuration of BeyondTrust Cloud sites and provides a working default certificate, administrators need to backup only their own custom certificates and SSL/TLS configuration, if these have been manually customized.

Failover

BeyondTrust failover enables the synchronization of data between two peer B Series Appliances, creating a simplified process for securely swapping from a failed B Series Appliance. Two B Series Appliances host the same installed software package for a single site. DNS directs support traffic of the site to one of these B Series Appliances, the primary B Series Appliance, where all settings are configured. The backup B Series Appliance synchronizes with the primary B Series Appliance, according to the settings configured in the /login interface. BeyondTrust's failover documentation details how to configure failover between B Series Appliances.

Once two B Series Appliances are in failover mode, the backup of settings and data from the primary to the backup occurs.

  1. Log in to the /login admin web interface of the backup B Series Appliance.
  2. Browse to Management > Failover.
  3. Check Enable Backup Operations.

Automatic Data-Sync Interval and Data-Sync Bandwidth Limit do not need to be changed in most environments.

  1. Click Sync Now to manually force synchronization under Backup Site Instance Status. Failover sync captures all users, files, and configuration in /login with the exception of failover configurations, including settings on the Failover page and the Inter-Appliance Pre-Shared Key under Management > Security.

It is important to note that failover B Series Appliances do not sync any settings or data under /appliance. This means that certificates and network configuration are not replicated. It is not necessary to back up certificates from each B Series Appliance; however, failover B Series Appliances must have identical certificate configuration. Once replicated, a single backup copy of the certificates from either B Series Appliance is sufficient. Network configuration and any other customized /appliance settings must be backed up for each B Series Appliance; however, /login data can be backed up for each B Series Appliance as well. This applies especially to failover settings, which are not included in the failover sync. Saving backups of /login settings serves as a safeguard in case failover sync fails.

For more information, please see Failover Dynamics and Options.

Back Up Certificates

Cloud Appliances are managed automatically, but it is possible for administrators to install custom certificates on Cloud Appliances. If a B Series Appliance fails, network configuration and SSL certificates must be restored to the new or repaired B Series Appliance in order to connect with the remote client software (access consoles and Jump Clients, for example). BeyondTrust-hosted sites are managed by BeyondTrust, but administrators of on-premises and Cloud Appliances are encouraged to back up their certificates.

The SSL certificate issued to the B Series Appliance hostname is often unique to the B Series Appliance and is always used to validate its identity to remote client software. It is important that a backup of this certificate, all its intermediate certificates, and its root certificate are saved. We recommend that the certificate backup file be saved with a password in a secure location because in the event a malicious party obtained a copy of this certificate, they could potentially access confidential data on the network.

  1. To back up the B Series Appliance certificate(s), log in to the /appliance administrative web interface.
  2. Browse to Security > Certificates.
  3. Locate the certificate with the Alternative Names of the B Series Appliance hostname.
  4. With the IP Address(es) of the B Series Appliance, verify that the Private Key? field is set to Yes.
  5. Check the box next to the certificate.
  6. From the Export from the dropdown, click Apply.
  7. Wait for the export page to load.
  8. Check Include Certificate, Include Private Key, and Include Certificate Chain.
  9. Enter a Passphrase.
  10. Click Export.
  11. Save the resulting p12 certificate file in a secure location.

For more information on certificates, please see SSL Certificates and BeyondTrust.

Back Up /appliance

Network configuration for BeyondTrust should be saved by the networking team in a network diagram. This should include firewall rules, antivirus allow list, and IDS/IPS settings, as appropriate. A backup copy of the B Series Appliance network configuration can be saved by taking screenshots of the /appliance Networking > IP Configuration page. If static routes and/or SNMP are used, this information is captured from the Networking > Static Routes and Networking > SNMP pages, respectively. BeyondTrust Cloud customers and BeyondTrust-hosted sites do not have these options and do not need to be backed up. They are managed automatically.

If the B Series Appliance has custom SSL/TLS configuration or special user account, network, and/or port restrictions, take a screenshot of these from Security > SSL/TLS Configuration and Security > Appliance Administration. The B Series Appliance may also be configured to send logs to a syslog server. If this is the case, make note of the syslog server's hostname and/or IP along with its preferred message format. These settings can be found under Security > Appliance Administration in the Syslog section.

Certain companies have policies requiring users to accept legal agreements before accessing certain interfaces, such as the BeyondTrust /appliance administrative web interface. If the B Series Appliance is configured with such an agreement, the agreement is located under Security > Appliance Administration > /appliance Prerequisite Login Agreement. If it is configured, capture a screenshot of the agreement.

The B Series Appliance may also be configured with an SMTP server for sending email. The email configuration settings in /appliance are located in Security > Email Configuration. These settings are separate from the email configuration settings in /login. The /appliance email settings are used by the B Series Appliance to send SSL certificate expiration reminders. If the B Series Appliance is configured for reminders, take a screenshot of the page.

Back Up /login

The users, settings, and data in /login can be saved in a single BeyondTrust backup file, which uses the NSB extension. This file can be generated from the BeyondTrust API, from the BeyondTrust Integration Client, or from the /login administrative web interface. BeyondTrust recommends manually downloading NSB backups before installing any updates. To perform manual downloads, click Download Backup on the /login > Management > Software Management tab.The resulting NSB backup file includes the data listed below even if Include logged history is not checked at the time of the download:

  • Local User Accounts
  • Security Provider Configuration
  • Group Policy Configuration
  • Jumpoint Configuration
  • Jump Client Configuration
  • Team Configuration
  • Language Configuration
  • Security Configuration
  • Inter-appliance Communication Pre-shared Key
  • Failover Configuration
  • Outbound Event Configuration
  • Kerberos Keytab

If Include logged history is checked, the NSB backup file includes the following data:

  • Logged Session Data
  • Logged Support Team Information

In either case, the NSB backup file does not include the following:

  • Session Recordings
  • Command Shell Recordings
  • Presentation Recordings
  • File Store files larger than 200KB
  • File Store files beyond the first 50
  • Settings, users, or data from /appliance

In addition to manual downloads at each upgrade, BeyondTrust also recommends downloading NSB backups on a regular basis, using the automated schedule via the Integration Client. The Integration Client can dowload the following types of data:

  • Session Data
  • Session Recordings
  • Command Shell Recordings
  • Site Backups
  • Show My Screen Recordings

The client installation package is available from Downloads in the BeyondTrust Self-Service Center. It is released only as a 32-bit Windows client; however, this runs on 64-bit Windows systems. It is available in a number of different versions, so check the BeyondTrust product release version on the /login > Status > Information tab to make sure to download the correct Integration Client version.

In addition to the Download Backup button and the Integration Client, the BeyondTrust API provides a variety of commands to download backup data. This is useful for automating backups using custom tools and/or scripts. The NSB backups can be downloaded using the BeyondTrust Backup API. Session reports, session recordings, Show My Screen recordings, command shell recordings, presentation recordings, and exit surveys can be downloaded using the Reporting API.

For more information on Integration Client setup and configuration, please see the Integration Client Guide.

Back Up Vault Encryption Key

The Vault encryption key is used to encrypt and decrypt all Vault credentials stored on your B Series Appliance. If you ever need to restore configuration data from a backup onto a new B Series Appliance, you must also restore the Vault encryption key from a backup to be able to use the encrypted Vault credentials contained in the configuration backup.

Backup Password

To protect your software backup file, create a password. If you do choose to set a password, you will be unable to revert to the backup without providing the password.

Download Vault Encryption Key

Go to /login > Management > Software > Backup Vault Encryption Key and click the Download Vault Encryption Key button to download the Vault encryption key to use later.

The Vault encryption key must be password protected.