Back Up Procedures
Backing up the site data from BeyondTrust on a regular basis is an essential part of appliance administration and maintenance. Most of the settings and data from the /login administrative web interface can be captured as a single .nsb file. In most cases, the /appliance administrative web interface contains the SSL certificates and network configuration of the appliance. These are essential to the functionality of the appliance and must be configured during the recovery process.
With the exception of certificates, /appliance configuration cannot be downloaded as a single, password-protected file in the way /login configuration can. The /appliance configuration must be backed up using screenshots and/ or text data. These files should be given an identifying name, including the appliance version, appliance serial number, base software version, and system time as shown on the Status page of the appliance at the time of the backup.
BeyondTrust-hosted sites do not have access to /appliance, but administrators should maintain backups of hosted site /login data. BeyondTrust Cloud sites have a minimal version of the /appliance web interface accessible from the Appliance tab of the /login administrative web interface. Since BeyondTrust manages the network configuration of BeyondTrust Cloud sites and provides a working default certificate, BeyondTrust Cloud administrators need to backup only their certificates, SSL/TLS configuration, and/or updates schedule, if these have been manually customized.
BeyondTrust failover enables the synchronization of data between two peer appliances, creating a simplified process for securely swapping from a failed appliance. Two appliances host the same installed software package for a single site. DNS directs support traffic of the site to one of these peer appliances, the primary appliance, where all settings are configured. The backup appliance synchronizes with the primary appliance, according to the settings configured in the appliance's /login interface. To set up failover between appliances, refer to Failover Dynamics and Options .
Once two appliances are in failover mode, the backup of settings and data from the primary to the backup should occur.
- Log into the /login admin web interface of the backup appliance.
- Browse to Management > Failover.
- Check Enable Backup Operations.
- Click Sync Now to manually force synchronization under the Backup Site Instance Status. Failover sync captures all users, files, and configuration in /login with the exception of failover configurations, including settings on the Failover page and the Inter-Appliance Pre-Shared Key under Management > Security.
Automatic Data-Sync Interval and Data-Sync Bandwidth Limit do not need to be changed in most environments.
It is important to note that failover appliances do not sync any settings or data under /appliance. This means that certificates and network configuration are not replicated. It is not necessary to back up certificates from each appliance; however, failover appliances should have identical certificate configuration. Once replicated, a single backup copy of the certificates from either appliance is sufficient. Network configuration and any other customized /appliance settings must be backed up for each appliance; however, /login data can be backed up for each appliance as well. This applies especially to failover settings, which are not included in the failover sync. Saving backups of /login settings serves as a safeguard in case failover sync fails.
Back Up Certificates
Network configuration and SSL certificates are necessary for the operation of BeyondTrust Appliances. BeyondTrust-hosted sites and cloud appliances are managed automatically, but it is possible for administrators to install custom certificates on Cloud Appliances. If an appliance fails, network configuration and SSL certificates must be restored to the new or repaired appliance in order to connect with the remote client software (e.g., rep consoles and Jump Clients). BeyondTrust-hosted sites are managed by BeyondTrust, but administrators of on-premises and Cloud Appliances should back up their certificates.
The SSL certificate issued to the BeyondTrust Appliance hostname is often unique to the appliance and is always used to validate its identity to remote client software. It is important that a backup of this certificate, all its intermediate certificates, and its root certificate are saved. Certificates are documented further in the article SSL Certificates and BeyondTrust. The certificate backup file should be saved with a password in a secure location because in the event a malicious party obtaining a copy of this certificate, they could potentially access confidential data on the network.
- To back up the appliance certificate(s), log into the /appliance administrative web interface.
- Browse to Security > Certificates.
- Locate the certificate with the Alternative Names of the appliance hostname.
- With the IP Address(es) of the appliance, verify that the Private Key? field reads Yes.
- Check the box next to the certificate.
- From the Export from the dropdown, click Apply.
- Wait for the export page to load.
- Check Include Certificate, Include Private Key, and Include Certificate Chain.
- Enter a Passphrase.
- Click Export.
- Save the resulting .p12 certificate file in a secure location.
Back Up /appliance
Network configuration for BeyondTrust should be saved by the networking team in a network diagram. This should include firewall rules, antivirus whitelists, and IDS /IPS settings, as appropriate. A backup copy of the appliance network configuration can be saved by taking screenshots of the /appliance Networking > IP Configuration page. If static routes and/or SNMP are used, this information is captured from the Networking > Static Routes and Networking > SNMP pages, respectively. BeyondTrust Cloud customers and BeyondTrust-hosted sites do not have these options and do not need to be backed up. They are managed automatically.
If the appliance has custom SSL/TLS configuration or special user account, network, and/or port restrictions, take a screenshot of these from Security > SSL/TLS Configuration and Security > Appliance Administration. The appliance may also be configured to send logs to a syslog server. If this is the case, make note of the syslog server's hostname and/or IP along with its preferred message format. These settings can be found under Security > Appliance Administration in the Syslog section.
Certain companies have policies requiring users to accept legal agreements before accessing certain interfaces, such as the BeyondTrust /appliance administrative web interface. If the appliance is configured with such an agreement, the agreement is located under Security > Appliance Administration > /appliance Prerequisite Login Agreement. If it is configured, capture a screenshot of the agreement.
The appliance may also be configured with an SMTP server for sending email. The email configuration settings in /appliance are located in Security > Email Configuration. These settings are separate from the email configuration settings in /login. The /appliance email settings are used by the appliance to send SSL certificate expiration reminders. If the appliance is configured for reminders, take a screenshot of the page.
Back Up /login
The users, settings, and data in /login can be saved in a single BeyondTrust backup file, which uses the .nsb extension. This file can be generated from the BeyondTrust API, from the BeyondTrust integration client, or from the /login administrative web interface. BeyondTrust recommends manually downloading .nsb backups before installing any updates. To perform manual downloads, click Download Backup under the /login > Management > Software Management tab.The resulting .nsb backup file includes the data listed below even if Include logged history is not checked at the time of the download:
- Local User Accounts
- Security Provider Configuration
- Group Policy Configuration
- Jumpoint Configuration
- Jump Client Configuration
- Team Configuration
- Language Configuration
- Security Configuration
- Inter-appliance Communication Pre-shared Key
- Failover Configuration
- Outbound Event Configuration
- Kerberos Keytab
Backups taken from a BeyondTrust Remote Support site (as opposed to BeyondTrust Privileged Remote Access) also include the following:
- Canned Messages Configuration
- Client Branding & Messaging
- Exit Survey Configuration
- Public Site Configuration
- File Store (first 50 files up to 200KB in size)
- Created/Scheduled Presentations
If Include logged history is checked, the .nsb backup file includes the following data:
- Logged Session Data
- Logged Presentation Information (BeyondTrust Remote Support only)
- Logged License Usage (BeyondTrust Remote Support only)
- Logged Support Team Information
In either case, the .nsb backup file does not include the following:
- Session Recordings
- Command Shell Recordings
- Presentation Recordings
- File Store files larger than 200KB
- File Store files beyond the first 50
- Settings, users, or data from /appliance
In addition to manual downloads at each upgrade, BeyondTrust also recommends downloading .nsb backups on a regular basis, using the automated schedule via the integration client. The integration client can dowload the following types of data:
- Session Data
- Session Recordings
- Command Shell Recordings
- Site Backups
- Show My Screen Recordings
Please see the Integration Client Guide for setup and configuration instructions. The client installation package is available from Downloads in the BeyondTrust Self-Service Center. It is released only as a 32-bit Windows client; however, this runs on 64-bit Windows systems. It is available in a number of different versions, so check the BeyondTrust product release version on the /login > Status > Information tab to make sure to download the right integration client version.
In addition to the Download Backup button and the integration client, the BeyondTrust API provides a variety of commands to download backup data. This is useful for automating backups using custom tools and/or scripts. The .nsb backups can be downloaded using the BeyondTrust Backup API. Session reports, session recordings, Show My Screen recordings, command shell recordings, presentation recordings, and exit surveys can be downloaded using the Reporting API.