Data Recovery in the Case of B Series Appliance Replacement
Once a B Series Appliance or site has been repaired and/or replaced, it is usually necessary to restore its settings and data. This is always necessary in cases where BeyondTrust has shipped an entirely new B Series Appliance from the factory. The settings and data to restore includes /appliance settings and certificates as well as /login users and configuration. Before restoring any of this, first complete the B Series Appliance IP network configuration. Once that is done, remaining /appliance configuration, certificates, and /login settings can be restored remotely as described below.
When a B Series Appliance in a failover pair has failed and been replaced, the second B Series Appliance in the pair should be servicing clients while the failed B Series Appliance is restored. The restore process for the failed B Series Appliance varies depending on its type. Once the B Series Appliance has been restored, restore its certificates either from a backup or by exporting them from the primary B Series Appliance.
Once the failed B Series Appliance is online and has the primary B Series Appliance's certificates installed, restore its /login administrative interface. Since the primary B Series Appliance should already have all settings and data, it us generally not advisable to restore backup files to a backup B Series Appliance manually. However, installing a /login site package is needed. Once that is done, establish failover from the active B Series Appliance to the repaired one and sync them as described in Establish the Primary/Backup Failover Relationship Between Two B Series Appliances .
It is still possible to download and restore backup files to failover B Series Appliances; however, it is not ideal unless the primary failover B Series Appliance is missing crucial data that exists only in a backup file. If a backup is restored, failover settings are overwritten with the values contained in the backup. This includes both /login > Management > Failover settings and the Inter-appliance Communication Pre-shared Key found in /login > Management > Security. This means that if a backup is restored to a B Series Appliance in active failover, the failover connection is likely to have issues. Because of this, the best practice is to break failover, restore the backup, reset the pre-shared key, and re-establish the failover relationship. For details, please see Failover Dynamics and Options .
If the restored B Series Appliance in a failover pair has formerly been the primary B Series Appliance in the failover relationship, it re-enters the failover relationship as the backup B Series Appliance. Sometimes, it can remain this way, but in other scenarios, it is desirable to make it primary once again. If this is the case, follow the instructions in Establish Failover for Planned Maintenance. The process varies slightly, depending on how the network is routing traffic to the primary B Series Appliance. The routing methods are IP failover, DNS swing, or NAT swing.
Like failover, Atlas clusters have special requirements. An Atlas cluster typically consists of a failover pair of primary B Series Appliances that route traffic between a number of traffic node B Series Appliances. If one of the primary B Series Appliances fail, refer to the failover recovery guidelines described immediately above. If one fails, follow these steps:
- Restore the B Series Appliance.
- Install a /login site package on the B Series Appliance.
- Add the recovered B Series Appliance back into the Atlas cluster. Please see Configure the Traffic Nodes in an Atlas Cluster for more information.
- Sync the recovered B Series Appliance in order to restore the /login settings.
- Log into the primary B Series Appliance's /login administrative web interface.
- Browse to Management > Cluster.
- Click Sync Now.
Once completed, the traffic node is fully operational. To test, follow these steps:
- Log into the traffic node's /login web interface.
- While logged into a rep console from a geographic region that is expected to route through the restored traffic node, check Status > Connected Clients.
- If the value for connected rep consoles increases by one immediately after authenticating to the console, the traffic node is working.
If a backup is restored from an Atlas primary node, it does not overwrite the existing Atlas configuration. As a result, copying the configuration of a primary node to each of its traffic nodes is supported; however, manually performing this task is not standard practice. Synchronizing data from the primary B Series Appliance is the standard method for restoring /login settings to a traffic node.
BeyondTrust requires SSL certificates. If any client software from a previous B Series Appliance is expected to reconnect with the replacement B Series Appliance, this B Series Appliance needs a copy of the original SSL certificate(s). Most Cloud Appliances share a standard certificate which validates the BeyondTrust Cloud domain. If the certificate and domain are changed, the non-standard certificate must be restored. Hardware and PRA Virtual Appliances have no such standard configuration and therefore have unique certificates configured by the administrator that must be restored in a disaster recovery scenario. The steps to restore certificates are given below, and they assume that the necessary steps have been taken to bring the web interfaces online.
The steps to bring the web interfaces online vary based on the B Series Appliance type.
- Log into the /appliance web interface of the BeyondTrust Appliance B Series.
- Go to Security > Certificates.
- In Security :: Certificate Installation, click Import.
- Browse to the certificate file.
- Enter the password for the certificate file.
- Click Upload.
The B Series Appliance certificate appears in the Security :: Certificates section. If the certificate was issued by a third-party Certificate Authority (CA), the intermediate certificate and root certificate are also listed here. If your B Series Appliance uses a CA certificate, all intermediate certificate and their root certificate must be present for the B Series Appliance to function properly. Here is a description of each type of certificate:
- Self-Signed Certificate: This has identical values for Issued To and Issued By and have the B Series Appliance's fully qualified domain name (FQDN) in the Alternative Name(s) field.
- CA-Signed Certificate: This has an Issued To field and/or an Alternative Name(s) field matching the B Series Appliance's FQDN. If a CA-signed certificate exists, the B Series Appliance also has one or more intermediate and/or root certificate(s) listed on the Certificates page.
- Intermediate certificates: These have different Issued To and Issued By fields, neither of which is an FQDN. Usually, there are only one or two intermediate certificates. Sometimes, there are none, depending on the CA.
- Root certificate: This has identical values for the Issued To and Issued By fields, neither of which are an FQDN. Every CA-signed certificate must have exactly one root certificate.
If a self-signed certificate is being used, a warning is present beaneath it. The warning is expressing that this kind of certificate should normally be used only temporarily until a CA-signed certificate is obtained. If a CA-signed certificate has already been obtained and one or more of its intermediate and/or root certificate(s) are missing, a warning appears beneath the CA-signed certificate.
- Once there are not any certificate warnings, click the Assign IP link in the certificates entry for the B Series Appliance's CA-signed or self-signed certificate.
- At the bottom of the resulting page, check the IP address of the B Series Appliance.
- Click Save Configuration. This completes the restore process for the certificate(s). However, the B Series Appliance still needs /login restored before it is fully operational.
Unlike /appliance, the /login administrative web interface is not installed by default on new B Series Appliances. Therefore, in cases where a new PRA Virtual Appliance has been installed or a new hardware B Series Appliance has been shipped, the new B Series Appliance does not usually have a /login administrative web interface. If the B Series Appliance was repaired or restored from a snapshot instead of replaced or re-installed, the repaired B Series Appliance still has a /login site package installed, but it may be necessary to upgrade the site to the same version as the failover B Series Appliance or to a version compatible with the backup file. In these cases, contact BeyondTrust Support for the necessary /login site updates. To get the updates, send BeyondTrust Support an email including these items:
- Screenshot of the /appliance Status page
- B Series Appliance FQDN registered in DNS
- Version of the most recent backup file
After receiving this information, Support registers the B Series Appliance on the BeyondTrust update servers, builds the necessary update package(s), and sends the installation instructions. There are one or more base software updates to install prior to the /login site package. Follow the instructions from BeyondTrust Support to update the B Series Appliance and log into the /login web interface, using the default admin and password credentials. The system forces the password to be changed at login.
In failover and Atlas scenarios, /login data is recovered using data synchronization rather than backup files. Outside of this, the .nsb backup files should be saved in order to restore /login settings, users, and data. However, before restoring a backup file, take into account the BeyondTrust product release version from which the backup was downloaded as well as the version of the site receiving the backup file. BeyondTrust does not test restoring backups from every version to every other version. Only backups from the supported upgrades of a particular version are tested. Supported upgrade versions are listed in the release notes for each version. Release notes are available at www.beyondtrust.com/support/changelog.
The version of a particular backup can be found by checking the filename of the backup. By default, BeyondTrust backup file names begin with BeyondTrust followed by the BeyondTrust product release version of the backup, the name of the site which generated the backup, the date on which the backup was downloaded, and the unique ID of the backup file. Check the version of the site to which the backup is being uploaded to by viewing the Product Version field on the /login > Status > Information page.
When attempting to restore backups from an old release version to a newer version of BeyondTrust not listed as the backup's supported upgrade version, unexpected issues and/or data loss can occur. When attempting to restore backups from newer versions of BeyondTrust to older, major issues occur. This is not supported. However, as long as the rules concerning release versions are followed, backups can be successfully restored between physical B Series Appliances (i.e., B200, B300, and B400) and PRA Virtual Appliances and between physical B Series Appliances of different hardware revisions.
Once the restore method is validated, restore the /login site backup by following these steps:
- Browse to /login > Management > Software.
- Locate Software :: Restore Settings.
- Click Choose File.
- Select the backup file using the file browser.
- Enter the backup password, if one was assigned.
- Click Upload Backup.
The backup password is assigned by the administrator who downloads the backup originally. If it is lost, the backup cannot be restored. Once it is restored, all users (including the local administrator), settings, and most data are restored to the state at which the backup was originally downloaded.
After /login is online and the backup is restored, the B Series Appliance should be fully operational, assuming the network's traffic has been properly routed. To test the B Series Appliance:
- Open the rep console.
- Log in with the user credentials that worked prior to the failure event.
- Verify that all Jump Clients, Jumpoints, options, and settings function as expected.
There should be no need to deploy new client software. Instead, the original clients should reconnect with the new B Series Appliance automatically.
Return the Defective B Series Appliance
In cases where you have replaced a failed hardware B Series Appliance, it will be necessary to dispose of the failed hardware. First, you may wish to wipe the B Series Appliance of all sensitive data. You can wipe the B Series Appliance by taking these steps:
- Log into the /appliance web interface of the defective B Series Appliance.
- Browse to the Status > Basics page.
- Click Reset Appliance to Factory Defaults.
- Wait for the reset to complete.
- Click Shut Down This Appliance.
Once done, ask BeyondTrust Support for a return shipping label, if you have not been sent one already. Once you have the return label, use it to ship the B Series Appliance back. Many administrators choose to use the packaging materials of the replacement B Series Appliance to return the defective one.