Data Recovery

Once a B Series Appliance has been repaired or replaced, it is usually necessary to restore its settings and data. This is always necessary in cases where BeyondTrust has shipped an entirely new B Series Appliance from the factory. The settings and data to restore includes /appliance settings and certificates as well as /login users and configuration. Before restoring any of this, first complete the B Series Appliance IP network configuration. Once that is done, remaining /appliance configuration, certificates, and /login settings can be restored remotely as described below.

Failover

When a B Series Appliance in a failover pair has failed and been replaced, the second B Series Appliance in the pair will be servicing clients while the failed B Series Appliance is restored. The restore process for the failed B Series Appliance varies depending on its type. Once the B Series Appliance has been restored, restore its certificates either from a backup or by exporting them from the primary B Series Appliance.

Once the failed B Series Appliance is online and has the primary B Series Appliance's certificates installed, restore its /login administrative interface. Since the primary B Series Appliance should already have all settings and data, it is generally not advisable to restore backup files to a backup B Series Appliance manually. However, installing a /login site package is needed. Once that is done, establish failover from the active B Series Appliance to the repaired one and sync them.

It is still possible to download and restore backup files to failover B Series Appliances; however, it is not ideal unless the primary failover B Series Appliance is missing crucial data that exists only in a backup file. If a backup is restored, failover settings are overwritten with the values contained in the backup. This includes both /login > Management > Failover settings and the Inter-appliance Communication Pre-shared Key found in /login > Management > Security. This means that if a backup is restored to a B Series Appliance in active failover, the failover connection is likely to have issues. Because of this, the best practice is to break failover, restore the backup, reset the pre-shared key, and re-establish the failover relationship.

If the restored B Series Appliance in a failover pair has formerly been the primary B Series Appliance in the failover relationship, it re-enters the failover relationship as the backup B Series Appliance. Sometimes, it can remain this way, but in other scenarios, it is desirable to make it primary once again. The process varies slightly, depending on how the network is routing traffic to the primary B Series Appliance. The routing methods are IP failover, DNS swing, or NAT swing.

 

Atlas

Like failover, Atlas clusters have special requirements. An Atlas cluster typically consists of a failover pair of primary B Series Appliances that route traffic between a number of traffic node B Series Appliances. If one of the primary B Series Appliances fails, refer to the failover recovery guidelines described immediately above. If one fails, follow these steps:

1. Restore the B Series Appliance.
2. Install a /login site package on the B Series Appliance.
3. Re-add the recovered B Series Appliance to the Atlas cluster.
4. Sync the recovered B Series Appliance in order to restore the /login settings.
   • Log in to the primary B Series Appliance's /login administrative web interface.
   • Browse to Management > Cluster.
   • Click Sync Now.

Once completed, the traffic node is fully operational. To test, follow these steps:

1. Log in to the traffic node's /login web interface.
2. While logged in to an access console from a geographic region that is expected to route through the restored traffic node, check Status > Connected Clients.
3. If the value for connected access consoles increases by one immediately after authenticating to the console, the traffic node is working.

If a backup is restored from an Atlas primary node, it does not overwrite the existing Atlas configuration. As a result, copying the configuration of a primary node to each of its traffic nodes is supported; however, manually performing this task is not standard practice. Synchronizing data from the primary B Series Appliance is the standard method for restoring /login settings to a traffic node.

For more information, please see Set Up the Traffic Nodes in an Atlas Cluster.

Recover Certificates

BeyondTrust requires SSL certificates. If any client software from a previous B Series Appliance is expected to reconnect with the replacement B Series Appliance, this B Series Appliance needs a copy of the original SSL certificate(s). Most Cloud Appliances share a standard certificate which validates the BeyondTrust Cloud domain. If the certificate and domain are changed, the non-standard certificate must be restored. Hardware and PRA Virtual Appliances have no such standard configuration and therefore have unique certificates configured by the administrator that must be restored in a disaster recovery scenario. The steps to restore certificates are given below, and they assume that the necessary steps have been taken to bring the web interfaces online.

The steps to bring the web interfaces online vary based on the B Series Appliance type.

1. Log in to the /appliance web interface of the BeyondTrust Appliance B Series.
2. Go to Security > Certificates.

If a B Series Appliance certificate is listed, ignore it. This is a standard certificate that ships with all B Series Appliances.

3. In Security > Certificate Installation, click Import.
4. Browse to the certificate file.
5. Enter the password for the certificate file.
6. Click Upload.

The B Series Appliance certificate appears in the Security > Certificates section. If the certificate was issued by a third-party Certificate Authority (CA), the intermediate certificate and root certificate are also listed here. If your B Series Appliance uses a CA certificate, all intermediate certificates and their root certificate must be present for the B Series Appliance to function properly. Here is a description of each type of certificate:

• Self-Signed Certificate: This has identical values for Issued To and Issued By and have the B Series Appliance's fully qualified domain name (FQDN) in the Alternative Name(s) field.
• CA-Signed Certificate: This has an Issued To field and/or an Alternative Name(s) field matching the B Series Appliance's FQDN. If a CA-signed certificate exists, the B Series Appliance also has one or more intermediate and/or root certificate(s) listed on the Certificates page.
• Intermediate certificates: These have different Issued To and Issued By fields, neither of which is an FQDN. Usually, there are only one or two intermediate certificates. Sometimes, there are none, depending on the CA.
• Root certificate: This has identical values for the Issued To and Issued By fields, neither of which are an FQDN. Every CA-signed certificate must have exactly one root certificate.

If a self-signed certificate is being used, a warning is present beneath it. The warning expresses that this kind of certificate should be used only temporarily until a CA-signed certificate is obtained. If a CA-signed certificate has already been obtained and one or more of its intermediate or root certificates are missing, a warning appears beneath the CA-signed certificate. To resolve this, contact the CA to obtain any missing intermediate or root certificates, and upload them to the Security > Certificates section.

1. Once there are no certificate warnings, click the Assign IP link in the certificates entry for the B Series Appliance's CA-signed or self-signed certificate.
2. At the bottom of the resulting page, check the IP address of the B Series Appliance.
3. Click Save Configuration. This completes the restore process for the certificate(s). However, the B Series Appliance still needs /login restored before it is fully operational.

In Base 5+, you don’t need to manually assign an IP to the certificate, as it is automatically handled by SNI. You can optionally select the certificate as Default if desired.

Recover /login

Unlike /appliance, the /login administrative web interface is not installed by default on new B Series Appliances. Therefore, in cases where a new PRA Virtual Appliance has been installed or a new hardware B Series Appliance has been shipped, the new B Series Appliance does not usually have a /login administrative web interface. If the B Series Appliance is repaired or restored from a snapshot rather than replaced or reinstalled, the repaired B Series Appliance still has a /login site package installed, but it may be necessary to upgrade the site to the same version as the failover B Series Appliance or to a version compatible with the backup file. In these cases, contact BeyondTrust Support for the necessary /login site updates. To get the updates, send BeyondTrust Support an email including these items:

• Screenshot of the /appliance Status page
• B Series Appliance FQDN registered in DNS
• Version of the most recent backup file

After receiving this information, Support registers the B Series Appliance on the BeyondTrust update servers, builds the necessary update package(s), and sends the installation instructions. There are one or more base software updates to install prior to the /login site package. Follow the instructions from BeyondTrust Support to update the B Series Appliance and log in to the /login web interface, using the default admin and password credentials. The system forces the password to be changed at login.

In failover and Atlas scenarios, /login data is recovered using data synchronization rather than backup files. Save the NSB backup files in order to restore /login settings, users, and data. However, before restoring a backup file, take into account the BeyondTrust product release version from which the backup was downloaded, as well as the version of the site receiving the backup file. BeyondTrust does not test restoring backups from every version to every other version. Only backups from the supported upgrades of a particular version are tested. Supported upgrade versions are listed in the release notes for each version.

The version of a particular backup can be found by checking the filename of the backup. By default, BeyondTrust backup file names begin with bomgar followed by the BeyondTrust product release version of the backup, the name of the site which generated the backup, the date on which the backup was downloaded, and the unique ID of the backup file. Check the version of the site to which the backup is being uploaded to by viewing the Product Version field on the /login > Status > Information page.

When attempting to restore backups from an old release version to a newer version of BeyondTrust not listed as the backup's supported upgrade version, unexpected issues and/or data loss can occur. When attempting to restore backups from newer versions of BeyondTrust to older, major issues occur. This is not supported. However, as long as the rules concerning release versions are followed, backups can be successfully restored between physical B Series Appliances (B200, B300, and B400) and PRA Virtual Appliances and between physical B Series Appliances of different hardware revisions.

Once the restore method is validated, restore the /login site backup by following these steps:

1. Browse to /login > Management > Software.
2. Locate Software > Restore Settings.
3. Click Choose File.
4. Select the backup file using the file browser.
5. Enter the backup password, if one was assigned.
6. Click Upload Backup.

The backup password is assigned by the administrator who downloads the backup originally. If it is lost, the backup cannot be restored. Once it is restored, all users (including the local administrator), settings, and most data are restored to the state at which the backup was originally downloaded.

After /login is online and the backup is restored, the B Series Appliance is fully operational, assuming the network's traffic has been properly routed. To test the B Series Appliance:

1. Open the access console.
2. Log in with the user credentials that worked prior to the failure event.
3. Verify that all Jump Clients, Jumpoints, options, and settings function as expected.

There is no need to deploy new client software. Instead, the original clients reconnect with the new B Series Appliance automatically.

For more information, please see the Privilege Remote Access Release Notes page.