Upgrade the BeyondTrust Privileged Remote Access Software
Please visit the Product Change Log to get the details of each release of BeyondTrust Privileged Remote Access software.
- Prior to upgrading, always create a backup of your settings and configuration from /login > Management > Software Management.
(See Software Management for more details.)As a best practice, also export a copy of your SSL certificates and private key, and save them locally to ensure continuity in case of a failure on the upgrade.
- For major software releases, customers with current maintenance contracts are placed into a rollout schedule. Once your upgrade is ready, BeyondTrust will alert you via email to begin this upgrade procedure.
- Installation usually takes between 15 minutes to an hour. However, if you are storing a large amount of data on your appliance (e.g., session recordings), the installation could take significantly longer.
- BeyondTrust recommends performing upgrades during scheduled maintenance windows. Your BeyondTrust site will be temporarily unavailable during the upgrade. All logged in users and active sessions will be terminated.
- BeyondTrust also recommends testing the update in a controlled environment prior to deploying into production. Testing can best be performed when you have two appliances in a failover relationship and when you update asynchronously. (See Verify and Test).
- If you experience any issues during the Base update, do not restart the BeyondTrust Appliance. Please contact BeyondTrust Technical Support.
- If you have two appliances set up in a failover configuration, consider whether you want to update synchronously or asynchronously.
- With synchronous updating, the primary appliance is updated first and maintains its role as primary. This method does involve some downtime; it is recommended for simple deployments and scenarios that will not suffer from being offline during the update.
- With asynchronous updating, the backup appliance is updated first and then assumes the role of primary. This method has minimal downtime; it is recommended for larger deployments and scenarios that rely on maintaining solid uptime. Some complexity is involved, as the network may have to be modified in order to fail over to the backup appliance.
Only certain upgrades require client software to update. Base software updates and license add-ons do not require client software updates. Site version updates do require client updates, however. Most client updates occur automatically, but the expected update procedure for each type of client is reviewed below.
Your installed access consoles will need to be upgraded after the site upgrades. Typically, this occurs automatically the next time the user run the access console.
When upgrading to a newly built site software package, verify that all certificate stores are managed appropriately and are up-to-date prior to upgrading to a new BeyondTrust version. Failure to do so may cause a majority of your existing Jump Clients to appear offline.
- Access consoles previously deployed on locked-down computers using MSI may need to be re-deployed once the upgrade is complete.
- If the extractable access console or extractable Jump Client feature has been enabled for your site by BeyondTrust Technical Support, then you can download an MSI installer to update access consoles and/or Jump Clients prior to upgrading the appliance. To do this, check for the new update either manually or automatically. Note that the updated clients will not come online until their appliance is updated. It is not necessary to uninstall the original client prior to deploying the new one, as the new one should automatically replace the original installation. It is a best practice, however, to keep a copy of the old MSI to remove the outdated installations after the appliance is updated should this removal prove necessary. The new MSI is unable to do so.
- After an upgrade, deployed Jump Clients automatically update.
- If large numbers of Jump Clients attempt to update simultaneously, they may flood the appliance, severely crippling performance both on the appliance and the network, depending on the available bandwidth and hardware. To regulate the amount of bandwidth and resources consumed by Jump Client updates, go to /login > Jump > Jump Clients and set the Maximum Number of Concurrent Jump Client Upgrades to a lower number.
- Active and passive Jump Clients queue for update upon their first check-in with the appliance subsequent to the appliance's update. These check-in events occur at regular intervals outbound from the Jump Client host over TCP port 443 to the appliance. Active Jump Clients check in immediately after an upgrade is complete on the appliance. Passive Jump Clients check in upon boot up, upon having a connection made from the access console, upon being told to check in from the system tray icon, and at least once every 24 hours.
- If a Jump Client has not yet been updated, it is labeled as Upgrade Pending, and its version and revision number appear in the details pane. While you can modify an outdated Jump Client, you cannot Jump to it. Attempting a Jump does, however, move that Jump Client to the front of the upgrade queue.
- After an upgrade, deployed Jumpoints should automatically update.
When upgrading to a new software version, please allow some time for all Jump Clients to come back online before moving forward with any other upgrading processes.
- BeyondTrust Connection Agents will update automatically after the site upgrades.
- BeyondTrust Integration Clients will not automatically update after the site upgrades. Integration Clients will need to be re-installed manually. Integration Client installers are available from the Downloads page of beyondtrustcorp.service-now.com/csm.
- Upon upgrading, it will be necessary to regenerate any installer packages previously created for Jump Clients and access consoles. The clients themselves will update as described above. However, the installer files for them will invalidate once the appliance which generated them is upgraded.