Email Configuration: Configure B Series Appliance to Send Email Alerts

Security :: Email Configuration

Your B Series Appliance can send you automatic email notifications. Emails are sent for the following events:

  • Syslog Server has been Changed: A user on /appliance has changed the syslog server parameter.
  • RAID Event: One or more RAID logical drives is not in Optimum state (Degraded or Partially Degraded).
  • SSL Certificate Expiration Notice: An in-use SSL certificate (include either end-entity certificates or any CA certificate in the chain) expires in 90 days or less.

Configure via SMTP

This method does not work for some email services. Please see Configure via OAuth2 for Microsoft Entra ID or Configure via OAuth2 for Google for alternate configurations.

Email Configuration

After entering the email addresses for the administrator contacts, save your settings and send a test email to ensure everything works correctly.

Email Configuration for Administrator Contacts

Configure via OAuth2 for Microsoft Entra ID

Configuration requires changing settings on the BeyondTrust appliance and the Microsoft 365 subscription with Entra ID.

Start by changing settings on the BeyondTrust appliance:

  1. Go to Appliance, click the Security tab and click Email Configuration.
  2. Change the Authentication Method to OAuth2
  3. Note the Authorization Redirect URI. It is required later.

Before starting configuration on Microsoft Entra ID, an Azure/Office 365 Administrator must enable Authenticated SMTP for each account on Exchange online. To do this, go to Office 365 Admin Portal (admin.microsoft.com) > Active Users > Mail > Manage Email apps and check Authenticated SMTP.

Once Authenticated SMTP is enabled, perform the following steps in the Entra ID console:

  1. Log in to your console (portal.Azure.com).

Portal screen, with Entra ID searched and selected.

  1. Go to Microsoft Entra ID.

 

App registrations screen, showing owned applications and the option to add a new registration.

  1. Go to App registrations and select New registration.
  2. Enter a name, such as Appliance-OAuth2.
  3. Select the types of account you want to be able to log in to the application through OAuth2. Select Single Tenant for internal only.
  4. Enter the Redirect URI. This is the Authorization Redirect URI obtained from the BeyondTrust appliance at the start of this process.
  5. Click Register.
  6. On the Overview Page (selected from the left menu), note the Application (client) ID. It is required later.

 

App registrations screen, showing owned applications and the option to add a new registration.

  1. Click Endpoints (above the Application (client) ID).
  2. Note the OAuth2.0 authorization endpoint (v2) URI and the OAuth token endpoint (v2) URI. These are required later.

 

App registrations screen, showing owned applications and the option to add a new registration.

  1. On the Certificates & secrets page (selected from the left menu), note the Client secret. It is required later. If you do not have a Client secret, click New client secret to create one.

 

The remaining steps are done on the BeyondTrust appliance.

  1. Go to Appliance, click the Security tab, and click Email Configuration.
  2. Enter the following information noted earlier:
    • Authorization Endpoint
    • Token Endpoint
    • Client ID
    • Client Secret
  3. Enter the email address for this service as the Send from Email Address and the User email.

These addresses must match and be a valid account for Entra ID. If you have Anonymous Email (Send Email as Anyone) enabled for the Entra ID Tenant, you can add anything in the send email field. If not, use the username of the application owner and the Allowed Users.

  1. Enter data for the Host, Encryption, and Port fields.
    • Host: smtp.office365.com
    • Encryption: STARTTLS
    • Port: 587

Default data for Entra ID is shown, but your installation may use a different host or encryption method. The port is applicable for STARTTLS, but other encryption methods may use a different port.

  1. Upload the SMTP server's Root CA Certificate, if required. This step is not required for most large email vendors.
  2. Enter the following for Scopes: https://outlook.office.com/SMTP.Send offline_access
  3. Click Save Changes.
  4. Click Authorize. At the sign in page that appears, accept the permissions request. The mail setting page reloads, and the authorization button is replaced by an authorized message.
  5. To test the configuration:
    • Add an Admin Contact Email.
    • Check Send a test email.
    • Click Save Changes.

Azure AD has been renamed Microsoft Entra ID.

Configure via OAuth2 for Google

Configuration requires changing settings on the BeyondTrustappliance and the Google Cloud Platform.

Start by changing settings on the BeyondTrust appliance:

  1. Go to Appliance, click the Security tab and click Email Configuration.
  2. Change the Authentication Method to OAuth2
  3. Note the Authorization Redirect URI. It is required later.

Now log in to your Google Cloud Platform console (Google Dev Console) (console.cloud.google.com). Use the correct gmail account, as only the owner of the project is able to work with the project. If you do not already have a paid account, you may choose to purchase an account by clicking Activate in the top banner. BeyondTrust cannot provide assistance with purchasing an account. Click Learn More in the top banner for information regarding the limitations of free accounts.

Select Create Project in the Google Cloud Platform.

  1. Click CREATE PROJECT. You can also use an existing project.

 

Enter the name and organization for the project.

  1. Accept the default Project Name or enter a name.
  2. Accept the default Location or select a folder from those available for your organization.
  3. Click CREATE.

 

On the APIs and services page, select Library.

  1. The APIs and services page appears. Click Library in the left menu.

 

Search or browse for the Gmail API in the library.

  1. Search or browse for the Gmail API in the library, and click it.

 

Click Enable on the Gmail API page.

  1. The Gmail API appears on its own page. Click ENABLE.

 

The Gmail API page, with the option to return to APIs management.

  1. The Gmail API Overview page appears. Click APIs & services in the upper left.
  2. The APIs and services page appears again. Click OAuth consent screen in the left menu.

 

The OAuth consent screen, showing user type options.

  1. Select the User Type. Internal allows only users from within the organization, but requires a Google Workspace account.
  2. Click CREATE.

 

The OAuth consent screen, showing fields to complete for the app information.

  1. Enter the App name.
  2. Enter a User support email address. This may default to the address you are using to create the project.
  3. Enter a logo for the app, if desired. The App domain section is also optional.
  4. Add the Authorized domains. For BeyondTrust test appliances, these are:
    • qabeyondtrustcloud.com
    • bomgar.com
  5. Enter the Developer contact information. This is the email address you are using to create the project.
  6. Click SAVE AND CONTINUE.

 

The OAuth consent scopes screen, with Add or Remove Scopes selected, and a large new window for updating scopes.

  1. Under the Scopes tab, click ADD OR REMOVE SCOPES. This opens the Update selected scopes window.
  2. Locate and check the scope https://mail.google.com/ for the Gmail API.

The API does not appear if it has not been enabled.

  1. Click UPDATE. The Update selected scopes window closes.
  2. Click SAVE AND CONTINUE.

 

The OAuth consent test users screen, with some users added.

  1. Under the Test users tab, click ADD USERS. This opens the Add Users window. Add the users that have access to the application and click ADD. Note the limits on test user access and related restrictions.
  2. Click SAVE AND CONTINUE.
  3. Review the Summary, and make any necessary changes or corrections.
  4. Click BACK TO DASHBOARD.

 

The APIs and services screen, showing Credentials and Create Credentials selected.

  1. Click Credentials in the left menu.
  2. Click CREATE CREDENTIALS in the top banner and select OAuth client ID.

 

The Google screen for creating credentials, with sample data in fields.

  1. On the create credentials page, select Web application for the Application type. Additional fields appear when this is selected.
  2. Enter a name for the application.
  3. Scroll down to Authorised redirect URIs and click ADD URI.
  4. Enter the Authorization Redirect URI obtained from the BeyondTrust appliance at the start of this process.
  5. Click CREATE.

 

OAuth client created confirmation screen, displaying the client ID and secret.

  1. A window confirms creation of the OAuth client, and shows the Client ID and Client Secret. Click to download a JSON file. The file contains information that is needed in the next steps.
  2. Click OK to return to the APIs and services page.

 

The remaining steps are done on the BeyondTrust appliance.

  1. Go to Appliance, click the Security tab and click Email Configuration.
  2. Enter the following information, found in the downloaded JSON file:
    • Authorization Endpoint
    • Token Endpoint
    • Client ID
    • Client Secret
  3. Enter any email address for this service as the Send from Email Address.
  4. Enter the User email. This must be an email address entered as a Test user with access to the application, when you completed the OAuth consent screens.
  5. Enter data for the Host, Encryption, and Port fields.
    • Host: smtp.gmail.com
    • Encryption: TLS
    • Port: 465

Default data for Google is shown, but your installation may use a different host or encryption method. The port is applicable for TLS, but other encryption methods may use a different port.

  1. Enter your TLS certificate if one is provided by Google. If not, check Ignore TLS certificate errors.
  2. Enter the following for Scopes: https://mail.google.com
  3. Click Save Changes.
  4. Click Authorize. After the sign in page that appears, you may receive the warning Google has not verified this message, if you have not published the application. The consent page reloads, and the authorization button is replaced by an authorized message.
  5. To test the configuration:
    • Add an Admin Contact Email.
    • Check Send a test email.
    • Click Save Changes.