Configure the BeyondTrust Remote Support Middleware Engine
Starting and Stopping the BeyondTrust Middleware Engine
The BeyondTrust Middleware Engine runs as a Windows service. This service must be restarted whenever a new plugin is deployed or a plugin is removed.
Deploying the Plugin
This section describes the general location and makeup of a plugin deployment. Deployment of specific plugins is beyond the scope of this document.
All plugins are deployed into the Plugins folder in the directory where the BeyondTrust Middleware Engine is installed. Each plugin is deployed into its own folder therein.
Once a plugin has been set up with configuration (described below), a file named <plugin name>.config is present. The plugin's folder may contain any number of other files and folders, depending on the plugin.
Launching the Middleware Administration Tool
If the Windows service is running, the middleware administration tool can be launched. Open a web browser on the server and go to http://127.0.0.1:53231/. This tool is accessible only from the server where the BeyondTrust Middleware Engine is installed. If necessary, the tool can run on a different port, and it can be turned on/off as desired. For details, see Configuring the Middleware Administration Tool.
Overview of the Middleware Administration Tool
The front page of the middleware administration tool displays all deployed plugins as well as each plugin's configuration(s). Multiple plugin configurations can be created. Creating multiple plugin configurations allows a single plugin to integrate with multiple systems, such as two different Secure Remote Access Appliances.
Working with plugin configurations
To add a new configuration for a plugin, click on the copy icon next to the plugin name. A screen is presented in which a number of configuration items are collected, including connection information to a Secure Remote Access Appliance and any plugin-specific settings. This screen includes an option to disable a plugin configuration.
For a specific plugin configuration, the following options are available:
- Edit the plugin configuration.
- Test the plugin configuration. Testing confirms that the plugin is configured correctly and that network resources can be accessed. Test output varies between plugins.
- Delete the plugin configuration. Please be careful! The configuration cannot be recovered after deletion.
Configuration changes made via the middleware administration tool are immediately effective. It is not required to restart the Windows service.
Working with the event history for a plugin
To view the event history for a plugin, click the history icon next to the plugin name. A page is displayed listing the key details of each event the plugin has processed. The amount of history available depends on the event retention configuration. The default is seven days. For details on how to change this setting, see Configuring the Middleware Administration Tool.
On the plugin events page, the following functionality is available:
- Paging and text filtering.
- Viewing the raw event data.
- Viewing the error data if event processing failed.
- Finding the event GUID, an identifier attached to every log message for the event.
- Replaying an event (i.e., sending the event to the plugin to reprocess). This can be useful for events that fail for transient reasons such as a network issue.
Working with the event retries for a plugin
To view the active retries for a plugin, click the clipboard icon located next to the history icon. A page is displayed listing details about each retry.
The retry is removed from this page when the plugin:
- Successfully processes the event.
- Reaches the retry limit.
Retries are attempted using a Fibonacci backoff strategy. This strategy spaces out the retries, with the first attempt being five (5) seconds after the initial failure. The maximum number of retries is set per plugin configuration. The Retry Events page provides the functionality required to replay the event before the next attempt time.
Configuring the Middleware Administration Tool
You can modify the middleware administration tool to run on a different port, and you can turn it on/off as desired. You can also change the length of time that events are stored.
- From the home page of the middleware administration tool, click the Edit Middleware Configuration link.
- The following configuration options are available:
  - Logging Level: Defines the logging level for the BeyondTrust Middleware Engine. Modifications to this value take effect immediately. For maximum logging, select DEBUG. For minimum logging, select ERROR.
  - Outbound Event Base Address: The base address the BeyondTrust Middleware Engine listens on for outbound events from a Secure Remote Access Appliance. If this value is changed, the Windows service must be restarted.
  - Middleware Administration Tool Enabled: If disabled, the web-based tool will not be available. If this value is changed, the Windows service must be restarted.
  - Middleware Administration Tool Base Address: The base address on which the administration tool runs. If this value is changed, the Windows service must be restarted.
  - Event Retention Days: The number of days to keep a record of events delivered to plugins. If this value is changed, the Windows service must be restarted.
- This same configuration can be edited from a file if desired, such as if the administration tool is disabled.
  - Go to the directory where the BeyondTrust Middleware Engine is installed.
  - In a text editor, open MiddlewareConfig.txt.
  - Edit the file as needed. The file is in JSON format. Valid LogLevel values are ERROR, INFO, WARN, and DEBUG.

    When changing the LogLevel from the text file, the change is not immediately effective. The log level can change dynamically only when it is changed from the administration tool user interface.

    Below is the default configuration:

        {
          "LogLevel": "ERROR",
          "EngineBaseAddress": "http://+:8180/",
          "AdminToolEnabled": true,
          "AdminToolBaseAddress": "http://127.0.0.1:53231/",
          "EventRetentionDays": 7
        }

  - After making any changes, restart the Windows service.
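An added example, not BeyondTrust code: a Python check that reads a MiddlewareConfig.txt body and reports settings an administrator would want to review, such as an administration tool address that is not loopback or a plain-HTTP event listener on a wildcard address like the default http://+:8180/. The function names, the finding texts and the reading of "+" as "any host name" are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"+", "*", "0.0.0.0", "::"}  # assumption: '+' and '*' match any host name
VALID_LEVELS = {"ERROR", "INFO", "WARN", "DEBUG"}

# Default configuration as listed on this page.
DEFAULT_CONFIG = """{
  "LogLevel": "ERROR",
  "EngineBaseAddress": "http://+:8180/",
  "AdminToolEnabled": true,
  "AdminToolBaseAddress": "http://127.0.0.1:53231/",
  "EventRetentionDays": 7
}"""

def exposure(address):
    """Classify a base address by the host part it binds to."""
    host = urlsplit(address).hostname or ""
    if host in LOOPBACK:
        return "loopback"
    return "all-interfaces" if host in WILDCARD else "specific-host"

def audit(config_text):
    """Return (key, finding) pairs; a missing key raises KeyError."""
    cfg = json.loads(config_text)
    findings = []
    if cfg["AdminToolEnabled"] and exposure(cfg["AdminToolBaseAddress"]) != "loopback":
        findings.append(("AdminToolBaseAddress",
                         "admin tool is not limited to the local server"))
    engine = cfg["EngineBaseAddress"]
    if urlsplit(engine).scheme == "http" and exposure(engine) != "loopback":
        findings.append(("EngineBaseAddress",
                         "plain-HTTP listener (%s): limit the port to the TLS "
                         "proxy or trusted senders" % exposure(engine)))
    if cfg["LogLevel"] not in VALID_LEVELS:
        findings.append(("LogLevel", "not a valid value"))
    elif cfg["LogLevel"] == "DEBUG":
        findings.append(("LogLevel", "maximum logging is on"))
    days = cfg["EventRetentionDays"]
    if isinstance(days, bool) or not isinstance(days, int) or days < 1:
        findings.append(("EventRetentionDays", "expected a positive whole number of days"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(DEFAULT_CONFIG):
        print(f"{key}: {finding}")
```

Run against the default configuration, it reports only EngineBaseAddress. That finding matters most when IIS terminates TLS on port 443 in front of the engine, because port 8180 itself still accepts plain HTTP.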
Using IIS as a Reverse Proxy for the BeyondTrust Middleware Engine
The following steps show you how to set up and configure IIS to work as a reverse proxy for the BeyondTrust Middleware Engine, to support scenarios where outbound events from the appliance must go over port 443. For example, outbound events from BeyondTrust Cloud must travel over port 443.
This document does not cover how to set up an outbound event in BeyondTrust, since it is assumed that setup has already been completed.
- In the Server Manager dashboard, click Add roles and features.
- Click Next on the next screen.
- Under Select installation type, select Role-based or feature-based installation. Click Next.
- Under Server Selection, click Select a server from the server pool and select the desired server. Click Next.
- Under Server Roles, select Web Server (IIS). Click Next.
- When you select Web Server (IIS), you are prompted to add IIS management tools. Click Add Features.
- Make sure that .NET Framework 4.6 Features is checked, then click Next. You do not need to select any additional features.
- Under Web Server Role (IIS), click Role Services on the left menu. Check that the necessary default values are checked.
- Click Next, then Install.
- A progress bar indicates that the installation is taking place. When the installation is complete, click Close.
Install the Web Platform Installer 5.0 and Required Components
After installation is complete, download and install the Microsoft Web Platform Installer 5.0 (https://www.microsoft.com/web/downloads/platform.aspx). Using the Web Platform Installer, install the following elements into IIS:
- URL Rewrite 2.x
- Application Request Routing 3.x
You need to restart IIS services (or restart the server) after the installation.
Set Up SSL
- Open the IIS Manager application, then click the server name in the left hand pane.
- Click Server Certificates.
- In the Actions menu, choose to Import your certificate. If a CA certificate is not available, or the configuration is for a development/testing site, you may select Create a Self-Signed Certificate.
- From the right hand panel, under Sites, select the Default Web Site.
- From the Actions menu, click Bindings.
- Add a binding and choose type https.
- Choose the SSL certificate you imported/created in the prior step.
Configure Reverse Proxy
- In the right hand panel, under Sites, select Default Web Site.
- Double-click URL Rewrite.
- Click Add Rule(s)...
- Select Reverse Proxy. If prompted to enable proxy functionality, click OK.
- Enter 127.0.0.1:8180 as the server name and leave other options as default.
- Restart the Default Web Site.
Set Up BeyondTrust Outbound Event to Validate the Certificate (optional)
If desired, you may set up the appliance to validate the server certificate when sending an outbound event.
You must have a valid CA certificate in IIS for this setting to work.
- In the appliance, navigate to Management > Outbound Events.
- Edit the desired outbound event.
- Enable the CA Certificate option. Click Choose File and select your CA certificate.