Upgrade the BeyondTrust Software
Please visit the Product Change Log to get the details of each release of BeyondTrust remote support software.
If your BeyondTrust software has not been updated in some time and is several revisions behind the latest version, you will probably need to install several intermediate versions before installing the latest software. Please see the third bullet below for details.
- Prior to upgrading, always create a backup of your settings and configuration from /login > Management > Software Management.
- As a best practice, export a copy of your SSL certificates and private key, and save them locally to ensure continuity in case of a failure during the upgrade.
- For major software releases, customers with current maintenance contracts are placed into a rollout schedule. Once your upgrade is ready, BeyondTrust alerts you via email to begin this upgrade procedure.
- If your appliance is many months or years out of date, it is unlikely to be able to upgrade directly to the latest version of BeyondTrust in a single installation. In this case, some upgrade packages may be grayed out in the updates list and require another package to be installed first. Select Install This Update on the available package to enable the dependent one.
- If uncertain which updates to install or in which order, contact BeyondTrust Technical Support at www.beyondtrust.com/support with a screenshot of your /appliance > Status > Basics page to determine the specific updates needed for your appliance.
- In cases where intermediate BeyondTrust updates must be installed before the latest version, BeyondTrust software clients are not expected to auto-update successfully unless they are allowed time to retrieve the intermediate updates. Therefore, BeyondTrust recommends that you wait at least 24 hours after installing each package prefixed by BeyondTrust.
- Base updates do not require a waiting period, but they are typically prerequisite to BeyondTrust packages. As such, Base updates are normally installed immediately prior to BeyondTrust packages.
- If it is impossible to allow 24 hours for automatic client upgrades to complete, the alternative to automated updating is first to remove all existing client software, including representative consoles, Jump Clients, Jumpoints, Support Buttons, connection agents, etc. Install each BeyondTrust and Base upgrade in sequence until the latest version is reached. Then, manually reinstall all client software.
- Installation usually takes between 15 minutes to an hour. However, if you are storing a large amount of data on your appliance (e.g., session recordings), the installation could take significantly longer.
- We recommend performing upgrades during scheduled maintenance windows. Your BeyondTrust site will be temporarily unavailable during the upgrade. All logged in users and active sessions will be terminated.
- We also recommend testing the update in a controlled environment prior to deploying into production. Testing can best be performed when you have two appliances in a failover relationship and when you update asynchronously.
For more information, please see Verify and Test.
- If you experience any issues during the Base update, do not restart the Secure Remote Access Appliance. Please contact BeyondTrust Technical Support.
- If you have two appliances set up in a failover configuration, consider whether you want to update synchronously or asynchronously.
- With synchronous updating, the primary appliance is updated first and maintains its role as primary. This method does involve some downtime; we recommend synchronous updates for simple deployments and scenarios that will not suffer from being offline during the update.
- With asynchronous updating, the backup appliance is updated first and then assumes the role of primary. This method has minimal downtime; we recommend asynchronous updates for larger deployments and scenarios that rely on maintaining solid uptime. Some complexity is involved, as the network may have to be modified in order to fail over to the backup appliance.
Vault Key Backup
The Vault encryption key is used to encrypt and decrypt all Vault credentials stored on your Secure Remote Access Appliance. If you ever need to restore configuration data from a backup onto a new appliance, you must also restore the Vault encryption key from a backup to be able to use the encrypted Vault credentials contained in the configuration backup.
To password protect your software backup file, create a password. If you do choose to set a password, you will be unable to revert to the backup without providing the password.
Download Vault Encryption Key
Click the Download Vault Encryption Key button to download the Vault encryption key for you to use later.
The Vault encryption key must be password protected.
Only certain upgrades require client software to update. Base software updates and license add-ons do not require client software updates. Site version updates do require client updates, however. Most client updates occur automatically, but the expected update procedure for each type of client is reviewed below.
When upgrading to a newly built site software package, verify that all certificate stores are managed appropriately and are up-to-date prior to upgrading to a new BeyondTrust version. Failure to do so may cause a majority of your existing Jump Clients to appear offline.
- Your installed representative consoles will need to be upgraded after the site upgrades. Typically, this occurs automatically the next time the representative runs the representative console.
- Representative consoles previously deployed on locked-down computers using MSI may need to be redeployed once the upgrade is complete.
For more information, please see My Account: Change Password and Username, Download the Representative Console and Other Software .
- If the extractable representative console or extractable Jump Client feature has been enabled for your site by BeyondTrust Technical Support, then you can download an MSI installer to update representative consoles or Jump Clients prior to upgrading the appliance. To do this, check for the new update either manually or automatically. Click the Rep Console Installers or Jump Client Installers link to download the MSI for distribution. Note that the updated clients will not come online until their appliance is updated. It is not necessary to uninstall the original client prior to deploying the new one, as the new one should automatically replace the original installation. It is a best practice, however, to keep a copy of the old MSI to remove the outdated installations after the appliance is updated should this removal prove necessary. The new MSI is unable to do so.
- After an upgrade, deployed Jump Clients automatically update.
- If large numbers of Jump Clients attempt to update simultaneously, they may flood the appliance, severely crippling performance both on the appliance and the network, depending on the available bandwidth and hardware. To regulate the amount of bandwidth and resources consumed by Jump Client updates, go to /login > Jump > Jump Clients and set a lower value for Maximum Number of Concurrent Jump Client Upgrades and/or Maximum bandwidth of concurrent Jump Client upgrades.
- Active and passive Jump Clients queue for update upon their first check-in with the appliance subsequent to the appliance's update. These check-in events occur at regular intervals outbound from the Jump Client host over TCP port 443 to the appliance. Active Jump Clients check in immediately after an upgrade is complete on the appliance. Passive Jump Clients check in upon boot up, upon having a connection made from the representative console, upon being told to check in from the system tray icon, and at least once every 24 hours.
- If a Jump Client has not yet been updated, it is labeled as Upgrade Pending, and its version and revision number appear in the details pane. While you can modify an outdated Jump Client, you cannot Jump to it. Attempting a Jump does, however, move that Jump Client to the front of the upgrade queue.
- If your Secure Remote Access Appliance is out of date, multiple release versions may need to be installed to reach the current version. In this case, BeyondTrust recommends allowing at least 24 hours between updates to allow Jump Clients to upgrade. Passive Jump Clients may take longer than this depending on how long their host systems remain offline.
When upgrading to a new software version, please allow some time for all Jump Clients to come back online before moving forward with any other upgrading processes.
- Once a Jump Client appears as online in the representative console or the /login > Status > Information page, it has updated successfully. An effective means of confirming that all Jump Clients have updated is to log into the representative console as an administrative user with permission to modify all Jump Clients in the system. Export the list of Jump Clients. In the resulting report, sort the Jump Clients by Status Details and confirm that all the dates listed are more recent than the date of the last Secure Remote Access Appliance upgrade.
- If too many release versions are installed back-to-back without first allowing Jump Clients to upgrade, Jump Clients may require manual redeployment.
- After an upgrade, Support Buttons update automatically upon being used for the first time subsequent to an upgrade.
- After an upgrade, deployed Jumpoints should automatically update.
- BeyondTrust Connection Agents update automatically after the site upgrades.
- BeyondTrust Integration Clients do not automatically update after the site upgrades. Integration Clients must be re-installed manually.
Integration Client installers are available from the Downloads page at www.beyondtrust.com/support.
- Upon upgrading, it is necessary to regenerate any installer packages previously created for Support Buttons, Jump Clients, and representative consoles. The clients themselves update as described above. However, the installer files for them invalidate once the appliance which generated them is upgraded.