U-Series Appliance 3.3 Administration Guide
©2003-2021 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC: 10/28/2021
SALES: www.beyondtrust.com/contact SUPPORT: www.beyondtrust.com/support DOCUMENTATION: www.beyondtrust.com/docs
Table of Contents
U-Series Appliance Administration Guide
Access BeyondInsight
Access the U-Series Appliance Web Site
Activate Windows
Request Product Updates
Security Updates
Configure U-Series Appliance General Settings
Join a U-Series Appliance to a Domain
Manage U-Series Appliance Security Settings
Download a Crypto Key
Upload a Crypto Key
Check FIPS Compliance
Manage the U-Series Appliance API Key
Turn SSL Authentication Off or On
Analytics & Reporting Endpoints
Generate and Export Certificates
Set a Security Protocol
Turn On HSTS
Accounts and Licensing Settings in the U-Series Appliance
Update Product Serial Numbers
Key Management Service Support
Purge U-Series Appliance Data
Change Administrator Password
Use Two-Factor Authentication
Network and RDP Settings in the U-Series Appliance
Configure RDP
Set an IP Address for the U-Series Appliance
Enter SMTP Server Settings
Configure Proxy Settings
Manage BITS Throttle
Appliance Health in the U-Series Appliance
Monitor the Health Dashboard
Monitor Services and Hardware
Check Services
Configure Counters for Performance Metrics
Configure Notifications
View Notifications
Diagnose Network Connectivity Issues
Export Log Files
Configure U-Series Appliance Roles
Role Descriptions
Configure Password Safe on the U-Series Appliance
Upload SSL Certificate
Archive Password Safe Session Monitoring Events
Use High Availability with U-Series Appliances
Turn on High Availability Pairing
Configure High Availability
Use a Load Balancer in an Active / Passive Configuration
Test High-Availability Failover
Use Medium Failover Mode
Resume and Suspend SQL Mirroring
Discard High-Availability Configuration Settings
Recognize a Failover
Prepare for Disaster Recovery
Review Database Metrics
Configure a Remote Database for the U-Series Appliance
Configure Backup and Restore on the U-Series Appliance
Set Up a Cold Spare U-Series Appliance
Perform U-Series Appliance Recovery
Optional U-Series Appliance Configuration
Perform Dell PowerEdge System Updates
Configure iDRAC
Configure NIC Teaming or Link Aggregation
Configure VLAN
Upgrade the U-Series Appliance Software
High Availability with Database and Services Synchronization - Active / Passive Upgrade
High Availability with Services Only Synchronization - Active / Active Upgrade
U-Series Appliance Administration Guide
This guide provides information on managing the U-Series Appliance. This guide is intended for network security administrators responsible for protecting their organization's computing assets.
IMPORTANT!
Once you have named your U-Series Appliance, it cannot be renamed. If at any point you need to rename the appliance, you must either re-image (if it is a physical appliance) or re-deploy (if it is a virtual appliance) the image.
Access BeyondInsight
To manage your U-Series Appliance, you must first log in to BeyondInsight.
1. In a web browser, enter the URL to access BeyondInsight, such as https://<server>/.
2. The SSL certificate warning window displays. The SSL certificate automatically created for the U-Series Appliance ensures encrypted communications. We recommend that you replace the automatically generated certificate with a valid certificate issued by a certificate authority. Check the box to not display the information page again. The Internet Explorer warnings will be displayed until the SSL certificate is installed or a valid certificate is obtained.
3. The BeyondInsight Login page displays. Enter the username and the password you created in the configuration wizard, and then click Login.
For more information about using BeyondInsight, please see the BeyondInsight documentation at www.beyondtrust.com/docs/beyondinsight-password-safe/bi.
Access the U-Series Appliance Web Site
1. In a web browser, enter the URL to access the U-Series Appliance, such as https://<Appliance-IP-Address>/Maintenance.
2. For the initial login, enter the following information:
   • Username: The administrator username created using the configuration wizard.
   • Password: The administrator password created using the configuration wizard.
Note: A user can be logged in to a U-Series Appliance web site for fourteen minutes. After twelve minutes, a message displays, indicating that the session will expire in two minutes. The user must log back in to the website after the session expires. Session timeout applies to all U-Series Appliance websites: Roles Editor, Maintenance, Diagnostics, and High Availability. The session timeout value cannot be configured.
Activate Windows
If the Windows environment is currently not activated, you can activate it on the Maintenance web site.
1. From the Maintenance menu, select Accounts and Licensing.
2. Click one of the following:
   • Activate Online: Select when you have an Internet connection.
   • Activate By Phone: Select if there is no Internet connection (for example, in an air-gap environment).
Request Product Updates
On the BeyondTrust Updates page, you can view the version numbers for the BeyondTrust products that you are licensed to use. To request updates, click Request Update. The update of the U-Series Appliance and BeyondInsight database starts.
Security Updates
BeyondTrust provides a bundle of Microsoft patches in a security update package. All updates are tested and approved by BeyondTrust to ensure that updates do not interfere with the proper operation of the U-Series Appliance. The packages are updated when new patches are available from Microsoft. In U-Series Appliance versions 1.3 or later, a security update package installer ships with your U-Series Appliance. When a new package is copied to the update server, then those updates can be received by your U-Series Appliance.
Note: If you are working in an air-gap environment, we recommend using BT Updater Enterprise to download update packages. Using BT Updater Enterprise gives you more flexibility in the updates you download and when. For more information, please see BT Updater Enterprise User Guide at https://www.beyondtrust.com/docs/btupdater/enterprise/index.htm.
For more information about the updates included in the package, contact BeyondTrust Technical Support.
Security Update Package Types
• Security Patches for Windows Server: Microsoft Windows Updates for the server operating system, screened by BeyondTrust.
• Security Patches for SQL Server: SQL Server service packs and security updates that may be released from Microsoft, screened by BeyondTrust.
• U-Series Appliance Environment: Packages created by BeyondTrust to change system settings, such as: file, registry or system changes, or updates not integrated in Windows Updates.
• U-Series Appliance Supporting Software: Packages created by BeyondTrust to deliver updates to software that may not be from BeyondTrust but are essential to the operation of the U-Series Appliance.
Apply Updates
1. To apply the updates, log in to the U-Series Appliance website.
2. The default page displayed is the BeyondTrust Updates page. If it is not displayed, select Maintenance from the menu, then BeyondTrust Updates. Details are displayed about any update that is ready to be applied and previous updates that have been applied.
3. Click View Updates. A page displays all available updates ready to apply and any update applied in the last 24 hours.
4. Click Schedule Updates and select one of the following:
   • Run updates now: Includes all updates available. If a new update arrives while updates are being applied, that update is not included.
   • Schedule updates to run at a specific date and time: Includes the available packages in the scheduled time frame. If a new package is received before the scheduled run time starts, then the new package is not included. A new schedule must be created to include those new packages. A package that fails to update remains in the list of available updates. The update is automatically included in any new schedule created and attempts to update when that schedule runs.
Note: If a restart is required (depending on the patch), then the U-Series Appliance restarts automatically. No action is required on your part.
View Update History
1. Log in to the U-Series Appliance website.
2. The default page displayed is the BeyondTrust Updates page. If it is not displayed, select Maintenance from the menu, then BeyondTrust Updates. Details are displayed about any update that is ready to be applied and previous updates that have been applied.
3. Click View Update History. This page displays the historical records of previously applied patches. The list is organized by the types of packages (subscriptions).
Set the Update Method
The Update Method section displays if update clients are configured to use an internal server or the BeyondTrust update servers. It also displays if a proxy is being used and if U-Series Appliance updates or security updates are disabled.
Clicking Change the Proxy Settings takes you to the page within Maintenance, where you can modify the proxy. Clicking Change the Update Settings takes you to the roles editor.
Configure U-Series Appliance General Settings
Adjust Date and Time Settings
1. From the Maintenance menu, select General Settings.
2. Select a time zone and adjust the time.
3. Click Set the Date and Time Now.
Configure LCD Panel Settings
1. From the Maintenance menu, select General Settings.
2. You can turn on the following settings:
   • Allow LCD Panel to Reset Administrator Password: Turn on to allow you to reset the admin password to a random password from the LCD panel. On the U-Series Appliance LCD panel, select Show IP. Hold the up and down arrows simultaneously. A random password is generated. Press the check button to accept the changed password.
   • Buttons on LCD Panel: Turn off to disable all the LCD panel buttons.
3. Click Update LCD Panel Settings.
Clear the BeyondInsight License Cache
The Clear BeyondInsight License Cache button clears the license key in the BeyondInsight database cache. If a new license key has been recently applied, then clearing the cache ensures that the new key is saved to the BeyondInsight database. Clearing the cache and applying the new key ensures all features are available and work properly. You can verify licensed features on the Accounts and Licensing page.
Export Settings
You can allow U-Series Appliance settings such as IP and administrator password to be set by inserting a USB drive into the U-Series Appliance.
1. From the Maintenance menu, select General Settings.
2. Click to turn on Allow Appliance settings to be imported and exported on removable storage.
3. Click Update Export Settings.
Configure Pre-Login Banner Settings
1. From the Maintenance menu, select General Settings.
2. Enter a title and message you want to appear before the login credentials page is displayed to the user.
Join a U-Series Appliance to a Domain
Joining a U-Series Appliance to a domain is not recommended. However, if required for your deployment, please contact your BeyondTrust representative for assistance.
Manage U-Series Appliance Security Settings
Download a Crypto Key
1. From the Maintenance menu, select Security Settings.
2. Under Download Crypto Key Options, create an encryption password.
3. Click Submit. The crypto key zip file is created and downloaded to your system.
Upload a Crypto Key
1. From the Maintenance menu, select Security Settings.
2. Under Upload Crypto Key Options, enter the encryption password.
3. Drag and drop the crypto key zip file into the drop area or click the button to browse to the zip file.
4. Click Generate the Uploaded Key.
Check FIPS Compliance
1. From the Maintenance menu, select Security Settings.
2. Under FIPS Compliance Checking, click the toggle to change it to FIPS State (Yes).
3. Click Update FIPS Setting.
4. You must reboot the U-Series Appliance for this setting to take effect.
Manage the U-Series Appliance API Key
The U-Series Appliance API manages the communication between U-Series Appliances when high availability is used in your environment. The API key is automatically generated and is available to copy from the High Availability page. From this page, you can regenerate the key and apply limitations on incoming messages.
Note: For security reasons, you might want to regenerate the key regularly.
1. From the Maintenance menu, select Security Settings.
2. Set the maximum age for messages, and then click Update Maximum Age. The default value is 600 minutes.
3. Click Generate API Key.
4. When configuring high availability between U-Series Appliances, copy the key to the High Availability page for the partner U-Series Appliance.
Turn SSL Authentication Off or On
1. From the Maintenance menu, select Security Settings.
2. Under Event Service SSL Requirement, click the toggle to Event Service SSL/Certificate Required (No) to ignore SSL certificate authentication.
3. Click Submit.
IMPORTANT!
We do not recommend disabling SSL certificate authentication. SSL authentication should be disabled only in certain rare circumstances, such as during testing.
Analytics & Reporting Endpoints
If the BeyondInsight Analytics & Reporting web site is unreachable, you can refresh the settings to establish the connection.
1. From the Maintenance menu, select Security Settings.
2. Click Refresh.
Generate and Export Certificates
1. From the Maintenance menu, select Security Settings.
2. To regenerate the SSL certificate to match the U-Series Appliance network name, click Generate Certificate.
Note: This certificate will not be trusted by the client browser.
3. To export the client certificate, enter the password for the certificate and then click Export Certificate.
Set a Security Protocol
1. From the Maintenance menu, select Security Settings.
2. Select the security protocol that applies to your environment.
3. Click Update Security Protocols.
Note: To use TLS 1.2 on a U-Series Appliance running Windows Server 2008 R2 and SQL Server 2014, ensure the following patches have been applied to your U-Series Appliance.
• KB2979597: https://support.microsoft.com/en-us/kb/2979597
• KB3144517: https://support.microsoft.com/en-us/kb/3144517
Turn On HSTS
You can apply extra security to the U-Series Appliance web site by using HTTP strict transport security (HSTS) technology.
1. From the Maintenance menu, select Security Settings.
2. Toggle the switch to on.
3. Click Update HSTS Setting.
Accounts and Licensing Settings in the U-Series Appliance
Update Product Serial Numbers
You can review your licensed BeyondTrust components. If some components do not appear as licensed, you might need to refresh the BeyondTrust database cache to ensure the most recent license is applied. To update the U-Series Appliance serial number:
1. From the Maintenance menu, select Accounts and Licensing.
2. You must supply the serial numbers and validate the license key. You can either do so automatically using your Internet connection, or you can enter this information manually.
   • Using Online Appliance: Enter the serial numbers, then click Update Keys.
   • Using Client Browser: Manually enter the serial numbers provided when you purchased the product. Select Retrieve Offline Validation Keys. Manually enter the license key once you receive it.
   • Using Email Validation: Enter the serial numbers, then click Retrieve Offline Validation Keys. An email is sent to request and validate the keys.
   • Manually: Manually enter the serial numbers. Select Retrieve Offline Validation Keys. Enter the validation keys when received, and then click Update Offline Serials.
3. Click Update Keys.
For more information, please see "Clear the BeyondInsight License Cache".
Key Management Service Support
After installation and configuration, if your server does not automatically discover the Key Management Service (KMS) server, you may receive a Windows activation failed message. Specify the KMS key and IP address again. You can replace our key with a known Volume License Key and then call into your KMS server to count against your total (number of licenses). To activate your volume license key:
1. From the Maintenance menu, select Accounts and Licensing.
2. Under Microsoft Key Management Server Configuration, enter your volume license key and the address of the server to validate and track the license.
3. Click Activate Volume License Key.
For more information, please see Why did Windows activation fail on my EC2 Windows instance? at https://aws.amazon.com/premiumsupport/knowledge-center/windows-activation-fails/.
Purge U-Series Appliance Data
IMPORTANT!
Be careful! Purging the U-Series Appliance data erases the database, user configuration data, and events from the U-Series Appliance.
1. From the Maintenance menu, select Accounts and Licensing.
2. Under Purge All Configuration Data and Events, click Wipe Appliance. The data is purged from the U-Series Appliance.
Change Administrator Password
IMPORTANT!
While it is possible here to change administrator usernames, we recommend contacting Support and discussing the implications of this action on your systems, before making any changes. The username change may affect various areas of your deployment, and require restarting services or appliances.
You can reset the U-Series Appliance administrator password, BeyondInsight administrator password, and BT Updater password. Make sure you review the password complexity requirements.
1. From the Maintenance menu, select Accounts and Licensing.
2. Check the box for the password that you want to change.
3. Change the password.
4. Click Update Credentials.
Note: If changing the administrator username or password, you must log back into the Maintenance page.
Use Two-Factor Authentication
Using a RADIUS server, you can require users to log in to the U-Series Appliance using a configured two-factor authentication method. You must configure the RADIUS server settings in BeyondInsight.
1. From the Maintenance menu, select Accounts and Licensing.
2. Under Configure RADIUS Authentication, click the RADIUS Authentication Enabled toggle to on.
3. From the RADIUS Settings Alias dropdown, select an available RADIUS server. This uses the settings configured in BeyondInsight to populate the hostname, port, request timeout, authentication mechanism, and initial action.
4. Enter the username. This is the user account that is used to log in to the RADIUS server.
Note: The RADIUS user account password must match the U-Series Appliance administrator password.
5. Click Update Settings.
Network and RDP Settings in the U-Series Appliance
Configure RDP
In your U-Series Appliance, RDP access is off by default. RDP access is not required for daily use, regardless of licensing or roles. BeyondTrust Technical Support can turn on RDP access for troubleshooting. RDP and two-factor activities are tracked with audit log entries in the Security event logs.
1. From the Maintenance menu, select Network and RDP Settings.
2. Toggle the Enable Remote Desktop switch to on.
3. Toggle the 2-Factor required switch to enable the settings for two-factor authentication when using remote desktop.
Note: If you need to disable two-factor authentication, you must first contact BeyondTrust Technical Support and request them to generate a time-limited password for you. You must enter this password before the toggle will switch off.
4. Click Save RDP Settings.
Set an IP Address for the U-Series Appliance
You can obtain an IP address automatically using DHCP, or you can manually configure the IPv4 address.
1. From the Maintenance menu, select Network and RDP Settings.
2. Select a network card from the list.
3. Toggle on the switch to Obtain IP address automatically, or toggle it off to set the IP address information manually.
4. If setting the IP manually, enter the IP address, subnet mask, gateway, and DNS information.
5. Click Update IP Settings.
Enter SMTP Server Settings
1. From the Maintenance menu, select Network and RDP Settings.
2. Enter the following SMTP settings:
   • Enable SSL: Select to enforce encryption policies on the SMTP connection.
   • Address: The IP address of the server.
   • Port: The port number of the server.
   • User: The username used to access the server.
   • Password: The server password.
3. Click Update SMTP Settings.
Configure Proxy Settings
You can configure a proxy server if one is required for internet access.
1. From the Maintenance menu, select Network and RDP Settings.
2. Toggle the Use proxy server for external communication switch to on.
3. Enter the IP address and port for the server.
4. If the proxy server requires authentication, enter the credentials.
5. Click Update Proxy Settings.
Manage BITS Throttle
1. From the Maintenance menu, select Network and RDP Settings.
2. Drag the slider to the appropriate level of throttling.
3. Click Update BITS Throttling Setting.
Appliance Health in the U-Series Appliance
On the Diagnostics pages, you can keep track of U-Series Appliance services, hardware faults, and performance metrics.
Monitor the Health Dashboard
View dynamic, real-time U-Series Appliance metrics, including:
• CPU usage
• SQL Server CPU usage
• SQL Server memory
• Used disk space on the C: drive
• Services running and stopped
• Analyzer reporting
Note: View health metrics on BeyondTrust components and services running in your environment.
Note: If you use your own SQL Server deployment rather than the SQL Server version that ships with the U-Series Appliance, then the SQL Server metrics are not displayed on the health dashboard.
Monitor Services and Hardware
The U-Series Appliance periodically checks the running state of the services to make sure that they are in the expected state, considering the current roles that are set. Additionally, alerts can be triggered when the service control manager raises errors, such as when a service fails to start or terminates unexpectedly. The U-Series Appliance also monitors the hardware. Alerts can be triggered when an error is raised by Dell OpenManage monitoring software.
1. From the Diagnostics menu, select Appliance Health.
2. Turn on the alerts, then click Apply Updated Settings.
Check Services
You can manage U-Series Appliance services. From the Diagnostics menu, select Appliance Health.
Restart the service.
Start the service.
Stop the service.
Configure Counters for Performance Metrics
You can configure the threshold values for performance metrics. When the threshold is exceeded, email alerts can be sent to the email account configured on the notifications page. For example, you might not want CPU usage over 50% for too long. In this case, you might set the thresholds to:
- Low: 50
- Medium: 65
- High: 70
- Threshold Duration: 10 minutes
If the running average reads at 52%, then a low level alert is sent. After a counter alerts at a certain level, it does not generate further alerts for that level (or below) until it is reset. An alert is considered in a reset state when the average is below the reset threshold for the specified time span. If a metric in an alerted state goes below the configured reset threshold for the specified time, the alert is cleared, and a reset alert is generated. At this point, the performance counter can alert again if it exceeds the threshold.
1. From the Diagnostics menu, select Performance Counters.
2. Select notification settings:
   - Generate Alerts for Monitored Performance Data: Turns on email notification for alerts.
   - Generate Daily Summaries of Performance Data: Collects performance metrics every two hours and emails them on a daily basis.
3. By default, four base counters are listed: SQL Server Memory Percentage, CPU Overall Usage, SQL Server CPU Usage, and Disk Usage. You may select additional counters from the list, and then click Add to List.
4. Adjust the performance and reset thresholds.
5. Click Apply Updated Settings.
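The alert and reset behavior described above, modeled as an added example (not BeyondTrust code) so you can see which readings produce an email before choosing thresholds. The reset threshold of 45, the three-reading reset window, and the sample readings are assumptions; the guide supplies only the Low, Medium, and High values.

```python
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")


@dataclass
class CounterMonitor:
    """Model of one performance counter's alert state (illustrative only)."""
    thresholds: dict          # e.g. {"Low": 50, "Medium": 65, "High": 70}
    reset_threshold: float    # assumed value; not given in the guide
    reset_samples: int        # consecutive readings below reset_threshold
    alerted: int = -1         # index of highest level alerted, -1 = none
    below: int = 0            # consecutive readings below reset_threshold

    def feed(self, average):
        """Process one running-average reading; return an event or None."""
        # Highest level whose threshold this reading exceeds.
        level = -1
        for i, name in enumerate(LEVELS):
            if average > self.thresholds[name]:
                level = i
        # Only a level above the one already alerted generates a new alert;
        # the same level or a lower one stays silent until a reset.
        if level > self.alerted:
            self.alerted = level
            self.below = 0
            return LEVELS[level] + " alert"
        # While alerted, count consecutive readings under the reset threshold.
        if self.alerted >= 0 and average < self.reset_threshold:
            self.below += 1
            if self.below >= self.reset_samples:
                self.alerted = -1
                self.below = 0
                return "Reset alert"
        else:
            # Any reading at or above the reset threshold restarts the count.
            self.below = 0
        return None


def run(samples, monitor):
    """Feed readings in order; return [(index, event)] for readings that alert."""
    events = []
    for i, value in enumerate(samples):
        event = monitor.feed(value)
        if event:
            events.append((i, event))
    return events


# Constructed CPU running-average readings (percent), one per interval.
SAMPLE_READINGS = [40, 52, 55, 66, 60, 72, 68, 52, 44, 43, 47, 44, 43, 42, 58]


def demo():
    monitor = CounterMonitor(
        thresholds={"Low": 50, "Medium": 65, "High": 70},  # values from the guide
        reset_threshold=45,   # assumption
        reset_samples=3,      # assumption
    )
    return run(SAMPLE_READINGS, monitor)


if __name__ == "__main__":
    for index, event in demo():
        print(index, SAMPLE_READINGS[index], event)
```

Note that the reading of 47 restarts the reset count, so the counter stays in the alerted state and sends nothing until three further readings fall below 45.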
Configure Notifications
You can set notifications for the following types of events:
- Health monitoring: includes performance thresholds, service alerts, hardware alerts, and daily performance summaries.
- High availability monitoring: includes failover alerts, connection alerts, no partner alerts, and off state alerts.
- High availability mirror change: includes suspend and resume activities on SQL mirroring.
- Backup monitoring: includes backup success and failure alerts and restore success alerts.
To configure email notifications:
1. From the Diagnostics menu, select Notifications.
2. Click the Configure Notifications icon.
3. Check the box to turn on email notification.
4. For each event type, click Email These Users, and select the users who you want to receive notifications.
5. Click Apply Updated Settings.
Send Alerts to BeyondInsight
Note: BeyondInsight 6.0 or higher is required to use this feature.
You can send alerts from the U-Series Appliance to your BeyondInsight management console for further analysis.
1. From the Diagnostics menu, select Notifications.
2. Click the Configure Notifications icon.
3. Under Forwarding Health Events to BeyondInsight, select:
   - None: The default value. No events are forwarded.
   - Local: Forwards events to the local installation of BeyondInsight.
   - Remote: Forwards events to a remote BeyondInsight server, specified by IP address or DNS name.
4. You must export a certificate from the remote BeyondInsight server and import the certificate to the local U-Series Appliance. Select a certificate from the list, and then click Apply Updated Settings.
   - If the remote server is another U-Series Appliance, log in to that U-Series Appliance's web site.
   - From the Maintenance menu, select Security Settings.
   - Enter a password and click Export and Download Certificate.
   - Import the certificate on the local U-Series Appliance.
   - On the Health tab, select the certificate from the list.
   If the remote server is a software install of BeyondInsight, use the BeyondInsight Configuration Tool to create and export the certificate.
5. Click Apply Updated Settings.
You must also create a connector from the BeyondInsight management console.
1. Log in to BeyondInsight.
2. Select Configuration from the menu, and then select Connectors.
3. Click + and select Syslog Event Forwarding.
4. Enter the details for the U-Series Appliance, including IP address, protocol, and facility.
5. Check the Appliance Health box.
6. By default, all severity levels are included. You may select an alternate level if needed.
For more information on importing a certificate to the U-Series Appliance, please see "Upload SSL Certificate" on page 27.
View Notifications
To view notifications, locate the icon in the top right corner of the Diagnostics page.
After notifications are received, a green number indicates the number of notifications. Click the icon to view more information about the notifications. The bar next to the notification indicates severity.
Color Legend: Info, Low, Medium, High
Diagnose Network Connectivity Issues
You can view network configuration information and use ping to assist with diagnosing network connectivity issues.
1. From the Diagnostics menu, select Tools.
2. In the Network Configuration section, click Refresh to view the results from IPConfig /all.
3. To ping a server, enter the fully qualified domain name, hostname, or IP address in the Ping section, and then press Enter.
Export Log Files
You can generate a set of log files and save them to an external location. The logs can then be imported to a third-party tool for analysis.
Note: The file cannot be saved on the U-Series Appliance.
1. From the Diagnostics menu, select Appliance Logs.
2. In the Log File Export section, click the button to turn on log file export.
3. Enter a path where you want to save the logs and the credentials required to access the share, following this format: \\10.10.10.10\[network share]
4. Provide the username for the share in the following format:
   - For a domain user account with access to the remote share, use domain\User.
   - For a local account on the remote share, use hostname\user.
5. Click the test button to ensure the share can be accessed using the credentials provided.
6. Optionally, click Network path is an NFS Network Resource. Credentials are not required.
7. Set the scheduling information:
   - Designated Interval: Enter the frequency, in minutes. The default is 20 minutes. The lowest interval you can enter is 10 minutes.
   - Once a day: Select the day of the week, and select a time to export the logs.
8. Click Set Log Export Settings.
Note: At any time after the settings are initially configured, you can click Export Log Now to save the log file to the share.
9. At the specified times, the log files are generated and saved to the designated location.
Configure U-Series Appliance Roles
Select U-Series Appliance roles if you are deploying more than one U-Series Appliance to scale BeyondInsight in larger networks. Roles must be selected for at least one of the U-Series Appliances.
Note: When you select roles, any dependencies or conflicts that exist between roles are displayed. The Apply Roles button is available only after dependencies and conflicts are resolved.
Role Descriptions
Vulnerability Scanner Role
Turn on the Vulnerability Scanner role to activate the Discovery Scanner agent.
Event Collector Role
On the Event Collector page, select the BeyondTrust service that will be responsible for sending events between components. You can use BeyondInsight AppBus Service or Event Server. Event Server is preferred for enterprises and can manage a greater load of data than AppBus. The default port for Event Server is 21690. After selecting which service to use, click Apply Changes.
SQL Server Database Role
This role provides access to the SQL Server database. Check the box to allow database access from remote computers. If you are using your own SQL Server deployment, no action is required.
BeyondInsight Database Access Role
This role provides access to the BeyondInsight database. You can set either a local SQL Server database or configure settings for a remote database. When configuring a local database, select an authentication type. When you select SQL Server, Username is populated with the same user name used in the Configuration wizard during your initial U-Series Appliance setup. The account is created with least privilege.
The BeyondInsight configuration provides the same least privilege SQL Server account during the database configuration.
For more information about the permissions assigned to that account, please see section "Least Privilege Database User Account Setup" in the BeyondInsight Installation Guide at https://www.beyondtrust.com/docs/beyondinsight-passwordsafe/documents/bi/bi-install.pdf.
Patch Management Role
Turn on this role to activate the LanMan service on the U-Series Appliance to host third-party patches.
BeyondInsight Omniworker Service Role
The BeyondInsight Omniworker service manages task queues. Turn on this service when your environment uses more than one U-Series Appliance.
Password Safe Web Portal Role
Turn on this role to activate services needed to run the Password Safe web portal.
Note: This role is available only when a Password Safe license is applied.
High Availability Role
Turn on this role to activate services needed to run Password Safe in high-availability mode.
1. Log in to the U-Series Appliance web site on the primary server.
2. From the menu, select Roles Editor.
3. Click High Availability, then select a mirroring option:
   - HA will mirror both Server and Database
   - HA mirroring for services only
Note: To save resources, you can turn off services that are not required to run on any secondary U-Series Appliances. Check the Standalone Password Safe Worker Node box. Check the corresponding boxes to turn off services: Disable BeyondInsight UI or Disable Password Safe UI.
4. Click Apply Changes.
5. On the main Roles Editor page, click Apply Pending Changes.
6. Repeat these steps for the secondary server.
BeyondInsight for Unix & Linux Role
Activate the role to configure a database connection for BeyondInsight for Unix & Linux.
Note: The role is available only when BeyondInsight for Unix & Linux is installed and can be enabled with a local or remote database.
For a local database, enter a username and password for SQL Server. The account is created if it doesn't already exist. A SQL Server account is required for BeyondInsight for Unix & Linux to access the database.
To set up a remote database:
1. Add the server name where the database resides.
2. Optionally, enter the name of the SQL Server instance.
3. Enter a port number to communicate to the server.
4. Add the name of the BeyondInsight for Unix & Linux database, and the username and password. The remote database must already exist on the remote host.
5. Click Test Remote Connection Settings to verify the connection to the remote database.
Once the role is enabled, you must configure BeyondInsight for Unix & Linux. The BeyondInsight database is added to backup and restore functions and is included with high availability database synchronization.
Analysis Services Role
Turn on this role to enable the SQL Server Analysis service. You can click the link to run BeyondInsight Analytics & Reporting.
Note: This role is available only if you use BeyondInsight Analytics & Reporting.
Reporting Services Role
If you use BeyondInsight Analytics & Reporting to render reports, the service must run locally. Turn on this role to run the service locally when using a remote database.
Auto-Update Role
To automatically download product updates when available, turn on this role.
1. On the U-Series Appliance web site, select Roles Editor from the menu.
2. Click Auto Update.
3. You can configure one server for all updates or configure servers based on functional area. If you have configured different update servers, click Load Default Settings to reset the default BeyondTrust server.
4. Click Apply Changes.
5. On the main Roles Editor page, click Apply Pending Changes.
Enterprise Update Server Role
Turn on this role to use the enterprise update server to update your U-Series Appliances.
BeyondTrust Updater Role
Turn on this role to use the Azure web-based update tool.
BeyondTrust PowerBroker End Point Protection Role
If turned on, you can disable the U-Series Appliance protection policy which is applied. We recommend you leave this role on, disabling it only for troubleshooting reasons when working with BeyondTrust Technical Support.
Cold Spare Role
Turn on this role to configure options to set the automatic restore schedule and temporary machine name. When this role is enabled, the name of the U-Series Appliance is changed so that there is no conflict on the network with the main U-Series Appliance. When the cold spare U-Series Appliance is required, the role is disabled, the machine name is automatically reverted, and services are started.
Configure Password Safe on the U-Series Appliance
To set up Password Safe on the U-Series Appliance, you must turn on the Password Safe role.
Note: If you use Password Safe, all credentials are stored in the database using an AES-256 block cipher by RijndaelManaged.
For more information, please see "Password Safe Web Portal Role" on page 24.
Upload SSL Certificate
1. From the Maintenance menu, select Security Settings.
2. Under Upload Certificate, drag the certificate file into the drop area or click the button to browse.
3. Enter the password.
4. To update the bindings in IIS, click the Bind to HTTPS on update toggle to the on setting.
5. To enable this certificate for multiple U-Series Appliances, toggle the Use for High Availability switch to the on setting.
6. Click Upload Certificate.
To generate an SSL certificate to match the U-Series Appliance name:
1. From the Maintenance menu, select Security Settings.
2. To regenerate the SSL certificate to match the U-Series Appliance network name, click Generate Certificate.
Note: This certificate will not be trusted by the client browser.
3. To export the client certificate, enter the password for the certificate and then click Export Certificate.
Archive Password Safe Session Monitoring Events
To make more disk space available on the U-Series Appliance, you can transfer session monitoring files from the U-Series Appliance to another server for storage. You can view these archived files in Password Safe. There are three types of remote hosts that can be used to store session archive files:
- Remote Network share. We recommend that you use a secure network share which requires authentication.
- Network File System (NFS) share.
- Run the Configure Repository Installer on a remote server which creates an IIS site and enables Background Intelligent Transfer Service (BITS). This uses BITS to transfer files.
Session monitoring files are archived in one of two ways:
- Automatically by the U-Series Appliance. Automatic archives occur in the following cases:
  - When the file reaches the configured age.
  - When free space on the U-Series Appliance hard drive is below the configured threshold.
- Manually through Password Safe.
Archive files are never deleted.
For more information, please see the following:
- Password Safe Administration Guide at https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/admin/index.htm
- "Set Up the Repository Host" on page 28
Set Up the Repository Host
Repository Host Requirements
- Windows 2008 or later.
- Port 443 open.
- IIS 7.5 or later.
- ASP.NET 4.5
- Setup Session Monitoring Repository tool, located at C:\Appliance\Tools\ConfigureRepository.exe.
Note: In Server Manager, install and enable BITS. Activating BITS ensures prerequisites are installed regardless of OS or IIS version installed.
Note: If you are using IIS 7.5 and the ASP.NET 4.5 role did not install automatically:
1. Install the ASP.NET role.
2. Run the command C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i.
3. Log in to Server Manager and select the IIS instance.
4. Double-click ISAPI and CGI Restrictions.
5. Ensure that ASP.NET 4.0 is set to Allowed.
Run the Repository Configuration Tool
The repository configuration tool creates a certificate on the host computer.
1. Run the repository configuration tool.
2. Click the Create Certificate button.
3. Enter a password for the exported certificate.
4. Click Export Certificate and choose a location for the file with the exported certificate.
5. Copy the exported certificate to a location that can be accessed by the U-Series Appliance. You must import the certificate using the Diagnostics web site.
Set Up the U-Series Appliance
If using the installed repository, you must register the certificate on the U-Series Appliance. Optionally, you can change the archive settings, such as the number of days that should pass before the files are archived.
1. From the Maintenance menu, select Security Settings.
2. Upload the certificate that you created on the host, and then click Upload Certificate.
3. Select Roles Editor from the menu.
4. Click Password Safe Web Portal.
5. Check the Enable Session Monitoring Archiving box.
6. Select the way to store the archive files:
   - BITS: Enter the name of the repository computer and the name of the certificate. These are the same name.
   - Windows File Sharing: Enter the name of the share and credentials to access the share. Windows file sharing is the preferred method.
7. Optionally, change the archive settings:
   - Maximum Age (in Days): Enter the number of days that pass before the files are archived. The default value is 90 days.
   - Archive when available storage becomes less than: This value applies to the storage available on the U-Series Appliance. Enter the amount of storage remaining on the U-Series Appliance before the file transfer occurs. The transfer of files will free up the disk space when the value is reached.
   - Max File Transfer Time: This value is the maximum time to wait for a file transfer to occur before the transfer times out.
8. Click Test Session Monitoring Settings to ensure the repository computer is set up correctly and can communicate with the U-Series Appliance computer.
9. Click Apply Changes to save the settings.
Use High Availability with U-Series Appliances
High availability (HA) is designed to work in an active / passive configuration. At any time, one of your two servers has the role of the active node, while the other is the passive node. When the passive server detects that the active server has failed, then the passive is promoted to active, and the active is demoted.
Turn on High Availability Pairing
Note: Before setting up high availability, you must turn on the High Availability role in the Roles Editor for both the active and passive U-Series Appliances.
For more information, please see "High Availability Role" on page 24.
1. Log in to the U-Series Appliance web site on the primary server.
2. From the menu, select Roles Editor.
3. Click High Availability, then select a mirroring option:
   - HA will mirror both Server and Database
   - HA mirroring for services only
Note: To save resources, you can turn off services that are not required to run on any secondary U-Series Appliances. Check the Standalone Password Safe Worker Node box. Check the corresponding boxes to turn off services: Disable BeyondInsight UI or Disable Password Safe UI.
4. Click Apply Changes.
5. On the main Roles Editor page, click Apply Pending Changes.
6. Repeat these steps for the secondary server.
Configure High Availability
1. Log in to the U-Series Appliance, and then select High Availability. For a first-time configuration, the Initial Setup page displays. Certificates must be set up between the U-Series Appliances for secure communication.
2. Click Go to the API Key Maintenance Page.
3. Copy the API registration keys between the partner U-Series Appliances. Registering the API key with the partner U-Series Appliance permits secure communication between the U-Series Appliances.
4. Enter the host name of the passive U-Series Appliance, then click Apply.
5. A message displays that the exchange is in progress. If an error occurs during the certificate exchange, a Show/Hide Results button displays. Exchanging certificates can take up to approximately five minutes. After the certificates are exchanged with no errors, the configuration settings display.
6. Toggle the High Availability switch on to turn on the feature.
7. Enter the mirroring port number. The default port is 5022.
8. Click Set High Availability.
9. For Partner Contact Timeout, enter the number of minutes that pass with no contact between the active server and passive server. When the active server receives no response from the passive server, then the active continues to start. If the passive server has no contact with the active, the passive server starts up as the active one.
10. For Partner Failover Timeout, enter the number of minutes that pass with no ping received from the primary server. After this time, the passive server switches to the active one.
11. For Reboot Blackout Window, enter the number of minutes that should pass before the passive server takes control. On graceful shutdown, the passive server switches to the active one after no response for this length of time.
This is useful when you want to shut down the active U-Series Appliance but do not want the passive U-Series Appliance to take control. For example, you might want to move the active U-Series Appliance and know this will take about thirty minutes. To be sure the passive U-Series Appliance does not take control while the active U-Series Appliance is offline, set this value to sixty minutes.
Note: You must shut down the primary U-Series Appliance from the Maintenance > Schedule a Reboot page.
12. We recommend that you enable Attempt Auto-Resync only for testing scenarios.
13. Synchronize Session Archiving Files synchronizes local session recording files from Password Safe with the partner U-Series Appliance. This allows you to replay the session recordings from within Password Safe if a failover occurs and the passive U-Series Appliance is made active.
14. You can select Send Alerts on Failover to send either an email or events to BeyondInsight.
15. If you select Medium Failover Mode, then when communication between the pairs is lost, the passive U-Series Appliance is in a failover-pending state only. Action is required on your part to start a failover process.
16. In Background Settings Update Rate, enter the number of minutes that pass before a file synchronization occurs. Files copied to the passive server are configuration files, certificates, and registry files.
17. Set the Failed Notification Rate to provide notification after your active U-Series Appliance has failed over. If you are using medium failover mode, the email indicates that action is required on your part. The default value is fifteen minutes.
18. You can click Queue File Synchronization to start a file synchronization.
19. Click Update Settings.
For more information, please see the following:
- "Test High-Availability Failover" on page 34
- "Configure Notifications" on page 18
- "Use Medium Failover Mode" on page 34
Use a Load Balancer in an Active / Passive Configuration
When setting up an active / passive pair, you might want to configure a load balancer that acts as a DNS redirector. Configure the load balancer between two U-Series Appliances so that it can determine which U-Series Appliance is active and which is passive. The load balancer then sends the traffic to the active U-Series Appliance. You can use the following endpoint API to configure the load balancer. Refer to your load balancer documentation to ensure that it is configured to use the endpoints.
GET https://<ApplianceAddress>/UVMInterface/api/HighAvailability
The code above returns an object with one member:
{ string Role; }
You can set the formatting of the requested return value in the Content-Type request header.
Example: To return a value in JSON format, you can specify:
Content-Type: application/json;charset=UTF-8
The available values for Role are:
- Off: High Availability is not turned on.
- Active: The U-Series Appliance is in active mode.
- Passive: The U-Series Appliance is in passive mode.
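A health-check sketch for the endpoint above, added here as an example and not taken from BeyondTrust or any load balancer vendor. It assumes the JSON body looks like {"Role": "Active"} (the guide names the member but shows no sample); the host names and sample bodies are constructed.

```python
import http.client
import json
import ssl
import urllib.request

# Endpoint path and Role values are taken from the guide.
HA_PATH = "/UVMInterface/api/HighAvailability"
VALID_ROLES = {"Off", "Active", "Passive"}


def parse_role(body):
    """Return the Role from a response body, or None if it is not usable.

    Assumption: the body is a JSON object with one string member "Role".
    Anything else (an error page, an unknown value) is treated as no answer.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    role = doc.get("Role") if isinstance(doc, dict) else None
    return role if role in VALID_ROLES else None


def fetch_role(address, cafile=None, timeout=5):
    """Query one appliance; a network, TLS or HTTP error counts as no answer."""
    # Keep certificate verification on. A certificate generated on the
    # appliance is not trusted by default, so pass the exported certificate
    # (or its issuing CA) as cafile rather than disabling verification.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        "https://" + address + HA_PATH,
        headers={"Content-Type": "application/json;charset=UTF-8"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_role(resp.read().decode("utf-8", errors="replace"))
    except (OSError, ValueError, http.client.HTTPException):
        return None


def select_target(roles):
    """Decide where traffic goes. roles maps address -> Role or None.

    Returns (target, reason); target is None when routing is not safe.
    Only a node reporting Active is eligible. Passive, Off and unreachable
    nodes never receive traffic.
    """
    active = sorted(addr for addr, role in roles.items() if role == "Active")
    if len(active) == 1:
        return active[0], "single active node"
    if len(active) > 1:
        # Both partners claim Active: do not guess, raise it to an operator.
        return None, "conflict: more than one node reports Active"
    return None, "no node reports Active"


# Constructed sample responses, so the example runs without an appliance.
SAMPLE_BODIES = {
    "ua-a.example.test": '{"Role":"Active"}',
    "ua-b.example.test": '{"Role":"Passive"}',
}

if __name__ == "__main__":
    sample_roles = {addr: parse_role(body) for addr, body in SAMPLE_BODIES.items()}
    print(sample_roles)
    print(select_target(sample_roles))
    # Against real appliances, replace the sample with:
    #   roles = {addr: fetch_role(addr, cafile="appliance-ca.pem") for addr in ...}
```

The "conflict" result matters during failover testing: if both partners briefly report Active, the check withholds traffic instead of picking one arbitrarily.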
Test High-Availability Failover
Note: You can use Attempt Auto-Resync as a quick way to restore high availability in a scenario where databases on the active and passive servers are synchronized. We do not recommend a production failover scenario. Data loss can occur if databases are not synchronized.
1. Select Attempt Auto Resync of database when connecting after failover.
2. Unplug or power off the active server.
3. Wait for failover. Ensure that the passive is now the active.
4. Restore the active server (turn on or plug in).
5. The auto re-sync restores the high-availability configuration.
6. The passive server is now acting as the active server. Click Switch Roles to restore the server partners to their original roles.
Use Medium Failover Mode
Use medium failover mode when you do not want the services on the passive U-Series Appliance to start automatically when the communication between pairs is lost. The passive U-Series Appliance waits in a pending state until you manually start the failover process. When the active U-Series Appliance fails, you must log in to the U-Series Appliance software to start the failover process to the passive U-Series Appliance.
1. Log in to the U-Series Appliance, and then select High Availability.
2. In the High Availability Maintenance section, click Failover to this U-Series Appliance to start the services and database.
Note: This button is active only when the primary U-Series Appliance is down.
Resume and Suspend SQL Mirroring
You might want to pause mirroring if you want to take care of maintenance tasks on the database server. A failover cannot occur when the database is in a suspended state.
1. Log in to the U-Series Appliance, and then select High Availability.
2. Click Suspend to pause mirroring.
3. Click Resume to start mirroring again.
Note: If the U-Series Appliance is in a failover state and mirroring is suspended, you can click Resume to start mirroring.
Discard High-Availability Configuration Settings
To reset the U-Series Appliances to the initial setup state, you can remove all high-availability configuration settings established between U-Series Appliances. You might want to do this if you want to set up new high-availability pairs.
1. Log in to the U-Series Appliance, and then select High Availability.
2. Click Abandon Configuration.
Recognize a Failover
Review the following to help you determine if a failover has occurred.
- If you are using a U-Series Appliance version 1.5.4 or later, an email is sent to the address set in the Configuration Wizard. If you are using a U-Series Appliance version earlier than 1.5.4, you can contact BeyondTrust Technical Support to activate the email feature.
- If you are not using a load balancer, you might notice that BeyondInsight is no longer responsive on the active server.
- On the Diagnostics web site (for the primary), only two tabs are displayed. This indicates that the server is in passive mode.
- Confirm that the passive server is in active mode.
Prepare for Disaster Recovery
If you are using high availability as a disaster recovery solution, review the following points as a guide to restoring roles.
- Determine if the active server has failed. Confirm the role of the live server (the primary).
- If a failure has occurred on the primary, investigate and resolve issues on the primary.
- After a failover to the disaster recovery server (the secondary), you can restore roles on the active server's web site.
Verify Connectivity between Servers
On the High Availability Configuration page, verify that the communication between U-Series Appliances is active. The Last Heartbeat indicates the last ping to the passive server and the return response to the active server.
Check the Database Status after a Failover
IMPORTANT!
In all scenarios, we strongly recommend investigating the cause of the failure. We do not recommend resuming database mirroring until issues are resolved.
The following database status indicators might display after a failover:
- DISCONNECTED: Failover was catastrophic, and the server is completely unavailable or unreachable. Turn off high availability and investigate the issues with the failed server. After the failed server is cleared for use, turn on high availability and synchronize the databases.
- EXPOSED: The other server is still available and possibly still healthy, but the failover was serious or lengthy enough to disable high availability. After the failed server is cleared for use, turn on high availability and synchronize the databases.
- SUSPENDED: The interruption was of a minor or transient nature. While it may be possible to restore connectivity without disabling high availability, we recommend that you turn off high availability and investigate the issues with the server. After the failed server is cleared for use, turn on high availability and synchronize the databases. Optionally, contact BeyondTrust Technical Support to see if mirroring can be restored.
Restore Roles After a Failover
After a failure has been identified and resolved on a U-Series Appliance, you can restore the roles to the initial state. Log in to the U-Series Appliance, and then select High Availability. Then click Switch Roles.
Review Database Metrics
On the High Availability Settings page, review information about earlier database synchronizations and the size of the current database.
You can then determine from these values how long a synchronization between servers might take.
Check the status of the BeyondInsight mirror state on the High Availability tab to ensure that synchronizations are occurring between the active and passive servers.
Database Mirror States
State | Description
EXPOSED | Databases are not mirrored.
SYNC PENDING: INITIAL DB SYNC STARTED | The process of backing up and transferring the database to the passive server has begun.
SYNC PENDING: SET MIRROR CALLED | The database has been transferred and restored to the passive server. Mirroring is being turned on.
SYNCHRONIZING | The server is actively transmitting transaction logs to the other database to apply changes.
EXPOSED: MAX SYNC ATTEMPTS REACHED | Five consecutive attempts were made and failed to establish mirroring. Mirroring was not established and is no longer trying. To troubleshoot, check for connectivity issues and ensure the database mirror port is set to 5022.
SYNCHRONIZED | Databases are actively mirrored. High availability is considered to be working.
Configure a Remote Database for the U-Series Appliance
Use the Database Utilities tool to connect to a remote SQL Server and create a BeyondInsight database.
Note: The tool is not available on SQL Free or UVMSQL Appliances.
1. From the Maintenance menu, select Database Utilities.
2. Enter the IP address and database name.
3. Enter a SQL Server username and password. The credential needs sufficient access to create a database.
4. The default database connection timeout is 360 seconds. Enter another timeout value, if required.
5. The Remote MultiSubnet Enabled setting is turned on by default. Click the button to turn the setting off.
6. To ensure a connection to the database server can be established, click Test Connection.
7. Click Create Database.
Configure Backup and Restore on the U-Series Appliance
Save the U-Series Appliance configuration in case of disaster recovery or if you need to revert settings to a previous configuration. You can back up the U-Series Appliance immediately or schedule a backup to occur at regular intervals. A backup contains full packages of all data for all roles set up on the U-Series Appliance. You can select the backup location or use the default. When configuring the backup location, you can set the number of backups that are saved. The default number is 5 (0 is unlimited). When the retention number is reached, then the oldest backups are deleted and removed from the database permanently. There is no time limit for how long backups are retained. Backups are only deleted when the retention limit is reached or when they are manually deleted.
Backup Location
By default, one backup location already exists for saving backups to a local path. You can add new backup locations, which can be either local paths or remote network shares.
1. From the Maintenance menu, select Backup and Restore.
2. Click New Backup Location.
3. Enter a name and the local or remote path. If the remote share requires credentials, enter them here. If the remote share is an NFS share, click that option.
Note: We do not recommend storing backup files on an unsecured network share.
4. Enter a value in the Retention box. Retention is the number of backups saved. When the limit is reached, then older backups are deleted and removed from the database permanently.
5. Click Create Backup Location. This process attempts to write and delete a file. If that fails, you cannot create the backup location. Upon failure, we recommend that you verify access permissions.
Import Backups
After a backup location is added, any backups in it that are applicable to the U-Series Appliance are automatically added to the list on the page. If a backup file is added to a folder after that folder has been created as an available backup location, click Import backups to force a rescan of the available folders.
Schedule a Backup
1. From the Maintenance menu, select Backup and Restore.
2. Click Backup Scheduler to turn on scheduling.
3. Select the backup location from the menu. If a new location is required, add it from the Backup Locations section.
4. Select the day of the week and the time to run the backup.
5. Create a password for the zip file.
6. Check the Include Session Files in the Backup box. This has the potential to create a large backup file, depending on the number of local session files and how often they might be archived.
7. Click Schedule Backup.
Back Up the U-Series Appliance Now
1. From the Maintenance menu, select Backup and Restore.
2. Select the backup location from the menu. If a new location is required, add it from the Backup Locations section.
3. Create a password for the zip file.
4. Check the Include Session Files in the Backup box. This has the potential to create a large backup file, depending on the number of local session files and how often they might be archived.
5. Click Create Backup.
Restore the U-Series Appliance
1. From the Maintenance menu, select Backup and Restore.
2. Search through the list of available backups and click Restore.
   - If the backup was taken on this U-Series Appliance, you are not prompted for a password.
   - If the backup was taken on a different U-Series Appliance, you are prompted for a password.
3. If the browser session remains open when a restore is complete, it returns a message displaying that the restore process is complete.
Download Backup
Note: Downloads greater than 4GB cannot be downloaded from a web browser. Copy downloads greater than 4GB to a network share, or use another way to download.
1. From the Maintenance menu, select Backup and Restore.
2. Search through the list of available backups and click the download icon.
Delete Backups
1. From the Maintenance menu, select Backup and Restore.
2. Search through the list of available backups and click the delete / trash bin icon. This removes the backup from the list displayed and also removes it from the current folder location.
IMPORTANT!
Warning: Once a backup is deleted, the deletion cannot be undone.
Contents of a Backup File
What is contained in a backup file:
BeyondInsight Analytics & Reporting
- ReportServer Database
- BeyondInsight Reporting Database
- ReportServerTempDB Database
- Cube database
- Encryption key

BeyondInsight
- BeyondInsight Database
- BeyondInsight Registry information
- Database Connection String
- Encryption Key
- System files

Event Collector
- Product registry settings

Enterprise Update Server (EUS)
- EUS Database
- EUS webconfig

U-Series Appliance
- Certificates (Client & Server)
- Roles settings
- U-Series Appliance Monitored data
- U-Series Appliance Notification data
- Performance Counters
- Log Export Database

BeyondInsight for Unix & Linux (BIUL)
- BIUL Database
- Product Configuration
- Log File
- Related product settings

BeyondTrust Auto Update
- Proxy details
- Registration details
- Parent update server endpoint

BeyondTrust Updater
- BeyondTrust Analyzer data
- Client database
- Health check report
- Licenses
- User database
- Product related registry settings

Network Vulnerability Scanner
- Product Registry settings
- Certificates
- Database audits
- Application settings

Session Archiving
- Session Monitoring files
Set Up a Cold Spare U-Series Appliance
You can set up a U-Series Appliance that can be used as the main U-Series Appliance if the first one needs to be taken offline.
Requirements
- The BeyondInsight version on the cold spare must be the same or later than the version on the source U-Series Appliance.
- It is recommended that both U-Series Appliances have the Auto Updates role turned on.
- The cold spare must receive updates so that it matches the source U-Series Appliance.
- For Analytics & Reporting, ensure SQL Server versions match on both U-Series Appliances.
- The source and spare U-Series Appliances must have the same name.
Note: If the SQL Server database is remote, the data will not be copied to the cold spare.
1. To set up the spare, select Roles Editor from the menu.
2. Click the Cold Spare role.
3. Turn on the role.
4. Click Locations +.
   - Enter the path for the shared location where you want the backup files to be saved. Optionally, select an existing share location.
   - If applicable, enter the credentials that can access the share.
   - Click Test the Remote Share Credentials to test the connection.
5. Select the day of the week and the time when you want the cold spare to retrieve the information from the backup file. When the cold spare starts, the data from the last backup file retrieved is used.
6. Create a restore password.
7. Provide a temporary machine name.
8. Click Apply Changes.
9. On the Roles Editor main page, click Apply Pending Changes.
10. Once the settings have been saved, a dialog box displays and prompts you to restart the U-Series Appliance.
Perform U-Series Appliance Recovery
Use the recovery procedure to rebuild your U-Series 20 or U-Series 50.
IMPORTANT!
All information saved or configured on the U-Series Appliance will be lost. There is no way to recover this data.
1. Start the process by retrieving the BitLocker keys. You can do this in either of two ways:
   - Open File Explorer and look for an external drive with a label of U-Series Appliance-BITLOCK. There is a text file on this drive for each drive letter on the U-Series Appliance (one drive on most images and four drives on older U-Series 50 models).
   - If the internal USB has been removed and cannot be located, type the following command into a command window to display and save the BitLocker passwords:

     manage-bde -protectors -get c:

     To pipe the output to a file, type:

     manage-bde -protectors -get c: > "bitlocker C.txt"
2. Restart the U-Series Appliance. At the BIOS screen, press F8 to access the Windows boot options.
Tip: Try pressing the F8 key every few seconds to make sure you do not miss the chance to access the boot options.
3. Press Enter to go to the BitLocker key prompt.
4. Enter the BitLocker password for the C: drive (matching the ID), and press Enter.
5. On the Advanced Boot Options screen, press Enter to choose Repair Your Computer.
6. Click Troubleshoot.
7. Click Reset Your PC.
8. Enter the drive password for the displayed ID and click Continue.
9. Click Next.
10. For the U-Series 50 only, select All drives.
11. Click Just remove my files.
12. Click Reset.
Note: After you click Reset, BitLocker drive encryption will be turned off. It will be enabled again later in the process.
13. The U-Series Appliance is imaged with the original manufacturing image.
14. Insert the USB which contains the BitLocker keys. The BitLocker keys will be regenerated and saved to the USB.
   - On the first reboot, scripts run that are required to set up the U-Series Appliance. This part of recovery is automatic and forces a system reboot when it is complete.
   - After the second reboot, a command window displays. BitLocker starts the drive encryption. Updates are displayed on the drive encryption progress.
15. After BitLocker is complete, run Update Appliance.bat on the desktop.
16. Click Next on the auto-update window.
17. All products will update to the most recent version on the public update server. When auto-update finishes, click Next. All updates are now complete.
18. Enter the license key for Windows and the license key for SQL Server.
19. For the final stage of preparation, run Prepare For Shipping.bat. All temporary and setup files are removed; Windows and SQL Server are licensed. You are now ready to configure your U-Series Appliance.
Optional U-Series Appliance Configuration
Perform Dell PowerEdge System Updates
Update the BIOS on a Dell PowerEdge Server
1. Start the process by retrieving the BitLocker keys. You can do this in either of two ways:
   - Open File Explorer and look for an external drive with a label of U-Series Appliance-BITLOCK. There is a text file on this drive for each drive letter on the U-Series Appliance (one drive on most images and four drives on older U-Series 50 models).
   - If the internal USB has been removed and cannot be located, type the following command into a command window to display and save the BitLocker passwords:

     manage-bde -protectors -get c:

     To pipe the output to a file, type:

     manage-bde -protectors -get c: > "bitlocker C.txt"
2. Get the service tag from the server in either of two ways:
   - Find the EST label on the front of the server and pull out the card.
   - When logged in to Windows, type racadm getsysinfo in a command line. The information returned contains the service tag number. This option is available only on newer iDRAC versions.
3. Open a browser and go to https://www.dell.com/support/.
4. Enter the service tag number.
5. Click Drivers & Downloads.
6. Change the Category to BIOS.
7. Download the BIOS package and copy it to the U-Series Appliance.
8. Double-click the downloaded .exe file and click Install.
9. Follow the instructions and reboot the U-Series Appliance when prompted.
10. If prompted, enter the BitLocker password on reboot.
Update the Chipset Drivers on a Dell PowerEdge Server
1. Get the service tag from the server in either of two ways:
   - Find the EST label on the front of the server and pull out the card.
   - When logged in to Windows, type racadm getsysinfo in a command line. The information returned contains the service tag number. This option is available only on newer iDRAC versions.
2. Open a browser and go to https://www.dell.com/support/.
3. Enter the service tag number.
4. Click Drivers & Downloads.
5. Change the Operating System to Windows 2012 R2, Windows 2008 R2, or Windows 2016 depending on the U-Series Appliance image.
6. Change the Category to Chipset.
7. Download the chipset drivers and copy them to the U-Series Appliance.
8. Run the downloaded installer and extract to a folder.
9. In Windows Device Manager, right-click any unidentified hardware devices and click Update Driver.
10. Select the browse location where the drivers were extracted earlier. The driver files are located in a subfolder here. Search for a folder with .inf files.
11. Click Next and allow the driver to update.
12. Continue as needed with any other unidentified devices.
Update the iDRAC Software on a Dell PowerEdge Server
1. Start the process by retrieving the BitLocker keys. You can do this in either of two ways:
   - Open File Explorer and look for an external drive with a label of U-Series Appliance-BITLOCK. There is a text file on this drive for each drive letter on the U-Series Appliance (one drive on most images and four drives on older U-Series 50 models).
   - If the internal USB has been removed and cannot be located, type the following command into a command window to display and save the BitLocker passwords:

     manage-bde -protectors -get c:

     To pipe the output to a file, type:

     manage-bde -protectors -get c: > "bitlocker C.txt"
2. Get the service tag from the server in either of two ways:
   - Find the EST label on the front of the server and pull out the card.
   - When logged in to Windows, type racadm getsysinfo in a command line. The information returned contains the service tag number. This option is available only on newer iDRAC versions.
3. Open a browser and go to https://www.dell.com/support/.
4. Enter the service tag number.
5. Click Drivers & Downloads.
6. Change the Category to iDRAC with Lifecycle controller.
7. Download the latest version available and copy it to the U-Series Appliance (not the iDRAC Controller Integration).
8. Run the downloaded file.
9. Follow the instructions and reboot the U-Series Appliance when prompted.
10. If prompted, enter the BitLocker password on reboot.
Configure iDRAC
You can use Integrated Dell Remote Access Controllers (iDRAC) to remotely manage your U-Series 20 or U-Series 50.
1. At startup, press F2 to enter the setup menu.
2. Select iDRAC Settings.
3. Select Network.
4. Set Enable NIC to Enabled.
5. Configure IP address settings as specified by your network administrator (DHCP or static). Setting the NIC selection to Dedicated allows the physical iDRAC port on the back to be used only for iDRAC communication. Setting it to another port will allow it to share the same physical connection.
6. Save your settings.
7. If you use DHCP IP configuration, watch for the iDRAC IP address to be displayed at startup and record this for future use.
8. Open a browser and enter the IP address associated with the iDRAC port. Use the default login credentials:
   - User: root
   - Password: calvin
For more information about configuring iDRAC, please refer to Dell product documentation.
iDRAC Commands
You can use the commands below to configure iDRAC settings from a Windows command prompt.
Setting | Command
Enable | racadm setniccfg -o
Set user account | racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 2 <password>
Set static IP | racadm setniccfg -s <IPv4Address> <netmask> <IPv4 gateway>
Set DHCP on | racadm setniccfg -d
Get info | racadm getniccfg
Configure NIC Teaming or Link Aggregation
Note: You must have the Broadcom management utility installed before continuing with these steps. On Microsoft Windows Server 2012 R2 U-Series Appliances, the Broadcom Advanced Control Suite 4 application is already installed. For Windows 2008 R2 U-Series Appliances, please contact BeyondTrust Technical Support to get the installer file. For Windows Server 2016, use the native Windows configurable options for NIC teaming, link aggregation, and VLAN configuration.
The U-Series Appliance has a Broadcom NetXtreme II four-port network interface card. Work with your network administrator before you configure NIC teaming or aggregation. Your administrator must provide IP address information for the environment where the U-Series Appliance is being deployed.
Configure VLAN
Tagged VLAN Configuration on a Physical U-Series 20 or U-Series 50
Broadcom BCM5709C NetXtreme II GigE
Note: You must have the Broadcom management utility installed before continuing with these steps. On Microsoft Windows Server 2012 R2 U-Series Appliances, the Broadcom Advanced Control Suite 4 application is already installed. For Windows 2008 R2 U-Series Appliances, please contact BeyondTrust Technical Support to get the installer file. For Windows Server 2016, use the native Windows configurable options for NIC teaming, link aggregation, and VLAN configuration.
1. Run Broadcom Advanced Control Suite 4 from the Start menu.
2. Filter by Team View from the top menu.
3. Under Unassigned Adapters, select the adapter being used. If connected, it will have a green check mark.
4. Right-click and select Create a VLAN, then click Next.
   a. Enter a Team Name (such as VLAN) and a VLAN Name (such as VLAN10), then click Next.
   b. Select Tagged, then click Next.
   c. Enter a VLAN Tag (such as 10), then click Next.
5. Click Finish.
6. Click Yes to acknowledge that there may be a temporary network interruption.
7. Right-click on the team that was created from the previous step and click Add VLAN.
   a. Enter a VLAN Name (such as VLAN20), then click Next.
   b. Select Tagged, then click Next.
   c. Enter a VLAN Tag (such as 20), then click Next.
8. Click Yes to add more VLANs and repeat, or click No if finished.
9. Click Finish.
10. Network configuration can be static or dynamic depending on your needs or on the environment. Both are configured just as a normal adapter is configured.
Virtual Guest Tagging (VGT) VLAN Configuration on a U-Series v20
Intel 82574L Gigabit Network Connection (Intel E1000)
1. You must install the required driver within a Windows 2012 R2 guest operating system.
   a. Download ProWinx64 from Intel at https://downloadcenter.intel.com/download/23073/Intel-Network-Adapter-Driver-for-Windows-Server-2012-R2, then extract the contents to a temporary folder.
   b. Right-click the network adapter and click Update Driver Software.
   c. Click Browse my computer for driver software.
   d. Click Let me pick from a list of device drivers on my computer.
   e. Click Have Disk.
   f. Click Browse, then browse to the temporary location where you extracted the driver files.
   g. Click Next to install the driver.
2. Repeat the above steps for each network adapter you have for the virtual machine.
3. After all the adapters are updated, run the ProWinx64.exe file, rather than extracting it. You should now be able to install the Advanced Network Services VLANs.
4. To configure VLAN tagging on a virtual machine:
   a. Open Device Manager.
   b. Right-click Network Adapter and select Properties. A VLANs tab is now available. This is not displayed before the ProWinx64.exe file is installed.
   c. Click New.
   d. Enter a VLAN ID (such as 10).
   e. Enter a VLAN Name (such as VLAN10).
   f. Click OK.
5. Repeat these steps for as many VLANs as are required.
6. There will now be a new network adapter displayed under Network Connections for each VLAN created.
7. Network configuration can be static or dynamic depending on your needs or on the environment. Both are configured just as a normal adapter is configured.
Upgrade the U-Series Appliance Software
There are two upgrade options available, depending on your environment:
• Active / passive upgrade
• Active / active upgrade
High Availability with Database and Services Synchronization - Active / Passive Upgrade
Keep the following in mind when running an upgrade:
• Do not turn high availability OFF while doing upgrades.
• Any time an installer or login page for the U-Series Appliance recommends a reboot after installation, reboot before continuing.
Package Dependencies
• U-Series Appliance software 3.2.6 and later require .NET Core 3.1.
• The .NET Core installer is included in both 2012 Supporting Software and 2016 Supporting Software version 210201.
• 2016 and 2012 Environment or Supporting Software packages often depend on a version of Security Update Package Installer (SUPI). It is best to upgrade SUPI to the latest version prior to upgrading the U-Series Appliance software.
• BeyondInsight 6.10.x can upgrade to the latest version. If the source is earlier than 6.10.x, contact BeyondTrust Technical Support.
Start the Upgrade
1. Log on to the active U-Series Appliance.
2. Go to the Backup page in the Maintenance application and run a backup. This backs up settings and the database.
3. Go to the High Availability page and click Suspend to prevent failover while upgrades are running.
4. Download Software and Security updates using BeyondTrust Updater. Open a case with BeyondTrust Technical Support if you need links to any software not available through BeyondTrust Updater or the Customer Portal.
5. Unlock Security Update packages and installer subscriptions in BeyondTrust Updater:
   • Security Patches for Windows Server 2012/2016
   • Security Patches for SQL 2014/2016
   • U-Series 2012/2016 Environment
   • U-Series 2012/2016 Supporting Software
   • Security Update Package Installer
6. Click Update Now to download all security packages.
7. If one download stops and another does not start, click Update Now again until all are complete.
8. Apply security updates downloaded in step 4.
   • Log in to the Maintenance page; the BeyondTrust Updates page loads first.
   • Click View Updates.
   • Schedule updates. This provides two options, either to schedule now or at a later date and time.
      ◦ If any new packages are downloaded after the schedule is made they are NOT included.
      ◦ Updates are almost always required and the process resumes without intervention until all packages are installed.
      ◦ Service may become unresponsive during the installation of updates.
      ◦ Progress can also be viewed from this page.
9. Download and install the remaining products from BeyondTrust Updater.
   • Settings in BeyondTrust Updater allow you to configure specific hours to download and install packages.
10. Log in to the passive U-Series Appliance and repeat steps 2 through 7.
   • There is no need to perform a backup, because all the settings are still on the active U-Series Appliance.
   • The database is not accessible on the secondary U-Series Appliance. This is expected, due to SQL mirroring.
11. If needed, set the lock status on the Subscriptions page again.
12. Verify applications were upgraded.
13. Log in to the High Availability page, click Resume, and verify database state returns to synchronized.
High Availability with Services Only Synchronization - Active / Active Upgrade
Keep the following in mind when running an upgrade:
• Do not turn high availability OFF while performing upgrades.
• Any time an installer or login page for the U-Series Appliance recommends a reboot after installation, reboot before continuing.
Package Dependencies
• U-Series Appliance software 3.2.6 and later versions require .NET Core 3.1.
• The .NET Core installer is included in both 2012 Supporting Software and 2016 Supporting Software version 210201.
• 2016 and 2012 Environment or Supporting Software packages often depend on a version of SUPI, so it is best to upgrade SUPI to the latest version prior to upgrading the U-Series Appliance software.
• BeyondInsight 6.9 can upgrade to the latest version. If the source is earlier than 6.9, contact BeyondTrust Technical Support.
Start the Upgrade
1. Go to the Backup page in the Maintenance application and run a backup. This backs up settings but NOT any remote databases.
2. Download Software and Security updates using BeyondTrust Updater. Open a case with BeyondTrust Technical Support if you need links to any software not available through BeyondTrust Updater or the Customer Portal.
3. Unlock Security Update packages and installer subscriptions in BeyondTrust Updater:
   • Security Patches for Windows Server 2012/2016
   • Security Patches for SQL 2014/2016 (may not be subscribed if SQL Server is not installed)
   • U-Series 2012/2016 Environment
   • U-Series 2012/2016 Supporting Software
   • Security Update Package Installer
4. Click Update Now to download all security packages.
5. If one download stops and another does not start, then click Update Now again until all are complete.
6. Apply security updates downloaded in step 4:
   • Log in to the Maintenance page. The BeyondTrust Updates page loads first.
   • Click View Updates.
   • Schedule Updates. This provides two options, either to schedule now or at a later date and time.
      ◦ New packages downloaded after the schedule is set are NOT included.
      ◦ Updates are almost always required and the process resumes without intervention until all packages are installed.
      ◦ Service may become unresponsive during the installation of updates.
      ◦ Progress can also be viewed from this page.
7. Download and install the remaining products from BeyondTrust Updater.
   • Settings in BeyondTrust Updater allow you to configure specific hours to download and install packages.
8. Log in to the passive U-Series Appliance and repeat steps 2 through 7.
   • There is no need to perform a backup, because all the settings are still on the active U-Series Appliance.
   • The database is not accessible on the secondary U-Series Appliance. This is expected, due to SQL mirroring.
9. If needed, set the lock status on the Subscriptions page again.
10. Verify applications were upgraded.
11. Log in to the High Availability page for both the active and passive U-Series Appliances and confirm the state is correct (for example, active or passive).
12. If there are other Password Safe worker nodes pointing at the remote database, then those BeyondInsight installations also need to be upgraded.
