UVM User Guide - BeyondTrust · 2020-05-18 · EnterSMTPServerSettings 19 ProxySettings 19...

UVM ApplianceUser Guide

©2003-2019 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company,or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC:9/6/2019

Table of Contents

Access BeyondInsight 6

Manage Your UVM 7

Access the UVMWeb Site 7

Session Timeout 7

Activate Windows 7

Request Product Updates 7

Apply Security Updates 8

Setting the Update Method 9

Appliance General Settings 9

Adjust Date and Time Settings 9

LCD Panel Settings 10

Clear the BeyondInsight Cache 10

Export Settings 10

Pre-Logon Banner Settings 11

Manage Security Settings 12

Downloading a Crypto Key 12

Uploading a Crypto Key 12

FIPS Compliance Checking 12

Manage the UVM API Key 13

Turn off SSL Authentication 13

Analytics and Reporting Endpoints 13

Generate and Export Certificates 14

Set a Security Protocol 14

Turn On HSTS 14

Accounts and Licensing Settings 16

Update Product Serial Numbers 16

Purge Appliance Data 16

Reset Administrator Passwords 17

Network and RDP Settings 18

Configure RDP 18

Set an IP Address for the Appliance 18

SALES:www.beyondtrust.com/contact SUPPORT:www.beyondtrust.com/support DOCUMENTATION:www.beyondtrust.com/docs 2©2003-2019 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, ordepository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 9/6/2019

UVM APPLIANCE

USER GUIDE

This page needed for table ofcontents. Do not delete.

Enter SMTP Server Settings 19

Proxy Settings 19

BITS Throttle 20

Use Two-Factor Authentication 21

Appliance Health 22

Health Dashboard 22

Monitor Services and Hardware 23

Check Services 23

Configuring Counters for Performance Metrics 24

Configure Notifications 25

Send Alerts to BeyondInsight 26

View Notifications 27

Diagnose Network Connectivity Issues 29

Export Log Files 29

Configure Roles 30

Use Role Templates 30

Save Role Configuration 30

Vulnerability Scanner Role Settings 30

Event Collector Role 30

SQL Server Database Roles 31

Database Access 31

Patch Management Role 31

PowerBroker Endpoint Protection Role 31

BeyondInsight Omniworker Service Role 31

PowerBroker Password Safe Web Portal Role 31

High Availability Role 31

On the Primary Server 31

On the Secondary Server 32

PowerBroker Server Management Console Role 32

BeyondInsight Analytics and Reporting Roles 33

Analysis Services Role Settings 33

Reporting Services Role 33

Turn on Auto Update 33


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Enterprise Update Server Role Settings 33

BeyondTrust Updater Role Settings 33

Configure PowerBroker Password Safe 34

Upload SSL Certificate 34

Archive Password Safe Session Monitoring Events 34

Set up the Repository Host 35

Run the Repository Configuration Tool 36

Set up the Appliance 36

Synchronize Session Monitoring Archive Files 37

Use High Availability 38

Active-Passive High Availability 38

Set up High Availability 38

Turn on High Availability (HA) Pairing 38

Configure High Availability 39

Use a Load Balancer in an Active-Passive Configuration 41

Test HA Failover 41

Use Medium Failover Mode 42

Resume and Suspend SQL Mirroring 42

Discard HA Configuration Settings 42

Recognize a Failover 43

Disaster Recovery 43

Verifying Connectivity Between Servers 43

Database Status After a Failover 43

Restore Roles After a Failover 44

Review Database Metrics 44

Check the Database Connection Status 44

Configure Backup and Restore 46

Schedule a Backup 46

Restore the Appliance 46

UVM Recovery 48

Appendix A: Configure VLAN 50

Tagged VLAN Configuration on Physical UVM20/50 50

Virtual Guest Tagging (VGT) VLAN Configuration on Virtual UVM20 51


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Appendix B: Optional Appliance Configuration 53

Configure iDRAC 53

iDRAC Commands 53

Configure NIC Teaming or Link Aggregation 55

Appendix C: Set up a Cold Spare Appliance 56

Requirements 56

Appendix D: Dell PowerEdge System Updates 58

Update the BIOS on a Dell PowerEdge Server 58

Update the Chipset Drivers on a Dell PowerEdge Server 58

Update the iDRAC Software on a Dell PowerEdge Server 59


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Access BeyondInsight

For more information about using BeyondInsight, refer to the BeyondInsight productdocumentation.

1. Open a web browser, then enter the URL to access BeyondInsight, https://[BeyondInsightserver name]/eEye.RetinaCS.Server.

2. The SSL certificate warning window displays. The SSL certificate automatically created forthe UVM ensures encrypted communications.

To avoid the warnings, install the SSL certificate through the web browser or obtain a validcertificate from a certificate authority. Select the check box to not display the informationpage again. The Internet Explorer warnings will be displayed until the SSL certificate isinstalled or a valid certificate is obtained.

3. The BeyondInsight Login page displays. Enter your user name and the password youcreated in the configuration wizard, then click Login.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Manage Your UVMYou can access appliance diagnostics to verify version information, request updates andconfigure other options.

Access the UVM Web SiteTo log on to the UVM web site:

1. In your web browser, enter:

https://[your IP Address]/Maintenance

2. For the initial login, enter the following information.

l User Name - Enter the Administrator user name created using the Configurationwizard.

l Password - Enter the Administrator password created using the Configurationwizard.

Session Timeout

A user can be logged on to an appliance web site for 14 minutes. After 12 minutes a message isdisplayed indicating the session will expire in 2 minutes. The user must log on to the web siteafter the session expires.

Session timeout applies to all appliance web sites: Roles Editor, Maintenance, Diagnostics, andHigh Availability.

The session timeout value cannot be configured.

Activate WindowsIf the Windows environment is currently not activated, you can activate on the Maintenance website.

To activate Windows:

1. SelectMaintenance from the menu.2. Select Accounts and Licensing.3. Click one of the following:

l Activate Online - Select when you have an Internet connection.l Activate By Phone - Select if there is no Internet connection (for example, in anair-gap environment).

Request Product UpdatesYou can request product updates for the UVM. You can view the version number for theBeyondTrust products that you are licensed to use.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


To request updates: On theBeyondTrust Updates page, clickRequest Update. The update of theUVM and BeyondInsight databasestarts.

Apply Security UpdatesBeyondTrust provides a bundle of Microsoft patches in a security update package. All updates aretested and approved by BeyondTrust to ensure that updates do not interfere with the properoperation of your UVM.

The packages are updated when new patches are available from Microsoft. For more informationabout the updates included in the package, contact BeyondTrust Technical Support.

In UVM versions 1.3 or later, there is a security update package installer that ships with yourappliance. When a new package is copied to the update server, then those updates can bereceived by your appliance.

Note: If you are working in an air-gap environment, you can manually download theupdate packages. You must work with the BeyondTrust Technical Support team todownload packages manually.

To apply the updates:

1. Log on to the appliance web site.The default page displayed is the BeyondTrust Updates page.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


2. If it is not displayed, selectMaintenance from the menu,then select BeyondTrustUpdates.Details about any updatescurrently available areprovided.

3. Click Apply SecurityUpdates.The update can take timedepending on the packagesbeing applied. Click Refreshat any time to update thestatus.

Note: If a restart is required (depending on the patch), then the appliance will restartautomatically. No action is required on your part.

Note: If your UVM version is earlier than 1.3, then BeyondTrust Technical Support cansend you the update package installer to deploy on your appliance. After you run theinstaller package, the appliance web page is updated. The Security Updates sectionwill be available for you to track and manage your security updates.

Setting the Update Method

1. Log on to the appliance web site.2. SelectMaintenance from the menu, then select BeyondInsight Updates.3. Select an update method.

l Connect to the Internet for licensing and updates. No proxy required - Select ifthere is an Internet connection and no proxy server.

l Connect to the Internet for licensing and updates through a proxy server -Select if you are using a proxy server.

l No Internet connection. (Requires performing manual updates.) - Select if theappliance does not have an Internet connection.

4. After you select an update method, click Apply Changes.

Appliance General Settings

Adjust Date and Time Settings

1. SelectGeneral Settings from the Maintenance menu.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


2. Select a time zone and adjustthe time.

3. Click Set the Date and TimeNow.

LCD Panel Settings

To turn on settings for the LCD panel on the appliance:

1. SelectGeneral Settings fromthe Maintenance menu.

2. You can turn on the followingsettings:

l Allow LCD Panel toReset AdministratorPassword - Turn on tobe able to reset the administrator password to a random password from the LCDpanel. If needed, go to the appliance to reset the administrator password. Select

the Show IP option to view the IP address. Hold the and arrowssimultaneously on the UVM LCD panel. A random password is generated. Press

to accept the changed password.

l Buttons on LCD Panel - Turn off to disable all the LCD panel buttons.

3. Click Update LCD Panel Settings.

Clear the BeyondInsight Cache

The Clear BI Cache button clears the license key in the BeyondInsight database cache. If a newlicense key has been recently applied, then clearing the cache ensures that the new key is savedto the BeyondInsight database.

Clearing the cache and applying the new key ensures all features are available and workproperly. You can verify licensed features on the Product Activation Keys tab.

Export Settings

To allow appliance settings such as IP address and administrator password to be set by insertinga USB drive into the appliance:

To turn on settings for the LCD Panel on the appliance:

1. SelectGeneral Settings from the Maintenance menu.2. Click to turn on Appliance settings to be imported and exported onto removable


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


storage.3. Click Update Export Settings.

Pre-Logon Banner Settings

You can configure a pre-logon message before the logon credentials page is displayed to theuser.

To configure a pre-logon banner:

1. SelectGeneral Settings from the Maintenance menu.2. Enter a title and message.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Manage Security Settings

Downloading a Crypto Key

1. Select Security Settings fromthe Maintenance menu.

2. Enter a password, and thenclick Submit.

Uploading a Crypto Key


2. Enter password.3. Drop the zip file.4. Click Generate the Uploaded

Key.

FIPS Compliance CheckingTo turn on FIPS compliancechecking:


2. In the FIPS ComplianceChecking area, toggle the slider to FIPS State (Yes).

3. Click the Update FIPS Setting button.4. A reboot is required.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Manage the UVM API KeyThe UVM API manages the communication between appliances when high availability is used inyour environment.

The API key is automatically generated and is available to copy on the High Availability page.You can regenerate the key on this page. You might want to regenerate the key regularly forsecurity reasons.

You can also apply limitations on incoming messages.

To set the API:

1. Select Security Settings from the Maintenance menu.2. Set the maximum age for messages, and then click Update Maximum Age. The default

value is 600 minutes.3. Click Generate API Key.

When configuring high availablity between appliances, copy the key to the HighAvailablity page for the partner appliance.

Turn off SSL AuthenticationYou can turn off SSL authentication. When you select SSL/Certificate Required (No), SSLcertificates are ignored.

To ignore SSL certificate authentication:

1. Select Security Settings from the Maintenance menu.2. Click Event Service

SSL/Certificate Required(No).

3. Click Submit.

Analytics and Reporting EndpointsIf the BeyondInsight Analytics and Reporting web site is not reachable, you can refresh thesettings to establish the connection.

1. Select Security Settings from the Maintenance menu.2. Click Refresh.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Generate and Export Certificates


2. To regenerate the SSLcertificate to match theappliance network name,click Generate Certificate.The certificate will not betrusted by the client browser.

3. To export the client certificate, enter the password for the certificate and then click ExportCertificate.

Set a Security ProtocolSelect the security protocol that applies to your environment: SSL or TLS.

To use TLS 1.2, ensure the following patches have been applied to your appliance.

KB2979597 - https://support.microsoft.com/en-us/kb/2979597

KB3144114 - This is a hotfix. You can request it from here: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3144114&kbln=en-us

KB3144517 - https://support.microsoft.com/en-us/kb/3144517

1. Select Security Settings from the Maintenance menu.2. Select the protocol type, and

then click Update SecurityProtocols.

Turn On HSTSYou can apply extra security to the appliance web site that will use strict transport security (HSTS)technology.

To turn on HSTS:


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


https://support.microsoft.com/en-us/kb/2979597

https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3144114&kbln=en-us

https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3144114&kbln=en-us

https://support.microsoft.com/en-us/kb/3144517

1. Select Security Settings from the Maintenance menu.2. Turn on the setting, and then click Update HSTS Setting.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Accounts and Licensing Settings

Update Product Serial NumbersYou can review your licensed BeyondTrust components. If components are not showing aslicensed you might need to refresh the BeyondTrust database cache to ensure the most recentlicense is applied.

For more info, please see the Clearing the BeyondInsight Cache section of theManage Your UVM document.

To update the appliance serial number:

1. Select Accounts andLicensing from theMaintenance menu.

2. You can either retrieve theserial numbers and validatethe license key automaticallyusing your Internetconnection or enter thisinformation manually:

l Using the CustomerPortal - Enter youremail address andClient Portal passwordand click RetrieveKeys. Select theappropriate serialnumbers from the listwhen populated andclick Update Serial.

l Using Online Appliance - Enter the serial numbers and then click Update Keys.l Using Client Browser - Manually enter the serial number provided when youpurchased the product. To access your serial number, log on to the Client Portal,and select Product Licensing > Managing Your Serial Numbers. Click Get OfflineLicense and follow instructions on obtaining the license key offline. Manually enterthe license key once it is received.

l Using Email Validation - Enter the serial numbers and click Retrieve OfflineValidation Keys. An email is sent to request and validate the keys.

l Manually - Manually enter the serial numbers.

3. Click Update Keys.

Purge Appliance Data

1. Select Accounts and Licensing from the Maintenance menu.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


2. Scroll to the purge data area.3. To erase the database and

user configuration data fromthe appliance, clickWipeAppliance. The configurationdata and events are purged.

Reset Administrator PasswordsYou can reset the UVM administrator password, BeyondInsight administrator password, andCentral Policy password.

Ensure that you review the complexity requirements.

To reset a password:

1. Select Accounts and Licensing from the Maintenance menu.2. Select the check box for the

password that you want tochange.

3. Change the password.4. Click Update Credentials.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Network and RDP Settings

Configure RDPRDP access is turned off by default. RDP access is not required for daily use regardless oflicensing or roles. BeyondTrust Technical Support can turn on RDP access for troubleshooting.

To track RDP and 2-Factor activities, there are audit log entries in the Security Event logs.

1. Select Network and RDP Settings from the Maintenance menu.2. Select the Enable Remote Desktop box.3. Select 2-Factor required to turn on the

settings to use two-factor authenticationwhen using remote desktop.

Note: If you want to disablethe 2-Factor authenticationthe temporary passwordfrom BeyondTrust isrequired. After you enter thepassword, the 2-FactorRequired box is cleared.

You need a password toaccess the UVM remotely.BeyondTrust TechnicalSupport will generate atime-limited password foryou.

4. Click Save RDP Settings.

Set an IP Address for the ApplianceYou can get an IP address automatically using DHCP or manually configure the IP address.

1. Select Network and RDP Settings from the Maintenance menu.2. Select a network card from the list.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


3. Click the button to use DHCPto get the IP address.Otherwise, set the IP addressinformation manually.

4. Click Update IP Settings.

Enter SMTP Server Settings

1. Select Network and RDP Settings from the Maintenance menu.2. Enter the following SMTP settings:

l Address - The IP address of the server.l Port - The port number of the server.l User - The user name used to access the server.l Password/Confirm Password - The server password.

3. Click Update SMTP.

Proxy SettingsConfigure a proxy server if access to the Internet is required.

To use a proxy server:


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


1. Select Network and RDPSettings from theMaintenance menu.

2. Select the Use proxy serverfor external communicationbox.

3. Enter the address and port forthe server.

l Address - The IPaddress of the server.

l Port - The port numberof the server.

4. If the proxy server requiresauthentication, enter thecredentials:

l User - The user nameused to access theserver.

l Password/ConfirmPassword - The serverpassword.

5. Click Update Proxy Settings.

BITS Throttle

1. Select Network & RDP Settings from the Maintenance menu.2. Drag the slider to the level of throttling.3. Click Update BITS Throttling Setting.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Use Two-Factor AuthenticationYou can configure two-factor authentication using a RADIUS server.

You must configure the RADIUS server settings in BeyondInsight.

After you set up two-factor authentication, your users must log on to the appliance using the two-factor authentication method.

To configure a RADIUS Server:

1. From the Maintenance menu, select Accounts and Licensing.2. Scroll to the Configure RADIUS Authentication section.3. Click RADIUS Authentication Enabled to turn on the setting.4. From the Alias list, select one

of the available RADIUSservers.

The appliance uses thesettings configured inBeyondInsight. After youselect the server, thefollowing fields arepopulated: host name,authentication port, timeout,authentication mechanism,and initial password.

5. Enter the user name. This is the user account that is used to log on to the RADIUS server.

Note: The RADIUS user account password must match the appliance Administratorpassword.

6. Click Update Settings.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Appliance HealthOn the Diagnostics pages, you can keep track of appliance services, hardware faults, andperformance metrics.

Note: If you use your own SQL Server deployment rather than the SQL Server versionthat ships with the appliance, then the SQL Server metrics are not displayed on theHealth dashboard.

Health DashboardView dynamic, live appliance metrics including:

l CPU usagel SQL Server CPU usagel SQL Server memoryl Used disk space on the C: drive. Note that on a UVM50 additional drives are displayed (O,N, and M).

l Services running and stoppedl Analyzer reporting - Download BeyondTrust's BTAnalyzer reports. View health metrics onBeyondTrust components and services running in your environment.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Monitor Services and HardwareAppliance services and hardware are monitored:

l Services - Periodically checks the running state of the services to make sure that they arein the expected state, considering the current roles that are set. Additionally, alerts areindicated when the service control manager raises errors. Errors reported are typical errormessages on services such as, services failing to start or services terminatingunexpectedly.

l Hardware events - Any of the alerts that are raised by Dell OpenManage monitoringsoftware.

To turn on alerts for services or hardware:

1. Select Diagnostics from the menu and then select Appliance Health.2. Turn on the alerts and then click Apply Updated Settings.

Check ServicesYou can view, start, and stop appliance services.

To view appliance services:


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


1. Select Diagnostics from the menu and then select Appliance Health.The icons indicate the following:

Click to refresh the service.

Click to start the service.

Click to stop the service.

Configuring Counters for Performance MetricsYou can configure the threshold values for the performance metrics. When the threshold isexceeded, email alerts can be sent to the email account configured on the notifications page.

For example, you might not want CPU usage over 50% for too long. Consider setting thethresholds to the following:

l Low: 50l Medium: 65l High: 70l Threshold Duration: 10 minutes

If there is a running average reading of 52%, then a low level alert is sent.

After a counter alerts at a certain level it will not generate further alerts for that level (or below)until it is reset. An alert is considered in a reset state when the average is below the resetthreshold for the specified time span.

If a metric is in an alerted state, but then that metric goes below a configurable Reset threshold forthe specified amount of time, then the alert is cleared, and a Reset alert is generated. At this point,the performance counter will again receive alerts if it exceeds the threshold again.

To configure counters view performance and alert settings:


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


1. Select Diagnostics from the menu and then select Performance Counters.2. Select notifications settings:

l Generate Alerts For Monitored Performance Data - Turns on email notificationfor alerts.

l Generate Daily Summaries of Performance Data - Performance metrics arecollected every 2 hours and emailed on a daily basis.

3. By default, there are four basecounters listed: SQL ServerMemory Percentage, CPUOverall Usage, SQL ServerCPU Usage, and Disk Usage.Select additional countersfrom the list, and then clickAdd to List.

4. Adjust the performance and reset thresholds.5. Click Apply Updated Settings.

Configure NotificationsNotifications can be set for the following types of events:

l Health monitoring - Includes performance thresholds, service alerts, hardware alerts, anddaily performance summaries.

l High availability monitoring - Includes failover, connections, no partner alerts, and offstate.

l High availability mirror change - Includes suspend and resume activities on SQLmirroring.

l Backup monitoring - Includes back up success and failure alerts, and restore success.

To configure email notifications:

1. Select Diagnostics from the menu and then select the Notifications icon.2. Click the Configure

Notifications icon.

3. Click the box to turn on email notification.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


4. Click in the Email These Users box, andthen select the check boxes for the emailaddresses that will receive thenotifications.

5. Click Apply Updated Settings.

Send Alerts to BeyondInsight

Note: BeyondInsight V6.0 or higher is required to use this feature.

You can send alerts from the appliance to your BeyondInsight management console for furtheranalysis.

To configure event forwarding for the appliance alerts:

1. Select Diagnostics from the menu and then select the Notifications icon.2. Click the Configure Notifications icon.3. Under Forwarding Health

Events to BeyondInsight.select one of the followingoptions:

l None - The defaultvalue. No events areforwarded by default.

l Local - Uses the localinstallation ofBeyondInsight.

l Remote - Enter the IP address or DNS name for the remote BeyondInsight server.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


4. You must export a certificatefrom the remoteBeyondInsight server andimport the certificate to thelocal UVM. Select a certificatefrom the list, and then clickApply Updated Settings.

l If the remote server is another UVM appliance, log on to the appliance web site forthat appliance.

l Select Security Settings from the Maintenance menu.l Enter a password and click Export.l Import the certificate on the local UVM. See Uploading SSL Certificate.l On the Health tab, select the certificate from the list.If the remote server is a software install of BeyondInsight, use the BeyondInsightConfiguration Tool to create and export the certificate.

5. Click Apply Updated Settings.

You must also create a connector from the BeyondInsight management console.

To create the connector:

1. Log on to BeyondInsight.2. Select Configuration from the

menu, and then selectConnectors.

3. Click + and select SyslogEvent Forwarding.

4. Enter the details for the UVMappliance, including IPaddress, protocol, and facility.

5. Select the Appliance Health check box.By default all severity levels are included. Select an alternate level if needed.

View NotificationsA notifications icon is displayed onthe Diagnostics page.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


After notifications are received, anumber is displayed that indicatesthe number of notifications. Click theicon to view more information aboutthe notifications, as shown:

The bar next to the notification indicates severity. See the following table for descriptions.

Color Legend

Info

Low

Medium

High


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Diagnose Network Connectivity IssuesYou can view Network Configuration (IPConfig) information and use Ping to assist withdiagnosing network connectivity issues.

To use these tools:

1. Select Diagnostics from the menu and then select Tools.2. In the Network Configuration section, click Refresh to view the results from IPConfig /all.3. To ping a server, enter the fully qualified domain name, hostname, or IP address in the

Ping section, and then press Enter.

Export Log FilesYou can generate a log file and save to an external location. The file can then be imported to athird-party tool for analysis.

Note: The file cannot be saved on the UVM.

To configure the settings to export a log file:

1. Log on to the Diagnostics page.2. Select Appliance Logs from the menu.3. In the Log File Export section, click the button to turn on the log file export feature.4. Enter a path where you want to save the file and the credentials required to access the

share.

Enter the path using the following format: \\10.10.10.10\[network share].

Click the test button to ensure the share can be accessed using the credential provided.

Optionally, click Network path is an NFS Network Resource. Credentials are not required.5. Set scheduling information:

l Designated Interval - Enter the frequency, in minutes. The default is 20 minutes.The lowest interval that you can enter is 10 minutes.

l Once a day - Select the day of the week and select a time to export the logs.

6. Click Set Log Export Settings.

Optionally, at any time after the settings are initially configured, click Export Log Now to save thelog file to the share.

The file ExportReport.txt is generated and saved to the designated location.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Configure RolesSelect Appliance Roles if you are deploying more than one UVM to scale BeyondInsight in largernetworks.

Roles must be selected for at least one of the UVM appliances.

When you are selecting roles, any dependencies or conflicts that might exist between roles will bedisplayed. The Apply Roles button is only available after dependencies or conflicts are resolved.

Use Role TemplatesThere are predefined role templates that you can choose. When you choose one, all dependentroles that need to be activated will be. Any roles that are not required for the template will beturned off.

When you select a predefined template, you must enter information for some fields before theApply Roles button is available. The role is indicated in orange.

For example, if you select the Standalone Database role, then you must go to the SQL ServerRole and enter the database password.

Save Role ConfigurationYou can configure the roles that you need andsave the settings to a configuration file. You canthen upload the template to the UVM.

Vulnerability Scanner Role SettingsTurn on the role to activate the Network Security Scanner agent.

Event Collector RoleOn the Event Collector page, select the BeyondTrust service that will be responsible for sendingevents between components (for example, Network Security Scanner agent, Network SecurityScanner Protection agent, and PowerBroker Endpoint Protection Platform).

BeyondInsight AppBus Service and Event Server can be used for this communication. EventServer is preferred for enterprises and can manage a greater load of data than AppBus.

The default port for the Event Server is 21690.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


1. Select one of the following:

l Incoming Events Processed by the BeyondInsight AppBus Servicel Incoming Events Processed by the BeyondInsight Event Server Service

2. Click Apply Changes.

SQL Server Database RolesProvides access to the SQL Server database. Select the box to allow database access fromremote computers.

If you are using your SQL Server deployment, there is no action required on your part here.

Database AccessProvides access to the BeyondInsight database. You can set either a local SQL Server databaseor configure settings for a remote database.

Patch Management RoleTurn on the role to activate the LanMan service on the appliance to host Third-Party patches.

PowerBroker Endpoint Protection RolePowerBroker Endpoint Protection Platform (PB EPP) is installed on all appliances. If you do notwant PB EPP running on your appliance, click the role to turn off the PB EPP services.

BeyondInsight Omniworker Service RoleThe BeyondInsight Omniworker service manages task queues. Turn on the service when yourenvironment is using more than one appliance.

PowerBroker Password Safe Web Portal RoleTurn on the Password Safe role to activate services needed to run the Password Safe web portal.

Note that the Password Safe role is only displayed on the Roles page when a Password Safelicense is applied.

High Availability RoleTurn on the High Availability role to activate services needed to run Password Safe in highavailability mode.

On the Primary Server

If you are using Password Safe High Availability, you must configure the following settings on theprimary server.

To turn on the Password Safe role:


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


1. Log on to appliance web site.2. Select Roles Editor from the menu.3. Click High Availability, then select a mirroring option:

l HA will mirror both Server and Database (RetinaCSDatabase and PBSMCdatabase if installed)

l HA mirroring for services only

4. To save resources, you can turn off services that will not be required to run on anysecondary appliances. Select the Standalone Password Safe Worker Node check box.Select the corresponding check boxes to turn off services: Disable BeyondInsight UI orDisable Password Safe UI.

5. Click Apply Changes.6. On the main Roles Editor page, click Apply Pending Changes.

On the Secondary Server

If you are using Password Safe HighAvailability, you must turn on the role,and then select a mirroring option.

PowerBroker Server Management Console RoleThis role will only be available if PowerBroker Server Management Console (PBSMC) is installedand can be enabled for use with a local database or with a remote database. The remote option isonly available on UVMs that do not have SQL installed.

For the local database option, enter the username and password for the SQL user account to becreated for the application to access the database.

For the remote database option, enter the username and password for the remote PBSMCdatabase . The remote database must already exist on the remote host. Click Test RemoteConnection Settings to verify you have connectivity to the remote database.

Once the role is enabled, PBSMC must then be configured by accessing it at https://<IP>/PBSMC.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


The PBSMC database will now be added to Backup Restore functions and included with HighAvailability database synchronization.

BeyondInsight Analytics and Reporting RolesThere are two roles that you can configure if you are using BeyondInsight Analytics andReporting.

Analysis Services Role Settings

Turn on the role to turn on the SQL Server Analysis service.

You can click the link to run BeyondInsight Analytics and Reporting.

Reporting Services Role

If you are using BeyondInsight Analytics and Reporting to render reports, the service must runlocally. Turn on the Reporting Services role to run the service locally when using a remotedatabase.

Turn on Auto UpdateTo use the auto update feature, where product updates will automatically download whenavailable, turn on the auto update role.

To turn auto update:

1. On the appliance web site, select Roles Editor from the menu.2. Click Auto Update.3. You can configure one server for all updates or configure servers based on functional

area.

If you configured different update servers, click Load Default Settings to reset the defaultBeyondTrust server.

4. Scroll on the page, and click Apply Changes.5. On the main Roles Editor page, click Apply Pending Changes.

Enterprise Update Server Role SettingsTurn on the role to use the Enterprise Update server to update your appliances.

BeyondTrust Updater Role SettingsTurn on the role to use the Azure web based update tool.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Configure PowerBroker Password SafeTo set up Password Safe on the appliance, you need to turn on the Password Safe role.

Note: If you use Password Safe, all credentials are stored in the database using a AES256 block cipher by RijndaelManaged crypto provider. When FIPS is used, all UVMcredentials stored in the database are encrypted using Triple DES crypto provider.

Upload SSL CertificateTo upload an SSL certificate:

1. Select Security Settings from the Maintenance menu.2. Go to Upload Certificate

section.

3. Drop a file to upload.4. Enter the password.5. Select the following:

l Bind to HTTPS on update - Updates the bindings in IIS.l Use for High Availability

6. Click Upload Certificate.

To generate an SSL certificate to match the appliance name:

1. Select Security Settings from the Maintenance menu.2. Click Generate Certificate. The certificate will not be trusted by the client browser.3. To export the client certificate, enter the password for the certificate and then click Export

Certificate.

Archive Password Safe Session Monitoring EventsYou can transfer old session monitoring files off the appliance to another server for storage.Archive old files to free up disk space on the appliance. You can view the archive files inPassword Safe. For more information, refer to the Password Safe Administration Guide.

Session monitoring files are archived in one of two ways:


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


l Automatically by the UVM. Automatic archives occur in the following cases:

o When the file reaches the configured age.o When free space on the UVM hard drive is below the configured threshold. See

Setting up the Appliance to configure these settings.l Manually through Password Safe. Archive files are never deleted.

For more info, please see the Password Safe Administration Guide.

There are two parts to the configuration of archiving:

l Set up the computer that will be the repository host.l Set options on the web site for the appliance.

Set up the Repository Host

Repository Host Requirements

l The minimum operating system requirement for the host computer is Microsoft Windows2008.

l Port 443 must be open.l IIS 7.5 or later.

In Server Manager, install and enable the following feature: Background IntelligentTransfer Service (BITS).

Activating BITS ensures prerequisites are installed regardless of OS or IIS versioninstalled.

l ASP.NET 4.5l You need a copy of the Setup Session Monitoring Repository tool, located here:C:\Appliance\Tools\ConfigureRepository.exe.

Note on IIS 7.5:

If you are using IIS 7.5 and the ASP.NET 4.5 role did not install automatically:

1. Install the ASP.NET role.2. Run the command:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i3. Log on to Server Manager

and select the IIS instance.Double-click ISAPI and CGIRestrictions.

4. Ensure that ASP.NET v.4.0 is set to Allowed.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Run the Repository Configuration Tool

The repository configuration tool creates a certificate on the host computer.

To run the repository configuration tool:

1. Run the repository configuration tool.2. Click the Create Certificate button.3. Enter a password for the exported certificate.4. Click Export Certificate and choose a location for the file with the exported certificate.5. Copy the exported certificate to a location that can be accessed by the appliance. You

need to import the certificate using the Diagnostics web site. See the following section.

Set up the Appliance

You must set up the repository host before proceeding here.

On the appliance you must register the certificate that you created on the repository computer.Optionally, you can change the archive settings such as how many days pass before the files arearchived.

To configure archiving on the appliance:

1. Log on to the applianceMaintenance web site.

2. Select Security Settings fromthe menu.

3. Upload the certificate that youcreated on the host, and thenclick Upload Certificate.

4. Select Roles Editor from themenu.

5. Click PowerBrokerPassword Safe Web Portal.

6. Select the Enable SessionMonitoring Archiving box.

7. Select the way to store thearchive files:

BITS - Enter the name of therepository computer.

Enter the name of the certificate. The certificate name is the same name as the repositorycomputer.

Windows File Sharing - Enter the name of the share and credentials to access the share.Windows file sharing is the preferred method.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


8. Optionally, change the archiving settings:

l Maximum Age (in Days) - Enter the number of days that pass before the files arearchived. The default value is 90 days.

l Archive when available storage becomes less than - This value applies to thestorage available on the appliance. Enter the amount of storage remaining on theappliance before the file transfer occurs. The transfer of files will free up the diskspace when the value is reached.

l Max File Transfer Time - This value is the maximum time to wait for a file transferto occur before the transfer times out.

9. Click Test Session Monitoring Settings to ensure the repository computer is set upcorrectly and can communicate with the appliance computer.

10. Click Apply Changes to save the settings.

Synchronize Session Monitoring Archive FilesOn the High Availability Settings page, you can determine if the session monitoring archive filesare up to date on the repository host.

Compare the values in the Local Session File Count box (archive files on the appliance) andRemote Session File Count box (archive files on the repository host).

If the numbers are different, select theSynchronize Session ArchivingFiles check box. Archive files on theappliance will be copied to therepository host.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Use High Availability

Note: High Availability is only available with a PowerBroker Password Safe license.

Active-Passive High Availability

High availability is designed to be a highly available system in an Active-Passive configuration. Atany time, one of your two servers has the role of the Active node, while the other is the Passivenode.

When the Passive server detects the Active server has failed, then the Passive is promoted toActive and the Active is demoted.

After the Active server fails and all issues are resolved, the server takes on the Passive role.

Set up High AvailabilitySetting up High Availability is optional.

Turn on High Availability (HA) Pairing

You must turn on the High Availability role in the Roles Editor before setting up high availability.The role must be turned on for the active and passive appliance.

To turn on the Password Safe HA pairing:

1. Select Roles Editor from themenu.

2. Click High Availability.3. Turn on the high availability

role.4. Select a mirroring option.5. Enter the password that will

be used on the HA pairs.6. Click Apply Changes.7. On the main page, click Apply

Pending Changes.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Configure High Availability

To set up high availability:

1. Select High Availability from the menu.For first time configuration, the Initial Setup page is displayed. Certificates need to be setup between the appliances for secure communication.

2. Copy the API registration keys between the partner appliances.Registering the API keys with the partner appliance permits secure communicationbetween the appliances.

3. Enter the IP address or thename of the passive UVMappliance, and then clickApply.

l A message isdisplayed that theexchange is inprogress.

l If an error occursduring the certificateexchange aShow/Hide Resultsbutton is displayed.

l Exchangingcertificates can takeup to approximately 5minutes.

l After the certificates are exchanged with no errors the configuration settings aredisplayed.

4. Click High Availability to turn on the feature.5. Enter the mirroring port number. The default port is 5022.

6. Click Set High Availability.7. Set the following:

l Partner ContactTimeout - Enter thenumber of minutesthat pass with nocontact between theactive server andpassive server. Whenthe active receives noresponse from thepassive, then theactive continues tostart. If the passive hasno contact with theactive, the passive willstart up as the active.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


l Partner Failover Timeout - Enter the number of minutes that pass with no pingreceived from the primary server. After this time, the passive switches to the activeserver.

l Reboot Blackout Window - On graceful shutdown passive switches to active afterno response. You might want to shut down the active UVM but not want thepassive UVM to take control. For example, you might want to move the active UVMand know that it will take approximately 30 minutes. To be sure the passive doesnot take control while the active is offline, set the value here to 60 minutes.

You must shut down the primary from the Version Information tab.

Enter the number of minutes that pass before the passive takes control.l Send Alerts on Failover - When selected, either an email is sent or events aresent to BeyondInsight.

Note: For more information about alerts, please see the ConfigureNotifications section of the Appliance Health document.

l Medium Failover Mode - When communication between the pairs is lost, thepassive appliance is in a failover pending state only. Action is required on yourpart to start a failover process.

Note: For more information, please see "Use Medium Failover Mode" onpage 42.

l Background SettingsUpdate Rate - Enterthe number of minutesthat pass before a filesynchronizationoccurs. Files copied tothe passive server areconfiguration files,certificates, andregistry files.

l Failed NotificationRate - Providesnotification after youractive appliance hasfailed over. If you areusing MediumFailover Mode, the email indicates that action is required on your part. The defaultvalue is 15 minutes.

l Queue File Synchronization - Click to start a file synchronization.

8. Click Update Settings.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Use a Load Balancer in an Active-Passive Configuration

When setting up an active-passive pair, you might want to configure a load balancer that acts as aDNS-redirector.

Configure the load balancer between two appliances so that it can determine which appliance isactive and which is passive. The load balancer then sends the traffic to the active appliance.

You can use the following endpoint API to configure the load balancer. Refer to your loadbalancer documentation to ensure that it is configured to use the endpoints.

Endpoint:

GET https://<UVMAddress>/UVMInterface/api/HighAvailability

It will return an object with one member.

{

string Role;

}

You can set the formatting of the requested return value in the Content-Type request header.

For example, to get JSON, you can specify:

Content-Type: application/json;charset=UTF-8

The available values for Role are:

Off - High Availability is not turned on.

Active - UVM is in Active mode.

Passive - UVM is in Passive mode.

Test HA Failover

Note: The Attempt Auto-Resync setting is a quick way to restore high availability in ascenario where databases on the active and passive servers are synchronized. It isnot recommended for a production failover scenario. Data loss can occur if databasesare not synchronized.

To test failover:

1. Select the Attempt Auto Resync of Database When Connecting After Failover.2. Unplug or power off the active server.3. Wait for failover. Check that the passive is now the active.4. Restore the active server (turn on or plug in).5. The auto re-sync should restore high availability configuration.6. The passive server will be acting as the active server. Click the Switch Roles button to

restore the server partners to their original roles.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Use Medium Failover ModeUse Medium Failover mode when you do not want the services on the passive appliance to startautomatically when the communication between pairs is lost.

The passive appliance waits in a pending state until you manually start the failover process.When your active fails, you must log on to the appliance software to start the failover process tothe passive appliance.

To use medium availability, you must turn on Medium Failover Mode.

For more information, please see "Use High Availability" on page 38.

To start the failover:

1. Log on to the appliance, and then select High Availability.2. In the High Availability Maintenance section, click Failover to this UVM. Note that the

button is only active when the primary appliance is down.Clicking the button starts the services and database.

Resume and Suspend SQL MirroringYou can suspend and resume SQL Server mirroring. You might want to pause mirroring if youwant to take care of maintenance tasks on the database server.

A failover cannot occur when the database is in a suspended state.

Note: If the appliance is in a failover state and mirroring is suspended, you can clickResume to start mirroring.

To resume or suspend mirroring:

1. Log on to the appliance, and then select High Availability.2. Click Suspend to pause mirroring.3. Click Resume to start mirroring again.

Discard HA Configuration SettingsTo reset the appliances to the Initial Setup state, you can remove all HA configuration settingsestablished between HA appliances. You might want to do this if you want to set up new HA pairs.

1. Select High Availability fromthe menu.

2. Click AbandonConfiguration.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Recognize a FailoverReview the following to help you determine if a failover has occurred.

l In appliance v. 1.5.4 and later, an email is sent to the address set in the configurationwizard.If you are using an appliance version earlier than 1.5.4, you can contact BeyondTrustTechnical Support to activate the email feature.

l If you are not using a load balancer, you might notice that BeyondInsight is no longerresponsive on the active server.

l On the Diagnostics web site (for the primary), only two tabs are displayed. This indicatesthe server is in Passive mode.

l Confirm the passive server is in Active mode.

Disaster Recovery

If you are using High Availability as a disaster recovery solution, review the following points as aguide to restoring roles.

l Determine if the active server failed. Confirm the role of your live server (or the “primary"server).

l If a failure occurred on the primary, investigate and resolve issues on the primary.l After a failover to the disaster recovery server (or the “secondary"), you can restore roleson the appliance web site from the Active server.

Verifying Connectivity Between Servers

On the High Availability Configuration page, verify that the communication between appliances isactive.

The Last Heartbeat indicates the last ping to the passive server and the return response to theactive.

Database Status After a Failover

IMPORTANT!

In all scenarios, we strongly recommend investigating the cause of the failure. We do notrecommend resuming database mirroring until issues are resolved.

The following database status indicators might display after a failover.

l DISCONNECTED - Failover was catastrophic (server is completelyunavailable/unreachable). Turn off High Availability and investigate the issues with thefailed server.

After the failed server is cleared for use, turn on High Availability and synchronize thedatabases.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


l EXPOSED - If the other server is still available (and possibly still healthy) but the failoverwas serious or lengthy enough that High Availability was disabled.

After the failed server is cleared for use, turn on High Availability and synchronize thedatabases.

l SUSPENDED - If the interruption was of a minor or transient nature. While it may bepossible to restore connectivity without disabling High Availability, we encourage you toturn off HA and investigate the issues with the other server.

After the failed server is cleared for use, turn on High Availability and synchronize thedatabases. Optionally, contact BeyondTrust Technical Support to see if mirroring can berestored.

Restore Roles After a Failover

After a failure has been identified and resolved on an appliance, you can restore the roles to theinitial state.

1. Log on to the appliance web site from the Active appliance.2. Select High Availability from the menu.3. Click Switch Roles.

Review Database MetricsOn the High Availability Settingspage, you can review informationabout earlier databasesynchronizations and the size of thecurrent BeyondInsight database.

You can then determine from thesevalues how long a synchronization between servers might take.

Check the Database Connection Status

Check the status of the BI Mirror State on the High Availability tab to ensure that synchronizationsare occurring between the active and passive servers.

Database Mirror States

State DescriptionEXPOSED Databases are not mirrored.

SYNC PENDING: INITIAL DBSYNC STARTED

Started to back up and transfer database to passive server.

SYNC PENDING: SET MIRRORCALLED

Database is transferred and restored to the passive server,now turning on mirroring.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


SYNCHRONIZING Server is actively transmitting Transaction Logs to the otherdatabase to apply changes.

EXPOSED - MAX SYNCATTEMPTS REACHED

5 consecutive attempts were made and failed to establishmirroring.

Mirror was not established and is no longer trying.

To troubleshoot:

Check for connectivity issues. Ensure the database mirrorport is set to 5022.

SYNCHRONIZED Databases are actively mirrored. HA is considered to beworking.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Configure Backup and RestoreYou can back up the appliance immediately or schedule a back up to occur at regular intervals.

Schedule a BackupTo schedule a backup:

1. Select Backup and Restore from the Maintenance menu.2. Click Backup Scheduler to turn on scheduling.3. Enter the information for the

remote share where the .zipfile will be saved.

4. Select the day of the week and time to run the backup.5. Enter the password for the .zip file.6. Click Schedule Backup.

Restore the ApplianceYou must restart the appliance and reset the passwords after restoring.

To restore the appliance from the last backup:

1. Select Backup and Restorefrom the Maintenance menu.

2. Enter the password, and then click Restore Appliance.

To restore the appliance from a backup file:

1. Select Backup and Restore from the Maintenance menu.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


2. Drop the file to upload.

3. After the backup is uploaded, enter the password and click Restore Appliance.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


UVM RecoveryThis section applies to UVM20 and UVM50 appliances.

Use the recovery procedure to rebuild your UVM.

IMPORTANT!

All information saved or configured on the UVM will be lost. There is no way to recover thisdata.

Retrieve the BitLocker keys before starting the recovery process.

The key can be retrieved in two ways:

l Open File Explorer and look for an external drive with a label “UVM-BITLOCK". There willbe a text file on this drive for each drive letter on the UVM (1 x for a UVM20 and 4x for aUVM50).

l If the internal USB has been removed and it cannot be located type the followingcommand into a command window to display and save the BitLocker passwords.

Manage-bde -protectors -get c:

To pipe to a file type:

manage-bde -protectors -get c: > “bitlocker C.txt"

To start the recovery:

1. After the appliance isrestarted and you see thefollowing screen, press the F8key to enter the Windows bootoptions. Try pressing the keya few seconds apart to makesure you don’t miss thechance to access the bootoptions.

2. Press Enter to go to theBitLocker key prompt.

3. Enter the BitLocker Password for the C: Drive (match up the corresponding ID#) and pressEnter.

4. On the Advanced BootOptions screen, press Enter tochoose Repair YourComputer.

5. Click Troubleshoot.6. Click Reset Your PC.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


7. Enter Drive password for ID which is displayed and click Continue.8. Click Next.9. (UVM50 Only). Select All drives.10. Click Just remove my files.11. Click Reset.

Note: After you click Reset,BitLocker drive encryptionwill be turned off. It will beenabled again later in theprocess.

The Appliance is imaged with the original Manufacturing image.

12. Insert the USB which contains the BitLocker keys. The BitLocker keys will be regeneratedand saved to the USB.

l On the first reboot, scripts run that are required to set up the appliance. This part ofrecovery is automatic and it will force a system reboot when it is complete.

l After the second reboot, a command window is displayed. BitLocker starts the driveencryption. Updates are displayed on the drive encryption progress.

13. After BitLocker is complete, run Update Appliance.bat on the desktop.14. Click Next on the Auto Update window.15. All products will update to the most recent version on the Public Update

Server. Click Next when Auto Update is finished. All updates are nowcomplete.

16. Enter the license key for Windows. Then enter the license key for SQL Server.

For the final stage of preparation, run Prepare For Shipping.bat.

All temporary and setup files are removed; Windows and SQL Server are licensed.

You are now ready to configure your appliance.

For more info, please see Configure Your UVM Appliance.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Appendix A: Configure VLAN

Note: On the Microsoft Windows Server 2012 R2 appliances, the Broadcom AdvancedControl Suite 4 application is already installed. Access the application from the Startmenu.

For all other appliances, you can use the following procedures.

Tagged VLAN Configuration on Physical UVM20/50Broadcom BCM5709C NetXtreme II GigE

1. Download “Gigabit Management Applications Installer for Windows (x64)"Contact BeyondTrust Technical Support to get the installer file.

2. Install utility (rename setup.exe if required).3. Run Broadcom Control Suite 4 from Control Panel or Start Menu.

a. Filter by Team View from the menu at top.b. Under Unassigned Adapters select the Adapter being used (if connected it will

have a green checkmark).c. Right-click and click Create a VLAN > Next.d. Enter name for team (i.e. VLAN).e. Enter name for VLAN (i.e. VLAN10) > Next.f. Click Tagged > Next.g. Enter VLAN Tag (i.e. 10) > Next.h. Click Finish.i. Click Yes to acknowledge there may be a temporary network interruption.j. Right-click on the Team that was created from the previous step (i.e. VLAN) and

click Add VLAN.k. Enter name (i.e. VLAN20) > Next.l. Select Tagged > Next.m. Enter VLAN Tag (i.e. 20) > Next.n. Click Yes to add more VLAN's and repeat, or No if finished.o. Click Finish.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


4. Network configuration can be Static or Dynamic depending on your needs or on theenvironment but would be configured just as a normal adapter is configured.

Virtual Guest Tagging (VGT) VLAN Configuration on VirtualUVM20Intel(r) 82574L Gigabit Network Connection (Intel E1000)

To install the required driver within a Windows 2012 R2 guest operating system:

1. Download ProWinx64 from Intel located here:http://downloadmirror.intel.com/18718/eng/PROWinx64.exe.Use 7zip to extract contents to a temp folder.

2. Right-click the network adapter and click Update Driver Software.3. Click Browse my computer for driver software.4. Click Let me pick from a list of device drivers on my computer.5. Click Have Disk.6. Click Browse.7. Browse to temp location driver files were extracted to.8. Click Next to install the driver.9. Repeat Steps 2-8 for each network adapter you have for the virtual machine.10. After all the adapters are updated, run the PROWinx64.exe file, rather than extracting it.

You should now be able to install the Advanced Network Services software with VLANs.

To configure VLAN tagging on a Virtual Machine:


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


http://downloadmirror.intel.com/18718/eng/PROWinx64.exe

1. Open Device Manager.2. Right-click Network Adapter and select Properties.

There will now be a VLANs tab available. This is not displayed before installing thePROWinx64.exe file above.

3. Click New.4. Enter VLAN ID (for example, 20).5. Enter VLAN Name (for example, VLAN20).6. Click OK.7. Continue these steps for as

many VLAN’s that arerequired.

There will now be a new network adapter displayed under Network Connections for eachVLAN created.

8. Network configuration can be Static or Dynamic depending on the environment or yourrequirements but would be configured just as a normal adapter is configured.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Appendix B: Optional ApplianceConfiguration

Configure iDRACYou can use the iDRAC tool to remotely manage your UVM appliance (UVM20 or UVM50).Configuring iDRAC is optional.

For more information about configuring iDRAC, refer to Dell product documentation.

1. At startup, press F2 to enter the Setup menu.2. Select iDRAC Settings.3. Select Network.4. Set "Enable NIC" to Enabled.5. Configure IP address settings as per your Network Administrator (DHCP/Static).

Setting NIC selection to Dedicated only allows the physical iDRAC port on the back to beused for iDRAC communication. Setting it to another port will allow it to share the samephysical connection.

6. Save your settings.

If you use DHCP IP configuration, watch for the iDRAC IP address to be displayed at start up andrecord this for future use.

Open a browser and enter the IP address associated with the iDRAC port. Use the default logoncredentials:

User: root

Password: calvin

iDRAC Commands

The below commands can be used to configure iDRAC settings from a Windows commandprompt.

For the complete user guide with all supported commands go to http://search.dell.com and searchfor “RACADM Command Line Reference Guide".

Enable

Racadm setniccfg -o

Set useraccount

racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 2 <password>

Set Static IP

racadm setniccfg -s < IPv4Address> < netmask> < IPv4 gateway>

Set DHCP on

racadm setniccfg -d

Get Info


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Racadm getniccfg


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Configure NIC Teaming or Link Aggregation

Note: On the Microsoft Windows Server 2012 R2 appliances, the Broadcom AdvancedControl Suite 4 application is already installed. Access the application from the Startmenu. For all other appliances, you can use the following procedure.

The appliance has a Broadcom NetXreme II four-port Network Interface card. Work with yourNetwork Administrator before you configure NIC teaming or aggregation. Your administrator mustprovide IP address information for the environment where the appliance is being deployed.

You must download the Broadcom management utility before you can manage and configure NICteaming.

For more information, contact BeyondTrust Technical Support to get the installer file.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Appendix C: Set up a Cold Spare ApplianceYou can set up an appliance that can be used as the main appliance if the first one needs to betaken offline.

Requirements

l The BeyondInsight version on the cold spare must be the same or greater than the versionon the source appliance.

l It is recommended that both appliances turn on the Auto Updates role.l Ensure the cold spare is receiving updates so that it matches the source appliance.l For Analytics and Reporting, ensure SQL Server versions match on both appliances.l The source and spare appliances need the same name.

Note: If the SQL Server database is remote, the data will not be copied to the coldspare.

To set up the spare:

1. Select Roles Editor from the menu.2. Click the Cold Spare role.3. Turn on the role.4. Click Locations +.

a. Enter the path to theshared location wherethe back up files aresaved. Optionally,select an existingshare location.

b. If applicable, enter thecredentials that canaccess the share.Click the Test theRemote ShareCredentials button totest the connection.

5. Set scheduling information,including the day of the weekand time. The cold spareretrieves the information fromthe backup file at this time. When the cold spare starts up the data from the last backup fileretrieved is used.

6. Enter a restore password.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


7. Provide a temporary machinename.

8. Click Apply Changes.9. On the Roles Editor main

page, click Apply PendingChanges.A restart is required after thesettings are saved. A dialogbox is displayed when theappliance is ready to shutdown and restart.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


Appendix D: Dell PowerEdge System Updates

Update the BIOS on a Dell PowerEdge Server

1. Retrieve the BitLocker Recovery key. This can be retrieved in two ways:

l Open File Explorer and look for an external drive with a label “UVM-BITLOCK".There will be a text file on this drive for each drive letter on the UVM (1 x for aUVM20 and 4x for a UVM50).

l If the internal USB has been removed and it cannot be located type the followingcommand into a command window to display and save the BitLocker passwords.




2. Get the Service Tag from the server using one of the following ways:

l Find the EST label on the front of the server and pull out the card.l When logged on to Windows type “racadm getsysinfo". The information returnedwill contain the Service Tag number (only available on newer iDRAC versions).

3. Go to http://support.dell.com.4. Enter the Service Tag #.5. Click Drivers & Downloads.6. Change Category to show “BIOS" downloads.7. Download BIOS package and copy to the UVM.8. Double-click the downloaded .exe file and click Install.9. Follow the instructions and reboot when prompted.10. On reboot there might be a prompt to enter the BitLocker password (see step #1).

Update the Chipset Drivers on a Dell PowerEdge Server

1. Get the Service Tag from the server using one of the following methods:


2. Go to http://support.dell.com.3. Enter the Service Tag #.4. Click Drivers & Downloads.5. Change Operating System to either Windows 20012R2 or Windows 2008R2 depending

on the UVM image.6. Change Category to Chipset.7. Download the Chipset drivers and copy to the UVM.


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE


http://support.dell.com/


8. Run the downloaded installer and extract to a folder.9. In Windows Device Manager right-click any unidentified hardware devices and click

Update Driver.10. Select the browse location where the drivers were extracted earlier.

The driver files are located in a subfolder where the files were extracted. Search for afolder with *.inf files.

11. Click Next and allow the driver to be updated.12. Continue as needed with any other unidentified devices.

Update the iDRAC Software on a Dell PowerEdge Server

1. Retrieve the BitLocker Recovery key. This can be retrieved in two ways. (This may not beneeded later and is primarily for precautionary reasons).

l Open File Explorer and look for an external drive with a label “UVM-BITLOCK",there will be a text file on this drive for each drive letter on the UVM (1 x for aUVM20 and 4x for a UVM50).

l If the internal USB has been removed and it cannot be located type the followingcommand into a command window to display the BitLocker passwords and savethem.




2. Get the Service Tag from the server using one of the following ways:


3. Go to http://support.dell.com.4. Enter Service Tag #.5. Click Drivers & Downloads.6. For Category select iDRAC with Lifecycle controller.7. Download the latest version available and copy to the UVM (Not the iDRAC Controller

Integration).8. Run the downloaded file.9. Follow the instructions and reboot when prompted.10. On reboot there might be a prompt to enter the BitLocker password (see step #1).


TC: 9/6/2019

UVM APPLIANCE

USER GUIDE



Date post:	27-Jul-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

UVM User Guide - BeyondTrust · 2020-05-18 · EnterSMTPServerSettings 19 ProxySettings 19...

Documents