System requirements

BeyondInsight software and hardware requirements

ℹ️

Note

Installation on domain controllers or small business servers is not supported.

Server requirements

After you configure BeyondInsight, ensure the following IIS roles, server roles, and features in Server Manager are set.

ℹ️

Note

Some features are selected by default.

Windows Server 2016

  • Web Server (IIS)
    • Common HTTP Features
      • Default Document
      • Directory Browsing
      • HTTP Errors
      • Static Content
      • HTTP Redirection
    • Health and Diagnostics
      • HTTP Logging
    • Performance
      • Static Content Compression
    • Security
      • Request Filtering
      • Basic Authentication
      • Client Certificate Mapping Authentication
      • Digest Authentication
      • IIS Client Certificate Mapping Authentication
      • IP and Domain Restrictions
      • URL Authorization
      • Windows Authentication
    • Application Development
      • .NET Extensibility 3.5
      • .NET Extensibility 4.6
      • ASP.NET 3.5
      • ASP.NET 4.6
      • ISAPI Extensions
      • ISAPI Filters
    • Management Tools
      • IIS Management Console
      • IIS 6 Management Compatibility
        • IIS 6 Metabase Compatibility
      • IIS Management Scripts and Tools
      • Management Service
Features
  • .NET Framework 3.5 Features
    • .NET Framework 3.5 (includes .NET 2.0 and 3.0)
    • HTTP Activation
  • .NET Framework 4.6 Features
    • .NET Framework 4.6
    • ASP.NET 4.6
    • WCF Services
      • HTTP Activation
      • TCP Port Sharing
  • Windows Process Activation Service
    • Process Model
    • .NET Environment 3.5
    • Configuration APIs

Windows Server 2019

  • Web Server (IIS)
    • Common HTTP Features
      • Default Document
      • Directory Browsing
      • HTTP Errors
      • Static Content
      • HTTP Redirection
    • Health and Diagnostics
      • HTTP Logging
    • Performance
      • Static Content Compression
    • Security
      • Request Filtering
      • Basic Authentication
      • Client Certificate Mapping Authentication
      • Digest Authentication
      • IIS Client Certificate Mapping Authentication
      • IP and Domain Restrictions
      • URL Authorization
      • Windows Authentication
    • Application Development
      • .NET Extensibility 3.5
      • .NET Extensibility 4.7
      • ASP.NET 3.5
      • ASP.NET 4.7
      • ISAPI Extensions
      • ISAPI Filters
    • Management Tools
      • IIS Management Console
      • IIS Management Scripts and Tools
      • Management Service
Features
  • .NET Framework 3.5 Features
    • .NET Framework 3.5 (includes .NET 2.0 and 3.0)
    • HTTP Activation
  • .NET Framework 4.7 Features
    • .NET Framework 4.7
    • ASP.NET 4.7
    • WCF Services
      • HTTP Activation
      • TCP Port Sharing
  • Windows Process Activation Service
    • Process Model
    • .NET Environment 3.5
    • Configuration APIs

Windows Server 2022

  • Web Server (IIS)
    • Common HTTP Features
      • Default Document
      • Directory Browsing
      • HTTP Errors
      • Static Content
      • HTTP Redirection
    • Health and Diagnostics
      • HTTP Logging
    • Performance
      • Static Content Compression
    • Security
      • Request Filtering
      • Basic Authentication
      • Client Certificate Mapping Authentication
      • Digest Authentication
      • IIS Client Certificate Mapping Authentication
      • IP and Domain Restrictions
      • URL Authorization
      • Windows Authentication
    • Application Development
      • .NET Extensibility 3.5
      • .NET Extensibility 4.7
      • ASP.NET 3.5
      • ASP.NET 4.7
      • ISAPI Extensions
      • ISAPI Filters
    • Management Tools
      • IIS Management Console
      • IIS Management Scripts and Tools
      • Management Service
Features
  • .NET Framework 3.5 Features
    • .NET Framework 3.5 (includes .NET 2.0 and 3.0)
    • HTTP Activation
  • .NET Framework 4.7 Features
    • .NET Framework 4.7
    • ASP.NET 4.7
    • WCF Services
      • HTTP Activation
      • TCP Port Sharing
  • Windows Process Activation Service
    • Process Model
    • .NET Environment 3.5
    • Configuration APIs

Database requirements

Before installing the console, log in as a domain or local administrator and install the SQL Server database.

Supported versions

  • On Premises
    • SQL Server 2016
    • SQL Server 2017
    • SQL Server 2019
    • SQL Server 2022

ℹ️

Note

Microsoft SQL Server Express is not supported and will cause installation errors if attempted.

  • Cloud

    • Microsoft Azure SQL Database (a minimum of 200 DTUs is recommended.)

    ℹ️

    Note

    Increases in size of Azure SQL database might be required in the future as usage grows.

    • Amazon RDS for SQL Server

ℹ️

Note

While the cloud database services listed above can be used for the console SQL Server database, the Analytics & Reporting features of the product, if desired, still need to be hosted on premises.

Components to install

  • Database Engine Services

ℹ️

Note

While Full Text Search is enabled by default, additional steps are required to create a full-text index and catalog in order to run a keyword search for Password Safe Session Recordings. For more information, see Get Started with Full-Text Search.

  • Analysis Services
  • Reporting and Integration Services
  • SQL Server Management Studio

Service accounts

  • Accept the default service accounts. An individual account is automatically created for each service.
  • Set the SQL Server Agent start mode as Automatic (the default is Manual).
  • Select Windows authentication mode.

ℹ️

Note

You can select Mixed mode authentication, if desired, and provide the sa account password. However, this is not necessary when SQL Server resides on the same machine as the console.

  • Select Add Current User when setting the SQL Server Administrator and Analysis Services Administrator.

Database permissions matrix

Permission, followed by the required SQL Server configuration:

  • SQL Authentication (SQL Local or SQL Remote)
    • Assign the SQL Server account the role of sysadmin.
  • Windows Authentication (SQL Local)
    • Assign NT AUTHORITY\SYSTEM the role of sysadmin, if not previously assigned.
    • Add NT AUTHORITY\NETWORK SERVICE as a Login account in SQL Server, if not previously added.
    • On the BeyondInsight database, assign NT AUTHORITY\NETWORK SERVICE the roles of db_owner and REM3Admins.
    • REM3Admins is a custom role created by the installer.
  • Windows Authentication (SQL Remote, where SQL Server and BeyondInsight are on the same domain or in trusted domains of a forest)
    • In SQL Server, create a local Windows group and add the group to the SQL Server instance.
    • On the BeyondInsight database, assign the account the roles of db_owner and REM3Admins.
    • Add each BeyondInsight machine to this local group, including any Event Collector machines or Password Safe worker node machines, in the format:
      'Domain\MachineName1

Set the server role on NT AUTHORITY\SYSTEM

  1. In SQL Server Management Studio, go to Security > Logins.
  2. Right-click NT AUTHORITY\SYSTEM and select Properties.
  3. Select Server Roles > sysadmin, and then click OK.

ADOMD.NET requirement

The BeyondInsight web server uses SQL ADOMD.NET components to communicate with the SQL Analysis Services cube. In cases where the web server does not have SQL installed, you must manually install the ADOMD.NET components. The SQL_AS_ADOMD.msi file is included with BeyondInsight and can be found in the Support folder. After installing the ADOMD.NET components, you might need to restart IIS.

Least privilege database user account setup

The installation of BeyondInsight requires the creation of a Least Privilege Database User account within the Configuration Wizard. The SQL Authentication Credentials entered previously in the Configuration Wizard are populated by default, but can be changed and are used to create the least privilege user account and database.

The Least Privilege Database User Account is granted the following permissions by default:

  • General
    • Enforce password policy
    • Enforce password expiration
  • Server Roles
    • Public
  • User Mapping
    • Mapped to the RetinaCSDatabase created in previous screens
  • Securables
    • Connect SQL: Grant
    • View any database: Deny
  • Status
    • Settings
      • Permissions to connect to database engine: Grant
      • Login: Enabled


Port requirements

BeyondInsight

| Function | Traffic | Port |
|---|---|---|
| Database Connectivity | Management console to SQL Server, Analytics & Reporting to SQL Server | 1433 |
| Event Collector | BeyondTrust Discovery Scanner to BeyondInsight | 21690 |
| Discovery Scanner Central Policy | BeyondTrust Discovery Scanner to the console | 443 |
| BeyondTrust Updater Enterprise | | 443 |
| Client Browser | User to BeyondInsight or Analytics & Reporting | 443 or 80 |
| Privilege Management for Desktops | Connector to web services | 443 |

U-Series Appliance

| Function | Traffic | Port |
|---|---|---|
| Database Connectivity | BeyondInsight to SQL Server, Analytics & Reporting to SQL Server | 1433 |
| Event Collector | Discovery Scanner or Endpoint Privilege Management to BeyondInsight | 21690 |
| Privilege Management for Desktops | Connector to web services | 443 |
| Discovery Scanner Central Policy | BeyondTrust Discovery Scanner to the console | 443 |
| Client Browser | User to BeyondInsight or Analytics & Reporting | 443 or 80 |
| Windows Passwords | Password Safe service to client | 135, 139, 445, 389 |
| UNIX, Linux, Other | Password Safe service to client | 22 |
| Database | Password Safe service to client | 1433 |
| RDP Client and Target Proxy Session Monitoring | | 4489, 3389 |
| SSH Client and Target Proxy Session Monitoring | | 4422, 22 |
| High Availability BeyondInsight | | 443, 5022 |
| Email Notifications | | 25 |

Password Safe

System Discovery

| Function | Service | Port |
|---|---|---|
| User enumeration | nb-ssn, ms-ds | TCP 139, 445 |
| Hardware enumeration (WMI service running on target) | nb-ssn, ms-ds | TCP 139, 445 |
| Software enumeration (Remote registry service running on target) | nb-ssn, ms-ds | TCP 139, 445 |
| Local scan service | ms-ds | TCP 445 |

Password Change

| Function | Service | Port |
|---|---|---|
| Windows password change (As a fallback, uses ms-ds, 445, TCP) | adsi-ldap; adsi-ldaps | TCP / UDP 389; TCP 636 / UDP 389 |
| Windows update and restart services (WMI service running on target) | wmi | TCP 135 |
| Active Directory password change (As a fallback, uses ms-ds, 445, TCP) | adsi-ldap; adsi-ldaps | TCP 135; TCP 636 / UDP 389 |
| User and computer authentication, forest-level trusts | kerberos | TCP / UDP 88 |
| UNIX, Linux, macOS | ssh | TCP 22 |
| Oracle | oracle-listener | TCP 1521 |
| Oracle RAC Database (Fast Application Notification and Fast Connect Failover events) | Oracle Notification Services (ONS) | TCP 6100, 6200 |
| Microsoft SQL Server | netlib | TCP 1433 |
| HP ILO | ssh | TCP 22 |
| Dell DRAC | ssh | TCP 22 |

Session Management

| Function | Service | Port |
|---|---|---|
| Remote Desktop | rdp | TCP 3389 |
| SSH | ssh | TCP 22 |

U-Series Appliance

| Function | Service | Port |
|---|---|---|
| Mail server integration | smtp | TCP 25 |
| Active Directory integration | ldap; ldaps | TCP / UDP 389; TCP 636 / UDP 389 |
| Backup | smb | TCP 445 |
| Time Protocol | ntp | UDP 123 |
| High-availability replication (pair) | sql-mirroring, https | TCP 5022, 443 |
