System requirements
BeyondInsight software and hardware requirements
Note
Installation on domain controllers or small business servers is not supported.
Server requirements
After you configure BeyondInsight, ensure the following IIS roles, server roles, and features in Server Manager are set.
Note
Some features are selected by default.
Windows Server 2016
- Web Server (IIS)
- Common HTTP Features
- Default Document
- Directory Browsing
- HTTP Errors
- Static Content
- HTTP Redirection
- Health and Diagnostics
- HTTP Logging
- Performance
- Static Content Compression
- Security
- Request Filtering
- Basic Authentication
- Client Certificate Mapping Authentication
- Digest Authentication
- IIS Client Certificate Mapping Authentication
- IP and Domain Restrictions
- URL Authorization
- Windows Authentication
- Application Development
- .NET Extensibility 3.5
- .NET Extensibility 4.6
- ASP.NET 3.5
- ASP.NET 4.6
- ISAPI Extensions
- ISAPI Filters
- Management Tools
- IIS Management Console
- IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility
- IIS Management Scripts and Tools
- Management Service
- Common HTTP Features
Features
- .NET Framework 3.5 Features
- .NET Framework 3.5 (includes .NET 2.0 and 3.0)
- HTTP Activation
- .NET Framework 4.6 Features
- .NET Framework 4.6
- ASP.NET 4.6
- WCF Services
- HTTP Activation
- TCP Port Sharing
- Windows Process Activation Service
- Process Model
- .NET Environment 3.5
- Configuration APIs
Windows Server 2019
- Web Server (IIS)
- Common HTTP Features
- Default Document
- Directory Browsing
- HTTP Errors
- Static Content
- HTTP Redirection
- Health and Diagnostics
- HTTP Logging
- Performance
- Static Content Compression
- Security
- Request Filtering
- Basic Authentication
- Client Certificate Mapping Authentication
- Digest Authentication
- IIS Client Certificate Mapping Authentication
- IP and Domain Restrictions
- URL Authorization
- Windows Authentication
- Application Development
- .NET Extensibility 3.5
- .NET Extensibility 4.7
- ASP.NET 3.5
- ASP.NET 4.7
- ISAPI Extensions
- ISAPI Filters
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- Management Service
- Common HTTP Features
Features
- .NET Framework 3.5 Features
- .NET Framework 3.5 (includes .NET 2.0 and 3.0)
- HTTP Activation
- .NET Framework 4.7 Features
- .NET Framework 4.7
- ASP.NET 4.7
- WCF Services
- HTTP Activation
- TCP Port Sharing
- Windows Process Activation Service
- Process Model
- .NET Environment 3.5
- Configuration APIs
Windows Server 2022
- Web Server (IIS)
- Common HTTP Features
- Default Document
- Directory Browsing
- HTTP Errors
- Static Content
- HTTP Redirection
- Health and Diagnostics
- HTTP Logging
- Performance
- Static Content Compression
- Security
- Request Filtering
- Basic Authentication
- Client Certificate Mapping Authentication
- Digest Authentication
- IIS Client Certificate Mapping Authentication
- IP and Domain Restrictions
- URL Authorization
- Windows Authentication
- Application Development
- .NET Extensibility 3.5
- .NET Extensibility 4.7
- ASP.NET 3.5
- ASP.NET 4.7
- ISAPI Extensions
- ISAPI Filters
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- Management Service
- Common HTTP Features
Features
- .NET Framework 3.5 Features
- .NET Framework 3.5 (includes .NET 2.0 and 3.0)
- HTTP Activation
- .NET Framework 4.7 Features
- .NET Framework 4.7
- ASP.NET 4.7
- WCF Services
- HTTP Activation
- TCP Port Sharing
- Windows Process Activation Service
- Process Model
- .NET Environment 3.5
- Configuration APIs
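One way to check the three lists above on a given server, as an added example that is not part of the BeyondInsight documentation: it compares the installed roles and features with the required set by using `Get-WindowsFeature`. The identifiers are the standard Server Manager feature names for the display names listed above (the .NET Framework 4.x entries map to the "45" identifiers); the function name `Get-MissingFeature` is hypothetical.

```powershell
# Added example: report which required roles/features are missing on this server.
# Identifiers are the Get-WindowsFeature names for the display names listed above.
$required = @(
    # Web Server (IIS)
    'Web-Server', 'Web-Common-Http', 'Web-Default-Doc', 'Web-Dir-Browsing',
    'Web-Http-Errors', 'Web-Static-Content', 'Web-Http-Redirect',
    'Web-Health', 'Web-Http-Logging', 'Web-Performance', 'Web-Stat-Compression',
    'Web-Security', 'Web-Filtering', 'Web-Basic-Auth', 'Web-Client-Auth',
    'Web-Digest-Auth', 'Web-Cert-Auth', 'Web-IP-Security', 'Web-Url-Auth',
    'Web-Windows-Auth', 'Web-App-Dev', 'Web-Net-Ext', 'Web-Net-Ext45',
    'Web-Asp-Net', 'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'Web-Scripting-Tools', 'Web-Mgmt-Service',
    # Features
    'NET-Framework-Features', 'NET-Framework-Core', 'NET-HTTP-Activation',
    'NET-Framework-45-Features', 'NET-Framework-45-Core', 'NET-Framework-45-ASPNET',
    'NET-WCF-Services45', 'NET-WCF-HTTP-Activation45', 'NET-WCF-TCP-PortSharing45',
    'WAS', 'WAS-Process-Model', 'WAS-NET-Environment', 'WAS-Config-APIs'
)
# Only the Windows Server 2016 list includes the IIS 6 compatibility items.
$only2016 = @('Web-Mgmt-Compat', 'Web-Metabase')

function Get-MissingFeature {
    param([string[]]$Name)
    $state = @(Get-WindowsFeature -Name $Name)
    [pscustomobject]@{
        # Known to this OS but not installed
        NotInstalled = @($state | Where-Object { -not $_.Installed } | ForEach-Object Name)
        # Not returned by Get-WindowsFeature on this OS build
        Unknown      = @($Name | Where-Object { $_ -notin $state.Name })
    }
}

$caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($caption -match 'Server 2016') { $required += $only2016 }

$result = Get-MissingFeature -Name $required
if ($result.NotInstalled.Count -or $result.Unknown.Count) {
    Write-Warning "Not installed: $($result.NotInstalled -join ', ')"
    Write-Warning "Unknown on this OS: $($result.Unknown -join ', ')"
} else {
    Write-Output "All $($required.Count) required roles and features are installed on $caption."
}
```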
Database requirements
Before installing the console, log in as a domain or local administrator and install the SQL Server database.
Supported versions
- On Premises
- SQL Server 2016
- SQL Server 2017
- SQL Server 2019
- SQL Server 2022
Note
Microsoft SQL Server Express is not supported and will cause installation errors if attempted.
- Cloud
- Microsoft Azure SQL Database (a minimum of 200 DTUs is recommended)
Note
Increases in the size of the Azure SQL database might be required in the future as usage grows.
- Amazon RDS for SQL Server
Note
While the cloud database services listed above can be used for the console SQL Server database, the Analytics & Reporting features of the product, if desired, still need to be hosted on premises.
Components to install
- Database Engine Services
Note
While Full Text Search is enabled by default, additional steps are required to create a full-text index and catalog in order to run a keyword search for Password Safe Session Recordings. For more information, see Get Started with Full-Text Search.
- Analysis Services
- Reporting and Integration Services
- SQL Server Management Studio
Service accounts
- Accept the default service accounts. An individual account is automatically created for each service.
- Set the SQL Server Agent start mode as Automatic (the default is Manual).
- Select Windows authentication mode.
Note
You can select Mixed mode authentication, if desired, and provide the sa account password. However, this is not necessary when SQL Server resides on the same machine as the console.
- Select Add Current User when setting the SQL Server Administrator and Analysis Services Administrator.
Database permissions matrix
Permission | SQL Server |
---|---|
SQL Authentication (SQL Local or SQL Remote) | Assign the SQL Server account the role of sysadmin. |
Windows Authentication (SQL Local) | Assign NT AUTHORITY\SYSTEM the role of sysadmin, if not previously assigned. Add NT AUTHORITY\NETWORK SERVICE as a Login account in SQL Server, if not previously added. On the BeyondInsight database, assign NT AUTHORITY\NETWORK SERVICE the roles of db_owner and REM3Admins. REM3Admins is a custom role created by the installer. |
Windows Authentication (SQL Remote, where SQL Server and BeyondInsight are on the same domain or in trusted domains of a forest) | In SQL Server, create a local Windows group and add the group to the SQL Server instance. On the BeyondInsight database, assign the account the roles of db_owner and REM3Admins. Add each BeyondInsight machine to this local group, including any Event Collector machines or Password Safe worker node machines, in the format: 'Domain\MachineName1 |
Set the server role on NT AUTHORITY\SYSTEM
- In SQL Server Management Studio, go to Security > Logins.
- Right-click NT AUTHORITY\SYSTEM and select Properties.
- Select Server Roles > sysadmin, and then click OK.
ADOMD.NET requirement
The BeyondInsight web server uses SQL ADOMD.NET components to communicate with the SQL Analysis Services cube. In cases where the web server does not have SQL installed, you must manually install the ADOMD.NET components. The SQL_AS_ADOMD.msi file is included with BeyondInsight and can be found in the Support folder. After installing the ADOMD.NET components, you might need to restart IIS.
Least privilege database user account setup
The installation of BeyondInsight requires the creation of a Least Privilege Database User account within the Configuration Wizard. The SQL Authentication Credentials entered previously in the Configuration Wizard are populated by default, but can be changed and are used to create the least privilege user account and database.
The Least Privilege Database User Account is granted the following permissions by default:
- General
- Enforce password policy
- Enforce password expiration
- Server Roles
- Public
- User Mapping
- Mapped to the RetinaCSDatabase created in previous screens
- Securables
- Connect SQL: Grant
- View any database: Deny
- Status
- Settings
- Permissions to connect to database engine: Grant
- Login: Enabled
- Settings
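To confirm that a login still matches the defaults listed above, the settings can be read back from the SQL Server catalog views. The following is an added example, not part of the BeyondInsight documentation; it assumes Windows PowerShell 5.1, a Windows-authenticated administrator, and a SQL login whose name you supply (the function name, the `localhost` instance and the placeholder login name are hypothetical). It does not check the user mapping to the database.

```powershell
# Added example: audit a SQL login against the least-privilege defaults listed above.
function Test-LeastPrivilegeLogin {
    param(
        [Parameter(Mandatory)][string]$LoginName,  # hypothetical: name set in the Configuration Wizard
        [string]$ServerInstance = 'localhost'      # assumption: default local instance
    )
    $sql = @'
SELECT l.is_policy_checked, l.is_expiration_checked, l.is_disabled,
  (SELECT COUNT(*) FROM sys.server_role_members m
    WHERE m.member_principal_id = l.principal_id) AS extra_roles,
  (SELECT COUNT(*) FROM sys.server_permissions p
    WHERE p.grantee_principal_id = l.principal_id AND p.class = 100
      AND p.permission_name = 'CONNECT SQL' AND p.state IN ('G','W')) AS connect_granted,
  (SELECT COUNT(*) FROM sys.server_permissions p
    WHERE p.grantee_principal_id = l.principal_id AND p.class = 100
      AND p.permission_name = 'VIEW ANY DATABASE' AND p.state = 'D') AS view_db_denied
FROM sys.sql_logins AS l WHERE l.name = @login;
'@
    $connString = "Server=$ServerInstance;Database=master;Integrated Security=SSPI"
    $conn  = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.Parameters.AddWithValue('@login', $LoginName)  # parameterized, not concatenated
        $table.Load($cmd.ExecuteReader())
    } finally { $conn.Dispose() }
    if ($table.Rows.Count -eq 0) { throw "SQL login '$LoginName' was not found." }
    $r = $table.Rows[0]
    # One entry per setting from the list above; Pass is $false on any drift.
    # public membership is implicit, so any row in server_role_members is an extra role.
    # "Connect SQL: Grant" and "Permissions to connect to database engine: Grant"
    # are the same server permission, so one check covers both.
    $checks = [ordered]@{
        'Enforce password policy'     = $r.is_policy_checked -eq $true
        'Enforce password expiration' = $r.is_expiration_checked -eq $true
        'Server roles: public only'   = $r.extra_roles -eq 0
        'Connect SQL: Grant'          = $r.connect_granted -ge 1
        'View any database: Deny'     = $r.view_db_denied -ge 1
        'Login: Enabled'              = $r.is_disabled -eq $false
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Setting = $_.Key; Pass = $_.Value }
    }
}
# Usage (placeholder login name):
# Test-LeastPrivilegeLogin -LoginName '<least-privilege-login>' | Where-Object { -not $_.Pass }
```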
Port requirements
BeyondInsight
Function | Traffic | Port |
---|---|---|
Database Connectivity | Management console to SQL Server, Analytics & Reporting to SQL Server | 1433 |
Event Collector | BeyondTrust Discovery Scanner to BeyondInsight | 21690 |
Discovery Scanner Central Policy | BeyondTrust Discovery Scanner to the console | 443 |
BeyondTrust Updater Enterprise | | 443 |
Client Browser | User to BeyondInsight or Analytics & Reporting | 443 or 80 |
Privilege Management for Desktops | Connector to web services | 443 |
U-Series Appliance
Function | Traffic | Port |
---|---|---|
Database Connectivity | BeyondInsight to SQL Server, Analytics & Reporting to SQL Server | 1433 |
Event Collector | Discovery Scanner or Endpoint Privilege Management to BeyondInsight | 21690 |
Privilege Management for Desktops | Connector to web services | 443 |
Discovery Scanner Central Policy | BeyondTrust Discovery Scanner to the console | 443 |
Client Browser | User to BeyondInsight or Analytics & Reporting | 443 or 80 |
Windows Passwords | Password Safe service to client | 135, 139, 445, 389 |
UNIX, Linux, Other | Password Safe service to client | 22 |
Database | Password Safe service to client | 1433 |
RDP Client and Target Proxy Session Monitoring | | 4489, 3389 |
SSH Client and Target Proxy Session Monitoring | | 4422, 22 |
High Availability BeyondInsight | | 443, 5022 |
Email Notifications | | 25 |
Password Safe
Function | Service | Port |
---|---|---|
System Discovery | | |
User enumeration | nb-ssn, ms-ds | TCP 139, 445 |
Hardware enumeration (WMI service running on target) | nb-ssn, ms-ds | TCP 139, 445 |
Software enumeration (Remote registry service running on target) | nb-ssn, ms-ds | TCP 139, 445 |
Local scan service | ms-ds | TCP 445 |
Password Change | | |
Windows password change (as a fallback, uses ms-ds, 445, TCP) | adsi-ldap, adsi-ldaps | TCP / UDP 389; TCP 636 / UDP 389 |
Windows update and restart services (WMI service running on target) | wmi | TCP 135 |
Active Directory password change (as a fallback, uses ms-ds, 445, TCP) | adsi-ldap, adsi-ldaps | TCP 135; TCP 636 / UDP 389 |
User and computer authentication, forest-level trusts | kerberos | TCP / UDP 88 |
UNIX, Linux, macOS | ssh | TCP 22 |
Oracle | oracle-listener | TCP 1521 |
Oracle RAC Database (Fast Application Notification and Fast Connect Failover events) | Oracle Notification Services (ONS) | TCP 6100, 6200 |
Microsoft SQL Server | netlib | TCP 1433 |
HP ILO | ssh | TCP 22 |
Dell DRAC | ssh | TCP 22 |
Session Management | | |
Remote Desktop | rdp | TCP 3389 |
SSH | ssh | TCP 22 |
U-Series Appliance | | |
Mail server integration | smtp | TCP 25 |
Active Directory integration | ldap, ldaps | TCP / UDP 389; TCP 636 / UDP 389 |
Backup | smb | TCP 445 |
Time Protocol | ntp | UDP 123 |
High-availability replication (pair) | sql-mirroring, https | TCP 5022, 443 |