F5 BIG-IP configuration guide for BeyondInsight | PS
Executive Summary
BeyondInsight and Password Safe support several configuration methodologies for high availability, redundancy, and scalability. You can install the solution as software or deploy it as a ready-to-run security appliance called a U-Series; the U-Series is the more common deployment method. Most configurations require an external application delivery controller as a load balancer to help users and software endpoints continue to connect to BeyondInsight when a primary IP address goes offline. This guide describes these configuration options using the F5 BIG-IP Local Traffic Manager (LTM) application delivery controller.
Deployment Methodologies
Active/Passive
Active/Passive requires two appliances. The internal databases are replicated, and a heartbeat from the primary node signals the secondary to take over operations when needed. Active/Passive is called High Availability or HA Pairing in the U-Series appliance interface. Despite the name, configure High Availability in the U-Series appliance only for the Active/Passive deployment methodology.
Active/Passive is available for U-Series appliances only and is not supported for Password Safe Cloud. The system fails over automatically to a mirrored appliance when the primary appliance is unavailable. This method uses two appliances configured as a pair.
For more information about configuring Active/Passive pairing and requirements, see U-Series Business Continuity and U-Series Deployment and Failover Guide.
Active/Active
Also called multi-active, this deployment type allows multiple nodes (Password Safe instances) to be active simultaneously. Each node connects directly to an external database.
For more information about Active/Active design, see U-Series Deployment and Failover Guide.
Design Overview
BeyondInsight and Password Safe expose several network endpoints that each require different load-balancing configurations:
- The Password Safe HTTPS website and API, together with its session recording endpoints:
webconsole/api/configuration/feature/passwordsafe
- The BeyondInsight Management Console HTTPS website (typically for A&R configuration):
webconsole/api/configuration/feature/managementconsole
- The BI Event Collector for EPM Windows and Mac events:
EventCollector/EventCollector
Each endpoint has different networking and TLS requirements and must be configured as a separate virtual server in the F5 BIG-IP LTM. Because each endpoint uses a different URI, availability monitoring also requires separate configuration. For Active/Passive high-availability configurations, the goal is fast, efficient failover, even if it requires users to sign in again.
Configuration Elements for Both A/A and A/P Deployments
Example Monitors
The HTTPS monitor differs between Active/Active and Active/Passive deployments. The RDP and SSH monitors use the same definition in both.
RDP Monitor
Use a TCP Half-Open check for the RDP monitor. A full TCP check can periodically cause high CPU utilization on the U-Series appliance.
ltm monitor tcp-half-open U-Series-PWSMonitor-HalfOpen {
defaults-from tcp_half_open
description "U-Series test if RDP is available"
destination *.4489
interval 5
time-until-up 0
timeout 16
}
SSH Monitor
ltm monitor tcp U-Series-SSH-TCP-Monitor {
adaptive disabled
defaults-from tcp
description "U-Series test if SSH is available"
destination *.4422
interval 5
ip-dscp 0
recv SSH-2.0-PBPS-SM
recv-disable none
send none
time-until-up 0
timeout 16
}
Example HTTP and SSL Profiles
Build an HTTP profile to add the X-Forwarded-For header to HTTP communication. This enables address translation and avoids triangle routing complications. (This is not required when the F5 is the default router for the BeyondInsight appliances, which is a less common configuration.) Any location-based policies or API configurations must read the X-Forwarded-For header and restrict that header to the SNAT address of the virtual server. Because the F5 inspects and modifies the HTTP stream, it must terminate the TLS connection, which requires a client SSL profile to host the TLS certificate for the Password Safe deployment.
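The header-trust rule described above, as an added example that is not part of this guide or the BeyondTrust product: a backend-side check that consults X-Forwarded-For only when the TCP peer is one of the F5 SNAT addresses, and otherwise treats the header as untrusted. The SNAT addresses are taken from this guide's sample configuration; the helper names and the "last value of the last header" rule are assumptions.

```python
import ipaddress

# Constructed: the SNAT translation addresses used in this guide's examples.
TRUSTED_SNAT = {
    ipaddress.ip_address("192.168.1.11"),
    ipaddress.ip_address("192.168.11.241"),
}


def client_ip(peer_addr, xff_headers, trusted=TRUSTED_SNAT):
    """Return the address a location-based policy should evaluate.

    peer_addr   - TCP peer that connected to the appliance
    xff_headers - list of X-Forwarded-For header values, in wire order

    Assumption: the F5 (accept-xff disabled, insert-xforwarded-for enabled)
    appends its own header carrying the real client, so the trustworthy
    entry is the last address of the last header. Any header arriving from
    a peer that is not the SNAT address may be forged and is ignored.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in trusted or not xff_headers:
        return peer
    last = xff_headers[-1].split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return peer  # malformed header: fall back to the peer address


def allowed(peer_addr, xff_headers, allowed_nets, trusted=TRUSTED_SNAT):
    """Location restriction: is the effective client inside an allowed network?"""
    ip = client_ip(peer_addr, xff_headers, trusted)
    return any(ip in ipaddress.ip_network(net) for net in allowed_nets)
```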
Example HTTP Profile
ltm profile http /Common/pws-http-xff-profile {
accept-xff disabled
app-service none
basic-auth-realm none
defaults-from /Common/http
encrypt-cookies none
enforcement {
allow-ws-header-name disabled
known-methods { CONNECT DELETE GET HEAD LOCK OPTIONS POST PROPFIND PUT TRACE UNLOCK }
max-header-count 64
max-header-size 32768
max-requests 0
pipeline allow
rfc-compliance disabled
truncated-redirects disabled
unknown-method allow
}
fallback-host none
fallback-status-codes none
header-erase none
header-insert none
hsts {
include-subdomains enabled
maximum-age 16070400
mode disabled
preload disabled
}
insert-xforwarded-for enabled
lws-separator none
lws-width 80
oneconnect-status-reuse "200 206"
oneconnect-transformations enabled
proxy-type reverse
redirect-rewrite none
request-chunking sustain
response-chunking sustain
response-headers-permitted none
server-agent-name BigIP
sflow {
poll-interval 0
sampling-rate 0
}
via-request preserve
via-response preserve
xff-alternative-names none
}
Example SSL Profile
This profile publishes the TLS certificate from the F5, allowing the HTTP profile to modify the decrypted HTTP stream before sending it to the backend U-Series appliances.
ltm profile client-ssl /Common/prod-pws-clientssl-https {
alert-timeout indefinite
allow-dynamic-record-sizing disabled
allow-non-ssl disabled
app-service none
cache-size 262144
cache-timeout 3600
cert-key-chain {
pbps-2025-08-cert_pbps-2025-08-cert_0 {
cert /Common/pbps-2025-08-cert
chain /Common/pbps-2025-08-cert
key /Common/pbps-2025-08-cert
}
}
cipher-group none
ciphers DEFAULT
data-0rtt disabled
defaults-from /Common/clientssl
generic-alert enabled
handshake-timeout 10
inherit-ca-certkeychain true
inherit-certkeychain false
max-active-handshakes indefinite
max-aggregate-renegotiation-per-minute indefinite
max-renegotiations-per-minute 5
maximum-record-size 16384
mod-ssl-methods disabled
mode enabled
notify-cert-status-to-virtual-server disabled
ocsp-stapling disabled
options { dont-insert-empty-fragments no-tlsv1.3 no-dtlsv1.2 }
peer-no-renegotiate-timeout 10
proxy-ssl disabled
proxy-ssl-passthrough disabled
renegotiate-max-record-delay indefinite
renegotiate-period indefinite
renegotiate-size indefinite
renegotiation enabled
secure-renegotiation require
server-name none
session-mirroring disabled
session-ticket disabled
session-ticket-timeout 0
sni-default false
sni-require false
ssl-sign-hash any
strict-resume disabled
unclean-shutdown enabled
}
Example Pool and Node Configurations
ltm node /Common/useries01 {
address 192.168.1.3
monitor /Common/U-Series-ActiveActive-PS-API-Check and /Common/U-Series-HA-Status and /Common/U-Series-Management-Check and /Common/U-Series-PWSMonitor-HalfOpen and /Common/U-Series-SSH-TCP-Monitor
}
ltm node /Common/useries02 {
address 192.168.1.4
monitor /Common/U-Series-ActiveActive-PS-API-Check and /Common/U-Series-Management-Check and /Common/U-Series-PWSMonitor-HalfOpen and /Common/U-Series-SSH-TCP-Monitor and /Common/U-Series-HA-Status
}
ltm pool /Common/Lab-PWS-Pool {
load-balancing-mode observed-member
members {
/Common/lbapscww06-http:0 {
address 192.168.11.15
}
}
monitor /Common/U-Series-ActiveActive-PS-API-Check and /Common/U-Series-Management-Check and /Common/U-Series-PWSMonitor-HalfOpen and /Common/U-Series-SSH-TCP-Monitor
}
ltm pool /Common/Prod-PWS-Pool {
load-balancing-mode observed-member
members {
/Common/useries01:0 {
address 192.168.1.3
}
/Common/useries02:0 {
address 192.168.1.4
}
}
monitor /Common/U-Series-HA-Status and /Common/U-Series-PWSMonitor-HalfOpen and /Common/U-Series-SSH-TCP-Monitor
}
Example SNAT Configuration
Source Network Address Translation (SNAT) is required in one-armed and other triangle-routing configurations. For more information about SNAT, see the Overview of SNAT features.
ltm snat /Common/PWS-lab-SNAT-IP {
origins {
0.0.0.0/0 { }
}
translation /Common/192.168.11.241
}
ltm snat-translation /Common/192.168.1.11 {
address 192.168.1.11
inherited-traffic-group true
traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/PWS-SNAT-Pool {
members {
/Common/192.168.1.11
}
}
Example Virtual Server
Server Name Indication (SNI) may work on the virtual server configuration, but BeyondTrust has not tested it.
Because this configuration uses a SNAT Pool and address translation, the PWS Appliance API and Location Restrictions features need to match on both the SNAT IP from the F5 and the X-Forwarded-For header indicating the client.
ltm virtual /Common/Prod-PWS-VS-HTTP {
creation-time 2026-04-17:11:59:34
destination /Common/192.168.1.201:443
ip-protocol tcp
last-modified-time 2026-04-17:14:01:54
mask 255.255.255.255
persist {
/Common/source_addr {
default yes
}
}
pool /Common/Prod-PWS-Pool
profiles {
/Common/prod-pws-clientssl-https {
context clientside
}
/Common/pws-http-xff-profile { }
/Common/serverssl-secure {
context serverside
}
/Common/tcp { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
pool /Common/PWS-SNAT-Pool
type snat
}
translate-address enabled
translate-port enabled
}
ltm virtual /Common/Prod-PWS-VS-RDP {
creation-time 2026-04-17:11:59:58
destination /Common/192.168.1.201:4489
ip-protocol tcp
last-modified-time 2026-04-17:13:57:56
mask 255.255.255.255
persist {
/Common/source_addr {
default yes
}
}
pool /Common/Prod-PWS-Pool
profiles {
/Common/tcp { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
pool /Common/PWS-SNAT-Pool
type snat
}
translate-address enabled
translate-port enabled
}
ltm virtual /Common/Prod-PWS-VS-SSH {
creation-time 2026-04-17:12:00:20
destination /Common/192.168.1.201:4422
ip-protocol tcp
last-modified-time 2026-04-17:13:58:15
mask 255.255.255.255
persist {
/Common/source_addr {
default yes
}
}
pool /Common/Prod-PWS-Pool
profiles {
/Common/tcp { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
pool /Common/PWS-SNAT-Pool
type snat
}
translate-address enabled
translate-port enabled
}
ltm virtual-address /Common/192.168.1.201 {
address 192.168.1.201
arp enabled
icmp-echo enabled
mask 255.255.255.255
traffic-group /Common/traffic-group-1
}
State Detection for Active/Passive Deployments
The U-Series appliance exposes an API endpoint that allows an external device to determine the current HA state:
https://[ApplianceIPaddress]/UVMInterface/api/HighAvailability
A GET request to this address returns the current role; the response format is selected by the request's Accept header and is JSON by default, for example: {"Role":"Active"}.
You can view the response by opening the URL in a web browser. Because the API endpoint is built on the Microsoft WebAPI platform, it supports other response formats controlled by the request header; for example, Chrome returns XML when you open the URL directly.
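Parsing that role response, as an added example that is not part of this guide or the appliance API: it handles both the JSON shape shown above and an XML rendering, and it also shows that the literal recv string used by the HTTPS monitor below only matches the compact JSON form. The XML element names and the sample bodies are constructed assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample bodies, modelled on the {"Role":"Active"} response in the guide.
SAMPLE_JSON = '{"Role":"Active"}'
SAMPLE_XML = "<HighAvailability><Role>Passive</Role></HighAvailability>"  # assumed element names

# The literal substring the F5 monitor's recv directive looks for.
F5_RECV = '"Role":"Active"'


def parse_role(body):
    """Return the Role value from a JSON or XML response body, or None."""
    body = body.strip()
    if body.startswith("{"):
        return json.loads(body).get("Role")
    if body.startswith("<"):
        root = ET.fromstring(body)
        for element in root.iter():
            # Ignore any XML namespace the serializer may prepend to the tag.
            if element.tag.split("}")[-1] == "Role":
                return element.text
    return None


def is_active(body):
    """Semantic check: does the appliance report the Active role?"""
    return parse_role(body) == "Active"


def monitor_would_pass(body):
    """What the F5 recv string does: a literal substring match, nothing more."""
    return F5_RECV in body
```

Whitespace in the JSON (for example `{"Role": "Active"}`) or an XML response would fail the literal recv match even though the node is active, so verify the exact bytes the appliance returns to the monitor before relying on it.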
Example HTTPS Monitor
ltm monitor https U-Series-HA-Status {
adaptive disabled
defaults-from https
description "HTTP GET on U-Series API for Active-Passive Configuration"
destination *.https
interval 5
ip-dscp 0
recv "\"Role\":\"Active\""
recv-disable none
send "GET /UVMInterface/api/HighAvailability/\r\n"
time-until-up 0
timeout 16
}
State Detection for Active/Active Deployments
Password Safe
In addition to the BeyondInsight website, Password Safe requires support for the following interfaces:
- HTML5 web endpoint for user access to check out passwords
- Listening ports for session recording:
- 4489 (default) for RDP sessions
- 4422 (default) for SSH sessions
The HTML5 web endpoint and session recording listeners must share the same persistence profile, so that the F5 BIG-IP LTM routes each user to the Password Safe node that started their session recording service.
Previous versions of this document recommended separate configurations for the API and web GUI use cases. Because OAuth API authentication is now the preferred API access method and the BI Web Console is an available role on all worker nodes, most customers can consolidate to a single "Password Safe" virtual server.
The Password Safe configuration uses one or more virtual servers connected to a single pool with wildcard (all-services-enabled) nodes, using source_addr as the primary persistence method to maintain persistence across all virtual servers.
For more information about persistence strategy, see Persistence strategy.
The RDP and SSH monitors are the same as in the Active/Passive configuration. The HTTPS monitors differ to manage and monitor the roles enabled on each appliance.
Example Password Safe Role Monitor
ltm monitor https U-Series-ActiveActive-PS-API-Check {
adaptive disabled
defaults-from https
description "API call to check if the Password Safe feature is enabled"
destination *.https
interval 15
ip-dscp 0
recv true
recv-disable none
send "GET /webconsole/api/configuration/feature/passwordsafe/\r\n"
time-until-up 0
timeout 16
}
Example Management Console Role Monitor
ltm monitor https U-Series-Management-Check {
adaptive disabled
defaults-from https
description "API call to check if the BI Management Console feature is enabled"
destination *.https
interval 15
ip-dscp 0
recv true
recv-disable none
send "GET /webconsole/api/configuration/feature/managementconsole/\r\n"
time-until-up 0
timeout 16
}
Example HTTP Virtual Server
The only difference between the Active/Active and Active/Passive virtual server configurations is the monitor used to validate system availability. In Active/Active deployments where the BeyondInsight Management Web Interface is not enabled on all Password Safe nodes, configure multiple virtual servers, each monitoring a different service (Password Safe or Management Console). This ensures that health checks target the appropriate service and that each group of users is routed only to nodes running that service, without exposing additional services to the broader user space.
BeyondInsight Event Collector Service
The BeyondInsight Event Collector service allows Endpoint Privilege Management Windows and Mac clients to send events to BeyondInsight and to connect to Password Safe for endpoint account password rotation.
Clients require SSL server verification. Previous versions of BeyondInsight and EPM used mutual TLS (mTLS) certificate validation for client authentication, but this was deprecated in favor of OAuth in EPM 24.8 and BI 25.3. This guide uses the OAuth configuration. In this configuration, the virtual server definitions for EPM are the same as for Password Safe, but the backend pools may use a different monitor.
Example EventCollector Monitor
The EventCollector service requires OAuth authentication. You can validate its availability by checking for failed authentication responses, either a 403 status code or the text Forbidden.
ltm monitor https /Common/event_client {
compatibility enabled
defaults-from /Common/https
destination *:*
interval 5
recv "Forbidden"
send "GET /EventService/Collector.svc\r\n"
time-until-up 0
timeout 16
}
SNAT Pools
Source Network Address Translation (SNAT) is required in one-armed and other triangle-routing configurations. For more information, see the Example SNAT Configuration section above, and the Overview of SNAT features.
