UVMSQL appliance installation
Overview
The UVMSQL Cluster Appliance is specifically designed to offer SQL Server Always On Availability Group (AOAG) configuration on a BeyondTrust UVMSQL Appliance. This guide is intended for network security administrators responsible for protecting their organization's computing assets. The administrator should be familiar with networking and security, as well as with SQL Server.
FCC certification
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the manufacturer’s instruction manual, may cause harmful interference with radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference, in which case you will be required to correct the interference at your own expense.
Limited hardware U-Series Appliance warranty
This hardware U-Series Appliance is accompanied by a three-year manufacturer’s warranty based on the invoice date. (Extended warranties available on request.) The warranty covers all hardware, including internal components supplied in this shipment. The warranty does not cover additional items, such as keyboards, monitors, and mice, not included in this shipment. During the warranty period, the U-Series Appliance will be repaired or replaced at no cost under the warranty terms.
Due to continuing changes in the computer industry, if a replacement is necessary, the U-Series Appliance manufacturer reserves the right to make product substitutions of equal or greater value.
Do not ship any U-Series Appliance without first contacting BeyondTrust Technical Support to coordinate any repairs or replacements. Do not try to repair the U-Series Appliance yourself.
Please back up all data before having the U-Series Appliance serviced or repaired. Neither BeyondTrust nor the U-Series Appliance manufacturer warrants that operation of the U-Series Appliance will be uninterrupted or error-free. In no event will BeyondTrust or the U-Series Appliance manufacturer be responsible or liable for loss or integrity of any data on the U-Series Appliance or any storage media.
Warranty invalidation
This warranty is void in the event that:
- The U-Series Appliance is damaged due to accident, abuse, misuse, problems with electrical power, modifications or servicing not authorized by BeyondTrust or the U-Series Appliance manufacturer, or failure to operate in accordance with the U-Series Appliance instructions.
- Serial tags, receiving numbers, product stickers, or manufacturer seals have been removed, altered, or tampered with.
- The U-Series Appliance is opened for any reason.
- The U-Series Appliance is damaged due to improper or inadequate packaging when returned for repair or replacement.
- The U-Series Appliance has been tampered with, such as overclocking.
Labor and services performed on items or systems that are found not to be defective may be subject to a separate charge. In addition, the U-Series Appliance manufacturer reserves the right to charge a ten percent restocking fee for items returned which are found not to be defective.
Important
Do not log on to the Console or Remote Desktop to the Virtual U-Series Appliance unless directed to do so by BeyondTrust Technical Support. Installing any software or changing any additional settings may void your warranty.
Firewall settings
- All outgoing ports are allowed.
- Incoming ports are limited to the default Windows rules (includes allowing DCOM), plus the following:
TCP ports
Port | Purpose | Target Program/System Resource | Initial Status |
---|---|---|---|
80 | HTTP | System | Enabled |
443 | HTTPS | System | Enabled |
445 | SMB | System | Disabled |
1433 | SQL Server | sqlservr.exe | Enabled |
2000 | App Bus | C:\Program Files(x86)\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe | Disabled |
2383 | SQL Analysis Services | msmdsrv.exe | Enabled |
3389 | RDP | C:\Windows\System32\svchost.exe | Enabled |
4422 | Session Monitoring SSH | C:\Program Files(x86)\eEye Digital Security\Retina CS\pbsmd.exe | Enabled |
4489 | Session Monitoring RDP | C:\Program Files(x86)\eEye Digital Security\Retina CS\pbsmd.exe | Enabled |
5022 | SQL Server Mirroring | Binn\sqlservr.exe | Enabled |
5985 | WinRM (AWS Images Only) | System; Restricted to 10.0.0.0-16 | Enabled |
8530 | WSUS HTTP | System | Disabled |
8531 | WSUS HTTPS | System | Disabled |
10001 | Central Policy v1 | C:\Program Files(x86)\eEye Digital Security\Retina CS\REMCentralPolicyService.exe | Enabled |
21690 | App Bus | C:\Program Files(x86)\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe | Enabled |
21690 | Event Server | C:\Program Files(x86)\Common Files\eEye Digital Security\Event Server\REMEventsSvc.exe | Enabled |
UDP port
Port | Purpose | Target Program/System Resource | Initial Status |
---|---|---|---|
4609 | Appliance Discovery | C:\Program Files(x86)\Common Files\eEye Digital Security\Scheduler\eeyeschedulersvc.exe | Enabled |
ICMPv4 protocol
Port | Purpose | Target Program/System Resource | Protocol | Initial Status |
---|---|---|---|---|
Any | ICMP Type 3, Code 4 - Destination Unreachable (Fragmentation Needed) | Any | ICMPv4 | Enabled |
Any | ICMP Type 8 - Echo | Any | ICMPv4 | Enabled |
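The inbound tables above describe the initial firewall state of the appliance. The following PowerShell audit is an added example, not part of the BeyondTrust documentation: it reads the host's enabled inbound TCP allow rules with the Windows NetSecurity cmdlets and compares them against the documented initial status, so a drifted rule (for example SMB on 445 or WSUS on 8530/8531 showing up as open) stands out. It assumes an elevated PowerShell session on the appliance; the port list and expected states are copied from the TCP table above.

```powershell
# Added audit script; not part of the BeyondTrust documentation.
# Compares the host's enabled inbound TCP allow rules against the initial
# status documented in the TCP ports table above. Assumes it runs in an
# elevated PowerShell session on the appliance (NetSecurity module present).

# Expected initial status per documented inbound TCP port (copied from the table above).
$ExpectedInboundTcp = @{
    80    = 'Enabled';  443   = 'Enabled'; 445   = 'Disabled'; 1433  = 'Enabled'
    2000  = 'Disabled'; 2383  = 'Enabled'; 3389  = 'Enabled';  4422  = 'Enabled'
    4489  = 'Enabled';  5022  = 'Enabled'; 5985  = 'Enabled';  8530  = 'Disabled'
    8531  = 'Disabled'; 10001 = 'Enabled'; 21690 = 'Enabled'
}

# One object per LocalPort entry of every enabled inbound TCP allow rule.
function Get-InboundTcpAllowPorts {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }
        foreach ($spec in @($portFilter.LocalPort)) {
            [pscustomobject]@{ PortSpec = [string]$spec; Rule = $rule.DisplayName; Profile = $rule.Profile }
        }
    }
}

# True when a rule's LocalPort entry (single number, range, or 'Any') covers the port.
function Test-PortSpecCovers([string]$Spec, [int]$Port) {
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^\d+$') { return ([int]$Spec -eq $Port) }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return $false   # keywords such as RPC, RPCEPMap or IPHTTPSIn are not numeric ports
}

# Builds the comparison table; rows with Match = False are the findings to review.
function Compare-UvmInboundTcp {
    $entries = @(Get-InboundTcpAllowPorts)
    foreach ($port in ($ExpectedInboundTcp.Keys | Sort-Object)) {
        $hits   = @($entries | Where-Object { Test-PortSpecCovers -Spec $_.PortSpec -Port $port })
        $actual = if ($hits.Count -gt 0) { 'Enabled' } else { 'Disabled' }
        [pscustomobject]@{
            Port     = $port
            Expected = $ExpectedInboundTcp[$port]
            Actual   = $actual
            Match    = ($actual -eq $ExpectedInboundTcp[$port])
            Rules    = (($hits | ForEach-Object Rule | Select-Object -Unique) -join '; ')
        }
    }
}

Compare-UvmInboundTcp | Format-Table -AutoSize
```

The script only evaluates local port and protocol; it does not check the remote-address scope that the table documents for 5985 (use Get-NetFirewallAddressFilter on the matching rule for that), and it does not cover the UDP and ICMPv4 rows. A rule whose LocalPort is Any is counted as opening every documented port, which is the correct reading from a defender's point of view.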
Outbound ports
While all outgoing ports are allowed, the following lists provide specific details on outgoing ports.
Note
For a comprehensive list of ports used by BeyondInsight and peripheral applications, please see Port Requirements.
The following Windows activities use outbound ports.
Port | Purpose |
---|---|
53 TCP/UDP | DNS |
123 UDP | NTP (Time server) |
443 TCP | Web licensing request |
445 TCP | SMB (when needed for remote shares) |
2049 TCP/UDP and 111 TCP/UDP | NFS (when needed for accessing remote shares) |
5022 TCP | SQL Server mirroring port |
3389 (default) | RDP sessions |
22 (default) | SSH sessions |
25, 465, or 587 | SMTP (default) |
1433 | Remote SQL Server port if connecting to a remote database (default). |
UVMSQL setup worksheet
- UVMSQL Appliance Name: Create a unique name using the Microsoft naming standard.
- Domain admin credentials: The Active Directory domain user credentials.
- Organizational unit (OU) name: The location where the UVMSQL Appliance exists in Active Directory as a part of the clustering process.
- Server Security Group Name: The security group to which you add all of your UVMSQL Appliances during AOAG configuration. You must create this group in the organizational unit.
- Service Account Group Name: This group gives the Group Managed Service Account local administrator permissions on the UVMSQL Appliance. You must create the security group in the OU.
- Group managed service account (gMSA): The username of the account used during the AOAG configuration. The associated Windows services on the UVMSQL Appliance will continue to run under this account. The Server Security Group must be given permission to retrieve the password of the gMSA. The gMSA must be a member of the Service Account Security Group.
- Cluster name and IP: Every Windows cluster has an endpoint with a name and static IP address.
- Listener name and IP: The name and IP for each availability group.
PowerShell commands
This page contains a sample of PowerShell commands that could be used to prepare the OU, security groups, and Group Managed Service Accounts (gMSAs). This instruction assumes the following:
Domain | UVMLAND.LOCAL |
---|---|
OU | UVMSQL.CLUSTER |
Server security group | UVMServerGroup |
Service account security group | UVMSvcAcctGroup |
Group Managed Service Account | UVMSvcAccount |
Create an organizational unit (OU) for the UVMSQL appliances
New-ADOrganizationalUnit -Name "CLUSTER" -Path "OU=UVMSQL,DC=UVMLAND,DC=LOCAL"
Block inheritance for the OU
Set-GPInheritance -Target "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -IsBlocked Yes
Create a security group for the UVMSQL appliance servers in the OU
New-ADGroup -Name "UVMServerGroup" -SamAccountName UVMServerGroup -GroupCategory Security -GroupScope Global -DisplayName "UVMSQL Appliance Servers" -Path "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -Description "Members of this group are UVMSQL Appliances"
Create a security group for the UVMSQL appliance service accounts in the OU
New-ADGroup -Name "UVMSvcAcctGroup" -SamAccountName UVMSvcAcctGroup -GroupCategory Security -GroupScope Global -DisplayName "UVMSQL Appliance Service Accounts" -Path "OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL" -Description "Members of this group are UVMSQL Appliance Service Accounts"
Create the KDS root key if one is not already created for the forest
Note
This is required for creating gMSAs. The EffectiveImmediately argument takes about ten hours to create and propagate the key.
Import-Module ActiveDirectory
Add-KdsRootKey -EffectiveImmediately
or
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))  # backdates the effective time by ten hours so the key can be used immediately
Create the group managed service account (gMSA) giving the UVMSQL appliance servers security group permission to retrieve the managed password
New-ADServiceAccount -Name UVMSvcAccount -DnsHostName UVMSvcAccount.UVMLAND.LOCAL -PrincipalsAllowedToRetrieveManagedPassword "UVMServerGroup"
Add the gMSA to the UVMSQL appliance service accounts security group
Add-ADGroupMember -Identity UVMSvcAcctGroup -Members "CN=UVMSvcAccount,CN=Managed Service Accounts,DC=UVMLAND,DC=LOCAL"
Give the UVMSQL appliance service accounts group full control of the UVMSQL appliance OU
$ou = "AD:\OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL"
$group = Get-ADGroup UVMSvcAcctGroup
$group_sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
$ou_acl = Get-Acl $ou
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $group_sid, "GenericAll", "Allow"
$ou_acl.AddAccessRule($ace)
Set-Acl -AclObject $ou_acl $ou
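The commands above create the OU, the two security groups, the gMSA and the OU permission in sequence. The following script is an added example, not part of the BeyondTrust documentation: it reads each of those objects back from Active Directory and reports whether the result matches the worksheet (OU present with GPO inheritance blocked, both groups inside the OU, the server group allowed to retrieve the gMSA password, the gMSA a member of the service account group, and the service account group holding GenericAll on the OU). It assumes the sample names from the table above (UVMLAND.LOCAL, OU CLUSTER under UVMSQL, UVMServerGroup, UVMSvcAcctGroup, UVMSvcAccount), the RSAT ActiveDirectory and GroupPolicy modules, and a domain account with read access; the function name Test-UvmClusterAdPrep is this example's own.

```powershell
# Added verification script; not part of the BeyondTrust documentation.
# Reads back the objects created by the commands above and reports each check.
# Assumes the sample names from the table above; adjust the parameters for your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-UvmClusterAdPrep {
    param(
        [string]$OuDn        = 'OU=CLUSTER,OU=UVMSQL,DC=UVMLAND,DC=LOCAL',
        [string]$ServerGroup = 'UVMServerGroup',
        [string]$SvcGroup    = 'UVMSvcAcctGroup',
        [string]$Gmsa        = 'UVMSvcAccount'
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }
    # -Identity lookups throw a terminating error when the object is missing; map that to $null.
    function Get-OrNull([scriptblock]$Lookup) { try { & $Lookup } catch { $null } }

    # 1. The OU itself, and GPO inheritance blocked on it (Set-GPInheritance -IsBlocked Yes).
    $ou = Get-OrNull { Get-ADOrganizationalUnit -Identity $OuDn }
    Add-Result 'OU exists' ($null -ne $ou) $OuDn
    if ($null -eq $ou) { return $results }   # nothing below can be checked without the OU
    $inh = Get-OrNull { Get-GPInheritance -Target $OuDn }
    Add-Result 'GPO inheritance blocked' ([bool]($inh -and $inh.GpoInheritanceBlocked)) "GpoInheritanceBlocked=$($inh.GpoInheritanceBlocked)"

    # 2. Both security groups exist and were created inside the OU.
    $groups = @{}
    foreach ($name in @($ServerGroup, $SvcGroup)) {
        $grp = Get-OrNull { Get-ADGroup -Identity $name }
        $groups[$name] = $grp
        $ok = ($null -ne $grp) -and ($grp.DistinguishedName -like "*,$OuDn") -and ($grp.GroupCategory -eq 'Security')
        Add-Result "Security group $name in OU" $ok "$($grp.DistinguishedName)"
    }

    # 3. The gMSA: server group may retrieve its password, and it is a member of the service account group.
    $acct = Get-OrNull { Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf }
    Add-Result 'gMSA exists' ($null -ne $acct) "$($acct.ObjectClass)"
    if ($acct) {
        $retrievers = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
        $srvDn = $groups[$ServerGroup].DistinguishedName
        Add-Result 'Server group may retrieve gMSA password' ([bool]($srvDn -and ($retrievers -contains $srvDn))) ($retrievers -join '; ')
        $svcDn = $groups[$SvcGroup].DistinguishedName
        Add-Result 'gMSA is member of service account group' ([bool]($svcDn -and (@($acct.MemberOf) -contains $svcDn))) (@($acct.MemberOf) -join '; ')
    }

    # 4. The OU ACL: the service account group holds GenericAll (full control). Detail lists every
    #    principal with GenericAll so unexpected grantees are visible in the same row.
    $netbios = (Get-ADDomain).NetBIOSName
    $acl = Get-Acl -Path "AD:\$OuDn"
    $fullControl = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -eq 'GenericAll'
    })
    $hasSvc = [bool]($fullControl | Where-Object { $_.IdentityReference.Value -eq "$netbios\$SvcGroup" })
    Add-Result 'Service account group has GenericAll on OU' $hasSvc (($fullControl | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join '; ')
    return $results
}

Test-UvmClusterAdPrep | Format-Table -AutoSize
```

GenericAll on the OU is full control over every object beneath it, which is what the Set-Acl step above grants; the Detail column of the last row therefore lists all principals holding that right so the list can be compared with what the deployment expects.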
Features on the LCD panel
You can access the following features from the U-Series Appliance LCD panel.
Access settings menu
To access the settings:
The LCD panel displays Please wait. Once the U-Series Appliance completes the power-on sequence, the LCD panel accepts the following actions:
- Press the check to enter or accept the setting.
- Press the up or down arrow to navigate through the menus.
- Press the right or left arrow to access settings in the menu.
- Press the X to cancel the setting.
Enable RDP
From the LCD panel, start where U-Series 20 Ready is displayed.
- Press the Check Mark icon to enter Settings / Show IP.
- Press the Check Mark icon. The IP address of the U-Series Appliance is displayed.
- Hold both the Up and Down arrow buttons simultaneously for four seconds. Do not do anything else between the previous step and this one.
Reset administrator password
- Check the Allow LCD Panel to Reset Administrator Password box.
- If needed, go to the U-Series Appliance to reset the administrator password.
- Select Show IP to view the IP address.
- Hold the Up and Down arrow buttons simultaneously on the U-Series Appliance LCD panel. A random password is generated.
- Press the Check Mark icon to accept the changed password.
On a U-Series Appliance with Windows Server 2016, you cannot reset an administrator account from the LCD panel. A locked administrator account is unlocked after 20 minutes. Try logging on again after the 20-minute timeout period. If the account remains locked, contact BeyondTrust Technical Support.
Power off
You can power off the U-Series Appliance using the LCD panel. To power off, on the LCD panel, select Power Off. The U-Series Appliance powers off.
Set up the appliance
Your UVMSQL Appliance is designed to be configured and used with a web browser.
Important
If you purchased Professional Services, schedule your engagement with your Professional Services representative before starting the Configuration Wizard.
Power on the U-Series Appliance
- Plug the power cables for the U-Series Appliance into a safe power source. The U-Series Appliance’s power supplies automatically switch between 120V and 240V, as needed.
- Plug a network cable into the network interface port.
- Press and release the power button on the front of the U-Series Appliance. The power LED immediately to the right of the reset button illuminates, and the HDD activity LED (immediately to the right of the power LED) begins to flash. Initialization of the U-Series Appliance completes in about 60 seconds.
Note
The NIC1 and NIC2 LEDs may illuminate and show activity even when the U-Series Appliance is not powered on; therefore, it is important to check the power and HDD LEDs to confirm that the U-Series Appliance is on.
Perform initial network configuration
The U-Series Appliance is configured to use DHCP and receives an assigned IP address. To access your U-Series Appliance the first time, open a browser on a device on the same network subnet as the U-Series Appliance. Enter the U-Series Appliance's factory IP address as displayed on the LCD screen, preceded by https://, for example, https://10.10.123.456. You can find this IP address using the LCD display of the U-Series Appliance. You will need the IP address later in the process when you configure the U-Series Appliance.
Display IP address
To display the IP address, select Show IP on the LCD panel. The IP address automatically displays.
Automatically enter IP address
On the LCD panel, select Config IP, then select Auto DHCP. The U-Series Appliance automatically updates the IP address to the DHCP protocol.
Manually enter IP address
On the LCD panel, select Config IP, then select Manual. Enter the IP Address, Subnet Mask, Gateway, DNS 1 and DNS 2.
Hardware notes
The integrated Dell Remote Access Controller (iDRAC) is configured to use the primary interface (LAN1). The iDRAC shares the interface with Windows. By default, iDRAC is not configured.
The U-Series Appliance has more than one adapter. If all adapters are used, the adapter chosen during scan time is determined by the route associated with it.
Configure the appliance
- To access your U-Series Appliance the first time, open a browser on a device on the same network subnet as the U-Series Appliance. Enter the U-Series Appliance's factory IP address as displayed on the LCD screen, preceded by https://, for example, https://10.10.123.456. You can find this IP address using the LCD display of the U-Series Appliance.
- An SSL certificate notification displays. Click Continue. You will replace the default certificate with a signed certificate later during the configuration process.
- On the welcome page, create a name for the UVMSQL Appliance.
Important
Once you have named your UVMSQL Appliance, it cannot be renamed. If at any point you need to rename the appliance, you must either re-image (if it is a physical appliance) or re-deploy the image (if it is a virtual appliance).
- On the IP Settings page, select the network card to use. The dropdown list shows only connected network ports. If you select Obtain IP address automatically, the remaining fields fill automatically. Otherwise, enter the IP and DNS information.
Note
The domain IP must be a static IPv4 address. Use quad-dotted notation for the subnet mask. For example, 255.255.255.0.
- If you are satisfied with the settings, click Apply Settings and Reboot. If you need to rename your UVMSQL Appliance, click Back to Rename Machine.
- You are prompted to confirm your UVMSQL Appliance name.
- Click Cancel to go back, or click Apply Name and Reboot to continue.
- The UVMSQL Appliance reboots to apply its name and IP address settings.
- Once the reboot completes, you are prompted to upload a saved configuration file or to start the Configuration Wizard.
- The Configuration Wizard starts with the BeyondTrust license agreement. After reading the terms, click I Agree to the above terms and conditions. Then click Next: Microsoft Agreement.
- After reading the Microsoft agreement, click I Agree to the above terms and conditions. Then click Next: SQL Server Agreement.
- After reading the SQL Server agreement, click I Agree to the above terms and conditions. Then click Next: User Credentials.
Important
While it is possible to rename administrator accounts later, we recommend choosing account names carefully during deployment and configuration to avoid renaming them later.
- On the User Credentials page, set up an administrator username, password, and email address for the BeyondTrust software. On this page, also set up a username and password for the BeyondTrust Updater tool, as well as a password for the SQL Server Administration account. Then click Next: Machine Configuration.
Note
The email address is used as a reply address, as well as if the administrator password is forgotten.
- Under Machine Options, select a time zone. You can configure the date and time manually, or you can synchronize the time using an NTP server or VMware Tools. Click Next: Review.
- On the Review page, confirm that the settings are correct. You can go back and make changes as needed. You can also download the configuration file for backup or to use on another system. Click Next: Complete.
- The Configuration Wizard applies the settings to the UVMSQL Appliance. Once the configuration is complete, click Proceed to Diagnostics.
- Enter your BeyondTrust administrator username and password to log in.
- From the home page, open the menu and select Maintenance.
- The maintenance page loads your UVMSQL Appliance software versions. Once this information has loaded, open the menu and select API Key Maintenance.
- Under This UVM's API Key Details, copy the registration code to your clipboard.
Note
Each API key is generated for a specific UVMSQL Appliance. The key itself cannot be viewed. The registration code encrypts the key along with additional metadata, such as the UVMSQL Appliance ID and the IP address.
- To pair two UVMSQL Appliances, switch to the configuration page for the second UVMSQL Appliance.
- Open the menu and click API Key Maintenance.
- From Select IP address to use for configuration, select the appropriate IP address.
- Under Register Remote UVM, paste the copied code into Registration Code from Remote UVM.
- Enter a Description to identify this U-Series Appliance.
- From Select Usage, choose Cluster Configuration.
- Click Add/Update.
- A prompt displays that the key has been registered. Click OK.
- Copy the registration key from this UVMSQL Appliance's details.
Note
Registering a key from another UVMSQL Appliance allows this UVMSQL Appliance to accept calls from the other UVMSQL Appliance.
- Switch to the first UVMSQL Appliance's configuration page.
- From Select IP address to use for configuration, select the appropriate IP address.
- Under Register Remote UVM, paste the copied code into Registration Code from Remote UVM.
- Enter a Description to identify this U-Series Appliance.
- From Select Usage, choose Cluster Configuration.
- Click Add/Update.
- A prompt displays that the key has been registered. Click OK.
Important
You can regenerate an API key if needed. However, doing so also regenerates the registration code, breaking the link between this UVMSQL Appliance and another. You must copy the new registration code and re-enter it on the other UVMSQL Appliance to re-establish the connection.
- Scroll down to view the registered API keys.
- Click Trigger Connections Test.
- You are notified that the test has started. Click OK.
- When the test completes, the page displays the results.
- To group UVMSQL Appliances into a cluster, select the UVMSQL Appliances, and then click Start Cluster.
- In the top section, you can view the IP addresses, cluster roles, and cluster node status of the selected UVMSQL Appliances.
- Enter the domain name, organizational unit, security groups, service account, and domain administrator account.
- Choose if the cluster should use DHCP.
- Create a name for the cluster.
- If the cluster is not using DHCP, enter a dedicated static IP address for the cluster.
- Click Apply Cluster Settings.
- The SQL Cluster Wizard runs, showing status messages of its progress.
- When the wizard completes, the UVMSQL Appliance appears as part of the cluster. Click on the cluster database icon.
Important
Before the availability group can be created, the database must exist on the UVMSQL Appliance you plan to make the primary replica. There are a few ways to do this; choose the method most appropriate for your situation.
Important
- During the Configuration Wizard on a SQL Free UVMSQL Appliance, at the SQL Server Agreement step, create a database on the primary replica using the option to create a remote database.
- From a configured UVMSQL Appliance or SQL Free UVMSQL Appliance, go to the Database Utilities page of the Maintenance application and use the Create a Remote BeyondInsight Database feature to create a database on the primary replica.
- Restore a BeyondInsight database backup on the primary replica on the SQL cluster using SQL Server Management Studio.
- In the top section, you can view the IP addresses, cluster roles, and cluster node status of the clustered UVMSQL Appliances.
- Select a SQL database.
- Enter a database listener name, IP address, and subnet mask.
- Provide a domain name, domain administrator account, and service account.
- Click Apply Listener.
- The SQL Database Wizard runs, showing status messages of its progress.
- When the wizard completes, the listener name and IP address are displayed.