Best practices

Optional U-Series Appliance configuration

Perform Dell PowerEdge system updates

Update the BIOS on a Dell PowerEdge server

  1. Start the process by retrieving the BitLocker recovery keys. You can do this in either of two ways:

    • Open File Explorer and look for an external drive with a label of U-Series Appliance-BITLOCK. There is a text file on this drive for each drive letter on the U-Series Appliance (one drive on most images and four drives on older U-Series 50 models).
    • If the internal USB drive has been removed and cannot be located, type the following command in an elevated command window to display the BitLocker recovery password for the C: drive:

      manage-bde -protectors -get c:

      To save the output to a file instead, type:

      manage-bde -protectors -get c: > "bitlocker C.txt"

      Repeat the command for each additional drive letter on the appliance. The output, and the file, contain the recovery password in clear text: keep the file on removable media that stays with the appliance keys, not in a folder on the appliance itself, and do not leave it on a network share.
      
  2. Get the service tag from the server in either of two ways:

    • Find the EST (Express Service Tag) label on the front of the server and pull out the card.
    • When logged in to Windows, type racadm getsysinfo in a command line. The information returned contains the service tag number. This option is available only on newer iDRAC versions.
  3. Open a browser and go to https://www.dell.com/support/home/en-us/.

  4. Enter the service tag number.

  5. Click Drivers & Downloads.

  6. Change the Category to BIOS.

  7. Download the BIOS package, confirm that its digital signature is valid (right-click the file > Properties > Digital Signatures), and copy it to the U-Series Appliance.

  8. Double-click the downloaded .exe file and click Install.

  9. Follow the instructions and reboot the U-Series Appliance when prompted.

  10. If prompted, enter the BitLocker password on reboot.

Update the Chipset drivers on a Dell PowerEdge server

  1. Get the service tag from the server in either of two ways:
    • Find the EST (Express Service Tag) label on the front of the server and pull out the card.
    • When logged in to Windows, type racadm getsysinfo in a command line. The information returned contains the service tag number. This option is available only on newer iDRAC versions.
  2. Open a browser and go to https://www.dell.com/support/home/en-us/.
  3. Enter the service tag number.
  4. Click Drivers & Downloads.
  5. Change the Operating System to Windows 2012 R2, Windows 2008 R2, or Windows 2016 depending on the U-Series Appliance image.
  6. Change the Category to Chipset.
  7. Download the chipset drivers and copy them to the U-Series Appliance.
  8. Run the downloaded installer and extract to a folder.
  9. In Windows Device Manager, right-click any unidentified hardware devices and click Update Driver.
  10. Select the browse location where the drivers were extracted earlier. The driver files are located in a subfolder here. Search for a folder with .inf files.
  11. Click Next and allow the driver to update.
  12. Continue as needed with any other unidentified devices.

Update the iDRAC software on a Dell PowerEdge server

  1. Start the process by retrieving the BitLocker recovery keys. You can do this in either of two ways:

    • Open File Explorer and look for an external drive with a label of U-Series Appliance-BITLOCK. There is a text file on this drive for each drive letter on the U-Series Appliance (one drive on most images and four drives on older U-Series 50 models).
    • If the internal USB drive has been removed and cannot be located, type the following command in an elevated command window to display the BitLocker recovery password for the C: drive:

      manage-bde -protectors -get c:

      To save the output to a file instead, type:

      manage-bde -protectors -get c: > "bitlocker C.txt"

      Repeat the command for each additional drive letter on the appliance. The output, and the file, contain the recovery password in clear text: keep the file on removable media that stays with the appliance keys, not in a folder on the appliance itself.
      
  2. Get the service tag from the server in either of two ways:

    • Find the EST (Express Service Tag) label on the front of the server and pull out the card.
    • When logged in to Windows, type racadm getsysinfo in a command line. The information returned contains the service tag number. This option is available only on newer iDRAC versions.
  3. Open a browser and go to https://www.dell.com/support/home/en-us/.

  4. Enter the service tag number.

  5. Click Drivers & Downloads.

  6. Change the Category to iDRAC with Lifecycle controller.

  7. Download the latest version available (the iDRAC with Lifecycle Controller firmware package, not the iDRAC Controller Integration), confirm that its digital signature is valid, and copy it to the U-Series Appliance.

  8. Run the downloaded file.

  9. Follow the instructions and reboot the U-Series Appliance when prompted.

  10. If prompted, enter the BitLocker password on reboot.
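The following script is an added example, not BeyondTrust or Dell code, that covers step 1 of both the BIOS update and the iDRAC update procedures above. Instead of running manage-bde once per drive letter, it exports the recovery password of every BitLocker-protected volume to one file per drive (matching the layout of the BITLOCK USB drive) and fails loudly if any protected volume has no recovery password, which is the case that would leave you locked out after the reboot. It needs an elevated PowerShell session and the BitLocker module that ships with Windows Server 2012 R2 and later. The output path E:\bitlocker-keys is an assumption; point it at removable media, never at a folder on the appliance.

```powershell
# Added example (not BeyondTrust or Dell code): export the BitLocker recovery
# password of every protected volume before a firmware update, so the key for
# each drive letter is on hand if the reboot prompts for it.
# Requires an elevated session; uses the built-in BitLocker module.
param(
    [string]$OutputDirectory = 'E:\bitlocker-keys'   # assumed removable drive
)

function Get-RecoveryPasswordReport {
    # Returns one record per (volume, recovery-password protector), i.e. the same
    # data 'manage-bde -protectors -get <drive>' prints, for all volumes at once.
    Get-BitLockerVolume | ForEach-Object {
        $volume = $_
        if ($volume.ProtectionStatus -ne 'On') {
            Write-Warning ("Volume {0} is not protected; nothing to export." -f $volume.MountPoint)
            return
        }
        $volume.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                [pscustomobject]@{
                    MountPoint       = $volume.MountPoint
                    KeyProtectorId   = $_.KeyProtectorId
                    RecoveryPassword = $_.RecoveryPassword
                }
            }
    }
}

function Export-RecoveryPasswords {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    $records = @(Get-RecoveryPasswordReport)
    if ($records.Count -eq 0) {
        throw 'No recovery-password protectors found; a reboot into BitLocker recovery could not be unlocked.'
    }
    foreach ($record in $records) {
        # One file per drive letter, e.g. "bitlocker C.txt", like the BITLOCK USB drive.
        $letter = $record.MountPoint.TrimEnd(':', '\')
        $file   = Join-Path $Directory ("bitlocker {0}.txt" -f $letter)
        $record | Format-List MountPoint, KeyProtectorId, RecoveryPassword |
            Out-File -FilePath $file -Encoding ascii
        Write-Host ("Saved recovery password for {0} to {1}" -f $record.MountPoint, $file)
    }
    # Sanity check: every protected volume must have at least one password on disk.
    $protected = (Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On').MountPoint
    $covered   = $records.MountPoint | Sort-Object -Unique
    $missing   = $protected | Where-Object { $_ -notin $covered }
    if ($missing) {
        throw ("No recovery password exported for: {0}" -f ($missing -join ', '))
    }
}

Export-RecoveryPasswords -Directory $OutputDirectory
```

Run it from an elevated prompt as `.\Export-BitLockerKeys.ps1 -OutputDirectory E:\bitlocker-keys` before step 8 of either procedure, then eject the media. The files hold clear-text recovery passwords, so treat them like the BITLOCK USB drive and remove them once the update has completed and the appliance has booted normally.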

Configure iDRAC

You can use Integrated Dell Remote Access Controllers (iDRAC) to remotely manage your U-Series 20 or U-Series 50.

  1. At startup, press F2 to enter the setup menu.
  2. Select iDRAC Settings.
  3. Select Network.
  4. Set Enable NIC to Enabled.
  5. Configure IP address settings as specified by your network administrator (DHCP or static). Setting NIC Selection to Dedicated reserves the physical iDRAC port on the back of the server for iDRAC traffic only, so the management controller is reachable only from the network that port is cabled to; this is the preferred setting where a separate management network exists. Setting it to one of the LOM ports makes iDRAC share that physical connection with the operating system.
  6. Save your settings.
  7. If you use DHCP IP configuration, watch for the iDRAC IP address to be displayed at startup and record this for future use.
  8. Open a browser and enter the IP address associated with the iDRAC port. Use the default login credentials:
    • User: root
    • Password: calvin
  9. Change this password immediately after the first login (see the Set user account command under iDRAC commands below). root/calvin is a publicly documented default, and iDRAC gives full out-of-band control of the server, including power, remote console, and virtual media.

ℹ️

Note

For more information about configuring iDRAC, please refer to Dell product documentation.

iDRAC commands

You can use the commands below to configure iDRAC settings from a Windows command prompt on the appliance. Values in angle brackets are placeholders for your own settings.

  • Enable the iDRAC NIC: racadm setniccfg -o enable
  • Set the password for the root user account (user index 2): racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 2 <newpassword>
  • Set a static IP address: racadm setniccfg -s <ipaddress> <netmask> <gateway>
  • Enable DHCP: racadm setniccfg -d
  • Display the current network configuration: racadm getniccfg
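The following PowerShell is an added example, not BeyondTrust or Dell code, that wraps the racadm commands listed above so the result can be checked rather than eyeballed: it parses the key = value output of racadm getniccfg, confirms that a static address was actually applied, and sets the root password from a prompt instead of typing it on the command line, where it would remain in the shell history. It assumes racadm.exe is on PATH on the appliance. The sample getniccfg output at the bottom is constructed to match racadm's key = value layout and is what the script exercises when run offline; the functions that call racadm are only invoked when you call them.

```powershell
# Added example (not BeyondTrust or Dell code): racadm configure-and-verify helpers.

function ConvertFrom-RacadmKeyValue {
    # Turns lines such as 'IP Address       = 192.0.2.20' into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>[^=]+?)\s*=\s*(?<value>.*?)\s*$') {
            $settings[$Matches.key] = $Matches.value
        }
    }
    return $settings
}

function Get-IdracNicConfig {
    $raw = & racadm getniccfg 2>&1
    if ($LASTEXITCODE -ne 0) { throw "racadm getniccfg failed: $raw" }
    ConvertFrom-RacadmKeyValue -Lines $raw
}

function Set-IdracStaticIp {
    param(
        [Parameter(Mandatory)][ipaddress]$Address,
        [Parameter(Mandatory)][ipaddress]$Netmask,
        [Parameter(Mandatory)][ipaddress]$Gateway
    )
    & racadm setniccfg -o enable | Out-Null
    & racadm setniccfg -s $Address $Netmask $Gateway | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'racadm setniccfg -s failed' }

    # Read the configuration back and confirm the controller applied it.
    $cfg = Get-IdracNicConfig
    if ($cfg['IP Address'] -ne $Address.IPAddressToString) {
        throw ("iDRAC reports IP {0}, expected {1}" -f $cfg['IP Address'], $Address)
    }
    return $cfg
}

function Set-IdracRootPassword {
    # Prompts for the new password so it never appears in the shell history.
    # The plaintext exists only long enough to hand to racadm (user index 2 = root).
    $secure = Read-Host -Prompt 'New iDRAC root password' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        & racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 2 $plain | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'racadm config (cfgUserAdminPassword) failed' }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }
}

# Constructed sample of 'racadm getniccfg' output, used to exercise the parser offline.
$sample = @(
    'NIC Enabled      = 1',
    'DHCP Enabled     = 0',
    'IP Address       = 192.0.2.20',
    'Subnet Mask      = 255.255.255.0',
    'Gateway          = 192.0.2.1'
)
$parsed = ConvertFrom-RacadmKeyValue -Lines $sample
if ($parsed['NIC Enabled'] -ne '1') { throw 'iDRAC NIC is disabled' }
"Parsed {0} settings; iDRAC address is {1}" -f $parsed.Count, $parsed['IP Address']
```

Typical use on the appliance: `Set-IdracStaticIp -Address 192.0.2.20 -Netmask 255.255.255.0 -Gateway 192.0.2.1` followed by `Set-IdracRootPassword`. The readback after setniccfg matters because racadm returns success as soon as the command is accepted; the controller may still be applying the change.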

Configure NIC teaming or link aggregation

ℹ️

Note

You must have the Broadcom management utility installed before continuing with these steps. On Microsoft Windows Server 2012 R2 U-Series Appliances, the Broadcom Advanced Control Suite 4 application is already installed. For Windows 2008 R2 U-Series Appliances, please contact BeyondTrust Technical Support to get the installer file. For Windows Server 2016, use the native Windows configurable options for NIC teaming, link aggregation, and VLAN configuration.

The U-Series Appliance has a Broadcom NetXtreme II four-port network interface card. Work with your network administrator before you configure NIC teaming or aggregation; the switch ports must be configured to match (LACP and VLAN trunking), and your administrator must provide IP address information for the environment where the U-Series Appliance is being deployed.

Configure VLAN

Tagged VLAN Configuration on a Physical U-Series 20 or U-Series 50
Broadcom BCM5709C NetXtreme II GigE

  1. Run Broadcom Advanced Control Suite 4 from the Start menu.
  2. Filter by Team View from the top menu.
  3. Under Unassigned Adapters, select the adapter being used. If connected, it will have a green check mark.
  4. Right-click and select Create a VLAN, then click Next.
    1. Enter a Team Name (such as VLAN) and a VLAN Name (such as VLAN10), then click Next.
    2. Select Tagged, then click Next.
    3. Enter a VLAN Tag (such as 10), then click Next.
  5. Click Finish.
  6. Click Yes to acknowledge that there may be a temporary network interruption.
  7. Right-click on the team that was created from the previous step and click Add VLAN.
    1. Enter a VLAN Name (such as VLAN20), then click Next.
    2. Select Tagged, then click Next.
    3. Enter a VLAN Tag (such as 20), then click Next.
  8. Click Yes to add more VLANs and repeat, or click No if finished.
  9. Click Finish.
  10. Network configuration can be static or dynamic depending on your needs or on the environment. Both are configured just as a normal adapter is configured.
Virtual Guest Tagging (VGT) VLAN Configuration on a U-Series v20
Intel 82574L Gigabit Network Connection (Intel E1000)
  1. You must install the required driver within a Windows 2012 R2 guest operating system.
    1. Download ProWinx64 from Intel, then extract the contents to a temporary folder.
    2. Right-click the network adapter and click Update Driver Software.
    3. Click Browse my computer for driver software.
    4. Click Let me pick from a list of device drivers on my computer.
    5. Click Have Disk.
    6. Click Browse, then browse to the temporary location where you extracted the driver files.
    7. Click Next to install the driver.
  2. Repeat the above steps for each network adapter you have for the virtual machine.
  3. After all the adapters are updated, run the ProWinx64.exe file, rather than extracting it. You should now be able to install the Advanced Network Services VLANs.
  4. To configure VLAN tagging on a virtual machine:
    1. Open Device Manager.
    2. Right-click Network Adapter and select Properties. A VLANs tab is now available. This is not displayed before the ProWinx64.exe file is installed.
    3. Click New.
    4. Enter a VLAN ID (such as 10).
    5. Enter a VLAN Name (such as VLAN10).
    6. Click OK.
  5. Repeat these steps for as many VLANs as are required.
  6. There will now be a new network adapter displayed under Network Connections for each VLAN created.
  7. Network configuration can be static or dynamic depending on your needs or on the environment. Both are configured just as a normal adapter is configured.
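The notes above say that on Windows Server 2016 the native Windows options replace the Broadcom suite for teaming, link aggregation, and VLANs, but give no steps. The following is an added example, not BeyondTrust code, showing that path with the built-in NetLbfo cmdlets: it creates an LACP team from two physical ports and adds a tagged team interface for VLANs 10 and 20, the same tags used in the Broadcom walk-through, then checks that the team is Up and every requested VLAN interface exists. The adapter names NIC1 and NIC2, the team name, and the VLAN IDs are assumptions; list real names with Get-NetAdapter first. Run it from an elevated session, and agree the LACP and trunk settings with the switch owner beforehand, since a mismatch takes the link down.

```powershell
# Added example (not BeyondTrust code): Server 2016 native NIC teaming with tagged VLANs.
#Requires -RunAsAdministrator
param(
    [string]$TeamName = 'Team1',
    [string[]]$Members = @('NIC1', 'NIC2'),   # assumed physical adapter names
    [int[]]$VlanIds = @(10, 20)
)

function Assert-AdaptersPresent {
    param([string[]]$Names)
    $missing = $Names | Where-Object { -not (Get-NetAdapter -Name $_ -ErrorAction SilentlyContinue) }
    if ($missing) {
        throw ("Adapters not found: {0}. Run Get-NetAdapter to list the real names." -f ($missing -join ', '))
    }
}

function New-TaggedTeam {
    param([string]$Name, [string[]]$TeamMembers, [int[]]$Vlans)

    Assert-AdaptersPresent -Names $TeamMembers

    if (-not (Get-NetLbfoTeam -Name $Name -ErrorAction SilentlyContinue)) {
        # Lacp = 802.3ad link aggregation negotiated with the switch.
        # Use -TeamingMode SwitchIndependent if the switch cannot do LACP.
        New-NetLbfoTeam -Name $Name -TeamMembers $TeamMembers `
            -TeamingMode Lacp -LoadBalancingAlgorithm Dynamic -Confirm:$false | Out-Null
    }

    foreach ($id in $Vlans) {
        $existing = Get-NetLbfoTeamNic -Team $Name -ErrorAction SilentlyContinue |
                    Where-Object VlanID -eq $id
        if (-not $existing) {
            # Each team NIC is an 802.1Q-tagged interface; it appears under Network
            # Connections and gets its IP configuration like any other adapter.
            Add-NetLbfoTeamNic -Team $Name -VlanID $id -Name "VLAN$id" -Confirm:$false | Out-Null
        }
    }
}

function Test-TaggedTeam {
    # $true only when the team reports Up and every requested VLAN interface exists.
    param([string]$Name, [int[]]$Vlans)
    $team    = Get-NetLbfoTeam -Name $Name -ErrorAction Stop
    $nics    = Get-NetLbfoTeamNic -Team $Name
    $present = @($Vlans | Where-Object { $_ -in $nics.VlanID })
    return ($team.Status -eq 'Up') -and ($present.Count -eq $Vlans.Count)
}

New-TaggedTeam -Name $TeamName -TeamMembers $Members -Vlans $VlanIds
if (-not (Test-TaggedTeam -Name $TeamName -Vlans $VlanIds)) {
    Write-Warning 'Team or VLAN interfaces are not up yet; verify the switch-side LACP and trunk settings.'
}
Get-NetLbfoTeamNic -Team $TeamName | Format-Table Name, VlanID, Primary -AutoSize
```

Expect a brief network interruption while the team forms, as with the Broadcom suite. Each VLAN interface (VLAN10, VLAN20) is then configured statically or via DHCP exactly as a normal adapter, as step 10 of the Broadcom procedure describes.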

U-Series Appliance hardening reference

This guide provides a reference for the hardening techniques applied to your Windows Server 2022 U-Series Appliance.

Due to the nature of the data contained within an appliance and the operational roles it performs, BeyondTrust has secured the platform with multiple layers of security so that its attack surface is as small as technologically possible. This includes using software security solutions embedded in the product, restricting access to the operating system, restricting the installation of third-party applications, not allowing outbound browser communications, and hardening the solution to industry standards.

Security technology

The U-Series Appliance combines operating system hardening with multiple layers of security to resist attack. Below are the configuration, software, best practice, and design measures implemented to protect the appliance from malicious activity.

Configuration changes

  • Feature Based Access:
    • Windows services are enabled or disabled as needed, based on the features enabled on the appliance.
    • Components are logically separated and can be hardened individually.
    • The Windows Server service (LanmanServer, which provides SMB file and printer sharing) is disabled by default.
  • Limited Exposed Services:
    • All non-required services are disabled and uninstalled.
    • Support for third-party software installations is prohibited, except where noted in supported Appliance software extensions and modifications below.
    • Changing the configuration of appliance features is not permitted.
  • Windows Firewall is enabled:
    • Inbound connections are blocked on all ports except those used by BeyondTrust software.

Software protection

  • Microsoft Windows Defender
  • BeyondTrust Endpoint Privilege Management

Design consideration

  • Automatic backup with encryption and password protection is configured.

Security best practices

  • Browser communications required over HTTPS
  • User installable SSL certificates
  • Disabled local browser
  • RDP access disabled by default
  • Complex password required for all configurations
  • Hardened to Center for Internet Security (CIS) and Security Technical Implementation Guides (STIGs) standards

Secure auto update

  • BeyondTrust Updater:
    • Embedded on the appliance.
    • Provides proxy services and change management for updates.
    • TLS (HTTPS) is required for update downloads on appliances.
    • Update eligibility is validated against the appliance serial number and license.
    • Updated binaries (contents) are digitally signed.
  • Security Update Package Installer (SUPI):
    • Secure download of pre-screened and validated Windows Updates.
    • Install process can be performed locally or initiated remotely.
  • BeyondTrust U-Series Appliances adhere to the following schedule for risk mitigation:
    • Operating system and database critical vulnerabilities not mitigated by Appliance Hardening and Security: 7 days from patch release.
    • Operating system and database critical vulnerabilities mitigated by Appliance Hardening and Security: 90 Days from patch release.
    • BeyondTrust critical vulnerabilities regardless of type: 30 days from identification.

Encryption

  • Credentials stored within Password Safe are protected using AES256.
  • Password Safe data in transit is encrypted with TLS v1.2.

Appliance software extensions and modifications

  • Joining the appliance to a Microsoft Windows domain is permitted, only when the instructions are provided by a BeyondTrust Support representative and they are strictly followed. Failure to follow the given procedure exactly can decrease the hardening of the appliance and lead to technical problems with its normal operation.
  • The following third-party vendor supplied software is supported for installation on the appliance by end users:
    • Thales for HSM Integration

ℹ️

Note

The installation of any third-party software on the appliance, or modifications to the appliance, its settings or its associated software, that are not explicitly referenced within this guide, or are implemented without the guidance of a BeyondTrust representative, may void your warranty.

Center for Internet Security Compliance Report

CIS is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.

The CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. The U-Series Appliances produced by BeyondTrust are hardened to the CIS Benchmark for Windows Server 2022, Level 2 Member Server as a profile.

Security Technical Implementation Guides

STIGs provide configurable operational security guidance for products being used by the DoD.

The appliances produced by BeyondTrust are regularly scanned against the Security Content Automation Protocol (SCAP) checklist, as defined by NIST. The results of these scans are listed below.

Assessment summary

  • Score - 99%
    • Passed: 218
    • Not Applicable: 53
    • Open: 4
      • CAT I: 0
      • CAT II: 4
      • CAT III: 0
  • DISA STIG v1.2.3
  • Appliance Image: 2023-R10

ℹ️

Note

A list of the Not Applicable findings can be provided upon request.

Open findings

Category II:

  • Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs (V-254245, WN22-00-000080).
    • Response: The appliance hardening includes BeyondTrust Endpoint Privilege Management for Windows; however, it is not configured in a deny-all, permit-by-exception policy out-of-the-box.
  • Windows Server 2022 must have a host-based intrusion detection or prevention system (V-254249, WN22-00-000120).
    • Response: The appliance doesn’t include a built-in HIDS or HIPS system; however, it does provide log exporting capabilities. Logs can be exported and consumed by the customer’s own HIDS/HIPS system.
  • Windows Server 2022 system files must be monitored for unauthorized changes (V-254259, WN22-00-000220).
    • Response: The appliance hardening includes file integrity monitoring (FIM); however, it doesn’t monitor against a baseline on a weekly basis.
  • Windows Server 2022: the Generate security audits user right must only be assigned to Local Service and Network Service (V-254502, WN22-UR-000120).
    • Response: Service accounts associated with BeyondTrust applications require permissions to generate security audits.

ℹ️

Note

The following STIG recommended hardening modifications, found in Security and Compliance > Local Computer Policy in the web console, were applied prior to scanning:

  • LAN Manager Authentication Level is set to Send NTLMv2 response only. Refuse LM & NTLM. Out of the box, the appliance is configured to Send NTLMv2 response only. Refuse LM.
  • FIPS Mode is enabled.
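The hardening reference above describes a state (firewall on, RDP disabled, NTLMv2-only with LM and NTLM refused, FIPS mode on) that a practitioner will want to confirm on the running appliance, in particular after applying the two Local Computer Policy changes the note lists. The following is an added example, not BeyondTrust code, that reads those settings back from their standard Windows registry and firewall locations and compares each with the STIG-expected value. It is read-only, so it does not conflict with the restriction on changing appliance configuration; run it from an elevated session. The registry paths and value meanings are the documented Windows ones (LmCompatibilityLevel 5 is "Send NTLMv2 response only. Refuse LM & NTLM", 4 is "Refuse LM"; FipsAlgorithmPolicy\Enabled 1 is FIPS mode on; fDenyTSConnections 1 is RDP off).

```powershell
# Added example (not BeyondTrust code): read back hardening settings and compare
# them with the values the STIG note above expects. Read-only; run elevated.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { 'not set' }   # a missing value is reported, not silently skipped
}

function Get-HardeningChecks {
    # Returns one object per check so the result can be filtered or exported.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $fips = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    $checks = @(
        [pscustomobject]@{
            Check    = 'LAN Manager authentication level (LmCompatibilityLevel)'
            Observed = Get-RegValue $lsa 'LmCompatibilityLevel'
            Expected = 5      # 5 = Send NTLMv2 response only. Refuse LM & NTLM
            Note     = 'Appliance ships at 4 (Refuse LM); STIG expects 5.'
        },
        [pscustomobject]@{
            Check    = 'FIPS mode (FipsAlgorithmPolicy\Enabled)'
            Observed = Get-RegValue $fips 'Enabled'
            Expected = 1
            Note     = 'Applied via Security and Compliance > Local Computer Policy.'
        },
        [pscustomobject]@{
            Check    = 'RDP disabled (fDenyTSConnections)'
            Observed = Get-RegValue $ts 'fDenyTSConnections'
            Expected = 1      # 1 = incoming Remote Desktop connections refused
            Note     = 'RDP is off by default; enable only while it is needed.'
        }
    )

    # Windows Firewall: every profile must be on. Reported as one check.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
           Select-Object -ExpandProperty Name
    $checks += [pscustomobject]@{
        Check    = 'Windows Firewall enabled on every profile'
        Observed = if ($off) { "Off: $($off -join ', ')" } else { 'All on' }
        Expected = 'All on'
        Note     = 'Inbound ports limited to those used by BeyondTrust software.'
    }

    foreach ($c in $checks) {
        $pass = ("$($c.Observed)" -eq "$($c.Expected)")
        $c | Add-Member -NotePropertyName Pass -NotePropertyValue $pass -PassThru
    }
}

$results = Get-HardeningChecks
$results | Format-Table Check, Observed, Expected, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more hardening settings differ from the STIG-expected value.'
    exit 1
}
```

A non-zero exit lets the script serve as a post-change gate: run it after applying the Local Computer Policy settings, and again after any support-guided modification, and treat a failing row as a regression to investigate rather than a value to correct by hand, since configuration changes outside the web console are not permitted on the appliance.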

U-Series Appliance Migration

The following walks you through migrating from a Windows 2012 R2 or 2016 U-Series Appliance to a Windows 2022 virtual or marketplace U-Series Appliance.

ℹ️

Note

Physical U-Series Appliances cannot be updated to Windows 2022. You must purchase a new U-Series Appliance.

Prerequisites and assumptions

  • Source U-Series Appliance is Windows 2012 R2 or 2016.
  • Target U-Series Appliance is Windows 2022.
  • Only one U-Series Appliance is running at a time.
  • The target appliance is named the same as the source appliance when deployed.
  • U-Series Appliance Management software is 3.3.1 or later on the source and target appliances.
  • BeyondInsight is a supported version on the source and target appliances.
  • If BeyondInsight Analytics & Reporting is configured on the source appliance, this must be configured on the target appliance prior to restoring the data from the source to the target appliance.
  • The process documented in this guide applies only to new U-Series Appliances.
  • No data is kept on the target U-Series Appliance prior to migration.

ℹ️

Note

The process documented in this guide applies only if the U-Series Appliance Management Software is version 3.3.1 or later. If your appliance does not have U-Series Appliance Management software 3.3.1 or later installed, please contact BeyondTrust Technical Support for assistance.

High level overview

The migration consists of the following general steps:

  • Back up and copy necessary data on the source U-Series Appliance.
  • Deploy the U-Series Appliance image to create the new machine.
  • Configure and prepare the target appliance to accept data from the source.
  • Restore and copy necessary data from the source to the target appliance.
  • Perform post migration configuration and verify the migration success.

ℹ️

Note

  • Downtime is necessary, with the following exception:
    • For an active / active setup, the U-Series Appliance can be removed from the pool before migration and re-added after migration is complete. This prevents downtime for the end user.
  • Windows Server 2022 U-Series Appliances can be deployed side by side.
  • When deploying a new machine with the same name as the previous, if both are on at the same time, DNS issues can occur.
  • TLS 1.3 may be enabled on newer 2022 images. This is not supported by BeyondInsight and Password Safe 24.1 and earlier releases and may cause errors when initiating an RDP or SSH session using Password Safe.

Migrate the U-Series Appliance

Follow the below steps to migrate your Windows 2012 R2 or 2016 U-Series Appliance to Windows 2022.

Verify software on the source

The source appliance must be running U-Series Appliance Management software 3.3.1 or later and a supported version of BeyondInsight.

ℹ️

Note

Turn off automatic updates to ensure updates are not occurring during this process.

Back up data on the source

You must back up your necessary data and then restore it on the newly created target appliance. Use the below steps to create and save a backup of your data on the source machine.

Time estimate: 15 minutes or longer depending on database size

  1. From the source appliance's management console Business Continuity > Backup and Restore page, create a backup and record the password. You'll need the password to restore the backup on the target appliance.
  2. If the backup is saved locally, use RDP to connect to the U-Series Appliance to retrieve the backup from C:\LocalBackups (or the appropriate folder if another local backup location is specified).
  3. Transfer the backup and any additional backups you want to migrate to either removable media or a network location accessible by the target U-Series Appliance.

Collect additional details and settings

Gather and save the following details and settings from the source, as they are not included in the import process:

  • Licensing: Gather BeyondTrust product license numbers from the Software and Licensing > Product Licensing page on the source appliance.
  • High Availability Pairing Settings: From the source appliance, write down what you need to replicate on the target appliance or take a screenshot from the Appliance API Keys page on the source appliance.
  • Backup Schedule: Write down what you need to replicate on the target U-Series Appliance or take screenshots of the schedules and locations from the Business Continuity > Backup and Restore page on the source appliance.
  • Feature Configuration: From the Features and Services > Appliance Feature Configuration page on the source appliance, note the settings on the BeyondInsight Database Access feature. This must match what is on the target appliance after the restore.

ℹ️

Note

If you are migrating from 2012 R2 OS, WSUS is not migrated, because it is not supported on 2022 OS.

Deploy or import the target machine

Because there is no conversion method to upgrade your existing appliance to Windows 2022, you must deploy or import the appliance image package as a new machine into your environment. Refer to the VMware vSphere Client product documentation for deploying an OVF template and to the Hyper-V product documentation for importing a virtual machine.

Restore and import data from the source appliance

Once the target appliance has been deployed and configured for use in your environment, you must restore the backup of the source appliance on the target appliance.

Time estimate: 10 minutes (assuming 600MB U-Series Appliance backup file)

  1. Log in to the U-Series Appliance and navigate to Business Continuity > Backup and Restore.
  2. Copy the U-Series Appliance backup file created from the source to C:\LocalBackups on the target, or create a backup location that points to where the backup file exists.

ℹ️

Note

RDP must be enabled to access C:\LocalBackups.

  3. Start a restore from the premigration backup.
  4. Wait until the restore completes.

Perform post migration configuration and verification

Once the restore is complete on the target appliance, you can create a backup schedule, configure BeyondInsight Analytics & Reporting, and set up high availability. We also recommend you verify the appliance settings, and that the BeyondInsight and Password Safe applications are set up and functioning the same as they were prior to migration.

Time estimate: 3 minutes

We recommend that you verify and configure, where necessary, the following items to confirm functionality of your newly migrated U-Series Appliance:

U-Series Appliance settings
  • Navigate to Business Continuity > Backup and Restore and schedule a new backup and confirm that it runs.
  • From the Appliance Feature Configuration page:
    • Verify the configured features match the feature configuration of the source appliance. Specifically, the BeyondInsight Database Access feature settings must match what was configured on the source appliance, as indicated above when collecting additional information from the source.
    • Toggle specific features on or off as necessary and verify the changes are applied successfully.
BeyondInsight and Password Safe
  • Confirm the database upgraded successfully:
    • Run C:\Program Files (x86)\BeyondTrust\BeyondInsight\REMEMconfig.exe as administrator to open the BeyondInsight Configuration tool.
    • Click the Test Connection link.
    • If the Verify Database schema version field indicates that an upgrade to the database is required, click OK.
    • Click the Upgrade Database link.
    • When the database upgrade completes, close the BeyondInsight Configuration tool.
  • Log in to BeyondInsight and confirm the following:
    • Verify all assets are listed as expected on the Assets page and that the migrated U-Series Appliance is listed as a discovery scanner.
    • Run a discovery scan to verify database writes.
    • Confirm Analytics & Reporting is configured by clicking Analytics & Reporting from the left menu.
      • If you are prompted with a warning stating Updates are available for server reporting components, navigate to Configuration > Analytics & Reporting > Configuration and follow the wizard to completion.
    • Verify you can access your saved credentials from Configuration > Discovery Management > Credentials.
    • From the left menu, click Password Safe and ensure you can access your archived sessions and that you can record new admin sessions.
  • Use the BeyondTrust Discovery Tool commands to help verify that the BeyondTrust Discovery Agent (BDA) is able to communicate with BeyondInsight after the migration, as follows:
    • On the server running BDA, open PowerShell as administrator.
    • Type: cd 'C:\Program Files\BeyondTrust\Discovery\', and then press Enter.
    • Type: .\btdiscovery.cmd <command>, where <command> is replaced with the command you wish to run.
      • To list the commands available, type: .\btdiscovery.cmd help
      • Examples:
        • Test Event Client settings: .\btdiscovery.cmd teste
        • Test Central Policy options: .\btdiscovery.cmd testc
      • Successful teste and testc command output: OK

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.