Getting Started with U-Series Appliance

Overview

This topic is intended for experienced network security administrators who want to start using a U-Series Appliance in their network to assist with protecting their organization's computing assets.

U-Series is a self-contained virtual appliance that contains the operating system, the database, the BeyondTrust BeyondInsight platform, and the BeyondTrust Password Safe solution. This guide provides the necessary details to assist you in getting familiar with your appliance and getting it deployed and set up for use in your network or cloud environment.

The U-Series v20 is the virtual version of the U-Series 20 appliance and is available for VMware, Microsoft Hyper-V and Nutanix, and the Red Hat OpenShift platform for local hosting, and also for AWS and Azure cloud marketplaces.

The virtual appliances can be deployed in your network as standalone systems or configured for high availability with or without redundancy.

Installation summary

To set up the virtual U-Series appliance, there are two types of versions: Virtual or Cloud.

  • The Virtual version has three steps to set up the U-series appliance where you do the following:
    • Download the virtual image
    • Import the virtual image
    • Configure the U-Series appliance IP address
  • The Cloud version uses a Marketplace where you import either AWS or Azure virtual images.
  • Regardless of version, you run the Appliance Deployment and Configuration Wizard.
ℹ️

The Appliance Deployment and Configuration Wizard applies to any version, that is, virtual or cloud.

Virtual appliance

1. Download virtual machine image

  1. You can download U-Series v20 VMware, Hyper-V, and Nutanix AHV, KVM images from the BeyondTrust Customer Support Portal and import them as virtual machines in your network. Virtual U-Series Appliances are based on Windows Server 2022.
    ℹ️

    Image download speed and time may vary due to the large file sizes of these images and your internet connectivity. For example, some of these files can be up to 40 GB in size.

  2. Import your specific virtual machine image.

The below sections walk you through importing the U-Series v20 appliance as a virtual machine in your environment and configuring it with an IP address so that you can access the appliance from a client web browser within the same network subnet.

Once you have completed the initial setup of your U-Series Appliance, you must run the U-Series Appliance Deployment & Configuration Wizard to complete the deployment of the appliance in your environment.

ℹ️

For steps to run the U-Series Appliance Deployment & Configuration Wizard, see Deploy and Configure BeyondTrust U-Series Appliances in Your Network.

2. Deploy / import the virtual machine

Before you can configure the Virtual U-Series Appliance, you must deploy and import the virtual image package as a virtual machine into your environment. The following images are supported:

🚧

Important information

We recommend that you do not join the Virtual U-Series Appliance to a domain. Local policy is set on the appliance and if the appliance belongs to a domain, it is possible that domain policy is pushed to the appliance overwriting the local policy. This has the potential to negatively impact appliance hardening and usage. If joining the appliance to a domain is a requirement, contact BeyondTrust Services for assistance.

Deploy the virtual machine into VMware using vSphere client

  1. In vSphere Client, select File > Deploy OVF Template.
  2. In the Deploy OVF Template window, click Browse.
  3. Browse to the folder containing the .ova package you downloaded, select it, and click Open.
  4. Click Next and complete the wizard to deploy the virtual machine image.

Import the virtual machine into Microsoft Hyper-V using Hyper-V Manager

🚧

Important information

The following procedure is a guide only. For more detailed information about Hyper-V features, refer to Hyper-V product documentation.

  1. In Hyper-V Manager, select the host machine, then select Action > Import Virtual Machine. If the Before You Begin page appears, click Next. Otherwise, go to step 4.
  2. On the Locate Folder page, browse to the folder containing the image, and select the name.
  3. Click the Select Folder button at the bottom.
ℹ️

The folder you want to select contains three other folders (Virtual Machine, Virtual Hard Drive, Snapshots). Do not import the VHD directly.

  4. On the Select Virtual Machine page, verify that the machine appears in the list and click Next.
  5. On the Choose Import Type page, select Register the virtual machine in-place (use the existing unique ID) and click Next.
ℹ️

If the virtual machine is already registered with Hyper-V, you must delete it before the import works.

  6. The default behavior is to import the files to the default Hyper-V folders set by your server configuration. If there are any issues with the import, additional steps appear.

For example, a Virtual U-Series Appliance is configured to use a minimum of 32 GB of RAM. If your server does not support this much RAM or does not have enough RAM available, the message Memory virtual quantity above maximum appears.

  7. Review the import settings.
  8. Click Finish to import the U-Series Appliance.

Import the virtual machine into Nutanix Prism Central

Refer to the Nutanix documentation for importing images to Prism Central.

Import the virtual machine into Red Hat OpenShift

Refer to the Red Hat documentation for importing custom images.

🚧

Important information

The minimum recommended instance size is 4 CPUs and 32 GB memory.

3. Configure the U-Series v20's IP address

After the virtual images are downloaded and imported, you configure the U-Series IP address.

ℹ️

If you already know the IP for the appliance and it is accessible, the below steps are not required. The IP is configured when deploying the appliance using the U-Series Appliance Deployment & Configuration Wizard; see Run Part 1: Appliance Deployment Using the Wizard.

You can use the following account to set your IP address.

Account Name: btadmin

Password: ch@ngeM3now#!#!

ℹ️

If you completed the Deployment & Configuration Wizard, you have already changed the password. If the image has just been deployed, wait at least 10 minutes before logging in so that the post-deployment scripts can complete.

  1. Sign in to the virtual machine using the btadmin account.
  2. Double-click the Local Area Connection on the desktop.
  3. Click the Properties button.
  4. From the list, select Internet Protocol Version 4.
  5. Click the Properties button.
  6. Enter the IP address and DNS server fields, as needed.

Cloud instance

Before you can configure the Virtual U-Series Appliance, you must use either the AWS Marketplace or Azure Marketplace to set up the virtual image package as a virtual machine in your environment. The following images are supported:

Perform initial setup of U-Series Appliance cloud instance

The below sections provide steps to get you started with running a U-Series Appliance cloud instance, available from the AWS and Azure Marketplaces.

Once you have completed the initial setup of your U-Series Appliance, you must run the U-Series Appliance Deployment & Configuration Wizard to complete the deployment of the appliance in your environment.

ℹ️

For steps to run the U-Series Appliance Deployment & Configuration Wizard, see Deploy and Configure BeyondTrust U-Series Appliances in Your Network.

Open an instance from AWS Marketplace

Sign in to AWS Marketplace, and search for BeyondTrust or BeyondInsight. From the BeyondTrust marketplace website, click Continue and follow the below steps for using the 1-Click Launch or the Manual Launch options to open an Amazon Machine Image (AMI) instance in the EC2 Console.

🚧

Important information

To deploy an AWS instance you first need to purchase the image using a commercial account and then deploy to a GOV Cloud region.

For more information, see AWS Marketplace.

Use the 1-Click Launch option

  1. Click the 1-Click Launch tab.
  2. Configure the following settings:
    • Version: Select the desired UVM version from the list.
    • Region: Select the applicable region from the list.
    • EC2 Instance Type: Select m4.2xlarge or m4.4xlarge from the list.
    • VPC Settings: Select a Virtual Private Cloud (VPC) and Subnet from the lists.
    • Security Group: Select the default BeyondTrust security group from the list.
    • Select the Key Pair.
ℹ️

The key pair is required to retrieve Windows passwords for your instance. See How do I retrieve my Windows administrator password after launching an instance?.

  3. Click Launch 1-Click Launch.
ℹ️

  • Initially, port 3389 is open to all IP addresses. We recommend changing firewall settings to reflect your IP address only. Additionally, you can create an AWS security group that provides similar security protection as the firewall settings.
  • For more information on AWS security groups, see Security Groups for Your VPC.

Use the Manual Launch option

  1. Click Manual Launch.
  2. The U-Series Appliance version is selected by default.
  3. Select the region and then click Launch with EC2 Console.

Run an Azure virtual machine for the U-Series Appliance deployment

To run an Azure virtual machine, sign in to Azure Marketplace, and follow the below steps:

  1. Select Virtual Machines > Add from the menu on the left.
  2. Enter BeyondInsight in the search box.
  3. Select a deployment model and click Create.

The five steps to complete your purchase are detailed below.

Step 1: Basics

  1. Enter a virtual machine name and VM disk type.

    The VM name must be the name you want to use as the machine name for the U-Series Appliance. The name must be 15 characters or less, or it will violate the requirement below. The U-Series Appliance name is entered when you run the U-Series Appliance Deployment & Configuration Wizard.

  2. You can create a new resource group or choose an existing one.

  3. Select a location and click OK.

Step 2: Size

Choose a size. We recommend that you select a U-Series Appliance size from the recommended systems.

Step 3: Configure optional features

  • Managed Disks: Click Yes to automatically manage the availability of disks to provide data redundancy and fault tolerance without creating and managing storage accounts on your own. Managed disks might not be available in all regions.
  • Virtual Network: Virtual networks are logically isolated from each other in Azure. You can configure their IP address ranges, subnets, route tables, gateways and security settings, much like a traditional network in your data center. Virtual machines on the same virtual network can access each other by default.
  • Subnet: A subnet is a range of IP addresses in your virtual network, which can be used to isolate virtual machines from each other or from the Internet.
  • Public IP Address: Use a public IP address to communicate with the virtual machine from outside the virtual network. Choose Dynamic or Static and give it a name.
  • Extensions: Extensions are not currently supported.
  • High Availability: Select None.
  • Monitoring: Enable this feature to capture serial console output and screenshots of the virtual machine running on a host to help diagnose startup issues.
  • Click OK.

Step 4: Summary

A summary of the configuration settings is displayed. Click OK to confirm.

Step 5: Buy

  • Click Purchase to complete your order.
  • It takes several minutes for the machine to deploy. After the machine deploys, select Informational from the options under the Notifications tab.
ℹ️

  • Initially, port 3389 is open to all IP addresses. We recommend changing firewall settings to reflect your IP address only. For security purposes, limit your Internet exposure to only your IP address.
  • For more information on how to run an Azure virtual machine, see Windows Virtual Machine Pricing.
  • We recommend you use a VPN connection when you use your instance or access your assets. For more information on configuring the VPN Tunnel in Azure, see Create a Site-to-Site connection in the Azure portal.

Deploy the Azure U-Series Appliance using ARM template

You can use the Azure Resource Manager (ARM) template to help automate creating your U-Series Appliance. You can use the template in the following ways:

  • Use the template and JSON parameters provided in the code block below to create two separate JSON files and use Windows PowerShell or Azure CLI scripting to execute them.
  • You can use the template in the Azure portal with the Create with Template option and upload the JSON file to the portal. This gives the user minimal parameters, assuming defaults for some of the Azure Resource properties.

You can add your new U-Series Appliance to an existing virtual network (V-Net) or create a V-Net.

Key points to consider:

  • Licensing is applied after the U-Series Appliance is created and is not part of the ARM template.
  • When using this ARM template in the Azure portal with the Create with custom Template option, use the same resource group for both the virtual machine and virtual network.

This section assumes you have knowledge about Azure ARM templates and Microsoft Azure Cloud.

ℹ️

For more information on Azure templates, see Tutorial: Deploy a local ARM template.

ARM template parameters

The following parameters are part of the ARM template. Where you enter the parameters depends on how you launch the ARM template.

  • vmName: This is the name for the VM and is usually the same as the U-Series Appliance name configured during setup.
  • vmSize: Azure sizing for the virtual machine. The default is Standard_D2s_v3.
  • Admin Username: The credential for the administrator account.
  • Admin Password: The password for the administrator account.
  • vNet New or Existing: Specify whether to create a new virtual network or use an existing one for the VM.
  • Virtual Network Name: The name of the new or existing virtual network.
  • Virtual Network Resource Group: The name of the new or existing resource group for the virtual network.
  • Subnet name: Name of the subnet in the virtual network you want to use.
  • DNS Name: Unique DNS Name for the Public IP used to access the virtual machine.
  • Network Security Group Name ('nsgName'): Name of the new or existing NSG.

Deploy SQL free image

To deploy the SQL Free image, you must change a couple of lines in the JSON file.

From:

    "imageReference": {
        "publisher": "beyondtrust",
        "offer": "beyondinsight",
        "sku": "u-series",
        "version": "latest"
    }

To:

    "imageReference": {
        "publisher": "beyondtrust",
        "offer": "uvm-sf",
        "sku": "u-series_sf",
        "version": "latest"
    }

JSON template code block

Template JSON

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "defaultValue": "btuseries",
      "metadata": {
        "description": "Name of the VM"
      }
    },
    "vmSize": {
      "type": "string",
      "defaultValue": "Standard_DS4_v2",
      "metadata": {
        "description": "Size of the VM"
      }
    },
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "VM Admin User Name"
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
        "description": "VM Admin Password"
      }
    },
    "vNetNewOrExisting": {
      "type": "string",
      "defaultValue": "new",
      "allowedValues": [
        "new",
        "existing"
      ],
      "metadata": {
        "description": "Specify whether to create a new or existing virtual network for the VM."
      }
    },
    "virtualNetworkName": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "Name of the new/existing VNET"
      }
    },
    "virtualNetworkResourceGroup": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "Name of the new/existing VNET resource group"
      }
    },
    "subnetName": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "Name of the subnet in the virtual network you want to use"
      }
    },
    "dnsNameForPublicIP": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
      }
    },
    "nsgName": {
      "defaultValue": "",
      "type": "string",
      "metadata": {
        "description": "Network Security Group"
      }
    },
    "osDiskType": {
      "type": "string",
      "defaultValue": "Premium_LRS",
      "metadata": {
        "description": "OS Disk Type"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "eastus",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "diagStorageAccountName": "[concat(uniquestring(resourceGroup().id), 'specvm')]",
    "subnetRef": "[resourceId(parameters('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'),  parameters('subnetName'))]",
    "nicName": "nic",
    "publicIPAddressName": "publicIp"
  },
  "resources": [
    {
      "condition": "[equals(parameters('vNetNewOrExisting'), 'new')]",
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "[parameters('nsgName')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": []
      }
    },
    {
      "condition": "[equals(parameters('vNetNewOrExisting'), 'new')]",
      "apiVersion": "2018-10-01",
      "type": "Microsoft.Network/virtualNetworks",
      "name": "[parameters('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        },
        "subnets": [
          {
            "name": "[parameters('subnetName')]",
            "properties": {
              "addressPrefix": "10.0.0.0/24"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[variables('diagStorageAccountName')]",
      "apiVersion": "2018-07-01",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    },
    {
      "apiVersion": "2018-10-01",
      "type": "Microsoft.Network/publicIPAddresses",
      "name": "[variables('publicIPAddressName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "PublicIPAddress"
      },
      "properties": {
        "publicIPAllocationMethod": "Dynamic",
        "dnsSettings": {
          "domainNameLabel": "[parameters('dnsNameForPublicIP')]"
        }
      }
    },
    {
      "apiVersion": "2018-10-01",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[variables('nicName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[variables('publicIPAddressName')]",
        "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
      ],
      "tags": {
        "displayName": "NetworkInterface"
      },
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]"
              },
              "subnet": {
                "id": "[variables('subnetRef')]"
              }
            }
          }
        ],
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
        }
      }
    },
    {
      "apiVersion": "2018-10-01",
      "type": "Microsoft.Compute/virtualMachines",
      "name": "[parameters('vmName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "VirtualMachine"
      },
      "dependsOn": [
        "[variables('nicName')]"
      ],
      "plan": {
        "name": "u-series",
        "publisher": "beyondtrust",
        "product": "beyondinsight"
      },
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "storageProfile": {
          "osDisk": {
                "createOption": "FromImage",
                "managedDisk": {
                    "storageAccountType": "[parameters('osDiskType')]"
                }
            },
            "imageReference": {
                "publisher": "beyondtrust",
                "offer": "beyondinsight",
                "sku": "u-series",
                "version": "latest"
            }
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]"
            }
          ]
        },
        "osProfile": {
            "computerName": "[parameters('vmName')]",
            "adminUsername": "[parameters('adminUsername')]",
            "adminPassword": "[parameters('adminPassword')]",
            "windowsConfiguration": {
                "enableAutomaticUpdates": true,
                "provisionVmAgent": true
            }
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[reference(variables('diagStorageAccountName')).primaryEndpoints.blob]"
          }
        }
      }
    }
  ]
}
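
The constraints this page states for a cloud deployment (a VM name of 15 characters or less, and port 3389 not left open to all IP addresses) can be checked against a template before it is submitted. The following Python linter is an added example, not BeyondTrust's code; `lint_template`, its finding strings and the sample template are hypothetical and constructed for illustration, and it goes beyond the page by also flagging password parameters that are not typed `securestring` and resource locations written as literals.

```python
import ipaddress
import json

# Constructed, abridged sample shaped like the template above; not the vendor's file.
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {
    "vmName": {"type": "string", "defaultValue": "btuseries"},
    "adminPassword": {"type": "string"},
    "nsgName": {"type": "string", "defaultValue": "appliance-nsg"},
    "location": {"type": "string", "defaultValue": "eastus"}
  },
  "resources": [{
    "type": "Microsoft.Network/networkSecurityGroups",
    "name": "[parameters('nsgName')]",
    "location": "eastus",
    "properties": {"securityRules": [
      {"name": "rdp-any", "properties": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "priority": 100,
        "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
      {"name": "rdp-admin", "properties": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "priority": 110,
        "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRanges": ["443", "3389"]}}
    ]}
  }]
}
""")

ANY_SOURCE = {"*", "internet"}  # wildcard and the Internet service tag


def port_in_range(port, spec):
    """True if `port` is covered by an NSG port spec such as '3389', '3000-4000' or '*'."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, _, high = spec.partition("-")
        return low.isdigit() and high.isdigit() and int(low) <= port <= int(high)
    return spec.isdigit() and int(spec) == port


def is_open_source(prefix):
    """True if the source prefix admits every address."""
    prefix = str(prefix).strip().lower()
    if prefix in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # another service tag or a template expression; not judged here


def rule_values(props, singular, plural):
    """Collect a rule property that ARM allows in singular or plural form."""
    values = list(props.get(plural) or [])
    if props.get(singular):
        values.append(props[singular])
    return values


def lint_template(template, params=None, port=3389):
    """Return a sorted list of finding strings for an ARM template dict."""
    params = params or {}
    declared = template.get("parameters", {})
    findings = []

    # 1. Secrets typed 'securestring' are not saved to the deployment history.
    for name, spec in declared.items():
        if "password" in name.lower() and spec.get("type", "").lower() != "securestring":
            findings.append(f"param:{name}:not-securestring")

    # 2. The page limits the VM (appliance) name to 15 characters.
    vm_name = params.get("vmName", declared.get("vmName", {}).get("defaultValue", ""))
    if len(vm_name) > 15:
        findings.append("param:vmName:longer-than-15")

    for res in template.get("resources", []):
        # 3. A literal region ignores the template's 'location' parameter.
        loc = res.get("location", "")
        if "location" in declared and loc and not loc.startswith("["):
            findings.append(f"resource:{res.get('type')}:hardcoded-location")
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        # 4. Inbound allow rules that expose the management port to any source.
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            if p.get("direction", "").lower() != "inbound" or p.get("access", "").lower() != "allow":
                continue
            ports = rule_values(p, "destinationPortRange", "destinationPortRanges")
            sources = rule_values(p, "sourceAddressPrefix", "sourceAddressPrefixes")
            if any(port_in_range(port, s) for s in ports) and any(is_open_source(s) for s in sources):
                findings.append(f"nsg-rule:{rule.get('name')}:port-{port}-open-to-any")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE, {"vmName": "beyondtrust-useries-01"}):
        print(finding)
```

The `rdp-admin` rule in the sample is not reported because its source is a single /32 address, which is the form the page recommends for port 3389.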

Connect to a cloud database

You can create remote database connections to an Azure SQL database or Amazon Relational Database Service (RDS) database.

Connect to Azure SQL database

Review the information in this section to learn more about using an Azure SQL database for BeyondInsight.

Prerequisites

  • If starting a new BeyondInsight installation, ensure you have already created an empty database in Azure SQL.
  • If you are connecting to an existing database server in Azure SQL, ensure the connection string details are available.
  • BeyondInsight 22.2 or later release.

Resources

An Azure SQL database must already be created.

Configure Azure SQL

  1. Create an empty database in Azure SQL.
    • Ensure a database server is created.
    • Make a note of the connection string information.
    • Make a note of the Azure SQL Server administrator name and password. This is needed during the U-Series Configuration Wizard when you create the database.
  2. Ensure firewall rules are set up appropriately to allow your U-Series Appliance to connect to your Azure SQL machine.
ℹ️

Every Azure SQL machine has firewall rules that need to be configured in addition to general Azure firewall rules.

  3. When going through the U-Series Appliance Deployment & Configuration Wizard, on the Feature Configuration screen, select Remote for the BeyondInsight database access.

Although the Azure SQL database is already created, you must select the Create the Remote Database option on the first appliance configured to populate the empty Azure SQL database with BeyondInsight SQL Server tables.

For any additional appliances, use the existing database option on the Feature Configuration page after the first appliance is configured and the crypto key is exported.

Connect to Amazon RDS instance

Prerequisites

  • BeyondInsight 22.3 or later release
  • U-Series Appliance 4.0 or later release

Resources

A database instance must already be created.

ℹ️

For more information, see Getting started with Amazon RDS.

Configure Amazon RDS

  1. Create an empty database.

    • Ensure a database server is created.
    • Make a note of the connection string information.
    • Make a note of the Amazon RDS administrator name and password. This is needed during the U-Series Configuration Wizard when you create the connection to the service.
  2. Ensure firewall rules are set up appropriately to allow your U-Series Appliance to connect to the Amazon RDS machine.

  3. When going through the U-Series Appliance Deployment & Configuration Wizard, on the Feature Configuration screen, select Remote for the BeyondInsight database access.

    You must select the Create the Remote Database option on the first appliance configured to populate the empty Amazon RDS database with BeyondInsight SQL Server tables.

    For any additional appliances, use the existing database option on the Feature Configuration page after the first appliance is configured and the crypto key is exported.

Run the U-Series Appliance deployment and configuration wizard

Once you have completed the initial setup of your U-Series Appliance, you must run the U-Series Appliance Deployment & Configuration Wizard to complete the deployment of the appliance in your environment.

There are two distinct and separate components of the wizard to allow infrastructure teams to handle the initial deployment in the network, while leaving the feature configuration to your network security administrator, outlined as follows:

  • Part 1: Appliance Deployment - Intended for infrastructure teams, and includes the following:
    • Licensing Windows
    • Creating the appliance admin account
    • Naming the appliance
    • Setting up networking details, such as IP address settings, internet connection, timezone and time settings, and SMTP settings
  • Part 2: Appliance Configuration - Intended for security administrators, and includes the following:
    • Licensing your BeyondTrust solutions
    • Selecting your BeyondTrust solution
    • Selecting and configuring appliance features
    • Configuring user credentials for BeyondInsight, Central Policy, and BeyondTrust Updater
    • Configuring appliance backup and restore location and schedule
    • Setting up how to receive updates from BeyondTrust

Tip

Once part 1 is complete, you may complete part 2 now or at a later time. There are no time restrictions on completing the configuration.

🚧

Important information

If you purchased Professional Services, schedule your engagement with your Professional Services representative before you start configuring your appliance.

Access your appliance from web browser for the first time

To access your appliance, open a web browser from a device within the same network subnet as the appliance, and enter the IP address for the U-Series Appliance, https://[U-Series Appliance IP address].

When accessing your appliance for the first time, you are presented with a message advising you of the SSL certificate that is automatically created for the administration of the appliance to ensure encrypted communications.

Because this HTTPS SSL certificate is self-generated and not registered with a public certificate authority, your browser displays a warning message when connecting to the appliance via SSL. To avoid these warnings, install the certificate through a web browser or obtain a custom certificate from a public certificate authority.

Browser warnings are displayed until the SSL certificate is installed or a valid certificate is obtained. Check the box next to Do not show this message again if you don't want this message to display each time you access the appliance.

Click Accept to continue to the U-Series Appliance Deployment & Configuration Wizard.

🚧

Important information

After you accept the SSL certificate, the progress of the initialization scripts for your U-Series Appliance might display. This only occurs if the appliance was recently deployed and has not finished the initialization process, which can take 5-10 minutes under average processing power. If so, wait for the steps to complete before proceeding. If errors are indicated, contact Technical Support, or try re-deploying your appliance.

Run Part 1: New appliance deployment using the deployment wizard

After you accept the SSL certificate message, the BeyondTrust U-Series Appliance Deployment & Configuration Wizard starts. Part 1 of the wizard involves configuring settings related to the deployment of your appliance in your network. Follow the below steps for configuring appliance deployment.

🚧

Important information

While it is possible to rename administrator accounts later, we recommend choosing account names carefully during deployment and configuration to avoid renaming them later.

  1. Enter the Windows 2022 activation key you received from BeyondTrust, and then click License Windows.
    • Alternatively, if you have not yet purchased the appliance, click Skip to trial the appliance for 180 days.
ℹ️

  • Microsoft SQL Server can be included as part of your U-Series Appliance, or you can use your own SQL Server deployment. If SQL Server is part of your U-Series Appliance package, a SQL Server COA is included along with the Windows Operating System key and the BeyondInsight key.
  • If you do not activate Windows, once deployment is complete, an evaluation banner displays at the top of the U-Series Appliance website indicating you are using the software in evaluation mode and shows the number of days remaining for the evaluation period.

After 180 days, you must activate Windows to continue using the appliance. For more information, see Manage Licensing and Admin Accounts in the U-Series Appliance.

  1. Read through the deployment and configuration details, and then click Start Deployment.
  2. Enter a username, password, and email address to create an administrator account for the appliance.
ℹ️

This is the Windows admin account used to sign in to the appliance. It cannot be named Administrator. U-Series Appliance notifications and reports are sent to this email address.

  1. Click Create Admin.
  2. On the Appliance Name screen, enter the name for the U-Series Appliance, following the naming conventions used in your environment, and click Next.
⚠️

Warning

Once you have named your U-Series Appliance, it cannot be renamed. If at any point you need to rename the appliance, you must re-deploy the image (if it is a virtual appliance). The appliance name is stored in the BeyondInsight database and associated to the asset in BeyondInsight, so it is important to name it appropriately during deployment.

ℹ️

If creating a Cold Spare, use the same name as the source appliance.

  1. On the IP Settings screen, if you wish to keep automatically assigned IP settings, click Next. Otherwise, you can manually configure these settings for each network adapter, and then click Next.
  2. On the Internet Connection screen:
    • Select one of the following ways to connect to the internet to validate license keys and to receive updates:
      • Connect to the internet for licensing and updates. (No proxy required):** Select this option if there is an internet connection and no proxy server.
      • Connect to the Internet for licensing and updates through a proxy server: Select this option and provide the address and port number for the proxy, to use a proxy server.
      • No Internet connection. (Perform manual updates): Select this option if the U-Series Appliance does not have an Internet connection, for example in air gap environments.
    • Click Test Connection to verify connectivity.
    • Once the connectivity test shows as succeeded, click Next.
  3. On the Timezone and Time Settings screen:
    • Select a timezone from the dropdown.
    • Select one of the following date and time synchronization options:
      • Use NTP server for time: Provide the name of the Network Time Protocol (NTP) server.
      • Manually Configure Date and Time: Set the date and optionally set the time.
      • Enable VMware Tools periodic time synchronization
    • Click Next.
  4. On the SMTP Settings screen, specify the email server for the appliance software, BeyondInsight, and BT Updater to send notifications to users:
    • Enter the SMTP server address and port. The default port number is 25.
    • Optionally, select SSL to enforce SSL encryption when accessing the server.
    • Optionally, check the SMTP Server requires authentication box and enter the username and password to use credentials to access the server.
    • Click Next.
  5. Review the deployment settings to verify everything is correct. Click Back if you need to make changes; otherwise, click Finish to reboot the appliance.

Tip

It can take several minutes for the deployment settings to apply as the appliance reboots. If any errors occur, you can click the wizard's Back button to change settings, if needed.

  1. A Deployment Status page displays while the appliance is rebooting and settings are being applied.
  2. Once deployment is successful, click Proceed to Configuration Wizard.

Run Part 2: New appliance configuration using the configuration wizard

Part 2 of the wizard involves configuring settings related to how your appliance functions in your network and which application services it provides to your users. Follow the steps below to configure the appliance.

🚧

Important information

While it is possible to rename administrator accounts later, we recommend choosing account names carefully during deployment and configuration to avoid renaming them later.

  1. On the BeyondTrust Licenses screen:
    • Enter the BeyondInsight Serial Number, and then click Get License Key. The BeyondInsight License Key box is populated with the key.
    • If you do not currently have serial numbers and would like to evaluate the solution for 30 days, leave the Evaluate solution option selected. This option is not available for cloud deployments.
    • Click Next.
  2. On the Solution screen, select one of the following options that represents your implementation for the U-Series Appliance, and then click Next:
    • Single Appliance: Select this option if this appliance hosts all of your BeyondTrust products and your SQL database.
    • Database Server in a Multi-Node Deployment: Select this option if you plan to have multiple appliances and this appliance hosts your SQL database with no failover configured.
    • High Availability Pair: Select this option if this appliance hosts your SQL database and stores application data and you plan to use this appliance in a pair with another appliance that also hosts a SQL database. The pair provides failover for the database and application services.
    • SQL-less Appliance: Select this option if you have multiple appliances in your environment and this appliance either does not have SQL Server installed or you plan to configure a connection to a remote database as opposed to using the local SQL server. Check the box to enable application service failover with another appliance, if desired.
    • Cold Spare Appliance: Select this option if you plan to use this appliance as a backup appliance. This appliance serves as a duplicate of your primary appliance. It actively restores backups of the primary on a schedule. This spare appliance inherits features from the primary. Feature selection and configuration is not required.
  3. On the Feature Options screen, select one of the following options, and then click Next:
    • Select Use default features with the option to customize to have feature settings enabled based on your chosen solution. You can enable or disable features at any time after your appliance has been deployed and configured.
    • Or, select Feature Questionnaire if you aren't sure which features to select for this appliance and need some guidance. The Feature Questionnaire guides you through a series of questions to assist you in determining the features best suited for your appliance.
  4. On the Feature Selection screen, leave the defaults or click the toggles to enable or disable the features on this appliance. Click Next to configure your features.
  5. On the Feature Configuration screen, select the tab for the respective feature to set up that feature, and then click Next:
    • SQL Server Feature: Check the TCP/IP Database Connections option to enable external database connections and provide SQL credentials for those databases.
    • BeyondInsight Database Access: Select the database server for BeyondInsight to use and enter the database credentials.  
      • For a local database, if the provided username doesn't exist, the account is created with least privilege.
      • For a remote database, provide the credentials supplied by your database administrator.
      • Optionally, enter command timeout and connection timeout values.
      • For SQL cluster deployments, configure the following:
        • Enable the Multi Subnet Failover option.
        • If the database does not yet exist on the SQL cluster, check Create the Remote Database to have the database created on the remote server. Provide the credentials for the account that has sufficient permissions to create the database. These credentials are used only once during this initial database connection and are not saved. Moving forward, BeyondInsight uses the least privileged credentials you created or provided in the above steps to connect to the database.
        • If your primary appliance is already in place, and you are connecting this appliance to the same database, you can export the Crypto Key from the primary appliance and import it here, providing the password. To create and export the Crypto Key zip file from the primary appliance:
          • From the left menu, under Security and Compliance, click Data Encryption Key.
          • Enter the encryption password and confirm it.
          • Click Export and Download Crypto Key.
    • BIUL Setup Feature:
      • Select Local to create a SQL database on the local appliance. If the provided username doesn't exist, the account is created with least privilege.
      • If you select Remote, provide the database details to access the remote database, including server name, database name, port number (default is 1433), and database credentials. The remote database must already exist.
    • Cold Spare Setup Feature: Set up the Restore Location where backups from the production server are stored. This is the server the cold spare would replace if that need ever arises, for example, in disaster recovery, failure, and network issue scenarios. The cold spare machine stores those backups and performs a restore on them at the scheduled interval. A temporary name is used to ensure there are no DNS name resolution conflicts, if your network is not segregated. This temporary name is used until the appliance is taken out of Cold Spare mode, which happens when you disable the Cold Spare feature.
    • Endpoint Privilege Management (EPM): Select the appropriate option for configuring database settings for EPM and Privileged Management Reporting (PMR), depending on the appliance and database architecture deployed in your environment:
      • Single Appliance using the Local Database: Select this option if this is the only appliance in your environment. This option applies the configuration for EPM using the SQL Server configured on this local appliance and the credentials entered on the SQL Server Feature tab.
      • Multi-node deployment using the Local Database: Select this option if you have more than one appliance deployed in your environment, SQL Server is configured on this local appliance, and you want other appliances to be able to connect to the database on this appliance. This option applies the configuration for EPM using the local SQL Server and the credentials entered on the SQL Server Feature tab.
        • You must select this local appliance from the Server Name dropdown and it must be the FQDN or IP address of this appliance (not localhost).
      • Multi-node deployment using Remote Database (first time connecting): Select this option if you have more than one appliance deployed in your environment, the BeyondInsight and EPM databases are on remote SQL Servers, and no appliances have ever been configured to connect to the EPM database. This option saves the connection details to the remote BeyondInsight database.
        • Enter the FQDN or IP address of the remote server where the EPM database exists.
        • The EPM database must already exist on the destination server.
        • Enter the SQL credentials provided by your database administrator to connect to the EPM Event Collector and PMR Report Reader.
        • Test the connection settings.
      • Multi-node deployment using Remote Database (load configuration from BeyondInsight): Select this option if you have more than one appliance deployed in your environment, the BeyondInsight and EPM databases are on remote SQL Servers, and the EPM configuration has already been saved to the remote BeyondInsight database (as other appliances have previously been configured to connect to the EPM database).
        • The remote database must be configured on the BeyondInsight Database Access tab.
ℹ️

Only the features that are applicable to the appliance, based on your selection, are enabled here for configuration. After initial deployment and configuration is complete, you can edit the appliance feature configuration by clicking Appliance Feature Configuration, under Features and Services from the sidebar.

  1. On the User Credentials screen, enter login credentials for the following user accounts: BeyondInsight, Central Policy, and BeyondTrust Updater.
  2. On the Backup and Restore screen, set up the location and schedule for backup files. Alternatively, select I will setup my Appliance later through the Appliance User Interface to create backups later from the Business Continuity > Backup and Restore page. Click Next.
  3. On the Updates page, select to install updates from the BeyondTrust Update Server or from an internal BeyondTrust Updater Enterprise server. Optionally, select Do not check for updates to opt out of this feature. Click Next.
  4. A Review page displays a summary of the settings you configured. Verify everything is accurate. Click Back if you need to make changes; otherwise, click Next.
  5. A Configuration Status page displays while the settings are being applied.
  6. Once configuration is successful, click Finish. You are directed to the BeyondInsight login page on your appliance. Your appliance is now ready to use.
ℹ️

The BeyondInsight configuration provides the same least privilege SQL Server account during the database configuration.
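
Before entering remote database details on the BeyondInsight Database Access or BIUL Setup tabs, you can confirm from a Windows host that the SQL port is reachable, that the database already exists, and that the login supplied by your database administrator is not a sysadmin. The following PowerShell script is an added example, not BeyondTrust code; the server name, database name, and timeout are placeholders, and it assumes Windows PowerShell 5.1 with SQL authentication.

```powershell
# Added example (not BeyondTrust code). Server, database, and timeout values
# are placeholders; replace them with the details from your DBA.
param(
    [string]$Server      = 'sql-listener.example.internal',  # placeholder FQDN
    [int]$Port           = 1433,                              # wizard default port
    [string]$Database    = 'ExampleRemoteDb',                 # placeholder name
    [int]$ConnectTimeout = 15                                 # seconds (assumed)
)

$cred = Get-Credential -Message 'SQL login supplied by your database administrator'

# 1. Confirm the SQL Server port is reachable from this host.
$probe = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) { throw "Cannot reach ${Server}:${Port} over TCP." }

# 2. Build the connection string without embedding the password.
#    Keys are set through the indexer using connection-string keywords.
$csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$csb['Data Source']         = "tcp:$Server,$Port"
$csb['Initial Catalog']     = $Database   # Open() fails if the database is missing
$csb['Connect Timeout']     = $ConnectTimeout
$csb['MultiSubnetFailover'] = $true       # mirrors the SQL cluster option

$securePwd = $cred.Password.Copy()
$securePwd.MakeReadOnly()                 # SqlCredential needs a read-only SecureString
$sqlCred = New-Object System.Data.SqlClient.SqlCredential($cred.UserName, $securePwd)
$conn    = New-Object System.Data.SqlClient.SqlConnection($csb.ToString(), $sqlCred)

try {
    # Throws on bad credentials, a missing database, or no access to it.
    $conn.Open()

    # 3. Flag a login that is clearly not least privilege.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
    $isSysadmin = [bool][int]$cmd.ExecuteScalar()

    [pscustomobject]@{
        Server = $Server; Database = $conn.Database
        Login  = $cred.UserName; IsSysadmin = $isSysadmin
    }
    if ($isSysadmin) {
        Write-Warning 'Login is a sysadmin; ask the DBA for a least-privilege account.'
    }
}
finally { $conn.Dispose() }
```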

For advanced configuration of the U-Series appliance, see Advanced configuration.

