Email configuration

What is email configuration?

Email configuration allows administrators to set up and manage email notifications for various events within the BeyondTrust system, such as session invitations, alerts, and updates.

How is email configuration useful?

Email configuration enables the automation of communication within the BeyondTrust system, ensuring users are promptly notified about important events. It helps streamline support processes and improves communication between administrators, support staff, and customers.

How do I access the Email Configuration page?

1. Use a Chromium-based browser to sign in to your Privileged Remote Access URL.
   This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
2. From the left menu, click Management.
   The Software page opens and displays by default.
3. At the top of the page, click Email Configuration.
   The Email Configuration page displays.

How to configure email notifications

Email address

ℹ️

Note

If a B Series Appliance is designated as a backup B Series Appliance or a traffic node, the email configuration for that B Series Appliance will be overwritten with the email configuration defined on the primary B Series Appliance.

From address

Set the email address from which automatic messages from your B Series Appliance will be sent.

SMTP relay server

Configure your B Series Appliance to work with your SMTP relay server in order to send automatic email notifications of certain events.

SMTP relay server

Enter the hostname or IP address of your SMTP relay server.

SMTP port

Set the SMTP port to contact this server on.

SMTP encryption

If your SMTP server supports TLS encryption, choose TLS or STARTTLS. Otherwise, select None.

SMTP authentication type

To use a form of authentication with this server, select either Username and Password or OAuth2. Otherwise, select None.

Username and password

Enter a username and password to configure this form of authentication.

OAuth2

Admin contact

Default admin contact email addresses

Enter one or more email addresses to which emails should be sent. Separate addresses with a space.

Send daily communication notice

You can have the B Series Appliance send a daily notification to ensure that alert communication is working correctly.

In addition to the test email and daily communication notices that can be configured above, emails are sent for the following events:

• During any failover operation, the product version on the primary node does not match the product version on the backup node.

• During a failover status check, any of the following problems are detected.

  • The current B Series Appliance is the primary node and a shared IP address is configured in /login, but its network interface is not enabled.
  • A shared IP address is configured in /login but is not listed as an IP address in /appliance.
  • The backup node could not contact the primary node, and it also could not contact any of the test IP addresses configured on the Management > Failover page.
  • The backup node could not contact any of the test IP addresses configured on the Management > Failover page.
  • The backup node's backup operations are disabled on the Management > Failover page.
  • The backup node unexpectedly failed to perform a probe of itself, indicating that it is malfunctioning.
  • The backup node failed to contact the primary node using the primary node's hostname.
  • Automatic failover is disabled, and the backup node failed to probe the primary node.
  • Automatic failover is enabled, and the backup node failed to probe the primary node. The backup node will automatically become the primary node if the primary node remains unresponsive.
  • Automatic failover is enabled, and the backup node is automatically becoming the primary node because the primary node was down for too long.
  • The primary node failed to perform a data sync with the backup node sometime in the past 24 hours.

  Send a test email when the settings are saved

  If you wish to receive an immediate test email to verify that your SMTP settings are accurately configured, check this option before clicking the Save button.

Configure OAuth2 for Entra ID

ℹ️

Note

Before starting configuration on Entra ID, an Azure/Office 365 Administrator must enable Authenticated SMTP for each account on Exchange online. To do this, go to Office 365 Admin Portal (admin.microsoft.com) > Active Users > Mail > Manage Email apps and check Authenticated SMTP.

Configure Entra ID

1. Log into your Azure console (portal.azure.com), navigate to Entra ID, and follow instructions there for registering a new application.
2. The redirect URI is https://{URL OF YOUR APPLIANCE}/login/smtp-verification.
3. Note the following, as they are required later:
   • Application (client) ID
   • Authorization endpoint
   • Token endpoint
   • Client secret

Provide credentials to the SMTP relay server

1. Within the Privileged Remote Access admin interface, navigate to Management > Email Configuration.
2. Under SMTP Authentication Type, select OAuth2, and enter the following information:
   • Email: The email address for the SMTP relay.
   • SMTP OAuth Provider ID: The application ID noted earlier.
   • SMTP OAuth Client Secret: The client secret noted earlier.
   • SMTP OAuth Scopes: Enter https://outlook.office.com/SMTP.Send offline_access.
   • SMTP OAuth Authentication Endpoint: The authorization endpoint noted earlier.
   • SMTP OAuth Token Endpoint: The token endpoint noted earlier.
3. Click Save.
4. Now you can verify and connect the provider account. Click Verify Oauth2 Provider.

ℹ️

Note

Ensure you are logged into the provider portal as the email address for the SMTP relay, entered above, in the same browser session. You may need to log out of your personal or admin account.

Configure OAuth2 for Google

Configure Google Cloud

1. Log in to your Google Cloud Platform console (Google Dev Console) (console.cloud.google.com). Use the correct Gmail account, as only the owner of the project is able to work with the project. If you do not already have a paid account, you might choose to purchase an account by clicking Activate in the top banner. BeyondTrust cannot provide assistance with purchasing an account. Click Learn More in the top banner for information regarding the limitations of free accounts.
2. Click CREATE PROJECT. You can also use an existing project.
3. Accept the default Project Name, or enter a new name.
4. Accept the default Location, or select a folder from those available for your organization.
5. Click CREATE.
6. The APIs and services page appears. Click Library in the left menu.
7. Search or browse for the Gmail API in the library, and click it.
8. The Gmail API appears on its own page. Click ENABLE.
9. The Gmail API Overview page appears. Click APIs & services in the upper left.
10. The APIs and services page appears again. Click OAuth consent screen in the left menu.
11. Select the User Type. Internal allows only users from within the organization, but requires a Google Workspace account.
12. Click CREATE.
13. Enter the App name.
14. Enter a User support email address. This may default to the address you are using to create the project.
15. Enter a logo for the app, if desired. The App domain section is also optional.
16. Add the Authorized domains. For BeyondTrust test appliances, these are:
    • qabeyondtrustcloud.com
    • bomgar.com
17. Enter the Developer contact information. This is the email address you are using to create the project.
18. Click SAVE AND CONTINUE.
19. Under the Scopes tab, click ADD OR REMOVE SCOPES. This opens the Update selected scopes window.
20. Locate and check the scope https://mail.google.com/ for the Gmail API.

ℹ️

Note

The API does not appear if it has not been enabled.

21. Click UPDATE. The Update selected scopes window closes.
22. Click SAVE AND CONTINUE.
23. Under the Test users tab, click ADD USERS. This opens the Add Users window. Add the users that have access to the application and click ADD. Note the limits on test user access and related restrictions.
24. Click SAVE AND CONTINUE.
25. Review the Summary, and make any necessary changes or corrections.
26. Click BACK TO DASHBOARD.
27. Click Credentials in the left menu.
28. Click CREATE CREDENTIALS in the top banner and select OAuth client ID.
29. On the create credentials page, select Web application for the Application type. Additional fields appear when this is selected.
30. Enter a name for the application.
31. Scroll down to Authorised redirect URIs and click ADD URI.
32. Enter the Authorization Redirect URI in the form of https://{URL OF YOUR APPLIANCE}/login/smtp-verification.
33. Click CREATE.
34. A window confirms creation of the OAuth client, and shows the Client ID and Client Secret. Click to download a JSON file. The file contains information that is needed in the next steps.
35. Click OK to return to the APIs and services page.

Provide credentials to the SMTP relay server

1. Within the Privileged Remote Access admin interface, navigate to Management > Email Configuration.
2. Under SMTP Authentication Type, select OAuth2, and enter the following information:
   • Email: The email address for the SMTP relay.
   • SMTP OAuth Provider ID: The client_id from the JSON file generated during the Google configuration.
   • SMTP OAuth Client Secret: The client_secret from the JSON file generated during the Google configuration.
   • SMTP OAuth Scopes: Enter https://mail.google.com/.
   • SMTP OAuth Authentication Endpoint: The auth_uri from the JSON file generated during the Google configuration.
   • SMTP OAuth Token Endpoint: The token_uri from the JSON file generated during the Google configuration.
3. Click Save.
4. Now you can verify and connect the provider account. Click Verify Oauth2 Provider.

ℹ️

Note

Ensure you are logged into the provider portal as the email address for the SMTP relay, entered above, in the same browser session. You may need to log out of your personal or admin account.