Configure the Virtual Appliance
- From the /appliance interface of your BeyondTrust SRA Virtual Appliance, log in using admin as the username and password as the default password. You are prompted to change your password the first time you log in.
- Next, go to Networking > IP Configuration.
- Under the NIC Configuration section, click Add New IP.
- Enter the static IP address and subnet mask for your B Series Appliance. You can decide if this IP addresses session traffic, web traffic, or both. Then click Save Changes.
- Under the Global Network Configuration section, set your default gateway. Configuring DNS servers is not required but we highly recommend it. After entering the required information, click Save Changes.
Note
Valid DNS settings are required for failover and automatic updates to function properly. To help determine the appropriate IP and DNS configuration for your network, see B Series Appliance in the network.
- Wait for the format to complete, and then go to Status > Health to verify that the needs of the SRA Virtual Appliance are being met.
- Go to Security.
- Configure a certificate using one of the following four options.
- Obtain a free TLS certificate from Let's Encrypt
- Create a certificate signing request
- Import the certificate
- Self-signed certificate
This option is not recommended, but may be used temporarily for testing.
URL reference
<https://support.example.com/login> - User Administration
<https://support.example.com/appliance> - Appliance Administration
Console administration
After you have finished deploying your SRA Virtual Appliance, you can launch the virtual machine console to access some administrative functions.
The first screen of the virtual machine console lists the hostnames and IP addresses for this SRA Virtual Appliance.
Press Enter to view the configuration menu. From here, you can log in to make configuration changes, or use the support tunnel to enable the BeyondTrust Technical Support to resolve complex issues with your B Series Appliance.
Manage configuration options
Logging in provides additional configuration options. You can update your network settings, allow an advanced support tunnel, shut down or reboot the SRA Virtual Appliance, or reset the B Series Appliance password or a site's administrative password.
The Networking option allows you to manage the hostname, IP addresses, the default gateway, static routes, and DNS servers.
Select a network interface to manage its speed or duplex communication. From here, you also can add or edit IP addresses.
Health
The Status > Health page in the /appliance administrative interface offers information to help you ensure efficiency from your BeyondTrust SRA Virtual Appliance installation. The information presented can help you solve problems you may encounter with your SRA Virtual Appliance.
Real-time information displays in three categories: CPU, Memory, and Storage. For each category, the item's Value, Status, and any associated Notes are listed.
Value displays the specific CPU, Memory, and Storage parameters associated with your SRA Virtual Appliance installation.
Status displays green check, blue exclamation mark, or red X icons to help you quickly assess your installation's performance.
Notes are displayed when changes are recommended, or installation errors have occurred.
Status icons
-
A check icon shows you at a glance that a certain category is sufficiently configured for optimal SRA Virtual Appliance performance.
-
An exclamation mark indicates that you may need to make changes to improve performance. Suggested changes are listed in the adjacent Notes column.
-
A red X icon alerts you to a memory error situation that could cause disruptions for your SRA Virtual Appliance. The suggested changes to correct the issue associated with a red X are listed in the adjacent Notes column and may require you to contact BeyondTrust Technical Support.
Migrate sites and licenses
Existing sites and licenses can be migrated to a new BeyondTrust SRA Virtual Appliance using the built-in site migration tool. A manual process is also available.
BeyondTrust offers a variety of implementation service packages that provide customized migration planning and upgrade assistance. For more details, please contact your account manager.
Your existing SRA Virtual Appliance must be running a recent software version. Older versions must be upgraded before migrating.
Use the site migration tool
- Log in to the /login interface of your current SRA Virtual Appliance.
- Click on Management in the left menu.
- Click on the Software tab.
- Scroll down to Site Migration.
- Read and review the conditions and instructions there, including steps to follow after the migration is complete. Post-migration steps can be reviewed again after the migration.
- The site address and API account provided are used to download a backup from the source site and restore it onto this site automatically. The provided API account must have read-only or higher access to the command API, as well as permission to use the backup and vault encryption key APIs.
- Recordings are not included as part of this migration. If you need to retain access to existing recordings you can either keep the source appliance online with a different hostname or use the integration client to back up the recordings before doing the migration.
- The site must be a BeyondTrust Secure Remote Access site.
- Enter the Hostname, OAuth Client ID, and OAuth Client Secret.
- Click Verify Connection.
- Once the connection is verified, click OK. If the connection does not verify, review the connection information that was entered.
- Check Automatically begin site migration to start the migration after downloading the backup files. Uncheck to manually confirm each backup file.
Note
Make sure there is a local account in case LDAP providers cannot connect.
- Click Retrieve Backup.
- If the migration is not automatic, a series of pop-up notifications require confirmation for each download.
- Click OK on the last download.
- Click Migrate Site. Review the notification and click Continue.
- Pop-up notifications advise that the migration is in progress, and when it is complete.
- Click OK on the Migration Successful notification.
- Once the migration is complete, you must update the DNS of your primary hostname to point to this appliance. This will complete the migration process, and allow clients to connect to this instance and upgrade. The required steps display on the screen.
- Create a new DNS entry for the hostname that you would like to use to access the old site. You may not use the original BeyondTrust Secure Remote Access hostname shown in the Status page of /login.
- In the old site's Management > Site Configuration, add the new hostname address under HTTP. This step ensures that the old site responds appropriately to the new hostname.
- After the DNS entries are propagated, confirm that you can access the old site under the new hostname.
- Swing the DNS entries to point to this site instead of the old site.
- Wait for all DNS entries to finish propagating across the networks from which your clients resolve those addresses.
- From the old site's Status page, click Restart Software to trigger all clients to reconnect to your new site and begin upgrading themselves.
- Click Finish Migration.
- A pop-up notification confirms the migration is complete.
Manual site migration
Manually migrating your sites and licenses to a new BeyondTrust SRA Virtual Appliance can vary by environment, individual case preferences, and setup conditions. The steps below represent the most common requirements.
Back up your current SRA Virtual Appliance configuration
Follow the steps below to make a backup of your current SRA Virtual Appliance configuration:
- Log in to the /login interface of your current SRA Virtual Appliance.
- Click on Management in the left menu.
- Click on the Software tab.
- Enter and confirm a Backup Password, if desired.
- Leave Include logged session reporting data checked.
- Click Download Backup. If you did not enter a backup password, you are prompted to confirm you want to proceed without one.
- Save the backup file to a secure location.
Export your existing SSL certificate chain from your current SRA Virtual Appliance
Next, export your existing SSL certificate chain from your current SRA Virtual Appliance:
- Log in to the /appliance interface of your current SRA Virtual Appliance.
- Browse to the Security tab, the Certificates sub-tab, and then the Certificates section.
- Check the box next to your correct BeyondTrust site certificate.
- Select Export from the Select Action dropdown box, and click Apply.
- On the next screen, choose ALL options: Include Certificate, Include Private Key, and Include Certificate Chain (if available).
- Click the Export button.
- Save this file to a secure location.
Install the new software version
Use the directions in the BeyondTrust SRA Virtual Appliance Installation Kit to install the software in your virtual environment. These include instructions on how to access the /appliance web interface via an IP address.
Note
You must allocate storage space before booting your BeyondTrust SRA Virtual Appliance.
You must install Base software update(s) on the new SRA Virtual Appliance. There is a separate email containing instructions on how to install and update the Base software for the new SRA Virtual Appliance. The Base software is tied to the new SRA Virtual Appliance serial number.
Locate the SSL chain exported earlier, and import it into the SRA Virtual Appliance.
- To do this, log in to the /appliance interface of your new SRA Virtual Appliance.
- Click the Security tab, then the Certificates sub-tab.
- Select Import.
- Browse to the certificate file that you previously exported, and click Upload.
- Mark this as the default certificate by clicking the radio button in the right hand column of the Certificate description.
Install a license package
Once the previous steps are completed, install the Secure Remote Access software following the steps in Upgrade Remote Support.
- If the SRA Virtual Appliance has internet access, follow the steps for automatic updates.
- If the SRA Virtual Appliance does not have internet access, follow the steps for manual updates.
You now should have a functioning support portal and be able to access the /login interface to create user accounts and manage other settings.
- For your first login, use the credentials emailed with the license information.
Note
If you are trying to reach /login by using the IP address and not the hostname, you need to mark the new site as the default site. This setting is located at /appliance > Status > Basics > Default Site.
- Once logged in, click Management, then Software Management.
- Click Choose File and locate the backup file you created at the beginning of the process. A warning appears to remind you that you also need to provide a Vault key backup if you are restoring a configuration containing Vault credentials onto a new SRA Virtual Appliance.
- Click Yes, and then click Upload Backup.
- Next, update the DNS record and confirm login.
- Update the DNS A-record to route BeyondTrust site traffic to the IP address of the new SRA Virtual Appliance.
- Log in to your console and allow it to update (if applicable for your situation).
- Test by starting a session.
Note
DNS changes can take up to 72 hours to propagate.
To migrate currently deployed Jump Clients over to the new SRA Virtual Appliance, you must power down the old SRA Virtual Appliance.
FAQs
The following are some of the questions frequently asked about administering the SRA Virtual Appliance and answers to these questions from BeyondTrust Technical Support.
VMware
Can I install VMware tools onto my BeyondTrust SRA Virtual Appliance?
The BeyondTrust SRA Virtual Appliance ships with the VMware guest tools pre-installed.
Can a time skew between my ESXi host and my BeyondTrust SRA Virtual Appliance cause connectivity issues?
Yes, any time difference between the BeyondTrust SRA Virtual Appliance and the host ESXi server can cause connectivity issues. To prevent this, specify a valid NTP source in the SRA Virtual Appliance /appliance interface as well as ensuring that your ESXi host is using a valid NTP source. VMware also has an option to sync the guest OS time with the host ESXi server time. If you use this option, then the NTP source within the BeyondTrust SRA Virtual Appliance does NOT need to be set. It is recommended to use one method or the other but NOT both together.
What version of VMware is supported to host the BeyondTrust SRA Virtual Appliance?
BeyondTrust certifies support for VMware vCenter 6.5+, Virtual Hardware Version 13+.
Does the BeyondTrust SRA Virtual Appliance require reserved resources in VMware?
For troubleshooting purposes, a BeyondTrust Technical Support representative may require the BeyondTrust SRA Virtual Appliance to have reserved resources to effectively diagnose a support issue.
Does BeyondTrust support using the VMware snapshot functionality?
BeyondTrust supports the use of the snapshot technology only in upgrade situations. A snapshot of a powered-off BeyondTrust SRA Virtual Appliance can be taken prior to an upgrade and can be utilized as a fallback in the case of a failed upgrade.
Note
BeyondTrust does not recommend or support taking snapshots of actively running SRA Virtual Appliances.
Can I run the BeyondTrust SRA Virtual Appliance in my clustered VWware environment?
Yes, when installed in a vSphere cluster, the BeyondTrust SRA Virtual Appliance can benefit from many of VMware's value-added technologies, such as VMotion, DRS, and HA, to maximize performance and uptime.
Can I specify an alternate disk for recordings?
Yes, in some cases you may want to separate the disks for recordings if your VMware environment has tiered storage. Add a third disk to your BeyondTrust SRA Virtual Appliance and reboot. Once the BeyondTrust SRA Virtual Appliance is rebooted, the third disk is provisioned and used for recordings.
The virtual hardware of my BeyondTrust SRA Virtual Appliance is currently on an old version and needs to be upgraded. What are BeyondTrust's recommendations for virtual hardware version upgrades?
BeyondTrust certifies support for VMware vCenter 6.5+, Virtual Hardware Version 13+.
If your configuration does not match one of the above configurations, BeyondTrust does recommend updating the virtual hardware version of your BeyondTrust SRA Virtual Appliance.
What is the error: "The OVF certificate file is invalid"?
When importing a new BeyondTrust SRA Virtual Appliance to VMware using the OVA installation package, it is possible for VMware to return an error stating "The OVF certificate file is invalid". This happens when attempting to import the OVF file which is packaged inside the B Series Appliance's .ova file. This would require extracting the contents of the OVA package, and this would invalidate the package as a whole. To resolve this, re-download the OVA file and re-import it without extracting the OVA. If using Internet Explorer, it may be necessary to replace .tar with .ova in the download's file extension.
Should the second virtual disk use thick or thin provisioning?
In current versions, the OVF template automatically chooses thick provisioning for the second and (if present) third virtual disk(s).
According to ESXi and vCenter Server 5 Documentation, thin provision initially allocates only the space actually needed by the virtual machine and grows dynamically as needed. In contrast, both forms of thick provisioning allocate all the assigned disk space to the virtual machine upon creation, locking it from use by other machine. Although the SRA Virtual Appliance is expected to operate correctly with thin provisioning, this is not the preferred choice.
Why does the virtual applance download come as a .tar file?
When using Internet Explorer, BeyondTrust's OVA installer may download as a BeyondTrust-br.v.2.tar file instead of BeyondTrust-br.v.2.ova. To install the file per the SRA Virtual Appliance Setup Guide, replace the .tar extension with .ova and follow the guide as normal.
Can the virtual hard disks be stored in multiple datastores?
Some customers with BeyondTrust SRA Virtual Appliances may be interested in distributing the various SRA Virtual Appliance disks across multiple VMware datastores. BeyondTrust does support this configuration, so we expect our SRA Virtual Appliances to work satisfactorily when their virtual drives are located in different datastores from one another.
Hyper-V
What version of Hyper-V is supported to host the BeyondTrust SRA Virtual Appliance?
BeyondTrust certifies support of Hyper-V on Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. We support both a stand alone Hyper-V server and Windows Server with the Hyper-V Role installed.
Does BeyondTrust support using the Hyper-V snapshot functionality?
BeyondTrust supports the use of the snapshot technology only in upgrade situations. A snapshot of a powered-off BeyondTrust SRA Virtual Appliance can be taken prior to an upgrade and can be utilized as a fallback in the case of a failed upgrade.
Can I specify an alternate disk for recordings?
Yes, in some cases you may want to separate the disks for recordings if your Hyper-V environment has tiered storage. Add a third disk to your BeyondTrust SRA Virtual Appliance and reboot. Once the BeyondTrust SRA Virtual Appliance is rebooted, the third disk is provisioned and used for recordings.
The virtual hardware of my BeyondTrust SRA Virtual Appliance is currently on an old version and needs to be upgraded. What are BeyondTrust's recommendations for virtual hardware version upgrades?
For Hyper-V, BeyondTrust supports only Generation 2 virtual machines at this time. The VA image is delivered as a Generation 2 VM.
If your configuration does not match the above configuration, BeyondTrust does recommend updating the virtual hardware version of your BeyondTrust SRA Virtual Appliance.
Microsoft Azure
Is the Azure Classic deployment model supported?
No. The only supported model is Azure Resouce Manager (ARM).
Do I need to configure the Windows PowerShell script differently if I have a premium storage account?
Yes. If you have a premium storage account, you need to modify the vmSize information in STEP 2 of the script to indicate Premium along with the applicable size.
Can I use any additional Azure features provided by using Azure Linux Agent with my BeyondTrust SRA Virtual Appliance?
BeyondTrust does not support any of these features at this time.
Do I need to enter my public IP anywhere in the BeyondTrust /appliance interface?
No. The Azure network layer maps the public IP to the private IP. The BeyondTrust SRA Virtual Appliance assigns the private IP using DHCP.
Is failover needed? Is failover supported for Microsoft Azure?
Although the risk for downtime is much lower within Azure, it is still possible to need a failover B Series Appliance. Failover is supported in Azure; however, IP sharing does not work with Azure networking. A DNS swing is needed to failover to a backup B Series Appliance.
Do I need a static IP for my BeyondTrust SRA Virtual Appliance?
Assigning a static IP is the easiest way to ensure there are not any DNS issues across reboots and also to make sure any integration points that require an IP address work properly. However, assigning a CNAME record for your SRA Virtual Appliance's DNS entry should suffice for most deployments.
General issues
Can an evaluation SRA Virtual Appliance be converted to production?
Yes, the existing SRA Virtual Appliance can be converted to production.
Once the SRA Virtual Appliance licenses are purchased, confirm your intent to convert to production with your Account Manager.
Can available resources be modified?
It is possible to add additional resources to a BeyondTrust SRA Virtual Appliance, and it is possible to decrease available memory and CPU cycles; however, it is not possible to decrease available storage safely, and none of the above should be done when the B Series Appliance is powered on. After shutting down the B Series Appliance and making your changes, the SRA Virtual Appliance should recognize the changes upon next boot.
SRA Virtual Appliances have either two or three virtual hard disks, depending on which configuration was selected during deployment: Small, Medium, or Large. Small and Medium deployments have two disks, while Large deployments have three. The first disk is used for the root of the operating system in all three cases while the second disk is used for /login site data and recordings in Small and Medium deployments.
In Large deployments, recordings are moved from the second disk to the third. If your SRA Virtual Appliance was originally deployed with two virtual hard disks, you can add a third later, and the B Series Appliance automatically stores session recordings on the third disk. The B Series Appliance cannot use more than three disks.
- Shut down the BeyondTrust SRA Virtual Appliance.
- Adjust the RAM and/or CPU allocation and/or increase the disk space using VMware.
- Power on the BeyondTrust SRA Virtual Appliance.
Can the SRA Virtual Appliance fail over to a slower storage tier?
Organizations may choose to present storage to SRA Virtual Appliances by means of tiered storage in a SAN. "Fast-tier 1" storage typically refers to arrays which employ SSD technology for frequently accessed data, and "slow" storage typically refers to data placed on technologies such as SAS, NL-SAS, or SATA. Either of these work with BeyondTrust, but certain storage configurations are not supported when using two B Series Appliances in failover.
In cases where the primary SRA Virtual Appliance has storage in SSD / tier-1 storage, these rules apply to the backup B Series Appliance:
- Large SRA Virtual Appliances must be provisioned with storage of the same tier.
- Small and Medium SRA Virtual Appliances may have lower tier storage if it is backed by 10K or 15K disks.
- No backup SRA Virtual Appliance may have less than 10K / 15K disk storage speed.
The exact specs for Small, Medium and Large are described in the product specific deployment sections of this document. It is important to note that BeyondTrust does not require any particular tier for a SRA Virtual Appliance to boot and function in isolation. Tiered storage becomes a concern only when two B Series Appliances are used in failover.
Is cloning SRA Virtual Appliances supported?
After a BeyondTrust SRA Virtual Appliance is installed in an ESX or ESXi environment, the administrator may wish to clone the B Series Appliance. Cloning a virtual machine creates a duplicate of the virtual machine with the same configuration and installed software as the original. This feature of ESX and ESXi is not supported by the BeyondTrust SRA Virtual Appliance at this time.
Does the SRA Virtual Appliance support vCenter Site Recovery Manager (SRM)?
vCenter's Site Recovery Manager (SRM) builds off of vSphere Replication to provide disaster recovery. Administrators running BeyondTrust in a vCenter system may be interested in leveraging this with BeyondTrust SRA Virtual Appliances. While BeyondTrust is expected to work with vCenter SRM, restoring from a replication like this would appear to the B Series Appliance like pulling the power cable, so there would be a risk for file system corruption, which may result in potential data loss.
Updated 5 days ago