Virtual Appliance installation
What is the Secure Remote Access Virtual Appliance?
The SRA Virtual Appliance is a software-based version of the BeyondTrust B Series Appliance, designed to provide the same secure remote access and support functionalities as the physical appliance. It runs as a virtual machine (VM) in your organization's data center or cloud environment. The virtual appliance enables secure, encrypted connections for remote support, privileged access management, and system monitoring without the need for dedicated hardware.
Why is it important?
The SRA Virtual Appliance is important because it provides flexibility in deployment, offering organizations the ability to choose between physical and virtual environments based on their infrastructure needs. It ensures secure communication between users and remote systems, leveraging encryption and access control features to meet organizational security requirements. As a virtual solution, it allows for easier scalability and integration with cloud-based systems, making it ideal for organizations looking to manage remote support securely while minimizing hardware requirements.
License and sizing conditions
| Sizing Guidelines | Users | Endpoints | CPU | Memory | Disk 1 | Disk 2 |
|---|---|---|---|---|---|---|
| Small | 1 - 20 | 1 - 1,000 | 2 - 4 | 4 - 8 GB | 8 - 128 GB | 64+ GB |
| Medium | 20 - 75 | 1,000 - 10,000 | 4 - 8 | 16 - 32 GB | 32 - 256 GB | 132+ GB |
| Large | 75 - 150 | 10,000 - 35,000 | 8 - 16 | 64 - 128 GB | 128 - 1024 GB | 1024+ GB |
| Enterprise | 150 - 300 | 35,000 - 50,000 | 16 - 32 | 128 - 512 GB | 512 - 4096 GB | 1024+ GB |
| Atlas | 300 - 3,000 | 50,000 - 250,000 | Enterprise | Enterprise | Enterprise | Enterprise |
Note
- For Atlas deployments please work with your solutions engineer for more detailed architecture planning.
- If you are an existing BeyondTrust customer and anticipate increasing to more than 300 concurrent users, please log into the Customer Portal to chat with Support, to ensure that the resources allocated meet your needs. Most situations over 300 concurrent users require transitioning to an Atlas based architecture.
- The range that your deployment falls into is influenced by variables such as API usage, console usage, size and number of Jump Groups, recording settings, failover replication frequency, and Jump Client upgrade settings.
- BeyondTrust offers a 150 Jump Clients per concurrent license.
- The above numbers assume one session per concurrent user.
- The resource specifications in this document represent recommendations. For troubleshooting purposes, BeyondTrust Technical Support may require your BeyondTrust SRA Virtual Appliance to be given reserved resources matching those listed here.
Deployment
AWS
Note
You must have an Amazon AWS account and support plan already configured. You are also responsible for registering the DNS hostname for your site.
Administrators can deploy the BeyondTrust SRA Virtual Appliance into their Amazon Web Services (AWS) environment by following the steps below.
- Open the email you received from BeyondTrust Technical Support and select the Link your AWS account(s) link to be redirected to the BeyondTrust site.
- Enter your Commercial AWS Account ID or Government AWS Account ID in the text box and click Add Account ID. Your SRA Virtual Appliance is shared with your Amazon AWS account as a Private Amazon Machine Image (AMI) within an hour. The AMI is shared to each of your AWS regions.
Note
If you are uncertain what your AWS Account ID is, the email contains a link to an Amazon help page that details how to find it.
- In the AWS EC2 Dashboard, in the AWS services section, click the EC2 link to start the wizard.
- Browse to Images > AMI.
- Select Private Images from the dropdown.
- Select the SRA Virtual Appliance (for example, BeyondTrust SRA Appliance - 6.x.x) in the AMI list. This is the base software image, which must next be updated and configured.
- Click the Launch button.
- Choose an instance type. BeyondTrust supports all T3 and M5 instance types.
Note
For more information about sizes, see License and sizing conditions.
- Click Next: Configure Instance Details.
- After configuring the instance launch details, click Next: Add Storage.
- On the Add Storage page, configure the sizes and volume types of the drives you wish to include on the AMI. A second EBS volume is set to device /dev/sdb with a size of 10GB. We recommend you increase this second disk to 100GB. If you need a large volume for recordings, and this is a cost-sensitive deployment, then you can provision a third drive and configure it as Magnetic (standard). The third drive must be added as /dev/sdg. You may enable the Encrypted option if desired.
- Click Next: Add Tags.
- Click Next: Configure Security Group.
- The Launch Wizard creates a security group which you must edit, or you can create a new security group after you deploy the image, so that the site is accessible on ports 443 and 80. This can be accomplished from Network & Security > Security Groups in the EC2 Dashboard.
- Click Review and Launch. Review your instance details and click Launch.
- Skip the option to select or create a key pair, as the instance does not allow SSH access. Instead, select Proceed without a key pair, check the acknowledgment box, and click Launch Instances.
- After the site launches, browse to Instances > Instances in the EC2 Dashboard and locate the assigned Public IP address in the Description tab. This is the IP address used to configure your B Series Appliance and your DNS A record.
Note
If you stop or terminate your Instance, you are not guaranteed to retrieve the same IP address after it reboots. To facilitate managing your DNS, we recommend purchasing an Elastic IP address.
- Navigate in a web browser to https://[Public IP address]/appliance.
- Enter your Appliance License Key provided in the email from BeyondTrust Technical Support. Click Save.
Azure
Prerequisites for Microsoft Azure
You must have a Microsoft Azure account and environment, including Microsoft Azure Resource Manager (ARM), already configured.
For deployment via Microsoft Azure, make sure the following is in place prior to deployment:
- A resource group.
- A storage account with a VHDX container.
- A VNET and subnet has been configured.
For deployment via Powershell, make sure the following is in place prior to deployment:
- Powershell AZ module installed.
- Powershell Hyper-V module installed.
Note
For more information about installing and configuring the Azure PowerShell Module, please see Install and configure Azure PowerShell.
Deploy the SRA Virtual Appliance
To deploy the BeyondTrust SRA Virtual Appliance into a Microsoft Azure environment, follow the steps below:
- Open the email you received from BeyondTrust Technical Support and click the Click Here for your BeyondTrust Virtual Appliance (Hyper-V and Azure) link to download the file.
- Click BeyondTrust Remote Support-hyperv-azure.exe within your file browser to begin installation.
- If you receive a Security Warning prompt, click Run.
- Choose where you wish the files to be extracted. Click Extract.
- When extraction is complete, Deploy-AzBeyondTrustVM.ps1, Deploy-HyperVBeyondTrustVM.ps1, and BeyondTrust-br.v.2.vhdx files appear in the location you designated during the extraction process. A PowerShell script is provided to assist in the deployment of your B Series Appliance to Azure: Deploy-AzBeyondTrustVM.ps1. A second script, Deploy-HyperVBeyondTrustVM.ps1, is provided to assist with Hyper-V deployments, and should not be used to deploy to Azure. Deploy-AzBeyondTrustVM.ps1 uses the Az module. Right-click Deploy-AzBeyondTrustVM.ps1 and click Edit.
- Once the PowerShell script opens, locate STEP 1 and modify the following variables based on the specifics of your Microsoft Azure environment:
- resourceGroupName
- storageAccountName
- location (westus, for example)
- vnetName
- subnetName
#################################################################
# Instructions
#
# This script deploys a BeyondTrust Appliance to Microsoft Azure
# STEP 1 (REQUIRED): Fill out these variables
# resourceGroupName:
# The name of the Resource Group to create the VM in
# storageAccountName: The name of the Storage Account to
# upload and create VHDs in
# NOTES: This must already exist with a container
# named the same as `$vhdFolder` (default: vhds)
# vnetName: The name of the virtual network to add the NIC to
# subnetName: The name of the subnet to add the NIC to
# location: The Location that the VM should be created in
# (must match the location of previous settings)
# vmName: What name to set the VM to in Azure
# (Name must only contain alphanumeric (A-z 0-9)
# dash (-), underscore (_), or period (.) )
#################################################################
$resourceGroupName = ""
$storageAccountName = ""
$vnetName = ""
$subnetName = ""
$location = ""
$vmName = "BeyondTrust-br.v.2"
Note
The vmName does not need to be changed.
Note
The storage account used for storing the Azure Virtual Appliance must be General purpose v2.
- In the Deploy-AzBeyondTrustVM.ps1 script, set the value of $size to the desired deployment size of your SRA Virtual Appliance. The options are:
- small
- medium
- large
Note
For more information about sizes, see License and sizing conditions.
#################################################################
# REQUIRED
# Sizes:
# small: 1-20 licenses
# medium: 21-100 licenses
# large: 100+ licenses
#################################################################
$size = "small"
#################################################################
# REQUIRED
# Subscription and Tenant are required for Az module
#################################################################
$subscription = ""
$tenant = ""
#################################################################
# STEP 2 (OPTIONAL): Change these variables as needed
# vhdFolder: The blob storage container in the storageAccount
# where VHDs will be created (default: vhds)
# createPublicIP: Whether to create this VM with or without a
# public IP [$true or $false] (default: $true)
# networkSecurityGroup: The NSG to use or create
# (if it does not exist, will create one
# with ports 80 and 443 open)
# (default: BeyondTrust-NSG
#################################################################
$vhdFolder = "vhds"
$createPublicIP = $true
$networkSecurityGroup = "BeyondTrust-NSG"
# Azure US Government Account
# Set this to $true if your account is in Azure US Government
$azureUSGovernment = $false
#################################################################
# STEP 4: Save this file and run
#################################################################
- The Az module requires a subscription and tenant ID from Azure to deploy. Enter this information.
- Change optional variables as required for your Microsoft Azure environment.
- For US government accounts, set the value of $azureUSGovernment to $true.
- Save, then run the script in Windows PowerShell.)
.\Deploy--AzBeyondTrustVM.ps1
- When prompted, enter your credentials and sign into your Microsoft Azure account.
- Next, the system configures an MD5 hash, uploads the SRA Virtual Appliance into your Azure environment, and configures a public IP address for your BeyondTrust SRA Virtual Appliance.
- You are prompted to go to the IP address configured for your SRA Virtual Appliance. The message reads For Appliance administration, go to <https://xx.xx.xx.xxx/appliance>.
- On the /appliance page, enter your Appliance License Key provided in the email from BeyondTrust Technical Support. Click Save.
- To setup a persistent URL for your SRA Virtual Appliance, you can perform one of two options:
- In the Azure console, set the SRA Virtual Appliance's external IP to static. Then assign your DNS entry to that external IP.
- Apply a DNS name within Azure. Set a CNAME record pointed to that address.
Note
For information about using BeyondTrust Vault with Microsoft Entra ID, see the Vault user guide.
Hyper-V
Prerequisites for Hyper-V
You must have a Hyper-V account and environment already configured.
Before beginning the BeyondTrust SRA Virtual Appliance setup, please review the following prerequisites:
- Hyper-V 2012 R2 (standalone or as a role) and Generation 2 hardware, Hyper-V 2016, or Hyper-V 2019.
- At least 4GB of memory available.
- At least 140GB of storage available.
- One 32GB partition for the BeyondTrust OS, and at least 100GB available for logs and recordings.
- External IP SANs require a 1Gbit or 10Gbit reserved network with a 10K RPM disk or better.
Note
For more information about sizes, see License and sizing conditions.
- A static IP for your SRA Virtual Appliance.
- A private DNS A-record resolving to the static IP of your SRA Virtual Appliance. A public A-record and a public IP are also required if public clients access the B Series Appliance. The DNS A-record is the fully qualified domain name (FQDN) of your site (support.example.com, for example).
Note
"Public clients" include any client software (browsers, BeyondTrust consoles, endpoint clients, etc.) which connect from external networks and VPN(s) local to the B Series Appliance's network.
- A valid NTP server that is reachable by the B Series Appliance.
- Ensure that the system time between the host ESXi server and the guest BeyondTrust OS are in sync. Variations by only a few seconds can potentially result in performance or connectivity issues.
Configure via Hyper-V Manager
To deploy the BeyondTrust SRA Virtual Appliance into a Hyper environment using the Hyper-V Manager, follow the steps below:
-
Open the email you received from BeyondTrust Technical Support and click the link to download the BeyondTrust SRA Virtual Appliance (Hyper-V and Azure) file. Save the file to an appropriate location so that it can be imported to your Hyper-V host, and then double-click the self-extracting ZIP file to extract your SRA Virtual Appliance.
-
Start Hyper-V Manager.
-
Ensure the server you will install the SRA Virtual Appliance is present. Right-click the desired server and select New > Virtual Machine to start the New Virtual Machine Wizard.
-
Enter a display name to easily identify the virtual machine, and choose a location for the BeyondTrust SRA Virtual Appliance. Then click Next.
-
Select Generation 2 and click Next.
-
Enter 4096 MB for a small deployment, or 8192 MB for any other size. Do not use dynamic memory. Click Next.
-
From the Connection dropdown, select the network interface option that best suits your needs, and then click Next.
-
Select Use an existing virtual hard disk and select the BeyondTrust-br.v.2.vhdx file that was extracted earlier from the download archive. BeyondTrust recommends putting the VHD file in the same location where the VM resides. Click Next.
-
Review the VM details on the Summary page and click Finish.
-
Once the VM has been created, right-click it and select Settings.
-
Click Security, and uncheck Enable Secure Boot. This helps to prevent unauthorized code from running when the machine is started.
-
Click SCSI Controller and select Hard Drive. Then click Add.
-
Click the New button to create a new virtual hard disk. The New Virtual Hard Disk Wizard launches.
-
On the Choose Disk Format page, select VHDX and click Next.
-
Choose your desired disk type on the Choose Disk Type page, and click Next.
-
On the Specify Name and Location page, provide a name and location for the virtual hard disk file. Click Next.
-
Select Create a new blank virtual hard disk and specify a size of 100 GB. Click Next.
-
Review the hard disk option on the Summary page and then click Finish.
-
If your sizing requirements are for a medium or larger virtual machine, follow the above steps to create an additional disk, and specify a size of 500 GB.
Note
For more information about sizes, see License and sizing conditions.
- Finally, right click on the virtual machine and select Connect.
- Click the Start button to start the Hyper-V virtual machine.
- From the initial console configuration screen, press Enter, and then press 1 to enter the Appliance License Key.
- Go back to the email you received from BeyondTrust Technical Support, get the Appliance License Key, enter it here, and then press Enter.
Note
If you are unable to provide the Appliance License Key at this time, you can manually enter it later from the virtual machine console.
Configure via PowerShell
To deploy the BeyondTrust SRA Virtual Appliance into a Hyper environment using PowerShell, follow the steps below:
-
Open the email you received from BeyondTrust Technical Support and click the link to download the BeyondTrust SRA Virtual Appliance (Hyper-V and Azure) file. Save the file to an appropriate location so that it can be imported to your Hyper-V host, and then double-click the self-extracting ZIP file to extract your SRA Virtual Appliance.
-
Double click BeyondTrust Remote Support-hyperv-azure.exe within your file browser to begin extraction.
-
Choose the destination directory for the extraction and click Extract.
Note
Extract to a directory where you want to run the virtual machine from.
- When extraction is complete, the following files appear in the designated location:
- Deploy-AzBeyondTrustVM.ps1: PowerShell script to assist deployment of your appliance to Hyper-V.
- Deploy-HyperVBeyondTrustVM.ps1: PowerShell script to assist Azure deployment. Not used.
- BeyondTrust-br.v.2.vhdx.
- Deploy- HyperVBeyondTrustVM.ps1 uses the Hyper-V PowerShell module. Right-click on the script and click Edit.
- Once the PowerShell script opens, locate the following variables and edit for your environment:
- $vmName: The name for the virtual machine.
- $vmLocation: The directory that the virtual machine resides in.
- $vmSwitch: The virtual switch this virtual machine uses.
- $beyondtrustVHD: The name of the VHDX. Leave as is.
###########################################################
## BeyondTrust Hyper-V Deployment script
##
## This script will create a VM using the BeyondTrust VHD.
## Refer to BeyondTrust support documentation for custom
## deployment options.
##
## Required variables:
## vmName: What do call this VM in Hyper-V
## vmLocation: the folder to create this VM in
## vmSwitch: the switch to attach this VM to
## BeyondTrustVHD:
## The name of the VHD provided by BeyondTrust.
## THIS VHD SHOULD ALREADY BE IN $vmLocation
###########################################################
$vmName = ""
$vmLocation = ""
$vmSwitch = ""
$beyondtrustVHD = "BeyondTrust-br.v.2.vhd"
- Set the value of the $size variable to the desired deployment size for your virtual machine. The options are:
- small
- medium
- large
###########################################################
## Select a size based on the number of
## licenses or endpoints. Only uncomment one.
## (Refer to BeyondTrust support for details)
##
## Small (1-20 licenses or 1-3000 endpoints) (Default)
$size = "small"
## Medium (20-100 licenses or 3001-15000 endpoints)
#$size = "medium"
## Large (100+ licenses or 15000+ endpoints)
#$size = "large"
- Save and run the script in Windows Powershell.
- Once complete, you can view the newly created virtual machine in Hyper-V Manager or via PowerShell Hyper-V commands.
| Network Location | Advantages/Disadvantages |
|---|---|
| Outside your firewall | Does not require that ports 80 and 443 be open inbound for TCP traffic on your firewall. Simplifies the setup process significantly because both consoles and clients are built to resolve to a specific DNS; if your registered DNS resolves to a public IP address directly assigned to your B Series Appliance, no additional setup is required by you to initiate a session. |
| DMZ | May require additional setup depending on your router or routers. |
| Inside your firewall | Requires port forwarding on your firewall and possibly additional setup of your NAT routing and internal DNS. |
Nutanix AHV
Prerequisites for Nutanix
You must have a Nutanix account and environment already configured.
Before beginning the BeyondTrust SRA Virtual Appliance setup, please review the following prerequisites:
- Nutanix AHV 20190916.410+.
- At least 4GB of memory available.
- At least 140GB of storage available.
- One 32GB partition for the BeyondTrust OS, and at least 100GB available for logs and recordings.
- External IP SANs require a 1Gbit or 10Gbit reserved network with a 10K RPM disk or better.
- A static IP for your SRA Virtual Appliance.
- A private DNS A-record resolving to the static IP of your SRA Virtual Appliance. A public A-record and a public IP are also required if public clients access the B Series Appliance. The DNS A-record is the fully qualified domain name (FQDN) of your site (support.example.com, for example).
Note
"Public clients" include any client software (browsers, BeyondTrust consoles, endpoint clients, etc.) which connect from external networks and VPN(s) local to the B Series Appliance's network.
- A valid NTP server that is reachable by the B Series Appliance.
- Ensure that the system time between the host ESXi server and the guest BeyondTrust OS are in sync. Variations by only a few seconds can potentially result in performance or connectivity issues.
Deploy the SRA Virtual Appliance
Administrators can deploy and configure the BeyondTrust SRA Virtual Appliance into their Nutanix AHV environment by following the steps below.
Open the email you received from BeyondTrust Technical Support, and click the Click Here for your BeyondTrust Virtual Appliance (Nutanix AHV) link to download the file. Save the file to an appropriate location to be uploaded to your Nutanix environment.
- Log in to Nutanix AHV.
- Go to Menu > Virtual Infrastructure > Images and click Add Image to upload the BeyondTrust.qcow2 file to the image repository.
- Click Next.Select the location for the image in your Nutanix cluster.
- Click Save.
- Go to Home > VM and select + Create VM.
- In the Create VM dialog, select the desired CPU and Memory configuration for this Appliance.
- Click Next.
- Click Attach Disk.
- Change Operation to Clone from Image Source and select the previously uploaded BeyondTrust image.
- Click Add.
- Click Attach Disk.
- Create a disk of at least 100GB.
- Click Add.
- Click the X next to the CD-ROM disk.
- Select UEFI under Boot Configuration.
- Click the Attach to Subnet text button.
- Select the desired network in the dropdown.
- Click Add.
- Select UEFI Mode and click Confirm on pop-up.
- Click Save.
- Nutanix AHV begins deploying the B Series Appliance.
- Wait for the appliance to deploy, then select the B Series Appliance and click Power On.
VMWare
Prerequisites for VMware
You must have a VMware account and environment already configured.
Before beginning the BeyondTrust SRA Virtual Appliance setup, please review the following prerequisites:
- VMware vCenter 6.5+ and virtual hardware versions 13+.
- At least 4GB of memory available.
- At least 140GB of storage available.
- One 32GB partition for the BeyondTrust OS, and at least 100GB available for logs and recordings.
- External IP SANs require a 1Gbit or 10Gbit reserved network with a 10K RPM disk or better.
- A static IP for your SRA Virtual Appliance.
- A private DNS A-record resolving to the static IP of your SRA Virtual Appliance. A public A-record and a public IP are also required if public clients access the B Series Appliance. The DNS A-record is the fully qualified domain name (FQDN) of your site (support.example.com, for example).
Note
"Public clients" include any client software (browsers, BeyondTrust consoles, endpoint clients, etc.) which connect from external networks and VPN(s) local to the B Series Appliance's network.
- A valid NTP server that is reachable by the B Series Appliance.
- Ensure that the system time between the host ESXi server and the guest BeyondTrust OS are in sync. Variations by only a few seconds can potentially result in performance or connectivity issues.
Deploy the SRA Virtual Appliance
To deploy the BeyondTrust SRA Virtual Appliance into a VMWare environment, follow the steps below:
- Open the email you received from BeyondTrust Technical Support, and click the link to download the BeyondTrust SRA Virtual Appliance OVA file.
- Log in to your virtual infrastructure client. You must use an account with permissions to deploy a virtual machine as an OVF template.
- On the Select an OVF Template screen, select the BeyondTrust.ova file.
- Review the OVF template details.
- Read and accept the end user license agreement.
- Specify a name for this OVF template, and select a location in the inventory to which you have rights.
- Select a configuration of Small, Medium, or Large. This selection defines your default resource allocations. Choose a configuration based on your usage needs and available resources.
Note
For more information about sizes, see License and sizing conditions.
- Select a resource pool to which you have rights.
- Select the datastore on which you want the SRA Virtual Appliance to run. This is where the operating system and session data is stored.
- Select the appropriate network mapping for your environment. Your SRA Virtual Appliance can function anywhere in your network with internet access. If you plan to access systems outside of your network, security practices recommend that you place the SRA Virtual Appliance in a DMZ or outside of your internal firewall. Network location considerations are outlined in the table below.
| Network Location | Advantages/Disadvantages |
|---|---|
| Outside your firewall | Does not require that ports 80 and 443 be open inbound for TCP traffic on your firewall. Simplifies the setup process significantly because both consoles and clients are built to resolve to a specific DNS; if your registered DNS resolves to a public IP address directly assigned to your B Series Appliance, no additional setup is required by you to initiate a session. |
| DMZ | May require additional setup depending on your router or routers. |
| Inside your firewall | Requires port forwarding on your firewall and possibly additional setup of your NAT routing and internal DNS. |
- Return to the email you received from BeyondTrust Technical Support, and copy the Appliance License Key. In the Deployment Wizard, paste the key into the field.
Note
If for some reason you are unable to provide the Appliance License Key at this time, you can manually enter it later, from the virtual machine console.
- Review your settings and click Finish.
- The SRA Virtual Appliance deploys in the location and with the resources you have specified.
Note
For detailed information about network locations, please see The B Series Appliance in the Network.
First boot
- In the virtual infrastructure client, browse to the VM folder you configured, and locate the new entry for the SRA Virtual Appliance. Right-click on this entry and then select Open Console.
- Click the play button to start booting your BeyondTrust SRA Virtual Appliance.
- After your BeyondTrust SRA Virtual Appliance has finished booting, one or more IP addresses display.
Note
If you were unable to provide the Appliance License Key during deployment, press Enter to start basic configuration. Selection 1 on the next menu screen allows you to manually enter the Appliance License Key. Then exit back to the main screen.
- From a computer on the same network, open a web browser and browse to any of the IP addresses listed, followed by /appliance. If none of the IPs listed are accessible, see Console administration to assign a usable IP address using the console interface. Otherwise, you are done with the VMware portion of the setup and can close the VMware console.
Updated 5 days ago