Pam Uvm
Pam Uvm
User Guide
Revision/Update Information: July 2017
Software Version: UVM Appliance 2.3
Revision Number: 0
CORPORATE H EADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright © 2017 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another
language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or
consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other
legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names
of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned
in this document.
Contents
Contents
Contents 3
Introduction 6
Contacting Support 7
Access BeyondInsight 8
Profile Settings 17
Updating Product Serial Numbers 17
Purging Appliance Data 18
Resetting Administrator Passwords 18
Appliance Health 24
Health Dashboard 24
Monitoring Services and Hardware 24
Checking Services 25
Configuring Counters for Performance Metrics 26
Configuring Notifications 28
Sending Alerts to BeyondInsight 29
Viewing Notifications 31
Configuring Roles 32
Using Role Templates 32
Saving Role Configuration 32
Retina Scanner Role Settings 32
Event Collector Role 32
SQL Server Database Roles 33
Database Access 33
Patch Management Role 33
PowerBroker Password Safe Roles 33
On the Primary Server 33
On the Secondary Server 34
BeyondInsight Analytics and Reporting Roles 34
Analysis Services Role Settings 34
Reporting Services Role 34
Turning on Auto Update 34
Enterprise Update Server Role Settings 35
BeyondTrust Updater Role Settings 35
UVM Recovery 51
Introduction
This guide provides information on UVM20 and UVM50 appliances, virtual appliances, and diagnostics information.
This guide is intended for network security administrators responsible for protecting their organization's computing
assets. A familiarity with networking and security concepts is needed.
FCC Certification
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15
of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when
the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio
frequency energy and, if not installed and used in accordance with the manufacturer’s instruction manual, may
cause harmful interference with radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference, in which case you will be
required to correct the interference at your own expense.
Standards Compliance
UVM has been tested and verified to comply with the applicable sections of the following standards:
• FCC Emissions
• Binational standard, UL-1950/CSA-C22.2 No. 950-95: Safety of Information Technology Equipment
Warranty Invalidation
This warranty is void in the event that:
• the appliance is damaged due to accident, abuse, misuse, problems with electrical power, modifications or
servicing not authorized by BeyondTrust and/or the appliance manufacturer, or failure to operate in
accordance with the appliance instructions;
• serial tags, receiving numbers, product stickers or manufacturer seals have been removed, altered or
tampered with;
• the appliance is opened for any reason;
• the appliance is damaged due to improper or inadequate packaging when returned for repair or replacement;
Contacting Support
For support, go to our Customer Portal then follow the link to the product you need assistance with.
The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along
with product downloads, product installers, license management, account, latest product releases, product
documentation, webcasts and product demos.
Telephone
Privileged Account Management Support
Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040
Online
http://www.beyondtrust.com/Resources/Support/
Access BeyondInsight
For more information about using BeyondInsight, refer to the BeyondInsight product documentation.
To log on to BeyondInsight:
1. Open a web browser, and then enter the URL to access BeyondInsight.
https://[BeyondInsight server name]/eEye.RetinaCS.Server
The SSL certificate warning window displays. The SSL certificate automatically created for the UVM ensures
encrypted communications.
To avoid the warnings, install the SSL certificate through the web browser or obtain a valid certificate from a
certificate authority. Or, select the check box to not display the information page again.
The Internet Explorer warnings will be displayed until the SSL certificate is installed or a valid certificate is
obtained.
The BeyondInsight Login page displays.
2. Enter your user name (btadmin) and the password you created in the configuration wizard, then click Login.
The BeyondInsight console displays.
administrator password. Select the Show IP option to view the IP address. Hold the and arrows
simultaneously on the UVM LCD panel. A random password is generated. Press to accept the changed
password.
– Buttons on LCD Panel – Turn off to disable all the LCD panel buttons.
3. Click Update LCD Panel Settings.
Export Settings
To allow appliance settings such as IP address and administrator password to be set by inserting a USB drive into the
appliance.
To turn on settings for the LCD Panel on the appliance:
1. Select General Settings from the Maintenance menu.
2. Click to turn on Appliance settings to be imported and exported onto removable storage.
3. Click Update Export Settings.
FIPS
To turn on settings for the LCD Panel on the appliance:
1. Select General Settings from the Maintenance menu.
2. Enter password.
3. Drop the zip file.
4. Click Generate the Uploaded Key.
3. Click Submit.
2. To regenerate the SSL certificate to match the appliance network name, click Generate Certificate. The
certificate will not be trusted by the client browser.
3. To export the client certificate, enter the password for the certificate and then click Export Certificate.
Profile Settings
Updating Product Serial Numbers
Note that on the Appliance Profile page you can review your licensed components. If components are not showing
as licensed you might need to refresh the BeyondInsight database cache to ensure the most recent license is
applied. See Clearing the BeyondInsight Cache.
To update the appliance serial number:
1. Select Profile from the Maintenance menu.
2. You can either retrieve the serial numbers and validate the license key automatically using your Internet
connection or enter this information manually:
– Automatically Retrieve Product Serial Numbers - Enter your email address and Client Portal password
and click Retrieve Keys. Select the appropriate serial numbers from the list when populated and click
Update Serial.
– Manually Enter Product Serial Numbers - Enter the serial number provided when you purchased the
product. To access your serial number, log on to the Client Portal, and select Product Licensing >
Managing Your Serial Numbers. Click Get Offline License and follow instructions on obtaining the license
key offline. Manually enter the license key once it is received.
3. To erase the database and user configuration data from the appliance, click Wipe Appliance. The configuration
data and events are purged.
Configuring RDP
RDP access is turned off by default. RDP access is not required for daily use regardless of licensing or roles.
BeyondTrust Technical Support can turn on RDP access for troubleshooting.
To track RDP and 2-Factor activities, there are audit log entries in the Security Event logs.
1. Select Network and RDP Settings from the Maintenance menu.
2. Select the Enable Remote Desktop box.
3. Select 2-Factor required to turn on the settings to use two-factor authentication when using remote desktop.
Note that if you want to disable the 2-Factor authentication the temporary password from BeyondTrust is
required. After you enter the password, the 2-Factor Required box is cleared.
You need a password to access the UVM remotely. BeyondTrust Technical Support will generate a time-limited
password for you.
Proxy Settings
Configure a proxy server if access to the Internet is required.
To use a proxy server:
BITS Throttle
1. Select Network & RDP Settings from the Maintenance menu.
2. Drag the slider to the level of throttling.
3. Click Update BITS Throttling Setting.
5. Enter the user name. This is the user account that is used to log on to the RADIUS server.
Note: The RADIUS user account password must match the appliance Administrator password.
6. Click Update Settings.
Appliance Health
On the Diagnostics pages, you can keep track of appliance services, hardware faults, and performance metrics.
Note: If you are using your SQL Server deployment (not the SQL Server version that ships with the appliance),
then the SQL Server metrics are not displayed on the Health dashboard.
Health Dashboard
View dynamic, live appliance metrics including:
• CPU usage
• SQL Server CPU usage
• SQL Server memory
• Used disk space on the C: drive. Note that on a UVM50 additional drives are displayed (O, N, and M).
• Services running and stopped
• Services – Periodically checks the running state of the services to make sure that they are in the expected
state, considering the current roles that are set. Additionally, alerts are indicated when the service control
manager raises errors. Errors reported are typical error messages on services such as, services failing to start
or services terminating unexpectedly.
• Hardware events – Any of the alerts that are raised by Dell OpenManage monitoring software.
To turn on alerts for services or hardware:
1. Select Diagnostics from the menu.
2. Select Appliance Health from the menu.
3. Click the box to turn on the setting.
Checking Services
You can view, start, and stop appliance services.
To view appliance services:
1. Select Diagnostics from the menu.
2. Select Appliance Health from the menu.
The icons indicate the following:
4. By default, there are four base counters listed: SQL Server Memory Percentage, CPU Overall Usage, SQL
Server CPU Usage, and Disk Free. Select additional counters from the list, and then click Add to List.
Configuring Notifications
Notifications can be set for the following types of events:
• Health monitoring – Includes performance thresholds, service alerts, hardware alerts, and daily performance
summaries.
• High availability monitoring – Includes failover, connections, no partner alerts, and off state.
• High availability mirror change – Includes suspend and resume activities on SQL mirroring.
• Backup monitoring – Includes back up success and failure alerts, and restore success.
To configure email notification:
1. Select Diagnostics from the menu.
2. Select Configure Notifications from the menu.
a. If the remote server is another UVM appliance, log on to the appliance web site for that appliance.
b. Select Security Settings from the Maintenance menu.
c. Enter a password and click Export.
d. Import the certificate on the local UVM. See Uploading SSL Certificate.
e. On the Health tab, select the certificate from the list.
If the remote server is a software install of BeyondInsight, use the BeyondInsight Configuration Tool to
create and export the certificate.
4. Click Apply Updated Settings.
You must also create a connector from the BeyondInsight management console.
To create the connector:
1. Log on to BeyondInsight.
2. Click the Configure tab, and then select Connectors.
3. Click + and select Syslog Event Forwarding.
4. Enter the details for the UVM appliance, including IP address, protocol, and facility.
5. Select the Appliance Health check box.
By default all severity levels are included. Select an alternate level if needed.
Viewing Notifications
A notifications icon is displayed on the Diagnostics page.
After notifications are received, a number is displayed that indicates the number of notifications. Click the icon to
view more information about the notifications, as shown:
The bar next to the notification indicates severity. See the following table for descriptions.
Color Legend
Info
Low
Medium
High
Configuring Roles
Select Appliance Roles if you are deploying more than one UVM to scale BeyondInsight in larger networks.
Roles must be selected for at least one of the UVM appliances.
When you are selecting roles, any dependencies or conflicts that might exist between roles will be displayed. The
Apply Roles button is only available after dependencies or conflicts are resolved.
Database Access
Provides access to the BeyondInsight database. You can set either a local SQL Server database or configure settings
for a remote database.
Note on Encryption
If you are using Password Safe, all credentials are stored in the database using AES 256 using RijndaelManaged
crypto provider. When FIPS is used, all UVM credentials stored in the database are encrypted using Triple DES
crypto provider.
– Failed Notification Rate – Provides notification after your active appliance has failed over. If you are using
Medium Failover Mode, the email indicates that action is required on your part. The default value is 15
minutes.
– Queue File Synchronization – Click to start a file synchronization.
You can set the formatting of the requested return value in the Content-Type request header.
For example, to get JSON, you can specify:
Content-Type: application/json;charset=UTF-8
The available values for Role are:
Off - High Availability is not turned on.
Active - UVM is in Active mode.
Passive - UVM is in Passive mode.
Testing HA Failover
Note: The Attempt Auto-Resync setting is a quick way to restore high availability in a scenario where databases
on the active and passive servers are synchronized. It is not recommended for a production failover
scenario. Data loss can occur if databases are not synchronized.
To test failover:
1. Select the Attempt Auto Resync of Database When Connecting After Failover.
2. Unplug or power off the active server.
3. Wait for failover. Check that the passive is now the active.
4. Restore the active (turn on or plug in).
5. The auto re-sync should restore high availability configuration.
6. Note that the passive server will be acting as the active. Click the Switch Roles button to restore the server
partners to their original roles.
Recognizing a Failover
Review the following to help you determine if a failover has occurred.
• In appliance v. 1.5.4 and later, an email is sent to the address set in the configuration wizard.
If you are using an appliance version earlier than 1.5.4, you can contact BeyondTrust Technical Support to
activate the email feature.
• If you are not using a load balancer, you might notice that BeyondInsight is no longer responsive on the active
server.
• On the Diagnostics web site (for the primary), only two tabs are displayed. This indicates the server is in Passive
mode.
• Confirm the passive server is in Active mode.
Disaster Recovery
If you are using High Availability as a disaster recovery solution, review the following points as a guide to restoring
roles.
• Determine if the active server failed. Confirm the role of your live server (or the “primary” server).
• If a failure occurred on the primary, investigate and resolve issues on the primary.
• After a failover to the disaster recovery server (or the “secondary”), you can restore roles on the appliance
web site from the Active server.
Scheduling a Backup
To schedule a backup:
1. Select Backup and Restore from the Maintenance menu.
2. Select the day of the week and time to run the backup.
3. Enter the password for the .zip file.
4. Enter the information for the remote share where the .zip file will be saved.
5. Click Schedule Backup.
3. After the backup is uploaded, enter the password and click Restore Appliance.
UVM Recovery
This section applies to UVM20 and UVM50 appliances.
Use the recovery procedure to rebuild your UVM.
All information saved or configured on the UVM will be lost.
There is no way to recover this data.
4. On the Advanced Boot Options screen, press Enter to choose Repair Your Computer.
5. Click Troubleshoot.
6. Click Reset Your PC.
7. Enter Drive password for ID which is displayed and click Continue.
8. Click Next.
9. (UVM50 Only). Select All drives.
10. Click Just remove my files.
15. All products will update to the most recent version on the Public Update Server. Click Next when Auto Update
is finished. All updates are now complete.
16. Enter the license key for Windows. Then enter the license key for SQL Server.
17. For the final stage of preparation, run Prepare For Shipping.bat.
All temporary and setup files are removed; Windows and SQL Server are licensed.
You are now ready to configure your appliance. See Configuring Your UVM Appliance.
4. Network configuration can be Static or Dynamic depending on the environment/needs but would be
configured just as a normal adapter is configured.
To install the required driver within a Windows 2012 R2 guest operating system:
1. Download ProWinx64 from Intel located here: http://downloadmirror.intel.com/18718/eng/PROWinx64.exe
Use 7zip to extract contents to a temp folder.
2. Right-click the network adapter and click Update Driver Software.
3. Click Browse my computer for driver software.
4. Click Let me pick from a list of device drivers on my computer.
5. Click Have Disk.
6. Click Browse.
7. Browse to temp location driver files were extracted to.
8. Click Next to install the driver.
9. Repeat Steps 2-8 for each network adapter you have for the virtual machine.
10. After all the adapters are updated, run the PROWinx64.exe file, rather than extracting it. You should now be
able to install the Advanced Network Services software with VLANs.
There will now be a new network adapter displayed under Network Connections for each VLAN created.
8. Network configuration can be Static or Dynamic depending on the environment or your requirements but
would be configured just as a normal adapter is configured.
Configuring iDRAC
You can use the iDRAC tool to remotely manage your UVM appliance (UVM20 or UVM50). Configuring iDRAC is
optional.
For more information about configuring iDRAC, refer to Dell product documentation.
1. At startup, press F2 to enter the Setup menu.
2. Select iDRAC Settings.
3. Select Network.
4. Set "Enable NIC" to Enabled.
5. Configure IP address settings as per your Network Administrator (DHCP/Static).
Setting NIC selection to Dedicated only allows the physical iDRAC port on the back to be used for iDRAC
communication. Setting it to another port will allow it to share the same physical connection.
6. Save your settings.
If using DHCP IP configuration, watch for the iDRAC IP address to be displayed at start up and record this for future
use.
Open a browser and enter the IP address associated with the iDRAC port. Use the default logon credentials:
User: root
Password: calvin
Requirements
• The BeyondInsight version on the cold spare must be the same or greater than the version on the source
appliance.
• It is recommended that both appliances turn on the Auto Updates role.
• Ensure the cold spare is receiving updates so that it matches the source appliance.
• For Analytics and Reporting, ensure SQL Server versions match on both appliances.
• The source and spare appliances need the same name.
Note: If the SQL Server database is remote, the data will not be copied to the cold spare.
5. Set scheduling information, including the day of the week and time. The cold spare retrieves the information
from the backup file at this time. When the cold spare starts up the data from the last backup file retrieved is
used.
6. Enter a restore password.
7. Provide a temporary machine name.