WIXLIB

BeyondInsightInstallation GuideSECURITY IN CONTEXT

Revision/Update Information: October 2014Software Version: 5.3Document Revision: 0Corporate Headquarters5090 N. 40th StreetPhoenix, AZ 85018Phone: 1 818‐575‐4000COPYRIGHT NOTICECopyright 2014 BeyondTrust Software, Inc. All rights reserved.The information contained in this document is subject to change without notice.No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without theprior written consent of BeyondTrust Software.BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequentialdamages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection withthe furnishing, performance, or use of this material.All brand names and product names used in this document are trademarks, registered trademarks, or trade names of theirrespective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.

BeyondInsight Installation GuideContentsContentsIntroduction . 6Documentation Set for BeyondInsight . 6Contacting Support . 6Telephone . 6All other Regions: . 6Online . 6Preparing for Deployment .7Requirements . 7Mobility Module . 7Cloud Connectors Module . 8Patch Management Module . 8Requirements . 8Windows Server 2012 Overview . 10Installing WSUS Administration Console Using PowerShell . 10Resolving Internal HTTP 500.19 Error . 10Deployment Recommendations . 11Database Recommendations . 11Permissions . 11Installation Permissions . 11Windows Server Settings . 12Roles . 12Installing BeyondInsight . 14Before Running the Installation . 14Migrating from REM . 14SQL Server Database . 14Installing BeyondInsight . 14Configuring BeyondInsight . 15Upgrading Your License . 16Setting up BeyondInsight to use a Fully Qualified Domain Name . 17Configuring Windows Authentication to the Database . 17SQL Server 2012 . 17Changing Database Authentication . 17Retina Network Security Scanner . 18Requirements . 18Activating Central Policy . 18Setting up Retina as a Client . 19Deploying Certificates to Remote Retina Computers . 21Additional Configuration Settings . 21Verify Windows Configuration . 21Verify Port Settings . 21BeyondTrust October 2014Page 3

BeyondInsight Installation GuideContentsVerify IIS Settings . 21Set and Verify NTLM Authentication and Unencrypted Password . 22Verify Central Policy Password . 23BeyondInsight Reporting and Analytics . 24Requirements . 24General Requirements . 24Database Requirements . 25Permissions . 25Permissions Required for BeyondInsight Configuration User . 25Permissions Required for the Web Proxy User . 26Permissions Required for the SSRS Proxy User . 27Permissions Required for the SQL Agent Service Running the Daily Sync Job . 27BeyondInsight Requirements . 27Client Requirements . 27Configure BeyondInsight Reporting and Analytics . 28Updating BeyondInsight Licensing . 30Creating User Groups in BeyondInsight . 30Updating BeyondInsight Reporting . 30PowerBroker for Windows . 31Generating a Certificate . 31Configuring PowerBroker for Windows . 31PowerBroker Servers for Unix & Linux . 33Requirements . 33Generating a Certificate . 33Exporting the BeyondInsight Server SSL Certificate . 33Configuring Keywords . 34Using the BeyondInsight Configuration Tool . 35Migrating REM‐1505 Appliance Data to BeyondInsight . 37Running the Software Removal Tool . 38Command Line Syntax . 38Working with Certificates . 39Working with BeyondInsight Certificates . 39Server Certificate . 39Client Certificate . 40Troubleshooting Tips . 42Creating Certificates . 44Using a Domain PKI for BeyondInsight Communication . 44Prerequisites . 44Requirements . 45Assigning the SSL Web Service Certificate in BeyondInsight . 45Configuring a Client Certificate for PowerBroker for Windows . 46BeyondTrust October 2014Page 4

BeyondInsight Installation GuideContentsConfiguring Auto Enrollment . 47BeyondTrust October 2014Page 5

BeyondInsight Installation GuideIntroductionIntroductionThis guide provides the installation instructions and software requirements for BeyondInsight. Forinformation about its features, benefits, functionality, and basic procedures, see the BeyondInsightUser Guide.The following sections include a list of documentation for the product, and where to get additional productinformation and technical assistance.Documentation Set for BeyondInsightThe complete BeyondInsight documentation set includes the following: BeyondInsight Installation GuideBeyondInsight User GuideBeyondInsight Analytics and Reporting User GuideContacting SupportFor support, go to our Customer Portal then follow the link to the product you need assistance with.The Customer Portal contains information regarding contacting Technical Support by telephone and chat,along with product downloads, product installers, license management, account, latest product releases,product documentation, webcasts and product demos.TelephonePrivileged Account Management SupportWithin Continental United States: 800.234.9072Outside Continental United States: 818.575.4040Vulnerability Management SupportNorth/South America: 866.529.2201 949.333.1997 enter access codeAll other Regions:Standard Support: 949.333.1995 enter access codePlatinum Support: 949.333.1996 enter access port/BeyondTrust October 2014Page 6

BeyondInsight Installation GuidePreparing for DeploymentPreparing for DeploymentReview the following requirements sections to determine if your environment is ready for a BeyondInsightdeployment.Note: Installing BeyondInsight on domain controllers or Small Business Servers is not supported.RequirementsTable 1. BeyondInsight Management Console RequirementsOperating SystemsWindows Server 2008 (32‐bit and 64‐bit)Windows Server 2008 R2 (64‐bit)Windows Server 2012 (64‐bit)Windows Server 2012 R2 (64‐bit)DatabaseMicrosoft SQL Server 2008Microsoft SQL Server 2012Microsoft SQL Server 2014Processor (CPU)Intel Dual Core 2 GHz or equivalentMemory (RAM)8 GB minimum (Requires x64 OS)Hard Drive500 MB required for software installation40 GB (database minimum)NetworkNetwork Interface Card (NIC) with TCP/IP enabledServerMicrosoft .NET Framework 3.5 SP1 (Application Server Role,Windows Process Activation Service Support/HTTP Activation)Microsoft .NET Framework 4.5 (Application Server Role,Windows Process Activation Service Support/HTTP Activation)Microsoft Internet Information Server (IIS) 6.0 or later withASP.Net support (Web Server (IIS) role)ClientAdobe Flash Player 10.0 or laterOracle Sun Java Version 7 Update 11 or later for client side (forNetwork Map to work correctly)Screen Resolution1024 x 768Mobility ModuleFor more information about the Mobility module requirements, refer to the BeyondInsight User Guide.Table 2. Mobility Module RequirementsManagementConsolesBeyondInsight 2.0 or laterServerBlackBerry Enterprise Server 5.0.3 with BlackBerryAdministration ServiceMicrosoft Exchange 2010 SP1BeyondTrust October 2014Page 7

BeyondInsight Installation GuidePreparing for DeploymentCloud Connectors ModuleFor more information about the Cloud Connectors module requirements, refer to the BeyondInsight UserGuide.Table 3. Cloud Connectors Module RequirementsManagementConsolesBeyondInsight 2.0 or laterVM targetsVMWare Tools must be installed to scan the target.Patch Management ModuleFor more information about the Patch Management module requirements, refer to the BeyondInsight UserGuide.Table 4. Patch Management Module RequirementsManagementConsolesBeyondInsight 2.0 or laterInstallation Notes Installing the Patch Management module on domain controllers or Small Business Servers is not supported.BITS and Microsoft WSUS Client must be enabled on all clients.The Patch Management module is deployed when you install BeyondInsight. Ensure that you apply theappropriate license. Contact your BeyondTrust representative.RequirementsWindows Server 2012 WSUS Installation Requirements IIS Windows PowerShell .NET Framework 4.5 Features Microsoft Report View Redistributable ils.aspx?id 3841Windows Server 2012 R2 RequirementsAdd the following registry key and restart the WSUS Certificate Server service and WSUS Service.HKEY LOCAL MACHINE\SOFTWARE\Wow6432Node\Microsoft\Update Services\Server\SetupCreate DWORD value: EnableSelfSignedCertificates 1BeyondTrust October 2014Page 8

BeyondInsight Installation GuidePreparing for DeploymentWSUS Requirements Ensure the WSUS console version installed on the BeyondInsight server matches the console versionon any WSUS server that connections will be made to.Mixed WSUS EnvironmentsReview this section if you plan to use the Patch Management module or the SCCM feature.The fundamental challenge with mixed scenarios with different operating systems has to do with the WSUSAPI version.To support local publishing activities (basically anything involving putting a third‐party update into theWSUS database), both the WSUS Console version of the BeyondInsight server and the version of WSUSinstalled on the WSUS server must be same.Otherwise, the Third Party Patch Service returns the following error message and no Third Party Updateswill be available for approval and installation.Message: Failed to publish packageName. Publishing operation failed becausethe console and remote server versions do not match.Currently there are three supported production versions of WSUS that can contribute to this situation. WSUS v3.2 ‐ runs on Windows Server 2003, 2008, and 2008R2WSUS v6.2 ‐ runs on Windows Server 2012WSUS v6.3 ‐ runs on Windows Server 2012 R2ResolutionEnsure all WSUS servers and BeyondInsight servers have the same WSUS patches installed.To check the WSUS patches installed on a server:1. Log on to the server you need to check.2. If you are running Windows Server 2003, find the patches in Add or Remove Programs:a. Open Control Panel Add or Remove Programs.b. At the top of the window, select Show updates.c. Scroll to Windows Server Update Services.d. Note the KB numbers (in parentheses) at the end of each "Hotfix" entry.3. If you are running Windows Server 2008, find the patches in Programs and Features:a. Open Control Panel Programs and Features.b. In the left pane, click View installed updates.c. Scroll to Windows Server Update Services.d. Note the KB numbers (in parentheses) at the end of each entry.BeyondTrust October 2014Page 9

BeyondInsight Installation GuidePreparing for DeploymentWindows Server 2012 OverviewReview the following articles to learn more about how Windows Server 2012 and WSUS work together. WSUS on Windows Server 2012 ry/hh852345.aspxDeploy Windows Server Update Services in Your ibrary/hh852340.aspxDifference between WSUS 3.2 and WSUS d‐wsus‐40Installing WSUS Administration Console Using PowerShell1. Open a Windows PowerShell console as an administrator.2. Execute the following command:Install-WindowsFeature -Name UpdateServices-UiThis command installs the c

Windows Server 2012 is a 64‐bit only Operating System. When WSUS is installed, suscomp.dll