
Hi All, I'm planning to design an active/active deployment for BeyondTrust Password Safe. If I'm not mistaken, active/active deployment requires 3 UVMs and also an external SQL server with AOAG. I have a few questions that need clarification.

  1. During the configuration wizard for all 3 UVMs, should I tick “Enable services-Only High availability” for all 3 appliances?
  2. How about the features selection? That part is a bit confusing actually because there are a few feature selections and I don't know which ones I need to choose specifically for all those 3 UVMs.

Appreciate all your advice on this, as I'm new to exploring the active/active deployment for Password Safe. Thanks

As far as what to select, I’ve always used the questionnaire option and let the appliance decide what I need. It gives me everything except Linux/Unix, EPM, and the session monitoring archive. However, your requirements may be different from mine.

For the second question:

You will want all 3 UVMs to have the same features with one exception. One appliance will be your admin or management appliance and you need to make sure ONLY that appliance has the management feature enabled.

Set up two servers with a load balancer. These two appliances will be end user appliances.

Set the management feature off if it is on.

On your third appliance, do NOT put it in your load balancer and turn these two features on.

If you place all 3 appliances in your load balancer, you will be posting here again asking us why features sometimes show up, and why other times they don’t.

You will also want two URLs. One URL will point to the load balancer and is for the end users. The second URL will point to your standalone appliance and will be used only by those who need to use the admin functions including password rotation, report services, etc. Unless someone needs access to the admin server, you can disable forms auth for everyone not using the admin appliance but forms logon is required for the admin appliance because you only get 1 SAML configuration which will route users to the vault-users URL.

https://vault-users.company.com - Everyone, SAML auth to log in and points to the load balancer

https://vault-admins.company.com - Anyone needing to do admin tasks including manual password rotations. Points to the admin appliance


@rhagerm’s answer is on point.


Features Questionnaire during UVM Deployment and Configuration Wizard clearly explains what the different features do. 

Please note there is a bug while trying to connect to remote BeyondInsight Database using Configuration Wizard. 

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020429

KB says this issue is fixed in Appliance Management 4.1 but I think I was using 4.1 and still faced the issue. Anyway using the latest and greatest might help avoid BT bugs. 


Learnt something new that might be useful to my environment - Disable Forms Login. 

I am going to give it a shot. 

https://docs.beyondtrust.com/bips/docs/pathfinder-configure-saml#disable-forms-login

Thank you very much!
