Platforms and versions that have been tested with the web management console follow.
The Appliance Administrator responsible for racking and initial configuration of the appliance can create the virtual appliance, launch the Safeguard web management console, and select one of the following wizards.
Support Kiosk: The Support Kiosk is used to diagnose and resolve issues with Safeguard for Privileged Passwords. Any user able to access the kiosk can perform low-risk support operations including appliance restart or shutdown and support bundle creation. In order to reset the admin password, the user must obtain a challenge response token from One Identity support. For more information, see Support kiosk.
To maximize security in the absence of a hardened appliance, restrict the access to the Safeguard virtual disks, the web management console, and the MGMT interface to as few users as possible. Recommendations:
Once setup is completed, you can verify which of your NICs is MGMT and X0 by referring to the MAC address information found in Support Kiosk | Appliance Information | Networking for X0 and MGMT. For more information, see Support kiosk.
To protect the security posture of the Safeguard hardware appliance, Safeguard hardware appliances cannot be clustered with Safeguard virtual appliances. Backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance. For more information, see Virtual appliance backup and recovery.
There is a web management console running on 192.168.1.105. When you connect to the virtual appliance via the virtual display, the web management console is displayed automatically; however, upload and download functionality is disabled when connected this way.
You may choose to configure the networking of your virtual machine infrastructure to enable you to proxy to https://192.168.1.105 from your desktop. Connecting in this way will enable you to upload and download from the web management console.
CAUTION: Cloning and snapshotting are not supported and should not be used. Instead of cloning, deploy a new VM and perform Initial Setup. Instead of snapshotting, take a backup of the virtual appliance.
The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future.
Once set up, the Appliance Administrator can change the appliance name, license, and networking information but not the appliance identity (ApplianceID). The appliance must have a unique identity.
The steps for the Appliance Administrator to initially set up the virtual appliance follow.
Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.
Hyper-V zip file import and set up
If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to set up the virtual appliance. Follow these steps to unzip the file and import:
Unzip the Safeguard-hyperv-prod... zip file.
From Hyper-V, click Options.
On the Locate Folder tab, navigate to and specify the folder containing the virtual machine to import, then click Select Folder.
On the Locate Folder tab, click Next.
On the Select Virtual Machine tab, select Safeguard-hyperv-prod... then click Next.
Initiate access using one of these methods:
Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation, then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMware). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 3.
IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.
Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.
Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes.
If KMS is not registered with DNS, enter the network IP address of your KMS server.
Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.
You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing.
You can go to the virtual appliance's IP address for the X0 (public) interface from your browser to log in and download the desktop client or use the web client.
For security reasons, change the password on the Bootstrap Administrator User.
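The IMPORTANT note in the setup steps above calls for confirming that the imported OVA has no USB controller. The following added example (not One Identity code) inspects the OVF descriptor inside an OVA before import. It assumes the descriptor uses standard CIM hardware items, where ResourceType 23 denotes a USB controller. The sample descriptor is constructed for illustration.

```python
import tarfile
import xml.etree.ElementTree as ET

# CIM namespace used for hardware items in an OVF descriptor.
RASD = "{http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData}"
USB_CONTROLLER = "23"  # CIM ResourceType value for a USB controller

# Constructed sample descriptor (not taken from the Safeguard OVA).
SAMPLE_OVF = b"""<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">
 <VirtualSystem><VirtualHardwareSection>
  <Item><rasd:ElementName>Network adapter 1</rasd:ElementName>
        <rasd:ResourceType>10</rasd:ResourceType></Item>
  <Item><rasd:ElementName>USB Controller</rasd:ElementName>
        <rasd:ResourceType>23</rasd:ResourceType></Item>
 </VirtualHardwareSection></VirtualSystem>
</Envelope>"""


def usb_controllers_in_ovf(ovf_xml):
    """Return the ElementName of every USB controller item in an OVF descriptor."""
    found = []
    for item in ET.fromstring(ovf_xml).iter():
        # A hardware item carries its type in a direct rasd:ResourceType child.
        rtype = item.find(RASD + "ResourceType")
        if rtype is not None and (rtype.text or "").strip() == USB_CONTROLLER:
            found.append(item.findtext(RASD + "ElementName", "(unnamed)").strip())
    return found


def usb_controllers_in_ova(ova_file):
    """An OVA is a tar archive: read its .ovf member(s) without extracting to disk."""
    found = []
    with tarfile.open(fileobj=ova_file, mode="r:*") as tar:
        for member in tar:
            if member.isfile() and member.name.lower().endswith(".ovf"):
                found += usb_controllers_in_ovf(tar.extractfile(member).read())
    return found


if __name__ == "__main__":
    # For a real file: usb_controllers_in_ova(open("<path to .ova>", "rb"))
    print("USB controllers found:", usb_controllers_in_ovf(SAMPLE_OVF) or "none")
```

A hypervisor can still add a controller during import, so an empty result here does not replace checking the imported VM before powering it on.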
From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.
An Appliance Administrator triaging a virtual appliance that has lost connectivity or is otherwise impaired can use the support kiosk even when the virtual appliance is in quarantine.
This is read-only. You can re-run setup to change networking information.
The Bootstrap Administrator is a built-in account to get the appliance running for the first time. The default credentials (admin/Admin123) should be changed once Safeguard is configured. If you lose the password, you can reset it to the default using the challenge response process below.
Click Reset Password.
Create the support bundle using one of these methods:
Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering as well as other internal challenges. The appliance diagnostics package is available from the web support kiosk, not the serial kiosk. The appliance diagnostics package can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria which may include the minimum Safeguard version, appliance ID, and expiration timestamp UTC. New product code and database changes are not included in an appliance diagnostics package.
Factory Reset (hardware appliance)
Perform a factory reset to recover from major problems or to clear the data and configuration settings on a hardware appliance. All data and audit history is lost and the hardware appliance goes into maintenance mode. For more information, see Performing a factory reset.
Use the following information to back up and recover a Safeguard for Privileged Passwords virtual appliance. Factory reset is not an option for virtual appliances. To factory reset a virtual appliance, just redeploy the appliance.
To ensure security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.
Backup is handled via Administrative Tools | Settings | Backup and Retention.
A Safeguard for Privileged Passwords virtual appliance is reset by using the following recovery steps.