• Does the eEyeEmsCA exist on both the agent and the server? Make sure the certificate on the agent has the same serial number as the certificate on the BeyondInsight server. To view the serial number, double-click the certificate in the certificate manager.
• Was the eEyeEmsCA certificate regenerated or removed? Regenerating or removing the eEyeEmsCA certificate invalidates any certificate that was generated using the old CA certificate. This breaks the communication between the agents and the server until the client and server certificates are regenerated on the server and the new client certificate is deployed on all agents connecting to BeyondInsight.
• Did the Central Policy password change? If you change the Central Policy password using the BeyondInsight Configuration Tool, the password change is not automatically applied to EmsClientCert.pfx.
  If you change the Central Policy password and then deploy Privilege Management Endpoint Protection Platform on a target, the package includes the certificate with the old password. In this scenario, the events communication will not be successfully configured on the target. Using the BeyondInsight Configuration Tool, generate a new client certificate with a new password that matches the Central Policy password.
Use a Domain PKI for BeyondInsight Communication
If you choose to create a custom certificate, keep in mind the following considerations:
• You can modify templates using the Certificate Templates Console (certtmpl.msc).
• The default Computer template meets the requirements for BeyondInsight communication. However, to update any particular BeyondInsight configuration settings, you must copy the Computer template and make your changes in the copy.
• To issue the new template, use the certsrv.msc snap-in.
For detailed procedures on creating a custom domain certificate, please see Microsoft's documentation.
Prerequisites
• Domain member server with Active Directory Certificate Services installed and configured.
• Certificate Authority Web Enrollment role installed.
Requirements
• The certificates must be configured as Server Authentication and Client Authentication in the Intended Purposes section of the certificate.
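The serial-number comparison from the troubleshooting list and the Intended Purposes requirement above can both be checked from PowerShell. The following is an added example, not BeyondTrust code; it assumes that "eEyeEmsCA" appears in the CA certificate's subject and that PowerShell remoting is enabled, and the host names and thumbprint are placeholders.

```powershell
# Added example, not BeyondTrust code. Assumptions: "eEyeEmsCA" appears in the
# CA certificate's subject, PowerShell remoting is enabled, and the host names
# and thumbprint below are placeholders to replace.
$Server     = 'bi-server.example.test'       # placeholder: BeyondInsight server
$Agent      = 'agent01.example.test'         # placeholder: agent host
$Thumbprint = '<THUMBPRINT-OF-CUSTOM-CERT>'  # placeholder: certificate to check locally

$findCa = {
    # Search every LocalMachine store so no particular store is assumed.
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                       $_.Subject -like '*eEyeEmsCA*' } |
        Select-Object Subject, SerialNumber, NotAfter,
            @{ Name = 'Store'; Expression = { ($_.PSParentPath -split '\\')[-1] } }
}

$serverCa = @(Invoke-Command -ComputerName $Server -ScriptBlock $findCa)
$agentCa  = @(Invoke-Command -ComputerName $Agent  -ScriptBlock $findCa)

if ($serverCa.Count -eq 0 -or $agentCa.Count -eq 0) {
    Write-Warning "eEyeEmsCA not found (server: $($serverCa.Count), agent: $($agentCa.Count))."
} else {
    $serverSerials = @($serverCa.SerialNumber | Sort-Object -Unique)
    $agentSerials  = @($agentCa.SerialNumber  | Sort-Object -Unique)
    $diff = Compare-Object -ReferenceObject $serverSerials -DifferenceObject $agentSerials
    if ($diff) {
        Write-Warning 'eEyeEmsCA serial numbers differ between server and agent:'
        $diff | Format-Table InputObject, SideIndicator
    } else {
        Write-Output "eEyeEmsCA serial matches: $($serverSerials -join ', ')"
    }
}

# Requirement check: both intended purposes (EKU OIDs) must be on the certificate.
$required = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
$cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $Thumbprint on this host."
} else {
    $present = @($cert.EnhancedKeyUsageList.ObjectId)
    foreach ($oid in $required.Keys) {
        if ($present -notcontains $oid) {
            Write-Warning "Missing intended purpose: $($required[$oid]) ($oid)"
        }
    }
}
```

A certificate with no Enhanced Key Usage extension is reported as missing both purposes, so confirm the result against the Intended Purposes shown in the certificate manager.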
©2003-2020 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository
institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC: 2/12/2021
BEYONDINSIGHT
INSTALLATION GUIDE 7.2