Install a Linux Gateway | PRA

Linux Gateways can be used for the following session types:

  • RDP
  • SSH/Telnet
  • Database Connections
  • Website
  • VNC

Setup of a Gateway on a remote network is a multi-step process that includes ensuring dependencies are met, configuring from the /login administrative interface, downloading the installer, and running the installation wizard.

Install dependencies

Several Linux libraries must be installed on the Gateway host. Exact requirements depend on the Linux distribution; however, the following libraries are recommended:

  • libopengl0
  • libglx0
  • libxkbcommon-dev
  • libfontconfig
  • libx11 (for X server).
  • libXcomposite
  • libXdamage
  • libXrandr
  • libnetfilter-queue1 or libnetfilter_queue, whichever applies to your distribution
ℹ️

If the Gateway installation fails due to missing libraries, the error message includes information on what is missing.
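A pre-install check for the libraries listed above, as an added example (not BeyondTrust's installer or tooling); the mapping from the page's package names to sonames and the use of ldconfig -p are my assumptions:

```shell
#!/bin/sh
# Added example, not from the BeyondTrust page or installer: report which of
# the recommended Gateway libraries are absent from the dynamic-linker cache
# before running the installer. The soname prefixes below are an assumed
# mapping of the page's package names (libopengl0 -> libOpenGL.so,
# libglx0 -> libGLX.so, libnetfilter-queue1 -> libnetfilter_queue.so); the
# version suffix is distribution-specific, so only the prefix is compared.

GATEWAY_LIBS="libOpenGL.so libGLX.so libxkbcommon.so libfontconfig.so \
libX11.so libXcomposite.so libXdamage.so libXrandr.so libnetfilter_queue.so"

# missing_libs CACHE_TEXT SONAME...: CACHE_TEXT is the output of `ldconfig -p`.
# Prints one line per soname that has no entry in the cache.
missing_libs() {
    cache="$1"
    shift
    for want in "$@"; do
        # Cache lines look like "<tab>libX11.so.6 (libc6,x86-64) => /lib/...".
        # Strip the version suffix from the first field and compare
        # case-insensitively, since X sonames mix cases (libXrandr vs libxrandr).
        if ! printf '%s\n' "$cache" | awk -v want="$want" '
            $1 ~ /^lib/ {
                name = $1
                sub(/\.so.*$/, ".so", name)
                if (tolower(name) == tolower(want)) found = 1
            }
            END { exit (found ? 0 : 1) }'; then
            printf '%s\n' "$want"
        fi
    done
}

# check_gateway_host: run the check against this host's linker cache.
# Returns 1 and lists the gaps if anything is missing, so the check can
# gate an automated install.
check_gateway_host() {
    missing=$(missing_libs "$(ldconfig -p 2>/dev/null)" $GATEWAY_LIBS)
    if [ -n "$missing" ]; then
        printf 'Missing recommended libraries:\n%s\n' "$missing" >&2
        return 1
    fi
    echo "All recommended Gateway libraries are present."
}

case "${1:-}" in
    --run) check_gateway_host ;;
esac
```

Run it as `sh check-gateway-libs.sh --run` on the intended Gateway host; a non-zero exit lists the sonames to install first.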

To use Website sessions, install an X server and the X dummy driver. For example:

Ubuntu:

apt install xserver-xorg-video-dummy

CentOS:

yum install xorg-x11-drv-dummy

Configure /etc/X11/Xwrapper.config, creating the file if it does not exist, with the following contents:

allowed_users=anybody
needs_root_rights=no

For more information about X servers, see What is X11? or other online resources.

Install dependencies for Gateways on an Azure Ubuntu Linux environment

Users can create Kubernetes (K8s) Assets that are fully compatible with Azure Kubernetes Service (AKS) endpoints, allowing secure and streamlined access to AKS clusters through Assets.

Before installing a Gateway on an Azure Ubuntu Linux environment, ensure the following library files are installed:

  • libGLX0
  • libOpenGL
  • libEGL.so.1
  • libfontconfig.so.1
  • libatk-1.0.so.0
  • libatk-bridge-2.0.so.0
  • libcups.so.2
  • libXcomposite.so.1
  • libXdamage.so.1
  • libxfixes3
  • libxrandr.so.2
  • libcairo.so.2
  • libpango-1.0.so.0
  • libasound.so.2
  • libnetfilter-queue-dev
ℹ️

  • This feature is designed for AKS only. Other Kubernetes distributions are not supported.
  • For troubleshooting, verify that all required libraries are installed and that the Gateway has network access to the AKS cluster.

Understand clustered Gateways

Before configuring a Gateway, it is important to understand the difference between clustered Gateways and stand-alone Gateways, because they have different feature sets and because a clustered Gateway cannot be converted to stand-alone, nor a stand-alone Gateway converted to clustered. A clustered Gateway allows you to install up to ten redundant nodes of the same Gateway on different host systems in the same local network.

A clustered Gateway is available as long as at least one of the installed nodes is online. This provides redundancy, preventing the failure of all Assets associated with the failure of a single, stand-alone Gateway, and improves load balancing across the system.

All configuration of clustered Gateways is done in /login, with no local configuration available on the local host either during or after the installation. This means that if you install a clustered Gateway, selecting the BeyondTrust Gateway Configuration item on the start menu of the Gateway host does not result in a configuration window, and only an About box is shown. Editing a clustered Gateway in /login loads the same configuration page that was used to create the Gateway.

Configure

  1. From the administrative interface, go to Asset Management > Gateway.
  2. Click Add.
  3. Create a unique name to help identify this Gateway. This name should help users locate this Gateway when they need to start a session with a computer on the same network.
  4. Set a code name for integration purposes. If you do not set a code name, PRA creates one automatically.
  5. If you have a Password Safe integration, and the Gateway for External Asset Sessions selection is set to Automatically Selected by External Asset Network ID, on the /login Security page, enter the External Asset Network ID. This value is equivalent to the Workgroup attribute for managed systems in Password Safe. It is matched against the Network ID property of external Assets returned by the Endpoint Credential Manager to determine which Gateway handles the session.
  6. Add comments to help identify this Gateway.
  7. Select Linux for the Gateway Platform. Once the Gateway has been created, this option cannot be changed.
  8. Leave the Disabled box unchecked.
  9. Check the Clustered box, if appropriate. Once the Gateway has been created, this option cannot be changed.
ℹ️

  • A clustered Gateway allows you to install up to ten redundant nodes of the same Gateway on different host systems on the same local network. If this option is selected, the Gateway will be available as long as at least one of the installed nodes is online. This provides redundancy, preventing the failure of all Assets associated with the failure of a single, stand-alone Gateway, and improves load balancing across the system. All configuration of clustered Gateways is done in /login, with no local configuration available during the install. Once created, a clustered Gateway cannot be converted to stand-alone, nor a stand-alone Gateway converted to clustered.
  • Linux Gateways can only be used for RDP, Website, VNC, Database Connection, and SSH/Telnet sessions, allowing for credential injection from user or vault, as well as RemoteApp functionality and Shell filtering. Clustered Gateways can only add new nodes of the same OS. You cannot mix Windows and Linux nodes.
🚧

Important information

Gateway cluster nodes must be installed on hosts residing in the same local area network.

  10. If you want users to be able to connect to SSH-enabled and Telnet-enabled network devices through this Gateway, check the Enable SSH Method option.
  11. If the Enable Database Connection Method option is checked, users may make connections from their systems to remote endpoints through these types of Gateway. If Network Connection is enabled on your system, then when Enable Database Connection Method is checked, there is an option to enter Managed IP Addresses for Database Connection. You can enter multiple IP address ranges. This allows using the Network Connection feature on networks without DHCP.
  12. Under RDP Service Account, select the vault account to be used by the Gateway to run a user-initiated client on the RDP server. This allows you to collect additional event information from an RDP session started with this Gateway. This account is used only if the Remote RDP Asset is configured to enable the Session Forensics functionality. This option is not available for Linux Gateways.
ℹ️

The RDP Service Account setting must not use a local admin account, and must use a domain admin account with privileges on the endpoint including access to remotely connect to the endpoint's C$ share, remotely create and start services on the endpoint machine, and access remote file systems.

  13. If you check Enable Proxy, you can set up this Gateway to function as a proxy server, allowing it to proxy connections for Assets on the network that do not have a native internet connection, such as POS systems. Using a Gateway as a proxy routes traffic only to the B Series Appliance.
    You can enable Proxy on either a standalone Gateway or a Gateway cluster. If you set up a Gateway cluster as a Proxy, then if an endpoint is connected to one Proxy and that system goes down, the endpoint can connect to another Proxy in the cluster. Proxies are not supported for Atlas deployments.
  14. Optionally, under Proxy Host, you can enter the hostname of the machine on which this Gateway will be installed. Do not start the hostname with http:// or https://. IP addresses are not recommended as they might change. The Gateway will automatically detect the hostname if one is not provided. If this is a clustered Gateway, this field does not appear, and the Gateway will automatically detect the hostname on install. If the hostname changes, you may have to redeploy any Assets that use this Gateway as a proxy.
ℹ️

The proxy host and port should be set carefully, since any Asset deployed using this Gateway as a proxy server uses the settings available at the time of deployment, and those settings are not updated if the host or port later changes. If the host or port is changed, the Asset must be redeployed.

In order for a Gateway to function as a Proxy, its host system cannot reside behind a proxy. The Gateway must be able to access the internet without having to supply proxy information for its own connection.

  15. Under Proxy Port, enter the port through which Assets will connect to this Gateway. If the port changes, you may have to redeploy any Assets that use this Gateway as a proxy.
  16. Check Allow HTTP GET to enable HTTP connections to proxy to the B Series Appliance. This is needed only if you want to use a browser to access /login or /console from behind the proxy.
  17. Under Restriction Type, select No access restrictions to allow Asset connections from any IP address. You can limit allowed connections by selecting Deny access only for the following IP addresses or Allow access only from the following IP addresses, then entering network address prefixes, one per line. Netmasks are optional, and they can be given in either dotted-decimal or integer bitmask format. Entries that omit a netmask are assumed to be single IP addresses.
  18. Under Allowed Users, you may authorize users to start sessions through this Gateway. After you have created the Gateway, you can also grant access to groups of users from Users & Security > Group Policies.
  19. Save the configuration. Your new Gateway now appears in the list of configured Gateways.
ℹ️

Once you have installed the Gateway and started it at least once, PRA populates the table with the hostname of the system it is installed on, as well as with that system's public and private IP addresses. This information can help you locate the Gateway's host system in case you need to change the Gateway's configuration.

Download

Now that your Gateway is configured, you must install the Gateway on a single system in the remote network you wish to access. This system serves as the gateway for sessions with other computers on the remote network. You can either install the Gateway directly on the host or email the installer to a user at the remote system. If this is to be a clustered Gateway, you can add nodes later.

  1. From the table, find the appropriate Gateway and click the link to download the installer file.
  2. If you have access to the system you want to use as the Gateway host, you can run the installation file immediately.
  3. Otherwise, save the file and then email it to the remote user to deploy on the system that will serve as the Gateway host.
ℹ️

  • If you need to change the Gateway's host system, click Redeploy. This uninstalls the Gateway from its current location and sets the download links as available. You can then install the Gateway on a new host. The new Gateway replaces the old one for any existing Assets that are associated with it.
  • The Gateway installer expires 7 days after the time of download.

Install

  1. Once the installer file is on the remote system, use a command interface to install the file and specify any desired parameters. The exact install process depends on the Linux distribution and version, but general steps are provided below.
    • Install the Gateway using --install-dir. You must have permission to write to this location, and the path must not already exist. Any additional parameters must also be specified at this time, as described below.
      sh ./sra-jpt-{uid}.bin --install-dir /home/username/jumpoint
    • If you wish to install under a specific user context, you can pass the --user argument. The user must exist and have rights to the directory where the Gateway is being installed. If you do not pass this argument, the Gateway installs under the user context that is currently running.
      sh ./sra-jpt-{uid}.bin --install-dir /home/username/jumpoint --user jsmith
🚧

Important info

It is not recommended to install the Gateway under the root context. If you attempt to install when the current user is root, you receive a warning message and are required to pass --user to explicitly specify the user that the process will run as.

  2. After the Gateway installs, you must start its process:
      /home/username/jumpoint/init-script start

This init script also accepts the stop, restart, and status arguments. You can use ./init-script status to make sure the Gateway is running.

  3. You must also arrange for init-script start to run at boot in order for the Gateway to remain available whenever the system restarts. An example systemd service is displayed once the Gateway is installed. Copy this information and create the new service for the Gateway, filename.service (where filename is any name you choose), following these steps:
    • cd /etc/systemd/system
    • vi filename.service
    • Paste the copied information.
    • Run chmod 777 filename.service
    • Reload the systemctl daemon.
    • Enable and start the service file:
      • Run sudo systemctl start filename.service to start the service file.
      • Run sudo su - to get to root.
      • Run systemctl enable filename.service to enable the service file, so the Gateway service will automatically start after every reboot.
      • Reboot the Gateway machine.
  4. To remove the files, use the uninstall.sh script included in the installation.
ℹ️

If the Gateway installation fails due to missing libraries, the error message includes information on what is missing.
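The unit file and its installation as a script, as an added example rather than the unit text the installer prints; the install path, service user, unit name and Type=forking are assumptions, and the file is written with mode 0644 because a unit file only needs to be readable (a world-writable unit under /etc/systemd/system can be edited by any local user, which then changes what runs as root at boot).

```shell
#!/bin/sh
# Added example, not the unit file the installer prints: a systemd unit that
# runs the Gateway's init-script at boot, plus the steps that install it.
# Paths, the service user, the unit name and Type=forking are assumptions;
# compare against the unit text the installer shows and prefer that.
set -eu

INSTALL_DIR="${INSTALL_DIR:-/home/username/jumpoint}"   # --install-dir value
SERVICE_USER="${SERVICE_USER:-jsmith}"                   # --user value
UNIT_NAME="${UNIT_NAME:-jumpoint.service}"               # "filename.service"

# render_unit INSTALL_DIR USER: print the unit text to stdout.
render_unit() {
    cat <<EOF
[Unit]
Description=BeyondTrust PRA Gateway (Jumpoint)
After=network-online.target
Wants=network-online.target

[Service]
# Assumed: init-script start backgrounds the daemon and returns.
Type=forking
User=$2
ExecStart=$1/init-script start
ExecStop=$1/init-script stop
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# install_unit INSTALL_DIR USER UNIT_NAME: write the unit, reload, enable.
# 0644 root-owned instead of 777: the unit is read by systemd as root, so
# nobody else needs write access, and a writable unit is a local privilege
# escalation path.
install_unit() {
    unit_path="/etc/systemd/system/$3"
    render_unit "$1" "$2" > "$unit_path"
    chmod 0644 "$unit_path"
    chown root:root "$unit_path"
    systemctl daemon-reload
    systemctl enable --now "$3"
    systemctl status "$3" --no-pager
}

case "${1:-}" in
    --install) install_unit "$INSTALL_DIR" "$SERVICE_USER" "$UNIT_NAME" ;;
esac
```

Run as root with `INSTALL_DIR=... SERVICE_USER=... sh gateway-unit.sh --install`, or run without arguments to only define the functions.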

Clustered Gateway setup: add nodes

The steps for creating a clustered Gateway in /login are the same as for a standalone, except that once you have created the clustered Gateway, you can add nodes to it. At least one node needs to be installed for the Gateway to be online.

Click the Add Node link to download the installer file.

If you have access to the system you want to use as the Gateway host, you can run the installation file immediately.

Otherwise, save the file and then email it to the remote user to deploy on the system that will serve as the Gateway host.

Follow the prompts and install the node. Note that there are no configuration screens. Once installed, the clustered Gateway lists the new node as installed, along with associated information such as its public and private IP addresses and whether the node is online or offline, as well as the total number of nodes installed.

Nodes can be deleted but cannot be individually edited. In the access console, none of the nodes are visible; only the Gateway under which they are installed is visible. Nodes function as redundant connection points. When a user needs to use the Gateway, Privileged Remote Access selects one of the nodes at random. At least one node must be online for the Gateway to work.

Set up a Proxy in public clouds

Cloud environments may not broadcast mDNS by default, which is required for the auto-detection of a Proxy. Below are two workaround methods.

AWS Transit Gateway

Set up an AWS Transit Gateway to provide multicast to the Virtual Private Cloud.

ℹ️

For more information, see Multicast in Amazon VPC Transit Gateways.

Manually edit a Gateway proxy connection

Manually edit the settings.ini file of the Gateway or the settings.ini file of the Jump Client to point to the proxy or proxies.

If you see this line, delete it:

Proxy=DIRECT

If connecting to a standalone Proxy, add these lines:

[Proxy\<your_site>:443\Detected\1]
Proxy="PROXY <host_name_of_jump_zone_proxy_node>:<port_configured_in_login>"

If connecting to a clustered Proxy, each node of the cluster must be defined separately. In case of node failure, fallback will occur in this order. Add these lines:

[Proxy\<your_site>:443\Detected\1]
Proxy="PROXY <host_name_of_jump_zone_proxy_node>:<port_configured_in_login>"
[Proxy\<your_site>:443\Detected\2]
Proxy="PROXY <host_name_of_jump_zone_proxy_node>:<port_configured_in_login>"
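Applying the settings.ini edit described above with a script, as an added example that is not BeyondTrust tooling; the site name, node hostnames, port and file path are constructed placeholders:

```shell
#!/bin/sh
# Added example, not BeyondTrust's tooling: apply the settings.ini edit for a
# standalone or clustered Proxy. Deletes Proxy=DIRECT and appends one
# [Proxy\<site>:443\Detected\<n>] section per node in fallback order.
set -eu

# add_proxy_nodes INI SITE PORT NODE...
add_proxy_nodes() {
    ini="$1"; site="$2"; port="$3"
    shift 3
    # Keep a backup, then drop the DIRECT entry the page says to delete.
    cp "$ini" "$ini.bak"
    grep -v '^Proxy=DIRECT[[:space:]]*$' "$ini.bak" > "$ini" || true
    n=1
    for node in "$@"; do
        # \\ in the printf format yields one literal backslash in the file.
        printf '[Proxy\\%s:443\\Detected\\%d]\n' "$site" "$n" >> "$ini"
        printf 'Proxy="PROXY %s:%s"\n' "$node" "$port" >> "$ini"
        n=$((n + 1))
    done
}

# proxy_order INI: print the configured proxy host:port values in the order
# they will be tried, for a quick check after editing.
proxy_order() {
    grep '^Proxy="PROXY ' "$1" | sed 's/^Proxy="PROXY \(.*\)"$/\1/'
}

case "${1:-}" in
    --demo)
        # Constructed sample file: only the line the page tells you to remove.
        tmp=$(mktemp)
        printf 'Proxy=DIRECT\n' > "$tmp"
        add_proxy_nodes "$tmp" access.example.com 8443 \
            proxy-a.example.net proxy-b.example.net
        cat "$tmp"
        echo "Fallback order:"
        proxy_order "$tmp"
        rm -f "$tmp" "$tmp.bak"
        ;;
esac
```

For a real edit, call add_proxy_nodes with the path of the Gateway's or Jump Client's settings.ini, your site, the port configured in /login, and the node hostnames in the order you want fallback to occur.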

Deploy a clustered Linux Gateway as a Docker image

You can run a clustered Linux Gateway in a Docker container. To do so, you need the Gateway's deploy key. You can get the deploy key in one of three ways:

  • Click the Copy Docker deploy key button from the main Gateway table.
  • Edit the Gateway and copy the value from the Docker DEPLOY_KEY field.
  • Use GET /jumpoint/{id} in the configuration API.

Pass the deploy key to the Gateway image in the Docker environment as DEPLOY_KEY.

The Docker image uses a bind-mounted volume to persist the Gateway install between container restarts and upgrades. To enable this, bind a volume to /jpt in the image. The Gateway install data is located under /jpt/home/install. The image requires the ipc_lock capability to do keyring operations.

The deploy key is saved under /jpt/. Deleting this file will force a re-install the next time the container runs.

Example Docker run command:

docker run -e DEPLOY_KEY=<deploy_key> -v <local_path>:/jpt --name <jumpoint_name> --cap-add ipc_lock -d beyondtrust/sra-jumpoint:<tag>

Variables:

  • <deploy_key>: The key that ties this Docker image to the specific Gateway or cluster in your Privileged Remote Access site.
  • <local_path>: The local path mounted into the container to preserve settings and configuration across restarts.
  • <jumpoint_name>: Any name to identify this container in Docker.
  • <tag> (optional): The tag to deploy. You can use latest, dev, or a specific hash.

Replace each variable, including the < >, with the values for your environment.

📘

Summary of docker arguments

  • -e: Set environment variables
  • -v: Bind mount a volume
  • --name: Assign a name to the container
  • -d: Run the container in the background and print the container ID
  • --cap-add ipc_lock: Add the ipc_lock Linux capability
  • --cap-add NET_ADMIN: Add Linux capabilities for interacting with the network stack
  • --cap-add NET_RAW: Allow the container to create and use RAW sockets

For information on other docker command flags, refer to the Docker docs for the docker run command.

Gateway through a Gateway deployed as a proxy server

You can configure a Gateway to go through another Gateway deployed as a proxy server. This allows secure access to isolated, non-routable, OT networks without being constrained to only Jump Clients. Follow these steps:

  1. On System 1, install a Gateway configured as a Proxy server.
  2. On System 2, which can be non-routable and on a network isolated from the internet, install a Gateway.
  3. On System 2, configure the Gateway's basic proxy configuration to point to the Proxy on System 1.
  4. You can now create new Assets using the Gateway on System 2, for endpoints in the same isolated network as System 2, and start sessions with them through the Proxy on System 1.
ℹ️

The Proxy, whether standalone or clustered, must be deployed to the target network before installing the Jump Client or Gateway used to create Assets. This enables automated discovery of the broadcasting proxy. Automated discovery works only if the installing Gateway or Jump Client is on the same subnet as the Proxy or if you have configured mDNS broadcasts to route across networks.


©2003-2026 BeyondTrust Corporation. All Rights Reserved.