Jump Interface

The Jump interface appears in the Jump Item tab of the access console, listing the Jump Items available to you. The list may contain Jump Clients, as well as Jump shortcuts for Remote Jumps, Local Jumps, RDP sessions, VNC sessions, Protocol Tunnel Jumps, Shell Jumps, and Web Jumps. Jump Item availability, including whether or not the Jump Item is in use, is listed in the Status column.

Jump Items are listed in Jump Groups. If you are assigned to one or more Jump Groups, you can access the Jump Items in those groups, with the permissions assigned by your admin. Selecting a Jump Group and then clicking Create auto-selects that Jump Group in the Jump Item configuration window.

Your personal list of Jump Items is primarily for your individual use, although your team leads, team managers, and users with permission to see all Jump Items may have access to your personal list of Jump Items. Similarly, if you are a team manager or lead with appropriate permissions, you may see team members' personal lists of Jump Items. Additionally, you may have permission to access Jump Items in Jump Groups you do not belong to and personal Jump Items for non-team members.

Copy Jump Items

Jump Clients and other Jump Items can be copied and assigned to multiple Jump Groups. This allows administrators to apply separate policies and group permissions without needing an additional Jump Client installation or Jump Item setup on the target endpoint. Users with the necessary permissions can copy Jump Items by right-clicking the Jump Item or selecting the option at the top of the Jump Item tab.

Jump to a Jump Item

Browse through groups for the computer you wish to access. To facilitate browsing the Jump Items list, you may drag the columns into any order you wish, and then sort a column by clicking the column header. The access console remembers the column order and the sort order the next time the access console is launched.

In addition to browsing for Jump Items, you can search and filter based on multiple fields. Click Add Filter, then select a category. Enter the text you want to filter by into the empty filter. You can add multiple filters as needed.

Enter a string in the search field and then press Enter. To change the fields you are searching, click on the magnifying glass and check or uncheck any of the available fields.

Once you have found the computer you wish to access, double-click the entry, or select the entry and click the Jump button. This attempts to start a session with the remote computer.

You may programmatically connect to a Jump Item directly from your systems management or ticketing tool. If your search results in only one Jump Item, the session starts immediately. If multiple Jump Items are returned, select one of the Jump Items listed in the selection window and click OK.

ℹ️

Note

For details about scripting, see Client scripting API.

Default credentials for Jump Items

When starting a Jump session that requires credentials, after selecting the credentials, you can check Remember as my default. Once a credential is selected as a default, it displays with other Jump Item details, and subsequent sessions start without requesting credentials.

When a default credential is set, the Jump Item details (accessed by right-clicking the Jump Item) include a button for Jump (Change Credentials). This opens the credential selection window, and you can either change default credential, select a different credential for this session, or clear the saved default credential.

If a default credential is no longer available to the user for that Jump Item, the next time they start a session with that Jump Item there is a warning that the requested credentials for starting the session were not found, and the option to continue. If you continue, the credential selection window opens and you can select a credential as usual.

Start multiple Jump sessions

You can select up to ten Jump Items and start them with a single click. To start a session with all Jump Items in a Jump Group, right-click the group and select Start a session with n items. The Jump Group must contain no more than ten Jump Items for this feature to be available.

Jump Group with the right-click menu showing "Start a session with 6 items"

Each session opens in its own tab. If a Jump Item requires credentials and does not have predefined credentials, you are prompted to enter them.

Manage multiple Jump sessions

Users with external tools, such as SQL clients, PuTTY, or VMware Desktop Manager, can manage multiple Jump sessions simultaneously by using static ports and usernames. With this feature enabled, the local port and username generated when a session with a Jump Item starts remain the same each time that Jump Item is used. By saving these connection details as a "bookmark" in your external tool, you avoid re-entering them each time you access the session.

Session information is available in the Tunnel session after a session is started. You can use this information to configure your bookmarks within your external tools.

ℹ️

Note

This feature is only available for Tunnel-type Jump items, such as SSH Tunnel sessions, RDP Tunnel sessions, and database Tunnel sessions.

To enable this option:

  1. Go to Users & Security > Access Permissions > Jump Technology.
  2. Check the Enable static port and username for external tool sessions box.

ℹ️

Note

If this option is disabled, a new port number and username are randomly generated for the user every time they begin a new session with a Jump Item, so bookmarks saved in external tools cannot be reused.

Schedule

If a Jump Policy is applied to the Jump Item, that policy affects how and/or when a Jump Item may be accessed.

If a Jump Policy enforces a schedule for this Jump Item, an attempt to access the Jump Item outside of its permitted schedule prevents the Jump from occurring. A prompt informs you of the policy restrictions and provides the date and time when this Jump Item is next available for access.

Notification

If a Jump Policy is configured to send a notification on session start or end, then an attempt to access a Jump Item alerts you that an email will be sent. You can choose to proceed with the Jump and send a notification, or you can cancel the Jump.

Ticket ID

If a Jump Policy requires a ticket ID from your external ITSM or ticketing system before the Jump can be performed, a dialog opens. Enter the ticket ID that authorizes access to this Jump Item.

Authorization

If a Jump Policy requires authorization before the Jump can be performed, a dialog opens. In the dialog, enter the reason you need to access this Jump Item. Then enter the date and time at which you wish authorization to begin, as well as how long you require access to the Jump Item. Both the request reason and the request time are visible to the approver and help them decide whether to approve or deny access.

When you click OK, an email is sent to the addresses defined as approvers for this policy. This email contains a URL where an approver can see the request, add comments, and either approve or deny the request.

If a request was approved by one person, a second approver can access the URL to override the approval and deny the request. If a request was denied, other approvers accessing the site can see the details but cannot override the denied status. If a user has already joined an approved session, that access cannot be denied. Other approvers can see the email address of the person who approved or denied the request, but the requestor cannot. Based on the Jump Policy settings, an approved request grants access either to any user who can see and request access to that Jump Item or only to the user who requested access.

In the Jump interface, the Jump Item's details pane displays the status of any authorization requests as either pending, approved, approved only for a different user, or denied. When an approver responds to a request, a pop-up notification appears on the requestor's screen alerting them that access has been either approved or denied. If the requestor has a configured email address, an email notification is also sent to the requestor.

When a user Jumps to a Jump Item which has been approved for access, a notification alerts the user to any comments left by the approver.

When approval has been granted to a Jump Item, that Jump Item becomes available either to any user who can see and request access to that Jump Item or only to the user who requested access. This is determined by the Jump Policy.

ℹ️

Note

Multiple requests may be sent for different times. The requested access times can overlap if the Jump approval request is for the Requestor Only. Access time cannot overlap if the approval is for Anyone Permitted to Request. If a request is denied, then a second request may be sent for the same time.

Revoke an access approval request

Permission to revoke approved access requests is controlled by Jump Policy. Any user who can approve requests on the Jump Policy can cancel requests, subject to the approval type. In the /login web management interface, go to Jump > Jump Policies. Under Jump Approval you have two options:

  • Anyone Permitted to Request
  • Requestor Only

If the Jump Policy is set to Requestor Only and an Access Request is currently approved for User A, User B is asked to create a new Access Request when attempting to Jump to the Jump Item, because the existing approval does not apply to them. If User B attempts to cancel the approved request, the option is grayed out. Only User A, as the approved user, can cancel it.

Cancel Request Authorization - not Allowed

However, if the Jump Policy is set to Anyone Permitted to Request and an Access Request is currently approved for User A, User B is allowed to start a new session with the Jump Item. In addition, anyone with permission to access the Jump Item can cancel or revoke the request.

Cancel Request Authorization - Allowed
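The approval and revocation rules in this section (override of an approval by a later denial, a denial that cannot be overridden, access already joined that cannot be denied, the overlap rule for Anyone Permitted to Request, and the User A / User B revoke behaviour) fit together as a small state machine. The following Python model is an added example and is not BeyondTrust code: the class and method names are this example's own, the approver and user names are constructed, and the revoke rule under Requestor Only follows the walkthrough above (only the approved requestor may cancel).

```python
"""Jump approval rules modelled as code (added example, not BeyondTrust code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class ApprovalType(Enum):
    REQUESTOR_ONLY = "Requestor Only"
    ANYONE_PERMITTED = "Anyone Permitted to Request"


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"
    CANCELLED = "cancelled"


@dataclass
class AccessRequest:
    requestor: str
    start: datetime
    duration: timedelta
    reason: str
    status: Status = Status.PENDING
    decided_by: Optional[str] = None
    joined: bool = False  # requestor has already joined the approved session

    @property
    def end(self) -> datetime:
        return self.start + self.duration

    def overlaps(self, other: "AccessRequest") -> bool:
        return self.start < other.end and other.start < self.end


class JumpItemApprovals:
    """Approval queue for one Jump Item governed by one Jump Policy."""

    def __init__(self, approval_type: ApprovalType, approvers, permitted_users):
        self.approval_type = approval_type
        self.approvers = set(approvers)              # addresses defined as approvers on the policy
        self.permitted_users = set(permitted_users)  # users who can see and request this Jump Item
        self.requests: list[AccessRequest] = []

    def request(self, requestor: str, start: datetime, duration: timedelta, reason: str) -> AccessRequest:
        if requestor not in self.permitted_users:
            raise PermissionError(f"{requestor} cannot request access to this Jump Item")
        new = AccessRequest(requestor, start, duration, reason)
        # Overlap rule: windows may overlap only under Requestor Only. A denied
        # or cancelled request never blocks a new request for the same time.
        if self.approval_type is ApprovalType.ANYONE_PERMITTED:
            for r in self.requests:
                if r.status in (Status.PENDING, Status.APPROVED) and r.overlaps(new):
                    raise ValueError("requested window overlaps an active request")
        self.requests.append(new)
        return new

    def _check_approver(self, approver: str) -> None:
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver for this policy")

    def approve(self, approver: str, req: AccessRequest) -> None:
        self._check_approver(approver)
        if req.status is Status.DENIED:
            raise ValueError("a denied request cannot be overridden")
        req.status, req.decided_by = Status.APPROVED, approver

    def deny(self, approver: str, req: AccessRequest) -> None:
        """A second approver may override an approval, unless the session is already in use."""
        self._check_approver(approver)
        if req.status is Status.APPROVED and req.joined:
            raise ValueError("access that is already in use cannot be denied")
        req.status, req.decided_by = Status.DENIED, approver

    def cancel(self, user: str, req: AccessRequest) -> None:
        """Revoke an approved request; Requestor Only limits this to the requestor."""
        if req.status is not Status.APPROVED:
            raise ValueError("only an approved request can be revoked")
        if self.approval_type is ApprovalType.REQUESTOR_ONLY:
            allowed = user == req.requestor
        else:
            allowed = user in self.permitted_users or user in self.approvers
        if not allowed:
            raise PermissionError(f"{user} may not revoke this request")
        req.status = Status.CANCELLED

    def can_access(self, user: str, at: datetime) -> bool:
        """Approved access covering `at`, for anyone permitted or the requestor only, per policy."""
        for r in self.requests:
            if r.status is Status.APPROVED and r.start <= at < r.end:
                if r.requestor == user:
                    return True
                if self.approval_type is ApprovalType.ANYONE_PERMITTED and user in self.permitted_users:
                    return True
        return False

    def status_for(self, user: str, req: AccessRequest) -> str:
        """Status as the details pane would show it to `user`."""
        if (req.status is Status.APPROVED
                and self.approval_type is ApprovalType.REQUESTOR_ONLY
                and user != req.requestor):
            return "approved only for a different user"
        return req.status.value
```

The model is deliberately strict where the page is: once `deny` has been recorded, `approve` refuses, and a request whose session has been joined cannot be denied, only cancelled by whoever the policy allows.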

Jump Clients

To access an individual Windows, Mac, or Linux computer that is not on an accessible network, install a Jump Client on that system from the /login > Jump > Jump Clients page. Jump Clients appear in the Jump interface along with Jump Item shortcuts.

Use a Jump Client

To use a Jump Client to start a session, select the Jump Client from the Jump interface and click the Jump button.

ℹ️

Note

Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

ℹ️

Note

For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.

Sort Jump Clients

Browse through groups for the computer you wish to access. To facilitate browsing the Jump Items list, you may drag the columns into any order you wish, and then sort a column by clicking the column header. The access console remembers the column order and the sort order the next time the access console is launched.

Search for a Jump Client

In addition to browsing for Jump Items, you can search and filter based on multiple fields. Click Add Filter, then select a category. Enter the text you want to filter by into the empty filter. You can add multiple filters as needed.

Enter a string in the search field and then press Enter. To change the fields you are searching, click on the magnifying glass and check or uncheck any of the available fields.

Jump Client details pane

When you select a Jump Client, a details pane appears to the right of the Jump interface. Which details are shown here is determined by the Jump Client Statistics setting in the /login interface as well as by the remote operating system.

If a Jump Client goes offline and does not reconnect to the B Series Appliance for the number of days set by the Jump Client Settings in the /login interface, it is labeled as lost. No specific action is taken on the Jump Client. It is labeled as lost only for identification purposes, so that an administrator can diagnose the reason for the lost connection and take action to correct the situation. In the details pane, the scheduled deletion date appears should the Jump Client not come back online.

After a software update, Jump Clients update automatically. The number of concurrent Jump Client upgrades is determined by settings on the /login > Jump > Jump Clients page. If a Jump Client has not yet been updated, it is labeled as Upgrade Pending, and its version and revision number appear in the details pane. You can modify and Jump to an outdated Jump Client.

Wake-On-Lan (WOL)

Wake-On-Lan (WOL) allows you to remotely turn on or wake up machines configured for WOL from BeyondTrust. In a configured environment, customers can power off their machine but still receive BeyondTrust support, if needed.

ℹ️

Note

WOL is not a BeyondTrust technology. The BeyondTrust software integrates with existing WOL systems. To use WOL through BeyondTrust, the system must have WOL enabled, and the network must allow WOL packets to be sent.

To enable support for WOL in BeyondTrust, turn on the WOL setting in the administrative /login interface under Jump > Jump Clients. When enabling the WOL option, keep the following items in mind:

  • WOL does not work for wireless clients. A wired network connection is required.
  • WOL is supported by the underlying system hardware, which is independent of the installed OS.
  • WOL is supported only by active Jump Clients. Jumpoints and Local Jumps from the access console do not support WOL.

To wake an active Jump Client using WOL, right-click the Jump Client in the access console and select Attempt to wake up Jump Client.

The wake option is only available when selecting a single Jump Client. It is not available when multiple Jump Clients are selected.

Attempt to Wake a Jump Client

WOL packets are sent from other Jump Clients residing on the same network as the target machine. When an active Jump Client is installed or checks in, it registers its network information with the B Series Appliance, and the B Series Appliance uses this information to determine which Jump Clients are on the same network.

After you attempt to wake a selected Jump Client, the WOL option is grayed out for 30 seconds before another wake-up request can be sent. If no other Jump Clients are available on that network to send WOL packets to the target machine, you receive a message indicating this. When sending a WOL packet, an advanced option lets you provide a password for WOL environments that require a secure WOL password. A WOL packet is one-way; the only confirmation of success is seeing the client come online in the access console.
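WOL itself is not BeyondTrust technology, as the note above says, so it helps to see what the peer Jump Clients are actually emitting on the target's subnet. The following Python is an added example, not BeyondTrust code: it builds, validates and broadcasts a standard WOL magic packet (six 0xFF bytes, the target MAC repeated sixteen times, then an optional six-byte SecureOn password, which is the "secure WOL password" the advanced option refers to). The function names and the sample MAC address are this example's own.

```python
"""Wake-on-LAN magic packet builder, parser and sender (added example, not BeyondTrust code)."""
import re
import socket
from typing import Optional, Tuple

SYNC = b"\xff" * 6  # the synchronisation stream every magic packet starts with


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 forms."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str, password: Optional[bytes] = None) -> bytes:
    """Sync stream, 16 repetitions of the MAC, then the SecureOn password if the NIC requires one."""
    if password is not None and len(password) != 6:
        raise ValueError("SecureOn password must be exactly 6 bytes")
    return SYNC + parse_mac(mac) * 16 + (password or b"")


def parse_magic_packet(payload: bytes) -> Tuple[str, bytes]:
    """Validate a captured UDP payload and return (mac, password).

    Useful on the detection side: a datagram on the WOL port that fails these
    checks is not a wake request, whatever its size.
    """
    if len(payload) < 102 or payload[:6] != SYNC:
        raise ValueError("missing 0xFF sync stream")
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        raise ValueError("MAC is not repeated 16 times")
    password = payload[102:]
    if len(password) not in (0, 6):
        raise ValueError("trailing bytes are not a 6-byte SecureOn password")
    return ":".join(f"{b:02x}" for b in mac), password


def send_magic_packet(mac: str, password: Optional[bytes] = None,
                      broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet on the local segment.

    WOL is one-way, so the return value is only the byte count handed to the
    socket; the target's reappearance is the only real confirmation.
    """
    pkt = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (broadcast, port))
    return len(pkt)


if __name__ == "__main__":
    # Constructed sample MAC; nothing is sent here so the example runs offline.
    sample = build_magic_packet("00:11:22:33:44:55")
    print(len(sample), parse_magic_packet(sample))
```

Because the packet is a broadcast on the local segment, a sender must sit on the same network as the target, which is why the appliance picks a peer Jump Client there rather than sending from the appliance itself.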

Jump Client properties

Organize and manage existing Jump Items by selecting one or more Jump Items and clicking Properties.

ℹ️

Note

To view the properties of multiple Jump Items, the items selected must be the same type (all Jump Clients, all Remote Jumps, etc.).

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

ℹ️

Note

This feature is available only to customers who own an on-premises B Series Appliance. BeyondTrust Cloud customers do not have access to this feature.

Based on the options your administrator sets, the statistics shown for a Jump Client may include the remote computer's logged-in console user, operating system, uptime, CPU, disk usage, and a screen shot from the last update.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Choose an Endpoint Agreement to assign to this Jump Item. Depending on what is selected, an endpoint agreement is displayed. If there is no response, the agreement is automatically accepted or rejected.

If you no longer need access to a remote system, select the Jump Item and click Remove, or right-click on the Jump Item and select Remove from the menu. You may select multiple Jump Items to remove them all at the same time.

ℹ️

Note

If the remote user manually uninstalls a Jump Client, the deleted item is either marked as uninstalled or completely removed from the Jump Items list in the access console. If the Jump Client cannot contact the B Series Appliance at the time it is uninstalled, the affected item remains in its offline state. This setting is available at /login > Jump > Jump Clients. If a Jump Client goes offline and does not reconnect to the B Series Appliance for 180 days, it is automatically uninstalled from the target computer and is removed from the Jump interface.

Export Jump Item details

Click Export at the top of the interface to create a CSV file of Jump Item details. You can export details for the selected Jump Items, the current view, or all Jump Items.

Remote Jump

Remote Jump enables a privileged user to connect to an unattended remote computer on a network outside of their own network. Remote Jump depends on a Jumpoint.

A Jumpoint acts as a conduit for unattended access to Windows and Linux computers on a known remote network. A single Jumpoint installed on a computer within a local area network is used to access multiple systems, eliminating the need to pre-install software on every computer you may need to access.

ℹ️

Note

Jumpoint is available for Windows and Linux systems. Jump Clients are needed for remote access to Mac computers. To Jump to a Windows computer without a Jump Client, that computer must have Remote Registry Service enabled (disabled by default in Vista) and must be on a domain. You cannot Jump to a mobile device, though Jump Technology is available from mobile BeyondTrust consoles.

Create a Remote Jump shortcut

To create a Remote Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Remote Jump. Remote Jump shortcuts appear in the Jump interface, as well as Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Choose an Endpoint Agreement to assign to this Jump Item. Depending on what is selected, an endpoint agreement is displayed. If there is no response, the agreement is automatically accepted or rejected.

Use a Remote Jump shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

A dialog box opens for you to enter administrative credentials to the remote computer in order to complete the Jump. The administrative rights must be either a local administrator on the remote system or a domain administrator.

The client files are pushed to the remote system, and a session attempts to start.

ℹ️

Note

Because a Remote Jump attempts to connect directly back through the appliance, the end machine must be able to communicate with the appliance as well. If this is not the case, you can use the Jump Zone Proxy feature to proxy the traffic through the Jumpoint.

ℹ️

Note

Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

ℹ️

Note

For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.

Local Jump

Local Jump enables a privileged user to connect to an unattended remote computer on their local network. Within the local area network, the BeyondTrust user's computer can initiate a session to a Windows system directly without using a Jumpoint, if appropriate user permissions are enabled. A Jumpoint is needed only when the BeyondTrust user's computer cannot access the target computer directly.

ℹ️

Note

Local Jump is only available for Windows systems. Jump Clients are needed for remote access to Mac computers. To Jump to a Windows computer without a Jump Client, that computer must have Remote Registry Service enabled (disabled by default in Vista) and must be on a domain.

Create a Local Jump shortcut

To create a Local Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Local Jump. Local Jump shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

Enter the Hostname / IP of the system you wish to access.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Choose an Endpoint Agreement to assign to this Jump Item. Depending on what is selected, an endpoint agreement is displayed. If there is no response, the agreement is automatically accepted or rejected.

Use a Local Jump shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

A dialog box opens for you to enter administrative credentials to the remote computer in order to complete the Jump. The administrative rights must be either a local administrator on the remote system or a domain administrator.

The client files are pushed to the remote system, and a session attempts to start.

ℹ️

Note

Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

ℹ️

Note

For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.

Remote Desktop Protocol

Use BeyondTrust to start a Remote Desktop Protocol (RDP) session with remote Windows and Linux systems. Because RDP sessions are proxied through a Jumpoint and converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site. To use RDP through BeyondTrust, you must have access to a Jumpoint and must have the user account permission Allowed Jump Methods: RDP via a Jumpoint.

ℹ️

Note

You can use your own RDP tool for remote RDP sessions. For more information, please see Change settings and preferences in the access console.

⚠️

Important

In order to use your own tool, you must enable Protocol Tunnel Jump in /login > Users & Security > Users > Access Permissions > Jump Technology > Protocol Tunnel Jump. This may need to be enabled by a group policy. You must also enable the appropriate external tools in /login > Jump > Jump Items > Jump Item Settings.

Create an RDP shortcut

To create a Microsoft Remote Desktop Protocol shortcut, click the Create button in the Jump interface. From the dropdown, select Remote RDP. RDP shortcuts appear in the Jump interface with Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

ℹ️

Note

By default, the RDP server listens on port 3389, which is therefore the default port BeyondTrust attempts. If the remote RDP server is configured to use a different port, add it after the hostname or IP address in the form of <hostname>:<port> or <ipaddress>:<port> (for example, 10.10.24.127:40000).
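The Hostname / IP field therefore carries an optional port, and a wrong value only shows up as a failed Jump. The following Python parser is an added example, not BeyondTrust code: it applies the rule in the note above (host or IP, optional :port, 3389 when absent) and, going beyond the page, also accepts a bracketed IPv6 literal and rejects out-of-range ports and malformed hostnames. The function names and sample values are this example's own.

```python
"""Parse the Hostname / IP field of an RDP Jump Item into (host, port) (added example, not BeyondTrust code)."""
import ipaddress
import re
from typing import Tuple

RDP_DEFAULT_PORT = 3389
# RFC 1123 style hostname: dot-separated labels of letters, digits and inner hyphens
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.?$"
)


def _parse_port(text: str, default: int) -> int:
    if text == "":
        return default
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"port must be 1-65535, got {text!r}")
    return int(text)


def parse_rdp_target(value: str, default_port: int = RDP_DEFAULT_PORT) -> Tuple[str, int]:
    value = value.strip()
    if value.startswith("["):
        # Generalisation beyond the page: [2001:db8::10]:3390, bracketed IPv6 with optional port
        host, bracket, rest = value[1:].partition("]")
        if not bracket or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {value!r}")
        ipaddress.IPv6Address(host)  # raises ValueError if the literal is not IPv6
        return host, _parse_port(rest[1:], default_port)
    if value.count(":") > 1:
        # Bare IPv6 literal: a trailing port would be ambiguous, so only the default applies
        ipaddress.IPv6Address(value)
        return value, default_port
    host, _, port_text = value.partition(":")  # hostname:port or ipv4:port, port optional
    if not host:
        raise ValueError(f"missing hostname in {value!r}")
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not _HOSTNAME.match(host):
            raise ValueError(f"invalid hostname: {host!r}")
    return host, _parse_port(port_text, default_port)


if __name__ == "__main__":
    # The page's own example plus constructed values
    for target in ("10.10.24.127:40000", "srv01.corp.example", "[2001:db8::10]:3390"):
        print(target, "->", parse_rdp_target(target))
```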

Provide the Username to sign in as, along with the Domain.

Select the Quality at which to view the remote screen. This cannot be changed during the remote desktop protocol (RDP) session. Select the color optimization mode to view the remote screen. If you are going to be primarily sharing video, select Video Optimized; otherwise, select Black and White (uses less bandwidth), Few Colors, More Colors, or Full Color (uses more bandwidth). Both Video Optimized and Full Color modes allow you to view the actual desktop wallpaper.

To start a console session rather than a new session, check the Console Session box.

If the server's certificate cannot be verified, you receive a certificate warning. Checking Ignore Untrusted Certificate allows you to connect to the remote system without seeing this message.

ℹ️

Note

When RemoteApp or BeyondTrust Remote Desktop Agent is selected in the SecureApp section, the Console Session checkbox is unchecked. Remote applications cannot run in a console session on an RDP server.

To get more detailed information on the RDP session, check Session Forensics. For this feature to work, you must select an RDP Service Account for the Jumpoint being used. When checking this setting, the following reminder displays:

Enabling this feature requires the RDP server to be configured to receive the monitoring agent and an RDP Service Account to be configured with this Jumpoint. If these requirements are not met, all attempts to start a session will fail.

ℹ️

Note

In typical installations, the RDP service account requires privileges including access to create and control remote services and write access to remote file systems. We recommend that you create an Entra ID account and use Entra ID group policy settings to configure the permissions, however the exact permissions required depend on your Entra ID configuration.

When Session Forensics is checked, the following additional details are logged:

  • Focused window changed event
  • Mouse click event
  • Menu opened event
  • New window opened event

To start a session with a remote application, configure the SecureApp section. The following dropdown options are available:

  • None: When accessing a Remote RDP Jump Item, no application is launched.
  • RemoteApp: The user can configure an application profile or command argument, which executes and opens an application on a remote server. To configure, select the RemoteApp option and enter the following information:
    • Remote App Name: Enter the name of the application you wish to connect to.
    • Remote App Parameters: Enter the profile details or command line arguments needed to open the application.
  • BeyondTrust Remote Desktop Agent: This option facilitates passing parameters through an agent in order to launch applications on a remote host. To configure, select the BeyondTrust Remote Desktop Agent option and enter the following information:
    • Executable Path: Enter the path of the application the agent will connect to.
    • Parameters: Enter any parameters that you could normally type from a command line when launching the app on the remote system.

ℹ️

Note

For more information on Session Forensics and RDP service account, please see RDP service account.

Inject credentials

The option to Inject Credentials is made available when the BeyondTrust Remote Desktop Agent type is selected. This option facilitates passing parameters as well as credentials through an agent in order to launch applications on a remote host. The first set of credentials is in the Jump definition. These are the credentials for the user account you'll use to log into the remote system. There is a secondary prompt for additional credentials, either manually provided or from a password vault. These secondary credentials are made available to the command line you define through the %USERNAME% and %PASSWORD% macros (additional macros shown below). This allows you to pass additional credentials to the application you are launching (e.g., SQL Server Management Studio). To configure, select the BeyondTrust Remote Desktop Agent option and enter the following information:

  • Enter the Executable Path and Parameters as described above.
  • Target System: Enter the name of the system running the application.
  • Credential Type: Enter the credential type as defined by the credential management system (e.g., SQL).

Macro Name              Result
%USERNAME%              username
%USERPRINCIPLENAME%     username@domain
%DOWNLEVELLOGONNAME%    domain\username
%DOMAIN%                domain
%PASSWORD%              password
%PASSWORDRAW%           password (without any attempt to escape special characters)
%TARGETSYSTEM%          supplied target system value; in the case of SQL Server, this would be the SQL Server name.
%APPLICATIONNAME%       optional application name; in the case of SQL Server, this can be hard-coded to "SQL Server" or something similar.
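As an added illustration of how the macros in the table above expand into a Parameters string (this is not BeyondTrust's code), the following Python models the substitution. The escaping rule used for %PASSWORD%, the function names and the sample values are assumptions; the page only states that %PASSWORDRAW% is unescaped.

```python
import re

# Macro names exactly as listed in the Inject Credentials table above.
MACRO_RE = re.compile(
    r"%(USERNAME|USERPRINCIPLENAME|DOWNLEVELLOGONNAME|DOMAIN|"
    r"PASSWORD|PASSWORDRAW|TARGETSYSTEM|APPLICATIONNAME)%"
)

# Assumed, illustrative escaping rule for %PASSWORD%: caret-escape the cmd.exe
# metacharacters so the value survives being placed on a Windows command line.
_CMD_META = "^&|<>"


def escape_for_cmdline(value: str) -> str:
    return "".join("^" + ch if ch in _CMD_META else ch for ch in value)


def expand_macros(template: str, username: str, domain: str, password: str,
                  target_system: str, application_name: str = "") -> str:
    """Expand the credential-injection macros found in a Parameters template."""
    values = {
        "USERNAME": username,
        "USERPRINCIPLENAME": f"{username}@{domain}",
        "DOWNLEVELLOGONNAME": f"{domain}\\{username}",
        "DOMAIN": domain,
        "PASSWORD": escape_for_cmdline(password),
        "PASSWORDRAW": password,
        "TARGETSYSTEM": target_system,
        "APPLICATIONNAME": application_name,
    }
    # One left-to-right pass: substituted values are never rescanned, so a
    # credential that happens to contain text such as "%USERNAME%" is passed
    # through literally instead of being expanded a second time.
    return MACRO_RE.sub(lambda m: values[m.group(1)], template)


def macros_used(template: str) -> list:
    """Names of the macros a template references, in order of first use,
    so an admin can see which secondary-credential fields a template needs."""
    seen = []
    for m in MACRO_RE.finditer(template):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def loggable(template: str, **kwargs) -> str:
    """Expanded form that is safe to record: password macros are masked."""
    kwargs = dict(kwargs, password="********")
    return expand_macros(template, **kwargs)


if __name__ == "__main__":
    # Constructed sample: a sqlcmd-style parameter string for a SQL Server target.
    tpl = '-S %TARGETSYSTEM% -U %DOWNLEVELLOGONNAME% -P %PASSWORD%'
    print(loggable(tpl, username="svc_sql", domain="CORP", password="p&ss<w",
                   target_system="sql01"))
```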

ℹ️

Note

The BeyondTrust Remote Desktop Agent option requires a BeyondTrust Remote Desktop Agent to be preconfigured on the target system. This agent can be downloaded from the My Account page in the /login interface. It is neither version nor site-specific, and thus the same agent can be used for as many applications as the admin wishes to support. Once the agent is installed, you can then use BeyondTrust to create RDP Jump Items that are configured to use the BeyondTrust Remote Desktop Agent option to launch any application installed on the remote system.

ℹ️

Note

RemoteApp relies on publishing applications using Microsoft RDS RemoteApps. Please refer to the Microsoft documentation for publishing applications.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

ℹ️

Note

For more information about contained database users, please see Contained Database Users - Making Your Database Portable.

Use an RDP shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

You are prompted to enter the password for the username you specified earlier.

Your RDP session now begins.

ℹ️

Note

When starting an RDP session, the RDP keyboard automatically matches the language you have set in the access console. This functionality is available for Windows-based access consoles only.

Begin screen sharing to view the remote desktop. You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, share clipboard contents, use Alt and Shift commands, and perform key injection. You also can share the RDP session with other logged-in BeyondTrust users, following the normal rules of your user account settings.

ℹ️

Note

Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Start New Session, then a new independent session starts for each user who Jumps to a specific RDP Jump Item. The RDP configuration on the endpoint controls any further behavior regarding simultaneous RDP connections.

ℹ️

Note

For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.

VNC

Use BeyondTrust to start a VNC session with a remote Windows or Linux system. Because VNC sessions are proxied through a Jumpoint and converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site. To use VNC through BeyondTrust, you must have access to a Jumpoint and have the user account permission Allowed Jump Methods: Remote VNC via a Jumpoint.

Create a VNC shortcut

To create a VNC shortcut, click the Create button in the Jump interface. From the dropdown, select Remote VNC. VNC shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

ℹ️

Note

By default, the VNC server listens on port 5900, which is, therefore, the default port BeyondTrust attempts. If the remote VNC server is configured to use a different port, add it after the hostname or IP address in the form of <hostname>:<port> or <ipaddress>:<port> (e.g., 10.10.24.127:40000).

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Use a VNC shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

When establishing the connection to the VNC server, the system prompts you to enter the user name and password.

Your VNC session now begins. Begin screen sharing to view the remote desktop. You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, and share clipboard text contents. You also can share, transfer or record the VNC session, following the normal rules of your user account settings.

ℹ️

Note

Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

ℹ️

Note

For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.

Protocol Tunnel

A Protocol Tunnel Jump establishes a connection between your system and an endpoint on a remote network, or in the case of a Network Tunnel, multiple endpoints. Because the connection occurs through a Jumpoint, the administrator can control which users have access, when they have access, and if the sessions are recorded.

Set up a Protocol Tunnel Jump Item

Create a Protocol Tunnel Jump shortcut

ℹ️

Note

Protocol Tunnel Jump shortcuts are available only if their Jumpoint is configured for the Protocol Tunnel Jump method on the /login > Jump > Jumpoint page. For more information, see Enable Protocol Tunnel Jump method.

To create a Protocol Tunnel Jump Shortcut, click the Create button in the Jump Item tab of the access console. From the dropdown, under Protocol Tunnel Jump, select the desired type of Protocol Tunnel Jump:

  • TCP Tunnel: This tunnel connects a TCP port on your system to a TCP port on a remote system through the Jumpoint. You can configure a TCP Tunnel to define one or more local-TCP-port-to-remote-TCP-port relationships. Once the session is active, external tools can access the remote port by using your local port value.

  • MySQL Tunnel: This tunnel uses the MySQL Server protocol as a database proxy, enabling credential injection for users and improved auditing. Authentication is supported using Vault username and password. The MySQL Server must be configured to use caching_sha2_password authentication. You must have the MySQL client already installed on the machine running the access console.

  • PostgreSQL Tunnel: This tunnel uses the PostgreSQL Server protocol as a database proxy, enabling credential injection for users and improved auditing. Authentication is supported using Vault credentials or manually entered credentials. External tools can establish a connection to the remote PostgreSQL database using the local address provided in the PostgreSQL Tunnel tab in the access console.

  • SQL Server Tunnel: This tunnel uses the Microsoft SQL Server protocol as a database proxy, enabling credential injection for users and improved auditing. Authentication is supported using Windows authentication and SQL login.

  • Kubernetes Cluster Tunnel: This tunnel uses the open source Kubernetes system, also known as K8s, to manage connections. To use this tunnel, the Jumpoint must be hosted on a Linux system. The necessary configuration file is created in a local cache, and deleted when the session is closed. Users are able to natively use the kubectl command line tool over this tunnel and have all commands and traffic fully proxied, logged, and auditable.

  • Network Tunnel: This network layer tunnel enables port tunneling of any TCP and non-TCP protocol (e.g. UDP) traffic to a network. This tunnel is unique from other types because it enables you to establish sessions allowing one-to-one or one-to-many connectivity.

    A Network Tunnel session is defined by one or more filter rules. Each rule specifies the IP address accessible in the remote network and can either allow any protocol or restrict it to a single one. For protocols supporting ports, each rule can further limit access to specific ports.

ℹ️

Note

See Network Tunnel Jump shortcuts for more information.

Protocol Tunnel Jump shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.

Create a TCP tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Specify a Local Address. The default address is 127.0.0.1. If you need to connect to multiple systems on the same remote port at the same time, you can enable that connection by changing each Protocol Tunnel Jump Shortcut's address to a different address within the 127.x.x.x subrange.

In Local Port, specify the port that will listen on the user's local system. If you leave this as automatic, the access console allocates a free port.

In Remote Port, specify the port to connect to on the remote system. This is dictated by the type of server you are connecting to.

You can define multiple pairs of TCP Tunnels as necessary for your setup. Added tunnels can be removed but not edited.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Create a MySQL tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Specify a Local Address. The default address is 127.0.0.1. If you need to connect to multiple systems on the same remote port at the same time, you can enable that connection by changing each Protocol Tunnel Jump Shortcut's address to a different address within the 127.x.x.x subrange.

Optionally, enter a Username. This is applied if Vault credentials are not used.

Enter the applicable Database. This is required if the PostgreSQL server will not be able to infer the database name from the username used during authentication.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Create a PostgreSQL server tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Specify a Local Address. The default address is 127.0.0.1. If you need to connect to multiple systems on the same remote port at the same time, you can enable that connection by changing each Protocol Tunnel Jump Shortcut's address to a different address within the 127.x.x.x subrange.

Enter the applicable Username and Database.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Create a SQL server tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Specify a Local Address. The default address is 127.0.0.1. If you need to connect to multiple systems on the same remote port at the same time, you can enable that connection by changing each Protocol Tunnel Jump Shortcut's address to a different address within the 127.x.x.x subrange.

Enter the applicable Username and Database.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Create a Kubernetes cluster tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Specify a Local Address. The default address is 127.0.0.1. If you need to connect to multiple systems on the same remote port at the same time, you can enable that connection by changing each Protocol Tunnel Jump Shortcut's address to a different address within the 127.x.x.x subrange.

Enter the base URL for the Kubernetes cluster, beginning with https://

For the CA Certificates, copy and paste a PEM-formatted certificate or chain of certificates used to validate the cluster URL. When using a chain of certificates, the typical order is domain, intermediate, and root.

ℹ️

Note

You may be able to obtain your certificate with the following command: kubectl get configmap kube-root-ca.crt -o jsonpath="{['data']['ca\.crt']}"

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Use a Protocol Tunnel Jump shortcut

To use a Protocol Tunnel Jump shortcut to start a session, simply select the shortcut from the Jump interface and click the Jump button.

A session appears in your access console. Click the Protocol Tunneling button to establish the connection.

If screen recording is enabled, a prompt appears, informing you that your desktop will be recorded. Click OK to continue. If you click Cancel, the Protocol Tunnel will not be created.

If screen recording is enabled, an indicator appears at the top of your session screen.

The Current Tunnels section displays current connections and their statuses. You also can view brief Network Statistics.

You can now open a third-party client to perform tasks on the remote system. Use the port value appended to the local address to connect through the Jumpoint.

Use a TCP Tunnel

When you open a TCP tunnel, you can view details about all the connections set up for this Jump Item. Use the TCP Tunnel by pointing your client software to the corresponding local address and port. The client software will then be able to communicate to the remote system through the TCP Tunnel. Note that if you stop and restart the tunnel, the port will likely change.

Use a MySQL Tunnel

When you open a MySQL Tunnel, you can click the Open MySQL Client button to open a new terminal and start the MySQL client automatically in order to connect to the database. You must have the MySQL client already installed on the machine running the access console. Pressing the button launches the default database client tool. If multiple MySQL client tools are found, a drop-down appears to the right of the Open MySQL Client button, allowing you to select a specific tool. The selected tool becomes the new default.

This button is deactivated if the access console cannot find either mysql or mysqlsh in the list of paths to search as defined by the PATH environment variable. You also see details about the connection.

Copy the command and paste it into your command line interface. You are now connected to the MySQL instance on the remote endpoint.

ℹ️

Note

The credentials used to initiate the MySQL Tunnel are also used to authenticate as the user when connecting to the remote endpoint.

Use a PostgreSQL Tunnel

When you open a PostgreSQL Tunnel, you can click the Open PostgreSQL Client button to open a new terminal and start the PostgreSQL client automatically in order to connect to the database. Pressing the button launches the default database client tool. If multiple PostgreSQL client tools are found, a drop-down appears to the right of the Open PostgreSQL Client button, allowing you to select a specific tool. The selected tool becomes the new default.

This button is deactivated if the access console cannot find the pgAdmin tool or the psql client binary. You also can view details about the connection.

Copy the command and paste it into your command line interface. You are now connected to the PostgreSQL instance on the remote endpoint.

Use a SQL Server Tunnel

When you open a SQL Server Tunnel, you can click the Open SQL Client button to open a new terminal and start the SQL Server client automatically in order to connect to the database. Pressing the button launches the default database client tool. If multiple PostgreSQL client tools are found, a drop-down appears to the right of the Open SQL Client button, allowing you to select a specific tool. The selected tool becomes the new default.

This button is deactivated if the access console cannot find the correct tool. In Windows, this is azure-data-studio, Microsoft SQL Server Management Studio, or the sqlcmd utility. In Linux, this is the sqlcmd utility. You also can view details about the connection.

Copy the command and paste it into your command line interface. You are now connected to the SQL Server instance on the remote endpoint.

Use a Kubernetes Cluster Tunnel

Run your Kubernetes Cluster Tunnel Jump Item. Then, run kubectl or another Kubernetes-enabled tool of your choice. When the Jump Item starts, you will see an environment variable and a command line argument. Provide either of these to your Kubernetes tool to initiate the connection. You are now connected to the Kubernetes instance on the remote endpoint.

Stipulations for correct use

The Protocol Tunneling feature tunnels network traffic in a way that places some restrictions on how communication must occur between the user's system and the endpoint.

TCP, MySQL, PostgreSQL, and SQL Server tunnel requirements

  • All traffic must be TCP.
  • No more than 256 simultaneous connections can be handled.
  • All TCP connections must originate from the endpoint and must be accepted by the listening user's system. The application's protocol cannot require that the user's system make a separate connection back to the endpoint.
  • Any TCP connections that the endpoint is to make back to the user's system must be made over tunnels already defined within the Protocol Tunnel Jump Item properties.
  • Operating systems typically disallow non-elevated processes from listening on ports less than 1024. Therefore, the local port must generally be greater than 1024. The endpoint software connects to the server by connecting to the local port on which the access console (a non-elevated process) is listening.
  • The endpoint software cannot make connections to any system on the remote network other than the one specified in the Protocol Tunnel Jump Item properties.
  • The protocol must be agnostic toward the hostname that the endpoint used to connect to the server. Otherwise, other means must be used to satisfy the protocol's requirements, such as mapping a hostname to 127.0.0.1 in the hosts file or applying special configuration to the endpoint client.
  • If the tunnel definition has a local port that is different than the remote port (namely, when the local port must be greater than 1024 because the server's port is less than 1024), the protocol must be agnostic toward the port that the endpoint client used to connect to the server.
  • Any protocol which goes beyond the case of making a single TCP connection from the endpoint client to the user's system requires that the administrator understand their specific protocol and the stipulations listed above.

Kubernetes tunnel requirements

  • No more than 256 simultaneous connections can be handled.
  • All connections must originate from the endpoint and must be accepted by the listening user's system. The application's protocol cannot require that the user's system make a separate connection back to the endpoint.
  • Kubernetes does not authenticate when the tunnel is initially established but instead each time a user runs a kubectl command.
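As an added example (not BeyondTrust's code), the following Python checks a set of TCP tunnel pairs against the stipulations above (local address within 127.x.x.x, local port above 1024, no two tunnels on the same local listener, a warning where local and remote ports differ) and also parses the <hostname>:<port> form described in the VNC shortcut note, defaulting to 5900. The class and function names and the sample tunnels are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # the "127.x.x.x subrange"
VNC_DEFAULT_PORT = 5900


def parse_target(text: str, default_port: int = VNC_DEFAULT_PORT) -> Tuple[str, int]:
    """Split a Hostname / IP field written as <host> or <host>:<port>."""
    value = text.strip()
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, default_port
    if not host:
        raise ValueError(f"missing host in target {text!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in target {text!r}")
    return host, int(port)


@dataclass
class TcpTunnel:
    remote_port: int
    local_address: str = "127.0.0.1"
    local_port: Optional[int] = None  # None = "automatic": the console picks a free port


def validate_tunnels(tunnels: List[TcpTunnel]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the tunnel pairs of one Protocol Tunnel Jump Item."""
    errors, warnings = [], []
    listeners = set()
    for i, t in enumerate(tunnels, 1):
        try:
            addr = ipaddress.ip_address(t.local_address)
        except ValueError:
            errors.append(f"tunnel {i}: local address {t.local_address!r} is not an IP address")
            continue
        if addr not in LOOPBACK:
            errors.append(f"tunnel {i}: local address {addr} is outside 127.0.0.0/8")
        if not 1 <= t.remote_port <= 65535:
            errors.append(f"tunnel {i}: remote port {t.remote_port} out of range")
        if t.local_port is None:
            # Automatic allocation almost always yields a port different from the remote one.
            warnings.append(f"tunnel {i}: automatic local port will differ from remote port "
                            f"{t.remote_port}; the protocol must not depend on the port used")
            continue
        if not 1 <= t.local_port <= 65535:
            errors.append(f"tunnel {i}: local port {t.local_port} out of range")
        elif t.local_port < 1024:
            # Non-elevated access console cannot listen below 1024.
            errors.append(f"tunnel {i}: local port {t.local_port} is below 1024; "
                          f"pick a higher local port")
        key = (str(addr), t.local_port)
        if key in listeners:
            errors.append(f"tunnel {i}: {addr}:{t.local_port} is already used by another tunnel")
        listeners.add(key)
        if t.local_port != t.remote_port:
            warnings.append(f"tunnel {i}: local port {t.local_port} differs from remote port "
                            f"{t.remote_port}; the protocol must not depend on the port used")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: one clean pair, one privileged local port, one non-loopback
    # address, and a duplicated listener.
    sample = [
        TcpTunnel(remote_port=1433, local_port=1433),
        TcpTunnel(remote_port=443, local_port=443),
        TcpTunnel(remote_port=5432, local_address="10.0.0.5", local_port=15432),
        TcpTunnel(remote_port=22, local_address="127.0.0.2", local_port=2222),
        TcpTunnel(remote_port=22, local_address="127.0.0.2", local_port=2222),
    ]
    for line in validate_tunnels(sample)[0]:
        print("error:", line)
```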

Shell Jump

With Shell Jump, quickly connect to an SSH-enabled or Telnet-enabled network device to use the command line feature on that remote system. For example, run a standardized script across multiple systems to install a needed patch or troubleshoot a network issue. Administrators can enable command filtering to help prevent users from inadvertently using harmful commands on SSH-connected endpoints.

ℹ️

Note

You can use your own SSH tool for the SSH protocol. For more information, please see Change settings and preferences in the access console.

⚠️

Important

In order to use your own tool, you must enable Protocol Tunnel Jump in /login > Users & Security > Users > Access Permissions > Jump Technology > Protocol Tunnel Jump. This may need to be enabled by a group policy. You must also enable the appropriate external tools in /login > Jump > Jump Items > Jump Item Settings.

Create a Shell Jump shortcut

To create a Shell Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Shell Jump. Shell Jump shortcuts appear in the Jump interface, as well as Jump Clients and other types of Jump Item shortcuts.

ℹ️

Note

Shell Jump shortcuts are enabled only if their Jumpoint is configured for open or limited Shell Jump access.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Choose the Protocol to use, either SSH or Telnet.

Port automatically switches to the default port for the selected protocol but can be modified to fit your network settings.

Enter the Username to sign in as.

Select the Terminal Type, either xterm or VT100.

You can also select to Send Keep-Alive Packets to keep idle sessions from ending. Enter the number of seconds to wait between each packet send.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Use a Shell Jump shortcut

To use a Shell Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

If attempting to Shell Jump to an SSH device without a cached host key, you receive an alert that the server's host key is not cached and that there is no guarantee that the server is the computer you think it is.

If you choose Save Key and Connect, then the key is cached on the Jumpoint's host system so that future attempts to Shell Jump to this system do not result in this prompt. Connect Only starts the session without caching the key, and Abort ends the Shell Jump session.

When you Shell Jump to a remote device, you can click the Open SSH Client button to open a new terminal and start the SSH tunnel. You also see details about the connection.

If you Shell Jump to a provisioned SSH device with an unencrypted key or with an encrypted key whose password has been cached, you are not prompted for a password. Otherwise, you are required to enter a password. If you Shell Jump to an SSH device with keyboard interactive MFA enabled, there is a secondary prompt for input.

If the rep console setting Automatically add session aliases to SSH Config (when possible) is configured, you can copy the POSIX command and paste it into your command line interface. Otherwise, you will need to construct the POSIX command using the provided details. You are now connected via SSH to the remote system, and you can send it commands.

Administrators can configure command filtering on Shell Jump Items to block some commands and allow others in an effort to prevent the user from inadvertently using a command that may cause undesirable results. In the event a user attempts to use a command that matches an expression that is not allowed, they receive a prompt and are not allowed to execute the command.

ℹ️

Note

BeyondTrust's command filter uses extended regular expressions, which are not to be confused with egrep. For more information, please see Regular expressions (C++).

Configure shell prompt filtering:

  1. Log into the /login interface as a user with permissions to configure Jump Items and session policies.
  2. Browse to Jump > Jump Items and scroll down to the Shell Jump Filtering section.
  3. In the Recognized Shell Prompts text box, enter regexes to match the command shell prompts found on your endpoint systems, one per line.

ℹ️

Note

Line breaks, or newlines, are not allowed within the command prompt patterns entered. If an endpoint system uses a multi-line prompt, enter an expression that matches only the final line of the prompt in the text box.

  4. Click Save.

ℹ️

Note

Once you have entered the regexes you wish to use, you can test a shell prompt to determine if it matches any of the regexes in the list. This allows you to test your regexes without starting a session. Enter the expression in the Shell Prompt text box and click the Check button. A notice displays whether or not the shell prompt you entered matches one of the regexes in the list.

Configure command filtering:

  1. Browse to Users & Security > Session Policies and either create a new policy or edit an existing one.

ℹ️

Note

You can also configure this for users and/or group policies.

  2. Locate the Command Shell settings in the Permissions section.
  3. Because you will use command filtering with Shell Jump Items, select the Allow radio button to allow the use of the command shell.
  4. Choose from Allow all commands, Allow the command patterns below, or Deny the command patterns below and specify in the text box which regex patterns you wish to allow or block.

ℹ️

Note

Once you have entered the command patterns you wish to allow or block, you can test commands in the Command Tester text box. A notice displays whether or not the command entered would be allowed to run on the remote system based on the regexes specified in the list.

The two possible messages are:

  • "The entered command shall be allowed based on your selections."
  • "The entered command shall not be allowed based on your selections."
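The shell prompt check and the three command filter modes described above, modelled in C++ as an added illustration (this is not BeyondTrust's own code). It uses std::regex with the ECMAScript grammar that the C++ reference linked earlier documents; whole-string matching of each pattern is an assumption, as the page does not state how the product anchors patterns, and all pattern lists are constructed samples.

```cpp
#include <regex>
#include <string>
#include <vector>

// The three Command Shell choices on the session policy page.
enum class CommandFilterMode { AllowAll, AllowPatterns, DenyPatterns };

// True when any pattern matches the whole text. std::regex defaults to the
// ECMAScript grammar. Whole-match anchoring is an assumption: the page does
// not say how the product anchors its patterns. An invalid pattern throws
// std::regex_error instead of being skipped, so a typo cannot fail open.
static bool matches_any(const std::string& text,
                        const std::vector<std::string>& patterns) {
    for (const auto& p : patterns) {
        if (std::regex_match(text, std::regex(p, std::regex::ECMAScript)))
            return true;
    }
    return false;
}

// Prompt check: newlines are not allowed in prompt patterns, so only the
// final line of a (possibly multi-line) prompt is compared.
bool prompt_recognized(const std::string& prompt,
                       const std::vector<std::string>& prompt_patterns) {
    const auto nl = prompt.find_last_of('\n');
    const std::string last_line =
        nl == std::string::npos ? prompt : prompt.substr(nl + 1);
    return matches_any(last_line, prompt_patterns);
}

// Command check: AllowAll ignores the list, AllowPatterns permits only
// matching commands, DenyPatterns blocks matching commands.
bool command_allowed(const std::string& command, CommandFilterMode mode,
                     const std::vector<std::string>& patterns) {
    switch (mode) {
    case CommandFilterMode::AllowAll:      return true;
    case CommandFilterMode::AllowPatterns: return matches_any(command, patterns);
    case CommandFilterMode::DenyPatterns:  return !matches_any(command, patterns);
    }
    return false;
}
// The two messages the Command Tester can display.
std::string command_tester_message(const std::string& command, CommandFilterMode mode,
                                   const std::vector<std::string>& patterns) {
    return command_allowed(command, mode, patterns)
        ? "The entered command shall be allowed based on your selections."
        : "The entered command shall not be allowed based on your selections.";
}
```

Note that with whole-string matching a deny pattern such as rm (without a trailing .*) blocks only the bare word, which is the kind of gap the Command Tester is there to catch before a policy goes live.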

Use credential injection with SUDO on a Linux endpoint

To use credential injection with SUDO, an administrator must configure one or more functional accounts on each Linux endpoint to be accessed via Shell Jump. As the process for configuring the sudoers file is complex and varies by platform, please refer to your platform's documentation for details on completing this process. Each functional account must:

  • Allow authenticating via SSH (password or SSH key).
  • Have the account credentials stored in the Endpoint Credential Manager (ECM).
  • Have one or more entries in /etc/sudoers granting the functional account access to one or more commands to be executed as root without requiring a password (NOPASSWD).

An administrator must create a Shell Jump Item for the endpoint.

Next, an administrator must configure the ECM and/or password vault to grant users access to the appropriate functional accounts for that Jump Item.

When a user Jumps to the Shell Jump Item, they can choose from the list of functional accounts available for that endpoint. Each functional account has its own set of commands that can be executed using SUDO, as configured by the administrator on the endpoint. The credentials for the account are passed from the ECM to the endpoint.

ℹ️

Note

Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

ℹ️

Note

For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.

Web Jump

With the proliferation of infrastructure components that have moved to web-based interfaces for configuration, IT administrators are faced with an increasingly complex security management situation. With privileged access to web-based resources, it is a challenge to control, audit, and enforce proper authentication without negatively affecting business productivity. IT administrators need a way to effectively control and audit resources managed via web interfaces, including:

  • Externally hosted Infrastructure as a Service (IaaS) servers such as Amazon AWS, Microsoft Azure, IBM SoftLayer, and Rackspace
  • Internally hosted servers managed by hypervisor software such as VMware vSphere, Citrix XenServer, and Microsoft Hyper-V
  • Modern core network infrastructure that leverages web-based configuration interfaces

The identity and access management capabilities vary significantly between IaaS, hypervisor providers, and core infrastructure systems, and many do not offer native multifactor authentication support, thereby missing that additional layer of security. These inconsistencies across systems create opportunities for business vulnerabilities, such as misuse of accounts and access, leading to leaks of sensitive data. BeyondTrust Web Jump is the extra layer of security for authenticating to these systems.

⚠️

Important

Web Jump does not support Flash. Be sure to consult your hypervisor documentation and update it to a version that supports HTML5.

ℹ️

Note

The Web Jump Item is an add-on for Privileged Remote Access, and requires additional purchase.

Create a Web Jump shortcut

ℹ️

Note

Before creating Web Jump shortcuts, ensure that your user account has the ability to access Web Jumps. This permission is set on your user account in the /login interface under Access Permissions > Jump Technology.

To create a Web Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Web Jump. Web Jump shortcuts appear in the Jump interface with Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the Windows or Linux Jumpoint that hosts the computer you wish to access.

ℹ️

Note

Copy/Paste functionality is not supported for Linux Jumpoints.

Type the URL for the web site you wish to access.

Check Verify Certificate if you want the site certificate to be validated before the connection is made. If this box is checked and issues are found with the certificate, the session does not start.

⚠️

Important

You should uncheck Verify Certificate only if you are Jumping to a site that you trust but that uses a self-signed certificate.

If you want to use credential injection, first select the Username Format:

  • Default: This is the default value for new and existing Web Jump Items. The username is not modified before injection into the web page and is used in the stored format. For the Endpoint Credential Manager (ECM), the credential may be in either UPN or DLLN format. For Vault, the username is always in UPN format.
  • Username Only: Independently of the format stored in either Vault or ECM (username@domain or domain\username), the domain is removed and only the username is used.

Under Login Form Detection, the recommended practice is to leave the three fields empty, and allow the system to auto-detect and use the information already stored for login. If auto-detection fails, the injection fails and a message states that the Username Field, Password Field, and/or Submit Button could not be found.

If entering the names of the input elements, enter the HTML id, HTML name, or CSS selector for each element on the login page.

Example

This shows HTML ids with input fields and a submit button, as they might appear on the code view of a login page. The HTML ids here are user, pwd, and button.

<form action="/action_page.php">
Username: <input type="text" id="user"><br>
Password: <input type="password" id="pwd"><br>
<input type="submit" value="Submit" id="button">
</form>

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

ℹ️

Note

For more information about identifying HTML form fields, please see online resources such as this page explaining the use of CSS selectors.

Use a Web Jump shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

Once a connection is made to the web site, click the screen sharing button. The web site's login interface becomes available.

ℹ️

Note

If you want to open a new tab in Windows or Linux, hold down the CTRL key and click the mouse button. For iOS, hold down the Command key and click the mouse button.

ℹ️

Note

You can copy and paste text to and from the website by using the copy/paste controls of your operating system.

Upload and download files using a Web Jump shortcut

If you click a link to download a file from the web site, a prompt appears in your chat window asking you to accept or decline the download. If you accept, a window opens on your computer allowing you to choose a download location.

Uploading files to the web site works similarly, opening a window to allow you to choose which file to upload.

ℹ️

Note

The privileged web access console does not support uploading or downloading files to or from a web page via a Web Jump. File upload to, or download from, a web page via Web Jump is supported only by the desktop access console.

Use credential injection

⚠️

Important

Credential injection is not supported for non-secure sites (non-HTTPS).

ℹ️

Note

This feature is not supported for ARM-based Windows systems.

When BeyondTrust PRA is integrated with a password vault system, credential injection lets you access your web site accounts seamlessly, without viewing the login screen or entering any credentials.

ℹ️

Note

Web Jump supports multi-step authentication, in which the username and password are not requested on the same browser page. Web Jump also supports scenarios in which a user connects to an unauthenticated portion of a website, but then attempts to enter an area using basic authentication. Furthermore, Web Jump supports sites that contain CAPTCHAs, by allowing the users to complete the CAPTCHA without ending the credential injection process. Once interaction with a CAPTCHA is complete, the user clicks the key icon in the access console to complete credential injection.

ℹ️

Note

For seamless credential injection on a VMware console, some configuration is required.

  1. Go to the computer hosting the Jumpoint.
  2. Download and install the VMware Client Integration Plugin.
  3. Using admin permissions, open Windows services (services.msc) on the Jumpoint host.
  4. Right-click the BeyondTrust Jumpoint and select Properties.
  5. On the Log On tab under Local System account, check Allow service to interact with desktop.
  6. Click OK.
  7. On the user's local system, on which the access console is installed, start a Web Jump with the VMware URL specified above.
  8. Select Use Windows Credentials.
  9. This causes a prompt on the Jumpoint host system to allow services to interact with an external program. Give the service permission.
  10. A VMware credential injection prompt is displayed. Uncheck the box asking if you want the prompt to be displayed whenever the program is called. Click Accept.
  11. You can now start Web Jumps to the VMware console using Windows credentials without a prompt.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.