Use Jump shortcuts

Once a Jumpoint has been installed on a remote network, permitted users can use the Jumpoint to initiate sessions with Windows and Linux computers on that same network, even if those computers are unattended. Additionally, a permitted user can Jump to computers on the same network segment as their local system, even without a Jumpoint.

Through a Jumpoint, Jump shortcuts can be created to:

Start a standard access session.
Start a Remote Desktop Protocol session with Windows or Linux systems.
Jump to a web site on a remote browser.
Connect to a VNC server.
Make a TCP connection through a Protocol Tunnel Jump.
Shell Jump to an SSH-enabled or Telnet-enabled network device.

You can organize and manage existing Jump Shortcuts by selecting one or more and clicking Properties.

When creating a large number of Jump shortcuts, it may be easier to import them via a spreadsheet than to add them one by one in the access console.From the dropdown in the Jump Shortcuts Mass Import Wizard section of the /login interface, select the type of Jump Item you wish to add, and then click Download Template. Using the text in the CSV template as column headers, add the information for each Jump shortcut you wish to import. If any required fields are missing, import fails. Optional fields can be filled in or left blank.

Once you have completed filling out the template, use Import Jump Shortcuts to upload the CSV file containing the Jump Item information. The maximum file size allowed to be uploaded at one time is 5 MB. Only one type of Jump Item can be included in each CSV file. The CSV file should use the format described in the tables below.

If a Jump Policy is applied to the Jump Item, that policy affects how and/or when a Jump Item may be accessed.

Authorization

If a Jump Policy requires authorization before the Jump can be performed, a dialog opens. In the dialog, enter the reason you need to access this Jump Item. Then enter the date and time at which you wish authorization to begin, as well as how long you require access to the Jump Item. Both the request reason and the request time are visible to the approver and help them decide whether to approve or deny access.

When you click OK, an email is sent to the addresses defined as approvers for this policy. This email contains a URL where an approver can see the request, add comments, and either approve or deny the request.

If a request was approved by one person, a second can access the URL to override approval and deny the request. If a request was denied, then any other approvers accessing the site can see the details but cannot override the denied status. If a user has already joined an approved session, that access cannot be denied. Although other approvers can see the email address of the person who approved or denied the request, the requestor cannot.Based on the Jump Policy settings, an approved request grants access either to any user who can see and request access to that Jump Client or only to the user who requested access.

In the Jump interface, the Jump Item's details pane displays the status of any authorization requests as either pending, approved, approved only for a different user, or denied. When an approver responds to a request, a pop-up notification appears on the requestor's screen alerting them that access has been either approved or denied. If the requestor has a configured email address, an email notification is also sent to the requestor.

When a user Jumps to a Jump Item which has been approved for access, a notification alerts the user to any comments left by the approver.

When approval has been granted to a Jump Item, that Jump Item becomes available either to any user who can see and request access to that Jump Item or only to the user who requested access. This is determined by the Jump Policy.

ℹ️
Note
While multiple requests may be sent for different times, the requested access times cannot overlap. If a request is denied, then a second request may be sent for the same time.

Revoke an access approval request

Permission to revoke approved access requests is controlled by Jump Policy. Any user who can approve requests on the Jump Policy can cancel requests, subject to the approval type. In the /login web management interface, go to Jump > Jump Policies. Under Jump Approval you have two options:

Anyone Permitted to Request
Requestor Only

If the Jump Policy is set to requestor Only, and an Access Request is presently approved for User A, User B is asked to create a new Access Request if they attempt to Jump to the Jump Item, since that request does not apply to them. Additionally, if User B attempts to cancel the Access Approval Request, the option is grayed out. The only user who can cancel the approved request is User A, because they are the approved user for the request.

However, if the Jump Policy is set to Anyone Permitted to Request, and an Access Request is presently approved for User A, User B is allowed to start a new session with the Jump Item if they attempt to Jump to it. In addition, anyone with permission to access the Jump Item is allowed to cancel / revoke the request.

Local Jump shortcut

Field	Description
Hostname	The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters.
Name	The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
Jump Group	The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items.
Tag (optional)	You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters.
Comments (optional)	You can add comments to your Jump Items. This string has a maximum of 1024 characters.
Jump Policy (optional)	The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.
Session Policy (optional)	The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item.
Endpoint Agreement Policy (optional)	The value accept automatically accepts the endpoint agreement if it times out and allows the session the start. The value reject automatically rejects the endpoint agreement and stops the session from starting. The value no_prompt does not show an endpoint agreement even if the feature is configured. This field has no effect if the global endpoint agreement is not enabled.

Remote Jump shortcut

Field	Description
Hostname	The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters.
Jumpoint	The code name of the Jumpoint through which the endpoint is accessed.
Name	The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
Jump Group	The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items.
Tag (optional)	You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters.
Comments (optional)	You can add comments to your Jump Items. This string has a maximum of 1024 characters.
Jump Policy (optional)	The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.
Session Policy (optional)	The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item.
Endpoint Agreement Policy (optional)	The value accept automatically accepts the endpoint agreement if it times out and allows the session the start. The value reject automatically rejects the endpoint agreement and stops the session from starting. The value no_prompt does not show an endpoint agreement even if the feature is configured. This field has no effect if the global endpoint agreement is not enabled.

Remote VNC Jump shortcut

Field	Description
Hostname	The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters.
Jumpoint	The code name of the Jumpoint through which the endpoint is accessed.
Port (optional)	A valid port number from 100 to 65535. Defaults to 5900.
Name	The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
Jump Group	The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items.
Tag (optional)	You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters.
Comments (optional)	You can add comments to your Jump Items. This string has a maximum of 1024 characters.
Jump Policy (optional)	The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.
Session Policy (optional)	The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item.

Remote RDP Jump shortcut

Field	Description
Hostname	The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters.
Jumpoint	The code name of the Jumpoint through which the endpoint is accessed.
Username (optional)	The username to sign in as.
Domain (optional)	The domain the endpoint is on.
Quality (optional)	The quality at which to view the remote system. Can be low (2-bit gray scale for the lowest bandwidth consumption), best_perf (default - 8-bit color for fast performance), perf_and_qual (16-bit for medium quality image and performance), best_qual (32-bit for the highest image resolution), or video_opt (VP9 codec for more fluid video). This cannot be changed during the remote desktop protocol (RDP) session.
Console Session	1: Starts a console session. 0: Starts a new session (default).
Ignore Untrusted Certificate (optional)	1: Ignores certificate warnings. 0: Shows a warning if the server's certificate cannot be verified.
SecureApp Type	The SecureApp launch method. Can be "none", "remote_app" (to use RDP's built-in RemoteApp functionality), "remote_desktop_agent" (to use BeyondTrust's Remote Desktop Agent), or "remote_desktop_agent_credentials" (to use BeyondTrust's Remote Desktop Agent with Credential Injection). If "remote_desktop_agent" or "remote_desktop_agent_credentials" are chosen then the BeyondTrust Remote Desktop Agent must be installed on the remote system.>
RemoteApp Name	The RemoteApp program name. This string has a maximum of 520 characters.
RemoteApp Parameters	A space-separated list of parameters to pass to the RemoteApp. Parameters with spaces can be quoted using double-quotes. This string has a maximum of 16000 characters.
Remote Executable Parameters	A space-separated list of parameters to pass to the remote executable that will be launched using the BeyondTrust Remote Desktop Agent. Parameters with spaces can be quoted using double-quotes. This can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent.
Remote Executable Parameters	A space-separated list of parameters to pass to the remote executable that will be launched using the BeyondTrust Remote Desktop Agent. Parameters with spaces can be quoted using double-quotes. This can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent.
Target System	The name of the target system being accessed by the remote application. This value is used to limit the list of injected credentials to only those that are valid on the target system. This value can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent with Credential injection.
Credential Type	The type of credentials that will be injected into the remote executable. This value will depend on the password vault from which credentials are retrieved. This value can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent with Credential injection.
Name	The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
Jump Group	The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items.
Tag (optional)	You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters.
Comments (optional)	You can add comments to your Jump Items. This string has a maximum of 1024 characters.
Jump Policy (optional)	The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.
Session Policy (optional)	The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item.

Shell Jump shortcut

Field	Description
Hostname	The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters.
Jumpoint	The code name of the Jumpoint through which the endpoint is accessed.
Username (optional)	The username to sign in as.
Protocol	Can be either ssh or telnet.
Port (optional)	A valid port number from 1 to 65535. Defaults to 22 if the protocol is ssh or 23 if the protocol is telnet.
Terminal Type (optional)	Can be either xterm (default) or VT100.
Keep-Alive (optional)	The number of seconds between each packet sent to keep an idle session from ending. Can be any number from 0 to 300. 0 disables keep-alive (default).
Name	The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
Jump Group	The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items.
Tag (optional)	You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters.
Comments (optional)	You can add comments to your Jump Items. This string has a maximum of 1024 characters.
Jump Policy (optional)	The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.
Session Policy (optional)	The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item.

Protocol Tunnel Jump shortcut

Field	Description
Protocol Tunnel Hostname	The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters.
Jumpoint	The code name of the Jumpoint through which the endpoint is accessed.
Local Address (optional)	The address from which the connection should be made. This can be any address within the 127.x.x.x subrange. The default address is 127.0.0.1.
Tunnel Type	The type of tunnel: TCP, MySQL, PostgreSQL, SQL Server, Kubernetes Cluster, or Network (if enabled).
TCP Tunnels (for TCP Tunnel)	The list of one or more tunnel definitions. A tunnel definition is a mapping of a TCP port on the local user's system to a TCP port on the remote endpoint. Any connection made to the local port causes a connection to be made to the remote port, allowing data to be tunnelled between local and remote systems. Multiple mappings should be separated by a semicolon. auto->22;3306->3306 In the example above, a randomly assigned local port maps to remote port 22, and local port 3306 maps to remote port 3306.
Username and Database (for MySQL Server Tunnel, PostgreSQL Server Tunnel, and SQL Server Tunnel)	The username and database. Authentication is supported using Windows authentication and SQL login.
URL and CA Certificates (for Kubenetes Cluster Tunnel)	The base URL for the Kubernetes cluster. The maximum length is 256 characters. For the certificates, a PEM-formatted certificate or chain of certificates used to validate the cluster URL. The maximum length is 12,288 characters.
Filter Rules (for Network Tunnel)	The IP address can be a list of addresses separated by commas or a range of addresses separated by a dash, or it can be specified using CIDR notation. You cannot use multiple simultaneous methods to enter IP addresses. Only IPv4 is supported. Protocol is optional. For information on protocols, see IANA Protocol Numbers. Port is optional, and may not be applicable, depending on the protocol. The port can be a list of ports, or a range, but not both.
Name	The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
Jump Group	The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items.
Tag (optional)	You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters.
Comments (optional)	You can add comments to your Jump Items. This string has a maximum of 1024 characters.
Jump Policy (optional)	The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.
Session Policy (optional)	The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item.

Web Jump shortcut

Field	Description
Name	The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
Jumpoint	The code name of the Jumpoint through which the endpoint is accessed.
Jump Group	The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items.
Tag (optional)	You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters.
Comments (optional)	You can add comments to your Jump Items. This string has a maximum of 1024 characters.
Jump Policy (optional)	The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.
Session Policy (optional)	The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item.
URL	The URL of the web site. The URL must begin with either http or https.
Verify Certificate (optional)	1: The site certificate is validated before the session starts; if issues are found, the session will not start. 0: The site certificate is not validated.
Username Format	passthru: Pass the username through directly from the credential provider. username_only: If the username is in UPN (Username@Domain) or DLLN (DOMAIN\Username) format then the domain is removed. Only the username is injected.
Username Field Hint	A CSS style query selector that identifies the username field to help with the initial credential injection. If this value is provided and a matching element is not found, then the credential injection will fail.
Password Field Hint	A CSS style query selector that identifies the password field to help with the initial credential injection. If this value is provided and a matching element is not found, then the credential injection will fail.
Submit Button Hint	A CSS style query selector that identifies the submit button to help with the initial credential injection. If this value is provided and a matching element is not found, then the credential injection will fail.
Auth Timeout	The length of time the Web Jump Client should wait for authentication to succeed before timing out. Valid values are 1, 2, 3, 5, 10, 15, 30

Local Jump shortcuts

Local Jump enables a privileged user to connect to an unattended remote computer on their local network. Within the local area network, the BeyondTrust user's computer can initiate a session to a Windows system directly without using a Jumpoint, if appropriate user permissions are enabled. A Jumpoint is needed only when the BeyondTrust user's computer cannot access the target computer directly.

ℹ️
Note
Local Jump is only available for Windows systems. Jump Clients are needed for remote access to Mac computers. To Jump to a Windows computer without a Jump Client, that computer must have Remote Registry Service enabled (disabled by default in Vista) and must be on a domain.

Create a Local Jump shortcut

To create a Local Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Local Jump. Local Jump shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

Enter the Hostname / IP of the system you wish to access.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Choose an Endpoint Agreement to assign to this Jump Item. Depending on what is selected, an endpoint agreement is displayed. If there is no response, the agreement is automatically accepted or rejected.

Use a Local Jump shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

A dialog box opens for you to enter administrative credentials to the remote computer in order to complete the Jump. The administrative rights must be either a local administrator on the remote system or a domain administrator.

The client files are pushed to the remote system, and a session attempts to start.

ℹ️
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

Remote Jump shortcuts

Remote Jump enables a privileged user to connect to an unattended remote computer on a network outside of their own network. Remote Jump depends on a Jumpoint.

A Jumpoint acts as a conduit for unattended access to Windows and Linux computers on a known remote network. A single Jumpoint installed on a computer within a local area network is used to access multiple systems, eliminating the need to pre-install software on every computer you may need to access.

ℹ️
Note
Jumpoint is available for Windows and Linux systems. Jump Clients are needed for remote access to Mac computers. To Jump to a Windows computer without a Jump Client, that computer must have Remote Registry Service enabled (disabled by default in Vista) and must be on a domain. You cannot Jump to a mobile device, though Jump Technology is available from mobile BeyondTrust consoles.

Create a Remote Jump shortcut

To create a Remote Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Remote Jump. Remote Jump shortcuts appear in the Jump interface, as well as Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Use a Remote Jump shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

The client files are pushed to the remote system, and a session attempts to start.

ℹ️
Note
Because a Remote Jump attempts to connect directly back through the appliance, the end machine must be able to communicate with the appliance as well. If this is not the case, you can use the Jump Zone Proxy feature to proxy the traffic through the Jumpoint.

ℹ️
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

RDP shortcuts

Use BeyondTrust to start a Remote Desktop Protocol (RDP) session with remote Windows and Linux systems. Because RDP sessions are proxied through a Jumpoint and converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site. To use RDP through BeyondTrust, you must have access to a Jumpoint and must have the user account permission Allowed Jump Methods: RDP via a Jumpoint.

Create an RDP shortcut

To create a Microsoft Remote Desktop Protocol shortcut, click the Create button in the Jump interface. From the dropdown, select Remote RDP. RDP shortcuts appear in the Jump interface with Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

ℹ️
Note
By default, the RDP server listens on port 3389, which is therefore the default port BeyondTrust attempts. If the remote RDP server is configured to use a different port, add it after the hostname or IP address in the form of <hostname>:<port> or <ipaddress>:<port> (for example, 10.10.24.127:40000).

Provide the Username to sign in as, along with the Domain.

Select the Quality at which to view the remote screen. This cannot be changed during the remote desktop protocol (RDP) session. Select the color optimization mode to view the remote screen. If you are going to be primarily sharing video, select Video Optimized; otherwise, select Black and White (uses less bandwidth), Few Colors, More Colors, or Full Color (uses more bandwidth). Both Video Optimized and Full Color modes allow you to view the actual desktop wallpaper.

To start a console session rather than a new session, check the Console Session box.

If the server's certificate cannot be verified, you receive a certificate warning. Checking Ignore Untrusted Certificate allows you to connect to the remote system without seeing this message.

ℹ️
Note
When RemoteApp or BeyondTrust Remote Desktop Agent is selected in the SecureApp section, the Console Session checkbox is unchecked. Remote applications cannot run in a console session on a RDP server.

To get more detailed information on the RDP session, check Session Forensics. For this feature to work, you must select an RDP Service Account for the Jumpoint being used. When checking this setting, the following reminder displays:

Enabling this feature requires the RDP server to be configured to receive the monitoring agent and an RDP Service Account to be configured with this Jumpoint. If these requirements are not met, all attempts to start a session will fail.

ℹ️
Note
The RDP Service Account requires privileges which provide remote file system access with write permissions and access to remotely create and control services to support the forensic monitoring activities. This is achieved by interacting with the default admin$ share on the Windows host being accessed, which requires that the RDP Service Account hold local administrator rights on that host. Either Active Directory or Entra ID accounts may be used (local accounts are not supported), with the delegation of the local administrator rights for those accounts configured using the customers available management systems and tools.

When Session Forensics is checked, the following additional details are logged:

Focused window changed event
Mouse click event
Menu opened event
New window opened event

To start a session with a remote application, configure the SecureApp section. The following dropdown options are available:

None: When accessing a Remote RDP Jump Item, no application is launched.
RemoteApp:The user can configure an application profile or command argument, which executes and opens an application on a remote server. To configure, select the RemoteApp option and enter the following information:
- Remote App Name: Enter the name of the application you wish to connect to.
- Remote App Parameters: Enter the profile details or command line arguments needed to open the application.
BeyondTrust Remote Desktop Agent: This option facilitates passing parameters through an agent in order to launch applications on a remote host. To configure, select the BeyondTrust Remote Desktop Agent option and enter the following information:
Executable Path: Enter the path of the application the agent will connect to.
Parameters: Enter any parameters that you could normally type from a command line when launching the app on the remote system.

Inject credentials

The option to Inject Credentials is made available when the BeyondTrust Remote Desktop Agent type is selected. This option facilitates passing parameters as well as credentials through an agent in order to launch applications on a remote host. The first set of credentials is in the Jump definition. These are the credentials for the user account you'll use to log into the remote system. There is a secondary prompt for additional credentials, either manually provided or from a password vault. These secondary credentials are made available to the command line you define through the %USERNAME% and %PASSWORD% macros (additional macros shown below). This allows you to pass additional credentials to the application you are launching (e.g., SQL Server Management Studio). To configure, select the BeyondTrust Remote Desktop Agent: option and enter the following information:

Enter the Executable Path and Parameters as described above.
Target System: Enter the name of the system running the application.
Credential Type: Enter the credential type as defined by the credential management system (e.g., SQL).

Macro Name	Result
%USERNAME%	username
%USERPRINCIPLENAME%	username@domain
%DOWNLEVELLOGONNAME%	domain\username
%DOMAIN%	domain
%PASSWORD%	password
%PASSWORDRAW%	password (without any attempt to escape special characters)
%TARGETSYSTEM%	supplied target system value; in the case of SQL Server, this would be the SQL Server name.
%APPLICATIONNAME%	optional application name; in the case of SQL Server, this can be hard-coded to "SQL Server" or something similar.

ℹ️
Note
The BeyondTrust Remote Desktop Agent option requires a BeyondTrust Remote Desktop Agent to be preconfigured on the target system. This agent can be downloaded from the My Account page in the /login interface. It is neither version nor site-specific, and thus the same agent can be used for as many applications as the admin wishes to support. Once the agent is installed, you can then use BeyondTrust to create RDP Jump Items that are configured to use the BeyondTrust Remote Desktop Agent option to launch any application installed on the remote system.

ℹ️
Note
RemoteApp relies on publishing applications using Microsoft RDS RemoteApps. Please refer to the Microsoft documentation for publishing applications.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

ℹ️
Note
For more information about contained database users, please see Contained Database Users - Making Your Database Portable.

Use an RDP shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

You are prompted to enter the password for the username you specified earlier.

Your RDP session now begins.

ℹ️
Note
When starting an RDP session, the RDP keyboard automatically matches the language you have set in the access console. This functionality is available for Windows-based access consoles only.

Begin screen sharing to view the remote desktop. You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, share clipboard contents, use Alt and Shift commands, and perform key injection. You also can share the RDP session with other logged-in BeyondTrust users, following the normal rules of your user account settings.

ℹ️
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Start New Session, then a new independent session starts for each user who Jumps to a specific RDP Jump Item. The RDP configuration on the endpoint controls any further behavior regarding simultaneous RDP connections.

VNC shortcuts

Use BeyondTrust to start a VNC session with a remote Windows or Linux system. Because VNC sessions are proxied through a Jumpoint and converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site. To use VNC through BeyondTrust, you must have access to a Jumpoint and have the user account permission Allowed Jump Methods: Remote VNC via a Jumpoint.

Create a VNC shortcut

To create a VNC shortcut, click the Create button in the Jump interface. From the dropdown, select Remote VNC. VNC shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

ℹ️
Note
By default, the VNC server listens on port 5900, which is, therefore, the default port BeyondTrust attempts. If the remote VNC server is configured to use a different port, add it after the hostname or IP address in the form of <hostname>:<port> or <ipaddress>:<port> (e.g., 10.10.24.127:40000).

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Use a VNC shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

When establishing the connection to the VNC server, the system prompts you to enter the user name and password.

Your VNC session now begins. Begin screen sharing to view the remote desktop. You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, and share clipboard text contents. You also can share, transfer or record the VNC session, following the normal rules of your user account settings.

ℹ️
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

Shell Jump shortcuts

With Shell Jump, quickly connect to an SSH-enabled or Telnet-enabled network device to use the command line feature on that remote system. For example, run a standardized script across multiple systems to install a needed patch or troubleshoot a network issue. Administrators can enable command filtering to help prevent users from inadvertently using harmful commands on SSH-connected endpoints.

Create a Shell Jump shortcut

To create a Shell Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Shell Jump. Shell Jump shortcuts appear in the Jump interface, as well as Jump Clients and other types of Jump Item shortcuts.

ℹ️
Note
Shell Jump shortcuts are enabled only if their Jumpoint is configured for open or limited Shell Jump access.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Choose the Protocol to use, either SSH or Telnet.

Port automatically switches to the default port for the selected protocol but can be modified to fit your network settings.

Enter the Username to sign in as.

Select the Terminal Type, either xterm or VT100.

You can also select to Send Keep-Alive Packets to keep idle sessions from ending. Enter the number of seconds to wait between each packet send.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Use a Shell Jump shortcut

To use a Shell Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

If attempting to Shell Jump to an SSH device without a cached host key, you receive an alert that the server's host key is not cached and that there is no guarantee that the server is the computer you think it is.

If you choose Save Key and Connect, then the key is cached on the Jumpoint's host system so that future attempts to Shell Jump to this system do not result in this prompt. Connect Only starts the session without caching the key, and Abort ends the Shell Jump session.

When you Shell Jump to a remote device, you can click the Open SSH Client button to open a new terminal and start the SSH tunnel. You also see details about the connection.

If you Shell Jump to a provisioned SSH device with an unencrypted key or with an encrypted key whose password has been cached, you are not prompted for a password. Otherwise, you are required to enter a password. If you Shell Jump to an SSH device with keyboard interactive MFA enabled, there is a secondary prompt for input.

If the rep console setting Automatically add session aliases to SSH Config (when possible) is configured, you can copy the POSIX command and paste it into your command line interface. Otherwise, you will need to construct the POSIX command using the provided details. You are now connected via SSH to the remote system, and you can send it commands.

Administrators can configure command filtering on Shell Jump Items to block some commands and allow others in an effort to prevent the user from inadvertently using a command that may cause undesirable results. In the event a user attempts to use a command that matches an expression that is not allowed, they receive a prompt and are not allowed to execute the command.

ℹ️
Note
BeyondTrust's command filter uses egrep regular expressions. For more information, please see Regular expressions (C++).

Configure shell prompt filtering:

Log into the /login interface as a user with permissions to configure Jump Items and session policies.
Browse to Jump > Jump Items and scroll down to the Shell Jump Filtering section.
In the Recognized Shell Prompts text box, enter regexes to match the command shell prompts found on your endpoint systems, one per line.

ℹ️
Note
Line breaks, or newlines, are not allowed within the command prompt patterns entered. If an endpoint system uses a multi-line prompt, enter an expression that matches only the final line of the prompt in the text box.

Click Save.

ℹ️
Note
Once you have entered the regexes you wish to use, you can test a shell prompt to determine if it matches any of the regexes in the list. This allows you to test your regexes without starting a session. Enter the expression in the Shell Prompt text box and click the Check button. A notice displays whether or not the shell prompt you entered matches one of the regexes in the list.

Configure command filtering:

Browse to Users & Security > Session Policies and either create a new policy or edit an existing one.

ℹ️
Note
You can also configure this for users and/or group policies.

Locate the Command Shell settings in the Permissions section.
Because you will use command filtering with Shell Jump Items, select the Allow radio button to allow the use of the command shell.
Choose from Allow all commands, Allow the command patterns below, or Deny the command patterns below and specify in the text box which regex patterns you wish to allow or block.

ℹ️
Note
Once you have entered the command patterns you wish to allow or block, you can test commands in the Command Tester text box. A notice displays whether or not the command entered would be allowed to run on the remote system based on the regexes specified in the list.

The two possible messages are:

"The entered command shall be allowed based on your selections."
"The entered command shall not be allowed based on your selections."

Use credential injection with SUDO on a Linux endpoint

To use credential injection with SUDO, an administrator must configure one or more functional accounts on each Linux endpoint to be accessed via Shell Jump. As the process for configuring the sudoers file is complex and varies by platform, please refer to your platform's documentation for details on completing this process. Each functional account must:

Allow authenticating via SSH (password or SSH key).
Have the account credentials stored in the Endpoint Credential Manager (ECM).
Have one or more entries in /etc/sudoers granting the functional account access to one or more commands to be executed as root without requiring a password (NOPASSWD).

An administrator must create a Shell Jump Item for the endpoint.

Next, an administrator must configure the ECM and/or password vault to grant users access to the appropriate functional accounts for that Jump Item.

When a user Jumps to the Shell Jump Item, they can choose from the list of functional accounts available for that endpoint. Each functional account has its own set of commands that can be executed using SUDO, as configured by the administrator on the endpoint. The credentials for the account are passed from the ECM to the endpoint.

ℹ️
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

Protocol Tunnel Jump shortcuts

A Protocol Tunnel Jump establishes a connection between your system and an endpoint on a remote network, or in the case of a Network Tunnel, multiple endpoints. Because the connection occurs through a Jumpoint, the administrator can control which users have access, when they have access, and if the sessions are recorded.

Set up a Protocol Tunnel Jump Item

Create a Protocol Tunnel Jump shortcut

To create a Protocol Tunnel Jump Shortcut, click the Create button in the Jump Item tab of the access console. From the dropdown, under Protocol Tunnel Jump, select the desired type of Protocol Tunnel Jump:

TCP Tunnel: This tunnel connects a TCP port on your system to a TCP port on a remote system through the Jumpoint. You can configure a TCP Tunnel to define one or more local-TCP-port-to-remote-TCP-port relationships. Once the session is active, external tools can access the remote port by using your local port value.
MySQL Tunnel: This tunnel uses the MySQL Server protocol as a database proxy, enabling credential injection for users and improved auditing. Authentication is supported using Vault username and password. The MySQL Server must be configured to use caching_sha2_password authentication. You must have the MySQL client already installed on the machine running the access console.
PostgreSQL Tunnel: This tunnel uses the PostgreSQL Server protocol as a database proxy, enabling credential injection for users and improved auditing. Authentication is supported using Vault credentials or manually entered credentials. External tools can establish a connection to the remote PostgreSQL database using the local address provided in the PostgreSQL Tunnel tab in the access console.
SQL Server Tunnel: This tunnel uses the Microsoft SQL Server protocol as a database proxy, enabling credential injection for users and improved auditing. Authentication is supported using Windows authentication and SQL login.
Kubernetes Cluster Tunnel: This tunnel uses the open source Kubernetes system, also known as K8s, to manage connections. To use this tunnel, the Jumpoint must be hosted on a Linux system. The necessary configuration file is created in a local cache, and deleted when the session is closed. Users are able to natively use the kubectl command line tool over this tunnel and have all commands and traffic fully proxied, logged, and auditable.
Network Tunnel: This network layer tunnel enables port tunneling of any TCP and non-TCP protocol (e.g. UDP) traffic to a network. This tunnel is unique from other types because it enables you to establish sessions allowing one-to-one or one-to-many connectivity.

A Network Tunnel session is defined by one or more filter rules. Each rule specifies the IP address accessible in the remote network and can either allow any protocol or restrict it to a single one. For protocols supporting ports, each rule can further limit access to specific ports.

Protocol Tunnel Jump shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.

Create a TCP tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Specify a Local Address. The default address is 127.0.0.1. If you need to connect to multiple systems on the same remote port at the same time, you can enable that connection by changing each Protocol Tunnel Jump Shortcut's address to a different address within the 127.x.x.x subrange.

In Local Port, specify the port that will listen on the user's local system. If you leave this as automatic, the access console allocates a free port.

In Remote Port, specify the port to connect to on the remote system. This is dictated by the type of server you are connecting to.

You can define multiple pairs of TCP Tunnels as necessary for your setup. Added tunnels can be removed but not edited.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Create a MySQL tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Optionally, enter a Username. This is applied if Vault credentials are not used.

Enter the applicable Database. This is required if the PostreSQL server will not be able to infer the database name from the username used during authentication.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Create a PostgreSQL server tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Enter the applicable Username and Database.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Create a SQL server tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the Hostname / IP of the system you wish to access.

Enter the applicable Username and Database.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Create a Kubernetes cluster tunnel

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.

Enter the base URL for the Kubernetes cluster, beginning with https://

For the CA Certificates, copy and paste a PEM-formatted certificate or chain of certificates used to validate the cluster URL. When using a chain of certificates, the typical order is domain, intermediate, and root.

ℹ️
Note
You may be able to obtain your certificate with the following command: kubectl get configmap kube-root-ca.crt -o jsonpath="{['data']['ca\.crt']}"

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Use a Protocol Tunnel Jump shortcut

To use a Protocol Tunnel Jump shortcut to start a session, simply select the shortcut from the Jump interface and click the Jump button.

A session appears in your access console. Click the Protocol Tunneling button to establish the connection.

If screen recording is enabled, a prompt appears, informing you that your desktop will be recorded. Click OK to continue. If you click Cancel, the Protocol Tunnel will not be created.

If screen recording is enabled, an indicator appears at the top of your session screen.

The Current Tunnels section displays current connections and their statuses. You also can view brief Network Statistics.

You can now open a third-party client to perform tasks on the remote system. Use the port value appended to the local address to connect through the Jumpoint.

Use a TCP Tunnel

When you open a TCP tunnel, you can view details about all the connections set up for this Jump Item. Use the TCP Tunnel by pointing your client software to the corresponding local address and port. The client software will then be able to communicate to the remote system through the TCP Tunnel. Note that if you stop and restart the tunnel, the port will likely change.

Use a MySQL Tunnel

When you open a MySQL Tunnel, you can click the Open MySQL Client button to open a new terminal and start the MySQL client automatically in order to connect to the database. You must have the MySQL client already installed on the machine running the access console. Pressing the button launches the default database client tool. If multiple MySQL client tools are found, a drop-down appears to the right of the Open MySQL Client button, allowing you to select a specific tool. The selected tool becomes the new default.

This button is deactivated if the access console cannot find either mysql or mysqlsh in the list of paths to search as defined by the PATH environment variable. You also see details about the connection.

Copy the command and paste it into your command line interface. You are now connected to the MySQL instance on the remote endpoint.

ℹ️
Note
The credentials used to initiate the MySQL Tunnel are also used to authenticate as the user when connecting to the remote endpoint.

Use a PostgreSQL Tunnel

When you open a PostgreSQL Tunnel, you can click the Open PostgreSQL Client button to open a new terminal and start the PostgreSQL client automatically in order to connect to the database. Pressing the button launches the default database client tool. If multiple PostgreSQL client tools are found, a drop-down appears to the right of the Open PostgreSQL Client button, allowing you to select a specific tool. The selected tool becomes the new default.

This button is deactivated if the access console cannot find the pgAdmin tool or the psql client binary. You also can view details about the connection.

Copy the command and paste it into your command line interface. You are now connected to the PostgreSQL instance on the remote endpoint.

Use a SQL Server Tunnel

When you open a SQL Server Tunnel, you can click the Open SQL Client button to open a new terminal and start the SQL Server client automatically in order to connect to the database. Pressing the button launches the default database client tool. If multiple PostgreSQL client tools are found, a drop-down appears to the right of the Open SQL Client button, allowing you to select a specific tool. The selected tool becomes the new default.

This button is deactivated if the access console cannot find the correct tool. In Windows, this is azure-data-studio, Microsoft SQL Server Management Studio, or the sqlcmd utility. In Linux, this is the sqlcmd utility. You also can view details about the connection.

Copy the command and paste it into your command line interface. You are now connected to the SQL Server instance on the remote endpoint.

Use a Kubernetes Cluster Tunnel

Run your Kubernetes Cluster Tunnel Jump Item. Then, run kubectl or another Kubernetes-enabled tool of your choice. When the Jump Item starts, you will see an environment variable and a command line argument. Provide either of these to your Kubernetes tool to initiate the connection. You are now connected to the Kubernetes instance on the remote endpoint.

Stipulations for correct use

The Protocol Tunneling feature tunnels network traffic in a way that places some restrictions on how communication must occur between the user's system and the endpoint.

TCP, MySQL, PostgreSQL, and SQL Server tunnel requirements

All traffic must be TCP.
No more than 256 simultaneous connections can be handled.
All TCP connections must originate from the endpoint and must be accepted by the listening user's system. The application's protocol cannot require that the user's system make a separate connection back to the endpoint.
Any TCP connections that the endpoint is to make back to the user's system must be made over tunnels already defined within the Protocol Tunnel Jump Item properties.
Operating systems typically disallow non-elevated processes from listening on ports less than 1024. Therefore, the local port must generally be greater than 1024. The endpoint software connects to the server by connecting to the local port on which the access console (a non-elevated process) is listening.
The endpoint software cannot make connections to any system on the remote network other than the one specified in the Protocol Tunnel Jump Item properties.
The protocol must be agnostic toward the hostname that the endpoint used to connect to the server. Otherwise, other means must be made to satisfy the protocol's requirements, such as mapping a hostname to 127.0.0.1 in the hosts file or applying special configuration to the endpoint client.
If the tunnel definition has a local port that is different than the remote port (namely, when the local port must be greater than 1024 because the server's port is less than 1024), the protocol must be agnostic toward the port that the endpoint client used to connect to the server.
Any protocol which goes beyond the case of making a single TCP connection from the endpoint client to the user's system requires the administrator's understanding their specific protocol and the stipulations listed above.

Kubernetes tunnel requirements

No more than 256 simultaneous connections can be handled.
All connections must originate from the endpoint and must be accepted by the listening user's system. The application's protocol cannot require that the user's system make a separate connection back to the endpoint.
Kubernetes does not authenticate when the tunnel is initially established but instead each time a user runs a kubectl command.

Network Jump shortcuts

A network tunnel is a type of tunnel Jump, which makes a connection from your system to an endpoint on a remote network. Specifically, the network layer tunnel enables port tunneling of any TCP and non-TCP protocol (e.g. UDP) traffic to a network.

Because the connection occurs through a Jumpoint, the administrator can control which users have access, when they have access, and if the sessions are recorded.

Network Tunnel Jump shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.

ℹ️
Note
Network Tunnel Jump is an advanced feature and disabled by default. This feature can be activated, at no additional cost, by contacting your BeyondTrust representative.

Prerequisites

Once the feature is activated for your installation, ensure the following requirements are met to create and use Network Tunnel Jump shortcuts:

The Privileged Remote Access access console and Jumpoint are on Windows or Linux systems.
The Jumpoint is configured for the Protocol Tunnel Jump method on the /login > Jump > Jumpoint page.
DHCP must be enabled on the endpoint network. If DHCP is not available, IP Address scopes can be defined on the /login > Jump > Jumpoint page. Select and edit a Jumpoint to manage the IP addresses.
The Access Console Network Tunneling Service is installed on the user's machine. It can be installed via a software deployment tool or manually from the /login > Consoles & Downloads > Drivers page.

DHCP

DHCP is required for Network Tunnel sessions, either via an existing DHCP service on the remote network, or by configuring a reserved set of IP addresses that will be managed by the Jumpoint. If you have DHCP services running on the remote network, then no further configuration is needed.

If you do not have DHCP services running on the remote network, you can configure a pool of IPv4 address ranges on each Jumpoint, on the /login > Jump > Jumpoint page. Select and edit a Jumpoint to manage the IP addresses.

The pool of managed IP address ranges is used to assign an IP to every session started with this Network Tunnel Jump Item.

ℹ️
Note
Ensure that the provided pool of addresses are reserved from use by other systems on the remote network and that there are enough IPs provided to accommodate the number of simultaneous Network Tunnel sessions you expect to have with this remote network.

Create Protocol Tunnel Jump shortcut

Click the Create button in the Jump interface. From the dropdown, under Protocol Tunnel Jump, select Network Tunnel
Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
From the Jumpoint dropdown, select the network that hosts the com
puter you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.
Create a filter using the Filter Rules. You must create at least one filter, and the filter must specify at least one IP address.
- IP Address: Enter an IP address, a list of addresses separated by commas, or a range of addresses separate by a dash. You cannot enter a list and a range. CIDR notation can be used. Only IPv4 is supported.
- If desired, select a Protocol. Most commonly used protocols are listed first, in alphabetical order, followed by a full list of protocols in alphabetical order.
- If desired, and if applicable to a selected protocol, enter a port, a list of ports separated by a comma, or a range of ports.
- You can define multiple filters. From the list of added filters, filters can be removed but not edited.

ℹ️
Note
For information on protocols, see IANA Protocol Numbers.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.
Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.
Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.
To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.
Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Use network tunnels with TCP/UDP protocol filters

If configuring Network Tunnels specifically for filtering TCP traffic, you must account for the ephemeral port that TCP establishes during the connection process in the Network Tunnel filters you create. The TCP ephemeral port range is configurable at the operating system level, but its default varies by operating system. The recommended approach is to not configure any port range filters in combination with TCP protocol filters. As an alternative, you can specify a range of ports that the ephemeral port will most likely be established on (e.g. 1024-65535), in addition to the target TCP port.

If configuring Network Tunnels specifically for filtering UDP traffic, we also recommend not configuring any port range filters in combination unless absolutely necessary and the port ranges known. Some processes do not bind to specific UDP source ports, leaving this up to the operating system, making it difficult to predict which port ranges will be necessary to enable in the filter to allow UDP traffic as expected.

Use network tunnels with mapped network drives

Since network tunnels are creating generalized network access, you can even use them as the basis of adding mapped network drives in Windows and other environments. Here’s an example of steps to follow to add a mapped network drive in Windows that will connect over an active network tunnel session.

Create a network tunnel Jump Item pointing at the target Windows endpoint.
Ensure it has no port or protocol filters applied, except one protocol filter with ANY selected.
In Windows File Explorer, right-click Network (underneath This PC) and select Map network drive…’.
Enter the IP address of the target endpoint and target folder on that endpoint you want to add as a mapped drive.
You must check (enable) Reconnect at sign-in.
You must check (enable) Connect using different credentials if you need to use different credentials for the mapped drive than you use for logging into your local machine.
Supply the credentials required to access the target endpoint. These are either your Windows login credentials or another set that has been provided to you. You should only need to provide these one time.
The target endpoint and/or folder is now available as a mapped network drive any time that your Network Tunnel Jump Item session is active.

Web Jump shortcuts

With the proliferation of infrastructure components that have moved to web-based interfaces for configuration, IT administrators are faced with an increasingly complex security management situation. With privileged access to web-based resources, it is a challenge to control, audit, and enforce proper authentication without negatively affecting business productivity. IT administrators need a way to effectively control and audit resources managed via web interfaces, including:

Externally hosted Infrastructure as a Service (IaaS) servers such as Amazon AWS, Microsoft Azure, IBM SoftLayer, and Rackspace
Internally hosted servers managed by hypervisor software such as VMware vSphere, Citrix XenServer, and Microsoft Hyper-V
Modern core network infrastructure that leverages web-based configuration interfaces

The identity and access management capabilities vary significantly between IaaS, hypervisor providers, and core infrastructure systems, and many do not offer native multifactor authentication support, thereby missing that additional layer of security. These inconsistencies across systems create opportunities for business vulnerabilities, such as misuse of accounts and access, leading to leaks of sensitive data. BeyondTrust Web Jump is the extra layer of security for authenticating to these systems.

⚠️
Important
Web Jump does not support Flash. Be sure to consult your hypervisor documentation and update it to a version that supports HTML5.

ℹ️
Note
The Web Jump Item is an add-on for Privileged Remote Access, and requires additional purchase.

Create a Web Jump shortcut

ℹ️
Note
Before creating Web Jump shortcuts, ensure that your user account has the ability to access Web Jumps. This permission is set on your user account in the /login interface under Access Permissions > Jump Technology.

To create a Web Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Web Jump. Web Jump shortcuts appear in the Jump interface with Jump Clients and other types of Jump Item shortcuts.

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the Windows or Linux Jumpoint that hosts the computer you wish to access.

ℹ️
Note
Copy/Paste functionality is not supported for Linux Jumpoints.

Type the URL for the web site you wish to access.

Check Verify Certificate if you want the site certificate to be validated before the connection is made. If this box is checked and issues are found with the certificate, the session does not start.

⚠️
Important
You should uncheck Verify Certificate only if you are Jumping to a site that you trust but that uses a self-signed certificate.

If you want to use credential injection, first select the Username Format:

Default: This is the default value for new and existing Web Jump Items. The username is not modified before injection into the web page and is used in the stored format. For the Endpoint Credential Manager (ECM), the credential may be in either UPN or DLLN format. For Vault, the username is always in UPN format.
Username Only: Independently of the format stored in either Vault or ECM (username@domain or domain\username), the domain is removed and only the username is used.

Under Login Form Detection, the recommended practice is to leave the three fields empty, and allow the system to auto-detect and use the information already stored for login. If auto-detection fails, the injection fails and a message states that the Username Field, Password Field, and/or Submit Button could not be found.

If entering the names of the input elements, enter the HTML id, HTML name, or CSS selector for each element on the login page.

✅
Example
This shows HTML ids with input fields and a submit button, as they might appear on the code view of a login page. The HTML ids here are user, pwd, and button.

<form action="/action_page.php">
Username: <input type="text" id="user"><br>
Password: <input type="password" id="pwd"><br>
<input type="submit" value="Submit" id="button">
</form>

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

ℹ️
Note
For more information about identifying HTML form fields, please see online resources such as this page explaining the use of CSS selectors.

Use a Web Jump shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

Once a connection is made to the web site, click the screen sharing button. The web site's login interface becomes available.

ℹ️
Note
If you want to open a new tab in Windows or Linux, hold down the CTRL key and click the mouse button. For iOS, hold down the Command key and click the mouse button.

ℹ️
Note
You can copy and paste text to and from the website by using the copy/paste controls of your operating system.

Upload and download files using a Web Jump shortcut

If you click a link to download a file from the web site, a prompt appears in your chat window asking you to accept or decline the download. If you accept, a window opens on your computer allowing you to choose a download location.

Uploading files to the web site works similarly, opening a window to allow you to choose which file to upload.

ℹ️
Note
The privileged web access console does not support uploading or downloading of files to a web page via a Web Jump. File upload to, or downloaded from, a web page via Web Jump is supported only by the desktop access console.

Use credential injection

⚠️
Important
Credential injection is not supported for non-secure sites (non-HTTPS).

ℹ️
Note
This feature is not supported for ARM-based Windows systems.

When integrating BeyondTrust PRA with a password vault system, you can seamlessly access your web site accounts without viewing the login screen or entering any credentials using credential injection.

ℹ️
Note
Web Jump supports multi-step authentication, in which the username and password are not requested on the same browser page. Web Jump also supports scenarios in which a user connects to an unauthenticated portion of a website, but then attempts to enter an area using basic authentication. Furthermore, Web Jump supports sites that contain CAPTCHAs, by allowing the users to complete the CAPTCHA without ending the credential injection process. Once interaction with a CAPTCHA is complete, the user clicks the key icon in the access console to complete credential injection.

ℹ️
Note
For seamless credential injection on a VMware console, some configuration is required.

Go to the computer hosting the Jumpoint.

Download and install the VMware Client Integration Plugin.

Using admin permissions, open Windows services (services.msc) on the Jumpoint host.

Right-click the BeyondTrust Jumpoint and select Properties.

On the Log On tab under Local System account, check Allow service to interact with desktop.

Click OK.

On the user's local system, on which the access console is installed, start a Web Jump with the VMware URL specified above.

Select Use Windows Credentials.

This causes a prompt on the Jumpoint host system to allow services to interact with an external program. Give the service permission.

A VMware credential injection prompt is displayed. Uncheck the box asking if you want the prompt to be displayed whenever the program is called. Click Accept.

You can now start Web Jumps to the VMware console using Windows credentials without a prompt.

Authorization

ℹ️Note

Revoke an access approval request

Local Jump shortcut

Remote Jump shortcut

Remote VNC Jump shortcut

Remote RDP Jump shortcut

Shell Jump shortcut

Protocol Tunnel Jump shortcut

Web Jump shortcut

Local Jump shortcuts

ℹ️Note

Create a Local Jump shortcut

Use a Local Jump shortcut

ℹ️Note

Remote Jump shortcuts

ℹ️Note

Create a Remote Jump shortcut

Use a Remote Jump shortcut

ℹ️Note

ℹ️Note

RDP shortcuts

Create an RDP shortcut

ℹ️Note

ℹ️Note

ℹ️Note

Inject credentials

ℹ️Note

ℹ️Note

ℹ️Note

Use an RDP shortcut

ℹ️Note

ℹ️Note

VNC shortcuts

Create a VNC shortcut

ℹ️Note

Use a VNC shortcut

ℹ️Note

Shell Jump shortcuts

Create a Shell Jump shortcut

ℹ️Note

Use a Shell Jump shortcut

ℹ️Note

Configure shell prompt filtering:

ℹ️Note

ℹ️Note

Configure command filtering:

ℹ️Note

ℹ️Note

Use credential injection with SUDO on a Linux endpoint

ℹ️Note

Protocol Tunnel Jump shortcuts

Set up a Protocol Tunnel Jump Item

Create a Protocol Tunnel Jump shortcut

Create a TCP tunnel

Create a MySQL tunnel

Create a PostgreSQL server tunnel

Create a SQL server tunnel

Create a Kubernetes cluster tunnel

ℹ️Note

Use a Protocol Tunnel Jump shortcut

Use a TCP Tunnel

Use a MySQL Tunnel

ℹ️Note

Use a PostgreSQL Tunnel

Use a SQL Server Tunnel

Use a Kubernetes Cluster Tunnel

Stipulations for correct use

TCP, MySQL, PostgreSQL, and SQL Server tunnel requirements

Kubernetes tunnel requirements

Network Jump shortcuts

ℹ️Note

Prerequisites

DHCP

ℹ️Note

Create Protocol Tunnel Jump shortcut

ℹ️Note

Use network tunnels with TCP/UDP protocol filters

Use network tunnels with mapped network drives

Web Jump shortcuts

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

⚠️
Important

ℹ️
Note

ℹ️
Note

ℹ️
Note

⚠️
Important

✅
Example

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

⚠️
Important

ℹ️
Note

ℹ️
Note

ℹ️
Note