Gateway | PRA Pathfinder

What is a Gateway?

A Gateway is a secure connection point used in Privileged Remote Access to facilitate access to remote systems without requiring direct public internet exposure, enabling secure, controlled remote sessions. A Gateway lets you have a virtual presence on a remote network, so you can connect to any endpoint on that remote network. If the endpoint is not on a network you can access, you need a Jump Client.

How is a Gateway useful to my organization?

A Gateway lets administrators securely manage remote connections through internal networks or firewalls, which ensures protected access to remote systems while maintaining network security.

How do I access the Gateway page?

  1. Sign in to app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the main menu, click Privileged Remote Access > Asset Management.
    The Asset Management page opens and the Jump Clients tab displays by default.
  3. Click the Gateway tab.
    The Gateway Management page displays.

The Gateway page

  1. Left menu: Easy access to all pages in Privileged Remote Access, including Status, Consoles & Downloads, My Account, Configuration, Asset Management, Vault, Console Settings, Users & Security, Reports, Management, and Appliance pages.
  2. Status: Opens the Status page.
  3. Header: Change your tenant site, manage your profile, and access documentation.
  1. Add: Adds a new Gateway.

  2. Gateway columns: The list of Gateway columns.

    Gateway columns
    • Gateway Name: Unique name of the Gateway.
    • Type: Displays the settings of the Gateway.
    • Last Status: Displays the status in date and time of the Gateway.
    • Properties: Displays the detailed information of the Gateway. For example, Hostname and IP addresses.
  3. Asset Roles options: You can redeploy, edit or delete an Asset role.

  4. Configuration Help: Suggestions on how to configure a Gateway or a clustered Gateway.

Gateway Management

A Gateway allows a user to upload the Privileged Remote Access Endpoint Client software to computers on remote networks. The networks a Gateway provides access to are collectively called a Proxy.

👍

Tip

When you select a system to host a Gateway, keep the following criteria in mind:

  • The host system should be a system on the same local area network as the systems to which you wish to connect.
  • The host system should be a system with high availability.
⚠️

Warning

The host system should not be a system already being used as a server. File servers, print servers, web servers, email servers, etc. all make poor choices for Gateway host systems.

Gateways attempt to close any active network connections to the target system before attempting the connection, for security purposes. A Gateway that coexists on such a server often reports "Network error disconnecting from host" messages when attempting to connect, as it attempts to close a network connection but fails to do so because some other software is actively using that network connection.

Add new Gateway

  1. From the Gateway Management page, click Add.
    The Add Gateway page displays.
  2. In the Name field, create a unique name to help identify this Gateway. This name should help users locate this Gateway when they need to start a session with a computer on its same network.
  3. In the Code name field, create a code name for integration purposes. If you do not set a code name, one is created automatically.
  4. In the Comments field, add comments to help identify the purpose of this Gateway.
  5. In the Gateway Platform section, select either Windows or Linux as the operating system, and whether the Gateway is clustered or not.
  6. Check the Disabled field to make the Gateway unavailable to make connections. A disabled Gateway may still connect to the appliance, but is not usable by any users to perform connection operations.
  7. If Clustered is checked, you are able to add multiple, redundant nodes of the same Gateway on different host systems. This ensures that as long as at least one node remains online, the Gateway is available.
    ⚠️

    Warning

    Once the Gateway has been created, this option cannot be changed.

  8. If you want users to be able to connect to SSH-enabled and Telnet-enabled network devices through this Gateway, set the Enable SSH Method checkbox.
  9. If the Enable Protocol Tunnel Method option is checked, users may make connections from their systems to remote endpoints through these types of Gateway.
    ℹ️

    • If Network Tunnel is enabled on your system, and the Enable Protocol Tunnel Method is checked, a new option to Enable IP Tunnel Usage Consent displays. Check this option to require users to approve TCP and UDP connections that pass through active IP Tunnels. Approval can be granted once for the current session, for the duration of the active session, or permanently for both current and future IP Tunnel sessions. When granting approval, users can choose to allow access for a specific Application Path or for Any Process.
    • If Network Tunnel is enabled on your system, and the Enable Protocol Tunnel Method is checked, a new section to enter Managed IP Addresses for Protocol Tunnel displays. You can enter multiple IP address ranges. This allows using the Network Connection feature on networks without DHCP.
  10. Under RDP Service Account, select the vault account to be used by the Gateway to run a user-initiated client on the RDP server. This lets you collect additional event information from an RDP session started with this Gateway.
    ℹ️

    This account is used only if the Remote RDP Asset is configured to enable the Session Forensics functionality. This option is not available for Linux Gateways.

    The RDP Service Account setting must not use a local admin account, and must use a domain admin account with privileges on the endpoint including access to remotely connect to the endpoint's C$ share, remotely create and start services on the endpoint machine, and access remote file systems.

    For more information, see Remote Desktop Protocol shortcuts.

  11. Check Enable Proxy to set up a Gateway to function as a proxy server. This allows it to proxy connections for Assets on the network that do not have a native internet connection, such as POS systems.
    ℹ️

    Using a Gateway as a proxy routes traffic only to the Appliance.

You can enable Proxy on either a standalone Gateway or a Gateway cluster. If you set up a Gateway cluster as a Proxy and an endpoint is connected to one Proxy that then goes down, the endpoint can connect to another Proxy in the cluster. Proxies are not supported for Atlas deployments.

  1. Under Proxy Host, type the hostname of the computer on which this Gateway is to be installed.

The hostname should not start with http:// or https://. IP addresses are not recommended as they might change. The Gateway automatically detects the hostname if one is not provided. If this is a clustered Gateway, this field does not appear, and the Gateway automatically detects the hostname on install. If the hostname changes, you may have to redeploy any Assets that use this Gateway as a proxy.

ℹ️

The proxy host and port should be set carefully. Any Asset deployed using this Gateway as a proxy server uses the settings available to it at the time of deployment, and those settings are not updated should the host or port change. If the host or port is changed, the Asset must be redeployed.

In order for a Gateway to function as a Proxy, its host system cannot reside behind a proxy. The Gateway must be able to access the internet without having to supply proxy information for its own connection.

  1. Under Proxy Port, type the port through which Assets connect to this Gateway. If the port changes, you may have to redeploy any Assets that use this Gateway as a proxy.

    ℹ️

    It is a best practice to make an exception in the Windows firewall for the port on which the proxy server listens, so that the process can accept connections.

  2. Check Allow HTTP GET to enable HTTP connections to proxy to the Appliance. This is needed only if you want to use a browser to access Remote Support for Admins from behind the proxy.

  3. Under Network restrictions > Restriction Type, set a network restriction for connections using the following values:

    • No access restriction: Allows Asset connections from any IP address.
    • Deny access only for the following IP addresses: Denies access to a connection by adding network address prefixes.
    • Allow access only from the following IP addresses: Limits the allowed connection by adding network address prefixes.

    ℹ️

    Netmasks are optional, and they can be given in either dotted-decimal or integer bitmask format. Entries that omit a netmask are assumed to be single IP addresses.
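
    The following added example (not BeyondTrust code) shows how entries in both netmask formats resolve and how a client address is evaluated under each Restriction Type, so a list can be checked before it is entered. It uses Python's ipaddress module as a stand-in for the Gateway's own matching logic, which this page does not describe; the function names, the strict host-bit check, the min_prefix threshold and the sample addresses are assumptions.

```python
import ipaddress

# Restriction Type values as they are named on this page.
NO_RESTRICTION = "No access restriction"
DENY_LIST = "Deny access only for the following IP addresses"
ALLOW_LIST = "Allow access only from the following IP addresses"


def parse_entry(entry):
    """Parse a bare IP, an integer bitmask, or a dotted-decimal netmask."""
    # A bare address becomes a /32 (single host), as the page states.
    # strict=True is this example's own choice: it rejects prefixes with
    # host bits set (e.g. 10.20.5.1/16), which usually indicates a typo.
    return ipaddress.ip_network(entry.strip(), strict=True)


def is_allowed(client_ip, restriction_type, entries):
    """Return True if client_ip may connect under the given restriction."""
    if restriction_type == NO_RESTRICTION:
        return True
    addr = ipaddress.ip_address(client_ip)
    matched = any(addr in parse_entry(e) for e in entries)
    if restriction_type == DENY_LIST:
        return not matched
    if restriction_type == ALLOW_LIST:
        return matched
    raise ValueError(f"unknown restriction type: {restriction_type!r}")


def audit_entries(entries, min_prefix=16):
    """Return findings for invalid, overly broad, or overlapping IPv4 entries."""
    findings, seen = [], []
    for entry in entries:
        try:
            net = parse_entry(entry)
        except ValueError as exc:
            findings.append(f"invalid: {entry} ({exc})")
            continue
        if net.prefixlen < min_prefix:
            findings.append(f"broad: {entry} covers {net.num_addresses} addresses")
        for prev_entry, prev_net in seen:
            if net.overlaps(prev_net):
                findings.append(f"overlap: {entry} overlaps {prev_entry}")
        seen.append((entry, net))
    return findings


# Constructed sample entries (documentation and private ranges), not from the page.
SAMPLE = ["192.0.2.10", "10.20.0.0/16", "10.20.30.0/255.255.255.0", "10.0.0.0/8"]
```

    Running audit_entries over an allow list before saving it surfaces prefixes that admit far more addresses than intended, which is the common way an allow list ends up weaker than it looks.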

Group policies

This displays a listing of the group policies which allow users access to this Gateway. You can create Gateway memberships on the Users & Security > Group Policies page.

Allowed Users

You can configure allowed users for the group by doing the following steps:

  1. To add a user, search in New Member Name for users to add to this Asset Group.
  2. Select the user's role in the New Member Role dropdown to set their permissions specific to Assets in this Asset Group.
  3. You can select User's default to use the default Asset Roles set on the Users & Security > Group Policies page or the Users & Security > Users page. An Asset Role is a predefined set of permissions regarding Asset management and usage.
  4. In the New Member Asset Policy field, select the appropriate policy.
  5. Click Add.
  6. Existing Asset Group users are shown in the table, along with their assigned role and how the role was granted. You can filter the view by entering a string in the Filter by name text box.
  7. To edit a user's settings, click the edit icon; to delete a user from the Asset Group, click the delete icon.
ℹ️

The edit and delete functionality may be disabled for some users. This occurs either when a user is added by using a group policy or when a user's system Asset Role is set to anything other than the No Access permission.

You can click the group policy link to modify the policy as a whole. Any changes made to the group policy apply to all members of that group policy.

To add groups of users to an Asset Group, go to the Users & Security > Group Policies page and assign that group to one or more Asset Groups.

You can click the user link to modify the user's system Asset role. Any changes to the user's system Asset role apply to all other Asset Groups in which the user is an unassigned member.

You can also add the individual to the group, overriding their settings as defined elsewhere.

Edit a Gateway

  1. From the Gateway Management page, select a Gateway from the list, then click the edit icon.
  2. Make your changes, then click Save.

Delete a Gateway

  1. From the Gateway page, select a Gateway from the list, then click the delete icon.
  2. Click Yes on the confirmation dialog.

Redeploy a Gateway

  1. From the Gateway page, select a Gateway from the list, then click the redeploy icon.
  2. Click Yes on the confirmation dialog.
