Jump Items
To access an endpoint, install a Jump Item. You can install a Jump Item by clicking Create at the top of the Jump interface. Full details for creating Jump Items are provided later in this guide. To access an individual Windows, Mac, or Linux computer that is not on an accessible network, install a Jump Client on that system from the /login > Jump > Jump Clients page. Jump Clients appear in the Jump interface, as well as Jump Item shortcuts.
Jump Items are listed in Jump Groups. If you are assigned to one or more Jump Groups, you can access the Jump Items in those groups, with the permissions assigned by your admin.
Your personal list of Jump Items is primarily for your individual use, although your team leads, team managers, and users with permission to see all Jump Items may have access to your personal list of Jump Items. Similarly, if you are a team manager or lead with appropriate permissions, you may see team members' personal lists of Jump Items. Additionally, you may have permission to access Jump Items in Jump Groups you do not belong to and personal Jump Items for non-team members.
There are three ways that you can begin accessing endpoints:
- Locate and select an endpoint from the My Jump Groups list.
- Select a session from the Recently Used list.
- Choose a Jump Group and then select an endpoint from that group's listing of endpoints.
Note
The Jump Items list displays a maximum of 50 Jump Items.
To begin accessing Jump Items, follow the steps outlined below:
- Select a Jump Group and click the Refresh button.
- A list of all Jump Items populates, and you can review details about the Jump Item in the table. To review more details about the Jump Item, select the Jump Item, and a details pane slides out from the right.
- Click the Jump button to start a session with the endpoint.
- To cancel a Jump access request, click Cancel.
End-user and third-party authorization
Depending on the configuration of Jump Items within the /login administrative interface, a Jump Item may have a Jump Policy associated with it, and the policy may define an authorization component that forces you to request permission from a third-party or an administrator before you are able to start an access session with the Jump Item.
Note
For more information about how to configure third party and end-user notifications and approval, please see Jump Policies.
- After you have clicked the Jump button and requested access, a prompt appears, and you are required to enter a reason for wanting to access the system.
- Next, you must indicate when and for how long you will be accessing the system.
- Once the request has been submitted, the third party or person responsible for approving access requests is alerted through an email notification and has the opportunity to accept or deny the request. Although other approvers can see the email address of the person who approved or denied the request, the requestor cannot.
- After permission has been determined, an authorization notification appears within the Jump Item's information displaying either approved or denied. If access is granted, you can tap the Jump button to begin accessing the system.
- Then you are presented with a message asking if you would like to begin an access session.
- If you choose to begin the session, the approving party's comments appear, and you can begin accessing the system.
Revoke an access approval request
Who can cancel an approved access request depends on the Jump Policy's approval setting, which is one of:
- Anyone Permitted to Request
- Requestor Only
If the Jump Policy is set to Requestor Only, and an Access Request is presently approved for User A, User B is asked to create a new Access Request if they attempt to Jump to the Jump Item, since that request does not apply to them. Additionally, if User B attempts to cancel the Access Approval Request, the option is grayed out. The only user who can cancel the approved request is User A, because they are the approved user for the request.
However, if the Jump Policy is set to Anyone Permitted to Request, and an Access Request is presently approved for User A, User B is allowed to start a new session with the Jump Item if they attempt to Jump to it. In addition, anyone with permission to access the Jump Item is allowed to cancel / revoke the request.
Automatic log on credentials
Credentials from the Endpoint Credential Manager can be used for RDP and for performing Remote Jump. If a user selects to Jump to a Remote Jump or Remote RDP and no automatic log on credentials are available, a username and password must be entered into the prompt before the access session can begin with the endpoint. If the /login administrative interface has been configured with automatic log on credentials and returns only one set of credentials as being available for a particular user and Jump Item, the credential request is skipped, and the single credential is used to start the session. If there is more than one credential configured in the /login administrative interface, the user has the choice either to choose credentials from the credential store or to enter their own credentials manually.
Note
For more information on credential configuration and management, please see Security.
Default credentials for Jump Items
When starting a Jump session that requires credentials, after selecting the credentials, you can check Remember as my default. Once a credential is selected as a default, it displays with other Jump Item details, and subsequent sessions start without requesting credentials.
When a default credential is set, the Jump Item details (accessed by right-clicking the Jump Item) include a button for Jump (Change Credentials). This opens the credential selection window, and you can either change default credential, select a different credential for this session, or clear the saved default credential.
If a default credential is no longer available to the user for that Jump Item, the next time they start a session with that Jump Item there is a warning that the requested credentials for starting the session were not found, and the option to continue. If you continue, the credential selection window opens and you can select a credential as usual.
Jump Client upgrade
You can upgrade Jump Clients from within the privileged web access console. A Needs Upgrade banner displays under Status, in green if the Jump Client is online, red if offline. You can only upgrade Jump Clients that are online. To upgrade a given Jump Client, click the green banner.
In order to be able to upgrade a Jump Client from the privileged web access console, you must make sure that Automatic Jump Client Upgrades is disabled in /login. To do so, go to /login > Jump > Jump Clients > Upgrades and disable Automatic Jump Client Upgrades. If automatic upgrading is not disabled, Jump Clients needing to upgrade display an Upgrade Pending banner instead.
The rep must also have the right to perform the update. This can be set in /login > Users & Security > Users > Access Permissions > Jump Item Roles. Make sure that System is also set to Administrator.
Remote Jump
Remote Jump enables a privileged user to connect to an unattended remote computer on a network outside of their own network. Remote Jump depends on a Jumpoint.
A Jumpoint acts as a conduit for unattended access to Windows and Linux computers on a known remote network. A single Jumpoint installed on a computer within a local area network is used to access multiple systems, eliminating the need to pre-install software on every computer you may need to access.
Note
Jumpoint is available for Windows and Linux systems. Jump Clients are needed for remote access to Mac computers. To Jump to a Windows computer without a Jump Client, that computer must have Remote Registry Service enabled (disabled by default in Vista) and must be on a domain. You cannot Jump to a mobile device, though Jump Technology is available from mobile BeyondTrust consoles.
Create a Remote Jump shortcut
To create a Remote Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Remote Jump. Remote Jump shortcuts appear in the Jump interface, as well as Jump Clients and other types of Jump Item shortcuts.
Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.
Enter the Hostname / IP of the system you wish to access.
Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.
Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.
Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.
To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.
Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.
Choose an Endpoint Agreement to assign to this Jump Item. Depending on what is selected, an endpoint agreement is displayed. If there is no response, the agreement is automatically accepted or rejected.
Use a Remote Jump shortcut
To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.
A dialog box opens for you to enter administrative credentials to the remote computer in order to complete the Jump. The administrative rights must be either a local administrator on the remote system or a domain administrator.
The client files are pushed to the remote system, and a session attempts to start.
Note
Because a Remote Jump attempts to connect directly back through the appliance, the end machine must be able to communicate with the appliance as well. If this is not the case, you can use the Jump Zone Proxy feature to proxy the traffic through the Jumpoint.
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.
Note
For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.
Remote Desktop Protocol
Use BeyondTrust to start a Remote Desktop Protocol (RDP) session with remote Windows and Linux systems. Because RDP sessions are proxied through a Jumpoint and converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site. To use RDP through BeyondTrust, you must have access to a Jumpoint and must have the user account permission Allowed Jump Methods: RDP via a Jumpoint.
Note
For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.
Important
In order to use your own tool, you must enable Protocol Tunnel Jump in /login > Users & Security > Users > Access Permissions > Jump Technology > Protocol Tunnel Jump. This may need to be enabled by a group policy. You must also enable the appropriate external tools in /login > Jump > Jump Items > Jump Item Settings.
Create an RDP shortcut
To create a Microsoft Remote Desktop Protocol shortcut, click the Create button in the Jump interface. From the dropdown, select Remote RDP. RDP shortcuts appear in the Jump interface with Jump Clients and other types of Jump Item shortcuts.
Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.
Enter the Hostname / IP of the system you wish to access.
Note
By default, the RDP server listens on port 3389, which is therefore the default port BeyondTrust attempts. If the remote RDP server is configured to use a different port, add it after the hostname or IP address in the form of <hostname>:<port> or <ipaddress>:<port> (for example, 10.10.24.127:40000).
Provide the Username to sign in as, along with the Domain.
Select the Quality at which to view the remote screen. This cannot be changed during the remote desktop protocol (RDP) session. Select the color optimization mode to view the remote screen. If you are going to be primarily sharing video, select Video Optimized; otherwise, select Black and White (uses less bandwidth), Few Colors, More Colors, or Full Color (uses more bandwidth). Both Video Optimized and Full Color modes allow you to view the actual desktop wallpaper.
To start a console session rather than a new session, check the Console Session box.
If the server's certificate cannot be verified, you receive a certificate warning. Checking Ignore Untrusted Certificate allows you to connect to the remote system without seeing this message.
Note
When RemoteApp or BeyondTrust Remote Desktop Agent is selected in the SecureApp section, the Console Session checkbox is unchecked. Remote applications cannot run in a console session on a RDP server.
To get more detailed information on the RDP session, check Session Forensics. For this feature to work, you must select an RDP Service Account for the Jumpoint being used. When checking this setting, the following reminder displays:
Enabling this feature requires the RDP server to be configured to receive the monitoring agent and an RDP Service Account to be configured with this Jumpoint. If these requirements are not met, all attempts to start a session will fail.
Note
In typical installations, the RDP service account requires privileges including access to create and control remote services and write access to remote file systems. We recommend that you create an Entra ID account and use Entra ID group policy settings to configure the permissions; however, the exact permissions required depend on your Entra ID configuration.
When Session Forensics is checked, the following additional details are logged:
- Focused window changed event
- Mouse click event
- Menu opened event
- New window opened event
To start a session with a remote application, configure the SecureApp section. The following dropdown options are available:
- None: When accessing a Remote RDP Jump Item, no application is launched.
- RemoteApp: The user can configure an application profile or command argument, which executes and opens an application on a remote server. To configure, select the RemoteApp option and enter the following information:
  - Remote App Name: Enter the name of the application you wish to connect to.
  - Remote App Parameters: Enter the profile details or command line arguments needed to open the application.
- BeyondTrust Remote Desktop Agent: This option facilitates passing parameters through an agent in order to launch applications on a remote host. To configure, select the BeyondTrust Remote Desktop Agent option and enter the following information:
  - Executable Path: Enter the path of the application the agent will connect to.
  - Parameters: Enter any parameters that you could normally type from a command line when launching the app on the remote system.
Note
For more information on Session Forensics and RDP service account, please see RDP service account.
Inject credentials
The option to Inject Credentials is made available when the BeyondTrust Remote Desktop Agent type is selected. This option facilitates passing parameters as well as credentials through an agent in order to launch applications on a remote host. The first set of credentials is in the Jump definition. These are the credentials for the user account you'll use to log into the remote system. There is a secondary prompt for additional credentials, either manually provided or from a password vault. These secondary credentials are made available to the command line you define through the %USERNAME% and %PASSWORD% macros (additional macros are shown in the table below). This allows you to pass additional credentials to the application you are launching (e.g., SQL Server Management Studio). To configure, select the BeyondTrust Remote Desktop Agent option and enter the following information:
- Enter the Executable Path and Parameters as described above.
- Target System: Enter the name of the system running the application.
- Credential Type: Enter the credential type as defined by the credential management system (e.g., SQL).
| Macro Name | Result | 
|---|---|
| %USERNAME% | username | 
| %USERPRINCIPLENAME% | username@domain | 
| %DOWNLEVELLOGONNAME% | domain\username | 
| %DOMAIN% | domain | 
| %PASSWORD% | password | 
| %PASSWORDRAW% | password (without any attempt to escape special characters) | 
| %TARGETSYSTEM% | supplied target system value; in the case of SQL Server, this would be the SQL Server name. | 
| %APPLICATIONNAME% | optional application name; in the case of SQL Server, this can be hard-coded to "SQL Server" or something similar. | 
Note
The BeyondTrust Remote Desktop Agent option requires a BeyondTrust Remote Desktop Agent to be preconfigured on the target system. This agent can be downloaded from the My Account page in the /login interface. It is neither version nor site-specific, and thus the same agent can be used for as many applications as the admin wishes to support. Once the agent is installed, you can then use BeyondTrust to create RDP Jump Items that are configured to use the BeyondTrust Remote Desktop Agent option to launch any application installed on the remote system.
Note
RemoteApp relies on publishing applications using Microsoft RDS RemoteApps. Please refer to the Microsoft documentation for publishing applications.
Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.
Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.
Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.
To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.
Note
For more information about contained database users, please see Contained Database Users - Making Your Database Portable.
Use an RDP shortcut
To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.
You are prompted to enter the password for the username you specified earlier.
Your RDP session now begins.
Note
When starting an RDP session, the RDP keyboard automatically matches the language you have set in the access console. This functionality is available for Windows-based access consoles only.
Begin screen sharing to view the remote desktop. You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, share clipboard contents, use Alt and Shift commands, and perform key injection. You also can share the RDP session with other logged-in BeyondTrust users, following the normal rules of your user account settings.
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Start New Session, then a new independent session starts for each user who Jumps to a specific RDP Jump Item. The RDP configuration on the endpoint controls any further behavior regarding simultaneous RDP connections.
Note
For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.
VNC
Use BeyondTrust to start a VNC session with a remote Windows or Linux system. Because VNC sessions are proxied through a Jumpoint and converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site. To use VNC through BeyondTrust, you must have access to a Jumpoint and have the user account permission Allowed Jump Methods: Remote VNC via a Jumpoint.
Create a VNC shortcut
To create a VNC shortcut, click the Create button in the Jump interface. From the dropdown, select Remote VNC. VNC shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.
Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.
Enter the Hostname / IP of the system you wish to access.
Note
By default, the VNC server listens on port 5900, which is, therefore, the default port BeyondTrust attempts. If the remote VNC server is configured to use a different port, add it after the hostname or IP address in the form of <hostname>:<port> or <ipaddress>:<port> (e.g., 10.10.24.127:40000).
Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.
Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.
Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.
To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.
Use a VNC shortcut
To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.
When establishing the connection to the VNC server, the system prompts you to enter the user name and password.
Your VNC session now begins. Begin screen sharing to view the remote desktop. You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, and share clipboard text contents. You also can share, transfer or record the VNC session, following the normal rules of your user account settings.
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.
Note
For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.
Shell Jump
With Shell Jump, quickly connect to an SSH-enabled or Telnet-enabled network device to use the command line feature on that remote system. For example, run a standardized script across multiple systems to install a needed patch or troubleshoot a network issue. Administrators can enable command filtering to help prevent users from inadvertently using harmful commands on SSH-connected endpoints.
Note
You can use your own SSH tool for the SSH protocol. For more information, please see Change settings and preferences in the access console.
Important
In order to use your own tool, you must enable Protocol Tunnel Jump in /login > Users & Security > Users > Access Permissions > Jump Technology > Protocol Tunnel Jump. This may need to be enabled by a group policy. You must also enable the appropriate external tools in /login > Jump > Jump Items > Jump Item Settings.
Create a Shell Jump shortcut
To create a Shell Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Shell Jump. Shell Jump shortcuts appear in the Jump interface, as well as Jump Clients and other types of Jump Item shortcuts.
Note
Shell Jump shortcuts are enabled only if their Jumpoint is configured for open or limited Shell Jump access.
Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.
Enter the Hostname / IP of the system you wish to access.
Choose the Protocol to use, either SSH or Telnet.
Port automatically switches to the default port for the selected protocol but can be modified to fit your network settings.
Enter the Username to sign in as.
Select the Terminal Type, either xterm or VT100.
You can also select to Send Keep-Alive Packets to keep idle sessions from ending. Enter the number of seconds to wait between each packet send.
Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.
Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.
Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.
To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.
Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.
Use a Shell Jump shortcut
To use a Shell Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.
If attempting to Shell Jump to an SSH device without a cached host key, you receive an alert that the server's host key is not cached and that there is no guarantee that the server is the computer you think it is.
If you choose Save Key and Connect, then the key is cached on the Jumpoint's host system so that future attempts to Shell Jump to this system do not result in this prompt. Connect Only starts the session without caching the key, and Abort ends the Shell Jump session.
When you Shell Jump to a remote device, you can click the Open SSH Client button to open a new terminal and start the SSH tunnel. You also see details about the connection.
If you Shell Jump to a provisioned SSH device with an unencrypted key or with an encrypted key whose password has been cached, you are not prompted for a password. Otherwise, you are required to enter a password. If you Shell Jump to an SSH device with keyboard interactive MFA enabled, there is a secondary prompt for input.
If the rep console setting Automatically add session aliases to SSH Config (when possible) is configured, you can copy the POSIX command and paste it into your command line interface. Otherwise, you will need to construct the POSIX command using the provided details. You are now connected via SSH to the remote system, and you can send it commands.
Administrators can configure command filtering on Shell Jump Items to block some commands and allow others in an effort to prevent the user from inadvertently using a command that may cause undesirable results. In the event a user attempts to use a command that matches an expression that is not allowed, they receive a prompt and are not allowed to execute the command.
Note
BeyondTrust's command filter uses egrep regular expressions. For more information, please see Regular expressions (C++).
Configure shell prompt filtering:
- Log into the /login interface as a user with permissions to configure Jump Items and session policies.
- Browse to Jump > Jump Items and scroll down to the Shell Jump Filtering section.
- In the Recognized Shell Prompts text box, enter regexes to match the command shell prompts found on your endpoint systems, one per line.
Note
Line breaks, or newlines, are not allowed within the command prompt patterns entered. If an endpoint system uses a multi-line prompt, enter an expression that matches only the final line of the prompt in the text box.
- Click Save.
Note
Once you have entered the regexes you wish to use, you can test a shell prompt to determine if it matches any of the regexes in the list. This allows you to test your regexes without starting a session. Enter a sample prompt in the Shell Prompt text box and click the Check button. A notice displays whether or not the shell prompt you entered matches one of the regexes in the list.
Configure command filtering:
- Browse to Users & Security > Session Policies and either create a new policy or edit an existing one.
Note
You can also configure this for users and/or group policies.
- Locate the Command Shell settings in the Permissions section.
- Because you will use command filtering with Shell Jump Items, select the Allow radio button to allow the use of the command shell.
- Choose from Allow all commands, Allow the command patterns below, or Deny the command patterns below and specify in the text box which regex patterns you wish to allow or block.
Note
Once you have entered the command patterns you wish to allow or block, you can test commands in the Command Tester text box. A notice displays whether or not the command entered would be allowed to run on the remote system based on the regexes specified in the list.
The two possible messages are:
- "The entered command shall be allowed based on your selections."
- "The entered command shall not be allowed based on your selections."
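The prompt-recognition and command-filtering steps above, as an added example that is not BeyondTrust's code: a small Python emulation of the Recognized Shell Prompts check and the three Session Policy Command Shell modes, run over a constructed session transcript. It assumes Python's re module behaves like egrep for the simple syntax used here and that filter patterns match anywhere in the command (search semantics); the prompt patterns, allow/deny lists and transcript are constructed samples, so confirm real patterns with the product's own Check button and Command Tester.

```python
import re

# --- /login > Jump > Jump Items > Shell Jump Filtering > Recognized Shell Prompts ---
# One pattern per line, each matching only the FINAL line of a prompt. These are
# constructed samples (not BeyondTrust's), anchored at the start and ending at the
# prompt's closing character so that whatever follows a match is the typed command.
# Only syntax shared by egrep and Python's re is used (no \b, \d or [[:space:]]).
RECOGNIZED_PROMPTS = [
    r"^[a-z_][a-z0-9_-]*@[a-z0-9.-]+:[^$#]*[$#] ?",      # admin@web01:~$
    r"^\[[a-z_][a-z0-9_-]*@[a-z0-9.-]+ [^]]*\][$#] ?",   # [admin@db01 ~]$
    r"^[A-Za-z0-9._-]+(\([a-z-]+\))?[>#] ?",             # sw-core1> / sw-core1(config)#
]

# --- Users & Security > Session Policies > Permissions > Command Shell ---
ALLOW_ALL = "Allow all commands"
ALLOW_PATTERNS = "Allow the command patterns below"
DENY_PATTERNS = "Deny the command patterns below"

# Constructed deny list for a troubleshooting role. The last pattern is deliberately
# unanchored so a chained command such as "ls; dd ..." is still caught.
DENY_LIST = [
    r"^(sudo[ \t]+)?rm[ \t]",
    r"^(sudo[ \t]+)?(shutdown|reboot|halt)([ \t]|$)",
    r"(^|[ \t;&|])(mkfs|dd)[ \t]",
]

# Constructed allow list for a read-only role. Anchored at BOTH ends and excluding
# shell separators, so "ls -la; rm -rf /" cannot ride in on the "ls" pattern.
ALLOW_LIST = [
    r"^ls([ \t][^;&|]*)?$",
    r"^cat[ \t]+/var/log/[^;&| ]+$",
    r"^show[ \t]+[a-z -]+$",
]

def matches_any(patterns, text):
    """egrep semantics: a pattern may match anywhere in the text."""
    return any(re.search(p, text) for p in patterns)

def split_prompt(line):
    """Return (prompt, command) if the line starts with a recognized prompt, else None."""
    for p in RECOGNIZED_PROMPTS:
        m = re.match(p, line)
        if m:
            return line[:m.end()], line[m.end():].strip()
    return None

def is_recognized_prompt(prompt_text):
    """What the Check button answers for text pasted into the Shell Prompt box."""
    return split_prompt(prompt_text) is not None

def command_allowed(mode, patterns, command):
    """Apply one of the three Command Shell modes to a single command."""
    cmd = command.strip()
    if mode == ALLOW_ALL:
        return True
    hit = matches_any(patterns, cmd)
    if mode == ALLOW_PATTERNS:
        return hit
    if mode == DENY_PATTERNS:
        return not hit
    raise ValueError("unknown Command Shell mode: " + mode)

def command_tester(mode, patterns, command):
    """The two messages the Command Tester displays."""
    if command_allowed(mode, patterns, command):
        return "The entered command shall be allowed based on your selections."
    return "The entered command shall not be allowed based on your selections."

def audit_transcript(transcript, mode, patterns):
    """Walk a captured session transcript and return (command, allowed) per typed command.
    Output lines (no recognized prompt) and empty prompt lines (a bare Enter) are skipped."""
    verdicts = []
    for line in transcript.splitlines():
        parsed = split_prompt(line)
        if parsed is None or parsed[1] == "":
            continue
        verdicts.append((parsed[1], command_allowed(mode, patterns, parsed[1])))
    return verdicts

# Constructed sample transcript. "[env: prod] 09:01" is the first line of a
# two-line prompt; only its final line is matched, as the note above requires.
SAMPLE_TRANSCRIPT = """\
Last login: Mon Jan  1 09:00:00 2024 from 10.0.0.5
[admin@db01 ~]$ ls -la /var/log
total 48
drwxr-xr-x 2 root root 4096 Jan  1 08:59 .
[env: prod] 09:01
admin@web01:~$ sudo rm -rf /var/log/*
admin@web01:~$ ls; dd if=/dev/zero of=/swapfile bs=1M count=512
admin@web01:~$
sw-core1(config)# show running-config
"""

if __name__ == "__main__":
    for cmd, ok in audit_transcript(SAMPLE_TRANSCRIPT, DENY_PATTERNS, DENY_LIST):
        print(("allowed " if ok else "BLOCKED ") + cmd)
```

Running the block audits the sample transcript with the deny list; swap in ALLOW_PATTERNS and ALLOW_LIST to see how end-anchored allow patterns reject chained commands.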
Use credential injection with SUDO on a Linux endpoint
To use credential injection with SUDO, an administrator must configure one or more functional accounts on each Linux endpoint to be accessed via Shell Jump. As the process for configuring the sudoers file is complex and varies by platform, please refer to your platform's documentation for details on completing this process. Each functional account must:
- Allow authenticating via SSH (password or SSH key).
- Have the account credentials stored in the Endpoint Credential Manager (ECM).
- Have one or more entries in /etc/sudoers granting the functional account access to one or more commands to be executed as root without requiring a password (NOPASSWD).
An administrator must create a Shell Jump Item for the endpoint.
Next, an administrator must configure the ECM and/or password vault to grant users access to the appropriate functional accounts for that Jump Item.
When a user Jumps to the Shell Jump Item, they can choose from the list of functional accounts available for that endpoint. Each functional account has its own set of commands that can be executed using SUDO, as configured by the administrator on the endpoint. The credentials for the account are passed from the ECM to the endpoint.
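Building the NOPASSWD sudoers entry a functional account needs, as an added example that is not part of this guide or of BeyondTrust's product. The account name, command paths and fragment file name are constructed placeholders; the linter encodes the least-privilege checks an administrator should run before installing the fragment, and the file must still pass `visudo -cf` on the endpoint.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Absolute path, no shell wildcard characters.
_ABS_PATH = re.compile(r"^/[^\s*?\[\]]+$")
_WILDCARD = re.compile(r"[*?\[]")


@dataclass
class FunctionalAccount:
    """A Linux account whose credentials live in the ECM (constructed placeholder)."""
    name: str
    commands: List[str] = field(default_factory=list)


def lint_commands(commands: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the command list is acceptable."""
    problems = []
    if not commands:
        problems.append("no commands listed; the account would have nothing to run via sudo")
    for cmd in commands:
        exe = cmd.split()[0] if cmd.strip() else ""
        if exe.upper() == "ALL":
            problems.append("ALL grants unrestricted root; list explicit commands instead")
        elif not _ABS_PATH.match(exe):
            problems.append(f"{cmd!r}: command must be an absolute path")
        elif _WILDCARD.search(cmd):
            problems.append(f"{cmd!r}: wildcards widen what sudo accepts; spell arguments out")
    return problems


def render_sudoers_entry(account: FunctionalAccount) -> str:
    """One sudoers line: any host, run only as root, no password prompt (NOPASSWD),
    limited to the listed commands. Raises ValueError if the list fails linting."""
    problems = lint_commands(account.commands)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{account.name} ALL=(root) NOPASSWD: {', '.join(account.commands)}"


def render_fragment(account: FunctionalAccount) -> str:
    """Contents for /etc/sudoers.d/<account> (install with mode 0440)."""
    return f"# Managed for Shell Jump credential injection; validate with visudo -cf\n{render_sudoers_entry(account)}\n"


if __name__ == "__main__":
    svc = FunctionalAccount("pra_svc", ["/usr/bin/systemctl restart nginx", "/usr/bin/journalctl -u nginx"])
    print(render_fragment(svc), end="")
```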
Note
Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.
Note
For more information on simultaneous Jumps, please see Simultaneous Jumps on the Jump Items page and the Jump Policies page.
Web Jump
With the proliferation of infrastructure components that have moved to web-based interfaces for configuration, IT administrators are faced with an increasingly complex security management situation. With privileged access to web-based resources, it is a challenge to control, audit, and enforce proper authentication without negatively affecting business productivity. IT administrators need a way to effectively control and audit resources managed via web interfaces, including:
- Externally hosted Infrastructure as a Service (IaaS) servers such as Amazon AWS, Microsoft Azure, IBM SoftLayer, and Rackspace
- Internally hosted servers managed by hypervisor software such as VMware vSphere, Citrix XenServer, and Microsoft Hyper-V
- Modern core network infrastructure that leverages web-based configuration interfaces
The identity and access management capabilities vary significantly between IaaS, hypervisor providers, and core infrastructure systems, and many do not offer native multifactor authentication support, thereby missing that additional layer of security. These inconsistencies across systems create opportunities for business vulnerabilities, such as misuse of accounts and access, leading to leaks of sensitive data. BeyondTrust Web Jump is the extra layer of security for authenticating to these systems.
Important
Web Jump does not support Flash. Be sure to consult your hypervisor documentation and update it to a version that supports HTML5.
Note
The Web Jump Item is an add-on for Privileged Remote Access, and requires additional purchase.
Create a Web Jump shortcut
Note
Before creating Web Jump shortcuts, ensure that your user account has the ability to access Web Jumps. This permission is set on your user account in the /login interface under Access Permissions > Jump Technology.
To create a Web Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Web Jump. Web Jump shortcuts appear in the Jump interface with Jump Clients and other types of Jump Item shortcuts.
Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
From the Jumpoint dropdown, select the Windows or Linux Jumpoint that hosts the computer you wish to access.
Note
Copy/Paste functionality is not supported for Linux Jumpoints.
Type the URL for the web site you wish to access.
Check Verify Certificate if you want the site certificate to be validated before the connection is made. If this box is checked and issues are found with the certificate, the session does not start.
Important
You should uncheck Verify Certificate only if you are Jumping to a site that you trust but that uses a self-signed certificate.
If you want to use credential injection, first select the Username Format:
- Default: This is the default value for new and existing Web Jump Items. The username is not modified before injection into the web page and is used in the stored format. For the Endpoint Credential Manager (ECM), the credential may be in either UPN or DLLN format. For Vault, the username is always in UPN format.
- Username Only: Independently of the format stored in either Vault or ECM (username@domain or domain\username), the domain is removed and only the username is used.
Under Login Form Detection, the recommended practice is to leave the three fields empty, and allow the system to auto-detect and use the information already stored for login. If auto-detection fails, the injection fails and a message states that the Username Field, Password Field, and/or Submit Button could not be found.
If entering the names of the input elements, enter the HTML id, HTML name, or CSS selector for each element on the login page.
Example
This shows HTML ids with input fields and a submit button, as they might appear on the code view of a login page. The HTML ids here are user, pwd, and button.
    <form action="/action_page.php">
      Username: <input type="text" id="user"><br>
      Password: <input type="password" id="pwd"><br>
      <input type="submit" value="Submit" id="button">
    </form>
Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.
Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.
Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.
To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.
Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.
Note
For more information about identifying HTML form fields, please see online resources explaining the use of CSS selectors.
Use a Web Jump shortcut
To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.
Once a connection is made to the web site, click the screen sharing button. The web site's login interface becomes available.
Note
If you want to open a new tab in Windows or Linux, hold down the CTRL key and click the mouse button. For iOS, hold down the Command key and click the mouse button.
Note
You can copy and paste text to and from the website by using the copy/paste controls of your operating system.
Upload and download files using a Web Jump shortcut
If you click a link to download a file from the web site, a prompt appears in your chat window asking you to accept or decline the download. If you accept, a window opens on your computer allowing you to choose a download location.
Uploading files to the web site works similarly, opening a window to allow you to choose which file to upload.
Note
The privileged web access console does not support uploading or downloading files to or from a web page via a Web Jump. File upload to, or download from, a web page via Web Jump is supported only by the desktop access console.
Use credential injection
Important
Credential injection is not supported for non-secure sites (non-HTTPS).
Note
This feature is not supported for ARM-based Windows systems.
When BeyondTrust PRA is integrated with a password vault system, credential injection lets you access your web site accounts seamlessly, without viewing the login screen or entering any credentials.
Note
Web Jump supports multi-step authentication, in which the username and password are not requested on the same browser page. Web Jump also supports scenarios in which a user connects to an unauthenticated portion of a website, but then attempts to enter an area using basic authentication. Furthermore, Web Jump supports sites that contain CAPTCHAs, by allowing the users to complete the CAPTCHA without ending the credential injection process. Once interaction with a CAPTCHA is complete, the user clicks the key icon in the access console to complete credential injection.
Note
For seamless credential injection on a VMware console, some configuration is required.
- Go to the computer hosting the Jumpoint.
- Download and install the VMware Client Integration Plugin.
- Using admin permissions, open Windows services (services.msc) on the Jumpoint host.
- Right-click the BeyondTrust Jumpoint and select Properties.
- On the Log On tab under Local System account, check Allow service to interact with desktop.
- Click OK.
- On the user's local system, on which the access console is installed, start a Web Jump with the VMware URL specified above.
- Select Use Windows Credentials.
- This causes a prompt on the Jumpoint host system to allow services to interact with an external program. Give the service permission.
- A VMware credential injection prompt is displayed. Uncheck the box asking if you want the prompt to be displayed whenever the program is called. Click Accept.
- You can now start Web Jumps to the VMware console using Windows credentials without a prompt.
Updated 8 months ago
