Install a Gateway | RS

Setting up a Gateway on a remote network is a multi-step process: configure the Gateway from the /login administrative interface, download the installer, and run the installation wizard.

Understand clustered Gateways

Before configuring a Gateway, it is important to understand the difference between clustered Gateways and stand-alone Gateways, because they have different feature sets and because a clustered Gateway cannot be converted to stand-alone, nor a stand-alone Gateway converted to clustered. A clustered Gateway allows you to install up to ten redundant nodes of the same Gateway on different host systems in the same local network.

A clustered Gateway is available as long as at least one of the installed nodes is online. This provides redundancy, preventing the failure of all Assets associated with the failure of a single, stand-alone Gateway, and improves load balancing across the system.

All configuration of clustered Gateways is done in /login, with no local configuration available on the local host either during or after the installation. This means that if you install a clustered Gateway, selecting the BeyondTrust Gateway Configuration item on the start menu of the Gateway host does not result in a configuration window, and only an About box is shown. Editing a clustered Gateway in /login loads the same configuration page that was used to create the Gateway. This means clustered Gateway configuration lacks the following options which are available to stand-alone Gateways:

  • Intel vPro
  • SSH
  • TTL

Configure

  1. From the administrative interface, go to Asset Management > Gateway.
  2. Click Add.
  3. Create a unique name to help identify this Gateway. This name should help users locate this Gateway when they need to start a session with a computer on its same network.
  4. Set a code name for integration purposes. If you do not set a code name, one is created automatically.
  5. If you have a Password Safe integration, and the Gateway for External Asset Sessions selection is set to Automatically Selected by External Asset Network ID, on the /login Security page, enter the External Asset Network ID. This value is equivalent to the Workgroup attribute for managed systems in Password Safe. It is matched against the Network ID property of external Assets returned by the Endpoint Credential Manager to determine which Gateway handles the session.
  6. Add comments to help identify this Gateway.
  7. Select Windows for the Gateway Platform. Once the Gateway has been created, this option cannot be changed.
  8. Leave the Disabled box unchecked.
  9. Check the Clustered box, if appropriate. Once the Gateway has been created, this option cannot be changed.
ℹ️

A clustered Gateway allows you to install up to ten redundant nodes of the same Gateway on different host systems on the same local network. If this option is selected, the Gateway will be available as long as at least one of the installed nodes is online. It selects the optimal node based on latency or current load. This provides redundancy, preventing the failure of all Assets associated with the failure of a single, stand-alone Gateway, and improves session routing and load balancing across clustered Gateways while maintaining redundancy.

All configuration of clustered Gateways is done in /login, with no local configuration available during the install. Once created, a clustered Gateway cannot be converted to stand-alone, nor a stand-alone Gateway converted to clustered.

🚧

Important info

Gateway cluster nodes must be installed on hosts residing in the same local area network.

  1. If you want users to be able to connect to SSH-enabled and Telnet-enabled network devices through this Gateway, check Enable SSH Method.

  2. From the Gateway edit page, you can authorize users to start sessions through this Gateway. After the Gateway has been created, you can also grant access to groups of users from Users & Security > Group Policies.

  3. Under RDP Service Account, select the vault account to be used by the Gateway to run a user-initiated client on the RDP server. This allows you to collect additional event information from an RDP session started with this Gateway. This account is used only if the Remote RDP Asset is configured to enable the Session Forensics functionality. This option is not available for Linux Gateways.

    ℹ️

    The RDP Service Account setting must not use a local admin account, and must use a domain account with sufficient privileges on the endpoint to remotely connect to the endpoint's ADMIN$ share, remotely create and start services on the endpoint machine, and access remote file systems.

  4. If you check Enable Proxy, you can set up this Gateway to function as a proxy server, allowing it to proxy connections for Assets on the network that do not have a native internet connection, such as POS systems. Using a Gateway as a proxy routes traffic only to the B Series Appliance.

    You can enable a Proxy on either a standalone Gateway or a Gateway cluster. If you set up a Gateway cluster as a Proxy, then if an endpoint is connected to one Proxy and that system goes down, the endpoint can connect to another Proxy in the cluster.

    • Optionally, under Proxy Host, you can enter the hostname of the machine on which this Gateway will be installed. Do not start the hostname with http:// or https://. IP addresses are not recommended as they might change. The Gateway automatically detects the hostname if one is not provided. If this is a clustered Gateway, this field does not appear, and the Gateway automatically detects the hostname on install. If the hostname changes, you may have to redeploy any Assets that use this Gateway as a proxy.

    ℹ️

    The Proxy Host and port should be set carefully: any Asset deployed using this Gateway as a proxy server uses the settings available to it at the time of deployment, and those settings are not updated should the host or port change. If the host or port is changed, the Asset must be redeployed.

    In order for a Gateway to function as a Proxy, its host system cannot reside behind a proxy. The Gateway must be able to access the internet without having to supply proxy information for its own connection.


    🚧

    Important information

    In previous versions, proxy configuration was available only for non‑clustered Gateways, which prevented consistent configuration across deployment types.

    As of RS 26.1.1, you can specify the Proxy Host and Proxy Port which enables the clustered Gateway to forward traffic through an upstream Gateway or through a specific node within another Gateway cluster.

    Image of the Proxy Configuration fields.
    • Under Proxy Port, enter the port through which Assets will connect to this Gateway. If the port changes, you may have to redeploy any Assets that use this Gateway as a proxy.
    • Check Allow HTTP GET to enable HTTP connections to proxy to the B Series Appliance. This is needed only if you want to use a browser to access /login or /console from behind the proxy.
    • Under Restriction Type, select No access restrictions to allow Asset connections from any IP address. You can limit allowed connections by selecting Deny access only for the following IP addresses or Allow access only from the following IP addresses, then entering network address prefixes, one per line. Netmasks are optional, and they can be given in either dotted-decimal or integer bitmask format. Entries that omit a netmask are assumed to be single IP addresses.
  5. Under Allowed Users, you may authorize users to start sessions through this Gateway. After you have created the Gateway, you can also grant access to groups of users from Users & Security > Group Policies.

  6. Save the configuration. The new Gateway appears in the list of configured Gateways.

ℹ️

Once you have installed the Gateway and started it at least once, Remote Support populates the table with the hostname of the system it is installed on, as well as with that system's public and private IP addresses. This information can help you locate the Gateway's host system in case you need to change the Gateway's configuration.
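
The Restriction Type rules from step 4 above can be dry-run before they are saved. This added example (not BeyondTrust code) parses a list in the format described there and reports which source addresses it would admit; the mode labels `none`, `deny` and `allow`, the function names and the sample list are assumptions made for illustration, and the product's own parser may accept or reject entries differently.

```python
import ipaddress

# Constructed sample list, one entry per line, reusing the example networks
# from this page. The last two entries are deliberately sloppy or malformed.
SAMPLE_LIST = """\
192.168.44.0/255.255.255.0
192.168.16.0/24
192.168.154.1
10.9.8.7/16
not-an-ip
"""


def parse_entries(text):
    """Return (networks, warnings) for a restriction list, one entry per line."""
    networks, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # ip_network() accepts a dotted-decimal netmask (/255.255.255.0) or
            # an integer bitmask (/24); with no netmask it yields a single host.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            warnings.append(f"line {lineno}: {entry!r} rejected ({exc})")
            continue
        if net.prefixlen == 0:
            warnings.append(f"line {lineno}: {entry!r} matches every address")
        elif "/" in entry and ipaddress.ip_interface(entry).ip != net.network_address:
            warnings.append(f"line {lineno}: {entry!r} has host bits set, read as {net}")
        networks.append(net)
    return networks, warnings


def is_allowed(source_ip, mode, networks):
    """Apply one of the three Restriction Type choices to a source address.

    mode: 'none'  = No access restrictions
          'deny'  = Deny access only for the following IP addresses
          'allow' = Allow access only from the following IP addresses
    """
    ip = ipaddress.ip_address(source_ip)
    listed = any(ip in net for net in networks)
    if mode == "none":
        return True
    if mode == "deny":
        return not listed
    if mode == "allow":
        return listed
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    nets, notes = parse_entries(SAMPLE_LIST)
    for note in notes:
        print("WARNING", note)
    for src in ("192.168.44.20", "192.168.154.2", "172.16.0.5"):
        print(src, {m: is_allowed(src, m, nets) for m in ("none", "deny", "allow")})
```

An entry such as 10.9.8.7/16 is the case worth catching in review: it reads like one host but covers the whole 10.9.0.0/16 range.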

Download

Now that your Gateway is configured, you must install the Gateway on a single system in the remote network you wish to access. This system serves as the gateway for Sessions with other computers on the remote network. You can either install the Gateway directly to the host or email the installer to a user at the remote system. If this is to be a clustered Gateway, you will be able to add nodes later.

  1. From the table, find the appropriate Gateway and click the link to download the installer file (sra-jpt-{uid}.exe).
  2. If you are logged into the system you want to use as the Gateway host, you can run the installation file immediately.
  3. Otherwise, save the file and then transfer it to and deploy it onto the system that will serve as the Gateway host.
ℹ️

  • If you need to change the Gateway's host system, click Redeploy. This uninstalls the Gateway from its current location and makes the download links available. You can then install the Gateway on a new host. The new Gateway replaces the old one for any existing Assets that are associated with it. The new Gateway does not copy over the configuration from the old Gateway and must be reconfigured during installation.
  • The Gateway EXE installer can be deployed through a command line interface or a systems management utility, such as Microsoft Intune. When deploying an EXE installer, the /S option can be specified for a silent installation, without any user interaction on the target system. When the /S option is used, the Gateway installer uses the default installation options.
sra-jpt-24cf209c6aab939fc418813b9723995ev.exe /S
ℹ️

The Gateway installer expires 7 days after the time of download.

Install

  1. From the system that will host the Gateway, run the installation package. When the installation wizard appears, click Next.
  2. Read and accept the waiver agreement. You must accept the agreement to be able to proceed with the installation.
  3. Read and agree to the disclaimer.
  4. Choose where you would like the Gateway to install. The default location is C:\Program Files\BeyondTrust\Gateway\your-site or C:\Program Files (x86)\BeyondTrust\Gateway\your-site. Click Install.
  5. If you are installing a single Gateway, the Gateway Configuration application opens to allow you to configure further settings, documented below. If you are installing a clustered Gateway node, the installation finishes.
  6. After installing the Gateway, you receive a confirmation message. Click Finish.

Clustered Gateway setup: add nodes

The steps for creating a clustered Gateway in /login are the same as for a standalone, except that once you have created the clustered Gateway, you can add nodes to it. At least one node needs to be installed for the Gateway to be online.

Click the Add Node link to download the installer file.

Image of the Add Node link.

If you have access to the system you want to use as the Gateway host, you can run the installation file immediately.

Otherwise, save the file and then email it to the remote user to deploy on the system that will serve as the Gateway host.

Follow the prompts and install the node. Note that there are no configuration screens. Once the node is installed, the clustered Gateway shows the new node as installed, along with associated information such as the public and private IP addresses, whether a node is online or offline, and the number of nodes installed.

Nodes can be deleted but cannot be individually edited. In the representative console, none of the nodes are visible; only the Gateway under which they are installed is visible. Nodes function as redundant connection points. When a user needs to use the Gateway, Remote Support selects one of the nodes at random. At least one node must be online for the Gateway to work.

ℹ️

A clustered Gateway allows you to install up to ten redundant nodes of the same Gateway on different host systems on the same local network. If this option is selected, the Gateway will be available as long as at least one of the installed nodes is online. This provides redundancy, preventing the failure of all Assets associated with the failure of a single, stand-alone Gateway, and improves load balancing across the system. All configuration of clustered Gateways is done in /login, with no local configuration available during the install. Once created, a clustered Gateway cannot be converted to stand-alone, nor a stand-alone Gateway converted to clustered.

Deploy behind proxy

ℹ️

In the case of clustered Gateways, keep in mind that there is no customization available at the local level. As a result, you will not see the configuration window that allows for Proxy or other configuration items available for stand-alone Gateways. If you are installing a clustered Gateway, you may skip the following steps and go directly to Clustered Gateway setup: add nodes.

For a Gateway to be deployed on a remote network that is behind a proxy, appropriate proxy information may be necessary for the Gateway to connect back to the B Series Appliance.

  1. From the dropdown on the Proxy tab in the Gateway Configuration application, select Basic or NTLM to configure proxy settings.
  2. Enter the Proxy Host, Proxy Port, Username, and Password, and then click OK. The Gateway supplies this proxy information whenever connecting to another system on the remote network, providing the credentials necessary to download and run the customer client on the target system.

Gateway through a Gateway deployed as a proxy server

You can configure a Gateway to go through another Gateway deployed as a proxy server. This allows secure access to isolated, non-routable, OT networks without being constrained to only Jump Clients. Follow these steps:

  1. On System 1, install a Gateway configured as a Proxy server.
  2. On System 2, which can be non-routable and on a network isolated from the internet, install a Gateway.
  3. On System 2, configure the Gateway's basic proxy configuration to point to the Proxy on System 1.
  4. You can now create new Assets using the Gateway on System 2, for endpoints in the same isolated network as System 2, and start sessions with them through the Proxy on System 1.
ℹ️

The Proxy, whether standalone or clustered, must be deployed to the target network before installing the Jump Client or Gateway used to create Assets. This enables automated discovery of the broadcasting proxy.

Automated discovery works only if the installing Gateway or Jump Client is on the same subnet as the Proxy or if you have configured mDNS broadcasts to route across networks.

Configure multiple outbound Gateway proxies

A Gateway can connect to other Proxies, allowing you to reach endpoints in target networks across multiple layers bridged by interconnected Gateways.

For example, there are three networks: Network A, Network B, and Network C. You want a Jump Client in Network C to be able to communicate with the appliance. Only Network A has direct access to the appliance, while Networks B and C have no direct access to the appliance, as they are in separate subnets. These networks can communicate with each other only if a route exists between them, either through static routing or a router.

To resolve this problem so that Network C can communicate with the appliance, you need to create multiple Proxies that communicate with each other.

Image of the Outbound Proxy steps.
Image of the Outbound Proxy workflow diagram.

Step one. To configure Network C (192.168.44.1) as an outbound proxy to communicate with the inbound Proxy in Network B (192.168.16.1):

  1. Follow the steps in the Configure section.

  2. From the table, find the appropriate Gateway and click the link to download the installer file.

  3. If you have access to the system you want to use as the Gateway host, you can run the installation file immediately. Otherwise, save the file and then email it to the remote user to deploy on the system that will serve as the Gateway host.

  4. From the system that will host the Gateway, run the installation package. When the installation wizard appears, click Next.

  5. Read and accept the waiver agreement. You must accept the agreement to be able to proceed with the installation.

  6. Read and agree to the disclaimer.

  7. Choose where you would like the Gateway to install. The default location is C:\Program Files (x86)\BeyondTrust\Gateway\your-site.

  8. Click Install.

  9. If you are installing a single Gateway, the Gateway Configuration application opens to allow you to configure proxy settings.

  10. On the Proxy tab, select Gateway for the Proxy Configuration for Access Sessions section.

  11. For Proxy Host, enter an address. For this example, enter 192.168.16.1.

  12. For Proxy Port, enter a number or a port that is defined in your organization. The default port number is 9555. For this example, use the default port number.

  13. Click OK, then Finish.

Step two. To configure Network B (192.168.16.1) as an outbound proxy to communicate with the inbound Proxy in Network A (192.168.154.1), repeat steps 1-12, but for Proxy Host, enter 192.168.154.1.

The network path is now configured for Jump Clients and Gateways from Network C through Network B to Network A, allowing Network C to communicate with the appliance.

Intel® vPro

ℹ️

Intel vPro configuration is available only for stand-alone Gateways. Clustered Gateways do not have this option.

Using Intel® Active Management Technology, privileged users can support fully provisioned Intel vPro Windows systems below the OS level, regardless of the status or power state of these remote systems. Configure this Gateway to enable vPro connection by going to the Intel® vPro tab and checking Enable Intel® vPro.

ℹ️

For a representative to use Intel® vPro support, they must be granted access to a Gateway with Intel® vPro enabled and must have the user account permission Allowed Connection Types: Intel® vPro.

Authentication

  1. Under Authentication, designate how the Gateway should attempt to authenticate to vPro-provisioned computers. Regardless of the authentication method, the provided credentials must match the authentication settings in the AMT firmware on the vPro systems.

  2. To require representatives to provide credentials each time they connect to a vPro computer, select Basic Digest Password and then Prompt Representative for credentials.

    Prompting for credentials is useful if the vPro systems on this network do not share a common username and password. However, since the vPro AMT firmware is entirely separate from any user accounts on the computer, administrators frequently provision all vPro systems to have the same credentials.

ℹ️

There is little security risk in storing credentials in the Gateway. To use vPro support, a representative must have not only the vPro user account privilege but also access to the vPro-enabled Gateway. Therefore, prompting for credentials may be an unnecessary measure.

  1. If the same credentials are used for all vPro systems on the network, you can select Basic Digest Password and then Use the following credentials for all connections. With this configuration, representatives are never prompted for vPro credentials; the Gateway automatically supplies the stored username and password for all vPro connections.
  2. If you select Kerberos, the Gateway supplies the credentials for the account that the Gateway service is running as. These credentials can be modified to be a specific account that has permissions to access the AMT system. This configuration assumes that the account hosting the Gateway uses the same credentials as all provisioned vPro systems to which you wish to connect. With this configuration, representatives are never prompted for vPro credentials.

Encryption

  1. On the Encryption tab, set how the Gateway encrypts vPro network traffic.
  2. If the remote vPro systems are provisioned not to use TLS encryption, simply select No Encryption.
  3. Otherwise, select TLS Encryption and define the path to the Base 64-encoded CER file which contains the certificates used during the provisioning of the remote vPro systems.

Disk redirection

  1. Under Disk Redirection, specify the folder location of any ISO or IMG disk images you would like to make available for mounting in a vPro session. Representatives can use these files for IDE-R, booting the remote vPro system to a disk image rather than the hard drive.

Shell

ℹ️

While Shell can be enabled and disabled from /login for both stand-alone Gateways and clustered Gateways, further configuration is available only to stand-alone Gateways; therefore, this section of the guide applies to stand-alone Gateways only.

The Shell tab determines how this Gateway can be used to connect to SSH-enabled and Telnet-enabled network devices.

ℹ️

Shell must also be enabled on the Asset Management > Gateway page of the administrative interface. For a representative to use Jump, they must be granted access to a Gateway with Jump enabled and must have the user account permission Allowed Connection Types: SSH.

Policy

  1. On the Policy tab, if Open Access is selected, permitted representatives can connect to any remote device by entering its hostname or IP address or by selecting it from a list of provisioned devices.
  2. If Limited Access is selected, representatives can connect to provisioned devices or can enter a device's hostname or IP address, provided that it falls within the parameters set by the host list on the Limited tab.
  3. If Provisioned Only is selected, representatives can Shell only to provisioned devices.

Limited

  1. If limited access is enabled on the Policy tab, the Limited list accepts IP addresses and CIDR subnet masks to which connection is limited.

Provisioned

  1. Configure access to provisioned Shell targets by going to the Provisioned tab and clicking Add.
  2. Enter a Name to help representatives identify this device when starting a Shell Session with it.
  3. Enter the device's hostname or IP address.
  4. Choose the Protocol to use, either SSH or Telnet.
  5. Port automatically switches to the default port for the selected protocol but can be modified to fit your network settings.
  6. Select the Terminal Type, either xterm or VT100.
  7. If you are using SSH, you can choose to use Public Key Authentication. If you choose to do so, select a Private Key to use. Private keys are configured from the Private Keys tab.
  8. Representatives connecting to this provisioned device may connect only with the Username you provide.
  9. You can also select to Send Keep-Alive Packets to keep idle sessions from ending. Enter the number of seconds to wait between each packet send.

Private keys

  1. If you are using SSH, you can upload a key file to use by going to the Private Keys tab and clicking Add.
  2. Give this key a Name and click the ellipsis to browse to the key File you wish to use. Keys must be in OpenSSH format. The ssh-keygen utility can be used to generate an OpenSSH format key file if needed.
  3. If a Password is required, you can check Store key file password to save the password for all representatives to use, or you can require representatives to enter the key file password each time they connect to a provisioned device using this key.

SSH host keys

  1. You can add SSH Host Keys prior to a representative's connecting to that host. If no host key is cached, the representative receives a message alerting them that the server's host key is not cached and that there is no guarantee that the server is the computer they think it is. Caching a server's host key prior to connection can help prevent confusion.
  2. Enter the Hostname or IP address.
  3. Enter the Port the device uses.
  4. The server then returns its host key, which you should verify.
  5. Click Update to poll the device for its host key; the device lets you know if the host key has changed.
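
One way to carry out the verification in step 4, as an added example that is not BeyondTrust code: compute the fingerprint of the returned public key and compare it with a fingerprint read from the device over a trusted channel, such as `ssh-keygen -lf` run on its console. It assumes you can copy the key as an OpenSSH public key line; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct


def parse_public_key(line):
    """Return (key_type, blob) from '<key-type> <base64-blob> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type = fields[0]
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from None
    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line was truncated or edited while being copied.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob


def fingerprints(line):
    """Return the SHA256 and legacy MD5 fingerprints in OpenSSH notation."""
    _, blob = parse_public_key(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    pairs = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return {"sha256": "SHA256:" + sha, "md5": "MD5:" + pairs}


def matches(line, expected):
    """True if `expected` (either notation) is the fingerprint of the key in `line`."""
    fps = fingerprints(line)
    candidate = expected.strip()
    if candidate.upper().startswith("MD5:"):
        return fps["md5"].lower() == candidate.lower()
    return fps["sha256"] == candidate  # base64 is case-sensitive


def constructed_key_line(seed):
    """Build a syntactically valid ssh-ed25519 line from filler bytes (sample data only)."""
    body = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(body).decode() + " constructed-sample"


if __name__ == "__main__":
    recorded = fingerprints(constructed_key_line(1))["sha256"]  # taken out-of-band
    returned = constructed_key_line(1)    # key returned when the host was added
    after_update = constructed_key_line(2)  # a different key seen on a later poll
    print("recorded fingerprint:", recorded)
    print("initial key matches:", matches(returned, recorded))
    print("key after update matches:", matches(after_update, recorded))
```

A mismatch after Update means the device now presents a different key than the one recorded; confirm the change with the device owner before caching the new key.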

TTL

ℹ️

TTL configuration is available only for stand-alone Gateways. Clustered Gateways do not have this option.

A date and time can be set to specify when the Gateway should become active and when it should automatically uninstall. Setting these delimiters determines the duration of time for which users can access the remote network through this Gateway.

  1. To activate this Gateway as soon as its setup is complete, select Always Active.
  2. Alternatively, select Do Not Activate Until, and then set a date and time upon which this Gateway should become active.
  3. To keep this Gateway available without a designated uninstall date, select Do Not Automatically Uninstall.
  4. Otherwise, select Automatically Uninstall At, and then set a date and time upon which this Gateway should uninstall itself.
