Connect to a remote system | RS

Once a Gateway has been installed on a remote network, permitted representatives can use the Gateway to initiate sessions with Windows and Linux computers on that same network, even if those computers are unattended. Additionally, a permitted representative can connect to computers on the same network segment as their local system, even without a Gateway.

A Gateway can be used to start a standard support session, to start a Remote Desktop Protocol session or VNC session, to connect to a SSH-enabled or Telnet-enabled network device, or to start a session with an Intel® vPro Windows system. Support sessions, RDP sessions, and VNC sessions can also be started with systems on the same network segment.

ℹ️

Linux Gateways can only be used for RDP and SSH/Telnet sessions.

Start a Local or Remote Session

To Jump through a Gateway, you must have access to a Gateway and must have the user account permission Allowed Connection Types: Remote Jump. To Jump on your local network, you must have the user account permission Allowed Connection Types: Local Jump.

To Jump without a pre-installed client, open the Connect to…** dialog from:

• The Support menu of the representative console
• The Start button at the top of the representative console
• The Connect to** button at the top of the representative console
• Or Create a Remote Jump in the web rep console

1. From the Gateway dropdown, select the network that hosts the computer you wish to access. Depending on your account permissions, you can connect to a system on your local network or to a network on which a Gateway is installed.
2. Select the public portal you wish to associate your session with. This lets the system know what customer agreement behavior should occur.
3. Enter the hostname or IP address of the system you wish to access. Alternatively, if network browsing is enabled from the /login > Asset Management > Gateway page, you can click the [...] button to browse the directory tree.
4. Once you have located the computer you wish to access, click Jump.
   You must provide administrative credentials to the remote computer in order to complete the Jump. The administrative rights must be either a local administrator on the remote system or a domain administrator.

The client files are pushed to the remote system, and a session attempts to start. Depending on the session permissions, the end-user may be prompted to accept or deny the session. If no response is received within a defined interval of time, the session either starts or cancels, again depending on the session permissions.

ℹ️

• If you need to access systems through a Gateway when no user is available, make sure the public portal permissions and your account permissions are set either to disable prompting or to default to Allow.
• Assets can be set to allow multiple users to simultaneously access the same Asset. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

Local or Remote RDP

Use BeyondTrust to start a Remote Desktop Protocol (RDP) session with a remote Windows or Linux System. Because RDP sessions are converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site.

To use Local RDP through BeyondTrust, you must be on the same network segment as the target system and must have the user account permission Allowed Connection Types: Local RDP.

To use Remote RDP through BeyondTrust, you must have access to a Gateway and must have the user account permissions Allowed Connection Types: Remote RDP.

1. To start an RDP session, open the Remote Desktop Protocol dialog from:

• The Support menu of the representative console
• The RDP button at the top of the representative console
• Or Create a Remote RDP Jump in the web rep console

2. From the Gateway dropdown, select the network that hosts the computer you wish to access. If you generally access the same Gateway, check Remember as my preferred choice. Enter the Hostname / IP of the system you wish to access.
   By default, the RDP server listens on port 3389, which is therefore the default port BeyondTrust attempts. If the remote RDP server is configured to use a different port, add it after the hostname or IP address in the form of or (for example, 10.10.24.127:40000).
3. Provide the Username to sign in as, along with the Domain.
4. Select the Quality at which to view the remote screen. This cannot be changed during the RDP session. Select the color optimization mode to view the remote screen. If you are going to be primarily sharing video, select Video Optimized; otherwise, select between Black and White (uses less bandwidth), Few Colors, More Colors, or Full Color (uses more bandwidth). Both Video Optimized and Full Color modes allow you to view the actual desktop wallpaper.
5. To start a console session rather than a new session, check the Console Session box.
6. If the server's certificate cannot be verified, you receive a certificate warning. Check Ignore Untrusted Certificate to connect to the remote system without seeing this message.
7. Move Assets from one Asset Group to another using the Asset Group dropdown. The ability to move Assets to or from different Asset Groups depends upon your account permissions.
8. Further organize Assets by entering the name of a new or existing Tag. Even though the selected Assets are grouped together under the tag, they are still listed under the Asset Group in which each is pinned. To move an Asset back into its top-level Asset Group, leave this field blank.
9. Select the Public Portal through which this Asset should connect. If a session policy is assigned to this public portal, that policy may affect the permissions allowed in sessions started through this Asset. The ability to set the public portal depends on your account permissions.
10. Assets include a Comments field for a name or description, which makes sorting, searching, and identifying Assets faster and easier.
11. To set when users are allowed to access this Asset, choose a Asset Policy. These policies are configured by your administrator in the /login interface.
12. Choose a Session Policy to assign to this Asset. The session policy assigned to this Asset has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.
13. To import an RDP file, click the Import button. This prepopulates some of the fields required for the RDP connection.
14. To begin the RDP session, click Jump.
    You are prompted to enter the password for the username you specified earlier.
15. Your RDP session now begins. Begin screen sharing to view the remote desktop.
    You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, and share clipboard contents. You can also share or transfer the RDP session with other logged-in BeyondTrust users, following the normal rules of your user account settings.

Multi-monitor support

An option allows you to open a Remote Support connection expanded across all the monitors on the client computer regardless of the client monitor configuration. With this feature, you can fully utilize all the monitors connected to the client computer, therefore being able to adjust screen sizing and scaling during an RDP session across multiple monitors.

ℹ️

• If you are using full screen view while using this feature, the remote system is displayed across all of your monitors.
• Assets can be set to allow multiple users to simultaneously access the same Asset. If set to Start New Session, then a new independent session starts for each user who Jumps to a specific RDP Asset. The RDP configuration on the endpoint controls any further behavior regarding simultaneous RDP connections.

VNC

Use BeyondTrust to start a VNC session with a remote system. Because VNC sessions are converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as defined by your administrator for your site.

To use Local VNC through BeyondTrust, you must be on the same network segment as the target system and must have the user account permission Allowed Connection Types: Local VNC.

To use Remote VNC through BeyondTrust, you must have access to a Gateway and must have the user account permission Allowed Connection Types: Remote VNC.

1. To start a VNC session, open the VNC dialog from:

• The Support menu of the representative console
• The VNC button at the top of the representative console
• Or Create a Remote VNC Jump in the web rep console

2. From the Gateway dropdown, select the network that hosts the computer you wish to access. If you generally access the same Gateway, check Remember as my preferred choice. Enter the Hostname / IP of the system you wish to access.
3. By default, the VNC server listens on port 5900, which is, therefore, the default port BeyondTrust attempts. If the remote VNC server is configured to use a different port, enter it in the Port field.
4. To begin the VNC session, click Jump.

ℹ️

Assets can be set to allow multiple users to simultaneously access the same Asset. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.

Jump

With Jump, quickly connect to an SSH-enabled or Telnet-enabled network device to use the command line feature on that remote system. For example, run a standardized script across multiple systems to install a needed patch, or troubleshoot a network issue.

To perform a Jump through BeyondTrust, you must have access to a Gateway with Jump enabled, and you must have the user account permission Allowed Connection Types: SSH.

1. To start a Shell Session, open the Jump dialog from:

• The Support menu of the representative console
• The SSH button at the top of the representative console
• Or Create a Jump in the web rep console

Your Gateway may be configured for provisioned connection only.

2. From the Gateway dropdown, select the network that hosts the computer you wish to access.
3. If you generally access the same Gateway, check Remember as my preferred choice.
4. Select the provisioned system you wish to access. Alternatively, your Gateway may be configured for open access or limited access.
5. From the Gateway dropdown, select the network that hosts the computer you wish to access. If you generally access the same Gateway, check Remember as my preferred choice.
6. To access a provisioned system, check Use Provisioned and select the system from the dropdown.
7. Alternatively, enter the Hostname / IP of the system you wish to access. If your Gateway is configured for limited access, the remote system must be in the delimited IP address range.
8. You can choose to Send Keep-Alive Packets to keep idle sessions from ending. Enter the number of seconds to wait between each packet sent.
9. Choose the Protocol to use, either SSH or Telnet.Port automatically switches to the default port for the selected protocol but can be modified to fit your network settings.Select the Terminal Type, either xterm or VT100.
10. Click Jump
    If attempting to connect to an SSH device without a cached host key, you receive an alert that the server's host key is not cached and that there is no guarantee that the server is the computer you think it is.
11. If you choose Save Key and Connect, then the key is cached on the Gateway's host system so that future attempts to connect to this system do not result in this prompt. Connect Only starts the session without caching the key, and Abort ends the Shell Session.
12. If you connect to an SSH device with keyboard interactive MFA enabled, there is a secondary prompt for input.
    When you connect to a remote device, a command shell session immediately starts with that device. If you connect to a provisioned SSH device with an unencrypted key or with an encrypted key whose password has been cached, you are not prompted for a password. Otherwise, you are required to enter a password. You can then send commands to the remote system.

Intel vPro

Using Intel® Active Management Technology, privileged users can support fully provisioned Intel vPro Windows systems below the OS level, regardless of the status or power state of these remote systems. To use Intel vPro, you must have access to a Gateway with Intel vPro enabled and must have the user account permission Allowed Connection Types: Intel® vPro.

ℹ️

• Remote systems using vPro with AMT version 5 or higher may be supported with BeyondTrust.
• Intel vPro is not supported with clustered Gateways.

1. To start a session with an Intel vPro system, open the Intel® vPro dialog from:

• The Support menu of the representative console
• The Intel® vPro button at the top of the representative console

2. From the Gateway dropdown, select the network that hosts the computer you wish to access. If you generally access the same Gateway, check Remember as my preferred choice. Enter the Hostname / IP of the system you wish to access.
3. Click Jump.
4. Depending on your Gateway setup, you might be prompted to enter a username and password.
   The Gateway detects the provisioned vPro hardware. If the credentials, provided during either the Gateway configuration or the Jump attempt, match the credentials of the vPro-provisioned system, the connection is initiated.
5. Depending on how the vPro computer is provisioned, you might be prompted to enter a user consent code before performing certain actions.
6. If a consent code is required, a pop-up appears on the remote screen. An end user must provide you with this code before you can gain hardware access.
7. Once the connection is made, you have control of the remote vPro hardware. You can then use the vPro session tools to work on the remote system.

ℹ️

Assets can be set to allow multiple users to simultaneously access the same Asset. If set to Join Existing Session, other users are able to join a session already underway. The original owner of the session receives a note indicating another user has joined the session, but is not allowed to deny them access.