B Series Appliance in the network
What is network infrastructure?
Network infrastructure refers to the hardware, software, and services required to operate and manage a network. It includes physical devices like routers, switches, firewalls, servers, and cables, along with the protocols and services that facilitate communication between them. It also encompasses wireless technologies, cloud services, and data storage systems that ensure connectivity and security across the network.
Why is network infrastructure important?
Network infrastructure is critical to the B Series Appliance because it ensures secure, reliable communication between the appliance and other systems within your network. The appliance relies on the network to route application data, provide remote support, and manage privileged access sessions securely. A robust network infrastructure, including firewalls, routers, and secure connections, supports the appliance's ability to function properly in a secure environment, whether placed internally or in a demilitarized zone (DMZ). Proper network infrastructure minimizes security risks, ensures high availability, and allows the appliance to scale with your organization's needs.
The role of the B Series Appliance in BeyondTrust architecture
The architecture of the BeyondTrust application environment relies on the B Series Appliance as a centralized routing point for all communications between application components. All BeyondTrust sessions between users and remote systems occur through the server components that run on the B Series Appliance. To protect the security of the data in transit, BeyondTrust uses TLS to encrypt all application communications.
BeyondTrust's architecture offers customers the ability to choose how and where the B Series Appliance is deployed. Additionally, customers may configure the security features such that the BeyondTrust deployment complies with applicable corporate policies or regulations. Security features include role-based access control and secure password requirements.
BeyondTrust enables remote control by creating a remote outbound connection from the endpoint system to the B Series Appliance through firewalls. For BeyondTrust to provide remote control securely, the B Series Appliance is designed to use the most common network infrastructure or architecture that supports internet-accessible applications - a demilitarized zone (DMZ) with firewall protection.
The B Series Appliance is designed and tested to ensure it works properly and securely in internet environments. While the B Series Appliance can be deployed internal or external to your organization, to achieve optimal security, BeyondTrust recommends that you place the B Series Appliance inside the DMZ, as illustrated. This diagram shows the recommended configuration for one B Series Appliance.
By locating the B Series Appliance in the DMZ, the B Series Appliance is within the secure buffer zone. Since all BeyondTrust sessions are initiated via outbound connections from the client to the B Series Appliance, it is possible to remotely control computers using BeyondTrust through the firewalls.
Network infrastructure
DNS: Each B Series Appliance needs a physical connection to the network and its own IP address. Additionally, a Domain Name System (DNS) A record or a Canonical Name (CNAME) record pointing to each B Series Appliance is recommended. A simple yet descriptive name is the most useful approach. For instance, a company named 'Example' might use support.example.com for its DNS record.
Some companies have network standards and guidelines for DNS names that may increase the complexity of the site name. For instance, the 'Example' company might require every DNS name to include the geographical region and department within the name, such as usa.hr.example.com. This name is difficult to use and remember. In this instance, the best practice is to create a CNAME for the simple name that points to the complex name, and so ultimately to the B Series Appliance and public site. The CNAME target is usa.hr.example.com, as shown below:
Name | Type | Value
---|---|---
support.example.com | CNAME | usa.hr.example.com
usa.hr.example.com | A | 192.0.2.23
Here is one more example, using the common foo/bar terminology:
Name | Type | Value
---|---|---
foo.example.com | CNAME | bar.example.com
bar.example.com | A | 192.0.2.23
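The record layout above is easy to get wrong once a CNAME points at another name that is itself renamed or removed. The following script, added here as an example and not part of the BeyondTrust documentation, walks a CNAME chain over a constructed set of zone records and confirms that each friendly name ends at an A record for the appliance address used in the guide (192.0.2.23). It also catches the failure modes a DNS change can introduce: a CNAME loop, a dangling CNAME whose target has no record, and an A record that points at the wrong address. The zone dictionary, the broken entries and the second example address are constructed for the demonstration; in practice the records come from your DNS server.

```python
"""Check that a friendly DNS name resolves, through any CNAME chain, to the appliance."""

# Constructed zone data modelled on the records in this guide; in practice these
# come from your DNS server, not from a dictionary.
ZONE = {
    "support.example.com": ("CNAME", "usa.hr.example.com"),
    "usa.hr.example.com": ("A", "192.0.2.23"),
    "foo.example.com": ("CNAME", "bar.example.com"),
    "bar.example.com": ("A", "192.0.2.23"),
    # Deliberately broken entries (constructed) to exercise the failure paths.
    "loop-a.example.com": ("CNAME", "loop-b.example.com"),
    "loop-b.example.com": ("CNAME", "loop-a.example.com"),
    "dangling.example.com": ("CNAME", "missing.example.com"),
    "stale.example.com": ("A", "192.0.2.99"),
}

APPLIANCE_IP = "192.0.2.23"  # the address from the guide's example records


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAME records from `name` and return (final_name, ipv4).

    Raises ValueError on a CNAME loop or an over-long chain, and LookupError
    when a name in the chain has no record (a dangling CNAME).
    """
    current = name.rstrip(".").lower()
    chain = []
    while True:
        if current in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [current]))
        chain.append(current)
        if len(chain) > max_hops:
            raise ValueError("CNAME chain longer than %d hops" % max_hops)
        record = zone.get(current)
        if record is None:
            raise LookupError("no record for %s (dangling CNAME?)" % current)
        rtype, value = record
        if rtype == "A":
            return current, value
        if rtype == "CNAME":
            current = value.rstrip(".").lower()
            continue
        raise ValueError("unexpected %s record for %s" % (rtype, current))


def check_name(name, appliance_ip=APPLIANCE_IP, zone=ZONE):
    """Return (ok, message) for one name without raising, so it can run over a list."""
    try:
        final, ip = resolve(name, zone)
    except (LookupError, ValueError) as exc:
        return False, "%s: %s" % (name, exc)
    if ip != appliance_ip:
        return False, "%s -> %s resolves to %s, expected %s" % (name, final, ip, appliance_ip)
    return True, "%s -> %s -> %s" % (name, final, ip)


if __name__ == "__main__":
    for n in ("support.example.com", "foo.example.com", "loop-a.example.com",
              "dangling.example.com", "stale.example.com"):
        ok, msg = check_name(n)
        print("OK  " if ok else "FAIL", msg)
```

Running the same check against live DNS only requires replacing the dictionary lookup with a query to your resolver; the loop and hop-count guards are what keep a misconfigured zone from hanging the check.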
Deployment options
DMZ deployment (recommended)
Deploying the B Series Appliance into a perimeter-based DMZ segment meets security best practice standards and is BeyondTrust's recommended location for the secure deployment of the device. A DMZ, or demilitarized zone, is a network that is protected by access control mechanisms. Access control may be provided by a firewall device, a router, or a switch that provides port and address filtering capabilities. The purpose of the DMZ is to limit access to systems that are deployed within it. In the case of the B Series Appliance, the DMZ limits connectivity to the device and allows access only to the appropriate ports.
Pros:
- Security best practice.
- The DMZ provides access control, network segmentation and filtering, and additional logging capabilities.
Cons:
- Requires changes to the perimeter firewall or access control device.
Note
For more information, see Example firewall rules.
External deployment
In situations where a DMZ does not exist and is not possible due to technical or business constraints, the B Series Appliance may be deployed external to the perimeter firewall. The B Series Appliance consists of a hardened operating system and applications that are designed to be directly accessible.
Pros:
- Does not require any firewall changes.
Cons:
- Implementing access controls to block traffic to the appliance is more difficult, because the available access control mechanisms may be limited.
Internal deployment
Deploying the B Series Appliance on an internal network segment is ideal when the client base is completely internal or accessible through a VPN. No firewall changes are required because the device and all of the endpoint clients are internal to the firewall. In environments where the remote systems are external to the firewall, BeyondTrust recommends this deployment location only in the event that a DMZ does not exist or when the B Series Appliance cannot be deployed externally. An internal deployment of the B Series Appliance requires numerous changes to the environment and a solid understanding of perimeter firewall controls and Network Address Translation.
Pros:
- Ideal deployment if remote access recipients are always internal to the firewall.
Cons:
- The appliance cannot be used to support systems external to the corporate firewall.
Example firewall rules
Below are example firewall rules for use with BeyondTrust, including port numbers, descriptions, and required rules. If a B Series Appliance has multiple IP addresses, outbound traffic for services such as LDAP can flow out of any configured address. Because of this, it is best practice to make firewall rules apply for all IP addresses configured on each B Series Appliance.
Rule | Description
---|---
Internet to the DMZ | 
TCP Port 80 (optional) | Used to host the portal page without the user having to type HTTPS. The traffic can be automatically redirected to port 443.
TCP Port 443 (required)* | Used for all session traffic.
UDP Port 3478 (optional) | Used to enable peer-to-peer connections if the **Use Appliance as Peer-to-Peer Server** option is selected.
Internal Network to the DMZ | 
TCP Port 80 (optional) | Used to host the portal page without the user having to type HTTPS. The traffic can be automatically redirected to port 443.
TCP/UDP Port 161 | Used for SNMP queries via IP configuration settings in the /appliance interface.
TCP Port 443 (required)* | Used for all session traffic.
DMZ to the Internet | 
TCP Port 443 to the specific host **gwsupport.bomgar.com** (optional) | Default port used to establish connections with BeyondTrust Technical Support for advanced troubleshooting/repairs.
TCP Port 443 to the specific host **btupdate.com** (optional) | You can optionally enable access from the B Series Appliance on port 443 to this host for automatic updates, or you can apply updates manually.
DMZ to the Internal Network | 
UDP Port 123 | Access NTP server and sync the time.
LDAP - TCP/UDP 389 (optional)‡ | Access LDAP server and authenticate users.
LDAP - TCP/UDP 636 (optional)‡ | Access LDAP server and authenticate users via SSL.
Syslog - UDP 514 (required for logging) | Used to send syslog messages to a syslog server in the internal network. Alternatively, messages can be sent to a syslog server located within the DMZ.
Syslog - TCP Port 6514 | Used to send syslog messages over TLS to a syslog server in the internal network. Alternatively, messages can be sent to a syslog server located within the DMZ.
DNS - UDP 53 (required if DNS server is outside the DMZ) | Access DNS server to verify that a DNS A record or CNAME record points to the B Series Appliance.
TCP Port 25, 465, or 587 (optional) | Allows the B Series Appliance to send admin mail alerts. The port is set in SMTP configuration.
TCP Port 443 (optional) | B Series Appliance to web services (e.g., HP Service Manager, BMC Remedy) for outbound events.
TCP Port 5696 | Allows the B Series Appliance to access the KMIP server located in the internal network for Data at Rest Encryption.
Internal Network to Internal Network | 
Port 389, 636 (Active Directory), 445 (Local Account Management) | Ports used for discovery and rotation of Vault accounts.
* Each of the following BeyondTrust components can be configured to connect on a port other than 443: representative console, customer client, presentation attendee client, Jumpoint, connection agent.
‡ If the LDAP server is outside of the DMZ, the BeyondTrust Connection Agent is used to authenticate users via LDAP.
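A rule table is easiest to review when it can be queried. The script below, an added example rather than BeyondTrust's own code or configuration, encodes the rule table above as a zone-based allow-list and evaluates flows against it with default deny, so that anything the table does not list (an SSH attempt from the Internet to the DMZ, an appliance connection to an arbitrary Internet host on 443) comes back denied. The two "DMZ to the Internet" rules are restricted to the named hosts, and, following the note that outbound traffic may leave from any address configured on the appliance, every appliance address maps to the DMZ zone. The zone names, the second appliance address 192.0.2.24, the 10.0.0.0/8 internal range and the sample flows are constructed for the demonstration.

```python
"""Zone-based allow-list built from the example firewall rules in this guide,
with default-deny evaluation over (zone, protocol, port) flows."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str                        # source zone: "internet", "dmz" or "internal"
    dst: str                        # destination zone
    proto: str                      # "tcp" or "udp"
    port: int                       # destination port
    dst_host: Optional[str] = None  # restrict to one named host; None = any host in dst zone
    note: str = ""


def tcp_udp(src, dst, port, note=""):
    """Table entries listed as TCP/UDP expand to one rule per protocol."""
    return [Rule(src, dst, "tcp", port, note=note), Rule(src, dst, "udp", port, note=note)]


RULES = [
    # Internet to the DMZ
    Rule("internet", "dmz", "tcp", 80, note="portal page, redirected to 443 (optional)"),
    Rule("internet", "dmz", "tcp", 443, note="all session traffic (required)"),
    Rule("internet", "dmz", "udp", 3478, note="peer-to-peer server (optional)"),
    # Internal network to the DMZ
    Rule("internal", "dmz", "tcp", 80, note="portal page (optional)"),
    *tcp_udp("internal", "dmz", 161, note="SNMP queries"),
    Rule("internal", "dmz", "tcp", 443, note="all session traffic (required)"),
    # DMZ to the Internet: only the two named hosts, nothing else
    Rule("dmz", "internet", "tcp", 443, dst_host="gwsupport.bomgar.com", note="vendor support (optional)"),
    Rule("dmz", "internet", "tcp", 443, dst_host="btupdate.com", note="automatic updates (optional)"),
    # DMZ to the internal network
    Rule("dmz", "internal", "udp", 123, note="NTP"),
    *tcp_udp("dmz", "internal", 389, note="LDAP (optional)"),
    *tcp_udp("dmz", "internal", 636, note="LDAP over SSL (optional)"),
    Rule("dmz", "internal", "udp", 514, note="syslog (required for logging)"),
    Rule("dmz", "internal", "tcp", 6514, note="syslog over TLS"),
    Rule("dmz", "internal", "udp", 53, note="DNS (required if the DNS server is outside the DMZ)"),
    *[Rule("dmz", "internal", "tcp", p, note="SMTP admin alerts (optional)") for p in (25, 465, 587)],
    Rule("dmz", "internal", "tcp", 443, note="outbound events to web services (optional)"),
    Rule("dmz", "internal", "tcp", 5696, note="KMIP for data-at-rest encryption"),
    # Internal network to internal network (Vault discovery and rotation)
    *[Rule("internal", "internal", "tcp", p, note="Vault account discovery/rotation") for p in (389, 636, 445)],
]

# Constructed addresses. The guide notes that outbound traffic may leave from any
# address configured on the appliance, so every appliance address is in the DMZ zone.
APPLIANCE_ADDRS = {"192.0.2.23", "192.0.2.24"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range


def zone_of(ip):
    """Map an IP address to a zone; anything not internal and not the appliance is 'internet'."""
    addr = ipaddress.ip_address(ip)
    if str(addr) in APPLIANCE_ADDRS:
        return "dmz"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "internet"


def find_rule(src, dst, proto, port, dst_host=None):
    """Return the first rule permitting the flow, or None: no match means deny."""
    for r in RULES:
        if (r.src, r.dst, r.proto, r.port) != (src, dst, proto.lower(), port):
            continue
        if r.dst_host is not None and r.dst_host != dst_host:
            continue
        return r
    return None


def is_allowed(src_ip, dst_ip, proto, port, dst_host=None):
    """Evaluate a flow between two addresses under the zone policy (default deny)."""
    return find_rule(zone_of(src_ip), zone_of(dst_ip), proto, port, dst_host) is not None


if __name__ == "__main__":
    samples = [  # constructed flows: (src_ip, dst_ip, proto, port, host)
        ("203.0.113.5", "192.0.2.24", "tcp", 443, None),
        ("203.0.113.5", "192.0.2.23", "tcp", 22, None),
        ("192.0.2.23", "198.51.100.7", "tcp", 443, "btupdate.com"),
        ("192.0.2.23", "198.51.100.8", "tcp", 443, "example.net"),
        ("192.0.2.23", "10.1.2.3", "udp", 514, None),
    ]
    for s in samples:
        print("ALLOW" if is_allowed(*s) else "DENY ", s)
```

Feeding exported firewall logs or a planned change through `is_allowed` is a quick way to spot a rule that is broader than the table requires, or a required port (443, 514, 53) that a change would silently close.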
Ports and firewalls
BeyondTrust solutions are designed to work transparently through firewalls, enabling a connection with any computer with internet connectivity, anywhere in the world. However, with certain highly secured networks, some configuration may be necessary.
- Ports 80 and 443 must be open for outbound TCP traffic on the remote system's and local user's firewalls. More ports may be available depending on your build. The diagram shows a typical network setup; more details can be found in B Series Appliance installation.
  Note
  BeyondTrust Cloud requires use of port 443 only.
- Internet security software such as software firewalls must not block BeyondTrust executable files from downloading. Some examples of software firewalls include McAfee Security, Norton Security, and ZoneAlarm. If you do have a software firewall, you may experience some connection issues. To avoid such issues, configure your firewall settings to allow the following executables, where {uid} is a unique identifier consisting of letters and numbers:
  - bomgar-scc-{uid}.exe
  - bomgar-scc.exe
  - bomgar-pac-{uid}.exe
  - bomgar-pac.exe
  - bomgar-pec-{uid}.exe
  - bomgar-pec.exe
- For assistance with your firewall configuration, please contact the manufacturer of your firewall software.
- See example firewall rules based on B Series Appliance location.
If you should still have difficulty making a connection, contact BeyondTrust Technical Support.