Configure the Jump Server Settings
- From the management console, go to Settings > Manage Web Application > Application Launch in the management console.
- Select Remote Servers.
Configuring Remote Servers
The Remote Servers tab identifies the available jump servers and other related settings used for launching applications. The option Enable launching applications on a remote server must also be selected on the Global tab to make use of these servers. The first time this dialog is opened no remote servers will be available for application launching.
To add a new server, click Add.
The following fields are mandatory:
- Server configuration identifier: The friendly name of the server.
- Remote server system name: The actual name of the jump server. This should be the name (FQDN, simple name, or IP) that can be reached from the client systems initiating the sessions.
- Use RemoteApp to launch the liebsoft launcher on the server: This option must be selected to remotely launch applications from the jump server using RemoteApp.
- Launcher path on jump server: The path to the launcher on the jump server. If the option Use RemoteApp to launch the liebsoft launcher on the server is enabled, this option is unavailable.
- Use RemoteApp connection broker (RDS 2012+ only)
- Connection broker: The fully qualified domain name (FQDN) of the connection broker, such as 2k12r2-3.demo.msft.
- Load balancer info: The loadbalanceinfo value from the .rdp file, such as tsv://MS Terminal Services Plugin.1.lsc.example.
Make sure your RDS collection name does not exceed 16 characters. Microsoft truncates names exceeding 16 characters when storing the name in the registry. If the truncated name does not match the configured load balancer info value, the following error message is returned "Your computer can't connect to the remote computer because the connection broker couldn't validate the settings in your RDP file."
- Use integrated Windows credentials to login to the jump server: This feature connects to the jump server using user credentials rather than a specific jump server login. This occurs when the following requirements are met:
- The jump server is properly configured for web single-server sign-on
- The web application is also configured for use with integrated authentication
- The user logs in using integrated authentication
- The login user has permissions to launch the application and RDP to the server
- Prompt for login credentials to application server: This prevents credentials from being automatically provided when connecting to the jump server. The user performing the application launch must provide credentials for the jump server.
- Login credential system name: Enter the name of the system as it appears in BeyondTrust Privileged Identity. If the application launcher is using stored (managed) credentials to log into the jump server, this field must be completed. It is recommended to use a domain credential for this purpose.
- Login credential account name: Enter the name of the account used to log in to the jump server. It is recommended to use a domain credential for this purpose.
- Login credential domain name: Enter the domain the account belongs to.
- Load saved password for connection from password store: Select this option to pull managed passwords from the password store. To use a hard-coded password, enter the actual password in the remote server logon password field.
- [Script Launch] Path to script files on client systems: Enter the path to the script automation files. This path is used when launching web-based applications. The default location for these scripts is C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.
- Update OIT agent data for agent running on the server: Select this option to change certain metadata attributes to reflect which user account is performing certain actions. This functionality works with ObserveIT only and affects auditing information stored within ObserveIT.
If using the built-in session recording from BeyondTrust instead of the ObserveIT session recorder, refrain from checking the Update OIT agent data for agent running on the server option. Checking this option prevents the built-in session recorder from operating.
Once the entries are validated, click OK.
If the option to Load saved password for connection from password store is selected and a stored password for the target account doesn't exist, a warning appears.
All of these settings can be changed at any time without having to make any changes to IIS, performing IISReset, or other administrative actions.