Use a Web Jump to Access Web Services
With the proliferation of infrastructure components that have moved to web-based interfaces for configuration, IT administrators are faced with an increasingly complex security management situation. With privileged access to web-based resources, it is a challenge to control, audit, and enforce proper authentication without negatively affecting business productivity. IT administrators need a way to effectively control and audit resources managed via web interfaces, including:
- Externally hosted Infrastructure as a Service (IaaS) servers such as Amazon AWS, Microsoft Azure, IBM SoftLayer, and Rackspace
- Internally hosted servers managed by hypervisor software such as VMware vSphere, Citrix XenServer, and Microsoft Hyper-V
- Modern core network infrastructure that leverages web-based configuration interfaces
The identity and access management capabilities vary significantly between IaaS, hypervisor providers, and core infrastructure systems, and many do not offer native multifactor authentication support, thereby missing that additional layer of security. These inconsistencies across systems create opportunities for business vulnerabilities, such as misuse of accounts and access, leading to leaks of sensitive data. BeyondTrust Web Jump is the extra layer of security for authenticating to these systems.
Web Jump does not support Flash. Be sure to consult your hypervisor documentation and update it to a version that supports HTML5.
The Web Jump Item is an add-on for Privileged Remote Access, and requires additional purchase.
Create a Web Jump Shortcut
Before creating Web Jump shortcuts, ensure that your user account has the ability to access Web Jumps by navigating to Users & Security > User Settings > Jump Technology.
To create a Web Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Web Jump. Web Jump shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.
Organize and manage existing Jump Items by selecting one or more Jump Items and clicking Properties.
To view the properties of multiple Jump Items, the items selected must all be the same type (all Jump Clients, all Remote Jumps, etc.). To review properties of other types of Jump Items, please see the appropriate section in this guide.
Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.
From the Jumpoint dropdown, select the network that hosts the computer you wish to access.
Type the URL for the web site you wish to access.
Check Verify Certificate if you want the site certificate to be validated before the connection is made. If this box is checked and issues are found with the certificate, the session does not start.
You should uncheck Verify Certificate only if you are Jumping to a site that you trust but that uses a self-signed certificate.
If you want to use credential injection, first select the Username Format:
- Default: This is the default value for new and existing Web Jump Items. The username is not modified before injection into the web page and is used in the stored format. For the Endpoint Credential Manager (ECM), the credential may be in either UPN (username@domain) or DLLN (down-level logon name, domain\username) format. For Vault, the username is always in UPN format.
- Username Only: Independently of the format stored in either Vault or ECM (username@domain or domain\username), the domain is removed and only the username is used.
Under Login Form Detection, provide information for the three options, as needed:
- Username Field: This setting specifies the hint for the username field on the login page. If no username field is found, then injection fails. An error message is shown to the user stating the username field could not be found.
- Password Field: This setting specifies the hint for the password field on the login page. If no password field is found, then injection fails. An error message is shown to the user stating the password field could not be found.
- Submit Button: This setting specifies the hint for the submit button on the login page. If no such button is found, then injection fails. An error message is shown to the user stating the submit button could not be found.
If these three fields are left empty, the system auto-detects and uses the necessary information already stored for login.
Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.
Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.
Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.
To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.
Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.
Use a Web Jump Shortcut
To use a Jump shortcut to start a session, simply select the shortcut from the Jump interface and click the Jump button.
Once a connection is made to the web site, click the screen sharing button. The web site's login interface becomes available. If you click a link to download a file from the web site, a prompt appears in your chat window asking you to accept or decline the download. If you accept, a window opens on your computer allowing you to choose a download location. Uploading files to the web site works similarly, opening a window to allow you to choose which file to upload.
If the site requests a new tab, a new tab opens. You cannot open new tabs arbitrarily.
You can copy and paste text to and from the website by using the copy/paste controls of your operating system.
Use Credential Injection
When BeyondTrust PRA is integrated with a password vault system, credential injection lets you sign in to your web site accounts without viewing the login screen or entering any credentials yourself.
Web Jump supports multi-step authentication, in which the username and password are not requested on the same browser page. Web Jump also supports scenarios in which a user connects to an unauthenticated portion of a website, but then attempts to enter an area using basic authentication. Furthermore, Web Jump supports sites that contain CAPTCHAs, by allowing the users to complete the CAPTCHA without ending the credential injection process. Once interaction with a CAPTCHA is complete, the user clicks the key icon in the access console to complete credential injection.
- Go to the computer hosting the Jumpoint.
- Download and install the client integration plugin from the VMware URL specified above.
- Using admin permissions, open Windows services (services.msc) on the Jumpoint host.
- Right-click on the BeyondTrust Jumpoint and select Properties.
- On the Log On tab under Local System account, check Allow service to interact with desktop.
- Click OK.
- On the user's local system - the one where the access console is installed - start a Web Jump with the VMware URL specified above.
- Select Use Windows Credentials.
- This causes a prompt on the Jumpoint host system to allow services to interact with an external program. Give the service permission.
- A VMware credential injection prompt is displayed. Uncheck the box asking if you want the prompt to be displayed whenever the program is called. Click Accept.
- You can now start Web Jumps to the VMware console using Windows credentials without a prompt.