Use a Web Jump to Access Web Services

With the proliferation of infrastructure components that have moved to web-based interfaces for configuration, IT administrators are faced with an increasingly complex security management situation. With privileged access to web-based resources, it is a challenge to control, audit, and enforce proper authentication without negatively affecting business productivity. IT administrators need a way to effectively control and audit resources managed via web interfaces, including:

  • Externally hosted Infrastructure as a Service (IaaS) servers such as Amazon AWS, Microsoft Azure, IBM SoftLayer, and Rackspace
  • Internally hosted servers managed by hypervisor software such as VMware vSphere, Citrix XenServer, and Microsoft Hyper-V
  • Modern core network infrastructure that leverages web-based configuration interfaces

Identity and access management capabilities vary significantly among IaaS providers, hypervisor providers, and core infrastructure systems, and many offer no native multifactor authentication support, so that additional layer of security is missing. These inconsistencies create openings for misuse of accounts and access, which can lead to leaks of sensitive data. BeyondTrust Web Jump adds that extra layer of security for authenticating to these systems.

 

Web Jump does not support Flash. Be sure to consult your hypervisor documentation and update the hypervisor to a version that supports HTML5.

The Web Jump Item is an add-on for Privileged Remote Access, and requires additional purchase.

Create a Web Jump Shortcut

Before creating Web Jump shortcuts, ensure that your user account has the ability to access Web Jumps. This permission is set on your user account in the /login interface under Access Permissions > Jump Technology.

Create Jump Shortcut

To create a Web Jump shortcut, click the Create button in the Jump interface. From the dropdown, select Web Jump. Web Jump shortcuts appear in the Jump interface with Jump Clients and other types of Jump Item shortcuts.

Create New Web Jump Shortcut

Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

From the Jumpoint dropdown, select the Windows or Linux Jumpoint that hosts the computer you wish to access.

Copy/Paste functionality is not supported for Linux Jumpoints.

Type the URL for the web site you wish to access.

Check Verify Certificate if you want the site certificate to be validated before the connection is made. If this box is checked and issues are found with the certificate, the session does not start.

 

You should uncheck Verify Certificate only if you are Jumping to a site that you trust but that uses a self-signed certificate.

 

If you want to use credential injection, first select the Username Format:

  • Default: This is the default value for new and existing Web Jump Items. The username is not modified before injection into the web page and is used in the stored format. For the Endpoint Credential Manager (ECM), the credential may be in either UPN or DLLN format. For Vault, the username is always in UPN format.
  • Username Only: Regardless of the format stored in either Vault or ECM (username@domain or domain\username), the domain is removed and only the username is used.

Under Login Form Detection, the recommended practice is to leave the three fields empty, and allow the system to auto-detect and use the information already stored for login. If auto-detection fails, the injection fails and a message states that the Username Field, Password Field, and/or Submit Button could not be found.

If entering the names of the input elements, enter the HTML id, HTML name, or CSS selector for each element on the login page.

This shows HTML ids with input fields and a submit button, as they might appear on the code view of a login page. The HTML ids here are user, pwd, and button.
<form action="/action_page.php">
Username: <input type="text" id="user"><br>
Password: <input type="password" id="pwd"><br>
<input type="submit" value="Submit" id="button">
</form>
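
When auto-detection fails, the three values have to be read off the login page by hand. The following added example (not BeyondTrust code and not the product's detection logic) parses a saved copy of a login page and returns the id, name, or CSS selector to enter for each field; the function and class names are assumptions made for illustration.

```python
from html.parser import HTMLParser

# The login form shown on this page (ids: user, pwd, button).
PAGE_FORM = """<form action="/action_page.php">
Username: <input type="text" id="user"><br>
Password: <input type="password" id="pwd"><br>
<input type="submit" value="Submit" id="button">
</form>"""

class FormCollector(HTMLParser):
    """Records the input/button controls of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._open = []
            self.forms.append(self._open)
        elif tag in ("input", "button") and self._open is not None:
            self._open.append((tag, dict(attrs)))
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def control_type(tag, attrs):
    # HTML defaults: a <button> submits, an <input> is a text box.
    return (attrs.get("type") or ("submit" if tag == "button" else "text")).lower()

def locator(tag, attrs):
    """Prefer the HTML id, then the HTML name, then a CSS selector."""
    if attrs.get("id") or attrs.get("name"):
        return attrs.get("id") or attrs["name"]
    return f'{tag}[type="{attrs["type"]}"]' if attrs.get("type") else tag

def find_login_fields(html):
    """Values for Username Field, Password Field and Submit Button.
    A control missing from this page (multi-step login) comes back as None."""
    collector = FormCollector()
    collector.feed(html)
    forms = collector.forms
    # Pick the form that holds a password box, else the first form on the page.
    form = next((f for f in forms if any(control_type(t, a) == "password" for t, a in f)),
                forms[0] if forms else [])
    roles = {"text": "username", "email": "username",
             "password": "password", "submit": "submit"}
    found = {"username": None, "password": None, "submit": None}
    for tag, attrs in form:
        role = roles.get(control_type(tag, attrs))  # hidden, checkbox, ... are skipped
        if role and found[role] is None:
            found[role] = locator(tag, attrs)
    return found
```

A CSS selector returned as a fallback, such as `input[type="password"]`, should be checked against the live page to confirm it matches only the intended element.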

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

Choose a Jump Policy to set when users are allowed to access this Jump Item, whether a notification of access should be sent, and whether permission or a ticket ID from your external ticketing system is required to use this Jump Item. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

For more information about identifying HTML form fields, please see online resources such as this page explaining the use of CSS selectors.

Use a Web Jump Shortcut

To use a Jump shortcut to start a session, select the shortcut from the Jump interface and click the Jump button.

Once a connection is made to the web site, click the screen sharing button. The web site's login interface becomes available.

Web Jump to Website

If you want to open a new tab in Windows or Linux, hold down the CTRL key and click the mouse button. For iOS, hold down the Command key and click the mouse button.

You can copy and paste text to and from the website by using the copy/paste controls of your operating system.

Upload and Download Files using a Web Jump Shortcut

If you click a link to download a file from the web site, a prompt appears in your chat window asking you to accept or decline the download. If you accept, a window opens on your computer allowing you to choose a download location.

Uploading files to the web site works similarly, opening a window to allow you to choose which file to upload.

The privileged web access console does not support uploading files to a web page via a Web Jump. File upload to a web page via Web Jump is supported only by the desktop access console application.

Use Credential Injection

 

Credential injection is not supported for non-secure sites (non-HTTPS).

This feature is not supported for ARM-based Windows systems.

When BeyondTrust PRA is integrated with a password vault system, credential injection lets you seamlessly access your web site accounts without viewing the login screen or entering any credentials.

Web Jump supports multi-step authentication, in which the username and password are not requested on the same browser page. Web Jump also supports scenarios in which a user connects to an unauthenticated portion of a website, but then attempts to enter an area using basic authentication. Furthermore, Web Jump supports sites that contain CAPTCHAs, by allowing the users to complete the CAPTCHA without ending the credential injection process. Once interaction with a CAPTCHA is complete, the user clicks the key icon in the access console to complete credential injection.

For seamless credential injection on a VMware console, some configuration is required.
  1. Go to the computer hosting the Jumpoint.
  2. Download and install the VMware Client Integration Plugin.
  3. Using admin permissions, open Windows services (services.msc) on the Jumpoint host.
  4. Right-click the BeyondTrust Jumpoint and select Properties.
  5. On the Log On tab under Local System account, check Allow service to interact with desktop.
  6. Click OK.
  7. On the user's local system, on which the access console is installed, start a Web Jump with the VMware URL specified above.
  8. Select Use Windows Credentials.
  9. This causes a prompt on the Jumpoint host system to allow services to interact with an external program. Give the service permission.
  10. A VMware credential injection prompt is displayed. Uncheck the box asking if you want the prompt to be displayed whenever the program is called. Click Accept.
  11. You can now start Web Jumps to the VMware console using Windows credentials without a prompt.
For more information on downloading the appropriate VMware Client Integration Plugin, please see Upgrading VMware Client Integration Plug-in to the latest version.