Ensure Encryption and Ports in BeyondTrust Privileged Remote Access (Cloud)

BeyondTrust Privileged Remote Access (PRA) can be configured to enforce SSL for every connection made to the site. PRA requires that the SSL certificate used to encrypt the transport is valid.

PRA can natively generate certificate signing requests. Configuration options are also available to disable the use of TLSv1 and/or TLSv1.1. PRA always has TLSv1.2 enabled to ensure proper operation of the software. Available cipher suites can be enabled, disabled, and reordered as needed to meet the needs of your organization.
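One check an administrator can run after turning off TLSv1 and TLSv1.1 is to confirm, from outside the site, which protocol versions the site actually negotiates and that the presented certificate validates. The script below is an added example written for this page, not BeyondTrust code; it uses only the Python standard library, assumes the site host name is passed on the command line (the host name, port and the TLSv1.3 informational probe are assumptions, not taken from the page), and verifies the certificate chain and host name the way a client would.

```python
"""Audit which TLS versions a PRA site accepts and whether its certificate validates (added example)."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Policy from the page: TLSv1 and TLSv1.1 should be disabled, TLSv1.2 is always on.
DISALLOWED = {"TLSv1": (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1),
              "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1)}
REQUIRED = {"TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)}
# TLSv1.3 is not mentioned on the page; it is probed for information only (assumption).
OPTIONAL = {"TLSv1.3": (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3)}


def probe(host, port, lo, hi, timeout=5.0):
    """Attempt one handshake restricted to the version range [lo, hi].

    Returns (accepted, detail). The default context verifies the certificate
    chain and host name, so a handshake only succeeds with a valid certificate.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                not_after = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
                return True, (f"negotiated {tls.version()} with {tls.cipher()[0]}; "
                              f"certificate valid until {not_after:%Y-%m-%d}")
    except ssl.SSLError as exc:          # handshake refused or certificate invalid
        return False, exc.reason or str(exc)
    except OSError as exc:               # port closed, timeout, DNS failure
        return False, str(exc)


def evaluate(results):
    """Compare probe results against the page's policy.

    results maps a version name to True (accepted), False (refused) or None
    (could not be tested). Returns a list of findings; an empty list means
    the site meets the policy.
    """
    findings = []
    for name in sorted(DISALLOWED):
        if results.get(name) is None:
            findings.append(f"{name}: could not be tested from this client")
        elif results[name]:
            findings.append(f"{name} accepted; should be disabled")
    for name in REQUIRED:
        if not results.get(name):
            findings.append(f"{name} not negotiated; PRA requires it")
    return findings


def audit(host, port=443):
    """Probe every version of interest and return (results, details)."""
    results, details = {}, {}
    for name, (lo, hi) in {**DISALLOWED, **REQUIRED, **OPTIONAL}.items():
        try:
            ok, detail = probe(host, port, lo, hi)
        except ValueError as exc:
            # The local OpenSSL build may refuse to offer TLS 1.0/1.1 at all.
            ok, detail = None, f"not testable from this client: {exc}"
        results[name], details[name] = ok, detail
    return results, details


if __name__ == "__main__":
    # Usage: python tls_audit.py pra.example.invalid   (host name is an assumption)
    site = sys.argv[1] if len(sys.argv) > 1 else "pra.example.invalid"
    res, det = audit(site)
    for name in res:
        print(f"{name:8} {res[name]!s:5} {det[name]}")
    for finding in evaluate(res) or ["policy met"]:
        print("finding:", finding)
```

A TLSv1.2 probe that fails with a certificate error rather than a protocol error points at the certificate requirement in the paragraph above rather than at the version settings, so read the detail text before changing cipher or protocol options.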

The PRA software itself is uniquely built for each customer. As part of the build, an encrypted license file is generated that contains the site Domain Name System (DNS) name and the SSL certificate, which is used by the respective PRA client to validate the connection that is made to the Cloud site.

The table below lists the required and optional ports. Note that the PRA Cloud infrastructure has minimal port exposure, which greatly reduces the potential attack surface of the site.

Below are example firewall rules for use with Privileged Remote Access Cloud, including port numbers, descriptions, and required rules.

Firewall Rules

Internal Network to the PRA Cloud Instance

  Port                                  Description
  TCP Port 443 (required)*              Used for all session traffic.

PRA Cloud Instance to the Internal Network

  Port                                  Description
  TCP Port 25, 465, or 587 (optional)   Allows the B Series Appliance to send admin mail alerts. The port is set in SMTP configuration.
  TCP Port 443 (optional)               B Series Appliance to web services for outbound events.