Encryption and Ports in BeyondTrust Privileged Remote Access (Cloud)
BeyondTrust can be configured such that it enforces the use of SSL for every connection made to the site. BeyondTrust requires that the SSL certificate being used to encrypt the transport is valid.
BeyondTrust can natively generate certificate signing requests. Configuration options also are available to disable the use of TLSv1 and/or TLSv1.1. BeyondTrust always has TLSv1.2 enabled to ensure proper operation of the software. Available cipher suites can be enabled or disabled and reordered as needed to meet the needs of your organization.
The BeyondTrust software itself is uniquely built for each customer. As part of the build, an encrypted license file is generated that contains the site Domain Name System (DNS) name and the SSL certificate, which is used by the respective BeyondTrust client to validate the connection that is made to the Cloud site.
The chart below highlights the required ports and the optional ports. Note that there is very minimal port exposure of the BeyondTrust Cloud infrastructure. This drastically reduces the potential exposed attack surface of the site.
Below are example firewall rules for use with BeyondTrust Cloud, including port numbers, descriptions, and required rules.
|Internal Network to the BeyondTrust Cloud Instance|
|TCP Port 443 (required)*||Used for all session traffic.|
|BeyondTrust Cloud Instance to the Internal Network|
|TCP Port 25, 465, or 587 (optional)||Allows the appliance to send admin mail alerts. The port is set in SMTP configuration.|
|TCP Port 443 (optional)||Appliance to web services for outbound events.|