Architecture of BeyondTrust Privileged Remote Access (On-Premises)
To make secure access possible, the BeyondTrust architecture places the BeyondTrust Appliance at the focal point of all communications. The appliance provides an interface using Hypertext Transfer Protocol (HTTP) for unauthenticated services and Secure HTTP (HTTPS) for authenticated services, and it accepts direct client connections over a proprietary, BeyondTrust-defined protocol.
BeyondTrust has two primary binary components that provide the appliance's functionality. The first, called Base, is the firmware that provides system-level configuration of a BeyondTrust Appliance. Settings such as IP addresses and security certificates are configured via the Base interface, which is accessed via the /appliance web interface.
The second component is the software that provides site-level configuration and is accessed via the /login web interface. User configuration and session options are managed behind the /login page, which is also where the BeyondTrust access console, endpoint client, Jump Clients, Jumpoints, and security provider connection agents can be downloaded. Sessions always occur through the appliance, and because the connections are outbound from the clients to the appliance using well-known ports, the application can communicate without local firewall changes.