Encryption and Ports in BeyondTrust Privileged Remote Access (On-Premises)

BeyondTrust can be configured such that it enforces the use of SSL for every connection made to the B Series Appliance. BeyondTrust requires that the SSL certificate being used to encrypt the transport is valid.

BeyondTrust can natively generate certificate signing requests. It also supports importing certificates generated off the B Series Appliance. Configuration options are also available to disable the use of SSLv3, TLSv1, and/or TLSv1.1. BeyondTrust always has TLSv1.2 enabled to ensure proper operation of the B Series Appliance. Available cipher suites can be enabled, disabled, and reordered to meet your organization's requirements.

The BeyondTrust software itself is uniquely built for each customer. As part of the build, an encrypted license file is generated that contains the site Domain Name System (DNS) name and the SSL certificate, which is used by the respective BeyondTrust client to validate the connection that is made to the B Series Appliance.

The chart below highlights the required ports and the optional ports. Note that there is minimal port exposure of the B Series Appliance. This drastically reduces the potential exposed attack surface of the B Series Appliance.

Firewall Rules

Internet to the DMZ
TCP Port 443 (required)*: Used for all session traffic.
UDP Port 3478 (optional): Used to enable peer-to-peer connections if the Use Appliance as Peer-to-Peer Server option is selected.

Internal Network to the DMZ
Port 161 (TCP/UDP): Used for SNMP queries via IP configuration settings in the /appliance interface.
TCP Port 443 (required)*: Used for all session traffic.

DMZ to the Internet
TCP Port 443 to the specific host gwsupport.bomgar.com (optional): Default port used to establish connections with BeyondTrust Support for advanced troubleshooting/repairs.
TCP Port 443 to the specific host btupdate.com (optional): You can optionally enable access from the B Series Appliance on port 443 to this host for automatic updates, or you can apply updates manually.

DMZ to the Internal Network
UDP Port 123 (optional): Used to access an NTP server and sync the time.
LDAP - TCP/UDP 389 (optional)‡: Used to access an LDAP server and authenticate users.
LDAP - TCP/UDP 636 (optional)‡: Used to access an LDAP server and authenticate users via SSL.
Syslog - UDP 514 (required for logging): Used to send syslog messages to a syslog server in the internal network. Alternatively, messages can be sent to a syslog server located within the DMZ.
DNS - UDP 53 (required if the DNS server is outside the DMZ): Used to access a DNS server to verify that a DNS A record or CNAME record points to the B Series Appliance.
TCP Port 25, 465, or 587 (optional): Allows the B Series Appliance to send admin mail alerts. The port is set in the SMTP configuration.
TCP Port 443 (optional): B Series Appliance to web services for outbound events.
TCP Port 5832 (required if the Passive Jump Client option is used): Used as a listening port by Passive Jump Clients. Operating system firewalls should also be aware of this port. The port number is configurable by an administrator. This port is used purely for wakeup calls to the clients and is therefore not encrypted. After the client is woken, it launches the BeyondTrust session over an encrypted outbound TCP 443 connection.
TCP Port 5696: Allows the B Series Appliance to access the KMIP server located in the internal network for Data at Rest Encryption.

Internal Network to Internal Network
Port 389, 636 (Active Directory), 445 (Local Account Management): Ports used for discovery and rotation of Vault accounts.

*Each of the following BeyondTrust components can be configured to connect on a port other than 443: access console, endpoint client, Jumpoint, connection agent.

‡ If the LDAP server is outside of the DMZ, the BeyondTrust Connection Agent is used to authenticate users via LDAP.
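The chart above is the kind of policy a firewall review is checked against. The following is an added example (not BeyondTrust's code) that transcribes the chart into a rule policy and audits a constructed set of observed rules for exposed ports not in the chart and for required rules that are missing; the two footnoted configurable ports (session port, Passive Jump Client port) are parameters, zone names and the sample rule set are my own assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # originating zone: "internet", "dmz" or "internal" (assumed names)
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    port: int

def build_policy(session_port=443, jump_client_port=5832):
    """Policy transcribed from the chart; True = required, False = optional.
    Host-specific outbound rules (gwsupport.bomgar.com, btupdate.com) are
    collapsed into one dmz->internet tcp/443 entry."""
    policy = {
        Rule("internet", "dmz", "tcp", session_port): True,
        Rule("internet", "dmz", "udp", 3478): False,              # peer-to-peer
        Rule("internal", "dmz", "tcp", session_port): True,
        Rule("dmz", "internet", "tcp", 443): False,               # support / updates
        Rule("dmz", "internal", "udp", 123): False,               # NTP
        Rule("dmz", "internal", "udp", 514): True,                # syslog
        Rule("dmz", "internal", "udp", 53): True,                 # DNS outside DMZ
        Rule("dmz", "internal", "tcp", 443): False,               # outbound events
        Rule("dmz", "internal", "tcp", jump_client_port): False,  # wakeup, cleartext
        Rule("dmz", "internal", "tcp", 5696): False,              # KMIP
    }
    for proto in ("tcp", "udp"):
        policy[Rule("internal", "dmz", proto, 161)] = False       # SNMP
        for port in (389, 636):                                    # LDAP / LDAPS
            policy[Rule("dmz", "internal", proto, port)] = False
    for port in (25, 465, 587):                                    # SMTP alerts
        policy[Rule("dmz", "internal", "tcp", port)] = False
    return policy

def audit(observed, policy):
    """Return (unexpected, missing_required): observed rules absent from the
    chart, and required chart rules that are not observed."""
    key = lambda r: (r.src, r.dst, r.proto, r.port)
    seen = set(observed)
    unexpected = sorted(seen - set(policy), key=key)
    missing = sorted((r for r, req in policy.items() if req and r not in seen), key=key)
    return unexpected, missing

# Constructed sample rule set: SSH exposed to the Internet, and no syslog rule.
OBSERVED = [
    Rule("internet", "dmz", "tcp", 443), Rule("internet", "dmz", "tcp", 22),
    Rule("internal", "dmz", "tcp", 443), Rule("dmz", "internal", "udp", 53),
]

if __name__ == "__main__":
    print(*audit(OBSERVED, build_policy()), sep="\n")
```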