Use a Jump Shortcut to Jump to a Remote System
Once a Jumpoint has been installed on a remote network, permitted users can use the Jumpoint to initiate sessions with Windows and Linux computers on that same network, even if those computers are unattended. Additionally, a permitted user can Jump to computers on the same network segment as their local system, even without a Jumpoint.
Through a Jumpoint, Jump shortcuts can be created to:
- Start a standard access session.
- Start a Remote Desktop Protocol session with Windows or Linux systems.
- Jump to a web site on a remote browser.
- Shell Jump to an SSH-enabled or Telnet-enabled network device.
- Connect to a VNC server.
- Make a TCP connection through a Protocol Tunnel Jump.
You can add Jump shortcuts one by one from the access console, as detailed in Local Jump Shortcuts, Remote Jump Shortcuts, Remote Desktop Protocol Shortcuts, VNC Shortcuts, Use Web Jump to Access Web Services, Shell Jump Shortcuts, and Protocol Tunnel Jump Shortcuts.
You can organize and manage existing Jump Shortcuts by selecting one or more and clicking Properties.
When creating a large number of Jump shortcuts, it may be easier to import them via a spreadsheet than to add them one by one in the access console.From the dropdown in the Jump Shortcuts Mass Import Wizard section of the /login interface, select the type of Jump Item you wish to add, and then click Download Template. Using the text in the CSV template as column headers, add the information for each Jump shortcut you wish to import. If any required fields are missing, import fails. Optional fields can be filled in or left blank.
Once you have completed filling out the template, use Import Jump Shortcuts to upload the CSV file containing the Jump Item information. The maximum file size allowed to be uploaded at one time is 5 MB. Only one type of Jump Item can be included in each CSV file.The CSV file should use the format described in the tables below.
If a Jump Policy is applied to the Jump Item, that policy affects how and/or when a Jump Item may be accessed.
Authorization
If a Jump Policy requires authorization before the Jump can be performed, a dialog opens. In the dialog, enter the reason you need to access this Jump Item. Then enter the date and time at which you wish authorization to begin, as well as how long you require access to the Jump Item. Both the request reason and the request time are visible to the approver and help them decide whether to approve or deny access.
When you click OK, an email is sent to the addresses defined as approvers for this policy. This email contains a URL where an approver can see the request, add comments, and either approve or deny the request.
If a request was approved by one person, a second can access the URL to override approval and deny the request. If a request was denied, then any other approvers accessing the site can see the details but cannot override the denied status. If a user has already joined an approved session, that access cannot be denied. Although other approvers can see the email address of the person who approved or denied the request, the requestor cannot.Based on the Jump Policy settings, an approved request grants access either to any user who can see and request access to that Jump Client or only to the user who requested access.
In the Jump interface, the Jump Item's details pane displays the status of any authorization requests as either pending, approved, approved only for a different user, or denied. When an approver responds to a request, a pop-up notification appears on the requestor's screen alerting them that access has been either approved or denied. If the requestor has a configured email address, an email notification is also sent to the requestor.
When a user Jumps to a Jump Item which has been approved for access, a notification alerts the user to any comments left by the approver.
When approval has been granted to a Jump Item, that Jump Item becomes available either to any user who can see and request access to that Jump Item or only to the user who requested access. This is determined by the Jump Policy.
While multiple requests may be sent for different times, the requested access times cannot overlap. If a request is denied, then a second request may be sent for the same time.
Revoke an Access Approval Request
Permission to revoke approved access requests is controlled by Jump Policy. Any user who can approve requests on the Jump Policy can cancel requests, subject to the approval type. In the /login web management interface, go to Jump > Jump Policies. Under Jump Approval you have two options:
- Anyone Permitted to Request
- Requestor Only
If the Jump Policy is set to requestor Only, and an Access Request is presently approved for User A, User B is asked to create a new Access Request if they attempt to Jump to the Jump Item, since that request does not apply to them. Additionally, if User B attempts to cancel the Access Approval Request, the option is grayed out. The only user who can cancel the approved request is User A, because they are the approved user for the request.
However, if the Jump Policy is set to Anyone Permitted to Request, and an Access Request is presently approved for User A, User B is allowed to start a new session with the Jump Item if they attempt to Jump to it. In addition, anyone with permission to access the Jump Item is allowed to cancel / revoke the request.
Local Jump Shortcut
| Field | Description |
|---|---|
| Hostname |
The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters. |
| Name |
The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters. |
| Jump Group |
The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items. |
| Tag (optional) |
You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters. |
| Comments (optional) |
You can add comments to your Jump Items. This string has a maximum of 1024 characters. |
| Jump Policy (optional) |
The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item. |
| Session Policy (optional) |
The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item. |
| Endpoint Agreement Policy (optional) |
The value accept automatically accepts the endpoint agreement if it times out and allows the session the start. The value reject automatically rejects the endpoint agreement and stops the session from starting. The value no_prompt does not show an endpoint agreement even if the feature is configured. This field has no effect if the global endpoint agreement is not enabled. |
For more information about the global setting, please see Jump Items: Mass Import Jump Shortcuts and Manage Jump Item Settings.
Remote Jump Shortcut
| Field | Description |
|---|---|
| Hostname |
The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters. |
| Jumpoint |
The code name of the Jumpoint through which the endpoint is accessed. |
| Name |
The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters. |
| Jump Group |
The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items. |
| Tag (optional) |
You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters. |
| Comments (optional) |
You can add comments to your Jump Items. This string has a maximum of 1024 characters. |
| Jump Policy (optional) |
The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item. |
| Session Policy (optional) |
The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item. |
| Endpoint Agreement Policy (optional) |
The value accept automatically accepts the endpoint agreement if it times out and allows the session the start. The value reject automatically rejects the endpoint agreement and stops the session from starting. The value no_prompt does not show an endpoint agreement even if the feature is configured. This field has no effect if the global endpoint agreement is not enabled. |
For more information about the global setting, please see Jump Items: Mass Import Jump Shortcuts and Manage Jump Item Settings.
Remote VNC Jump Shortcut
| Field | Description |
|---|---|
| Hostname |
The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters. |
| Jumpoint |
The code name of the Jumpoint through which the endpoint is accessed. |
| Port (optional) |
A valid port number from 100 to 65535. Defaults to 5900. |
| Name |
The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters. |
| Jump Group |
The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items. |
| Tag (optional) |
You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters. |
| Comments (optional) |
You can add comments to your Jump Items. This string has a maximum of 1024 characters. |
| Jump Policy (optional) |
The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item. |
| Session Policy (optional) |
The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item. |
Remote RDP Jump Shortcut
| Field | Description |
|---|---|
| Hostname |
The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters. |
| Jumpoint |
The code name of the Jumpoint through which the endpoint is accessed. |
| Username (optional) |
The username to sign in as. |
| Domain (optional) |
The domain the endpoint is on. |
| Quality (optional) |
The quality at which to view the remote system. Can be low (2-bit gray scale for the lowest bandwidth consumption), best_perf (default - 8-bit color for fast performance), perf_and_qual (16-bit for medium quality image and performance), best_qual (32-bit for the highest image resolution), or video_opt (VP9 codec for more fluid video). This cannot be changed during the remote desktop protocol (RDP) session. |
| Console Session |
1: Starts a console session. |
| Ignore Untrusted Certificate (optional) |
1: Ignores certificate warnings. |
| SecureApp Type | The SecureApp launch method. Can be "none", "remote_app" (to use RDP's built-in RemoteApp functionality), "remote_desktop_agent" (to use BeyondTrust's Remote Desktop Agent), or "remote_desktop_agent_credentials" (to use BeyondTrust's Remote Desktop Agent with Credential Injection). If "remote_desktop_agent" or "remote_desktop_agent_credentials" are chosen then the BeyondTrust Remote Desktop Agent must be installed on the remote system.> |
| RemoteApp Name | The RemoteApp program name. This string has a maximum of 520 characters. |
| RemoteApp Parameters | A space-separated list of parameters to pass to the RemoteApp. Parameters with spaces can be quoted using double-quotes. This string has a maximum of 16000 characters. |
| Remote Executable Parameters | A space-separated list of parameters to pass to the remote executable that will be launched using the BeyondTrust Remote Desktop Agent. Parameters with spaces can be quoted using double-quotes. This can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent. |
| Remote Executable Parameters | A space-separated list of parameters to pass to the remote executable that will be launched using the BeyondTrust Remote Desktop Agent. Parameters with spaces can be quoted using double-quotes. This can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent. |
| Target System | The name of the target system being accessed by the remote application. This value is used to limit the list of injected credentials to only those that are valid on the target system. This value can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent with Credential injection. |
| Credential Type | The type of credentials that will be injected into the remote executable. This value will depend on the password vault from which credentials are retrieved. This value can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent with Credential injection. |
| Name |
The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters. |
| Jump Group |
The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items. |
| Tag (optional) |
You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters. |
| Comments (optional) |
You can add comments to your Jump Items. This string has a maximum of 1024 characters. |
| Jump Policy (optional) |
The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item. |
| Session Policy (optional) |
The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item. |
Shell Jump Shortcut
| Field | Description |
|---|---|
| Hostname |
The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters. |
| Jumpoint |
The code name of the Jumpoint through which the endpoint is accessed. |
| Username (optional) |
The username to sign in as. |
| Protocol |
Can be either ssh or telnet. |
| Port (optional) |
A valid port number from 1 to 65535. Defaults to 22 if the protocol is ssh or 23 if the protocol is telnet. |
| Terminal Type (optional) |
Can be either xterm (default) or VT100. |
| Keep-Alive (optional) |
The number of seconds between each packet sent to keep an idle session from ending. Can be any number from 0 to 300. 0 disables keep-alive (default). |
| Name |
The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters. |
| Jump Group |
The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items. |
| Tag (optional) |
You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters. |
| Comments (optional) |
You can add comments to your Jump Items. This string has a maximum of 1024 characters. |
| Jump Policy (optional) |
The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item. |
| Session Policy (optional) |
The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item. |
Protocol Tunnel Jump Shortcut
| Field | Description |
|---|---|
| Tunnel Type | The type of tunnel: TCP, SQL Server, Kuberbnetes Cluster, or Network (if enabled). |
| Hostname |
The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128 characters. |
| Jumpoint |
The code name of the Jumpoint through which the endpoint is accessed. |
| TCP Tunnels (for TCP Tunnel) |
The list of one or more tunnel definitions. A tunnel definition is a mapping of a TCP port on the local user's system to a TCP port on the remote endpoint. Any connection made to the local port causes a connection to be made to the remote port, allowing data to be tunnelled between local and remote systems. Multiple mappings should be separated by a semicolon. auto->22;3306->3306 In the example above, a randomly assigned local port maps to remote port 22, and local port 3306 maps to remote port 3306. |
| Username and Database (for SQL Server Tunnel) | The username and database. Authentication is supported using Windows authentication and SQL login. |
| URL and CA Certificates (for Kubenetes Cluster Tunnel) |
The base URL for the Kubernetes cluster. The maximum length is 256 characters. For the certificates, a PEM-formatted certificate or chain of certificates used to validate the cluster URL. The maximum length is 12,288 characters. |
| Filter Rules (for Network Tunnel) |
|
| Local Address (optional) |
The address from which the connection should be made. This can be any address within the 127.x.x.x subrange. The default address is 127.0.0.1. |
| Name |
The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters. |
| Jump Group |
The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items. |
| Tag (optional) |
You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters. |
| Comments (optional) |
You can add comments to your Jump Items. This string has a maximum of 1024 characters. |
| Jump Policy (optional) |
The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item. |
| Session Policy (optional) |
The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item. |
Web Jump Shortcut
| Field | Description |
|---|---|
| Name |
The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters. |
| Jumpoint |
The code name of the Jumpoint through which the endpoint is accessed. |
| Jump Group |
The code name of the Jump Group with which this Jump Item should be associated. When using the import method, a Jump Item cannot be associated with a personal list of Jump Items. |
| Tag (optional) |
You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024 characters. |
| Comments (optional) |
You can add comments to your Jump Items. This string has a maximum of 1024 characters. |
| Jump Policy (optional) |
The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item. |
| Session Policy (optional) |
The code name of a session policy. You can specify a session policy to manage the permissions available on this Jump Item. |
| URL |
The URL of the web site. The URL must begin with either http or https. |
| Verify Certificate (optional) |
1: The site certificate is validated before the session starts; if issues are found, the session will not start. |
| Username Format | passthru: Pass the username through directly from the credential provider. username_only: If the username is in UPN (Username@Domain) or DLLN (DOMAIN\Username) format then the domain is removed. Only the username is injected. |
| Username Field Hint | A CSS style query selector that identifies the username field to help with the initial credential injection. If this value is provided and a matching element is not found, then the credential injection will fail. |
| Password Field Hint | A CSS style query selector that identifies the password field to help with the initial credential injection. If this value is provided and a matching element is not found, then the credential injection will fail. |
| Submit Button Hint | A CSS style query selector that identifies the submit button to help with the initial credential injection. If this value is provided and a matching element is not found, then the credential injection will fail. |
| Auth Timeout | The length of time the web jump client should wait for authentication to succeed before timing out. Valid values are 1, 2, 3, 5, 10, 15, 30 |
