Requirements and Considerations to Install a PRA Jumpoint

A Jumpoint-facilitated BeyondTrust session involves three computers:

  • The BeyondTrust user's system
  • A computer that hosts the Jumpoint
  • The unattended computer targeted for remote control

There are various permission, hardware, software, and port requirements for these systems that must be met or should be considered when installing a Jumpoint.

Review Jumpoint Permission Requirements

The administrator deploying the Jumpoint must have administrative rights on the computer hosting the Jumpoint.

Users must have the following permissions to access the Jumpoint:

  • The user must have administrative rights to the target computer.
  • In the administrative interface, one or both of the following conditions must be true:
    • The user must have the account permission Allowed Jump Methods: Local Jump on the local network.
    • The user must have the account permission Allowed Jump Methods: Remote Jump via a Jumpoint and must be granted access to one or more Jumpoints, either individually or via a group policy.

For more information, please see the following:

Review Jumpoint Installation Considerations

The main objective of any BeyondTrust administrator should be to ensure the integrity of the BeyondTrust deployment. The simpler and more straightforward a BeyondTrust deployment is, the easier it is to maintain a level of integrity that is in line with your company's security objectives. Specifically, when deploying a Jumpoint on a remote network, another layer of complexity is introduced to your deployment. Therefore, BeyondTrust recommends using a dedicated resource for a Jumpoint in order to decrease any potential security risks, increase availability, and reduce management complexity. A dedicated resource is most often a virtual machine or sometimes a physical machine with the sole purpose of hosting the Jumpoint.

If a dedicated resource is not readily available, there are several factors to take into consideration before deciding to use a shared resource as a Jumpoint host. When using a shared resource, the BeyondTrust administrator must be aware of everything for which the shared resource is used. For example, the BeyondTrust administrator would need to identify and control any unwanted changes to or repurposing of the resource by other groups, especially in large organizations.

There are many other variables that are unique to any given network or business environment. The questions below are provided to encourage a proactive approach before pursuing the use of a shared resource as a Jumpoint host. BeyondTrust encourages adding your own list of pros and cons before deploying a Jumpoint on a shared resource.

Security Questions

  • Who has access to this resource?
  • Are file shares accessible on this resource?
  • Are there group policies in place that may restrict Jumpoint functionality?
  • What is the risk of virus infection or malware due to multi-user access?
  • What is the risk of another user changing the system permissions or deleting needed files?

File/Print Sharing Questions

  • What other programs will be competing for resources such as disk space, processor availability, bandwidth, and disk access?
  • Will the resource be available at all times? How critical is on-demand access?
  • What is the risk of permission modification on file shares?
  • Will this resource be used frequently for print jobs? Large or frequent print jobs can consume a large amount of resources, adversely affecting Jumpoint performance.

Other Shared Resource Questions

  • How critical is availability? What is the risk of the Jumpoint not being available?
  • How frequently will this Jumpoint be used?
  • What is the potential number of Jump sessions that will need to be run through this Jumpoint at the same time?
  • Will shared responsibility of this resource across different departments increase complexity?

A Jumpoint cannot be used to access itself, because that is an unsupported loopback connection.

Review Jumpoint Hardware and Software Requirements

Host Hardware and Software Requirements – All Session Types

An average server class machine for a supported operating system, with 16 GB of RAM, can readily support 25 concurrent sessions of any type (or 200 Telnet or SSH sessions). Additional sessions are supported depending on the session types and other factors, or with higher server specifications.

For more information about hardware and software requirements, please see Privileged Remote Access Supported Platforms.

Session-Specific Host and Target Software Requirements

Except as noted, the target and the host must be on the same network.

Remote Jump Sessions – Host System Requirements

Admin rights on the remote system must be provided by either a domain admin user or, in a workgroup environment, a local admin user.

The following applies to Windows systems:

  • The host must be a member of the respective Active Directory domain.
  • By default, the Jumpoint runs under the local system account. In certain environments, this may need to be changed to a domain account that has local admin rights on the target computer(s).
  • Follow these steps if this account is changed:
    • Log on to the Jumpoint host system as an administrator.
    • Stop the BeyondTrust Jumpoint service using services.msc.
    • Navigate to C:\ProgramData\Bomgar\Jumpoint\hostname or C:\Users\All Users\Application Data\Bomgar\Jumpoint\hostname, depending on the Windows version.
    • Open the properties for bomgar.ini and go to the Security tab. Click Continue to view the security properties.
    • Select the Users or Everyone group, depending on the Windows version.
    • Uncheck the Read permission in the Deny column.
    • Apply the changes.
    • The Jumpoint may now be safely changed to be under a different account.
    • Restart the Jumpoint service using services.msc.
  • File sharing must be turned on, specifically IPC$ and ADMIN$.
  • The Remote Registry service must be running (check using services.msc).
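The account-change steps above, scripted as an added example (not a BeyondTrust script). It assumes it is run as an administrator on the Jumpoint host, that the Jumpoint service is matched by display name, and that the hostname directory and domain account are replaced with your own values.

```powershell
# Added example, not BeyondTrust's own tooling. Assumptions: run elevated on the
# Jumpoint host; $IniPath points at the bomgar.ini in the ProgramData path
# listed above; the service is found by its display name.
param(
    [string]$IniPath = 'C:\ProgramData\Bomgar\Jumpoint\<hostname>\bomgar.ini',  # replace <hostname>
    [string]$ServiceDisplayName = '*Jumpoint*',     # assumption: adjust if the display name differs
    [string]$RunAsAccount = 'DOMAIN\svc-jumpoint'   # placeholder: domain account with local admin on targets
)

$svc = Get-Service -DisplayName $ServiceDisplayName | Select-Object -First 1
if (-not $svc) { throw "No service matching '$ServiceDisplayName' was found" }

# Step 1: stop the Jumpoint service (equivalent of stopping it in services.msc)
Stop-Service -Name $svc.Name -Force

# Step 2: remove the Deny/Read entries for Users or Everyone on bomgar.ini
$acl = Get-Acl -Path $IniPath
$denyRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -and
    $_.IdentityReference.Value -in @('BUILTIN\Users', 'Everyone')
}
foreach ($ace in $denyRead) {
    # Inherited entries cannot be removed here; the deny set by the installer is explicit
    if ($ace.IsInherited) { Write-Warning "Inherited deny ACE for $($ace.IdentityReference) skipped" }
    [void]$acl.RemoveAccessRule($ace)
}
Set-Acl -Path $IniPath -AclObject $acl

# Step 3: change the service logon account. The account must already hold the
# "Log on as a service" user right on this host; the password is prompted for.
$cred = Get-Credential -UserName $RunAsAccount -Message 'Password for the Jumpoint service account'
sc.exe config $svc.Name obj= $cred.UserName password= $cred.GetNetworkCredential().Password | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Step 4: restart the service under the new account and show its state
Start-Service -Name $svc.Name
Get-Service -Name $svc.Name | Select-Object Name, Status
```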

Remote/Local Jump Sessions – Target System Requirements

For Remote Jump sessions, the target system must be on the same network as the Jumpoint host system. For Local Jump sessions, the target system must be on the same network as the BeyondTrust user's system.

The following applies to Windows systems:

  • The Workstation service must be running (check using services.msc).
  • The Server service must be running (check using services.msc).
  • The Remote Registry service must be running (check using services.msc).
  • The ADMIN$ share must be available (check using Computer Management).
  • The Windows Network must be running, and printer and file sharing must be activated.
  • Make sure firewall settings do not block the connection. If the firewall blocks incoming traffic, open port 445 (and possibly 135) on the target computer for incoming traffic.
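A preflight check for the Windows target requirements above, added here as an example (not BeyondTrust's own tooling). It assumes Windows PowerShell 5.1 on the Jumpoint host (for `Get-Service -ComputerName`) and a user who already holds admin rights on the target, as required.

```powershell
# Added example: run from the Jumpoint host to confirm a Windows target meets
# the Remote Jump target requirements before a Jump is attempted.
param(
    [Parameter(Mandatory)][string]$Target   # hostname or IP of the target system
)

$results = @()

# Required services, keyed by Windows service name (Workstation, Server, Remote Registry)
$services = @{ 'LanmanWorkstation' = 'Workstation'; 'LanmanServer' = 'Server'; 'RemoteRegistry' = 'Remote Registry' }
foreach ($name in $services.Keys) {
    try {
        $svc = Get-Service -ComputerName $Target -Name $name -ErrorAction Stop
        $ok = ($svc.Status -eq 'Running')
    } catch { $ok = $false }
    $results += [pscustomobject]@{ Check = "$($services[$name]) service running"; Required = $true; Pass = $ok }
}

# ADMIN$ must be reachable; Test-Path against the UNC path only succeeds with
# admin rights on the target, which the user must hold anyway.
$share = '\\' + $Target + '\ADMIN$'
$results += [pscustomobject]@{ Check = 'ADMIN$ share reachable'; Required = $true; Pass = (Test-Path $share) }

# TCP 445 (SMB) is mandatory; 135 (RPC endpoint mapper) is only needed in some environments
foreach ($port in 445, 135) {
    $tnc = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "TCP $port open"; Required = ($port -eq 445); Pass = $tnc.TcpTestSucceeded }
}

$results | Format-Table -AutoSize
# Non-zero exit when any required check fails, so the script can gate a deployment step
if ($results | Where-Object { $_.Required -and -not $_.Pass }) { exit 1 }
```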

RDP Sessions – Host System Requirements

No session-specific host system requirements.

RDP Sessions – Target System Requirements

Microsoft Remote Desktop Protocol (RDP) must be enabled on the target system.

Privileged Remote Access supports only Microsoft's RDP server implementation built into Windows operating systems and Remote Desktop Session (formerly Terminal Services) Hosts.

VNC Sessions – Host System Requirements

No session-specific host system requirements.

VNC Sessions – Target System Requirements

A listening VNC server that supports RFB protocol 3.8 or earlier, configured for basic or no authentication.

Protocol Tunnel Jump Sessions – Host System Requirements

No session-specific host system requirements.

Protocol Tunnel Jump Sessions – Target System Requirements

The target system must have a listening static port configured.

Shell Jump Sessions – Host System Requirements

No session-specific host system requirements.

Shell Jump Sessions – Target System Requirements

Any available SSH server.

Web Jump Sessions – Host System Requirements

If the target web server requires Flash, then the Jumpoint host system must have Flash installed.

Web Jump Sessions – Target System Requirements

Any available web server.

Review Port Requirements for Discovery and Rotation of Vault Accounts

Active Directory:

  • Port 389
  • Port 636

Local Account Management:

  • Port 445