BeyondTrust Cloud Network Infrastructure

The architecture of the BeyondTrust application relies on the BeyondTrust Cloud instance as a centralized routing point for all communications between application components. All BeyondTrust sessions between users and remote systems occur through the server components that run on the B Series Appliance. To protect the security of the data in transit, BeyondTrust uses TLSv1.2 to encrypt all application communications.

Customers may configure the security features such that the BeyondTrust deployment complies with applicable corporate policies or regulations. Security features include role-based access control, secure password requirements, and features to give remote support recipients the ability to resume control of their computers.

BeyondTrust enables remote control by creating a remote outbound connection from the endpoint system to the BeyondTrust Cloud instance. The BeyondTrust Cloud site is designed and tested to ensure it works properly and securely in the BeyondTrust Cloud infrastructure. Since all BeyondTrust sessions are initiated via outbound connections from the client to the B Series Appliance, it is possible to remotely control computers using BeyondTrust through firewalls.

BeyondTrust Cloud Network Infrastructure Diagram

BeyondTrust Appliance B Series Network Infrastructure

Each BeyondTrust Cloud site comes with a subdomain of the DNS address, such as Optionally, if you would prefer to use your company web address with your own SSL certificate, you can use a Canonical Name (CNAME) record to point your default site address to your preferred address.

Since any customers you support using BeyondTrust use the public portal name you give them to request remote support, a simple yet descriptive name is the best approach. For instance, a company named 'Example' might use for their CNAME record.

Example Firewall Rules for Cloud Deployments

Below are example firewall rules for use with BeyondTrust Cloud, including port numbers, descriptions, and required rules.

Firewall Rules
Internal Network to the BeyondTrust Cloud Instance
TCP Port 80 (optional) Used to host the portal page without the user having to type HTTPS. The traffic can be automatically rolled over to port 443.
TCP Port 443 (required) Used for all session traffic.
BeyondTrust Cloud Instance to the Internal Network
TCP Port 25, 465, or 587 (optional) Allows the B Series Appliance to send admin mail alerts. The port is set in SMTP configuration.
TCP Port 443 (optional) B Series Appliance to web services (e.g., HP Service Manager, BMC Remedy) for outbound events.