Encryption and Ports in BeyondTrust Remote Support (Cloud)

BeyondTrust can be configured such that it enforces the use of SSL for every connection made to the site. BeyondTrust requires that the SSL certificate being used to encrypt the transport is valid.

BeyondTrust can natively generate certificate signing requests. Configuration options also are available to disable the use of TLSv1 and/or TLSv1.1. BeyondTrust always has TLSv1.2 enabled to ensure proper operation of the software. Available cipher suites can be enabled or disabled and reordered as needed to meet the needs of your organization.

The BeyondTrust software itself is uniquely built for each customer. As part of the build, an encrypted license file is generated that contains the support portal Domain Name System (DNS) name and the SSL certificate, which is used by the respective BeyondTrust client to validate the connection that is made to the Cloud site.

The chart below highlights the required ports and the optional ports. Note that there is very minimal port exposure of the BeyondTrust Cloud infrastructure. This drastically reduces the potential exposed attack surface of the site.

Below are example firewall rules for use with BeyondTrust Cloud, including port numbers, descriptions, and required rules.

Firewall Rules
Internal Network to the BeyondTrust Cloud Instance
TCP Port 80 (optional) Used to host the portal page without the user having to type HTTPS. The traffic can be automatically rolled over to port 443.
TCP Port 443 (required) Used for all session traffic.
BeyondTrust Cloud Instance to the Internal Network
TCP Port 25, 465, or 587 (optional) Allows the B Series Appliance to send admin mail alerts. The port is set in SMTP configuration.
TCP Port 443 (optional) B Series Appliance to web services (e.g., HP Service Manager, BMC Remedy) for outbound events.