The architecture of the BeyondTrust application environment relies on the Secure Remote Access Appliance as a centralized routing point for all communications between application components. All BeyondTrust sessions between users and remote systems occur through the server components that run on the appliance. To protect the security of the data in transit, BeyondTrust uses TLS to encrypt all application communications.
BeyondTrust's architecture offers customers the ability to choose how and where the appliance is deployed. Additionally, customers may configure the security features such that the BeyondTrust deployment complies with applicable corporate policies or regulations. Security features include role-based access control, secure password requirements, and features to give remote support recipients the ability to resume control of their computers.
BeyondTrust enables remote control by creating a remote outbound connection from the endpoint system to the Secure Remote Access Appliance through firewalls. For BeyondTrust to provide remote control securely, the appliance is designed to use the most common network architecture that supports internet-accessible applications: a demilitarized zone (DMZ) with firewall protection.
The Secure Remote Access Appliance is designed and tested to ensure it works properly and securely in internet environments. While the appliance can be deployed internal or external to your organization, to achieve optimal security, BeyondTrust recommends that you place the Secure Remote Access Appliance inside the DMZ, as illustrated. This diagram shows the recommended configuration for one Secure Remote Access Appliance.
Locating the appliance in the DMZ places it within the secure buffer zone. Since all BeyondTrust sessions are initiated via outbound connections from the client to the appliance, it is possible to remotely control computers using BeyondTrust through the firewalls.