Encryption and Ports in BeyondTrust Remote Support (On-Premises)
BeyondTrust Remote Support can be configured such that it enforces the use of SSL for every connection made to the B Series Appliance. Remote Support requires that the SSL certificate being used to encrypt the transport is valid.
Remote Support can natively generate certificate signing requests. It also supports importing certificates generated off the B Series Appliance. Configuration options also are available to disable the use of SSLv3, TLSv1, and/or TLSv1.1. BeyondTrust always has TLSv1.2 enabled to ensure proper operation of the B Series Appliance. Available cipher suites can be enabled or disabled and reordered as needed to meet the needs of your organization.
The BeyondTrust software itself is uniquely built for each customer. As part of the build, an encrypted license file is generated that contains the support portal Domain Name System (DNS) name and the SSL certificate, which is used by the respective Remote Support client to validate the connection that is made to the B Series Appliance.
The chart below highlights the required ports and the optional ports. Note that there is very minimal port exposure of the BeyondTrust Appliance B Series. This drastically reduces the potential exposed attack surface of the B Series Appliance.
| Firewall Rules | |
|---|---|
| Internet to the DMZ | |
| TCP Port 80 (optional) | Used to host the portal page without the user having to type HTTPS. The traffic can be automatically rolled over to port 443. |
| TCP Port 443 (required)* | Used for all session traffic. |
| UDP Port 3478 (optional) | Used to enable Peer-to-Peer connections if the Use Appliance as Peer-to-Peer Server option is selected. |
| Internal Network to the DMZ | |
| TCP Port 80 (optional) | Used to host the portal page without the user having to type HTTPS. The traffic can be automatically rolled over to port 443. |
| TCP Port 161/UDP | Used for SNMP queries via IP configuration settings in the /appliance interface. |
| TCP Port 443 (required)* | Used for all session traffic. |
| DMZ to the Internet | |
| TCP Port 443 to the specific host gwsupport.bomgar.com (optional) | Default port used to establish connections with BeyondTrust Support for advanced troubleshooting/repairs. |
| TCP Port 443 to the specific host btupdate.com (optional) | You can optionally enable access from the B Series Appliance on port 443 to this host for automatic updates, or you can apply updates manually. |
| DMZ to the Internal Network | |
| UDP Port 123 | Access NTP server and sync the time. |
| LDAP - TCP/UDP 389 (optional)‡ | Access LDAP server and authenticate users. |
| LDAP - TCP/UDP 636 (optional)‡ | Access LDAP server and authenticate users via SSL. |
| Syslog - UDP 514 (required for logging) | Used to send syslog messages to a syslog server in the internal network. Alternatively, messages can be sent to a syslog server located within the DMZ. |
| Syslog - TCP Port 6514 | Used to send syslog messages over TLS to a syslog server in the internal network. Alternatively, messages can be sent to a syslog server located within the DMZ. |
| DNS - UDP 53 (required if DNS server is outside the DMZ) | Access DNS server to verify that a DNS A record or CNAME record points to the B Series Appliance. |
| TCP Port 25, 465, or 587 (optional) | Allows the B Series Appliance to send admin mail alerts. The port is set in SMTP configuration. |
| TCP Port 443 (optional) | B Series Appliance to web services (e.g., HP Service Manager, BMC Remedy) for outbound events. |
| TCP Port 5696 | Allows the B Series Appliance to access the KMIP server located in the internal network for Data at Rest Encryption. |
| Internal Network to Internal Network | |
| Port 389, 636 (Active Directory), 445 (Local Account Management) | Ports used for discovery and rotation of Vault accounts. |
*Each of the following BeyondTrust components can be configured to connect on a port other than 443: representative console, customer client, presentation attendee client, Jumpoint, connection agent.
‡ If the LDAP server is outside of the DMZ, the BeyondTrust Connection Agent is used to authenticate users via LDAP.
