Configure and Install a Jumpoint for Linux Systems

Linux Jumpoints can be used for the following session types:

  • RDP
  • SSH/Telnet
  • VNC

Setup of a Jumpoint on a remote network is a multi-step process that includes ensuring dependencies are met, configuring from the /login administrative interface, downloading the installer, and running the installation wizard.

Install Dependencies

Several Linux libraries must be installed on the Jumpoint host. Exact requirements depend on the Linux distribution; however, the following libraries are recommended.

  • libopengl0
  • libglx0
  • libxkbcommon-dev
  • libfontconfig
  • libx11 (for X server). X server does not need to be running.

If the Jumpoint installation fails due to missing libraries, the error message includes information on what is missing.

For more information about X servers, please see What is X11? or other online resources.

Understand Clustered Jumpoints

Before configuring a Jumpoint, it is important to understand the difference between clustered Jumpoints and stand-alone Jumpoints, because they have different feature sets and because a clustered Jumpoint cannot be converted to stand-alone, nor a stand-alone Jumpoint converted to clustered. A clustered Jumpoint allows you to install up to ten redundant nodes of the same Jumpoint on different host systems in the same local network.

A clustered Jumpoint is available as long as at least one of the installed nodes is online. This provides redundancy, preventing the failure of all Jump Items associated with the failure of a single, stand-alone Jumpoint, and improves load balancing across the system.

All configuration of clustered Jumpoints is done in /login, with no local configuration available on the local host either during or after the installation. This means that if you install a clustered Jumpoint, selecting the BeyondTrust Jumpoint Configuration item on the start menu of the Jumpoint host does not result in a configuration window, and only an About box is shown. Editing a clustered Jumpoint in /login loads the same configuration page that was used to create the Jumpoint. This means clustered Jumpoint configuration lacks the following options which are available to stand-alone Jumpoints:

  • Proxy
  • Intel vPro
  • Shell Jump
  • TTL

This also means that a clustered Jumpoint cannot be configured as a Jump Zone Proxy. vPro, RDP, VNC, Shell Jump, and normal Jump sessions are all supported when using clustered Jumpoints; however, the advanced configuration of these features is not available. This includes settings such as provisioned SSH hosts, vPro reimaging, Jump Zone Proxy, TTL, etc.

Configure

Manage Jumpoints

  1. From the administrative interface, go to Jump > Jumpoint.
  2. Click Add.

 

Adding and configuring a Jumpoint.

  1. Create a unique name to help identify this Jumpoint. This name should help users locate this Jumpoint when they need to start a session with a computer on its same network.
  2. Set a code name for integration purposes. If you do not set a code name, one is created automatically.
  3. Add comments to help identify this Jumpoint.
  4. Select the Jumpoint Platform. Options are Windows and Linux. Once the Jumpoint has been created, this setting cannot be changed.
  5. Leave the Disabled box unchecked.
  6. Check the Clustered box, if appropriate.

A Clustered Jumpoint allows you to install multiple, redundant nodes of the same Jumpoint on different host systems. If you select this option, the Jumpoint is available as long as at least one of the installed nodes is online. This provides redundancy, preventing the failure of all Jump Items associated with the failure of a single, standalone Jumpoint, and improves load balancing across the system. Once created, a clustered Jumpoint cannot be converted to standalone, nor a standalone Jumpoint converted to clustered.

 

Linux Jumpoints can only be used for RDP, SSH/Telnet, and VNC sessions, allowing for credential injection from user or Vault, as well as RemoteApp functionality and Shell Jump filtering. Clustered Jumpoints can only add new nodes of the same OS. You cannot mix Windows and Linux nodes.

 

Jumpoint cluster nodes must be installed on hosts residing in the same local area network.

  1. If you want users to be able to connect to SSH-enabled and Telnet-enabled network devices through this Jumpoint, check Enable Shell Jump Method.
  2. From the Jumpoint edit page, you can authorize users to start sessions through this Jumpoint. After the Jumpoint has been created, you can also grant access to groups of users from Users & Security > Group Policies.
  3. Save the configuration. The new Jumpoint appears in the list of configured Jumpoints.

Once you have installed the Jumpoint and started it for the first time, the table is populated with the hostname of the host system, as well as that system's public and private IP addresses. This information can help you locate the Jumpoint's host system in case you need to change the Jumpoint's configuration.

Download

Now that the Jumpoint is configured, you must install the Jumpoint on a single system in the remote network you wish to access. This system serves as the gateway for Jump sessions with other computers on the remote network. You can either install the Jumpoint directly to the host or email the installer to a user at the remote system. If this is to be a clustered Jumpoint, you add nodes after the Jumpoint is installed.

Download Linux 64 bit.

  1. From the table, find the appropriate Jumpoint and click the link to download the installer file.
    • If you are logged into the system you want to use as the Jumpoint host, you can run the installation file immediately.
    • Otherwise, save the file and then transfer it to and deploy it onto the system that will serve as the Jumpoint host.

If you need to change the Jumpoint's host system, click Redeploy. This uninstalls the Jumpoint from its current location and makes the download links available. You can then install the Jumpoint on a new host. The new Jumpoint replaces the old one for any existing Jump shortcuts that are associated with it.

Install

  1. Once the installer file is on the remote system, use a command interface to install the file and specify any desired parameters. The Jumpoint must be installed within 7 days of downloading it. The exact install process depends on the Linux distribution and version, but general steps are provided below.
    • Install the Jumpoint using --install-dir <path>. You must have permission to write to this location, and the path must not already exist.
      sh ./bomgar-jpt-{uid}.bin --install-dir /home/username/jumpoint
    • If you wish to install under a specific user context, you can pass the --user <username> argument. The user must exist and have rights to the directory where the Jump Client is being installed. If you do not pass this argument, the Jumpoint installs under the user context that is currently running.

      sh ./bomgar-jpt-{uid}.bin --install-dir /home/username/jumpoint --user jsmith

 

We do not recommend installing the Jumpoint under the root context. If you attempt to install when the current user is root, you receive a warning message and are required to pass --user <username> to explicitly specify the user that the process

  1. After installing the Jumpoint, you must start its process.
    /home/username/jumpoint/init-script start

    This init script also accepts the stop, restart, and status arguments. You can use ./init-script status to make sure the Jumpoint is running.

  2. You must also arrange for init-script start to run at boot in order for the Jumpoint to remain available whenever the system restarts. An example systemd service is displayed once the Jumpoint is installed. Copy this information and create the new service for the Jumpoint, filename.service (where filename is any name you choose), following these steps:
    • cd /etc/systemd/system
    • vi filename.service
    • Paste copied information.
    • Run chmod 777 filename.service
    • Reload the systemctl daemon.
    • Enable and start the service file:
      • Run sudo systemctl start filename.service to start the service file.
      • Run sudo su - to get to root.
      • Run systemctl enable filename.service to enable the service file, so the Jumpoint service will automatically start after every reboot.
      • Reboot the Jumpoint machine.
  3. To remove the files, use the uninstall.sh script included in the installation.
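systemd reads the filename.service file created above as root, so its mode matters: with mode 777, any local account can rewrite what runs at boot. The following is an added example, not BeyondTrust's code, that lists group- or world-writable .service files in a directory and resets them to 0644. The function names are assumptions, and it relies on GNU find and stat.

```shell
#!/bin/sh
# Added example (not vendor code): audit systemd unit files for unsafe modes.

# List *.service files in DIR that are group- or world-writable.
# -perm /022 (GNU find) matches when ANY of those write bits is set.
list_writable_units() {
    find "$1" -maxdepth 1 -type f -name '*.service' -perm /022 | sort
}

# Succeeds (0) only when FILE has no group/other write bit set.
unit_mode_is_safe() {
    mode=$(stat -c '%a' "$1") || return 2
    # Leading 0 makes the shell read the mode as octal.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Set the conventional unit-file mode: owner read/write, everyone else
# read-only, no execute bits. Ownership is only changed when run as root.
harden_unit() {
    chmod 0644 "$1" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$1"; fi
}

# Constructed demo in a scratch directory; nothing under /etc is touched.
demo_dir=$(mktemp -d)
printf '[Unit]\nDescription=constructed sample\n' > "$demo_dir/filename.service"
chmod 777 "$demo_dir/filename.service"
for unit in $(list_writable_units "$demo_dir"); do
    echo "unsafe mode $(stat -c '%a' "$unit"): $unit"
    harden_unit "$unit"
done
unit_mode_is_safe "$demo_dir/filename.service" && echo "now 0644"
```

To audit a real host, point list_writable_units at /etc/systemd/system and run harden_unit as root on each file it reports.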

If the Jumpoint installation fails due to missing libraries, the error message includes information on what is missing.

Clustered Jumpoint Setup: Adding Nodes

The steps for creating a clustered Jumpoint in /login are the same as for a standalone, with one difference: once you have created the clustered Jumpoint, you add nodes to it. At least one node needs to be installed for the Jumpoint to be online.

  1. From the administrative interface, go to Jump > Jumpoint.
  2. From the table of existing Jumpoints, find the appropriate Jumpoint and click the Add Node link to download the installer file (bomgar-jpt-{uid}.bin).
    • If you are logged into the system you want to use as the Jumpoint host, you can run the installation file immediately.
    • Otherwise, save the file and then transfer it to and deploy it onto the system that will serve as the Jumpoint host.

Jumpoint Cluster Installed

  1. Install the node following the same steps for Install, as above.
  2. In the Jumpoint table, the clustered Jumpoint now shows information about each installed node, including public and private IP addresses and online or offline status.

Nodes can be deleted but cannot be individually edited. In the representative console, none of the nodes are visible; only the clustered Jumpoint under which they are installed is visible. Nodes function as redundant connection points. When a user needs to use the Jumpoint, one of the nodes is selected randomly. At least one node must be online for the Jumpoint to work.

Configure Linux Jumpoint as a Proxy Server

You can set up a Linux Jumpoint to function as a proxy server so it can be used for proxy connections for clients on the network that do not have a native internet connection, such as POS systems. Using a Jumpoint as a proxy routes traffic only to the B Series Appliance.

To configure proxy settings on a Linux Jumpoint, modify the jumpzone.ini file, which is located in the directory where you installed the Jumpoint. Below is the content of the jumpzone.ini file, which includes all of the applicable settings and a description of each:

[General]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; BeyondTrust Jump Zone Proxy Configuration ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; ALL configuration changes require a restart
; of the Jumpoint process/service/daemon

; * Enable the Jump Zone Proxy feature
; * Default is disabled.
;enable_proxy=1

; * Allow HTTP GET requests through the proxy
; * to the BeyondTrust appliance.
; * Default is to not allow HTTP GET requests.
;allow_http=1

; * Hostname or IP that resolves to this machine
; * Jump Clients will be deployed with and use
; * this information to connect back to this machine
; * Default hostname is detected using gethostname(2)
;proxy_host=myhost.local

; * Port number on this machine that should
; * listen for incoming Jump Client connections
; * Default port is 9995
;proxy_port=9995

; * Comma seperated IP addresses or CIDR subnets
; * that incoming connections should be restricted to.
; * Default is allow all connections.
; * Only one of allowOnlyIPs or denyOnlyIPs may be used.
;allowOnlyIPs=1.2.3.4,4.3.2.1/16

; * Comma seperated IP addresses or CIDR subnets
; * that should be denied incoming connections.
; * Default is allow all connections.
; * Only one of allowOnlyIPs or denyOnlyIPs may be used.
;denyOnlyIPs=1.2.3.4,4.3.2.1/16

In order for a Jumpoint to function as a Jump Zone Proxy Server, its host system cannot reside behind a proxy. The Jumpoint must be able to access the Internet without having to supply proxy information for its own connection.

 

The proxy host and port should be set carefully, since any Jump Client deployed using this Jumpoint as a proxy server uses the settings available to it at the time of deployment, and those settings are not updated if the host or port changes. If the host or port is changed, the Jump Client must be redeployed.

It is a best practice to make a firewall exception for the port on which the proxy server listens so that the process can accept connections.
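Because every jumpzone.ini change requires a Jumpoint restart, it helps to check the file first. The following is an added example, not BeyondTrust's code, that lints the settings described above: it rejects a file with both allowOnlyIPs and denyOnlyIPs active, checks proxy_port, and warns when the proxy is enabled with the allow-all default. The function names and sample values are assumptions.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): lint a jumpzone.ini before restart.

# Print the value of an active (uncommented) KEY; ';' lines are comments.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print one finding per line; return 1 if any ERROR was found.
lint_jumpzone() {
    f=$1; rc=0
    enabled=$(ini_get "$f" enable_proxy)
    port=$(ini_get "$f" proxy_port)
    allow=$(ini_get "$f" allowOnlyIPs)
    deny=$(ini_get "$f" denyOnlyIPs)
    if [ -n "$allow" ] && [ -n "$deny" ]; then
        echo "ERROR: allowOnlyIPs and denyOnlyIPs are both set"; rc=1
    fi
    case ${port:-9995} in            # 9995 is the documented default
        ''|*[!0-9]*) echo "ERROR: proxy_port is not a number"; rc=1 ;;
        *) if [ "${port:-9995}" -lt 1 ] || [ "${port:-9995}" -gt 65535 ]; then
               echo "ERROR: proxy_port out of range"; rc=1
           fi ;;
    esac
    if [ "$enabled" = 1 ] && [ -z "$allow" ]; then
        echo "WARN: proxy enabled without allowOnlyIPs; any source not denied may connect"
    fi
    if [ "$(ini_get "$f" allow_http)" = 1 ]; then
        echo "WARN: allow_http=1 permits HTTP GET requests through the proxy"
    fi
    return $rc
}

# Constructed sample: proxy enabled with both lists active (invalid).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[General]
enable_proxy=1
;proxy_port=9995
allowOnlyIPs=1.2.3.4,4.3.2.1/16
denyOnlyIPs=10.0.0.0/8
EOF
lint_jumpzone "$sample" || echo "fix the errors above before restarting"
```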