Privileged Remote Access 24.2 Admin Guide

Privileged Remote Access 24.2

Admin Guide

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC:7/8/2024

Table of Contents

BeyondTrust Privileged Remote Access Admin Interface 5

Search /login Administrative Interface 8

User Menu 9

Status 10

Information: View Privileged Remote Access Site Status and Software Details 10

Users: View Logged In Users and Send Messages 11

What's New: See Privileged Remote Access Software Release Details 12

Consoles & Downloads: Launch the Web Access Console and Download the Desktop

Access Console 13

Consoles & Downloads: Download Drivers 14

My Account: Email Settings and Extended Availability Mode 16

My Account: Change Password Settings and add Passwordless Authenticators 16

Configuration 19

Options: Manage Connection Options, Record Sessions, Speed Up Sessions 19

Teams: Group Users into Teams 22

Custom Fields: Create, Edit, Delete Custom API Fields 24

Jump 25

Jump Clients: Manage Settings and Install Jump Clients for Endpoint Access 25

Jump Groups: Configure Which Users Can Access Which Jump Items 31

Jump Policies: Set schedules, notifications, and approvals for Jump Items 33

Jump Item Roles: Create Permission Sets for Jump Items 37

Jumpoint: Set Up Unattended Access to a Network 39

Jump items: mass import Jump shortcuts and manage Jump item settings 42

Endpoint automation: run scripts on multiple endpoints without sessions 51

Manage vault accounts 53

Add account 54

Rotate 54

Search shared accounts 54

Check out and check in a shared account 54

Ellipsis menu for shared accounts 54

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

This page needed for table of

contents. Do not delete.

Search personal accounts 55

View password for personal account 55

Edit personal account 55

Account Groups: Add and Manage Account Groups 55

Account Policies: Add and Manage Account Policies 58

Endpoints: View and Manage Discovered Systems 60

Services: View and Manage Discovered Services 61

Domains: Add and Manage Domains 61

Discovery: Discover Accounts, Endpoints, and Services in a Domain 63

Options: Configure Global Default Account Policy Settings and Password Length for

Account Rotation 67

Access console 69

Access console settings: manage default access console settings 69

Custom Links: Add URL Shortcuts to the Access Console 72

Canned Scripts: Create Scripts for Screen Sharing or Command Shell Sessions 73

Special Actions: Create Custom Special Actions 75

Users and Security 77

Users: Add Account Permissions for a User or Admin 77

User Accounts for Password Reset: Allow Users to Set Passwords 88

Access Invite: Create Profiles to Invite External Users to Sessions 89

Security Providers: Enable LDAP, RADIUS, Kerberos, SCIM, and SAML2 Logins 90

Vendor Groups 106

Session Policies: Set Session Permission and Prompting Rules 109

Group Policies: Apply User Permissions to Groups of Users 115

Kerberos Keytab: Manage the Kerberos Keytab 129

Reports 130

Access: Report on Session Activity 130

Vault: Report on Vault Account and User Activity 132

Vendors: Report on Vendor Accounts and User Activity 133

Jump Item: Report on Jump Item Activity 134

Syslog: Download Report Containing All Syslog Files on the Appliance 135

Compliance: Make Privileged Remote Access Data Anonymous to Meet Compliance

Standards 136

Languages: Manage Installed Languages 138

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

This page needed for table of

contents. Do not delete.

Languages: Manage Installed Languages 138

Management 140

Software: Download a Backup, Upgrade Software 140

Security: Manage Security Settings 142

Site Configuration: Set HTTP Ports, Enable Prerequisite Login Agreement 149

Email configuration: configure the software to send emails 150

Outbound Events: Set Events to Trigger Messages 156

Cluster: Configure Atlas Cluster Technology for Load Balancing 159

Failover: Set Up a Backup B Series Appliance for Failover 162

API Configuration: Enable the XML API and Configure Custom Fields 165

Support: Contact BeyondTrust Technical Support 167

Ports and Firewalls 169

Disclaimers, Licensing Restrictions and Tech Support 170

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

This page needed for table of

contents. Do not delete.

BeyondTrust Privileged Remote Access Admin Interface

This guide offers a detailed overview of /login and is designed to help you administer BeyondTrust users and your BeyondTrust software.

The BeyondTrust Appliance B Series serves as the central point of administration and management for your BeyondTrust software and

enables you to log in from anywhere that has internet access in order to download the access console.

Use this guide only after an administrator has performed the initial setup and configuration of the B Series Appliance as detailed in the

BeyondTrust Appliance B Series Hardware Installation Guide at www.beyondtrust.com/docs/privileged-remote-access/getting-

started/deployment/hardware-sra/. Once BeyondTrust is properly installed, you can begin accessing your endpoints immediately. Should

you need any assistance, please contact BeyondTrust Technical Support at www.beyondtrust.com/support.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

The user administrative interface enables administrators to create user accounts and configure software settings. Log in to the user

administrative interface by going to your B Series Appliance's URL followed by /login.

Although your B Series Appliance's URL can be any registered DNS, it is most likely a subdomain of your company's primary domain, for

example, access.example.com/login.

Default Username: admin

Default Password: password

Note: For security purposes, the administrative username and password used for the /appliance interface are distinct from

those used for the /login interface and must be managed separately.

If two-factor authentication is enabled for your account, enter the code from the authenticator app.

Note: If more than one language is enabled for your site, select the language you want to use from the dropdown menu.

You can also change the language of your choice after you login to the admin site.

For more information, please see Log into the PRA Access Console at https://www.beyondtrust.com/docs/privileged-remote-

access/getting-started/access-console/login-to-the-access-console.htm.

Use Passwordless Login

FIDO2-certified authenticators can be used to securely log in to the desktop access console, privileged web access console, and the /login

administrative interface without entering your password. You can register up to 10 authenticators.

If passwordless login has been enabled, Authenticate Using may default to Passwordless FIDO2, or it can be selected. The exact

process for passwordless login depends on the type of device and manufacturer.

You can enable passwordless login and set the default authentication after logging into the /login administrative interface, by navigating to

Management > Security, and then registering passwordless authenticators at My Account > Security. Administrators can view and

manage passwordless login registration and usage at Users & Security > Users > Passwordless Authenticators

Note: Passwordless login for the desktop access console on macOS or Linux systems is supported only for roaming

authenticators (such as the YubiKey hardware security keys). Platform or integrated authenticators (such as Face ID and

fingerprint scanners) are not supported for the desktop access console login when using macOS or Linux systems.

Use Integrated Browser Authentication

If Kerberos has been properly configured for single sign-on, you can click the link to use integrated browser authentication, allowing you to

enter directly into the web interface without requiring you to enter your credentials.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Forgot your password?

If password reset has been enabled from the /login > Management > Security page and the SMTP server has been set up for your site,

this link is visible. To reset your password, click the link, enter and confirm your email address, and then click Send. If there is more than

one user sharing the same email address, you are required to confirm your username. You will receive an email with a link that takes you

back to the login page. On the login screen, enter and confirm your new password, and then click Change Password.

Administrators may restrict access to the login screen by enabling a prerequisite login agreement that must be confirmed before the login

screen is displayed. The login agreement can be enabled and customized from the /login > Management > Site Configuration page.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Search /login Administrative Interface

From every page within Privileged Remote Access /login, you can search for settings and features within the administrative interface using

the search bar in the top-right corner. This feature searches for static text, including titles and labels, within the entirety of /login. Search

results are listed in a dropdown, grouped by page. You can click any of the items in the listed search results to be taken directly to the page

within /login. Titles and labels specific to your search are highlighted on the page.

Note:

Search results include only areas within /login where you have permissions.

User-entered items are not searched.

Search supports all languages supported by /login — all languages are searched and indexed.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

User Menu

The user dropdown menu, located in the upper-right corner of the screen, offers access to a few key features from anywhere on the admin

site. Click the user icon to view the logged-in user name and email address, and available links and options.

Log Out: Click to log out of the /login administrative interface. This does not log you out of any consoles. Those must be logged out

separately.

Change Email Settings: This is a link to My Account > Profile.

Change Password: This is a link to My Account > Security.

Launch Privileged Web Access Console: This gives you convenient access to the web console from anywhere in /login.

Download Access Console: This gives you a quick link to download the access console.

Enable Extended Availability: Click to enable this feature in the access console. Once enabled, this option switches to Disable, and can

be clicked again to disable this feature. Extended Availability Mode allows you to receive email invitations from other users requesting to

share a session when you are not logged into the console.

Language: Displays the current language. If more than one language is enabled for your site, select the language you want to use from

the dropdown menu. This language is also applied to the privileged web access console.

Color Scheme: Select your preferred color scheme for the /login administrative interface. You can switch between Light and Dark

modes, or System, which uses whatever mode is selected for your system.

For more information on these features, please see the following:

"Change Your Email Settings" on page 16

"Change Your Password" on page 16

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Status

Information: View Privileged Remote Access Site Status and Software Details

Status INFORMATION

Site Status

The main page of the BeyondTrust Privileged Remote Access /login interface gives an overview of your B Series Appliance statistics.

When contacting BeyondTrust Technical Support for software updates or troubleshooting purposes, you may be asked to email a

screenshot of this page.

Restart Privileged Remote Access Software

You can restart the BeyondTrust software remotely. Restart your software only if instructed to do so by BeyondTrust Technical Support.

Time Zone

An administrator can select the appropriate time zone from a dropdown, setting the correct date and time of the B Series Appliance for the

selected region.

Total Active Jump Clients Allowed

Review the total number of active Jump Clients that are allowed on your system. If you need more Jump Clients, contact BeyondTrust

Technical Support.

Maximum Concurrent Users

Review the maximum number of concurrent users that are allowed on your system. If you need more users, contact BeyondTrust

Technical Support.

Endpoint Licenses

View the number of endpoint licenses available on your BeyondTrust Appliance B Series. If you need more licenses, contact BeyondTrust

Sales.

Endpoints Configured

View the number of endpoints currently configured on your system.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Download License Usage Report

Download a ZIP file containing detailed information (English only) on your BeyondTrust license usage. This file contains a list of all Jump

Items (not counting uninstalled Jump Clients), daily counts for Jump Item operations and license usage, and a summary for the B Series

Appliance and its endpoint license usage and churn.

Client Software

This is the hostname to which BeyondTrust client software connects. If the hostname attempted by the client software needs to change,

notify BeyondTrust Technical Support of the needed changes so that Support can prepare a software update.

Connected Clients

View the number and type of BeyondTrust software clients that are connected to your B Series Appliance.

For more information about the BeyondTrust Appliance B Series, please see B Series Appliance Overview at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/deployment/index.htm.

ECM Clients

View the number of BeyondTrust Endpoint Credential Managers (ECM) that are connected to your B Series Appliance. Also, view

information about the location and connection time for each ECM, as well as the group it belongs to.

Note: To ensure optimal up-time, administrators can install up to three ECMs on different Windows machines to communicate

with the same credential store. A list of the ECMs connected to the appliance site can be found at /login > Status >

Information > ECM Clients.

Note: When ECMs are connected in a high availability configuration, the BeyondTrust Appliance B Seriesroutes requests to

the ECM in the ECM Group that has been connected to the appliance the longest.

For more information, please see Log Into Endpoints Using Credential Injection at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/web-access/credential-

injection.htm.

Users: View Logged In Users and Send Messages

Status USERS

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Logged In Users

View a list of users logged into the access console, along with their login time and whether they are running any sessions.

Terminate

You can terminate a user's connection to the access console.

Send Message to Users

Send a message to all logged-in users via a pop-up window in the access console.

Extended Availability Users

View users who have extended availability mode enabled.

Disable

You may disable a user's extended availability.

What's New: See Privileged Remote Access Software Release Details

Status WHAT'S NEW

What's New

Easily review BeyondTrust features and capabilities newly available with each release. Learning about new features as they become

available can help you make the most of your BeyondTrust deployment.

The first time you log into the administrative interface after a BeyondTrust software upgrade, the What's New page will receive focus,

alerting you that new features are available on your site. You must be an administrator to view this tab.

The information shown on the What's New page is also available to users in the access console from the Help > About menu.

For more information, please see BeyondTrust Privileged Remote Access Update Documentation at

https://www.beyondtrust.com/docs/privileged-remote-access/updates/index.htm.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Consoles & Downloads: Launch the Web Access Console and

Download the Desktop Access Console

Consoles & Downloads ACCESS CONSOLE

BeyondTrust Privileged Web Access Console

Launch the privileged web access console, a web-based access console. Access remote systems from your browser without having to

download and install the full access console.

BeyondTrust Access Console

Choose Platform

Choose the operating system on which you wish to install this software. This dropdown defaults to the appropriate installer detected for

your operating system.

For more information, please see Privileged Web Access Console Guide at https://www.beyondtrust.com/docs/privileged-

remote-access/getting-started/access-console/web-access/index.htm.

Download BeyondTrust Access Console

Download the BeyondTrust access console installer.

For system administrators who need to deploy the console installer to a large number of systems, the Microsoft Installer can be used with

your systems management tool of choice. In your command prompt, when composing the command to install the console using an MSI,

change to the directory where the MSI was downloaded and enter the command included on the My Account page.

You can include optional parameters for your MSI installation.

INSTALLDIR= accepts any valid directory path where you want the console to install.

RUNATSTARTUP= accepts 0 (default) or 1. If you enter 1, the console runs each time the computer starts up.

ALLUSERS= accepts "" (default) or 1. If you enter 1, the console installs for all users on the computer; otherwise, it installs only

for the current user.

SHOULDAUTOUPDATE=1 If you install for only the current user, you can choose to have the console automatically update each

time the site is upgraded by entering a value of 1; a value of 0 (default) does not auto-update, and the console must be manually

reinstalled when the site is upgraded. If you install the console for all users, it does not auto-update.

/quiet or /q runs the installer without displaying any windows, spinners, error, or other visible alerts.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Consoles & Downloads: Download Drivers

Consoles & Downloads DRIVERS

Remote Desktop Agent

Download Remote Desktop Agent Installer

Click to download. Install the Remote Desktop Agent on 64-bit Windows servers with Remote Desktop Services to launch and inject

credentials in administrator-defined applications.

Virtual Smart Card

A virtual smart card allows you to authenticate to a remote system using a smart card on your local system.

To attempt virtual smart card authentication, the BeyondTrust user must have the BeyondTrust virtual smart card driver installed. The

computer being accessed must be running in elevated mode. It must also either have the BeyondTrust endpoint virtual smart card driver

installed or be accessed by the Jump To functionality of the access console.

Note: This feature is not supported for ARM-based Windows systems.

For more details and requirements, please see the Smart Cards for Remote Authentication at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/smart-card/index.htm.

Choose Windows Architecture

Select the appropriate virtual smart card installer for the BeyondTrust user system or the endpoint system.

Download Virtual Smart Card Installer

Click to download the virtual smart card installer selected above.

Access Console Network Tunneling Service

Note: Network Tunnel Jump is an advanced feature and disabled by default. This feature can be activated, at no additional

cost, by contacting your BeyondTrust representative.

Protocol Tunnel Jump shortcuts, including Network Tunnel Jump, are enabled only if their Jumpoint is configured for the

Protocol Tunnel Jump method on the /login > Jump > Jumpoint page.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

If a Privileged Remote Access user needs access to an endpoint through an IP Network Tunnel, then the Access Console Network

Tunneling Service must be installed on the user system. The Access Console Network Tunneling Service requires 64-bit Windows

Environments. This feature can be installed manually or via a software deployment tool. Once installed, it creates a service: BeyondTrust

Privileged Remote Access Network Tunnel Endpoint service.

Click Download Access Console Network Tunneling Service Installer if required.

For more information, including other requirements for Network Tunnels, see Network Tunnel Jump.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

My Account: Email Settings and Extended Availability Mode

My Account PROFILE

Change Your Email Settings

Email Address

Set the email address to where email notifications are sent, such as password resets or extended availability mode alerts.

Preferred Email Language

Displays the current language. If more than one language is enabled for your site, select the language you want to use from the dropdown

menu.

Password

Enter the password for your /login account, not your email password. The password is required to confirm your identity before changing

your email settings.

Note: To change your password, please see "Change Your Password" on page 16.

Extended Availability Mode

Enable or Disable

Enable or disable Extended Availability Mode by clicking the Enable/Disable button. Extended Availability Mode allows you to receive

email invitations from other users requesting to share a session when you are not logged into the console.

My Account: Change Password Settings and add Passwordless Authenticators

My Account SECURITY

Change Your Password

BeyondTrust recommends changing your password regularly.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Username, Current Password, New Password

Verify that you are logged into the account for which you want to change the password, and then enter your current password. Create and

confirm a new password for your account. The password may be set to whatever you choose, as long as the string complies with the

defined policy set on the /login > Management > Security page.

Passwordless Authenticators

This feature is available only if enabled under Management > Security. The default authentication method is also selected here. Either

authentication method can be selected when logging in.

FIDO2-certified authenticators can be used to securely log in to the desktop access console (Windows only), privileged web access

console, and /login without entering your password. You can register up to 10 authenticators.

Only FIDO2-certified hardware authenticators that perform user verification – biometrics or PIN – are allowed.

There are two types of authenticators:

Roaming

Roaming authenticators, or cross-platform security keys like YubiKeys, are FIDO2-certified external devices that use biometrics or a PIN

for user verification. They can be used instead of your password when logging into the desktop access console (Windows only), privileged

web access console, and /login on any machine and supported operating system that allows the use of external FIDO2 authenticators.

Platform

Platform authenticators such as Windows Hello or macOS Touch ID are integrated, FIDO2-certified biometric authenticators. These

authenticators are tied to the machine where you registered the authenticator. They can be used instead of your password when logging

into the desktop access console (Windows only), privileged web access console, and /login. On macOS and Linux, platform

authenticators can only be used in the browser they were registered in. Incognito or private browsing windows cannot be used for

authentication.

The screen shows all registered authenticators, with their name, type, registration date and time, and last usage date and time. Registered

authenticators can be edited or deleted by selecting them and clicking the appropriate icon.

To register a new authenticator, click Register.

Select Roaming or Platform, depending on your requirements.

Enter an Authenticator Name. Choose a name to help you identify this authenticator when viewing all registered authenticators in a list.

Enter your BeyondTrust Privileged Remote Access Account Password. This is the password used to log in with Username & Password

authentication, not the authenticator's PIN or passcode. It is used to confirm your identity before allowing a new authenticator to be

registered to your account. It is not associated with the authenticator in any way.

Click Continue.

The remaining steps for registering your authenticator depend on the type, the manufacturer, the browser, and the OS.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Tip: The browser or OS can timeout the authentication if there are delays responding to prompts.

Set up authenticators (for example, YubiKey or Windows Hello) within the OS before registering the authenticator. It is

important to follow the manufacturer's directions. For example, YubiKey Bio requires a PIN at setup, even for fingerprint

authentication.

Windows Hello can be set up using a PIN and a fingerprint. If this is done, either method can be used, regardless of how it is

registered.

Registering an authenticator might fail if the browser and OS combination does not support passwordless authentication. For

example, Firefox 110 does not support passwordless authentication for Linux and macOS. A warning message is usually

generated in these cases.

Note: Authenticators usually record failed authentication attempts, and may lock. They must be reset following the

manufacturer's instructions. A failed authentication at the authentication device does not count as a failed login to the

BeyondTrust site, as the incorrect information is not submitted to the site.

Two Factor Authentication

Activate Two Factor Authentication

Activate two-factor authentication (2FA) to increase the level of security for users accessing /login and the BeyondTrust access console.

Click Activate Two Factor Authentication and scan the displayed QR code using an authenticator app, such as Google Authenticator.

Alternatively, you can manually enter the alphanumeric code displayed below the QR code into your authenticator app.

The app automatically registers the account and begins providing you with codes. Enter your password and the code generated by the

authenticator app, and then click Activate. Please note that each code is valid for 60 seconds, after which time a new code is generated.

Once you log in, you have the option to switch to a different authenticator app or disable 2FA.

Note: If 2FA was deployed by your administrator, you do not have the option to disable it.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Configuration

Options: Manage Connection Options, Record Sessions, Speed Up Sessions

Configuration OPTIONS

Session Options

Require Closed Sessions on Logout or Quit

If you check Require Closed Sessions on Logout or Quit, users will be unable to log out of the console if they currently have any

session tabs open.

Connection Options

Reconnect Timeout

Determine how long a disconnected endpoint client should attempt to reconnect.

Restrict physical access to the endpoint if the endpoint loses its connection or if all of the users in

session are disconnected

If the session connection is lost, the remote system's mouse and keyboard input can be temporarily disabled, resuming either when the

connection is restored or when the session is terminated.

Access Session Logging Options

Enable Screen Sharing Recording

Choose if screen sharing sessions should be automatically recorded as videos.

Screen Sharing Recording Resolution

Set the resolution at which to view session recording playback.

Note: All recordings are saved in raw format; the resolution size affects playback only.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Enable User Recording for Protocol Tunnel Jump

Choose if Protocol Tunnel Jump sessions should be automatically recorded as videos. Because Protocol Tunnel Jumps require the use of

a third-party application of choice, the user's entire desktop is captured, including all monitors.

User Recording Resolution

Set the resolution at which to view session recording playback.

Note: All recordings are saved in raw format; the resolution size affects playback only.

Require User's Consent Before Recording Starts

Choose if users should receive a prompt telling them that their desktop will be recorded when beginning a Protocol Tunnel Jump session.

Please note that if the user does not consent, Protocol Tunnel Jump session will not continue.

Enable Command Shell Recording

Choose if command shell sessions should be automatically recorded as videos. Enabling command shell recordings also enables

command shell sessions to be available as text transcripts.

Command Shell Recording Resolution

Set the resolution at which to view session recording playback.

Note: All recordings are saved in raw format; the resolution size affects playback only.

IMPORTANT!

The recording settings enabled on this page can be overridden by a Jump Policy that has Disable Session Recordings selected.

This affects screen sharing, protocol tunnel Jump recording, and command shell recordings.

Enable Automatic Logging of System Information

Choose if system information should be automatically pulled from the remote system at the beginning of the session, to be available later

in the session report details.

Enable Session Forensics

Choose if you want the added capability to search across all sessions based on session events, which include chat messages, file

transfer, registry editor events, and session foreground window changed events. This feature is enabled by default.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Note: If Command Shell is enabled, Session Forensics allows you to do an in-depth search of shell recordings. When you

search for a key term and a match is made in a stored shell recording, the video will automatically be queued to that point in

time in the recording. No command output or passwords are recorded.

Peer to Peer Options

Enabling peer-to-peer connections for access sessions enhances the performance of screen sharing, file transfer, and command shell

tools. Additional firewall configuration might be required to successfully establish peer-to-peer connections.

Disabled

This is the default setting. Disables Peer to Peer connections. To enable this feature, you must choose a server to negotiate the session.

When screen sharing, file transfer, or command shell is detected, the peer-to-peer connection is attempted. If successful, this creates a

direct connection between the user and the client systems, while still sending a second data stream to the B Series Appliance for auditing

purposes. If for any reason a peer-to-peer connection cannot be established, the session traffic defaults to the B Series Appliance-

mediated connection.

Use BeyondTrust Hosted Peer to Peer Server

BeyondTrust clients attempt to reach a peer-to-peer connection through the server hosted by BeyondTrust. This requires that your

BeyondTrust clients can make outbound UDP 3478 connection requests to stun.bt3ng.com. This setting is expected to work in most

situations.

Use B Series Appliance as Peer to Peer Server

If your organization requires specific security settings for traffic, you can use the B Series Appliance as a peer-to-peer server. This

requires that your B Series Appliance be able to accept inbound UDP 3478 connection requests by your BeyondTrust clients. Further

firewall settings are required.

For more information, please see BeyondTrust Appliance B Series Administration: Restrict Accounts, Networks, and Ports,

Enable a STUN Server, Set Up Syslog, Enable Login Agreement, Reset Admin Account at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/deployment/web/security-appliance-

administration.htm.

Access Portal Logo

Administrators may upload a custom logo image to be displayed on public-facing web pages. This allows external users to verify they are

on your organization's web site, as well as enhancing the access portal with your organization's branding.

The logo image is displayed on the following public-facing web pages:

Access invite download page (the page shown after clicking a link in an access invite email)

Public recording URLs (view and download)

Extended availability responses (the page shown after clicking a link in an extended availability invitation email)

Jump approval authorizations (the page shown after clicking a link in a Jump approval email)

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Note: Uploaded logo image files may be in any standard image format. The logical image size maximum is 250 pixels wide

and 64 pixels high. However, BeyondTrust supports high density displays which allows for a maximum physical size of 500

pixels wide and 128 pixels high.

Teams: Group Users into Teams

Configuration TEAMS

Manage Teams

Grouping users into teams aids efficiency by assigning leadership within groups of users. In the access console, each team appears as a

separate queue for sessions.

Add New Team, Edit, Delete

Create a new team, modify an existing team, or remove an existing team. Deleting a team does not delete those user accounts, only the

team with which they are associated.

Add or Edit Team

Team Name

Create a unique name to help identify this team.

Code Name

Set a code name for integration purposes. If you do not set a code name, PRA creates one automatically.

Comments

Add comments to help identify the purpose of this object.

Group Policies

Note any group policies which assign members to this team. Click the link to go to the Group Policies page to verify or assign policy

members.

Team Members

Search for users to add to this team. You can set each member's role as a Team Member, Team Lead, or Team Manager. These roles

play a significant part in the Dashboard feature of the access console.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

In the table below, view existing team members. You can filter the view by entering a user's name in the filter box. You can also edit a

member's role or delete a member from the team.

To add a group of users to a team, go to Users & Security > Group Policies and assign that group to one or more teams in a given role.

Note: You may be unable to edit or delete some team members. This occurs when a user is added via group policy.

You can click the group policy link to modify the policy as a whole. Any changes made to the group policy apply to all members

of that group policy.

You can also add the individual to the team, overriding their settings as defined elsewhere.

Dashboard Settings

Within a team, a user can administrate only others with roles lower than their own. Note, however, that roles apply strictly on a team-by-

team basis, so a user may be able to administrate another user in one team but not be able to administer that same user in another team.

Monitoring Team Members from Dashboard

If enabled, a team lead or manager can monitor team members from the dashboard. Choose to Disable the ability to monitor, or choose

Only Access Console to allow a team lead or manager to monitor a team member's access console. Monitoring affects team leads and

managers for all teams on the site.

Enable Session Join and Take Over in Dashboard

If this option is checked, a team lead can join or take over a team member's sessions. Similarly, a team manager can administrate both

team members and team leads. The team lead must have start session access to the Jump Item that was used to create the session,

unless the option below is also checked.

Allow Team Managers/Leads to use "Transfer", "Take Over" and "Join Session" for sessions that are started

from Jump Items to which they do not have "Start Session" access.

If this option is checked, a team lead can join or take over a team member's sessions, even if the team lead does not have start session

access to the Jump Item that was used to create the session.

Team Chat History

Enable Replay of Team Chat History

If this option is checked, chat messages to everyone in the Team Chat area of the access console persist between access console logins.

This prevents loss of chat history if the connection is lost. This does not affect chat within a session, or private chats.

Hours of Team Chat History to Replay

By default, 8 hours of history is retained. This can be changed from a minimum of 1 to a maximum of 24, using the + and - icons or entering

the desired value. The time is set in one hour increments. Click Save after changing the time.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Note: A maximum of 1000 chat messages is replayed. This limit applies regardless of the number of hours selected.

Custom Fields: Create, Edit, Delete Custom API Fields

Configuration CUSTOM FIELDS

Create custom API fields to gather information about your customer, enabling you to more deeply integrate BeyondTrust with your existing

programs. Custom fields must be used in combination with the BeyondTrust API. Create a new field, modify an existing field, or remove an

existing field.

Add or Edit Custom API Field

Display Name

Create a unique name to help identify this custom field. This name is displayed in the access console as part of the session details.

Code Name

Set a code name for integration purposes. If you do not set a code name, PRA creates one automatically.

Show in Access Console

If you check Show in Access Console, this field and its values will be visible wherever custom session details are displayed in the

access console.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Jump

Jump Clients: Manage Settings and Install Jump Clients for Endpoint Access

Jump JUMP CLIENTS

Jump Client Installer List

This list shows all previously installed active Jump Client installers. Administrators and privileged users can view, download, delete, or

extend Jump Client installers.

A warning message appears at the top of the list: Installing more than one Jump Client on the same system is being phased out in a future

release. In the Access Console you may use the copy action on a Jump Client to apply different policies to the same endpoint. Click

Dismiss to remove the warning message.

Generic Jump Client Installer Download

The generic installer allows you to create Jump Client and Jumpoint installers that are not tied to a specific Jump Client or Jumpoint.

Generic installers can be used for automated or ephemeral deployments on VM images, and do not require authenticating and

downloading the Jump Client or Jumpoint-specific installer once deployed.

To use the generic Jump Client installer, select your desired platform, and click Download. When prompted, copy the Jump Client-

specific key to complete the installation.

Jump Client Mass Deployment Wizard

To access the Jump Client Mass Deployment Wizard, click Add at the top of the Jump Client Installer List.

The Mass Deployment Wizard enables administrators and privileged users to deploy Jump Clients to one or more remote computers for

later unattended access.

For more information, please see Privileged Remote Access Jump Client Guide: Unattended Access to Systems in Any

Network at https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jump-clients/index.htm.

Jump Group

From the Jump Group dropdown, select whether to pin the Jump Client to your personal list of Jump Items or to a Jump Group shared by

other users. Pinning to your personal list of Jump Items means that only you can access this remote computer through this Jump Client.

Pinning to a shared Jump Group makes this Jump Client available to all members of that Jump Group.

Name

Add a name for the Jump Client.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Some Mass Deployment Wizard settings allow override, enabling you to use the command line to set parameters that are specific to your

deployment, prior to installation.

Jump Policy

You may apply a Jump Policy to this Jump Client. Jump Policies are configured on the Jump > Jump Policies page and determine the

times during which a user can access this Jump Client. A Jump Policy can also send a notification when it is accessed or can require

approval to be accessed. If no Jump Policy is applied, this Jump Client can be accessed without restriction.

Jumpoint Proxy

If you have one or more Jumpoints set up as proxies, you can select a Jumpoint to proxy these Jump Client connections. That way, if

these Jump Clients are installed on computers without native internet connections, they can use the Jumpoint to connect back to your B

Series Appliance. The Jump Clients must be installed on the same network as the Jumpoint selected to proxy the connections.

Attempt an Elevated Install if the Client Supports It

If Attempt an Elevated Install if the Client Supports It is selected, the installer attempts to run with administrative rights, installing the

Jump Client as a system service. If the elevated installation attempt is unsuccessful or if this option is deselected, the installer runs with

user rights, installing the Jump Client as an application. This option applies only to Windows and Mac operating systems.

Note: A Jump Client pinned in user mode is available only when that user is logged in. In contrast, a Jump Client pinned in

service mode, with elevated rights, allows that system to always be available, regardless of which user is logged in.

This Installer Is Valid For

The installer remains usable only as long as specified by the This Installer is Valid For dropdown. Be sure to leave adequate time for

installation. If someone should attempt to run the Jump Client installer after this time, installation fails, and a new Jump Client installer

must be created. Additionally, if the installer is run within the allotted time but the Jump Client is unable to connect to the B Series

Appliance within that time, the Jump Client uninstalls, and a new installer must be deployed. The validity time can be set for anywhere

from 10 minutes to 1 year. This time does NOT affect how long the Jump Client remains active.

Once a Jump Client has been installed, it remains online and active until it is uninstalled from the local system either by a user from the

Jump interface or by an uninstall script. It can also be uninstalled, or extended, from the Jump Client Installer List. A user cannot remove a

Jump Client unless the user is given appropriate permissions by their admin from the /login interface.

Comments

Add Comments, which can be helpful in searching for and identifying remote computers. Note that all Jump Clients deployed via this

installer have the same comments set initially, unless you check Allow Override During Installation and use the available parameters to

modify the installer for individual installations.

Session Policy

You may choose a session policy to assign to this Jump Client. Session policies are configured on the Users & Security > Session

Policies page. A session policy assigned to this Jump Client has the highest priority when setting session permissions.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

For more information, please see at Session Policies: Set Session Permission and Prompting Rules at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/admin/session-policies.htm.

Maximum Offline Minutes Before Deletion

You can set the Maximum Offline Minutes Before Deletion of a Jump Client from the system. This setting overrides the global setting, if

specified.

Prompt for Elevation Credentials if Needed

If Prompt for Elevation Credentials if Needed is selected, the installer prompts the user to enter administrative credentials if the system

requires that these credentials be independently provided; otherwise, it installs the Jump Client with user rights. This applies only if an

elevated install is being attempted.

Tag

Adding a Tag helps to organize your Jump Clients into categories within the access console.

Allow Override During Installation

Some Mass Deployment Wizard settings allow override, enabling you to use the command line to set parameters that are specific to your

deployment, prior to installation.

Mass Deploy Help

For system administrators who need to push out the Jump Client installer to a large number of systems, the Windows, Mac, or Linux

executable or the Windows MSI can be used with your systems management tool of choice. You can include a valid custom install

directory path where you want the Jump Client to install.

Note: It is common for receive an error message during the install, regarding a layout or appearance issue. This can be

disregarded.

Duplicate installations of Jump Clients or large numbers of installations can lead to installation failures or degraded

performance. Please see Review Best Practices for Jump Client Mass Deployment.

You can also override certain installation parameters specific to your needs. When you mark specific installation options for override

during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations. Note that if

a parameter is passed on the command line but not marked for override in the /login administrative interface, the installation fails. If the

installation fails, view the operating system event log for installation errors.

Command Line Parameter Value Description

--install-dir <directory_path>

Specifies a new writable directory under which to

install the Jump Client. This is supported only on

Windows and Linux. When defining a custom install

directory, ensure that the directory you are creating

does not already exist and is in a location that can be

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

written to.

--jc-name <name...>

If override is allowed, this command line parameter

sets the Jump Client's name.

--jc-jump-group

user:<username>jumpgroup:<jumpgroup-

code-name>

If override is allowed, this command line parameter

overrides the Jump Group specified in the Mass

Deployment Wizard.

--jc-session-policy <session-policy-code-name>

If override is allowed, this command line parameter

sets the Jump Client's session policy that controls the

permission policy during an access session.

--jc-jump-policy <jump-policy-code-name>

If override is allowed, this command line parameter

sets the Jump Policy that controls how users are

allowed to Jump to the Jump Client.

--jc-max-offline-minutes <minutes>

The maximum number of minutes a Jump Client can

be offline before it is deleted from the system. This

setting overrides the global setting if specified.

--jc-ephemeral

Sets the maximum number of minutes a Jump Client

will be offline before it is deleted from the system to 5

minutes. This is a convenience option that specifies

the Jump Client as being ephemeral and is functionally

equivalent to specifying --jc-max-offline-minutes 5

--jc-tag <tag-name>

If override is allowed, this command line parameter

sets the Jump Client's tag.

--jc-comments <comments ... >

If override is allowed, this command line parameter

sets the Jump Client's comments.

--silent

If included, the installer shows no windows, spinners,

errors, or other visible alerts.

Note: When deploying an MSI installer on Windows using an msiexec command, the above parameters can be specified by:

1. Removing leading dashes (--)

2. Converting remaining dashes to underscores (_)

3. Assigning a value using an equal sign (=)

MSI Example:

msiexec /i bomgar-pec-win32.msi KEY_INFO=w0dc3056g7ff8d1j68ee6wi6dhwzfefggyezh7c40jc90

jc_jump_group=jumpgroup:server_support jc_tag=servers

When deploying an EXE installer, the above parameters can be specified by:

Adding dashes

Adding a space between the parameter and the value

EXE Example:

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

bomgar-pec-[unique id].exe --jc-jump-group jumpgroup:servers --jc-tag servers

Other rules to consider:

installdir has a dash in the EXE version but no dashes in the MSI version.

/quiet is used for the MSI version in place of --silent in the EXE version.

Jump Client Statistics

An administrator can choose which statistics to view for all Jump Clients on a site-wide basis. These statistics are displayed in the access

console and include CPU, console user, disk usage, a thumbnail of the remote screen, and uptime.

Upgrade

Maximum bandwidth of concurrent Jump Client upgrades

You can regulate the bandwidth used during upgrades by setting Maximum bandwidth of concurrent Jump Client upgrades.

Maximum number of concurrent Jump Client upgrades

Also set the maximum number of Jump Clients to upgrade at the same time. Note that if you have a large number of Jump Clients

deployed, you may need to limit this number to regulate the amount of bandwidth consumed.

Note: This setting does not affect access console upgrades.

Automatic Jump Client Upgrades

Use the radio buttons below to control automatic Jump Client upgrades. You can:

Permanently disable Jump Client upgrades.

Temporarily enable Jump Client upgrades for the current upgrade cycle.

Permanently enable Jump Client upgrades.

Note: In order to manually update Jump Clients in the privileged web access console, you must first disable Automatic Jump

Client Upgrades.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Maintenance

Number of days before Jump Clients that have not connected are automatically deleted

If a Jump Client goes offline and does not reconnect to the B Series Appliance for the number of days specified by the Number of days

before Jump Clients that have not connected are automatically deleted setting, it is automatically uninstalled from the target

computer and is removed from the Jump interface of the access console.

Note: This setting is shared with the Jump Client during normal operation so that even if it cannot communicate with the site, it

uninstalls itself at the configured time. If this setting is changed after the Jump Client loses connection with the B Series

Appliance, it uninstalls itself at the previously configured time.

Number of days before Jump Clients that have not connected are considered lost

If a Jump Client goes offline and does not reconnect to the B Series Appliance for the number of days specified by the Number of days

before Jump Clients that have not connected are automatically deleted setting, it is labeled as lost in the access console. No

specific action is taken on the Jump Client at this time. It is labeled as lost only for identification purposes, so that an administrator can

diagnose the reason for the lost connection and take action to correct the situation.

Note: To allow you to identify lost Jump Clients before they are automatically deleted, this field should be set to a smaller

number than the deletion field above.

Uninstalled Jump Client Behavior

Uninstalled Jump Client Behavior determines how a Jump Client deleted by an end user is handled by the access console. Depending

on dropdown option selected, the deleted item can either be marked as uninstalled and kept in the list or actually be removed from the

Jump Items list in the access console. If the Jump Client cannot contact the B Series Appliance at the time it is uninstalled, the affected

item remains in its offline state.

Miscellaneous

Allow Representative to attempt to wake up Jump Clients

Allow users to attempt to wake up Jump Clients provides a way to wake up a selected Jump Client by broadcasting Wake-on-LAN

(WOL) packets through another Jump Client on the same network. Once a WOL is attempted, the option becomes unavailable for 30

seconds before a subsequent attempt can be made. WOL must be enabled on the target computer and its network for this function to

work. The default gateway information of the Jump Client is used to determine if other Jump Clients reside on the same network. When

sending a WOL packet, the user has an advanced option to provide a password for WOL environments that require a secure WOL

password.

Note: You can set Jump Clients to allow or disallow simultaneous Jumps from the Jump > Jump Items > Jump Settings

section. If allowed, multiple users can gain access to the same Jump Client without an invitation to join an active session by

another user. If disallowed, only one user can Jump to a Jump Client at a time. Only an invitation by the user who originated

the session can allow for a second user to access the session.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

For more information, please see Manage Jump Client Settings at https://www.beyondtrust.com/docs/privileged-remote-

access/how-to/jump-clients/settings.htm.

Use screen state to detect Customer Presence

When enabled, a customer will be considered present only if a user is logged in, the system is not locked, and a screen saver is not

running. When disabled, a customer will be considered present if a user is logged in, regardless of the screen state. Customer Presence

affects the session policy used for sessions started from a Jump Client.

Global connection rate for Jump Clients

The global connection rate setting is used by disconnected Jump Clients as a clue to know how aggressively to try to reconnect.

Jump Groups: Configure Which Users Can Access Which Jump Items

Jump JUMP GROUPS

Jump Groups

A Jump Group is a way to organize Jump Items, granting members varying levels of access to those items. Users are assigned to Jump

Groups either from this page or from the Users & Security > Group Policies page.

Add New Jump Group, Edit, Delete

Create a new group, modify an existing group, or remove an existing group.

Search Jump Groups

To quickly find an existing group in the list of Jump Groups, enter the name, part of the name, or a term from the comments. The list filters

all groups with a name or comment containing the entered search term. The list remains filtered until the search term is removed, even if

the user goes to other pages or logs out. To remove the search term, click the X to the right of the search box.

Add or Edit Group

Name

Create a unique name to help identify this group. This name helps when adding Jump Items to a group as well as when determining which

users and group policies are members of a Jump Group.

Code Name

Set a code name for integration purposes. If you do not set a code name, PRA creates one automatically.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

ECM Group

Select which ECM group to associate with the Jump Group. The dropdown menu shows ECM groups have been created on the site. If

there are no custom ECM Groups, only Default is available as an option. Credential requests originating from Jump Items in a Personal

Jump Group are routed to the Default ECM group.

Note: This feature is only present if enabled when your site is built. If it is not present, please contact your site administrator.

Note: While the ECM Groups must exist to be associated with a Jump Group, they still need to be associated with an API

Account in order for routing to occur. For more information, please see "API Configuration: Enable the XML API and Configure

Custom Fields" on page 165.

Comments

Add a brief description to summarize the purpose of this Jump Group.

Group Policies

This displays a listing of the group policies which assign users to this Jump Group.

Allowed Users

Search for users to add to this Jump Group. You can set each user's Jump Item Role to set their permissions specific to Jump Items in

this Jump Group, or you can use the user's default Jump Item Roles as set on the Users & Security > Group Policies or Users &

Security > Users page. A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage.

You can also apply a Jump Policy to each user to manage their access to the Jump Items in this Jump Group. Selecting Set on Jump

Items instead uses the Jump Policy applied to the Jump Item itself. Jump Policies are configured on the Jump > Jump Policies page and

determine the times during which a user can access this Jump Item. A Jump Policy can also send a notification when it is accessed or can

require approval to be accessed. If neither the user nor the Jump Item has a Jump Policy applied, this Jump Item can be accessed without

restriction.

Existing Jump Group users are shown in a table. You can filter the list of users by entering a username in the Filter box. You can also edit

a user's settings or delete the user from the Jump Group.

To add groups of users to a Jump Group, go to Users & Security > Group Policies and assign that group to one or more Jump Groups.

Note: Edit and delete functionality may be disabled for some users. This occurs either when a user is added via group policy

or when a user's system Jump Item Role is set to anything other than No Access.

You can click the group policy link to modify the policy as a whole. Any changes made to the group policy apply to all members

of that group policy.

You can click the user link to modify the user's system Jump Item role. Any changes to the user's system Jump Item role apply

to all other Jump Groups in which the user is an unassigned member.

You also can add the individual to the group, overriding their settings as defined elsewhere.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

For more information, please see Use Jump Groups to Configure Which Users Can Access Which Jump Items at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jumpoint/jump-groups.htm.

Jump Policies: Set schedules, notifications, and approvals for Jump Items

Jump JUMP POLICIES

Jump Policies

Jump Policies are used to control when certain Jump Items can be accessed by implementing schedules, sending email notifications

when a Jump Item is accessed, or requiring approval or user entry of a ticket system ID before a Jump Item may be accessed.

Add new Jump Policy, edit, delete

Create a new policy, modify an existing policy, or remove an existing policy.

Add or edit a policy

Display Name

Create a unique name to help identify this policy. This name should help users identify this policy when assigning it to Jump Items.

Code Name

Set a code name for integration purposes. If you do not set a code name, PRA creates one automatically.

Description

Add a brief description to summarize the purpose of this policy.

Jump schedule

Enabled

Set a schedule to define when Jump Items under this policy can be accessed. Set the time zone you want to use for this schedule, and

then add one or more schedule entries. For each entry, set the start day and time and the end day and time.

If, for instance, the time is set to start at 8 am and end at 5 pm, a user can start a session using this Jump Item at any time during this

window but may continue to work past the set end time. Attempting to re-access this Jump Item after 5 pm, however, results in a

notification indicating that the schedule does not permit a session to start. If necessary, the user may choose to override the schedule

restriction and start the session anyway.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Force session to end when schedule does not permit access

If stricter access control is required, check Force session to end. This forces the session to disconnect at the scheduled end time. In this

case, the user receives recurring notifications beginning 15 minutes prior to being disconnected.

Jump notification

Notify recipients when a session starts

If this option is checked, a notification email is sent to the designated recipients whenever a session is started with any Jump Item that

uses this Jump Policy. When a user attempts to start a session with a Jump Item that uses this policy, a prompt states that a notification

email will be sent and asks if the user would like to start the session anyway.

Notify recipients when a session ends

If this option is checked, a notification email is sent to the designated recipients whenever a session ends for any Jump Item that uses this

Jump Policy. When a user attempts to start a session with a Jump Item that uses this policy, a prompt states that a notification email will be

sent at the end of the session and asks if the user would like to start the session anyway.

Email Address(es)

Enter one or more email addresses to which emails should be sent. Separate addresses with a space.This feature requires a valid SMTP

configuration for your B Series Appliance, set up on the /login > Management > Email Configuration page.

Display Name

Enter a name for the approver. This name appears on the prompt the user receives prior to a session with a Jump Item that uses this

policy.

Locale

If more than one language is enabled on this site, set the language in which to send emails.

Jump approval

Require a ticket ID before a session starts

If this option is checked, the user must enter a valid ticket ID before an access session can begin. When a user attempts to access an

endpoint with this Jump Policy applied, the user must enter a ticket ID from your existing ITSM or ticket ID approval process before access

is granted. Configure the ITSM or ticket system integration from the Jump Policies :: Ticket Systemsection.

Require approval before a session starts

If this option is checked, an approval email is sent to the designated recipients whenever a session is attempted with any Jump Item that

uses this Jump Policy. When a user attempts to start a session with a Jump Item that uses this policy, a dialog prompts the user to enter a

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

request reason and the time and duration for the request.

Maximum Access Duration

Set the maximum length of time for which a user can request access to a Jump Item that uses this policy. The user can request a shorter

length of access but no longer than that set here.

Access Approval Applies To

When approval has been granted to a Jump Item, that Jump Item becomes available either to any user who can see and request access to

that Jump Item or only to the user who requested access.

Jump Approvers

Enter an email address or user name, or a team name so that anyone on that team can approve the jump. Separate multiple entries with a

space.This feature requires a valid SMTP configuration for your B Series Appliance, set up on the /login > Management > Email

Configuration page.

Display Name

Enter a name for the approver. This name appears on the prompt the user receives prior to a session with a Jump Item that uses this

policy.

Locale

If more than one language is enabled on this site, set the language in which to send emails.

Disable recordings

Disable Recordings

If this option is checked, sessions started with this Jump Policy will not be recorded, even if recordings are enabled on the Configuration

> Options page. This affects screen sharing, user recordings for protocol tunnel Jump, and command shell recordings.

Email notification template

Subject

Customize the subject of this email. Click the link below the Body field to view the macros that can used to customize the text in your

emails for your purposes.

Body

Customize the body of this email. Click the link below the Body field to view the macros that can used to customize the text in your emails

for your purposes.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Email approval template

Subject

Customize the subject of this email. Click the link below the Body field to view the macros that can used to customize the text in your

emails for your purposes.

Body

Customize the body of this email. Click the link below the Body field to view the macros that can used to customize the text in your emails

for your purposes.

Ticket system

Ticket System URL

In Ticket System URL, enter the URL for your external ticket system. The B Series Appliance sends an outbound request to your external

ticketing system. The URL must be formatted for either HTTP or HTTPS. If an HTTPS URL is entered, the site certificate must be verified

for a valid connection. If a Jump Policy requiring a ticket ID exists, a ticket system URL must be entered or you will receive a warning

message.

Upload a certificate for HTTPS connections

Click Choose a certificate to upload the certificate for the HTTPS ticket system connection to the B Series Appliance. If your certificate is

uploaded, the B Series Appliance uses it when it contacts the external system. If you do not upload a certificate and the Ignore SSL

certificate errors box below this setting is checked, the B Series Appliance optionally falls back to use the built-in certificate store when

sending the request.

User Prompt

In User Prompt, enter the dialog text you want access console users to see when they are requested to enter the ticket ID required for

access.

Treat the Ticket ID as sensitive information

If this box is checked, the ticket ID is considered sensitive information and asterisks are shown instead of text. You must use an HTTPS

Ticket System URL. If an address with HTTP is entered, an error message appears to remind you HTTPS is required.

When this feature is enabled you cannot bypass issues with SSL certificates by checking the Ignore SSL certificate errors box. This

means you must have a valid SSL certificate in place. If you try to check the Ignore SSL certificate errors box, a message appears

stating that you cannot ignore SSL certificate errors.

When the Ticket ID is sensitive, the following rules apply:

Both the desktop and the web access consoles show asterisks instead of text.

The ticket is not logged anywhere by the access console or on the B Series Appliance.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

For more information, please see Create Jump Policies to Control Access to Jump Items at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jumpoint/policies.htm.

Ignore SSL certificate errors

If checked, the B Series Appliance does not include the certificate validation information when it is contacting the external ticket system.

Leave this box unchecked if you are uploading a certificate for secure HTTPS connection.

Two factor authentication

Two Factor Authentication Challenge

For additional security, the Jump Policy can require an end-user to confirm their identity using a multi-factor authentication challenge

before starting or elevating a session. If desired, check Must complete a two factor authentication challenge before starting or

elevating a session.

Jump Item Roles: Create Permission Sets for Jump Items

Jump JUMP ITEM ROLES

Jump Item Roles

A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage. Jump Item Roles are applied to users

either from the Jump > Jump Groups page or from the Users & Security > Group Policies page.

If more than one role is assigned to a user, then the most specific role for a user is always used. The order of specificity for Jump Item

Roles, from most specific to least specific, is:

The role assigned to the relationship between a user and a Jump Group on the Jump > Jump Groups page.

The role assigned to the relationship between a user and a Jump Group on the Users & Security > Group Policies page.

The Jump Item Roles configured for a user on the Users & Security > Users page or the Users & Security > Group Policies

page.

Note: A new Jump Item Role called Auditor is automatically created on new site installations. On existing installations it has

to be created. This role only has a single View Reports permission enabled, giving admins the option to grant a user just the

permission to run Jump Item reports, without the need to grant any other permission.

Add New Jump Item Role, Edit, Delete

Create a new role, modify an existing role, or remove an existing role.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Add or Edit a Jump Item Role

Name

Create a unique name to help identify this role. This name helps when linking a Jump Item Role with a user or group of users in a Jump

Group.

Description

Add a brief description to summarize the purpose of this role.

Permissions

Jump Group or Personal Jump Items

Create and deploy new Jump Items

Enables the user to create Jump Items and install them on remote systems.

Move and Copy Jump Items

Enables the user to move or copy Jump Items from one Jump Group into another. This permission must be enabled on both Jump Groups.

Copied Jump Items can be edited.

For more information on how to copy Jump Items, please see Jump Interface: Use Jump Items to Access Remote Systems at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/jump-interface.htm.

Remove existing Jump Items

Enables the user to delete Jump Items.

View Reports

Enables the user to view reports. This applies to the Jump Group to which the user is added with this role.

Jump Item

Start Sessions

Enables the user to Jump to remote systems.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Edit Tag

Enables the user to edit a Jump Item's tag field.

Edit Comments

Enables the user to edit a Jump Item's comments field.

Edit Jump Policy

Enables the user to set which if any Jump Policy is applied to a Jump Item.

Edit Session Policy

Enables the user to set which if any session policy a Jump Item should use. Changing the session policy may affect the permissions

allowed in the session.

Edit Connectivity and Authentication

Enables the user to modify a Jump Item's connection and authentication information. This includes such fields as hostname, Jumpoint,

port, and username, among others.

Edit Behavior and Experience

Enables the user to modify the behavior of Jump Items. This includes such fields as connection type, display size, and terminal type,

among others.

For more information, please see Use Jump Item Roles to Configure Permission Sets for Jump Items at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jumpoint/jump-item-roles.htm.

Jumpoint: Set Up Unattended Access to a Network

Jump JUMPOINT

Jumpoint Management

BeyondTrust's Jump Technology enables a user to access computers on a remote network without having to pre-install software on every

machine. Simply install a single Jumpoint agent at any network location to gain unattended access to every PC within that network.

Add New Jumpoint, Edit, Delete

Create a new Jumpoint, modify an existing Jumpoint, or remove an existing Jumpoint.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Redeploy

Uninstall an existing Jumpoint and download an installer to replace the existing Jumpoint with a new one. Jump shortcuts associated with

the existing Jumpoint will use the new Jumpoint once it is installed.

Note: When an existing Jumpoint is replaced, its configuration is not saved. The new Jumpoint must be reconfigured.

Add or Edit Jumpoint

Name

Create a unique name to help identify this Jumpoint. This name should help users locate this Jumpoint when they need to start a session

with a computer on the same network.

Code Name

Set a code name for integration purposes. If you do not set a code name, PRA creates one automatically.

External Jump Item Network ID

On the Security page Access Console settings, when Jumpoint for External Jump Item Sessions is set to Automatically Selected

by External Jump Item Network ID, this value is matched against the Network ID property for external Jump Items returned by the

Endpoint Credential Manager to determine which Jumpoint handles a session.

Note: Network ID is equivalent to the Workgroup attribute on managed systems in Password Safe.

Comments

Add a brief description to summarize the purpose of this Jumpoint. This is helpful when managing Jumpoints.

Disabled

If checked, this Jumpoint is unavailable to make Jump connections.

Clustered

If checked, you will be able to add multiple, redundant nodes of the same Jumpoint on different host systems. This ensures that as long as

at least one node remains online, the Jumpoint will be available.

Enable Shell Jump Method

If you want users to be able to connect to SSH-enabled and Telnet-enabled network devices through this Jumpoint, check the Enable

Shell Jump Method option. Command filtering can be configured to prevent accidental use of commands that can be harmful to endpoint

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

systems.

For more information on command filtering, please see Use Shell Jump to Access a Remote Network Device at

www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/shell-jump.htm.

Enable Protocol Tunnel Jump Method

If the Enable Protocol Tunnel Jump Method option is checked, users may make connections from their systems to remote endpoints

through these types of Jumpoint.

When Enable Protocol Tunnel Jump Method is checked, there is an option to enter Managed IP Addresses for Protocol Tunnel

Jump. You can enter multiple IP address ranges. This allows using the Network Tunnel feature on networks without DHCP.

For more information, see Protocol Tunnel Jump Shortcuts and Network Tunnel Jump Shortcuts.

RDP Service Account

Select the vault account to be used by the Jumpoint to run a user-initiated client on the RDP server. This allows you to collect additional

event information from an RDP session started with this Jumpoint. This account in used only if the Remote RDP Jump Item is configured

to enable the Session Forensics functionality.

Note: The RDP Service Account setting must not use a local admin account, and must use a domain admin account with

privileges on the endpoint including access to remotely connect to the endpoint's C$ share, remotely create and start services

on the endpoint machine, and access remote file systems.

For more information, see Use RDP to Access a Remote Windows Endpoint in the Privileged Remote Access Jumpoint Guide.

Group Policies

This displays a listing of the group policies which allow users access to this Jumpoint.

Allowed Users

New Member Name

Search for users to add to this Jumpoint. Users must be added to the Jumpoint in order to create Jump Items using that Jumpoint or to

initiate ad hoc sessions through that Jumpoint. Users are not required to be added to the Jumpoint to start a session with a pre-existing

Jump Item using that Jumpoint, so long as they have access granted through Jump Group membership.

In the table below, view existing Jumpoint users. You can filter the view by entering a string in the Filter by Name text box. You can also

delete the user from the Jumpoint.

To add a group of users to a Jumpoint, go to Users & Security > Group Policies and assign that group to one or more Jumpoints.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Note: You may see some users whose Delete options are disabled. This occurs when a user is added via group policy.

You can click the group policy link to modify the policy as a whole. Any changes made to the group policy apply to all members

of that group policy.

You also can add the individual to the Jumpoint, overriding their settings as defined elsewhere.

For more information about Jumpoint configuration, please see Configure and Install a PRA Jumpoint at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jumpoint/installation-windows.htm.

Jump items: mass import Jump shortcuts and manage Jump item settings

Jump JUMP ITEMS

Jump shortcuts mass import wizard

Through a Jumpoint, Jump shortcuts can be created to:

Start a standard access session.

Start a Remote Desktop Protocol session with Windows or Linux systems.

Jump to a web site on a remote browser.

Shell Jump to an SSH-enabled or Telnet-enabled network device.

Connect to a VNC server.

Make a TCP connection through a Protocol Tunnel Jump.

Note: Linux Jumpoints can only be used for RDP, SSH/Telnet, Protocol Tunneling, Web Jump, and VNC sessions, allowing

for credential injection from user or Vault, as well as RemoteApp functionality and Shell Jump filtering. Clustered Jumpoints

can only add new nodes of the same OS. You cannot mix Windows and Linux nodes.

When creating a large number of Jump shortcuts, it may be easier to import them via a spreadsheet than to add them one by one in the

access console.

For more information, please see Use a Jump Shortcut to Jump to a Remote System at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jumpoint/jump-shortcuts.htm.

Download template

From the dropdown in the Jump Shortcuts Mass Import Wizard section of the /login interface, select the type of Jump Item you wish to

add, and then click Download Template. Using the text in the CSV template as column headers, add the information for each Jump

shortcut you wish to import. If any required fields are missing, import fails. Optional fields can be filled in or left blank.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Import Jump shortcuts

Once you have completed filling out the template, use Import Jump Shortcuts to upload the CSV file containing the Jump Item

information. The maximum file size allowed to be uploaded at one time is 5 MB. Only one type of Jump Item can be included in each CSV

file.The CSV file should use the format described in the tables below.

Local Jump shortcut

Field Description

Hostname

The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128

characters.

Name

The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session

tabs. This string has a maximum of 128 characters.

Jump Group

The code name of the Jump Group with which this Jump Item should be associated.

Note: When using the import method, a Jump Item cannot be associated with a personal list of

Jump Items.

Tag (optional)

You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024

characters.

Comments (optional) You can add comments to your Jump Items. This string has a maximum of 1024 characters.

Jump Policy (optional) The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.

Session Policy (optional)

The code name of a session policy. You can specify a session policy to manage the permissions available

on this Jump Item.

Endpoint Agreement

Policy (optional)

The value accept automatically accepts the endpoint agreement if it times out and allows the session the

start. The value reject automatically rejects the endpoint agreement and stops the session from starting.

The value no_prompt does not show an endpoint agreement even if the feature is configured. This field

has no effect if the global endpoint agreement is not enabled.

For more information about the global setting, please see Jump Items: Mass Import Jump Shortcuts and Manage Jump Item

Settings at https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/admin/jump-items.htm.

Remote Jump shortcut

Field Description

Hostname

The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128

characters.

Jumpoint The code name of the Jumpoint through which the endpoint is accessed.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Field Description

Name

The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session

tabs. This string has a maximum of 128 characters.

Jump Group

The code name of the Jump Group with which this Jump Item should be associated.

Note: When using the import method, a Jump Item cannot be associated with a personal list of

Jump Items.

Tag (optional)

You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024

characters.

Comments (optional) You can add comments to your Jump Items. This string has a maximum of 1024 characters.

Jump Policy (optional) The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.

Session Policy (optional)

The code name of a session policy. You can specify a session policy to manage the permissions available

on this Jump Item.

Endpoint Agreement

Policy (optional)

The value accept automatically accepts the endpoint agreement if it times out and allows the session the

start. The value reject automatically rejects the endpoint agreement and stops the session from starting.

The value no_prompt does not show an endpoint agreement even if the feature is configured. This field

has no effect if the global endpoint agreement is not enabled.

For more information about the global setting, please see Jump Items: Mass Import Jump Shortcuts and Manage Jump Item

Settings at https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/admin/jump-items.htm.

Remote VNC Jump shortcut

Field Description

Hostname

The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128

characters.

Jumpoint The code name of the Jumpoint through which the endpoint is accessed.

Port (optional) A valid port number from 100 to 65535. Defaults to 5900.

Name

The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session

tabs. This string has a maximum of 128 characters.

Jump Group

The code name of the Jump Group with which this Jump Item should be associated.

Note: When using the import method, a Jump Item cannot be associated with a personal list of

Jump Items.

Tag (optional)

You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024

characters.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Field Description

Comments (optional) You can add comments to your Jump Items. This string has a maximum of 1024 characters.

Jump Policy (optional) The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.

Session Policy (optional)

The code name of a session policy. You can specify a session policy to manage the permissions available

on this Jump Item.

Remote RDP Jump shortcut

Field Description

Hostname

The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128

characters.

Jumpoint The code name of the Jumpoint through which the endpoint is accessed.

Username (optional) The username to sign in as.

Domain (optional) The domain the endpoint is on.

Quality (optional)

The quality at which to view the remote system. Can be low (2-bit gray scale for the lowest bandwidth

consumption), best_perf (default - 8-bit color for fast performance), perf_and_qual (16-bit for medium

quality image and performance), best_qual (32-bit for the highest image resolution), or video_opt (VP9

codec for more fluid video). This cannot be changed during the remote desktop protocol (RDP) session.

Console Session

1: Starts a console session.

0: Starts a new session (default).

Ignore Untrusted

Certificate (optional)

1: Ignores certificate warnings.

0: Shows a warning if the server's certificate cannot be verified.

SecureApp Type

The SecureApp launch method. Can be "none", "remote_app" (to use RDP's built-in RemoteApp

functionality), "remote_desktop_agent" (to use BeyondTrust's Remote Desktop Agent), or "remote_

desktop_agent_credentials" (to use BeyondTrust's Remote Desktop Agent with Credential Injection). If

"remote_desktop_agent" or "remote_desktop_agent_credentials" are chosen then the BeyondTrust

Remote Desktop Agent must be installed on the remote system.>

RemoteApp Name The RemoteApp program name. This string has a maximum of 520 characters.

RemoteApp Parameters

A space-separated list of parameters to pass to the RemoteApp. Parameters with spaces can be quoted

using double-quotes. This string has a maximum of 16000 characters.

Remote Executable

Parameters

A space-separated list of parameters to pass to the remote executable that will be launched using the

BeyondTrust Remote Desktop Agent. Parameters with spaces can be quoted using double-quotes. This

can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent.

Remote Executable

Parameters

A space-separated list of parameters to pass to the remote executable that will be launched using the

BeyondTrust Remote Desktop Agent. Parameters with spaces can be quoted using double-quotes. This

can only be used if the SecureApp Type uses the BeyondTrust Remote Desktop Agent.

Target System

The name of the target system being accessed by the remote application. This value is used to limit the list

of injected credentials to only those that are valid on the target system. This value can only be used if the

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Field Description

SecureApp Type uses the BeyondTrust Remote Desktop Agent with Credential injection.

Credential Type

The type of credentials that will be injected into the remote executable. This value will depend on the

password vault from which credentials are retrieved. This value can only be used if the SecureApp Type

uses the BeyondTrust Remote Desktop Agent with Credential injection.

Name

The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session

tabs. This string has a maximum of 128 characters.

Jump Group

The code name of the Jump Group with which this Jump Item should be associated.

Note: When using the import method, a Jump Item cannot be associated with a personal list of

Jump Items.

Tag (optional)

You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024

characters.

Comments (optional) You can add comments to your Jump Items. This string has a maximum of 1024 characters.

Jump Policy (optional) The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.

Session Policy (optional)

The code name of a session policy. You can specify a session policy to manage the permissions available

on this Jump Item.

Shell Jump shortcut

Field Description

Hostname

The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128

characters.

Jumpoint The code name of the Jumpoint through which the endpoint is accessed.

Username (optional) The username to sign in as.

Protocol Can be either ssh or telnet.

Port (optional) A valid port number from 1 to 65535. Defaults to 22 if the protocol is ssh or 23 if the protocol is telnet.

Terminal Type (optional) Can be either xterm (default) or VT100.

Keep-Alive (optional)

The number of seconds between each packet sent to keep an idle session from ending. Can be any number

from 0 to 300. 0 disables keep-alive (default).

Name

The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session

tabs. This string has a maximum of 128 characters.

Jump Group

The code name of the Jump Group with which this Jump Item should be associated.

Note: When using the import method, a Jump Item cannot be associated with a personal list of

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Field Description

Jump Items.

Tag (optional)

You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024

characters.

Comments (optional) You can add comments to your Jump Items. This string has a maximum of 1024 characters.

Jump Policy (optional) The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.

Session Policy (optional)

The code name of a session policy. You can specify a session policy to manage the permissions available

on this Jump Item.

Protocol Tunnel Jump shortcut

Field Description

Tunnel Type The type of tunnel: TCP, SQL Server, Kuberbnetes Cluster, or Network (if enabled).

Hostname

The hostname of the endpoint to be accessed by this Jump Item. This string has a maximum of 128

characters.

Jumpoint The code name of the Jumpoint through which the endpoint is accessed.

TCP Tunnels (for TCP

Tunnel)

The list of one or more tunnel definitions. A tunnel definition is a mapping of a TCP port on the local user's

system to a TCP port on the remote endpoint. Any connection made to the local port causes a connection to

be made to the remote port, allowing data to be tunnelled between local and remote systems. Multiple

mappings should be separated by a semicolon.

Example: auto->22;3306->3306

In the example above, a randomly assigned local port maps to remote port 22, and local port 3306 maps to

remote port 3306.

Username and

Database (for SQL

Server Tunnel)

The username and database. Authentication is supported using Windows authentication and SQL login.

URL and CA Certificates

(for Kubenetes Cluster

Tunnel)

The base URL for the Kubernetes cluster. The maximum length is 256 characters.

For the certificates, a PEM-formatted certificate or chain of certificates used to validate the cluster URL. The

maximum length is 12,288 characters.

Filter Rules (for Network

Tunnel)

The IP address can be a list of addresses separated by commas, or a range of addresses separate

by a dash. You cannot enter a list and a range. CIDR notation can be used. Only IPv4 is supported.

Protocol is optional.

Tip: For information on protocols, see IANA Protocol Numbers.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Field Description

Port is optional, and may not be applicable, depending on the protocol. The port can be a list of

ports, or a range, but not both.

Local Address (optional)

The address from which the connection should be made. This can be any address within the 127.x.x.x

subrange. The default address is 127.0.0.1.

Name

The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session

tabs. This string has a maximum of 128 characters.

Jump Group

The code name of the Jump Group with which this Jump Item should be associated.

Note: When using the import method, a Jump Item cannot be associated with a personal list of

Jump Items.

Tag (optional)

You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024

characters.

Comments (optional) You can add comments to your Jump Items. This string has a maximum of 1024 characters.

Jump Policy (optional) The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.

Session Policy (optional)

The code name of a session policy. You can specify a session policy to manage the permissions available

on this Jump Item.

Web Jump shortcut

Field Description

Name

The name of the endpoint to be accessed by this Jump Item. This name identifies the item in the session

tabs. This string has a maximum of 128 characters.

Jumpoint The code name of the Jumpoint through which the endpoint is accessed.

Jump Group

The code name of the Jump Group with which this Jump Item should be associated.

Note: When using the import method, a Jump Item cannot be associated with a personal list of

Jump Items.

Tag (optional)

You can organize your Jump Items into categories by adding a tag. This string has a maximum of 1024

characters.

Comments (optional) You can add comments to your Jump Items. This string has a maximum of 1024 characters.

Jump Policy (optional) The code name of a Jump Policy. You can specify a Jump Policy to manage access to this Jump Item.

Session Policy (optional)

The code name of a session policy. You can specify a session policy to manage the permissions available

on this Jump Item.

URL The URL of the web site. The URL must begin with either http or https.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Field Description

Verify Certificate

(optional)

1: The site certificate is validated before the session starts; if issues are found, the session will not start.

0: The site certificate is not validated.

Username Format

passthru: Pass the username through directly from the credential provider. username_only: If the username

is in UPN (Username@Domain) or DLLN (DOMAIN\Username) format then the domain is removed. Only

the username is injected.

Username Field Hint

A CSS style query selector that identifies the username field to help with the initial credential injection. If this

value is provided and a matching element is not found, then the credential injection will fail.

Password Field Hint

A CSS style query selector that identifies the password field to help with the initial credential injection. If this

value is provided and a matching element is not found, then the credential injection will fail.

Submit Button Hint

A CSS style query selector that identifies the submit button to help with the initial credential injection. If this

value is provided and a matching element is not found, then the credential injection will fail.

Auth Timeout

The length of time the web jump client should wait for authentication to succeed before timing out. Valid

values are 1, 2, 3, 5, 10, 15, 30

For more information, please see Use a Jump Shortcut to Jump to a Remote System at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jumpoint/jump-shortcuts.htm.

Endpoint user agreement

Enable Endpoint User Consent Configuration for Applicable Jump Items

Enable a dropdown in the access console which allows endpoint user agreement options to be configured for individual Jump Items.

Title

Customize the title of the agreement.The end-user sees this in the title bar of the prompt.You can localize this text for any languages you

have enabled. To revert to the default text, delete the text from the field and then save the blank field.

Text

Provide the text for the agreement. You can localize this text for any languages you have enabled. To revert to the default text, delete the

text from the field and then save the blank field.

Acceptance Timeout

If the user does not accept the agreement within the set Acceptance Timeout, the agreement is either accepted or rejected as

determined by the Jump Item properties.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Automatic Behavior

Choose Auto Accept or Auto Reject. The Auto Accept option automatically accepts the endpoint agreement if it times out and allows

the session to start. The Auto Reject option automatically rejects the endpoint agreement and stops the session from starting.

Jump Item settings

Simultaneous Jumps

For Jump Client, Local Jump, Remote Jump, Remote VNC, and Shell Jump

Set this option to Join Existing Session to provide a way for multiple users to gain access to the same Jump Item without an invitation to

join an active session by another user. The first user to access the Jump Item maintains ownership of the session. Users in a shared Jump

session see each other and can chat.

If Join Existing Session is selected, there is an option to apply the setting to copies of Jump Clients.

If checked, a user can join a session that was started from another copy of a Jump Client in a different Group. Session permissions

are based on the original Jump Client that started the session.

If not checked, a user cannot join a session that was started from another copy of a Jump Client, unless it is the same Jump Group.

Set this option to Disallow Jump to ensure only one user can Jump to a Jump Item at a time. Only an invitation by the user who originated

the session can allow for a second user to access the session.

This setting applies to the following Jump Item types: Jump Client, Local Jump, Remote Jump, Remote VNC, and Shell Jump.

For Remote RDP

Set this option to Start New Session to provide a way for multiple users to gain access to the same Jump Item without an invitation to join

an active session by another user. For Remote RDP, multiple users may gain access to a Jump Item, but each starts an independent

session.

Set this option to Disallow Jump to ensure only one user at a time can Jump to a Jump Item. Only an invitation by the user who originated

the session can allow for a second user to access the session.

This setting applies to Remote RDP Jump Item types only.

External tools

Allow Users to Open Remote RDP Jump Shortcuts with an External Tool

When enabled, you can use your own RDP tool for Remote RDP Jump shortcuts.

Allow Users to Open Shell Jump Shortcut with an External Tool

When enabled, you can use your own tool to open Shell Jump shortcuts.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

These features must be enabled, per user, in the access console. For more information, please see Change Settings and

Preferences in the Access Console at https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-

console/settings.htm.

Shell Jump filtering

Recognized Shell Prompts

Enter regular expressions, one per line, that will match against the command shell prompts found on your endpoint systems. A regular

expression should only attempt to match the final line of a multi-line prompt.

Shell Prompt Matching Validation

Enter an existing endpoint's shell prompt, and the output will indicate whether it matches any regular expression in the list. This

functionality will let you test your regular expressions without starting a session.

Endpoint automation: run scripts on multiple endpoints without sessions

Jump ENDPOINT AUTOMATION

With endpoint automation, you can remotely execute scripts across any number of endpoints at the same time, without starting any

sessions.

Note: The endpoint automation feature is only available to service mode Jump Clients with an active connection on Mac,

Windows, or Desktop Linux.

Jobs tab

The jobs tab lets your create a job, and shows a list of previously created jobs. The list can be searched and refreshed, and the list can be

modified by selecting visible columns, using the icon at the right edge above the top row.

For more information about a job, click the vertical ellipsis at the right end of the row for that job, then click Details. This view also shows

the results of a job. For more details about the results, click the eye icon at the right end of the results row. The results includes any exit

codes or error messages, and the last lines of the output log file, which may be useful for diagnosing errors. There is a link to the full output

log file. These files are stored for no more than 90 days.

The vertical ellipsis at the right end of the row for a job also has options to duplicate or rerun the job, and cancel the job if is it pending.

Create a job

You can create job with a script, or you can create a script template first and then use it to create jobs.

1. Click Create job.

2. Enter a name for the job.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

3. Select the starting date and time. To run a job immediately, select the current date and time.

4. Enter any notes if you would like to record more information about this job.

5. Select an existing script template, or complete the following:

Select the operating system. Scripts are usually specific to operating systems.

Complete the run script command.

Enter the script.

6. Now select your endpoint or endpoints, using the search and filter options. For more information about each option, click the i icon

beside it.

7. From the list of search results, you can select specific Jump Clients to add to the job, or select all search results. You can modify

the search criteria to find and add additional Jump Clients. You can also select and clear Jump Clients from the job.

8. The list of Jump Clients selected for the job appears at the bottom of the screen.

9. Once the list of Jump Clients for the job is complete, click Run job.

10. You can immediately view the job in the list of jobs.

Script Templates tab

The script templates tab lets you create a script, and shows a list of previously created script templates. The list can be searched and the

list can be modified by selecting visible columns, using the icon at the right edge above the top row. Scripts can also be edited or deleted.

Scripts are selected for jobs when creating a job.

Create Script Template

1. Click Create Script Template

2. Enter a name and description for the script.

3. Select the operating system. Scripts are usually specific to operating systems.

4. Complete the run script command.

5. Enter the script.

6. Save the script template.

7. You can immediately view the script template in the list of templates, and select it when creating a job.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Manage vault accounts

Vault ACCOUNTS

View and manage information about all discovered and manually added accounts.

Note: Vault can import, rotate, and manage up to 60,000 accounts.

Available information for shared accounts includes:

Type: The type of account, specifically, whether it is a domain or a local account, or a generic password account.

Name: The name of the account.

Username: The username associated with the account.

Group: The name of the account group to which the account belongs.

Endpoint: The endpoint with which the account is associated.

Account Policy: The account policy the Vault account is using.

Description: Short description about the account.

Last Checkout: The last time the account was checked out.

Password Age: The age of the password.

Status: This column displays when at least one of the accounts has a warning, error, or checked-out status to indicate. Accounts

managed by Entra ID are identified in the Status column, as well as an alert if there is no service principal for the account.

Accounts used to run a Windows service are indicated as Service Account in the Status column. Multiple statuses for an account

are stacked and displayed in different colors. You can mouse-over a specific status to view more details about it.

Note: The Status column is auto-hidden when none of the accounts have a status currently set.

Tip: You can filter the list of shared accounts displayed using the filters for Group and Password Age. Click the Select

visible columns button above the grid to customize the columns displayed in the grid.

Based on this information, you can perform various actions, including credential check out, check in, and credential rotation.

Available information for personal accounts includes:

Type: The type of account, specifically, whether it is a domain or a local account, or a generic password account.

Name: The name of the account.

Owner: The name of the person who created and owns the account.

Description: Short description about the account.

Password Age: The age of the password.

Tip: You can filter the list of personal accounts displayed by Owner and Password Age.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Add account

See Add and edit Vault accounts.

Rotate

Select one or more discovered (non-generic) accounts, click Rotate, and then click Start Rotation.

Note:

Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected.

Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and

Rotation Failed is indicated in the Status column for the service.

Services using a Microsoft Graph account as the Run As account cannot be rotated.

Services that have dependent services cannot be rotated, due to the risk of services within the service chain not

restarting successfully.

For more information, please see Rotate Privileged Credentials Using BeyondTrust Vault at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/vault/rotation.htm.

Search shared accounts

Search for a specific shared account or a group of accounts based on Name, Endpoint Name, and Description.

Check out and check in a shared account

Click Check Out to view and use a shared credential. When selected, the Account Password prompt appears, displaying the credential

for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished

using the account, click Check In to check the password back into the system.

For more information, please see Check Out Credentials from the PRA /login Interface at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/vault/check-out.htm.

Ellipsis menu for shared accounts

Click the ellipsis (...) to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system

automatically rotates or changes the password. When Edit is selected, you can modify the account's information. See Add and edit Vault

accounts for details on editing accounts. The Delete option removes the account from the Accounts list.

Note:

Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected.

Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Rotation Failed is indicated in the Status column for the service.

Services using a Microsoft Graph account as the Run As account cannot be rotated.

Services that have dependent services cannot be rotated, due to the risk of services within the service chain not

restarting successfully.

For more information, please see Rotate Privileged Credentials Using BeyondTrust Vault at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/vault/rotation.htm.

Search personal accounts

Search for a specific personal account or a group of accounts based on Name and Description.

View password for personal account

Click View Password to view and use a personal credential. When selected, the Account Password prompt appears, displaying the

credential for 60 seconds to allow you to copy the password.

Edit personal account

Click Edit Account to modify the account's information, specifically Name, Description, Username, and Password.

Account Groups: Add and Manage Account Groups

Vault ACCOUNT GROUPS

Shared Vault accounts can be added to an account group to allow Vault admins to grant users access to multiple shared Vault accounts

more efficiently. Account groups can also be used to associate a group of shared Vault accounts to a group policy.

Note: A shared Vault account can belong to only one group at a time and personal Vault accounts cannot be added to an

account group.

Account Groups

Add, view, and manage account groups.

Add Account Group

Click Add to add an account group, add Vault accounts to the group, and grant users access to the group of shared Vault accounts.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Search Account Groups

Search for a specific account groups based on Name or Description.

Add Account Group

The Add Account Group option allows you to add account groups for the purpose of granting users access to multiple Vault accounts at

once.

Name

Enter a name for the account group.

Description

Enter a brief and memorable description of the account group.

Account Policy

Select a specific policy for the account group or leave Account Policy set to the default value of Inherit Policy Settings, in which case

the accounts in this account group inherit the policy settings set for the global default account policy on the Vault > Options page.

Group Policies

If the account group was added to any group policies, they are listed here, along with their Vault account roles.

Accounts

Source Account Group

Filter the list of accounts available to add to the group by selecting a group from the Source Account Group list.

Search Selected Account Group

Filter the list of accounts available to add to the group by searching for an account group. You can search by Name, Endpoint, and

Description.

Accounts in Group "Default Group"

List of Vault accounts available to add to the account group.

Add

Select accounts from the list of available groups, and then click Add to add them to the Accounts in This Group list.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Remove

Select accounts from the list of Accounts in This Group, and then click Remove to remove them from the account group.

Search This Account Group

Filter the list of Accounts in This Group by searching for an account group by Name, Endpoint, and Description.

Accounts in This Group

List of Vault accounts that exist in this account group.

Allowed Users

New User Name

Select users who are allowed to access this account.

New Member Role

Select the Vault account role for the new user, and then click Add. Users can be assigned one of two roles:

Inject: (default value) Users with this role can use this account in Privileged Remote Access sessions.

Inject and Checkout: Users with this role can use this account in Privileged Remote Access sessions and can check out the

account on /login. The Checkout permission has no affect on generic SSH accounts.

Note: The Vault Account Role is visible in the list of users added to the Vault account.

Jump Item Associations

Select the type of Jump Item Associations for the account group. The Jump Item Associations setting determines which Jump Items

the accounts in this account group are associated with, so that only the accounts relevant to the target machine are available in the access

console during credential injection attempts. Select one of the following associations methods:

Any Jump Items: Accounts in this group can be injected into any Jump Item session in which the accounts are applicable.

No Jump Items: Accounts in this group cannot be injected into any Jump Item session.

Jump Items Matching Criteria: Accounts in this group can be injected only into Jump Item sessions that match the criteria you

define, in which the accounts are applicable.

You can define a direct association between applicable accounts in this account group and specific Jump Items by

selecting the Jump Items from the list, and then clicking Add Jump Item.

You can further define the association between applicable accounts in this account group and Jump Items by specifying

matching criteria based on the following Jump Item attributes. If configured, accounts in this account group are available

for injection for any Jump Items that match the specified attribute criteria in addition to any specific Jump Items you added

as matching criteria.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Shared Jump Groups: Select a Jump Group from the list.

Name: This filter is matched against the value that appears in the Name column of the Jump Item in the access

console.

Hostname / IP: This filter is matched against the value that appears in the Hostname / IP column of the Jump Item

in the access console.

Tag: This filter is matched against the value that appears in the Tag column of the Jump Item in the access

console.

Comments: This filter is matched against the value that appears in the Comments column of the Jump Item in the

access console.

Tip: Click the i icon for each option and attribute to view more specific information about it.

Note: Local accounts are available for injection within the endpoints on which they were discovered.

Account Policies: Add and Manage Account Policies

Vault ACCOUNT POLICIES

Vault account policies provide a method to define account settings related to password rotation and credential checkout and apply those

settings to multiple accounts at once.

Multiple account policies that apply to a single Vault account are applied in the following order, from top to bottom:

The account policy associated with the Vault account

The account policy associated with the Vault's account group

The global default account policy settings

If multiple account policies define a setting, then the value from the first applied policy is used.

Account Policies

Add, view, and manage account policies.

Add Account Policy

Click Add to add an account policy.

Copy Account Policy

Click Copy to copy an existing account policy.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Edit Account Policy

Click Edit to modify an existing account policy.

Add Account Policy

Add a new account policy.

Display Name

Enter a name for the account policy.

Code Name

Set a code name for integration purposes. If you do not set a code name, Privileged Remote Access creates one automatically.

Description

Enter a brief and memorable description of the account policy.

Permissions

Automatic Password Management

Scheduled Password Rotation Rules

Select Allow to schedule passwords for Vault accounts to automatically rotate when the password reaches a specified maximum

age.

Select Deny to disable scheduled password rotation for Vault accounts.

Maximum Password Age

If scheduled password rotation is enabled, specify the maximum number of days a password can be in place for Vault accounts before it is

automatically rotated.

Account Settings

Automatically Rotate Credentials after Check In Rules

Select Allow to automatically rotate passwords after a credential is checked in.

Select Deny to disable the automatic rotation of passwords after a credential is checked in.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Allow Simultaneous Checkout Rules

Select Allow to enable the ability for Vault credentials to be checked out simultaneously.

Select Deny to disable the ability for Vault credentials to be checked out simultaneously.

Note: If a setting in an account policy is not defined, it inherits the settings from the global default account policy, configured

from the Vault > Options page in /login.

Endpoints: View and Manage Discovered Systems

Vault ENDPOINTS

Endpoints

View information about all discovered endpoints, such as the name, hostname, operating system, domain, and distinguished name of the

system, as well as information about the accounts and Jump Items associated with those systems.

Search Endpoints

Search for a specific endpoint or a group of endpoints based on Name, Hostname, Description, or Domain Name.

Select Visible Columns

Click the Select Visible Columns button (columns icon) above the Endpoints grid and select the columns to display in the grid.

Accounts

View the number of accounts associated with each endpoint. Click the Accounts link to view the accounts associated with the system.

Jump Items

View the number of Jump Items associated with each endpoint. Click the Jump Items link to view the Jump Items associated with the

system.

You can add new or existing RDP Jump shortcuts. While viewing Jump Items, click Add and select Add Remote RDP Jump Shortcut

or Associate Existing RDP Jump Shortcuts.

Services

View the number of Windows services associated with each endpoint. Click the Services link to view the services associated with the

system.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Edit

Modify the endpoint's information, specifically Name, Description, and Hostname.

Note: If Windows services were discovered and imported into the Vault, any service used by the endpoint is listed and the

user account that runs the service is indicated.

Delete

Delete the endpoint from the Endpoints list.

Services: View and Manage Discovered Services

Vault SERVICES

Services

View the list of services found during discovery along with their associated endpoints and accounts, as well as the last status for each

service. You also have the option to restart the service upon rotation of the service account.

Search Account Groups

Search for specific services or a group of services based on Short Name, Description, Endpoint (Hostname) or Username.

Restart

Check the Restart box for the service to have the service restarted when the account running the service is rotated.

Delete

Delete the service from the Services list.

Domains: Add and Manage Domains

Vault DOMAINS

Add, view, and manage information about your domains.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Domains

Add Domain

Click Add to manually add a new domain to the Domains list.

Domain Name

View the name of the domain.

Jumpoint

View the Jumpoint used to discover accounts and endpoints on the domain.

Management Account

View the management account associated with the Jumpoint and domain.

Discover

Click Discover to initiate the Jumpoint to scan and discover endpoints and accounts on the domain.

Edit

Click Edit to modify domain information.

Delete

Click Delete to delete this domain from the Domains list.

Add or Edit Domain

DNS Name

Enter the DNS Name of the domain.

Jumpoint

Choose an existing Jumpoint located in the environment where you wish to discover accounts.

Management Account

Select the management account needed to initiate a discovery job for this domain. Choose to use a new account, which requires a

Username, Password, and Password Confirmation. Or choose to use an existing account discovered from a previous job or added

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

manually in the Accounts section.

Scheduled Domain Discovery

Enable and configure domain discovery to run on a set schedule.

Enable Scheduled Discovery

Check the box to enable the Discovery Schedule options.

Discovery Schedule

Select the days of the week and the time for the discovery job to run.

Discovery Scope

Select the objects you wish Vault to discover:

Domain Accounts

Endpoints

Local Accounts

Services

You can enter a Search Path, or leave it blank to search all OUs and containers. You can also use an LDAP Query to narrow the scope of

user accounts and endpoints searched.

Discovery: Discover Accounts, Endpoints, and Services in a Domain

Vault DISCOVERY

BeyondTrust Vault is an on-appliance credential store, enabling discovery of and access to privileged credentials. You can manually add

privileged credentials, or you can use the built-in discovery tool to scan and import Active Directory and local accounts into BeyondTrust

Vault.

For more information, please see BeyondTrust Vault Technical Whitepaper at https://www.beyondtrust.com/docs/privileged-

remote-access/how-to/vault/index.htm.

Discovery: Windows Domain

With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, Windows service accounts, and

endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

Click New Discovery Job to initiate a discovery. The options are:

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Windows Domain: Discover endpoints, domain accounts, and local accounts accessible from a Jumpoint on a Windows domain.

Local Windows Accounts on Jump Clients: Discover local Windows accounts on machines where an active, service mode

Jump Client is currently online.

Note: The Local Windows Accounts on Jump Clients option only displays if you have the Jump Clients permission

located in Users & Security > Users > Access Permissions > Jump Technology. If you have any issues, contact your site

administrator.

Click Continue to start the discovery process.

If you selected Windows Domain, follow the steps in the Add Domain section. If you selected Local Windows Accounts on Jump

Clients, follow the steps in the Discovery: Jump Client Search Criteria.

For more information on Jumpoints, please see the BeyondTrust Privileged Remote Access Jumpoint Guide at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jumpoint/index.htm.

Add Domain

DNS Name of the Domain

Enter the DNS name for your environment.

Jumpoint

Choose an existing Jumpoint located in the environment where you wish to discover accounts.

Management Account

Select the management account needed to initiate the discovery job. Choose to use a new account, which requires a Username,

Password, and Password Confirmation to be entered. Or, choose to use an existing account discovered from a previous job or added

manually in the Accounts section.

Username

Enter a valid username to use for discovery (username@domain).

Password

Enter a valid a password to user for discovery.

Confirm Password

Re-enter the password to confirm.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Note: You can define which parts of a domain to run a Discovery/Import job. Once you select the required fields for a

Discovery Job, you can refine the search by specifying which OU’s to target or entering LDAP queries.

Discovery Scope

Select the objects you wish Vault to discover:

Domain Accounts

Endpoints

Local Accounts

Services

You can enter a Search Path, or leave it blank to search all OUs and containers. You can also use an LDAP Query to narrow the scope of

user accounts and endpoints searched.

Discovery: Jump Client Search Criteria

Enter one or more search criteria to find active Jump Clients you'd like to use to discover local Windows accounts. All text field searches

are partial and case-insensitive. Jump Clients that match all the search criteria will be displayed on the next page for you to select before

discovery begins.

Note: The following types of Jump Clients cannot be used for local account discovery and will not be included in the search

results:

Jump Clients that are currently offline or disabled

Jump Clients that are not running as an elevated service

Jump Clients that are installed in a domain controller

Jump Groups

Administrators can search for Jump Clients via their Jump Groups and their attributes. If the user is not a member of any Jump Group, the

Jump Groups selection section is grayed out and either a tool tip or note is shown indicating that user must be a member of at least one

Jump Group to proceed with the Jump Client discovery process. This is similar to how domain discovery works when a user is not a

member of a Jumpoint during discovery or not a member of a Jump Group when importing an endpoint.

You can search All of Your shared Jump Groups or Specific Jump Groups.

Jump Client Attributes

You can select one or more shared Jump Groups. Private Jump Groups are not supported.

One or more Jump Client attributes can be entered. If more than one search criteria is entered, only Jump Clients matching all criteria are

used for discovery.

The following attributes can be used as search criteria:

Name: The Jump Client's name as it appears in the Name column in the access console.

Hostname: The Jump Client's hostname as it appears in the Hostname/IP column of the access console.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

FQDN: The Jump Client's fully qualified domain name, as it appears under the FQDN label of the Jump Client details pane in the

access console.

Tag: The Jump Client's tag as it appears in the Tag column of the Representative Console.

Public/Private IP: The Jump Client's public and private IP addresses, as they appear under the Public IP label of the Jump Client

details pane in the access console. Jump Clients whose IP address starts with the given search value will match.

Click Continue to initiate the discovery.

Discovery: Select Jump Clients

This screen displays the Jump Clients that will be used in discovery. Select one or more and click Start Discovery.

Discovery Results

The results display a list of discovered Endpoints and Local Accounts. Select one or more and click Import Select.

Import Discovered Items

A list of the selections you made displays.

Account Group

Select from which account group you want to import, then click Start Import. A warning display indicating this process cannot be stopped

once it has started. Click Yes to proceed, or No to abort.

Importing

A message displays indicating the import was completed successfully. A list of Endpoints and Local Accounts displays.

Accounts

Search Shared/Personal Accounts

If you get an extensive list of accounts discovered, use the Search field to search accounts by Name, Endpoint, or Description (by

Name and Description only for personal accounts).

Toggle between Shared and Personal accounts. Select one or more accounts. Click ... to Rotate Password, Edit or Delete the account.

You can also click Rotate at the top of the page to rotate the password for the select accounts.

Discovery Jobs

View discovery jobs that are in progress for a specific domain, or review the results of successful and failed discovery jobs.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

View Results

Click View Results for a discovery job to view the Discovery Results, which includes discovered endpoints, local accounts, domain

accounts, and services found in the domain.

You can filter the list of items based on their attributes using the filter box above the grid. For each tab, click the i next to the filter box to see

which attributes can be searched.

Select which endpoints, accounts, and services to import and store in your BeyondTrust Vault instance. For each list item you wish to

import, check the box beside it and click Import Selected.

For more information, please see Discover Domains, Endpoints, and Privileged Accounts Using BeyondTrust Vault at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/vault/discovery.htm.

Options: Configure Global Default Account Policy Settings and Password Length

for Account Rotation

Vault OPTIONS

Global Options

Configure the settings for the global default account policy.

The global default account policy must define an option for each setting. If an account does not have a setting defined using a specific

policy, it inherits the policy from the account group. If the account group does not have a setting defined using a specific policy, it inherits

the policy from the global default account policy.

Automatic Password Management

Scheduled Password Rotation Rules

Select Allow to schedule passwords for Vault accounts to automatically rotate when the password reaches a specified maximum

age.

Select Deny to disable scheduled password rotation for Vault accounts.

Maximum Password Age

If scheduled password rotation is enabled, specify the maximum number of days a password can be in place for Vault accounts before it is

automatically rotated.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Account Settings

Automatically Rotate Credentials after Check In Rules

Select Allow to automatically rotate passwords after a credential is checked in.

Select Deny to disable the automatic rotation of passwords after a credential is checked in.

Allow Simultaneous Checkout Rules

Select Allow to enable the ability for Vault credentials to be checked out simultaneously.

Select Deny to disable the ability for Vault credentials to be checked out simultaneously.

Generated Passwords for Account Rotation

Define the length of passwords generated during account rotation for domain and local accounts. You may set a minimum length of 20

characters and a maximum length of 256 characters.

Note: Password lengths do not apply to SSH and personal accounts.

Password Length

Set the minimum and maximum number of characters allowed for the password generated during manual, automatic, and scheduled

password rotation for accounts that are rotated through Windows API (non-Entra ID accounts).

Password Length of Entra ID Accounts

Set the minimum and maximum number of characters allowed for the password generated during password rotation of Entra ID Domain

Services accounts through MS Graph API.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Access console

Access console settings: manage default access console settings

Access Console ACCESS CONSOLE SETTINGS

Manage Access Console settings

You can configure the default access console settings for your entire user base, applying a consistent access console user experience

and increasing team efficiency. You can force settings, allow settings to be overridden by the user, or leave settings unmanaged. If you

select Unmanaged, the BeyondTrust default setting will be displayed alongside for your consideration.

Each Enable or Disable setting provides an administrative checkbox option to become a forced setting. Forced settings take effect on the

user's next login and do not allow configuration in the console. A forced setting cannot be overridden unless an administrator deselects the

Forced checkbox option for that setting in the /login administrative interface.

For details on how a user may configure settings in the access console to their preference, please see Change Settings and

Preferences in the Access Console at https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-

console/settings.htm.

Choose the settings you want to be the default for your users, and click the Save button at the top of the page.

Note that saved settings take effect only upon login to the console. Even if you save and apply the changes by clicking the Apply Now

button at the bottom of the page, detailed later, the user will not use the new settings until login.

If, for instance, you wish to set up default settings for new users but leave existing users' settings unchanged, save your managed settings

but do not apply them. This will make it so all new access console logins will begin with your managed default settings. Existing users will

have forced settings applied upon next login, but all other settings will remain unchanged.

Global settings

Enable spell checking

From the Global Settings section, you can choose to enable or disable spell check for chat. Currently, spell check is available for US

English only.

Configurable session side bar

Choose if you want the session menu icon to display, if the sidebar can be detached, and if the widgets on the session sidebar can be

rearranged and resized.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Alerts - chat alerts

Audible alerts - Play a sound when a chat message is received

Choose if a sound should be played when the user receives a chat message. If unmanaged or if enabled and not forced, the user may

designate a custom sound in WAV format no larger than 1MB.

Visual alerts - Flash the application icon when a chat message is received

Choose if the application icon should flash when the user receives a chat message.

Show status messages in team chat windows

Choose if the team chat should include status messages, such as users logging in and out, or only chats sent between team members.

Pop-up Notifications

Team Chat

Choose if a user should receive a pop-up notification for chat messages received in a team chat.

Access Sessions

Choose if a user should receive a pop-up notification for chat messages received in a access session

Alerts - queue alerts

Audible alerts - Play a sound when a session enters any queue

Choose if a sound should be played when a session enters any of a user's queues.

Pop-up Notifications

Pop-up notifications appear independent of the access console and on top of other windows. If the pop-up notification is enabled and not

forced or left unmanaged, the user will be able to choose how they receive pop-up notifications.

Personal Queue - Shared Sessions

Choose if a user should receive a pop-up notification for shared sessions in this queue.

Team Chat - Shared Sessions

Choose if a user should receive a pop-up notification for shared sessions in this queue.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Pop-up Behavior - Location and Duration

Set the default location and duration for pop-up notifications.

Access Sessions

Automatically request screen sharing

Choose if you want your users' sessions to begin with screen sharing.

Automatically detach

Choose if you want to open sessions as tabs in the access console or to automatically detach sessions into new windows.

Default Quality

Set the default quality for screen sharing sessions.

Default Scaling

Set the default size for screen sharing sessions.

Automatically enter full screen mode when screen sharing starts

When screen sharing starts, the user can automatically enter full screen mode.

Automatically restrict endpoint visibility when screen sharing starts

When screen sharing starts, the remote system can automatically have its display, mouse, and keyboard input restricted, providing a

privacy screen.

Command Shell

Number of lines of available command history

You can set the number of lines to save in the command shell history. The default value is 500 lines.

Additional external tools

You can define specific external tools that your end-users can use to connect to endpoints. This allows them to work with the tools and

applications that they're most familiar with, while taking advantage of the access and security of Privileged Remote Access.

Check Managed to add and use session external tools.

Click Add to make a new external tool in the access console.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

For each new tool, complete the following information:

Enter your desired Name for the tool. This is the name of the tool that appears to the end-user in the dropdown list for the Open

Client button, when starting a session.

Select a Platform. This is the Platform that the tool runs on. The options are Linux, macOS, and Windows.

Select a Tunnel Type. The options are MSSQL, RDP, and SSH.

Enter the Command. Click the i icon for example of commands that can be used.

Enter the Arguments. Click the i icon for example of commands that can be used. Enter one argument per line. Parameters

normally inside quotation marks are considered a single argument.

Select any external tool in the list to view and edit its information.

Save

Click Save, in the upper left, to save the profile settings you have configured. A message appears confirming settings saved or updated.

Users who download the access console after you save a new profile receive the new settings as the default settings.

Apply Access Console settings

Apply Now

To push the default settings to your users, click Apply Now. The page displays a confirmation message, Settings profile was

successfully applied.

Users receive an alert dialog for confirmation when they first log in to the access console after you apply the settings. The dialog warns

them that their settings have changed and prompts them with the option to acknowledge the dialog or to open their access console

settings window and review the changes.

Custom Links: Add URL Shortcuts to the Access Console

Access Console CUSTOM LINKS

Custom Links

Create links to sites your users can access during sessions. Examples could be a link to a searchable knowledge base, giving users a

chance to look for a solution to an issue on the endpoint system, or a customer relationship management (CRM) system.

Links created here become available through the Links button on the access console.

Add Custom Link, Edit, Delete

Add a new link, modify an existing link, or remove an existing link.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Add or Edit a Custom Link

Name

Create a unique name to help identify this link.

URL

Add the URL to which this custom link should direct. Click the link below the Body field to view the macros that can used to customize the

text in your emails for your purposes.

For more information, please see Access Session Overview and Tools at https://www.beyondtrust.com/docs/privileged-

remote-access/getting-started/access-console/session-overview.htm.

Canned Scripts: Create Scripts for Screen Sharing or Command Shell Sessions

Access Console CANNED SCRIPTS

Canned Scripts

Create custom scripts to be used in screen sharing and command shell sessions. The script will be displayed in the screen sharing or

command shell interface as it is being executed. Executing a script in the screen sharing interface displays the running script on the

remote screen.

For more information, please see Access Session Overview and Tools at https://www.beyondtrust.com/docs/privileged-

remote-access/getting-started/access-console/session-overview.htm.

For more information, please see Open the Command Shell on the Remote Endpoint Using the Access Console at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/command-shell.htm.

Team Availability and Categories Filters

Filter your view by selecting a team or category from the dropdown lists.

Add New Canned Script, Edit, Delete

Create a new script, modify an existing script, or remove an existing script.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Add or Edit Canned Script

Script Name

Create a unique name to help identify this script. This name should help users locate the script they wish to run.

Description

Add a brief description to summarize the purpose of this script. This description is displayed on the prompt to confirm that the user wants

to run the selected script.

Command Sequence

Write the command sequence. Scripts must be written in command line format, similar to writing a batch file or shell script. Note that only

the last line of the script may be interactive; you cannot prompt for input in the middle of the script.

Within the script, reference an associated resource file using "%RESOURCE_FILE%", making sure to include the quotation marks.

Please note that the command sequence is case sensitive.

You can access the resource file's temporary directory using %RESOURCE_DIR%. When you run a script with an associated resource

file, that file will be temporarily uploaded to the customer's computer.

Team Availability

Select which teams should be able to use this item.

Categories

Add Category, Delete

Create a new category or remove an existing category.

Resources

Choose and Upload Resource

Add any resource files you want to access from within your scripts. You may upload up to 100 MB to your resource file directory.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

If you upload a resource file with the same name as an existing resource file, there is a prompt to confirm replacing the file.

If you click YES, the updated resource file is uploaded and used for all applicable canned scripts.

If you click NO, the file is not uploaded.

Delete

Remove an existing resource file.

Special Actions: Create Custom Special Actions

Access Console SPECIAL ACTIONS

Special Actions

Create special actions to speed your processes. Special actions can be created for Windows, Mac, and Linux systems.

Add New Special Action, Edit, Delete

Create a new special action, modify an existing special action, or remove an existing special action.

Add or Edit Special Action

Action Name

Create a unique name to help identify this action. During a session, a user can see this name on the special actions dropdown.

Command

In the Command field, enter the full path of the application you wish to run. Do not use quotation marks; they will be added as necessary.

Windows systems may make use of the macros provided. If the command cannot be located on the remote system, then this custom

special action will not appear in the user's list of special actions.

Arguments

If the provided command will accept command line arguments, you may enter those arguments next. Arguments may use quotation marks

if necessary, and arguments for Windows systems may use the provided macros.

For help with Windows arguments, search for "command line switches" on docs.microsoft.com.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Confirm

If you check the Confirm box, users will be prompted to confirm they want to run this special action before it will execute. Otherwise,

selecting the special action from the menu during a session will cause that special action to run immediately.

Special Actions Settings

Show Built-In Special Actions

If you want to enable the default special actions provided by BeyondTrust, check Show Built-In Special Actions. Otherwise, to enable

only your custom special actions, deselect this option.

Note: The Windows Security (Ctrl-Alt-Del) special action cannot be disabled.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Users and Security

Users: Add Account Permissions for a User or Admin

Users &Security USERS

User Accounts

View information about all users who have access to your B Series Appliance, including local users and those who have access through

security provider integration.

Add User, Edit, Delete

Create a new account, modify an existing account, or remove an existing account. You cannot delete your own account.

Search Users

Search for a specific user account based on username, display name, or email address.

Security Provider

Select a security provider type from the dropdown to filter the list of users by security provider.

Synchronize

Synchronize the users and groups associated with an external security provider. Synchronization occurs automatically once a day.

Clicking this button forces a manual synchronization.

Reset Failed Login Attempts and Unlock Account

If a user has one or more failed login attempts, click the Reset button for their user account to reset the number back to zero.

If a user becomes locked due to too many failed consecutive login attempts, click the Unlock Account button for their user account to

reset the number back to zero and unlock their account.

Add or Edit User

Username

Unique identifier used to log in.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Display Name

User's name as shown in team chats, in reports, etc.

Email Address

Set the email address to where email notifications are sent, such as password resets or extended availability mode alerts.

Password

Password used with the username to log in. The password may be set to whatever you choose, as long as the string complies with the

defined policy set on the /login > Management > Security page.

Email Password Reset Link to User

When checked, admins can send a password reset link to a user.

Must Reset Password at Next Login

If this option is selected, then the user must reset their password at next login.

Password Never Expires

Check this box to set the user's password to never expire.

Password Expiration Date

Set a date for the password to expire.

Memberships

Group Policy Memberships

Listing of the group policies to which the user belongs.

This section allows you to search or select from a dropdown of Available Group Policies, and Add the policy to the user. Policies

selected for the user display in a list which can be filtered.

The user can be removed from one or more group policies by selecting the policy or policies and clicking Remove. The default policy

cannot be selected.

Unsaved changes to the list are identified as Addition or Removal. Changes can be undone by selecting the policy or policies and

clicking Undo.

If the user is a member of multiple group policies, the priority of the policies can be modified by selecting one or more policies and clicking

Priority, at the upper right of the list.

Group policies selected for a user can be edited by clicking the name of the policy in the list.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Note: Other memberships do not display while a new user is being created. Once the new user has been saved, the other

memberships appear, listing any to which the user may have been added, with links for updating these memberships and for

reviewing or editing details about the memberships.

Team Memberships

Listing of the teams to which the user belongs.

Jumpoint Memberships

Listing of the Jumpoints which the user can access.

Jump Group Memberships

Listing of the Jump Groups to which the user belongs.

Vault Account Group Memberships

Listing of the Vault Account Groups to which the user belongs.

Account Settings

Two Factor Authentication

Two factor authentication (2FA) uses an authenticator app to provide a time-based, one time code to login to the administrative interface,

as well as the access console. If Required is selected , the user will be prompted to enroll and begin using 2FA at the next login. If

Optional is selected, the user will have the option to use 2FA, but itis not required. Click Remove Current Authenticator App if you

want a user to stop login in with a specific authenticator.

Account Never Expires

When checked, the account never expires. When not checked, an account expiration date must be set.

Account Expiration Date

Causes the account to expire after a set date.

Account Disabled

Allows you to disable the account so the user cannot log in. Disabling does NOT delete the account.

Comments

Add comments to help identify the purpose of this object.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Passwordless Authenticators

Listing of the passwordless authenticators registered for this user. Admins can view the name, type, registration timestamp, and last used

timestamp. Admins can remove one or more authenticators from this list.

General Permissions

Administration

Administrative Privileges

Grants the user full administrative rights.

Allowed to Administer Vault

Enables the user access to the Vault.

Password Setting

Enables the user to set passwords and unlock accounts for non-administrative local users.

Jumpoint Editing

Enables the user to create or edit Jumpoints. This option does not affect the user's ability to access remote computers via Jumpoint, which

is configured per Jumpoint or group policy.

Team Editing

Enables the user to create or edit teams.

Jump Group Editing

Enables the user to create or edit Jump Groups.

Canned Script Editing

Enables the user to create or edit canned scripts for use in screen sharing or command shell sessions.

Custom Link Editing

Enables the user to create or edit custom links.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Allowed to View Access Session Reports

Enables the user to run reports on access session activity, viewing only sessions for which they were the primary session owner, only

sessions for endpoints belonging to a Jump Group of which the user is a member, or all sessions.

Allowed to View Access Session Recordings

Enables the user to view video recordings of screen sharing sessions and command shell sessions.

Allowed to View Vault Reports

Enables the user to view his or her own vault events or all Vault events.

Allowed to View Syslog Reports

Enables the user to download a ZIP file containing all syslog files available on the appliance. Admins are automatically permissioned to

access this report. Non-admin users must request access to view this report.

Access Permissions

Access

Allowed to access endpoints

Enables the user to use the access console in order to run sessions. If endpoint access is enabled, options pertaining to endpoint access

will also be available.

Session Management

Allowed to share sessions with teams which they do not belong to

Enables the user to invite a less limited set of user to share sessions, not only their team members. Combined with the extended

availability permission, this permission expands session sharing capabilities.

For more information, please see Control the Remote Endpoint with Screen Sharing at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/screen-sharing.htm.

Allowed to invite external users

Enables the user to invite third-party users to participate in a session, one time only.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

For more information, please see Invite External Users to Join an Access Session at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/access-invite.htm.

Allowed to enable extended availability mode

Enables the user to receive email invitations from other users requesting to share a session even when they are not logged into the access

console.

For more information, please see Use Extended Availability to Stay Accessible When Not Logged In at

https://www.beyondtrust.com/docs/remote-support/getting-started/rep-console/extended-availability.htm.

Allowed to edit the external key

Enables the user to modify the external key from the session info pane of a session within the access console.

For more information, please see Access Session Overview and Tools at https://www.beyondtrust.com/docs/privileged-

remote-access/getting-started/access-console/session-overview.htm.

User to User Screen Sharing

For more information, please see Share your Screen with Another User at https://www.beyondtrust.com/docs/privileged-

remote-access/getting-started/access-console/user-screensharing.htm.

Allowed to show screen to other users

Enables the user to share their screen with another user without the receiving user having to join a session. This option is available even if

the user is not in a session.

Allowed to give control when showing screen to other users

Enables the user sharing their screen to give keyboard and mouse control to the user viewing their screen.

Jump Technology

Allowed Jump Item Methods

Enables the user to Jump to computers using Jump Clients, Local Jump on the local network, Remote Jump via a Jumpoint,

Remote VNC via a Jumpoint, Remote RDP via a Jumpoint, Web Jump via a Jumpoint, Shell Jump via a Jumpoint, and Protocol

Tunnel Jump via a Jumpoint.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Jump Item Roles

A Jump Item Role is a predefined set of permissions regarding Jump Item management and usage. For each option, click Show to open

the Jump Item Role in a new tab.

The Default role is used only when Use User's Default is set for that user in a Jump Group.

The Personal role applies only to Jump Items pinned to the user's personal list of Jump Items.

The Teams role applies to Jump Items pinned to the personal list of Jump Items of a team member of a lower role. For example, a team

manager can view team leads' and team members' personal Jump Items, and a team lead can view team members' personal Jump Items.

The System role applies to all other Jump Items in the system. For most users, this should be set to No Access. If set to any other option,

the user is added to Jump Groups to which they would not normally be assigned, and in the access console, they can see non-team

members' personal lists of Jump Items.

Note: A new Jump Item Role called Auditor is automatically created on new site installations. On existing installations it has

to be created. This role only has a single View Reports permission enabled, giving admins the option to grant a user just the

permission to run Jump Item reports, without the need to grant any other permission.

For more information, please see Use Jump Item Roles to Configure Permission Sets for Jump Items at

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/jumpoint/jump-item-roles.htm.

Session Permissions

Set the prompting and permission rules that should apply to this user's sessions. Choose an existing session policy or define custom

permissions for this user. If Not Defined, the global default policy will be used. These permissions may be overridden by a higher policy.

Description

View the description of a pre-defined session permission policy.

Screen Sharing

Screen Sharing Rules

Select the representative's and remote user's access to the remote system:

If Not Defined, this option is set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Deny disables screen sharing.

View Only allows the representative to view the screen.

View and Control allows the representative to view and take action on the system. If this is selected, endpoint restrictions can be

set to avoid interference by the remote user:

None does not set any restrictions on the remote system.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Display, Mouse, and Keyboard disables these inputs. If this is selected, a check box is available to Automatically

request a privacy screen on session start. Privacy screen is applicable only for sessions started from a Jump Client, a

Remote Jump item, or a Local Jump item. We recommend using privacy screen for unattended sessions. The remote

system must support privacy screen.

For more information, please see Control the Remote Endpoint with Screen Sharing at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/screen-sharing.htm.

Clipboard Synchronization Direction

Select how clipboard content flows between users and endpoints. The options are:

Not allowed: The user is not allowed to use the clipboard, no clipboard icons display in the access console, and cut and paste

commands do not work.

Allowed from Rep to Customer: The user can push clipboard content to the endpoint but cannot paste from the endpoint's

clipboard. Only the Send clipboard icon displays in the access console.

Allowed in Both Directions: Clipboard content can flow both ways. Both Push and Get clipboard icons display in the access

console.

For more information about the Clipboard Synchronization Mode, please see "Security: Manage Security Settings" on page

142.

Application Sharing Restrictions

Limit access to specified applications on the remote system with either Allow only the listed executables or Deny only the listed

executables. You may also choose to allow or deny desktop access.

Note: This feature applies only to Windows operating systems.

Add New Executables

If application sharing restrictions are enforced, an Add New Executables button appears. Clicking this button opens a dialog that allows

you to specify executables to deny or allow, as appropriate to your objectives.

After you have added executables, one or two tables display the file names or hashes you have selected for restriction. An editable

comment field allows administrative notes.

Enter file names or SHA-256 hashes, one per line

When restricting executables, manually enter the executable file names or hashes you wish to allow or deny. Click on Add Executable(s)

when you are finished to add the chosen files to your configuration.

You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Browse for one or more files

When restricting executables, select this option to browse your system and choose executable files to automatically derive their names or

hashes. If you select files from your local platform and system in this manner, use caution to ensure that the files are indeed executable

files. No browser level verification is performed.

Choose either Use file name or Use file hash to have the browser derive the executable file names or hashes automatically. Click Add

Executable(s) when you are finished to add the chosen files to your configuration.

You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

Note: This option is available only in modern browsers, not in legacy browsers.

Allowed Endpoint Restrictions

Set if the user can suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being

displayed.

For more information, please see Control the Remote Endpoint with Screen Sharing at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/screen-sharing.htm.

Annotations

Annotation Rules

Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined, this option is set by the next lower priority

policy. This setting may be overridden by a higher priority policy.

For more information, please see Use Annotations to Draw on the Remote Screen of the Endpoint at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/annotations.htm.

File Transfer

File Transfer Rules

Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined, this option is set by

the next lower priority policy. This setting may be overridden by a higher priority policy.

Accessible paths on the endpoint's filesystem

Allow the user to transfer files to or from any directories on the remote system or only specified directories.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Accessible paths on user's filesystem

Allow the user to transfer files to or from any directories on their local system or only specified directories.

For more information, please see File Transfer to and from the Remote System Endpoint at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/file-transfer.htm.

Command Shell

Command Shell Rules

Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined, this option is set

by the next lower priority policy. This setting may be overridden by a higher priority policy.

Note: Command shell access cannot be restricted for Shell Jump sessions.

Configure command filtering to prevent accidental use of commands that can be harmful to endpoint systems.

For more information on command filtering, please see Use Shell Jump to Access a Remote Network Device at

www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/shell-jump.htm.

For more information, please see Open the Command Shell on the Remote Endpoint Using the Access Console at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/command-shell.htm.

System Information

System Information Rules

Enables the user to see system information about the remote computer. If Not Defined, this option is set by the next lower priority policy.

This setting may be overridden by a higher priority policy.

Allowed to use system information actions

Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Kill processes; start,

stop, pause, resume, and restart services; and uninstall programs.

For more information, please see View System Information on the Remote Endpoint at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/system-info.htm.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Registry Access

Registry Access Rules

Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. View, add, delete and edit

keys, search and import/export keys.

For more information, please see Access the Remote Registry Editor on the Remote Endpoint at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/registry-editor.htm.

Canned Scripts

Canned Script Rules

Enables the user to run canned scripts that have been created for their teams. If Not Defined, this option is set by the next lower priority

policy. This setting may be overridden by a higher priority policy.

For more information, please see Open the Command Shell on the Remote Endpoint Using the Access Console at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/command-shell.htm.

Session Termination Behavior

If unable to reconnect within the time you set by Reconnect Timeout, choose what action to take. To prevent an end-user from accessing

unauthorized privileges after an elevated session, set the client to automatically log the end user out of the remote Windows computer at

session end, to lock the remote computer, or to do nothing. These rules do not apply to browser sharing sessions.

Allow users to override this setting per session

You can allow a user to override the session termination setting from the Summary tab in the console during a session.

Availability Settings

Restrict user login to the following schedule

Set a schedule to define when users can log into the access console. Set the time zone you want to use for this schedule, and then add

one or more schedule entries. For each entry, set the start day and time and the end day and time.

If, for instance, the time is set to start at 8 am and end at 5 pm, a user can log in at any time during this window but may continue to work

past the set end time. They will not, however, be allowed to log back in after 5 pm.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Force logout when the schedule does not permit login

If stricter access control is required, check this option. This forces the user to log out at the scheduled end time. In this case, the user

receives recurring notifications beginning 15 minutes prior to being disconnected. When the user is logged out, any owned sessions will

follow the session fallback rules.

User Account Report

Export detailed information about your users for auditing purposes. Gather detailed information for all users, users from a specific security

provider, or just local users. Information collected includes data displayed under the "show details" button, plus group policy and team

memberships and permissions, and passwordless authentication registration and last usage.

User Accounts for Password Reset: Allow Users to Set Passwords

Users &Security USERS

User Accounts

Administrators can delegate, via user permission, the task of resetting local users' passwords and locked user accounts to privileged

users, without also granting full administrator permissions. Local users may continue to reset their own passwords.

Note: Administrators with the Allowed to Set Passwords permission will see no difference in the user interface.

When a privileged non-administrative user navigates to the Users & Security > Users page in the administrative /login interface, they will

see a limited-view User Accounts screen containing Change Password buttons for non-administrative users. The privileged user will

not be able to edit or delete user accounts. Privileged users are not allowed to reset administrator passwords, nor the passwords of

security provider users.

Search Users

Search for a specific user account based on username, display name, or email address.

Reset Failed Login Attempts and Unlock Account

If a user has one or more failed login attempts, click the Reset button for their user account to reset the number back to zero.

If a user becomes locked due to too many failed consecutive login attempts, click the Unlock Account button for their user account to

reset the number back to zero and unlock their account.

Change Password

Change the password for a non-administrative user.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Change Password

Username

Unique identifier used to log in.This field is not editable.

Display Names

User's name as shown in team chats, in reports, etc.This field is not editable.

Email Address

The email address to which email notifications are sent, such as password resets or extended availability mode alerts. This field is not

editable.

Comments

Comments about the account. This field is not editable.

Password

The new password to assign to this user account. The password may be set to whatever you choose, as long as the string complies with

the defined policy set on the /login > Management > Security page.

Email Password Reset Link to User

Send an email to the user containing a link to reset the password for their account. This feature requires a valid SMTP configuration for

your B Series Appliance, set up on the /login > Management > Email Configuration page.

Must Reset Password at Next Login

If this option is selected, then the user must reset their password at next login.

Access Invite: Create Profiles to Invite External Users to Sessions

Users &Security ACCESS INVITE

Access Invitation Email

With access invite, a privileged user can invite an external user to join a session one time only. When the user makes the invitation, they

will select a security profile to determine what level of privileges the external user should be granted. Access invite security profiles are

configured as session policies on the Users & Security > Session Policies page and must be enabled for access invite use.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

The invitation email is sent to external users when you invite them to join a session.

Subject

Customize the subject of this email. Click the link below the Body field to view the macros that can used to customize the text in your

emails for your purposes.

Body

Customize the body of this email. Click the link below the Body field to view the macros that can used to customize the text in your emails

for your purposes.

For more information, please see Invite External Users to Join an Access Session at

https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/access-invite.htm.

Security Providers: Enable LDAP, RADIUS, Kerberos, SCIM, and SAML2 Logins

Users &Security SECURITY PROVIDERS

Security Providers

You can configure your BeyondTrust Appliance B Series to authenticate users against existing LDAP, RADIUS, SCIM, SAML2, or

Kerberos servers, as well as to assign privileges based on the preexisting hierarchy and group settings already specified in your servers.

Kerberos enables single sign-on, while RSA and other two factor authentication mechanisms via RADIUS provide an additional level of

security.

Add Provider

From the Add dropdown, select LDAP, RADIUS, Kerberos, SCIM, or SAML2 to add a new security provider configuration.

Change Order

Click this button to drag and drop security providers to set their priority. You can drag and drop servers within a cluster; clusters can be

dragged and dropped as a whole. Click Save Order for prioritization changes to take effect.

Disable

Disable this security provider connection. This is useful for scheduled maintenance, when you want a server to be offline but not deleted.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Sync

Synchronize the users and groups associated with an external security provider. Synchronization occurs automatically once a day.

Clicking this button forces a manual synchronization.

View Log

View the status history for a security provider connection.

Duplicate Node

Create a copy of an existing clustered security provider configuration. This will be added as a new node in the same cluster.

Upgrade to a Cluster

Upgrade a security provider to a security provider cluster. To add more security providers to this cluster copy an existing node.

Copy

Create a copy of an existing security provider configuration. This will be added as a top-level security provider and not as part of a cluster.

Edit, Delete

Modify an exiting object or remove an existing object.

Note: If you edit the local security provider and select a default policy that does not have administrator permissions, a warning

message appears. Ensure other users have administrator permissions before proceeding.

Edit Security Provider - LDAP

Name

Create a unique name to help identify this provider.

Enabled

If checked, your B Series Appliance searches this security provider when a user attempts to log in. If unchecked, this provider is not

searched.

User Authentication

Choose if this provider should be used for user authentication. If deselected, options specific to user authentication are disabled.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

User Provision

By default, user provisioning occurs on this provider. If you have a SCIM provider set up, you can choose to provision users through that

provider instead. If this provider is not used for user authentication, then Do not provision users is selected.

Note: This setting cannot be modified after this security provider is first saved.

Keep user information synchronized with the LDAP server

Checking this option keeps a user's display name set to the name designated on the security provider rather than allowing the display

name to be modified in BeyondTrust.

Authorization Settings

Synchronization: Enable LDAP object cache

If checked, LDAP objects visible to the B Series Appliance are cached and synchronized nightly, or manually, if desired. When using this

option, fewer connections are made to the LDAP server for administrative purposes thereby potentially increasing speed and efficiency.

If unchecked, changes to the LDAP server are immediately available without the need to synchronize. However, when you make changes

on user policies through the administrative interface, several short-lived LDAP connections may occur as necessary.

For providers that have previously had the synchronization setting enabled, disabling or unchecking the synchronization option will cause

all cached records that are currently not in use to be deleted.

Lookup Groups

Choose to use this security provider only for user authentication, only for group lookups, or for both. If the User Authentication option

above is not checked, then Lookup groups using this provider is selected. The option to look up groups using a different provider is

available only if another provider capable of group lookup has already been created.

Default Group Policy (Visible Only if User Authentication is Allowed)

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B

Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users

allowed to authenticate against the configured server.

If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy.

Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not

wish them to have.

Note: If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific

policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default,

and even if the default policy's settings are set to disallow override.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Connection Settings

Hostname

Enter the hostname of the server that houses your external directory store.

Note: If you will be using LDAPS or LDAP with TLS, the hostname must match the hostname used in your LDAP server's

public SSL certificate's subject name or the DNS component of its alternate subject name.

Port

Specify the port for your LDAP server. This is typically port 389 for LDAP or port 636 for LDAPS. BeyondTrust also supports global catalog

over port 3268 for LDAP or 3269 for LDAPS.

Encryption

Select the type of encryption to use when communicating with the LDAP server. For security purposes, LDAPS or LDAP with TLS is

recommended.

Note: Regular LDAP sends and receives data in clear text from the LDAP server, potentially exposing sensitive user account

information to packet sniffing. Both LDAPS and LDAP with TLS encrypt user data as it is transferred, making these methods

recommended over regular LDAP. LDAP with TLS uses the StartTLS function to initiate a connection over clear text LDAP but

then elevates this to an encrypted connection. LDAPS initiates the connection over an encrypted connection without sending

any data in clear text whatsoever.

If you select LDAPS or LDAP with TLS, you must upload the Root SSL Certificate used by your LDAP server. This is necessary to ensure

the validity of the server and the security of the data. The Root Certificate must be in PEM format.

Note: If the LDAP server's public SSL certificate's subject name, or the DNS component of its alternate subject name, does

not match the value in the Hostname field, the provider will be treated as unreachable. You can, however, use a wildcard

certificate to certify multiple subdomains of the same site. For example, a certificate for *.example.com would certify both

access.example.com and remote.example.com.

Bind Credentials

Specify a username and password with which your B Series Appliance can bind to and search the LDAP directory store.

If your server supports anonymous binds, you may choose to bind without specifying a username and password. Anonymous binding is

considered insecure and is disabled by default on most LDAP servers.

Username

Enter a username for the bind credentials.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Password and Confirm Password

Enter and confirm a password for the bind credentials.

Connection Method

If you are using an external directory store in the same LAN as your B Series Appliance, the two systems may be able to communicate

directly, in which case you can leave the option Proxy from appliance through the Connection Agent unchecked and move on.

If the two systems are unable to communicate directly, such as if your external directory server is behind a firewall, you must use a

connection agent. Downloading the Win32 connection agent enables your directory server and your B Series Appliance to communicate

via an SSL-encrypted, outbound connection, with no firewall configuration. The connection agent can be downloaded to either the

directory server or a separate server on the same network as your directory server (recommended).

In the case above, check Proxy from appliance through the Connection Agent. Create a Connection Agent Password for use in the

connection agent installation process. Then click Download Connection Agent, run the installer, and follow the installation wizard.

During installation, you will be prompted to enter the security provider name and the connection agent password you created above.

Note: BeyondTrust Cloud customers must run the connection agent in order to use an external directory store.

Directory Type

To aid in configuring the network connection between your B Series Appliance and your security provider, you can select a directory type

as a template. This pre-populates the configuration fields below with standard data but must be modified to match your security provider's

specific configuration. Active Directory LDAP is the most common server type, though you can configure BeyondTrust to communicate

with most types of security providers.

Cluster Settings (Visible Only for Clusters)

Member Selection Algorithm

Select the method to search the nodes in this cluster.

Top-to-bottom first attempts the server with the highest priority in the cluster. If that server is unavailable or the account is not found, the

next highest priority server is attempted. The search moves down through the list of clustered servers until either the account is found or it

is determined that the account does not exist on any of the specified and available servers.

Round-robin is designed to balance the load between multiple servers. The algorithm chooses at random which server to attempt first. If

that server is unavailable or the account is not found, another random server is attempted. The search continues at random through the

remaining servers in the cluster until either the account is found or it is determined that the account does not exist on any of the specified

and available servers.

Retry Delay

Set how long to wait after a cluster member becomes unavailable before trying that cluster member again.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

User Schema Settings

Override Cluster Values (Visible Only for Cluster Nodes)

If this option is unchecked, this cluster node will use the same schema settings as the cluster. If unchecked, you may modify the schema

settings below.

Search Base DN

Determine the level in your directory hierarchy, specified by a distinguished name, at which the B Series Appliance should begin searching

for users. Depending on the size of your directory store and the users who require BeyondTrust accounts, you may improve performance

by designating the specific organizational unit within your directory store that requires access. If you are not sure or if users span multiple

organizational units, you may want to specify the root distinguished name of your directory store.

User Query

Specify the query information that the B Series Appliance should use to locate an LDAP user when the user attempts to log in. The User

Query field accepts a standard LDAP query (RFC 2254 – String Representation of LDAP Search Filters). You can modify the query string

to customize how your users log in and what methods of usernames are accepted. To specify the value within the string that should act as

the username, replace that value with *.

Browse Query

The browse query affects how results are displayed when browsing via group policies. This filters results so that only certain results

display in the member selection dropdown when adding members to a group policy.

Object Classes

Specify valid object classes for a user within your directory store. Only users who posses one or more of these object classes will be

permitted to authenticate. These object classes are also used with the attribute names below to indicate to your B Series Appliance the

schema the LDAP server uses to identify users. You can enter multiple object classes, one per line.

Attribute Names

Specify which fields should be used for a user's unique ID, display name, and email address.

Unique ID

This field requests a unique identifier for the object. While the distinguished name can serve as this ID, a user's distinguished name may

change frequently over the life of the user, such as with a name or location change or with the renaming of the LDAP store. Therefore,

most LDAP servers incorporate some field that is unique per object and does not change for the lifetime of the user. If you do use the

distinguished name as the unique ID and a user's distinguished name changes, that user will be seen as a new user, and any changes

made specifically to the individual's BeyondTrust user account will not be carried over to the new user. If your LDAP server does not

incorporate a unique identifier, use a field that is least likely to have an identical entry for another user.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

E-mail

This determines which field should be used as the user's email address.

Display Name

This determines which field should be used as the user's display name.

Group Schema Settings (Visible Only if Performing Group Lookups)

Directory Type

To aid in configuring the network connection between your B Series Appliance and your security provider, you can select a directory type

as a template. This pre-populates the configuration fields below with standard data but must be modified to match your security provider's

specific configuration. Active Directory LDAP is the most common server type, though you can configure BeyondTrust to communicate

with most types of security providers.

Search Base DN

Determine the level in your directory hierarchy, specified by a distinguished name, at which the B Series Appliance should begin searching

for groups. Depending on the size of your directory store and the groups that require access to the B Series Appliance, you may improve

performance by designating the specific organizational unit within your directory store that requires access. If you are not sure or if groups

span multiple organizational units, you may want to specify the root distinguished name of your directory store.

Browse Query

The browse query affects how results are displayed when browsing via group policies. This filters results so that only certain results

display in the member selection dropdown when adding members to a group policy.

Object Classes

Specify valid object classes for a group within your directory store. Only groups that possess one or more of these object classes will be

returned. These object classes are also used with the attribute names below to indicate to your B Series Appliance the schema the LDAP

server uses to identify groups. You can enter multiple group object classes, one per line.

Attribute Names

Specify which fields should be used for a group's unique ID and display name.

Unique ID

This field requests a unique identifier for the object. While the distinguished name can serve as this ID, a group's distinguished name may

change frequently over the life of a group, such as with a location change or with the renaming of the LDAP store. Therefore, most LDAP

servers incorporate some field that is unique per object and does not change for the lifetime of the group. If you do use the distinguished

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

name as the unique ID and a group's distinguished name changes, that group will be seen as a new group, and any group policies defined

for that group will not be carried over to the new group. If your LDAP server does not incorporate a unique identifier, use a field that is least

likely to have an identical entry for another group.

Display Name

This value determines which field should be used as the group's display name.

User to Group Relationships

This field requests a query to determine which users belong to which groups or, conversely, which groups contain which users.

Perform recursive search for groups

You can choose to perform a recursive search for groups. This will run a query for a user, then queries for all of the groups to which that

user belongs, then queries for all groups to which those groups belong, and so forth, until all possible groups associated with that user

have been found.

Running a recursive search can have a significant impact on performance, as the server will continue to issue queries until it has found

information about all groups. If it takes too long, the user may be unable to log in.

A non-recursive search will issue only one query per user. If your LDAP server has a special field containing all of the groups to which the

user belongs, recursive search is unnecessary. Recursive search is also unnecessary if your directory design does not handle group

members of groups.

Test Settings

Username and Password

Enter a username and password for an account that exists on the server you are testing. This account must match the criteria for login

specified in the configuration above.

Try to obtain user attributes and group memberships if the credentials are accepted

If this option is checked, your successful credential test will also attempt to check user attributes and group lookup. Note that for these

features to be successfully tested, they must be supported and configured in your security provider.

Start Test

If your server is properly configured and you have entered a valid test username and password, you will receive a success message.

Otherwise, you will see an error message and a log that will help in debugging the problem.

Edit Security Provider - RADIUS

Name

Create a unique name to help identify this provider.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Enabled

If checked, your B Series Appliance searches this security provider when a user attempts to log in. If unchecked, this provider is not

searched.

Keep display name synchronized with remote system

Checking this option keeps a user's display name set to the name designated on the security provider rather than allowing the display

name to be modified in BeyondTrust.

Authorization Settings

Only allow the following users

You can choose to allow access only to specified users on your RADIUS server. Enter each username separated by a line break. Once

entered, these users will be available from the Add Policy Member dialog when editing group policies on the /login > Users & Security

> Group Policies page.

If you leave this field blank, all users who authenticate against your RADIUS server will be allowed; if you allow all, you must also specify a

default group policy.

LDAP Group Lookup

If you want users on this security provider to be associated with their groups on a separate LDAP server, choose one or more LDAP group

servers to use for group lookup.

Default Group Policy

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B

Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users

allowed to authenticate against the configured server.

If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy.

Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not

wish them to have.

Note: If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific

policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default,

and even if the default policy's settings are set to disallow override.

Connection Settings

Hostname

Enter the hostname of the server that houses your external directory store.

SALES: www.beyondtrust.com/contact

SUPPORT: www.beyondtrust.com/support

DOCUMENTATION: www.beyondtrust.com/docs

depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC: 7/8/2024

PRIVILEGED REMOTE ACCESS 24.2

ADMIN GUIDE

Port

Specify the authentication port for your RADIUS server. This is typically port 1812.

Timeout (seconds)

Set the length of time to wait for a response from the server. Note that if the response is Response-Accept or Response-Challenge,

then RADIUS will wait the entire time specified here before authenticating the account. Therefore, it is encouraged to keep this value as

low as reasonably possible given your network settings. An ideal value is 3-5 seconds, with the maximum value at three minutes.