Network Tunnel Jump shortcuts

A Network Tunnel is a type of Protocol Tunnel Jump that connects your system to an endpoint on a remote network. Because it operates at the network layer rather than forwarding individual ports, it can tunnel any TCP or non-TCP (for example, UDP) protocol traffic to that network.

Because the connection is made through a Jumpoint, the administrator can control which users have access, when they have access, and whether the sessions are recorded.

Network Tunnel Jump shortcuts appear in the Jump interface along with Jump Clients and other types of Jump Item shortcuts.

Network Tunnel Jump is an advanced feature and disabled by default. This feature can be activated, at no additional cost, by contacting your BeyondTrust representative.

Prerequisites

Once the feature is activated for your installation, ensure the following requirements are met to create and use Network Tunnel Jump shortcuts:

  • The Privileged Remote Access access console and Jumpoint are on Windows systems.
  • The Jumpoint is configured for the Protocol Tunnel Jump method on the /login > Jump > Jumpoint page.
  • DHCP must be available on the endpoint network. If DHCP is not available, a pool of IP address ranges can be defined on the /login > Jump > Jumpoint page. Select and edit a Jumpoint to manage the IP addresses.
  • The Access Console Network Tunneling Service is installed on the user's machine. It can be installed via a software deployment tool or manually from the /login > Consoles & Downloads > Drivers page.

DHCP

Every Network Tunnel session needs an IP address on the remote network. That address comes either from an existing DHCP service on the remote network, or from a reserved set of IP addresses managed by the Jumpoint. If you have DHCP services running on the remote network, no further configuration is needed.

If you do not have DHCP services running on the remote network, you can configure a pool of IPv4 address ranges on each Jumpoint, on the /login > Jump > Jumpoint page. Select and edit a Jumpoint to manage the IP addresses.

The pool of managed IP address ranges is used to assign an IP to every session started with this Network Tunnel Jump Item.

Ensure that the pool of addresses you provide is reserved from use by other systems on the remote network (static hosts and any existing DHCP scope included), and that it contains enough addresses for the number of simultaneous Network Tunnel sessions you expect with this remote network. Each active session consumes one address from the pool.
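The two rules above (the pool must not collide with addresses already in use, and it must be large enough for the expected number of concurrent sessions) can be checked before you enter the ranges on the Jumpoint page. The script below is an added example for this page and is not BeyondTrust code; the `start-end` range syntax and the list of addresses already in use are inputs assumed for this script, not the product's configuration format.

```python
"""Sanity-check a Jumpoint-managed IPv4 address pool before configuring it.

Added example, not BeyondTrust code. Inputs are assumed for this script:
  pool_specs   - ranges reserved for Network Tunnel sessions ('a.b.c.d-a.b.c.e')
  in_use_specs - addresses other systems already use: single hosts, CIDR blocks
                 (e.g. a static server subnet) or dash ranges (e.g. a DHCP scope)
"""
import ipaddress
from typing import Dict, Iterable, List


def to_networks(spec: str) -> List[ipaddress.IPv4Network]:
    """Expand '10.0.0.5', '10.0.0.0/27' or '10.0.0.50-10.0.0.99' into IPv4 networks."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end is below range start: {spec!r}")
        return list(ipaddress.summarize_address_range(lo, hi))
    net = ipaddress.ip_network(spec, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 pools are supported")
    return [net]


def check_pool(pool_specs: Iterable[str], in_use_specs: Iterable[str],
               expected_sessions: int) -> Dict[str, object]:
    """Report pool size, addresses that collide with in-use space, and whether
    the collision-free remainder covers the expected concurrent sessions."""
    pool = [n for spec in pool_specs for n in to_networks(spec)]
    in_use = [n for spec in in_use_specs for n in to_networks(spec)]
    # A set de-duplicates addresses listed twice across overlapping pool entries.
    addresses = {addr for net in pool for addr in net}
    conflicts = sorted(a for a in addresses if any(a in net for net in in_use))
    usable = len(addresses) - len(conflicts)
    return {
        "pool_size": len(addresses),
        "conflicts": [str(a) for a in conflicts],
        "usable": usable,
        "sufficient": usable >= expected_sessions,
    }


if __name__ == "__main__":
    # Constructed sample: the proposed pool overlaps the top of the site's DHCP scope.
    IN_USE = ["10.20.30.1", "10.20.30.50-10.20.30.205", "10.20.30.254"]
    print(check_pool(["10.20.30.200-10.20.30.219"], IN_USE, expected_sessions=15))
    # Moving the pool above the DHCP scope removes the collisions.
    print(check_pool(["10.20.30.206-10.20.30.225"], IN_USE, expected_sessions=15))
```

Run it with your own site's static hosts and DHCP scope as the in-use list; a non-empty `conflicts` list means the pool is not actually reserved, and `sufficient: False` means sessions will fail to get an address once the pool is exhausted.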

Create Protocol Tunnel Jump shortcut

Protocol Tunnel Jump Options

  1. Click the Create button in the Jump interface. From the dropdown, under Protocol Tunnel Jump, select Network Tunnel.

Create a new Protocol Tunnel Jump Shortcut for a Network Tunnel.

  2. Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

  3. From the Jumpoint dropdown, select the network that hosts the computer you wish to access. The access console remembers your Jumpoint choice the next time you create this type of Jump Item.
  4. Create a filter using the Filter Rules. You must create at least one filter, and the filter must specify at least one IP address.
    • IP Address: Enter a single IP address, a list of addresses separated by commas, or a range of addresses separated by a dash. A single filter cannot combine a list and a range. CIDR notation can be used. Only IPv4 is supported.
    • If desired, select a Protocol. The most commonly used protocols are listed first, in alphabetical order, followed by the full list of protocols in alphabetical order.
    • If desired, and if applicable to the selected protocol, enter a single port, a list of ports separated by commas, or a range of ports separated by a dash.
    • You can define multiple filters. Filters in the list can be removed but not edited; to change a filter, remove it and add a corrected one.

For information on protocols, see IANA Protocol Numbers.

  5. Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

  6. Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each Jump Item is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

  7. Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

  8. To set when users are allowed to access this Jump Item, if a notification of access should be sent, or if permission or a ticket ID from your external ticketing system is required to use this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

  9. Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

Use Network Tunnels with TCP/UDP Protocol Filters

If you configure Network Tunnel filters for TCP traffic, the filters must account for the ephemeral source port that the client operating system assigns when a TCP connection is opened, not only the well-known port you are connecting to. The ephemeral port range is configurable at the operating-system level and its default varies by operating system (Windows uses 49152-65535 by default; Linux uses 32768-60999). The recommended approach is therefore to not configure any port filters in combination with a TCP protocol filter. As an alternative, you can specify a range of ports broad enough to contain the ephemeral port on any client (for example, 1024-65535), in addition to the target TCP port.

If you configure Network Tunnel filters for UDP traffic, we likewise recommend not adding port filters unless they are absolutely necessary and the port ranges are known. Some processes do not bind to a specific UDP source port and leave the choice to the operating system, which makes it difficult to predict which port ranges the filter must allow for the UDP traffic to work as expected.
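The filter syntax from the Filter Rules step and the ephemeral-port caveat above can be modelled offline. The Python below is an added example for this page, not BeyondTrust code: it parses the IP, protocol and port fields as the page describes them and then evaluates a TCP flow against a set of filters. It makes one assumption, stated in the code, about behaviour the page does not spell out: that both the destination port and the client's ephemeral source port must be permitted by the filters, which is the situation the page tells you to account for. The default ephemeral ranges for Windows and Linux are embedded as constants so that a port specification can be checked for coverage.

```python
"""Offline model of Network Tunnel Jump filter rules.

Added example, not BeyondTrust code; it does not call the product. The
syntax follows the page: an IP field that is a single address, a comma list,
a dash range or a CIDR block (IPv4 only, never a list combined with a range),
an optional protocol, and an optional port, port list or port range. How the
Jumpoint evaluates packets is not documented here; tcp_flow_allowed() ASSUMES
that both the target port and the client's ephemeral source port must pass.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Default dynamic (ephemeral) TCP port ranges; both are tunable per OS.
EPHEMERAL_DEFAULTS = {"windows": (49152, 65535), "linux": (32768, 60999)}

PortRanges = Tuple[Tuple[int, int], ...]


def parse_ips(text: str) -> Tuple[ipaddress.IPv4Network, ...]:
    """'10.1.2.5', '10.1.2.5,10.1.2.6', '10.1.2.5-10.1.2.20' or '10.1.2.0/24'."""
    text = text.strip()
    if "," in text and "-" in text:
        raise ValueError("a filter may use a comma list or a dash range, not both")
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if hi < lo:
            raise ValueError("range end is below range start")
        return tuple(ipaddress.summarize_address_range(lo, hi))
    nets = []
    for part in text.split(","):
        net = ipaddress.ip_network(part.strip(), strict=False)
        if net.version != 4:
            raise ValueError("only IPv4 is supported")
        nets.append(net)
    return tuple(nets)


def parse_ports(text: str) -> PortRanges:
    """'3389', '80,443' or '1024-65535'; an empty field means any port."""
    ranges = []
    for part in (p.strip() for p in text.split(",") if p.strip()):
        lo, hi = (int(x) for x in part.split("-", 1)) if "-" in part else (int(part),) * 2
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"invalid port specification: {part!r}")
        ranges.append((lo, hi))
    return tuple(ranges)


@dataclass(frozen=True)
class Filter:
    networks: Tuple[ipaddress.IPv4Network, ...]
    protocol: Optional[str] = None   # e.g. "tcp"; None = any protocol
    ports: PortRanges = ()           # empty = any port

    @classmethod
    def make(cls, ips: str, protocol: str = "", ports: str = "") -> "Filter":
        return cls(parse_ips(ips), protocol.lower() or None, parse_ports(ports))

    def matches(self, ip: str, protocol: str, port: int) -> bool:
        addr = ipaddress.IPv4Address(ip)
        if not any(addr in net for net in self.networks):
            return False
        if self.protocol and protocol.lower() != self.protocol:
            return False
        return not self.ports or any(lo <= port <= hi for lo, hi in self.ports)


def port_allowed(filters: Iterable[Filter], ip: str, protocol: str, port: int) -> bool:
    """A packet passes if any filter on the Jump Item matches it."""
    return any(f.matches(ip, protocol, port) for f in filters)


def tcp_flow_allowed(filters: Iterable[Filter], ip: str, dst_port: int, src_port: int) -> bool:
    """ASSUMED semantics: the target port and the client's ephemeral source
    port must both be permitted for the TCP connection to work."""
    filters = list(filters)
    return (port_allowed(filters, ip, "tcp", dst_port)
            and port_allowed(filters, ip, "tcp", src_port))


def covers_ephemeral(ports: PortRanges, os_name: str) -> bool:
    """True if a port specification contains the whole default ephemeral range of os_name."""
    if not ports:           # no port filter at all: every port is allowed
        return True
    lo, hi = EPHEMERAL_DEFAULTS[os_name]
    return all(any(rlo <= p <= rhi for rlo, rhi in ports) for p in range(lo, hi + 1))


if __name__ == "__main__":
    # Constructed sample: RDP to one host, with the client picking source port 51234.
    rdp_only = [Filter.make("10.20.30.40", "tcp", "3389")]
    print("3389 only          ->", tcp_flow_allowed(rdp_only, "10.20.30.40", 3389, 51234))
    with_ephemeral = rdp_only + [Filter.make("10.20.30.40", "tcp", "1024-65535")]
    print("3389 + 1024-65535  ->", tcp_flow_allowed(with_ephemeral, "10.20.30.40", 3389, 51234))
    print("tcp, no port filter->", tcp_flow_allowed([Filter.make("10.20.30.40", "tcp")], "10.20.30.40", 3389, 51234))
    print("49152-65535 covers linux default?", covers_ephemeral(parse_ports("49152-65535"), "linux"))
```

The last line is the check worth keeping: a range copied from one client platform's default (Windows' 49152-65535) does not cover the Linux default, which is why the page suggests the wider 1024-65535 or no port filter at all.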