A general place for Privileged Remote Access conversations.
Recently active
How to Secure Cloud-Native Infrastructure at Scale and Speed: A Conversation with Madhu Adireddi May 21, 2026Author: Gayatri Karthy Product Marketing Manager In this Q&A, Director of Product Management for Privileged Remote Access, Madhu Adireddi, shares strategies for aligning security with DevOps velocity. She explains why databases and Kubernetes have become critical friction points for DevOps teams, the danger of relying on static credentials in dynamic environments, and how transitioning to just-in-time access helps organizations maintain speed without sacrificing control DevOps Moves Fast—Access Shouldn’t Be the Thing That Slows It DownWhite chain icon to symbolize the ability to copy a linkWhere do DevOps teams feel the most friction with access today?Madhu: It shows up in the systems they rely on most: databases and Kubernetes.Teams invest heavily in modernizing their infrastructure. They move to cloud-native platforms, adopt Kubernetes, and automate deployments. However, t
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.A patch has been applied to all Remote Support & Privileged Remote Access SaaS customers as of Feb 2, 2026 that remediates this vulnerability (No further action is required for these sites). For the latest information on this Security Advisory from BeyondTrust, please reference the below post on our Trust Portal. Updates: 13-Feb-26 - The Security Advisory has been updated.13-Feb-26 - Knowledge Base article added: KB0023293 BeyondTrust Trust Portal - BT26-02Knowledge Base Article: KB0023293
Hello,I am connecting to a target system through an RDP session launched from BeyondTrust PRA.I can upload files to the remote system, but I cannot download files from the remote system to my local machine.Is this expected behavior?
Hi all,I’m interested in hearing from anyone who has successfully implemented Azure Application Proxy as a front door to a BeyondTrust PRA appliance, specifically to reduce direct exposure to the internet. Current EnvironmentBeyondTrust PRA appliances hosted on-premises Appliances are internal-only (no direct internet exposure) Internal user authentication handled via SAML with Microsoft Entra ID RequirementWe are looking to enable access for external 3rd-party (guest) users while maintaining a zero/low direct exposure footprint.Key goals:Avoid publishing the PRA appliance directly to the internet Leverage Azure App Proxy as the external entry point Use Entra ID authentication (including B2B guest users) for access control Maintain alignment with our existing guest onboarding and governance model (via Entra B2B) Avoid using the BeyondTrust vendor portal where possible Proposed ApproachExpose a dedicated external URL via Azure App Proxy Require pre-authentication with Entra ID (includin
Hi everyone,I have a question regarding PASM. I have users and devices managed through Password Safe, and session delivery is handled by PRA. If I want a user connecting from PRA with credentials injected from Password Safe to provide a reason for connecting, where do I configure this in PS or PRA? Also, if they need an approval workflow, where do I configure that in PS or PRA?
The following articles were published last week. New Knowledge Base Articles: KB0022631 - How to allow users to copy and paste credentials from the RS or PRA vault KB0022647 - How to download the SIEM Q radar plugin for Remote Support or Privileged Remote Access integration KB0023715 - Vendor self-registration confirmation emails not sent after upgrade to 26.1.1 KB0023716 - Cannot download User Account Report in Remote Support and Privileged Remote Access 26.1.1 KB0023727 - Is Remote Support or Privilege Remote Access vulnerable to CVE-2026-49975?
Hi,We are experiencing an issue with the session termination behavior in PRA.We have configured the system so that when a session ends, the user's session on the target server should be logged off automatically. However, after ending a session and reconnecting, everything remains exactly as it was left previously, which indicates that the user session is not actually being logged off.Both the web console and the desktop console are running version 25.3.2.We found a KB article that appears to describe a similar issue, but it does not seem to apply to the version we are currently running.Additionally, we are currently applying the Session Policy through Group Policies. To rule out a policy inheritance issue, we also assigned the same Session Policy directly to the Jump Item, but the behavior remained exactly the same.If anyone has experienced a similar issue or knows why this might be happening, we would really appreciate any guidance or suggestions on what else we should verify.Thank yo
I would like to establish a connection to a closed network with a jumpoint/gateway every 30 Minutes, do some tasks and then close the connection again.I thought about using the tcp or network tunnel to establish the connection.Does anyone know a way how to automate this with the APIs? I couldn't find anything. thanks for your input on this
Hi team We're writing to report a problem that has been occurring with our client. Several users have reported that while connected to a session, their session suddenly disconnects. This has happened to multiple users, and we'd like to know the cause of this behavior and if it's a known bug.
The following articles were published last week. New Knowledge Base Articles: KB0022452 - Using an AD vault account to launch an SQL tunnel fails - Login failed. The login is from an untrusted domain and cannot be used with Integration authentication. KB0022465 - Warning message: Installing more than one Jump client being phased out KB0022554 - How to retrieve Integration Client connection string KB0022565 - Rotation of accounts failed for a subdomain in PRA and RS KB0023605 - Endpoints for local accounts are shown incorrectly in Vault accounts tab within the console KB0023608 - Console shows "Error initializing application" or "Account is already in use" KB0023634 - macOS Sequoia does not show RS or PRA as an option in settings to enable screen recording KB0023651 - Are Privileged Remote Access or Remote Support appliances vulnerable to PHP 7.1.29, 8.0.12, or 8.1.27 vulnerabilities?
Hi communityOur clients are currently starting to use SQL Tunnel and PostgreSQL Tunnel connections. When checking the recordings, they are not available; only the transcript is shown. I would like to know if PRA does not support these types of recordings.
Hi team My client is having this problem: some sessions are recording, and others aren't. They have several connections to the same device, and while some recordings are available, others only have the transcript. I'd like to know what's happening in this case and what the problem might be. As an additional note, the product is in version 25.3.2. All sessions are from the same user and are of type RDP
From what I can tell, dedicated account mapping (e.g. KB0017035) the only option available is to map the exact same attribute in both domains. For example, employeedomain\user1 has attribute1 set to “user1”privilegeddomain\admin1 has attribute1 set to “user1”to drive the mapping via smart rules. However, that implies that modifying attribute1 in employeedomain to a different value, say, “user2” would grant user1 access to user2’s privileged resources, giving domain1 authority over a privileged domain’s access. What I want to be able to do is have privilegeddomain\admin1 attribute1 set to “user1”, and map that to employeedomain\user1’s name field (or samaccountname, or SID - something not modifiable without breaking the employeedomain\user1 account). Is that possible?
The following articles were published last week. New Knowledge Base Articles: KB0022540 - Is there any effect when changing SMTP authentication from Legacy to Oauth2 with the Integration Client? KB0022553 - What operating system can BeyondTrust SRA Integration Client be installed on? KB0022568 - All new users getting all Asset or Jump Items by default in RS and PRA KB0023619 - Will local users stay in User Accounts after expiry? KB0023656 - Network Tunnel: The privileged remote access network tunnel endpoint service is not installed KB0023658 - Vault checkout error "System name is not configured for directory linked account checkout" KB0023662 - Console tab missing in /login KB0023671 - Can multiple connected screens be viewed simultaneously in separate, detachable windows?
I have a standalone Gateway (Jumpoint) and a Gateway cluster (jumpoint cluster).Wha can I configure my Jump Clients only to use a standalone gateway (jumpoint) and not the gateway cluster?
This might be a bit too big of a question for this forum. However, I am not sure where to start. We are still somewhat new to PRA. I am wanting to start using Docker containers for our jumpoints instead of putting them on Linux instances. First, where do I go to download the container image? I heard that there is a stock image that we would use and then just input the key to start the connection to our system. Second, can we put the container in a service like AWS container service or Azure container service? Third, and this will show my very beginner level of experience with containers, would we do the firewall rules for the containers the same way that we do them for the Linux servers that are jumpoints?I have a feeling there are other items that I am totally missing, but I figured this is a good start. If you know of documentation you can point me to I am more than happy to start reading and testing things out.
Hi everybody, hope y’all having a great friday so far.Even though we know Windows 2003 are out of support, we still have a couple running precious services, and we’re on track to upgrading them. There are accounts on our Password Safe that go through PRA ECM integration for injecting credentials. That works for 99% of the newer Windows machines except these. We realized that whenever we jump to these, the main issue is the “format” of the credentials are wrong (even it says in the login menu of the machine).Is there a workaround or any ideas that might worth a try? Thanks!
Anyway of being able to mass delete users in PRA? E.g. if not authenticated in X amount of days?GUI doesn’t have check boxes to select multiple users to perform bulk tasks. There’s a 5+ sec gap when deleting individual users one buy one and whilst waiting for the user table to refresh, quite tedious! No automated settings I’m aware of for internal users, whereas vendor users have this option -Will implementing SCIM (SAML only currently) address this or will it only disable users rather than delete?
The following articles were published last week. New Knowledge Base Articles: KB0022444 - Can USERID and DATETIMESTAMP be used in the Integration Client recording file format name? KB0022475 - Jump Client prompts for application selection after upgrade despite configuration KB0022505 - Unable to OIDC authenticate in Access Console - Error 403 KB0022517 - Protocol Tunnel Jumps using Docker Jumpoints fail with the error "failed with exit code 126" KB0022520 - API error Unsupported_grant_type KB0023589 - Remote RDP sessions disconnecting when injecting the same Vault credential KB0023639 - Can the RS or PRA Jump Client be installed using a PKG file? KB0023646 - What is the difference between Remote Jump and Remote RDP Jump? KB0023649 - Can the primary Atlas hostname be changed in Cloud? KB0023654 - Does CVE-2026-20833 affect Remote Support or Privileged Remote Access
Hi, is there a way in PRA console to identify which Jumpitems are being used by user to stablish connection to end points? Just want to make sure all my 4 jumpitems are being used.
The following articles were published last week. New Knowledge Base Articles: KB0022485 - Is Session Recordings required at all times, or only in specific cases? KB0022489 - Should the same upgrade package be used if appliances are in failover for RS and PRA? KB0023575 - Is RS and PRA vulnerable to CVE-2026-31431 Copy Fail? KB0023595 - Intermittent "Endpoint Client has encountered a problem" error when starting or during a PRA session KB0023622 - This primary node's configuration is newer than one or more traffic nodes' configuration
Geopolitics and Cybersecurity: Why Attackers Go After Identities and Privileged Access First Geopolitics and the 2026 Cybersecurity Landscape: Cybersecurity must no longer just focus on protecting against zero‑day vulnerabilities or malware. Increasingly, geopolitical instability is the motivation behind attacks, spilling global tensions into corporate environments. In many cases, attackers are going after the privilege pathways that real users rely on every day, like usernames and passwords, high‑level access rights, and paths into sensitive systems that are not well monitored or watched. How PASM+ Strengthens Your Cyber Defenses: Total PASM+, which amplifies Privileged Account and Session Management (PASM) capabilities with the cross-domain visibility and risk intelligence of BeyondTrust Identity Security Insights™, helps make these best practices a reality across your environments. Instead of leaving critical entry points unmonitored, Total PASM+ helps teams control and secure the
The supported platform matrix for the PRA Integration Client only goes up to SQL Server 2022. Is their a roadmap/timeline for supporting for Azure SQL PaaS offering (@2025), or is there a configuration on it which can be made to make it supportable? ThanksChris
Good afternoon community,I would like to ask a question regarding the installation of BeyondTrust Access Console on macOS devices.Currently, the Access Console installer for macOS is only available for download in .dmg format. We contacted BeyondTrust directly, and they confirmed that there is currently no native .pkg version officially available.However, they also mentioned that some customers have successfully created their own conversions to .pkg format for corporate deployments, although BeyondTrust does not provide support for that process.I would like to know if anyone in the community has previously completed this process and could share any recommendations, experiences, or best practices for correctly generating the .pkg file and deploying it while avoiding corruption issues or installation failures.I look forward to your comments, and thank you very much in advance.
Is it possitble to generate a Jump Client Installer, that can only be installed once, or that is restricted to specific endpoint? I think the answer is no, but a client really wants this.
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.