General

Hi all,I’m interested in hearing from anyone who has successfully implemented Azure Application Proxy as a front door to a BeyondTrust PRA appliance, specifically to reduce direct exposure to the internet. Current EnvironmentBeyondTrust PRA appliances hosted on-premises Appliances are internal-only (no direct internet exposure) Internal user authentication handled via SAML with Microsoft Entra ID RequirementWe are looking to enable access for external 3rd-party (guest) users while maintaining a zero/low direct exposure footprint.Key goals:Avoid publishing the PRA appliance directly to the internet Leverage Azure App Proxy as the external entry point Use Entra ID authentication (including B2B guest users) for access control Maintain alignment with our existing guest onboarding and governance model (via Entra B2B) Avoid using the BeyondTrust vendor portal where possible Proposed ApproachExpose a dedicated external URL via Azure App Proxy Require pre-authentication with Entra ID (includin

Hi communityOur clients are currently starting to use SQL Tunnel and PostgreSQL Tunnel connections. When checking the recordings, they are not available; only the transcript is shown. I would like to know if PRA does not support these types of recordings.

Hi team My client is having this problem: some sessions are recording, and others aren't. They have several connections to the same device, and while some recordings are available, others only have the transcript. I'd like to know what's happening in this case and what the problem might be. As an additional note, the product is in version 25.3.2. All sessions are from the same user and are of type RDP

I would like to establish a connection to a closed network with a jumpoint/gateway every 30 Minutes, do some tasks and then close the connection again.I thought about using the tcp or network tunnel to establish the connection.Does anyone know a way how to automate this with the APIs? I couldn't find anything. thanks for your input on this

From what I can tell, dedicated account mapping (e.g. KB0017035) the only option available is to map the exact same attribute in both domains. For example, employeedomain\user1 has attribute1 set to “user1”privilegeddomain\admin1 has attribute1 set to “user1”to drive the mapping via smart rules. However, that implies that modifying attribute1 in employeedomain to a different value, say, “user2” would grant user1 access to user2’s privileged resources, giving domain1 authority over a privileged domain’s access. What I want to be able to do is have privilegeddomain\admin1 attribute1 set to “user1”, and map that to employeedomain\user1’s name field (or samaccountname, or SID - something not modifiable without breaking the employeedomain\user1 account). Is that possible? 

The following articles were published last week. New Knowledge Base Articles: KB0022540 - Is there any effect when changing SMTP authentication from Legacy to Oauth2 with the Integration Client? KB0022553 - What operating system can BeyondTrust SRA Integration Client be installed on? KB0022568 - All new users getting all Asset or Jump Items by default in RS and PRA KB0023619 - Will local users stay in User Accounts after expiry? KB0023656 - Network Tunnel: The privileged remote access network tunnel endpoint service is not installed KB0023658 - Vault checkout error "System name is not configured for directory linked account checkout" KB0023662 - Console tab missing in /login KB0023671 - Can multiple connected screens be viewed simultaneously in separate, detachable windows?

I have a standalone Gateway (Jumpoint) and a Gateway cluster (jumpoint cluster).Wha can I configure my Jump Clients only to use a standalone gateway (jumpoint) and not the gateway cluster?

This might be a bit too big of a question for this forum. However, I am not sure where to start. We are still somewhat new to PRA. I am wanting to start using Docker containers for our jumpoints instead of putting them on Linux instances. First, where do I go to download the container image? I heard that there is a stock image that we would use and then just input the key to start the connection to our system. Second, can we put the container in a service like AWS container service or Azure container service? Third, and this will show my very beginner level of experience with containers, would we do the firewall rules for the containers the same way that we do them for the Linux servers that are jumpoints?I have a feeling there are other items that I am totally missing, but I figured this is a good start. If you know of documentation you can point me to I am more than happy to start reading and testing things out. 

Hi everybody, hope y’all having a great friday so far.Even though we know Windows 2003 are out of support, we still have a couple running precious services, and we’re on track to upgrading them.  There are accounts on our Password Safe that go through PRA ECM integration for injecting credentials. That works for 99% of the newer Windows machines except these. We realized that whenever we jump to these, the main issue is the “format” of the credentials are wrong (even it says in the login menu of the machine).Is there a workaround or any ideas that might worth a try? Thanks!     

Anyway of being able to mass delete users in PRA? E.g. if not authenticated in X amount of days?GUI doesn’t have check boxes to select multiple users to perform bulk tasks. There’s a 5+ sec gap when deleting individual users one buy one and whilst waiting for the user table to refresh, quite tedious!  No automated settings I’m aware of for internal users, whereas vendor users have this option -Will implementing SCIM (SAML only currently) address this or will it only disable users rather than delete?​​​​​​​

The following articles were published last week. New Knowledge Base Articles: KB0022444 - Can USERID and DATETIMESTAMP be used in the Integration Client recording file format name? KB0022475 - Jump Client prompts for application selection after upgrade despite configuration KB0022505 - Unable to OIDC authenticate in Access Console - Error 403 KB0022517 - Protocol Tunnel Jumps using Docker Jumpoints fail with the error "failed with exit code 126" KB0022520 - API error Unsupported_grant_type KB0023589 - Remote RDP sessions disconnecting when injecting the same Vault credential KB0023639 - Can the RS or PRA Jump Client be installed using a PKG file? KB0023646 - What is the difference between Remote Jump and Remote RDP Jump? KB0023649 - Can the primary Atlas hostname be changed in Cloud? KB0023654 - Does CVE-2026-20833 affect Remote Support or Privileged Remote Access

Hi, is there a way in PRA console to identify which Jumpitems are being used by user to stablish connection to end points? Just want to make sure all my 4 jumpitems are being used.

The following articles were published last week. New Knowledge Base Articles: KB0022485 - Is Session Recordings required at all times, or only in specific cases? KB0022489 - Should the same upgrade package be used if appliances are in failover for RS and PRA? KB0023575 - Is RS and PRA vulnerable to CVE-2026-31431 Copy Fail? KB0023595 - Intermittent "Endpoint Client has encountered a problem" error when starting or during a PRA session KB0023622 - This primary node's configuration is newer than one or more traffic nodes' configuration

The supported platform matrix for the PRA Integration Client only goes up to SQL Server 2022. Is their a roadmap/timeline for supporting for Azure SQL PaaS offering (@2025), or is there a configuration on it which can be made to make it supportable? ThanksChris

Good afternoon community,I would like to ask a question regarding the installation of BeyondTrust Access Console on macOS devices.Currently, the Access Console installer for macOS is only available for download in .dmg format. We contacted BeyondTrust directly, and they confirmed that there is currently no native .pkg version officially available.However, they also mentioned that some customers have successfully created their own conversions to .pkg format for corporate deployments, although BeyondTrust does not provide support for that process.I would like to know if anyone in the community has previously completed this process and could share any recommendations, experiences, or best practices for correctly generating the .pkg file and deploying it while avoiding corruption issues or installation failures.I look forward to your comments, and thank you very much in advance. 

Is it possitble to generate a Jump Client Installer, that can only be installed once, or that is restricted to specific endpoint? I think the answer is no, but a client really wants this.

We are interested in enabling this option: Force the closure of windows that were opened during the session. We expect that it will close any opened command prompts that are elevated from run as etc. But will it also close other applications that are open done by the user like word/outlook etc. The explanations found on internet and the bt documentation don't say much and would like to know more on this, or if anyone else has enabled it and can tell me what exactly is happening with all the apps that are open when the engineer jumps onto the machine does his bit and jumps off again. We also don't see an option to test it or assign it to a test group to experience the behaviour as it seems to be an all or nothing setting.  

The following articles were published last week. New Knowledge Base Articles: KB0022430 - Can SAML users be migrated to another provider in Remote Support or Privileged Remote Access? KB0022453 - What is the retention for RS and PRA Vault password history? KB0022455 - Is it possible to automatically add the user's name as a tag during Jump Client deployment? KB0022457 - Do RS or PRA Cloud sites use a static IP address? KB0022461 - How long are recordings saved for in RS and PRA? KB0022727 - Remote Support and Privileged Remote Access Atlas certificate requirements KB0023593 - Can NSS files be installed on Remote Support or Privileged Remote Access Cloud? KB0023601 - Create button missing in the Representative or Access Console KB0023602 - Jump Clients failing with error "Couldn't wrap message" KB0023605 - Endpoints for local accounts are shown incorrectly in Vault

The following articles were published last week. New Knowledge Base Articles: KB0021349 - Freshservice Remote Support or Privileged Remote Access integration receiving: Error validating parameter 'queue_id': No queue exists with the code name "general" KB0022393 - Is Local Jump supported for Linux Server OS? KB0022396 - What is the average input or output operations per second (IOPS) of the virtual SRA appliance under load? KB0023456 - Is MFA step-up supported for RS and PRA for credential injection during an active session? KB0023536 - PRA outbound email stops working after Microsoft OAuth secret expires KB0023538 - Can vendor users self-activate without approval in Privileged Remote Access? KB0023556 - Jumpoint or Gateway not working on Linux. BeyondTrust Jumpoint is not running KB0023577 - Jump Client screen blank when jumping to RHEL 9.1 and 9.7 machines with Wayland enabled

Hello!I am curious to know what type of filtering and packet inspection controls are typically recommended/used for on-prem PRA/RS appliances. As typical use cases (e.g. remote users, vendor access etc.) require the appliance to be external network facing , it is not feasible to restrict access to IP ranges. Based on KB articles SSL Offloading is not supported for client to appliance communication.Question: What typical network security controls are recommended apart from restricting the outbound from appliance, blocking known-bad source IPs, and segmentation.Anyone using Web App Firewalls , NGFWs or IDPS effectively ? Are there any resources available that can help identifying know benign traffic vs malicious traffic ?

We have enabled Log "Run As" Special Action Commands in the Session Reports, but is there a way to extract just this specific details to see on which devices this has been run? I've checked back and forth the reportings, exported many reports, but none seem to have this data..

The following articles were published last week. New Knowledge Base Articles: KB0022243 - Privileged Remote Access report types and how to create them KB0022284 - Linux Jumpoint installation error - Failed at step EXEC spawning /home/beyondtrust/jumpoint/init-script: Permission denied KB0022321 - What application parameters are available for the PRA BeyondTrust Desktop agent? KB0022322 - Can RS or PRA failover be configured so a specific appliance automatically reclaims the primary role once it comes back online? KB0022323 - Unable to remove users from a Jump Group KB0022345 - Where is the download license usage report? KB0022348 - Unable to override Jump Policy. Error - The Jump Policy's schedule does not permit a session to start at this time KB0022366 - How many concurrent sessions does a Jump Client Support? KB0022375 - Can session recordings be deleted? KB002