
Hello,

We have put Cloudflare (DNS Proxy) in front of our domain for PRA.

This works fine 99% of the time, however, occasionally, users experience minor “blips” where the desktop console will close/re-open (remaining logged in).

After talking with our SE and support a lot on the issue, they can't tell me whether they have other customers using Cloudflare with DNS proxy successfully.

They state that reverse proxies are unsupported (which I understand, it's in the docs), however, unsupported != shouldn't work.

Just trying to understand whether the issue is the same across other orgs.

Hello RP-Nat, when our Support Team say ‘unsupported’ it typically means one of two things. Either a) we know it causes issues and thus, not recommended to use a feature with our SRA Products, or b) it was never put through our QA process and thus we cannot guarantee said features will work. That being said, there is nothing stopping any of our customers changing or editing the configuration of any external network features to allow them to work with our SRA products - but if they cause issues or continue to be an issue, then our Support Team will not be able to assist with that set up and would typically recommend either a whitelist or bypass for our SRA traffic through the network system.

We have a Knowledge Base page which outlines the network features we know do not work, in KB0016891. For example, DPI (Deep packet inspection) is known to cause issues with our traffic and as such, we typically recommend not using any network systems with DPI enabled with the SRA traffic.


Thanks Phill, understood.

AFAIK, which you may be able to correct me on, there is no way to have the jump clients use a specific domain (whitelisted from Cloudflare) and the public facing portal/login page use a different domain?

We have two main use cases:

  1. Internal users accessing jump items (we don't have a VPN), they access via SSO
  2. Third parties/contractors accessing jump items through the Third Party/Vendor in-built login feature

Therefore, we have to have the PRA login page public, in which case, I would rather we have WAF protection in front of it.


Hello RP-Nat, you absolutely can have different domains for different SRA Features, Jump Clients and Public Portals included. You just need to ask Support to build you a Software package which has the two (or more) DNS hostnames added to it. You will need to ensure you have an SSL Certificate which covers the new domain, however.

I am curious as to what use case or concern the WAF is going to be covering here. The SRA appliance is designed to be a hardened system and secured. Our default/recommended deployment mode is for it to sit in a DMZ with a network, outlined here: https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/dmz/dmz-deployment.htm, however an external deployment (external to the network firewalls) is also a very viable option as well.


Thanks Phill, good to know.

Cloudflare is used for a couple of things in this instance, WAF and DDoS protection.

From a WAF point of view, I appreciate it's a hardened system, however, that doesn't rule out an attack. Having a WAF in place would give us two things: protection from known signatures/attacks and also the ability to quickly deploy new signatures if, for example, BeyondTrust release a security issue/zero-day etc. Yes, it's unlikely, but as an MSP using PRA to access all our clients, it's pretty much our “crown-jewels”.

 

