Jumpoint: Set Up Unattended Access to a Network

Configuration > Jumpoint

Jumpoint Management

Edit Jumpoint

Bomgar's Jump Technology enables a representative to support both attended and unattended computers on a remote network without having to pre-install software on every machine. Simply install a single Jumpoint agent at any network location to gain unattended access to every PC within that network.

At the bottom of the Jumpoint page is the option to Enable network browsing. If checked, permitted representatives can view and select systems from the network directory tree. If unchecked, representatives can access a system through a Jumpoint only by entering the system's hostname or IP address. Either way, the representative must provide valid credentials to the remote system before gaining access.

At the top of the page, click Add New Jumpoint. Create a unique name to help identify this object. This name should help representatives locate this Jumpoint when they need to start a session with a computer on the same network. If you want representatives to be able to connect to SSH-enabled and Telnet-enabled network devices through this Jumpoint, check Enable Shell Jump Access. Authorize at least one representative to use this Jumpoint. After the Jumpoint has been created, you can also grant access to groups of representatives from Users & Security > Group Policies and to embassy groups from Users & Security > Embassy.

Once you click the Add Jumpoint button, your new Jumpoint should appear in the list of configured Jumpoints, along with a link to download the 32-bit or 64-bit Jumpoint installer. Click on a link to install the Jumpoint agent on a single system in the remote network you wish to access. This system will serve as the initiation point for Jump sessions with other computers on the remote network.

As such, it is important that the host system NOT be a system already in use as a server, such as a file server, email server, or print server. For security purposes, a Jumpoint must close any active network connections to the computer it needs to access before it can attempt a Jump to that machine. Therefore, if the host system is being used as a server, the Jumpoint may be unable to complete a Jump because some other software is actively using a critical network connection which the Jumpoint is unable to close, causing the Jump to fail.

Instead, Bomgar recommends deploying the Jumpoint agent to a virtual system as the ideal setup scenario. If a virtual system is unavailable, you can deploy the Jumpoint agent to its own dedicated server or even a normal client PC, provided that the host system has high availability.

On the host system, run the Jumpoint installation wizard to configure further settings and start the service. To change the configuration after installation, locate the Bomgar folder in the Windows All Programs menu, open the site subfolder, and run Bomgar Jumpoint Configuration.

Once the Jumpoint is active, any representative with privileges to access that Jumpoint can start a Bomgar session with any accessible device on that network, provided that the representative has valid credentials on the system he or she is attempting to access.

Proxy Settings

Jumpoint Proxy Server Configuration

For a Jumpoint to be deployed on a remote network that is behind a proxy, appropriate proxy information may be necessary for the Jumpoint to connect back to the Bomgar Appliance.

From the dropdown on the Proxy tab, select Basic or NTLM to configure proxy settings. Enter the Proxy Host, Proxy Port, Username and Password. The Jumpoint will supply this proxy information whenever Jumping to another system on the remote network, providing the credentials necessary to download and run the customer client on the target system.


Jumpzone Proxy Server

You can also set up this Jumpoint to function as a proxy itself by selecting Jump Zone Proxy Server from the dropdown on the Proxy tab. With Jump Zone Proxy Server selected, this Jumpoint can be used to proxy connections for clients on the network that do not have a native internet connection, such as POS systems. Using a Jumpoint as a proxy will route traffic only to the appliance. A Jumpoint can also be used to proxy Jump Client connections.

Note: In order for a Jumpoint to function as a Jump Zone Proxy Server, its host system cannot reside behind a proxy. The Jumpoint must be able to access the Internet without having to supply proxy information for its own connection.

Enter the hostname to use at the listening interface, and set which port to use.

IMPORTANT! Host and port fields should be set carefully since any Jump Client deployed using this Jumpoint as a proxy server will use the settings available to it at the time of deployment and will not be updated should the host or port change. If the host or port must be changed, the Jump Client would need to be redeployed.

Set whether to allow all IP addresses or to limit the IPs that can connect through this proxy. If allowing or denying access, enter one IP address or CIDR subnet range per line.

Note: It is a best practice to add a Windows Firewall exception for the port on which the proxy server listens, scoped to the process that accepts the connections.

Intel® vPro Settings

vPro Jumpoint Authentication

Using Intel® Active Management Technology, privileged representatives can support fully provisioned Intel® vPro Windows systems below the OS level, regardless of the status or power state of these remote systems. Configure this Jumpoint to enable vPro connection by going to the Intel® vPro tab and checking Enable Intel® vPro.

Under Authentication, designate how the Jumpoint should attempt to authenticate to vPro-provisioned computers. Regardless of the authentication method, the provided credentials must match the authentication settings in the AMT firmware on the vPro systems.

To require representatives to provide credentials each time they connect to a vPro computer, select Basic Digest Password and then Prompt Representative for credentials. Prompting for credentials is useful if the vPro systems on this network do not share a common username and password. However, since the vPro AMT firmware is entirely separate from any user accounts on the computer, administrators frequently provision all vPro systems to have the same credentials. Additionally, note that there is little security risk in storing credentials in the Jumpoint. To use vPro support, a representative must have not only the vPro user account privilege but also access to the vPro-enabled Jumpoint. Therefore, prompting for credentials may be an unnecessary measure.

If the same credentials are used for all vPro systems on the network, you can select Basic Digest Password and then Use the following credentials for all connections. With this configuration, representatives are never prompted for vPro credentials; the Jumpoint automatically supplies the stored username and password for all vPro connections.

If you select Kerberos, the Jumpoint supplies the credentials for the account that the Jumpoint service is running as. These credentials can be modified to be a specific account that has permissions to access the AMT system. This configuration assumes that the account hosting the Jumpoint uses the same credentials as all provisioned vPro systems to which you wish to connect. With this configuration, representatives are never prompted for vPro credentials.

vPro Jumpoint Encryption

On the Encryption tab, set how the Jumpoint encrypts vPro network traffic. If the remote vPro systems are provisioned not to use TLS encryption, simply select No Encryption. Otherwise, you must define the path to the Base64-encoded CER file which contains the certificates used during the provisioning of the remote vPro systems.


vPro Jumpoint Redirection

Under Disk Redirection, specify the folder location of any ISO or IMG disk images you would like to make available for mounting in a vPro session. Representatives can use these files for IDE-R, booting the remote vPro system to a disk image rather than the hard drive.


Shell Jump Settings

Shell Jump Policy

The Shell Jump tab determines how this Jumpoint can be used to connect to SSH-enabled and Telnet-enabled network devices.

Note: Shell Jump must also be enabled on the Configuration > Jumpoint page of the administrative interface. For a representative to use Shell Jump, he or she must be granted access to a Jumpoint with Shell Jump enabled and must have the user account permission Allowed to Use Shell Jump enabled.

On the Policy tab, if Open Access is selected, permitted representatives can Shell Jump to any remote device by entering its hostname or IP address or by selecting it from a list of provisioned devices.

If Limited Access is selected, representatives can Shell Jump to provisioned devices or can enter a device's hostname or IP address provided that it falls within the parameters set by the host list on the Limited tab.

If Provisioned Only is selected, representatives can Shell Jump only to provisioned devices.


Shell Jump Limited IP

If limited access is enabled on the Policy tab, the Limited list accepts IP addresses and CIDR subnet masks to which Shell Jump access will be limited.
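
The Jump Zone Proxy Server allow/deny list and the Shell Jump Limited list both take one IP address or CIDR range per line. The following Python pre-check for such a list is an added example, not Bomgar code; the sample entries are constructed, and rejecting a /0 entry or an entry with host bits set is this example's own policy, not documented product behaviour.

```python
import ipaddress

# Constructed sample list, one IP address or CIDR range per line.
SAMPLE_LIST = """\
10.20.30.0/24
192.168.5.17
10.20.31.9/24
0.0.0.0/0
pos-terminal-7
"""

def parse_entries(text):
    """Return (networks, problems) for a one-entry-per-line list."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects ranges with host bits set (10.20.31.9/24),
            # which usually means a typo or an unintended wider range.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append((lineno, entry, str(exc)))
            continue
        if net.prefixlen == 0:
            # Example policy (assumption): a "limit" list must not match everything.
            problems.append((lineno, entry, "matches every address"))
            continue
        networks.append(net)
    return networks, problems

def is_permitted(address, networks, mode="allow"):
    """mode='allow': only listed addresses pass; mode='deny': listed ones are blocked."""
    addr = ipaddress.ip_address(address)
    listed = any(addr.version == net.version and addr in net for net in networks)
    return listed if mode == "allow" else not listed

if __name__ == "__main__":
    nets, problems = parse_entries(SAMPLE_LIST)
    for lineno, entry, reason in problems:
        print(f"line {lineno}: {entry!r} rejected: {reason}")
    print("10.20.30.44 permitted:", is_permitted("10.20.30.44", nets))
```

Review the rejected lines before pasting the list into the Jumpoint configuration, so that the access it grants is the access you intended.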


Shell Jump Provisioned

Configure access to provisioned Shell Jump targets by going to the Provisioned tab and clicking Add.


Add Provisioned Shell Jump

Enter a Name that will help representatives to identify this device when starting a Shell Jump session with it. Enter the device's hostname or IP address. Choose the Protocol to use, either SSH or Telnet. Port automatically switches to the default port for the selected protocol but can be modified to fit your network settings. Select the Terminal Type, either xterm or VT100.

If you are using SSH, you can choose to use Public Key Authentication. If you choose to do so, select a Private Key to use. Private keys are configured from the Private Keys tab.

Representatives Shell Jumping to this provisioned device may connect only with the Username you provide.

You can also select to Send null packets to keep idle sessions from ending. Enter the number of seconds to wait between each packet send.


Shell Jump Private Keys

If you are going to be using SSH, you can upload a key file to use by going to the Private Keys tab and clicking Add. Give this key a Name and browse to the key file you wish to use. Keys must be in PuTTY format (PPK). PuTTYgen can be used to generate a PPK file if needed. If a Password is required, you can store the key file password for all representatives to use, or you can require representatives to enter the key file password each time they connect to a provisioned device using this key.


Shell Jump Host Keys

You can add SSH Host Keys prior to a representative's Jumping to that host. If no host key is cached, the representative will receive a message alerting him or her that the server's host key is not cached and that there is no guarantee that the server is the computer he or she thinks it is. Caching a server's host key prior to connection can help prevent confusion.


Add Shell Jump Host Keys

Enter the hostname or IP address. Enter the Port the device uses. The server will then return its host key, which you should verify. Clicking Update will poll the device for its host key and will let you know if it has changed.
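
One way to carry out the verification step above is to compare the returned host key against a fingerprint computed from a public key obtained out of band, for example from the device's console. This Python code is an added example, not part of the Bomgar product; the key is constructed, and which fingerprint format the interface displays is an assumption, so both the SHA256 form and the older MD5 form are computed.

```python
import base64
import hashlib
import struct

def build_sample_key_line(first_byte=0):
    """Constructed ed25519 public-key line for the demo (not a real device key)."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    key = bytes((first_byte + i) % 256 for i in range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"

def parse_public_key(line):
    """Return (key_type, blob) from '<type> <base64> [comment]', checking consistency."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own algorithm name; it must agree with the text field.
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob

def fingerprints(line):
    """Fingerprints of the raw key blob in the two common display formats."""
    _, blob = parse_public_key(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": "SHA256:" + sha,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def matches(trusted_line, displayed_fingerprint):
    """True if the displayed fingerprint equals either format of the trusted key."""
    shown = displayed_fingerprint.strip()
    fps = fingerprints(trusted_line)
    return shown == fps["sha256"] or shown.lower() == fps["md5"]

if __name__ == "__main__":
    trusted = build_sample_key_line()
    print(fingerprints(trusted))
    print("match:", matches(trusted, fingerprints(trusted)["sha256"]))
```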


TTL Settings

Jumpoint Time to Live

A date and time can be set to specify when the Jumpoint should become active and when it should automatically uninstall. Setting these delimiters determines the duration of time for which representatives can access the remote network through this Jumpoint.

Note: Jumpoint is only available for Windows systems. Jump Clients are needed for remote access to Mac or Linux computers. To Jump to a Windows computer without a Jump Client, that computer must have Remote Registry Service enabled (disabled by default in Vista) and must be on a domain. If you need to access remote computers via Jumpoint when no user is available, make sure your account permissions are set either to disable prompting or to default to Allow. You cannot Jump to a mobile device, though Jump Technology is available from mobile representative consoles.