BeyondTrust as a VPN Replacement?

Hello,

Do any of you use BeyondTrust as a replacement for VPN remote access? We have about 1500-2000 users, and we’re looking to replace our current legacy VPN solution. Our setup includes around 300 servers and about 50 privileged accounts.

They mentioned that the licensing is per 25 resources. What does that actually mean? Can I cover my entire infrastructure with it?

Would any of you consider BeyondTrust Remote Access as a VPN replacement, instead of a ZTNA solution, for example?

It’s nothing like a VPN. It would allow you to connect remotely to on-prem devices and screen share, transfer files between them, but your representative PC wouldn’t have any connectivity to network resources.

The licensing we have is 25 jump clients (devices you can access remotely) per representative license, and the representative licenses are the ones you need for logging in.

What are you trying to achieve?
As @marcdk217 mentioned, it’s not a VPN replacement solution.

Remote Support is a secure solution for IT teams to support (remote control) end users.

Remote Access is for IT teams and external partners to access your internal resources (servers, routers, switches, admin web pages like vSphere or others) remotely and securely without any VPN.

Privileged Remote Access (PRA) is the sister product of Remote Support (RS). PRA now comes with a feature called Network Tunnel. It allows you to set up a tunnel connection to, let’s say, your office workstation and map all protocols and ports. Once connected, you can do the same stuff you would with a legacy VPN solution. Look it up…

Remote Support is meant for usage by IT people and vendors. It’s not meant as a replacement for VPN. If you wanted each person to only have access to a single device, you’d need to make a jump group and group policy for every.single.user. That’s fine for like 50 vendors. However, when we’re talking thousands of users… That’s a lot. And keep in mind that those people need to be able to jump into a destination device. With VPN, you connect to a service; with Remote Support, you log into remote desktop environments (computers, servers, etc.).

We have an on-prem virtual appliance, and it can handle up to 10k jump clients and is licensed for a certain number of simultaneous rep logins. To me, an on-prem virtual appliance is substantially more cost effective if you already have a virtual server infrastructure. From what I understand, the cost is for support of the virtual appliance plus how many simultaneous rep logins you have. When we looked at their web-hosted solution, it was more than what we pay - but again, we have the virtual infrastructure already. If you don’t, their AWS solution may be better for you.

However, Remote Support would be an absolute nightmare as a VPN solution. Especially considering it isn’t what it is made for.

What I’m trying to achieve is a comprehensive remote access solution for all of the company’s needs. Regular users will connect to the remote access solution and then to a remote application server via HTTPS (a terminal server solution). IT admins and privileged accounts will have access to specific RDP and SSH connections, and vendors will have access to their application servers. Can this product provide these capabilities in a secure and efficient manner, or should I consider other solutions?

This is exactly right. PRA offers both application-layer ZTNA and Network Tunnels for generalized network access, and is tailor-designed to be a replacement for all VPN use cases.

I believe you can cover that with two BeyondTrust products: Privileged Remote Access (PRA) for the servers, and Remote Support for the end users.

As u/peacefinder said - PRA can do this… You can have PRA Jump Items (Full Remote Jump, RDP, SSH, Remote Apps, VNC, etc. etc.) for server and network access… Then you could use Remote Support for endpoints (users). Probably be $$$ depending.

Couple of side-ball suggestions:

  1. Have you looked at using something like Azure Virtual Desktop and publishing required Applications? (might already have this in your 365 subs).

  2. If you just need to access your terminal solution via HTTPS - why not publish it via Azure App Proxy (authenticated, of course)?

Just to follow up on the below responses, PRA is indeed the BT product you would look to for exactly these needs and covers all of these use cases in the context of a VPN replacement.