BeyondTrust Remote Support Alternatives for MSPs in 2026
BeyondTrust Remote Support (formerly Bomgar) works for enterprise Windows fleets. Here's where it fails MSPs managing NVRs, switches, and PBX systems — and what covers the gap.
BeyondTrust Remote Support — known as Bomgar before the 2018 acquisition — occupies the high end of the remote access market. It is the tool large enterprise IT departments and government agencies deploy when they need privileged access management alongside remote support: full audit trails, role-based access, session recording, and a relay that can run on-premises. For regulated enterprise environments managing hundreds of corporate Windows endpoints, it is a complete solution.
For MSPs managing mixed client environments, the same architecture that makes BeyondTrust rigorous also creates friction that cheaper tools and different approaches avoid entirely.
What BeyondTrust Remote Support Does Well
BeyondTrust's strength is enterprise privileged access management. Jump Clients — their unattended access agents — support Windows, macOS, and Linux. Session recording is built in. The audit log captures technician identity, session duration, files transferred, and commands run. Role-based access controls allow different technicians to access different subsets of devices. For large enterprise IT departments where every managed machine can run an agent, the platform is thorough.
The appliance-based deployment option answers the third-party routing question: the relay runs inside the corporate network, and session traffic never leaves. This is the answer TeamViewer and AnyDesk cannot give.
Where It Breaks for MSPs
Agent-only architecture. Every device in a BeyondTrust deployment runs a Jump Client or goes through an intermediary Jump Box. This works for managed Windows and Mac endpoints. It does not work for:
- NVR camera systems (Hikvision, Dahua, Uniview) — embedded firmware, no agent installation path
- PBX telephone systems (Yeastar, Grandstream, Matrix Comsec, Avaya IP Office) — proprietary OS, installing third-party software voids support contracts
- Managed switches and routers (Cisco, Ubiquiti, MikroTik) — network equipment with no general-purpose software layer
- Industrial HMI terminals and IP access control panels — real-time operating systems, no agent support
For MSPs managing hotels, clinics, retail branches, or any site with mixed infrastructure, those unmanaged devices represent a significant portion of remote support calls. A hotel PBX that loses trunk lines or an NVR that needs a firmware update is not reachable through BeyondTrust. Those tickets require either a site visit or a separate parallel solution with its own licensing and complexity.
Enterprise pricing. BeyondTrust does not publish list prices. Sales-negotiated contracts typically start in the thousands of dollars per year for small team setups. The platform is priced for IT departments with IT department budgets — not for MSPs building a cost-effective service delivery model across dozens of SMB clients. The price differential compared to alternatives is difficult to justify below enterprise scale.
Deployment and maintenance overhead. BeyondTrust requires either a cloud-hosted tenant or an on-premises appliance. Either way, managing Jump Client deployments across 30 client sites with varied Windows versions, GPO policies, and endpoint configurations adds ongoing overhead. Appliance maintenance, certificate renewals, and keeping Jump Clients current across client machines are real costs that compound with site count.
The Router Tunnel Alternative
The agent-per-device model and the router-level tunnel model solve the same problem from opposite ends.
BeyondTrust installs a Jump Client on each device you want to reach. A WireGuard tunnel on the client router covers every device on the LAN through a single outbound connection that the router maintains permanently. From the relay, every IP on that LAN is reachable — including NVRs, PBX systems, switches, and anything else with an IP address, whether or not it runs any software.
CGNAT, dynamic IPs, and ISPs without static IP offerings are irrelevant: the tunnel initiates outbound from the router, so the relay can always reach back through it. Starlink sites, LTE-only locations, and client sites on residential ISPs all work the same way.
For multi-VLAN client sites — a hotel with a main LAN, a PBX VLAN, and a camera VLAN — one tunnel on the gateway router covers all three subnets. Declare each subnet when creating the tunnel in ProxyLink and all of them become reachable through the single WireGuard peer. No per-device registration, no Jump Client deployment, no version management across client machines.
What ProxyLink Covers
ProxyLink wraps the WireGuard tunnel in a browser-based access layer. Each device at each client site gets a URL in the dashboard:
- Browser RDP — full Windows Remote Desktop in a browser tab via Apache Guacamole. No mstsc.exe, no VPN client, no local software on the engineer's machine. Works from any locked-down corporate laptop.
- Browser SSH — terminal access for Linux servers, MikroTik, Cisco IOS (including enable mode), and any SSH-capable device.
- HTTP/HTTPS proxy links — NVR web UI, PBX admin panel, switch management interface, Synology DSM — any web-based interface on any port, accessible in a browser tab without port forwarding or static IPs.
- TCP/UDP links — raw protocol forwarding for RTSP video streams, SIP/VoIP, and proprietary non-HTTP protocols.
Session recording and an immutable audit log are included on paid plans. The log captures engineer identity, target device, timestamp, and session duration per connection. For NIS2-covered MSPs in the EU, this is the per-session evidence that Article 21 requires for privileged access to client network infrastructure.
Pricing Comparison
| Platform | Pricing | Reaches network devices | Traffic routing |
|---|---|---|---|
| BeyondTrust Remote Support | $5,000–20,000+/yr (negotiated) | Via Jump Box only | Cloud or on-prem appliance |
| TeamViewer | €200–500+/mo | No | TeamViewer servers (breached 2024) |
| Splashtop | €50–200/mo | No | Splashtop servers (US) |
| ProxyLink | €69/mo — 300 tunnels, 1,000 links | Yes, natively | Hetzner Germany |
Security Comparison
BeyondTrust's on-premises appliance option is its strongest security story: traffic stays inside the corporate network, no third-party relay sees session content. For government and high-security environments where that model is feasible, it is the right answer.
For MSPs, the appliance model adds per-client infrastructure overhead that most SMB clients cannot justify. The cloud-hosted BeyondTrust option routes sessions through BeyondTrust's infrastructure — a third-party relay model similar to TeamViewer's, with the associated trust assumptions.
ProxyLink routes traffic through a dedicated Hetzner server in Germany. WireGuard peer isolation is enforced at the kernel level — one client site's tunnel cannot reach another's regardless of configuration. Two-factor authentication is mandatory for all sessions. For EU MSPs, session traffic stays within German infrastructure throughout, satisfying the NIS2 supply chain question without per-client appliance deployment.
When BeyondTrust Makes Sense
BeyondTrust Remote Support is the right choice when the client has a large, homogeneous Windows endpoint fleet, a security requirement for on-premises relay, and an enterprise budget. Government agencies, financial institutions, and healthcare organizations with dedicated IT departments are its natural market. If session approval workflows, privileged password vaulting, and deep compliance reporting are requirements — and the budget exists — the platform covers that ground thoroughly.
If your client base includes hotels, restaurants, clinics, retail branches, or any environment where devices include cameras, IP phones, network switches, and systems that cannot run an agent — the agent-per-device model has a ceiling. A router tunnel covers the full device fleet at a fraction of the cost, with no Jump Client deployment to manage across client machines.
Try ProxyLink free at app.proxylink.dev — no card required, 14-day trial on all paid features. One tunnel per client router, every device on the LAN reachable from a browser. Setup guides for MikroTik, pfSense, OPNsense, and OpenWRT are in the docs.