Multi-Site. Distributed Deployments.
One Access Gate per site, connected over secure inter-site tunnels. Enclaves extend between facilities, giving unified policy, visibility, and compliance across your entire infrastructure.
Architecture Overview.
The multi-site architecture deploys an Access Gate at each facility. Sites are connected via WAN or site-to-site tunnels. Secure tunnels between Access Gates allow enclaves to span site boundaries, enabling resource access and policy enforcement across facilities without a central cloud controller.
One Access Gate Per Site
Each site, Site A, Site B, runs its own Access Gate. Local traffic enforced locally, no latency introduced by cross-site routing.
Inter-Site Tunnels
Secure tunnels established between Access Gates over WAN or VPN. Enclaves extend between sites seamlessly.
No Cloud Dependency
All policy, data, and management stays on-premise. Sites operate independently, and connect when needed.
Distributed Bastion
Access Gate acts as local bastion, cloaking and protecting local devices, in case of multi-site connectivity.
Multi-Site Base Topology.
The base topology shows two sites (Site A and Site B) connected over WAN. Each site has its own router, WAN link and Gateway. The Access Gate at each site connects locally and establishes a secure tunnel to the peer site.
Site-Local Deployment
Each site deploys one Access Gate, in-line to carry local VLANs or adjacent to the local Gateway. It also hosts site-local services (DNS and time, historian, update server) alongside cross-site enclaves. Site A and Site B operate independently.
WAN Link Between Sites
Sites connected via WAN. Access Gates establish secure tunnels over this link, between Access Gates.
Enclave Spanning
Enclaves defined on Site A automatically extend to Site B through the inter-site tunnel. Assets on both sites can join the same enclave.
Deployment Flexibility
Site A may use an Edge Gateway connection while Site B uses an OT Gateway connection. Each site configures independently based on local topology.
Enclave Connection.
The enclave connection diagram shows how a resource on Site A can be accessed from Site B over the inter-site tunnel. The Access Gates negotiate and establish the cross-site session, authentication and enforcement applied at both ends.
Cross-Site Enclave Access
A user or asset on Site B can reach an protected resource on Site A. The inter-site enclave carries the overlay traffic between Access Gates.
Secure Tunnel Negotiation
Access Gates negotiate a secure tunnel between sites. Deployment mode, Edge or OT Gateway, determined per site configuration.
Enclaves Extend Between Sites
Enclaves are not site-bound. A CUI enclave or OT protection zone defined on one site can include assets from remote sites.
Unified Policy
Access policy follows the enclave, not the physical site. The same authentication and permission rules apply regardless of which site the asset is on.
Download the Multi-Site Architecture.
Get both diagrams, base topology and enclave connection, as a downloadable architecture pack for your team.
One Firewall Architecture
Start with a single-site deployment. The one-firewall architecture is the simplest entry point, deploy inline, add zero-trust enforcement, expand later.
Double Firewall Architecture
Need separate IT and OT enforcement before scaling to multi-site? The double-firewall architecture covers both domains from a single appliance.
Multi-Site Architecture.
Multi-Site Architecture — Video Walkthrough
See how Access Gates create encrypted overlay networks across distributed sites — substations, factories, and remote facilities — with centralized policy management.
Request a DemoCommon Questions About the Multi-Site Architecture.
sites supported. Each additional site adds one Access Gate, no central controller required.
No. Each site operates independently with its own Access Gate. If the WAN link between sites goes down, local enforcement continues uninterrupted. Inter-site enclave access is unavailable during the outage but resumes automatically when the link recovers.
The multi-site architecture scales to multiple sites. Each site adds one Access Gate. Enclaves can span any combination of connected sites, there is no central hub or cloud controller required.
Inter-site tunnels operate over standard IP connectivity, MPLS, internet VPN, or dedicated WAN links. The Access Gate establishes encrypted tunnels regardless of the underlying WAN technology.
Yes. Each site configures its Access Gate independently. Site A might connect via Core Bus while Site B connects via OT Bus. The inter-site tunnel handles the difference transparently.