Trout

Multi-Site. Distributed Deployments.

One Access Gate per site, connected over secure inter-site tunnels. Enclaves extend between facilities — giving unified policy, visibility, and compliance across your entire infrastructure.

Overview

Architecture Overview.

The multi-site architecture deploys an Access Gate at each facility. Sites are connected via WAN or site-to-site tunnels. Secure tunnels between Access Gates allow enclaves to span site boundaries, enabling resource access and policy enforcement across facilities without a central cloud controller.

One Access Gate Per Site

Each site (Site A, Site B) runs its own Access Gate. Local traffic is enforced locally, so cross-site routing introduces no latency.

Inter-Site Tunnels

Secure tunnels are established between Access Gates over WAN or VPN. Enclaves extend between sites seamlessly.

No Cloud Dependency

All policy, data, and management stays on-premise. Sites operate independently — and connect when needed.

Distributed Bastion

The Access Gate acts as a local bastion, cloaking and protecting local devices when sites are interconnected.

Base Topology Diagram

Multi-Site Base Topology.

The base topology shows two sites (Site A and Site B) connected over WAN. Each site has its own router, WAN link and Gateway. The Access Gate at each site connects locally and establishes a secure tunnel to the peer site.

Site-Local Deployment

Each site deploys one Access Gate connected to the local Gateway. Site A and Site B operate independently.

WAN Link Between Sites

Sites are connected via WAN. The Access Gates establish secure tunnels to each other over this link.

Enclave Spanning

Enclaves defined on Site A automatically extend to Site B through the inter-site tunnel. Assets on both sites can join the same enclave.

Deployment Flexibility

Site A may use an Edge Gateway connection while Site B uses an OT Gateway connection. Each site configures independently based on local topology.

TAG Architecture: multi-site base topology

Diagram Shared Enclaves

Enclave Connection.

The enclave connection diagram shows how a resource on Site A can be accessed from Site B over the inter-site tunnel. The Access Gates negotiate and establish the cross-site session — authentication and enforcement applied at both ends.

Cross-Site Enclave Access

A user or asset on Site B can reach a protected resource on Site A. The inter-site enclave carries the overlay traffic between Access Gates.

Secure Tunnel Negotiation

Access Gates negotiate a secure tunnel between sites. The deployment mode (Edge or OT Gateway) is determined by each site's configuration.

Enclaves Extend Between Sites

Enclaves are not site-bound. A CUI enclave or OT protection zone defined on one site can include assets from remote sites.

Unified Policy

Access policy follows the enclave — not the physical site. The same authentication and permission rules apply regardless of which site the asset is on.

Example enclave connection multi-site

One Firewall Architecture

Start with a single-site deployment. The one-firewall architecture is the simplest entry point — deploy inline, add zero-trust enforcement, expand later.


Double Firewall Architecture

Need separate IT and OT enforcement before scaling to multi-site? The double-firewall architecture covers both domains from a single appliance.

FAQ

Common Questions About the Multi-Site Architecture.

2+ sites supported. Each additional site adds one Access Gate; no central controller required.

No. Each site operates independently with its own Access Gate. If the WAN link between sites goes down, local enforcement continues uninterrupted. Inter-site enclave access is unavailable during the outage but resumes automatically when the link recovers.

The multi-site architecture scales to multiple sites. Each site adds one Access Gate. Enclaves can span any combination of connected sites — there is no central hub or cloud controller required.

Inter-site tunnels operate over standard IP connectivity — MPLS, internet VPN, or dedicated WAN links. The Access Gate establishes encrypted tunnels regardless of the underlying WAN technology.

Yes. Each site configures its Access Gate independently. Site A might connect via Core Bus while Site B connects via OT Bus. The inter-site tunnel handles the difference transparently.