Base Architecture with One Gateway.
Deploy the Access Gate connected to your Edge Gateway, alongside your existing router-firewall-switch stack. Adds Zero-Trust enforcement without touching the existing perimeter.
Architecture Overview.
The one-layer architecture is the simplest entry point for Access Gate deployment. Deployed in-line, the Access Gate can carry your VLANs and trunks and act as the machines' gateway, for the fullest coverage, and it works even on sites without managed switches. If you prefer minimal impact, it can instead connect to the Edge Gateway and create a secure overlay across all subnets while the existing router, firewall, and switch stay in place. Because the Access Gate is a VNF running on x86 you already own, the same host also runs the secure services that pull OT in: remote access, protocol gateways, DNS and time, historian, and update server.
Existing Stack Preserved
Router, Firewall, and Switch remain in place. No re-cabling or IP changes.
Inline on Core Bus
Recommended for the fullest coverage: the Access Gate carries your VLANs and trunks, and machines use it as their gateway. Works even without managed switches.
IT & OT Domains
Covers both IT and OT subnets in a single deployment. Subnets A and B protected.
Overlay Security
Bidirectional NAT and routing create a virtual security layer. No agents on endpoints.
Base Topology.
The base topology shows the Access Gate connected to the Edge Gateway. As the low-impact option, key traffic, both north-south and east-west, can be routed through the overlay for a "security loop", with no VLAN changes. For fuller coverage, deploy the Access Gate in-line so it carries the VLANs and trunks directly and acts as the gateway.
Connection to Edge Gateway
Access Gate connects to the Edge Gateway with Ethernet cable.
Secure Traffic Loop
The low-impact option: traffic destined for sensitive assets is looped through the Access Gate for inspection and enforcement, with no VLAN changes.
Route Creation
For the low-impact deployment, routes are added at the Edge Gateway to direct critical traffic through the Access Gate. No VLAN changes required.
VPN Flows (North-South).
North-south flows cover inbound VPN traffic destined for IT or OT assets. The Access Gate intercepts these sessions, applies authentication and permission policies, and logs actions.
VPN to IT (North-South)
VPN client connects to Access Gate and Access Gate build a second connection with local IT. Access Gate acts as a bastion with double NAT and session logging.
VPN to OT (North-South)
Remote OT access follows the same enforcement path, authentication enforced before reaching any OT subnet - with a bastion architecture.
Authentication & Permissions
MFA can be enforced as an authentication mechanism. Access policy are scoped to specific resources, protocol and action. Full audit trail maintained.
Protocol Analysis
Access Gate performs protocol-level inspection and breaks the session for analysis before forwarding.
East-West Flows.
East-west flows control lateral movement between assets within the LAN. It allows to apply a Zero-Trust architecture inside the local network. Can be deployed for Critical Assets only.
IT-OT (East-West)
IT to OT traffic routed through Access Gate. Protocol break enforced, no direct L2 path between domains.
OT-OT (East-West)
Lateral traffic between OT assets controlled via overlay. Each asset-to-asset session is authenticated and logged.
Double NAT & Session Logging
Access Gate applies double NAT at both ends of each connection, creating a full session-level audit trail.
Protocol Break
Sessions are broken and re-established through the Access Gate, enabling DPI, logging, and enforcement at the application layer.
Download the One Firewall Architecture.
Get all five diagrams, base topology, VPN flows, and east-west flows, as a single downloadable architecture pack.
Double Firewall Architecture
Need coverage for both IT and OT with separate enforcement zones? The double firewall architecture adds a second layer of protection for critical OT environments.
Multi-Site Architecture
Deploying across multiple facilities? The multi-site architecture shows how enclaves extend between sites over secure tunnels.
One Gateway Architecture.
One Gateway Architecture — Video Walkthrough
See how a single Access Gate deploys on your network to enforce Zero-Trust across IT and OT — without changing your existing infrastructure.
Request a DemoCommon Questions About the One Gateway Architecture.
Access Gate required. The One Gateway architecture deploys a single appliance connected to your Edge Gateway.
No. You can keep your current router, firewall, and switching infrastructure. As the low-impact option, a single additional route forms the secure loop, directing only selected traffic through Access Gate for identity-based control and inspection without altering existing policies. For fuller coverage, the Access Gate can instead be deployed in-line to carry your VLANs and trunks and act as the gateway.
The secure loop is a single routed path created at the Edge Gateways to direct selected traffic through the Access Gate for authentication, verification, and logging before it reaches its destination. It acts as a controlled checkpoint rather than a network redesign.
Yes. The one-firewall architecture covers both IT and OT subnets simultaneously from a single Access Gate deployment. You can start with OT-only enforcement and extend to IT incrementally.
Traffic not explicitly routed through the Access Gate continues on its existing path, unmodified. You control exactly which flows are enforced, you can migrate incrementally without disrupting production.