TroutTrout

Base Architecture with One Gateway.

Deploy the Access Gate connected to your Edge Gateway, alongside your existing router-firewall-switch stack. Adds Zero-Trust enforcement without touching the existing perimeter.

Overview

Architecture Overview.

The one-layer architecture is the simplest entry point for Access Gate deployment. Deployed in-line, the Access Gate can carry your VLANs and trunks and act as the machines' gateway, for the fullest coverage, and it works even on sites without managed switches. If you prefer minimal impact, it can instead connect to the Edge Gateway and create a secure overlay across all subnets while the existing router, firewall, and switch stay in place. Because the Access Gate is a VNF running on x86 you already own, the same host also runs the secure services that pull OT in: remote access, protocol gateways, DNS and time, historian, and update server.

Existing Stack Preserved

Router, Firewall, and Switch remain in place. No re-cabling or IP changes.

Inline on Core Bus

Recommended for the fullest coverage: the Access Gate carries your VLANs and trunks, and machines use it as their gateway. Works even without managed switches.

IT & OT Domains

Covers both IT and OT subnets in a single deployment. Subnets A and B protected.

Overlay Security

Bidirectional NAT and routing create a virtual security layer. No agents on endpoints.

Base Topology Diagram

Base Topology.

The base topology shows the Access Gate connected to the Edge Gateway. As the low-impact option, key traffic, both north-south and east-west, can be routed through the overlay for a "security loop", with no VLAN changes. For fuller coverage, deploy the Access Gate in-line so it carries the VLANs and trunks directly and acts as the gateway.

Connection to Edge Gateway

Access Gate connects to the Edge Gateway with Ethernet cable.

Secure Traffic Loop

The low-impact option: traffic destined for sensitive assets is looped through the Access Gate for inspection and enforcement, with no VLAN changes.

Route Creation

For the low-impact deployment, routes are added at the Edge Gateway to direct critical traffic through the Access Gate. No VLAN changes required.

TAG Architecture: simple overlay security — base topology
VPN Diagrams

VPN Flows (North-South).

North-south flows cover inbound VPN traffic destined for IT or OT assets. The Access Gate intercepts these sessions, applies authentication and permission policies, and logs actions.

VPN to IT (North-South)

VPN client connects to Access Gate and Access Gate build a second connection with local IT. Access Gate acts as a bastion with double NAT and session logging.

VPN to OT (North-South)

Remote OT access follows the same enforcement path, authentication enforced before reaching any OT subnet - with a bastion architecture.

Authentication & Permissions

MFA can be enforced as an authentication mechanism. Access policy are scoped to specific resources, protocol and action. Full audit trail maintained.

Protocol Analysis

Access Gate performs protocol-level inspection and breaks the session for analysis before forwarding.

Flow VPN-IT (North-South)
Flow VPN-OT (North-South)
Lateral Traffic Diagrams

East-West Flows.

East-west flows control lateral movement between assets within the LAN. It allows to apply a Zero-Trust architecture inside the local network. Can be deployed for Critical Assets only.

IT-OT (East-West)

IT to OT traffic routed through Access Gate. Protocol break enforced, no direct L2 path between domains.

OT-OT (East-West)

Lateral traffic between OT assets controlled via overlay. Each asset-to-asset session is authenticated and logged.

Double NAT & Session Logging

Access Gate applies double NAT at both ends of each connection, creating a full session-level audit trail.

Protocol Break

Sessions are broken and re-established through the Access Gate, enabling DPI, logging, and enforcement at the application layer.

Flow IT-OT (East-West)
Flow OT-OT (East-West)
Architecture Pack

Download the One Firewall Architecture.

Get all five diagrams, base topology, VPN flows, and east-west flows, as a single downloadable architecture pack.

Done

Double Firewall Architecture

Need coverage for both IT and OT with separate enforcement zones? The double firewall architecture adds a second layer of protection for critical OT environments.

View Architecture

Multi-Site Architecture

Deploying across multiple facilities? The multi-site architecture shows how enclaves extend between sites over secure tunnels.

View Architecture
Watch the Walkthrough

One Gateway Architecture.

One Gateway Architecture — Video Walkthrough

See how a single Access Gate deploys on your network to enforce Zero-Trust across IT and OT — without changing your existing infrastructure.

Request a Demo
FAQ

Common Questions About the One Gateway Architecture.

1

Access Gate required. The One Gateway architecture deploys a single appliance connected to your Edge Gateway.

No. You can keep your current router, firewall, and switching infrastructure. As the low-impact option, a single additional route forms the secure loop, directing only selected traffic through Access Gate for identity-based control and inspection without altering existing policies. For fuller coverage, the Access Gate can instead be deployed in-line to carry your VLANs and trunks and act as the gateway.

The secure loop is a single routed path created at the Edge Gateways to direct selected traffic through the Access Gate for authentication, verification, and logging before it reaches its destination. It acts as a controlled checkpoint rather than a network redesign.

Yes. The one-firewall architecture covers both IT and OT subnets simultaneously from a single Access Gate deployment. You can start with OT-only enforcement and extend to IT incrementally.

Traffic not explicitly routed through the Access Gate continues on its existing path, unmodified. You control exactly which flows are enforced, you can migrate incrementally without disrupting production.