SMB (Server Message Block) is the protocol behind Windows file shares, network drives, and the folders where documents, engineering files, and PLC programs live. It runs over TCP port 445 (legacy 139) and is everywhere in IT — and increasingly bridged into OT for recipe, program, and report transfer. It's also one of the most common paths for ransomware to spread and for data to leave a site, which makes controlling who can reach a share a high-value security control.
Access Gate brokers SMB so only the right people and systems reach a share — and, with an access screen, only after they authenticate.
Protecting SMB with Access Gate
1. Create the asset, service, and enclave
Add the file server as an asset, define its SMB service, and place it in an enclave with an allow rule granting access. See Protecting an asset with enclaves and Access Control Lists.

2. Connect to the share over the overlay IP
Point the client at the share using the Access Gate overlay IP rather than the file server's raw address. The session is brokered through the gate.

The connection is established and packets flow through the gate.

Adding Identity
So far access is granted by network policy. Add an access screen to require the user to authenticate before the share is reachable — turning reachability into an identity-verified grant.
1. Protect the SMB enclave with an access screen
Enable an access screen on the enclave. See Authenticate users with access screens.

2. The user authenticates
The user must now authenticate through the access screen before access is granted. Until they do, the share stays unreachable.

Notes & Gotchas
- Keep server-side permissions as a second layer. The gate decides who reaches the share; the file server still decides what they can do once there. Use both.
- SMB version. Confirm the brokered path against the SMB dialect your servers require, and keep SMBv1 disabled.
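
A client-side check for step 2 ("Connect to the share over the overlay IP") and for the SMB version note, run in PowerShell on the Windows client. This is an added example, not part of the Access Gate documentation; the overlay IP `192.0.2.10` and the share name `Engineering` are placeholders, and the function name `Test-BrokeredShare` is hypothetical.

```powershell
# Placeholders, not values from the page: substitute your own.
$OverlayIp = '192.0.2.10'    # overlay IP Access Gate presents for the file server
$ShareName = 'Engineering'   # share exported by that server

function Test-BrokeredShare {
    param(
        [Parameter(Mandatory)] [string] $Ip,
        [Parameter(Mandatory)] [string] $Share
    )
    $path   = "\\$Ip\$Share"
    $result = [ordered]@{ Path = $path; Reachable = $false; Dialect = $null; Verdict = $null }

    # Step 1: TCP 445 on the overlay address. A failure means the share is not
    # reachable through the gate: check the enclave allow rule and, if an
    # access screen is enabled, whether the user has authenticated.
    $probe = Test-NetConnection -ComputerName $Ip -Port 445 -WarningAction SilentlyContinue
    $result.Reachable = [bool]$probe.TcpTestSucceeded
    if (-not $result.Reachable) {
        $result.Verdict = 'Port 445 not reachable via the overlay IP'
        return [pscustomobject]$result
    }

    # Step 2: open a session (no drive letter) and read the negotiated dialect.
    New-SmbMapping -RemotePath $path -ErrorAction Stop | Out-Null
    try {
        $conn = Get-SmbConnection -ServerName $Ip -ErrorAction Stop |
            Where-Object ShareName -eq $Share | Select-Object -First 1
        if (-not $conn) {
            $result.Verdict = 'Mapped, but no SMB session listed for this share'
        } elseif ([version]$conn.Dialect -lt [version]'2.0') {
            # Anything below 2.0 means the session fell back to SMBv1.
            $result.Dialect = $conn.Dialect
            $result.Verdict = 'FAIL: SMBv1 negotiated'
        } else {
            $result.Dialect = $conn.Dialect
            $result.Verdict = 'OK: SMB 2.x/3.x negotiated through the gate'
        }
    }
    finally {
        Remove-SmbMapping -RemotePath $path -Force -ErrorAction SilentlyContinue
    }
    return [pscustomobject]$result
}

Test-BrokeredShare -Ip $OverlayIp -Share $ShareName | Format-List
# On the file server (elevated), confirm SMBv1 is off:
# Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
```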