Trout

Configure SSH Remote Access

Broker SSH access through Access Gate: a browser-based proxy session with server-side credentials, so the operator never holds the device's key or password.

3 min read · Last updated 2026-06-23

SSH is the protocol for secure remote shell and file transfer. It runs on a wide range of equipment, from servers and network gear to the gateways and embedded controllers common in OT (a MOXA gateway in this example), and is often secured with a single shared credential that is hard to rotate. With Remote Access, Access Gate brokers each SSH session through a browser-based proxy: the device's credentials live on the Access Gate and are injected at login, so the operator never holds the key or password.

What You Get

  • A proxy session, not a network path. The endpoint never gets a direct route to the target. The operator's machine talks only to the proxy; the proxy talks to the device.
  • Server-side credentials. The SSH key or password is stored on the Access Gate and injected at login, never exposed to the end user.
  • Revocation by grant. Revoking access means revoking a grant, not rotating a device credential.

Set It Up

1. Create the asset and its SSH service

Add the device as an asset and declare its SSH:22 service. Open the asset, click Edit Network, and enter the Remote Access Service information (the credentials Access Gate uses at login).

MOXA asset details

2. Create an enclave

Create an enclave containing the asset and the user or group you want to grant access to.

Remote Access enclave

3. Enable Remote Access on the grant

To grant Remote Access (a proxy session that Access Gate maintains), select the Remote Access option. With this option, the credentials stored on the Access Gate are used at login, without being exposed to the end user. Then grant access.

Selecting the Remote Access option

On the User Side

The user authenticates through an access screen and sees the Remote Access sessions they can activate.

Access granted with Remote Access permissions

Clicking the link opens a browser session with Remote Access to the target machine.

Remote Access browser session

Credentials do not live on the operator's machine. The grant (creds=...) is injected server-side, so the person at the keyboard never holds the SSH key or password for the MOXA box. Revoking access is revoking a grant, not rotating a device credential.

Recap

You loaded the device's credentials into Access Gate and granted Remote Access, so a user authenticates once and reaches the target through a remote session in a browser tab.

What you are running is SSH, already encrypted end to end, wrapped in a browser-based console that reaches the target through the Access Gate proxy over TLS. For the broader admin-session model (RDP, VNC, session recording), see Privileged Access Management.
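To confirm the "proxy session, not a network path" property after setup, the check below can be run from an operator workstation: every asset should come back with no direct route while the browser session through Access Gate still works. This is an added example, not Trout's code; the function names are hypothetical and the target address is a constructed placeholder.

```python
import socket

# Constructed placeholders (192.0.2.0/24 is a documentation range); replace
# with the real address and port of each asset's SSH service.
TARGETS = [("192.0.2.10", 22)]


def probe_ssh(host, port=22, timeout=3.0):
    """Classify how an SSH service answers a direct connection from this host.

    "no-route"       timeout or unreachable: the result expected here
    "refused"        a reset came back, so packets are reaching something
    "open-no-banner" TCP connected, but no SSH identification string
    "ssh-reachable"  TCP connected and the peer identified itself as SSH
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, network/host unreachable, resolution failure
        return "no-route"
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(255)
        except OSError:  # peer stayed silent or reset the connection
            data = b""
    # RFC 4253: the server identifies itself with a line starting "SSH-",
    # possibly preceded by other lines.
    is_ssh = any(line.startswith(b"SSH-") for line in data.splitlines())
    return "ssh-reachable" if is_ssh else "open-no-banner"


def direct_routes(targets, timeout=3.0):
    """Return {(host, port): status} for every target that is NOT isolated."""
    findings = {}
    for host, port in targets:
        status = probe_ssh(host, port, timeout)
        if status != "no-route":
            findings[(host, port)] = status
    return findings


if __name__ == "__main__":
    found = direct_routes(TARGETS)
    for (host, port), status in found.items():
        print(f"{host}:{port} is directly reachable: {status}")
    raise SystemExit(1 if found else 0)
```

A non-zero exit means at least one asset answered directly, so the workstation still has a network path that bypasses the grant.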