Access Gate controls who can reach an asset and which protocol they may use to do it. A rule that allows alice@acme.com to reach plc-42 over ssh does not also allow rdp or smb; every protocol on every asset is an explicit grant. This section has pages for key protocols, covering the specifics that matter once you move past "allow the port." It does not cover every protocol, just the common ones.
The Common Model
Every protocol guide in this section builds on the same three ideas. Read these once, then jump to the protocol you need.
- **Default-deny.** A session is rejected unless a matching allow rule exists in the enclave's Access Control List. There is no implicit "members can do anything"; each protocol is granted explicitly.
- **Protocol-aware proxying.** Access Gate terminates sessions, applies identity and policy, and proxies the connection to the asset. That is what makes protocol alerting, TLS encryption, and access screens possible; see Protecting an asset with enclaves.
- **Inline or out-of-band.** The gate can sit inline (traffic passes through it) or out-of-band (you route selected flows through its proxy). The policy model is identical either way; the difference is how traffic reaches the gate. See Configuring overlay routes.
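The following is an added illustration of the default-deny model, not Access Gate's own rule format, API, or code. It assumes a hypothetical ACL made of explicit (identity, asset, protocol) grants and classifies a proxied session by its destination port using the default ports from the table below. Enclave membership on its own grants nothing; only a matching rule does, and a grant for ssh never implies rdp or smb.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hypothetical rule shape for illustration only (not Access Gate's format).
# One protocol per rule; no wildcards, so every grant is explicit.
@dataclass(frozen=True)
class AllowRule:
    identity: str   # e.g. "alice@acme.com"
    asset: str      # e.g. "plc-42"
    protocol: str   # e.g. "ssh"

# Default ports of the protocols this section covers, used to name the
# protocol of a session by its destination port.
PORT_TO_PROTOCOL = {
    80: "http", 443: "https", 22: "ssh", 3389: "rdp",
    445: "smb", 502: "modbus", 21: "ftp",
}

def protocol_for_port(port: int) -> Optional[str]:
    """Map a destination port to a protocol name; None if not recognised."""
    return PORT_TO_PROTOCOL.get(port)

def evaluate(acl: List[AllowRule], members: Set[str],
             identity: str, asset: str, port: int) -> Tuple[str, str]:
    """Decide one session attempt. Returns ("allow"|"deny", reason).

    Deny is the default outcome: a non-member, an unrecognised protocol,
    or the absence of an exactly matching rule all end in "deny".
    """
    if identity not in members:
        return ("deny", f"{identity} is not a member of the enclave")
    proto = protocol_for_port(port)
    if proto is None:
        return ("deny", f"port {port} is not a recognised protocol")
    for rule in acl:
        if (rule.identity, rule.asset, rule.protocol) == (identity, asset, proto):
            return ("allow", f"matched explicit grant for {proto} on {asset}")
    # Membership alone never grants anything: fall through to deny.
    return ("deny", f"no rule grants {proto} to {identity} on {asset}")

# Constructed sample data (not from any real deployment).
SAMPLE_MEMBERS = {"alice@acme.com", "bob@acme.com", "carol@acme.com"}
SAMPLE_ACL = [
    AllowRule("alice@acme.com", "plc-42", "ssh"),
    AllowRule("bob@acme.com", "plc-42", "modbus"),
    AllowRule("bob@acme.com", "hmi-7", "https"),
]

def decide_all(attempts):
    """Evaluate a batch of (identity, asset, port) attempts against the sample ACL."""
    return [(identity, asset, port,
             evaluate(SAMPLE_ACL, SAMPLE_MEMBERS, identity, asset, port)[0])
            for identity, asset, port in attempts]

if __name__ == "__main__":
    attempts = [
        ("alice@acme.com", "plc-42", 22),    # explicit ssh grant -> allow
        ("alice@acme.com", "plc-42", 3389),  # ssh grant does not imply rdp -> deny
        ("alice@acme.com", "plc-42", 445),   # nor smb -> deny
        ("carol@acme.com", "plc-42", 22),    # member with no rules -> deny
        ("mallory@evil.example", "plc-42", 22),  # not a member -> deny
        ("bob@acme.com", "plc-42", 9999),    # unrecognised protocol -> deny
    ]
    for identity, asset, port, decision in decide_all(attempts):
        print(f"{decision:5} {identity} -> {asset}:{port}")
```

The point of the membership check is to show the two-step shape of the model: being in the enclave gets a session as far as policy evaluation, and only an explicit rule for that exact protocol lets it through to the asset.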
Key Protocols
| Protocol | Default port(s) | Typical use | Guide |
|---|---|---|---|
| HTTP / HTTPS | 80 / 443 | Web HMIs, device admin UIs, dashboards | Configure HTTP/HTTPS |
| SSH | 22 | Remote shell to network gear, gateways, controllers | Configure SSH |
| RDP | 3389 | Windows workstations, HMIs, jump hosts | Configure RDP |
| SMB | 445 | File shares, CUI/document flows, PLC programs | Configure SMB |
| Modbus | 502 | PLC/RTU read-write on the OT network | Configure Modbus |
| FTP | 21 | File transfer on legacy and industrial systems | Configure FTP |