Trout

Quick start

Get Access Gate running in about 15 minutes, with network visibility and one protected enclave.

7 min read · Last updated 2026-05-06

Prerequisites

Before starting, ensure you have:

  • Access Gate appliance with power supply
  • Three Ethernet cables
  • Available switch port with network access
  • IP address for Access Gate management interface
  • Web browser (Chrome, Firefox, or Edge)
  • Administrator credentials for initial setup
  • An understanding of the final network architecture layout

At the end of this tutorial, you will have added three capabilities to your network:

  • Access Gate will be accessible from a web browser on IP 10.0.4.10 (part of the admin network)
  • Access Gate will listen for NetFlow data on IP 10.0.3.100 (part of the existing OT network)
  • A Secure Twin will be created to steer traffic through Access Gate for control

Final Network Layout

Overview: Four Steps to Visibility and Control

  1. Connect: Integrate Access Gate into your existing network
  2. Discover: Let Access Gate build your asset inventory
  3. Segment: Create a protected enclave around sensitive assets
  4. Authorize: Grant users access with identity-based policies

Time required: 15-20 minutes

Step 1: Physical Connection

Access Gate offers six physical ports, which can be configured to perform specific functions (Zero-Trust overlay, administration, network monitoring).

We recommend starting with the following configuration:

Port    Role     Connects To               Purpose
Port 1  Overlay  Router (2.5Gb preferred)  Access control enforcement
Port 5  Monitor  OT / existing network     NetFlow ingestion, discovery
Port 6  Admin    Management VLAN           Web UI access

  1. Port 1 (Overlay): To deploy access control capabilities
  2. Port 5 (Monitor): For network visibility and traffic inspection
  3. Port 6 (Admin): To access the admin interface

Basic Connection Topology


Ports Configuration in Access Gate

Connection Steps

  1. Connect Port 1 directly to your router (prefer 2.5Gb ports with CAT6 Ethernet cable for best performance)
  2. Connect Port 5 to your existing OT network
  3. Connect Port 6 to your management network (same VLAN as your admin workstation)
  4. Power on the appliance
  5. Wait 60 seconds for boot sequence to complete

The appliance will obtain an IP address via DHCP on Port 6, or fall back to 10.0.0.1/24 if DHCP is unavailable.

Step 2: Initial Configuration

To access the admin interface:

  1. Open a web browser and navigate to Access Gate's IP address: https://{ip}
  2. Accept the self-signed certificate warning (we'll configure proper TLS later)
  3. Log in with default credentials: Username: admin, password: hello
  4. Once connected, head to Settings → Accounts.
    1. Change the admin password.
    2. Create a dedicated user for yourself with the appropriate permission level

Step 3: Asset Discovery

Now comes the interesting part: seeing what's actually on your network.

Start Discovery

  1. Configure the second port as Monitor
  2. On your router, configure NetFlow export towards this monitoring port
  3. The dashboard will begin populating with traffic & discovered devices

Example of monitoring Tab with devices populated

Generate Asset Inventory

  1. From the Monitor tab, click on the button Register Asset for unknown devices to add them to your inventory
  2. Fill in the name of the asset
  3. Head to the Asset tab to see the inventory populated

Example of Assets in the Asset Inventory tab

For each asset, you can specify more information (Name, Serial, Risk Level, and so on) by clicking on the pencil icon.

Step 4: Create a Protected Enclave

Now that you can see your network, you can deploy the protection pillars.

Configure Port 1 as Overlay

  1. Navigate to Settings → Device Ports Configuration
  2. Click on the first port (or the one you would like to configure)
  3. Enter the information relevant for your network
  4. Click Save

Configure The Secure Twin

A Secure Twin is a virtual copy of your existing network that allows a controlled migration from your existing setup to a fully secure network, without downtime. Our explainer goes into greater detail.

  1. Navigate to Settings → Twin Subnets
  2. Add a Twin block with the information relevant for your network.
  3. Enter a DNS Name (for example acme.tr-sec.net)
  4. Click Save

VNet Configuration to deploy an overlay

Now, on your router, you will need to configure:

  1. An interconnect VLAN between your router and Port 1 of Access Gate (in the 100.65.0.0/29 range here)
  2. A route that sends all traffic for the Secure Twin to Access Gate

    # Interconnect address on the router side of the link to Access Gate Port 1
    /ip/address/add interface=ether1 address=100.65.0.1/29
    # Send the Secure Twin range to Access Gate over the interconnect
    /ip/route/add gateway=100.65.0.4 dst-address=100.64.0.0/16

Create the Enclave

  1. Navigate to Enclaves → Create Enclave
  2. Give your enclave a descriptive name: Production_Floor or CUI Systems Sales Access
  3. Fill the Description & Security Level
  4. Click Save

Add Assets & Principal

  1. Navigate to your newly created enclave Enclaves → [Your Enclave]
  2. Add Assets & Principals by clicking on the Edit Principals button
  3. Select the entities you want to manage in this enclave.

At this point, the enclave exists, but we still need to grant access.


Adding Users, User Groups and Assets to an Enclave

Step 5: Configure Access Control

Now, let's define permissions within the enclave.

Grant Access

  1. In the table view in front of you, click a Blocked tile
  2. Use the toggle to grant access
  3. The Advanced drop-down will show you advanced Access Control capabilities: TLS, VPN, Access Screen
  4. Click Save

This is the moment where Access Gate begins actively controlling access.

Step 6: Test Access

Let's now test the access via the enclave and the proxy security:

  1. From your computer, check that the asset name now resolves: nslookup {asset_name}.{DNS_name} (for example, cui_server.acme.tr-sec.net)
  2. Now, check you can ping the IP that has been returned
  3. Finally, test that the intended protocol is accessible: curl http://cui_server.acme.tr-sec.net (for example, for an HTTP server)

Access Gate's proxy transparently intercepts and forwards traffic based on permissions.
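
As an added example (not part of the Trout documentation), the script below automates the first check of Step 6: it confirms that every address returned for an asset name lies inside the Secure Twin range, so the router's route hands the traffic to Access Gate. It assumes the twin range is 100.64.0.0/16, as in the route example above, and a Linux client with getent; the function and script names are illustrative.

```shell
#!/bin/sh
# Added example: check that an enclave asset name resolves into the Secure Twin range.
# Assumption: twin range 100.64.0.0/16 (from the route example); names are illustrative.

# Convert a dotted-quad IPv4 address to an integer; non-zero status on bad input.
ip_to_int() {
    local IFS=. a b c d extra o
    read -r a b c d extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        # Reject empty, non-numeric, over-long and leading-zero (octal) octets.
        case "$o" in ''|*[!0-9]*|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo "$(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))"
}

# Return 0 if IPv4 address $1 is inside CIDR $2, 1 if outside, 2 on bad input.
ip_in_cidr() {
    local ip net mask bits="${2#*/}"
    case "$bits" in ''|*[!0-9]*|???*|0?*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $ip & $mask )) -eq $(( $net & $mask )) ]
}

# Return 1 if any resolved address is outside the range, or nothing resolved.
check_addresses() {
    local cidr="$1" rc=0 addr; shift
    [ "$#" -gt 0 ] || { echo "FAIL no address returned"; return 1; }
    for addr in "$@"; do
        if ip_in_cidr "$addr" "$cidr"; then
            echo "OK   $addr is inside $cidr"
        else
            echo "FAIL $addr is outside $cidr"; rc=1
        fi
    done
    return "$rc"
}

# Live use: sh check_twin.sh cui_server.acme.tr-sec.net [100.64.0.0/16]
if [ "$#" -ge 1 ]; then
    addrs=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u)
    check_addresses "${2:-100.64.0.0/16}" $addrs   # unquoted: one word per address
fi
```

A FAIL line means the returned address is not covered by the 100.64.0.0/16 route, so that traffic would not be sent to Access Gate by the router configuration shown earlier.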

What You've Accomplished

In 15-20 minutes, you have:

  • Network visibility - Asset inventory across IT, OT, and IoT
  • Protected enclave - Sensitive systems isolated with overlay networking
  • DNS Access - Ability to resolve an asset's IP address from its URL
  • Zero infrastructure changes - No VLAN modifications or IP reassignments

This baseline configuration addresses multiple compliance requirements immediately:

  • Asset inventory and classification
  • Access control and authentication
  • Network segmentation

Next Steps

Next, implement identity-based access, so users must authenticate before reaching protected assets. Head over here.


Troubleshooting

Access Gate not responding on management interface

  • Check physical cable connections
  • Verify switch port is active (link light on)
  • Confirm IP address with DHCP or network logs
  • Ensure no firewall rules are blocking HTTPS (port 443)
  • Ensure you are accessing the admin interface over HTTPS

No devices appearing in discovery

  • Verify the monitor port receives mirrored traffic (check switch NetFlow configuration)
  • Ensure the monitor port includes both ingress and egress traffic
  • Check that the monitored VLAN includes active devices
  • Review Settings → Logs to see if any error is raised by the Access Gate

Enclave assets unreachable from Access Gate

  • Verify Access Gate can reach assets on the underlay network
  • Check that asset firewalls allow Access Gate's IP
  • Check that two routes have been created on your router, one for the Access Gate, one for the overlay range