Glossary

Plain-English definitions for the terms you'll see across Access Gate and the docs.

9 min read · Last updated 2026-04-22

Short definitions for the terms used across the product, the UI, and the rest of the documentation. Use Ctrl-F to search, or jump to a letter:

A · B · C · D · E · F · I · J · L · M · N · O · P · R · S · T · U · V · Z

A

Access Agreement — A one-time approval screen a user accepts before reaching a protected system. Used to record vendor agreement to safety rules, confidentiality, or session length before PAM access is granted.

Access Gate — Trout's network access control appliance. Sits beside the network (not inline), mediates policies over assets, monitors traffic, and applies encryption or compliance rules without re-addressing the existing network.

Access Screen — The identity-checked login page a user hits before entering an enclave. Wires into your Identity Provider so authentication is centralized.

ACL (Access Control List) — The per-enclave table that decides whether a principal may reach an asset over a given protocol. Default-deny: only explicit allow rules open a path.

Alert — An event raised by Access Gate's detection engine (a triggered rule, a zone-boundary crossing, a missing asset). Alerts land in the Alerts view and can be forwarded to a SIEM.

Asset — A device or system Access Gate knows about — a PLC, a historian, a workstation. Assets live in the Asset Inventory and carry impact labels.

Asset Inventory — The list of assets Access Gate tracks. Built automatically from monitored traffic, or populated manually.

Audit Trail — The record of administrative and enclave-level changes: who did what, on which entity, when. Exportable over syslog to your SIEM.

B

Binat — A bidirectional 1:1 mapping between an overlay range and an underlay range. Binats let Access Gate re-expose assets on a separate address space without changing their real addresses.

C

CGNAT range (100.64.0.0/10) — The reserved address range defined by RFC 6598 for carrier-grade NAT. Access Gate uses it by default for overlay ranges because it rarely conflicts with customer networks.

Compliance Officer — A built-in user role focused on risk assessments and compliance reporting. See User Roles.

CSR (Certificate Signing Request) — The signed document Access Gate generates when you want your own CA to issue an intermediate certificate for the TLS proxy. You sign the CSR with your root CA, then upload the result back.

D

Default Deny — The ACL model Access Gate uses: a session is rejected unless a matching allow rule exists. No implicit trust between enclave members.

DNS Split — Configuration where some DNS names resolve via Access Gate's internal resolver (for overlay assets) and the rest via your corporate DNS. Lets overlay-only assets have names without polluting the wider DNS.

E

Enclave — A protected group of assets and principals with a shared policy. Enclaves are how Access Gate expresses "who can reach what, over which protocols."

Entra ID — Microsoft's cloud identity service (formerly Azure AD). Access Gate supports syncing users and groups from Entra ID — see Synchronize user directory.

F

Flow Record — A summary of a network conversation: source, destination, ports, byte counts, timing. Access Gate ingests flow records from NetFlow exporters on your existing routers.

I

IdP (Identity Provider) — The external system that authenticates users (Entra ID, Okta, Google Workspace). Access Gate binds sessions to IdP identities via OIDC or SAML.

Impact — A label on an asset (or vnet) that rates how critical it is to the business: Low, Medium, High, Critical. Drives alert prioritization and the Risk Matrix.

Interconnect Network — A small network (typically a /29) that only your edge router and Access Gate sit on. It's the path the router uses to hand overlay traffic to Access Gate.

J

Just-in-Time Access (JIT) — Granting a role for a defined window — a vendor gets ACL access from Monday 9 AM to Friday 5 PM, then the grant expires automatically without an operator action.

L

LDAP — A classic directory-service protocol. Access Gate can authenticate users against an LDAP server and sync group membership.

Line Manager — A management role with team-level admin rights over assets, enclaves, and scoped policies. Inherits contributor permissions.

Log Skimming — Extracting and forwarding only the high-value slices of a log stream to reduce volume downstream. Access Gate skims events before syslog export.

M

Monitoring Port — The passive, out-of-band Ethernet interface on Access Gate that receives NetFlow data. See Configure Monitoring Port.

N

NetFlow — A standard network telemetry format exported by routers and firewalls describing each flow (who talked to whom, how much, when). Access Gate builds its inventory and zone awareness from NetFlow.

Network Administrator — A built-in role for operators responsible for system and network configuration.

NIS2 — The EU Network and Information Security Directive (2022/2555). One of the compliance frameworks Access Gate can help you satisfy.

NTP (Network Time Protocol) — The protocol used to synchronize clocks across devices. Access Gate needs accurate time for certificate validation and log timestamps.

O

OIDC (OpenID Connect) — An identity-layer protocol on top of OAuth 2.0. Access Gate supports OIDC for browser-based authentication flows.

OT (Operational Technology) — Systems that monitor or control physical processes (industrial control systems, SCADA, PLCs, sensors, actuators). Distinct from IT, and often with different uptime and security constraints.

Overlay Network — A virtual network Access Gate places on top of your existing (underlay) network. Protected assets are re-exposed on overlay addresses without changing their real ones.

Overlay Range — The address range reserved for the overlay. Default: 100.64.0.0/16 (inside the CGNAT range).

P

PAM (Privileged Access Management) — Identity-bound, time-limited, recorded access to sensitive systems. In Access Gate, PAM is delivered via the Remote Access Scheme (browser-based RDP/SSH/VNC/HTTPS).

PKI (Public Key Infrastructure) — The set of CAs, intermediate certificates, and signing processes that underpin TLS. Access Gate has a built-in PKI for its own services and can accept an intermediate cert signed by your CA.

PLC (Programmable Logic Controller) — A ruggedized industrial controller that reads sensors and drives actuators. A core asset type in OT networks.

Principal — The identity a session is evaluated against — a user or a group from your IdP. ACLs operate on principals.

R

RBAC (Role-Based Access Control) — The model Access Gate uses to decide what each user can do in the admin UI. Five built-in roles, inheritable.

RDP (Remote Desktop Protocol) — Microsoft's remote-desktop protocol. Supported as a PAM session type.

Remote Access Scheme — Access Gate's browser-based proxied session flow for RDP, SSH, VNC, and HTTPS — the backbone of PAM.

Risk Matrix — A likelihood × impact grid Access Gate uses to prioritize alerts. See Risk Matrix and Vnet Labels.

S

SAML — An XML-based SSO protocol, common in enterprise IdPs. Access Gate supports SAML for browser authentication.

SCA (Sub-CA / Intermediate Certificate) — An intermediate certificate signed by your root CA that Access Gate uses to issue terminal TLS certs on the fly. Uploaded via "Upload SCA" in the TLS setup flow.

Secure Twin — Access Gate's overlay approach to access control: build a 1:1 virtual copy of a network on overlay addresses and let the gate mediate access without touching the underlay. See Secure Twin port.

Security Analyst — A built-in role focused on monitoring, alerts, and collection pipelines.

Security Level — The sensitivity tag on a user or asset (Low, Medium, High, Critical). A user cannot create another user at a higher security level than their own.

SIEM (Security Information and Event Management) — The platform (Splunk, Elastic, QRadar, Sentinel, …) you aggregate logs into for detection and investigation. Access Gate ships events there over syslog — see Log Forwarding.

Site Manager — The highest-privilege built-in role. Full administrative access, including site connection and user management.

Snort — An open-source network intrusion detection engine. Access Gate runs Snort rules against enclave flow traffic for payload-level detection.

SSH (Secure Shell) — A protocol for encrypted remote login and command execution. Supported as a PAM session type.

SSO (Single Sign-On) — The pattern where one IdP login grants access to multiple apps. Access Gate participates via OIDC or SAML.

Syslog — The standard message-logging protocol. Access Gate carries alerts, audit events, and flow records over syslog (UDP/TCP/TLS) to your SIEM.

T

Tailscale — A zero-config mesh VPN service Access Gate integrates with for remote zero-trust access. See Configure Tailscale VPN on Access Gate.

TLS (Transport Layer Security) — The cryptographic protocol that secures most modern network traffic (HTTPS). Access Gate can add TLS to protocols that don't natively support it — see Set up TLS Encryption.

Twin Network — The overlay address range assigned to a given Secure Twin. Expressed as a vnet.

U

Underlay — The real, pre-existing network — VLANs, subnets, IPs — that Access Gate sits on top of. The overlay protects by re-addressing, but the underlay keeps running unchanged.

User Group — A collection of principals, usually synced from your IdP. Group-based ACLs scale better than per-user entries.

V

Vnet — A network prefix in the overlay range mapped to an underlay network (typically a VLAN). Vnets are the building blocks of routing between Access Gates.

VNC (Virtual Network Computing) — A framebuffer-based remote-display protocol, common on HMI panels. Supported as a PAM session type.

VPN (Virtual Private Network) — A secure tunnel between endpoints over an untrusted network, making them appear on the same private network. Access Gate bundles Tailscale for this.

Z

Zero Trust — A security model where no network location implies trust — every session must re-authenticate and re-authorize. Access Gate is a zero-trust enforcement point for on-premise networks.

Zone — A named group of assets or subnets that share a trust level. Zones drive detection: an unexpected flow between two zones raises an alert. See Network Zones.