v26.6.1 focuses on operating Access Gate at scale: network-based upgrades for large fleets, protocol-aware access control, a broader set of built-in threat detections, and a deeper Tailscale VPN integration.
Highlights
Network upgrades over HTTP(S)
Access Gate can now be upgraded over the network, making fleet upgrades practical for environments running 100+ devices or virtualized deployments. Upgrade packages are fetched from a URL (a local air-gapped server, a partner-hosted server, or the Trout public server). Each package is cryptographically signed and verified before an A/B installation. A failed upgrade rolls back automatically to the last known-good state, including the pre-upgrade backup.

Protocol-aware ACL rules
You can now express allow and deny conditions on specific protocol values directly from the ACL table: for example, capping a Modbus coil value or filtering HTTP requests by User-Agent. A protocol-specific editor turns these conditions into detection rules, giving fine-grained, per-enclave control that goes beyond simple port access. This lets you enforce process-level safety and security limits, such as blocking an out-of-range Modbus write.
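To illustrate the kind of check a protocol-aware rule performs when it blocks an out-of-range Modbus write, the following added example (not Access Gate code or its rule syntax) parses Modbus/TCP register-write requests and applies per-register value limits. The register addresses, limits, default-deny choice and sample frames are constructed assumptions.

```python
import struct

# Assumed policy (constructed): holding-register address -> (min, max) allowed value.
LIMITS = {0x0010: (0, 1500), 0x0011: (0, 100)}

def register_writes(adu):
    """Return [(address, value), ...] for register writes in a Modbus/TCP request.
    Raises ValueError or struct.error on a truncated or inconsistent frame."""
    if len(adu) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:  # length counts unit id + PDU
        raise ValueError("bad protocol id or length field")
    func, data = adu[7], adu[8:]
    if func == 0x06:  # Write Single Register: address, value
        return [struct.unpack(">HH", data)]
    if func == 0x10:  # Write Multiple Registers: start, quantity, byte count, values
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if not 1 <= qty <= 123 or nbytes != 2 * qty:
            raise ValueError("inconsistent quantity or byte count")
        values = struct.unpack(f">{qty}H", data[5:])
        return [(start + i, v) for i, v in enumerate(values)]
    return []  # reads and other function codes carry no register write

def decide(adu, limits=LIMITS):
    """Return ("allow" | "deny", reason) for one request frame."""
    try:
        writes = register_writes(adu)
    except (ValueError, struct.error) as exc:
        return "deny", f"malformed frame: {exc}"
    for addr, value in writes:
        if addr not in limits:  # default-deny writes to registers with no declared limit
            return "deny", f"write to unlisted register {addr:#06x}"
        lo, hi = limits[addr]
        if not lo <= value <= hi:
            return "deny", f"register {addr:#06x} value {value} outside {lo}..{hi}"
    return "allow", "no out-of-range register write"

def frame(pdu, unit=1):  # helper: wrap a PDU in an MBAP header
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

SAMPLES = {  # constructed requests, not captured traffic
    "in_range": frame(struct.pack(">BHH", 0x06, 0x0010, 1200)),
    "too_high": frame(struct.pack(">BHH", 0x06, 0x0010, 9000)),
    "multi": frame(struct.pack(">BHHBHH", 0x10, 0x0010, 2, 4, 1000, 250)),
    "read": frame(struct.pack(">BHH", 0x03, 0x0010, 2)),
}
for name, adu in SAMPLES.items():
    print(name, decide(adu))
```

Checking every value in a multi-register write matters: the "multi" sample carries one acceptable value and one that exceeds its limit, and the whole request is denied.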
Independent remote-access control in enclaves
Assets reachable only through proxied remote access (SSH, RDP, or VNC) now appear in Enclave Search and get their own Remote Access control in the ACL, managed independently from network services. You can grant or revoke browser-based remote access per enclave, separately from opening a port. This is Privileged Access Management for OT: SSH, RDP, and VNC sessions are brokered through Access Gate, authorized per enclave, and audited, so a maintenance team or third-party vendor reaches only the assets a given enclave grants.

Reworked Tailscale VPN integration
The Tailscale VPN integration has been rebuilt for reliability. Virtual networks and assets synchronize from the Tailscale API, DNS resolves in both directions between Tailscale and local networks, and access-control rules apply consistently across Tailscale-to-local and Tailscale-to-Tailscale flows. This targets remote and distributed IT (branch sites, roaming engineers, cloud workloads): Tailscale handles connectivity, while Access Gate applies the same segmentation, access control, and audit to Tailscale flows as to on-premise traffic.
Automated risk-assessment reports
Risk assessments can now be exported as structured PDF documents generated directly from your control-measure data, using a customizable template. The report is generated from current control data rather than compiled by hand, covering frameworks CMMC L2, NIS2, ISO27001, SOC2, DOH5 and DEC 616/650/750.

New threat detections
This release adds detection coverage for several common attack patterns, tuned for IT and OT environments:
- SMB relay: NTLM-over-SMB authentication directed at hosts not declared as SMB servers, a strong indicator of a relay or rogue endpoint.
- Reverse shell: outbound shell traffic over suspicious ports and known payload patterns.
- Telnet usage: sessions across zones or to critical assets, brute-force attempts, and recent Telnet CVEs (Telnet is still common on legacy OT/IoT equipment).
- Tor and DNS tunnelling: traffic-pattern rules for anonymized and covert exfiltration channels.
These ship as built-in rules, so the patterns are detected without writing custom detection logic.
Smaller improvements
- Connection tracking for negotiated protocols: FTP, DCE/RPC, and OPC-DA, which negotiate a secondary port.
- Test-alert button: generate a known test alert to validate a syslog or SIEM destination end to end.
- HTTPS and SRV DNS forwarding: additional DNS record types are now forwarded, including for Active Directory environments.
- NetFlow subnet exclusion: exclude selected subnets to avoid double-counting traffic seen on both a sniffing and an overlay port.
- Sort by IP on the monitor page.
Fixes
- ACL rule expiration is cleared correctly when a rule changes, so updates take effect immediately.
- Improved stability for enclaves with very large rule sets.
- Log filtering options remain visible when switching the record-type filter.