TroutTrout
Zero-Trust Remote Access

Remote Access Is a Need. Implicit Trust Makes It a Risk.

As demand for remote access to OT keeps rising, granting it to a flat network is handing over the keys. Access Gate deploys Zero-Trust inside your LAN first, then opens controlled remote access to specific systems, not to your entire network.

Trusted by leading companies

John CockerillOrange CyberdefenseElna MagneticsThales
FD
Florian Doumenc
Quality tests - Repository
172.31.112.100
PermissionAllowedwithTLSVPN
Advanced
TLS required
VPN allowed
No Access Form required
http_method
POST
Save
What is actually happening

Remote access is the most common way into OT.

Remote access adoption is growing: integrators commission lines, OEMs service drives, and engineers support sites they rarely physically visit. The usual tools for it, VPNs and jump hosts, were built to extend the network to the remote user, not to constrain what that user can reach.

Once a VPN connects, the remote has implicit trust and access. A compromised vendor laptop, a reused credential, or a contractor who keeps access long after the job is done all inherit that reach. Third-party and remote access is, repeatedly, the vector behind the largest OT incidents.

The fix is not a bigger VPN. It is access that is brokered rather than routed: every remote session authenticated by identity, scoped to a single asset and protocol, recorded, and torn down when the window closes, so a remote connection is never a path into the wider network.

The model

Brokered, identity-bound sessions, not network tunnels.

Access Gate brokers each session through a protocol-aware proxy. The remote user authenticates against your existing identity provider in the browser, gets a session to one authorised resource over one authorised protocol, and never receives an IP address on your network. SSH, RDP, VNC, HTTP, Modbus, and OPC UA are inspected at the application layer, so you can allow a protocol while constraining what it may do.

Reference architecture: a remote user reaching a single OT asset through the Access Gate proxy, with no route to the wider network.
The remote user authenticates to Access Gate and is brokered to one asset over one protocol. There is no VPN tunnel and no IP on the internal network; the session is inspected and recorded at the gate.
How Access Gate deploys

Zero Trust inside the LAN first, then controlled remote access.

PHASE 1

Establish Zero Trust on the inside.

Access Gate deploys as an overlay and brings the internal network under identity-based access control first, with no agents and no rewiring. Before any remote access is opened, internal flows are already authenticated, least-privilege, and logged, so remote access is added to a controlled network, not a flat one.

PHASE 2

Open access to systems, not the network.

Remote users connect through the browser to the gate and are brokered to specific assets. Each session is authenticated, scoped per asset, protocol, method, and time window, recorded, and automatically terminated when the window closes. Access agreements can be required and logged before a session starts. Vendors install nothing; IT manages no endpoints it does not own.

Benefits at a Glance

Remote Access Built for Industrial Environments

The Trout Access Gate replaces VPNs and jump servers with protocol-aware remote access, designed for OT, legacy systems, and regulated environments.

No VPN Tunnels

Vendors connect through the Access Gate, not into your network. No lateral movement, no flat network exposure.

Protocol Inspection

HTTP, SSH, RDP, Modbus, every protocol is inspected and filtered at the application layer before reaching the target.

Session Recording

Every remote session is captured, indexed, and replayable. Full audit trail for compliance and incident response.

Per-Session Policies

Define access by user, resource, protocol, time window, and HTTP method. Every session is individually authorized.

Access Agreements

Require vendors to acknowledge security policies before every session. Logged and timestamped for compliance.

No Agent Required

Works through the browser. Vendors don't install software. IT doesn't manage endpoints they don't own.

The second layer of value

Access Gate secures your assets first, then exposes the simple services your teams and vendors actually want, so they run through the sanctioned path, not around it.

OT runs through you, not around you.

Datasheet

Download the Access Gate Datasheet.

Get the complete product overview with technical capabilities, deployment model, compliance alignment, and customer references.

Done

What's Inside

Product architecture, deployment model, key capabilities (proxy enforcement, micro-DMZs, identity-based access), compliance alignment, and real-world customer deployments.

4 pages

See It in Action

Request a live demo to see how the Access Gate deploys on your network without rewiring or downtime.

FAQ

Questions and Answers

0

VPN tunnels into your production network. The Access Gate proxies sessions at the application layer, vendors never touch your internal network.

Vendors open a browser and authenticate through the Access Gate. The Gate proxies their session to the target resource at the application layer. They never get an IP address on your network and can only interact with the specific resource and protocol you've authorized.

The Access Gate supports HTTP/HTTPS, SSH, RDP, VNC, Modbus TCP, and OPC-UA out of the box. Each protocol is inspected at the application layer, for example, you can allow SSH but block specific commands, or allow HTTP GET but deny POST.

Yes. Access rules support time-based constraints, you can allow a vendor to connect only during a scheduled maintenance window. Sessions are automatically terminated when the window closes.

Every remote session is recorded at the protocol level. SSH sessions capture terminal I/O, RDP sessions capture screen activity, and HTTP sessions log all requests. Recordings are indexed, searchable, and replayable for audits and incident response.

Yes. The Access Gate runs entirely on-premise with no cloud dependency. All session proxying, recording, and policy enforcement happens locally. It's designed for ITAR, CMMC, and air-gapped environments.

A VPN or jump host places the remote user on your network, with a route to everything once connected. Access Gate brokers the session at the application layer instead: the user authenticates by identity, reaches one authorised asset over one authorised protocol, never gets an internal IP, and the session is inspected, recorded, and time-bound. Access is to a system, not to the network.

OT remote access lets vendors, integrators, and off-site engineers reach industrial systems without exposing the plant network. Instead of a flat VPN into the LAN, Access Gate brokers each session through a proxy: identity-verified, scoped to specific assets, time-limited, and fully recorded. It is a secure remote access solution built for OT, with no agents on the target machines.