Quick start

This guide walks you through getting Access Gate operational in about 15 minutes. By the end, you'll have visibility into your network and a working protected enclave with access controls in place.

Prerequisites

Before starting, ensure you have:

  • Access Gate appliance with power supply
  • Three Ethernet cables
  • Available switch port with network access
  • IP address for Access Gate management interface
  • Web browser (Chrome, Firefox, or Edge)
  • Administrator credentials for initial setup
  • An understanding of the final network architecture layout

At the end of this tutorial, we will have added three capabilities to your network:

  • Access Gate will be accessible from a Web browser on IP 10.0.4.10 (part of the admin network)
  • Access Gate will listen to netflow data on IP 10.0.3.100 (part of the existing OT network)
  • A Secure Twin will be created to steer traffic through Access Gate for control

Final Network Layout

Overview: Four Steps to Visibility and Control

  1. Connect: Integrate Access Gate into your existing network
  2. Discover: Let Access Gate build your asset inventory
  3. Segment: Create a protected enclave around sensitive assets
  4. Authorize: Grant users access with identity-based policies

Time required: 15-20 minutes

Step 1: Physical Connection

Access Gate offers six physical ports, which can be configured to perform specific functions (Secure Twin overlay, administration, network monitoring).

We recommend starting with the following configuration:

  1. Port 1 (Overlay): To deploy access control capabilities
  2. Port 5 (Monitor): For network visibility and traffic inspection
  3. Port 6 (Admin): To access the admin interface

Basic Connection Topology:

Ports Configuration in Access Gate

Connection Steps:

  1. Connect Port 1 directly to your router (prefer 2.5Gb ports with CAT6 Ethernet cable for best performance)
  2. Connect Port 5 to your existing OT network
  3. Connect Port 6 to your management network (same VLAN as your admin workstation)
  4. Power on the appliance
  5. Wait 60 seconds for boot sequence to complete

The appliance will obtain an IP address via DHCP on Port 6, or fall back to 10.0.0.1/24 if DHCP is unavailable.

Finding Access Gate's IP Address:

The IP address can be found in your DHCP server logs.

Step 2: Initial Configuration

To access the admin interface:

  1. Open a web browser and navigate to Access Gate's IP address: https://
  2. Accept the self-signed certificate warning (we'll configure proper TLS later)
  3. Log in with default credentials: Username: admin, password: hello
  4. Once connected, head to Settings → Accounts.
    1. Change the admin password.
    2. Create a dedicated user for yourself with the appropriate permission levels.

Step 3: Asset Discovery

Now comes the interesting part: seeing what's actually on your network.

Start Discovery:

  1. Configure the second port as Monitor
  2. On your router, configure NetFlow export towards this monitoring port
  3. The dashboard will begin populating with traffic and discovered devices

Example of monitoring Tab with devices populated

Generate Asset Inventory

  1. From the Monitor tab, click the Register Asset button next to unknown devices to add them to your inventory
  2. Fill in the name of the asset
  3. Head to the Asset tab to see the inventory populated

Example of Assets in the Asset Inventory tab

For each asset, you can specify more information (Name, Serial, Risk Level...) by clicking on the pencil icon.

Step 4: Create a Protected Enclave

Now that you can see your network, you can deploy the protection pillars.

Configure Port 1 as Overlay

  1. Navigate to Settings → Device Ports Configuration
  2. Click on the first port (or the one you would like to configure)
  3. Enter the information relevant for your network
  4. Click Save

💡 Tip: We recommend configuring this as a dedicated route, with the interface IP set to 100.65.0.6/29 and the gateway to 100.65.0.1. On your router, you can then create a simple route that points traffic to the Access Gate.

Configure The Secure Twin

Nota Bene: Trout Secure Twin is a unique approach for deploying network security. If you still have questions, do not hesitate to reach out!

A Secure Twin is a virtual copy of your existing network that allows a controlled migration from your existing set-up to a fully secure network, without downtime. Our explainer goes into greater detail.

  1. Navigate to Settings → Twin Subnets
  2. Add a Twin block with the information relevant for your network.
  3. Enter a DNS Name (for example acme.tr-sec.net)
  4. Click Save

💡 Tip: We recommend setting a twin network in the 100.64.0.0/16 range. This range is reserved and should not conflict with your existing network, allowing a smooth deployment.

VNet Configuration to deploy an overlay

💡 Tip: Entering a DNS name will deploy a built-in DNS at the Access Gate. Each asset in your asset inventory is then given a URL, simplifying access later on. You can configure this functionality as a split DNS or a full DNS.

Now, on your router, you will need to configure:

  1. An interconnect VLAN between your router and Port 1 of Access Gate (in the 100.65.0.0/29 range here)
  2. A route to send all traffic for the Secure Twin to Access Gate

/ip/address/add interface=ether1 address=100.65.0.1/29
/ip/route/add gateway=100.65.0.4 dst-address=100.64.0.0/16
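
An added example (not part of the vendor's guide or product): a Python check of the address plan used above, confirming that the twin and interconnect ranges avoid the existing networks and that the router's route points at the address actually configured on Port 1. The function name and the /24 masks for the admin and OT networks are assumptions.

```python
import ipaddress

# RFC 6598 shared address space; the twin and interconnect ranges on this page sit inside it.
SHARED = ipaddress.ip_network("100.64.0.0/10")

def check_overlay_plan(existing, twin, port1_if, router_if, route_dst, route_gw):
    """Return a list of problems in a Secure Twin address plan (empty list = consistent)."""
    twin_net = ipaddress.ip_network(twin)
    port1 = ipaddress.ip_interface(port1_if)    # Access Gate Port 1 (Overlay)
    router = ipaddress.ip_interface(router_if)  # router side of the interconnect
    link = port1.network
    gw = ipaddress.ip_address(route_gw)
    problems = []
    for name, net in (("twin", twin_net), ("interconnect", link)):
        if not net.subnet_of(SHARED):
            problems.append(f"{name} {net} is outside {SHARED}")
        for cidr in existing:
            if net.overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"{name} {net} overlaps existing network {cidr}")
    if twin_net.overlaps(link):
        problems.append(f"twin {twin_net} overlaps interconnect {link}")
    if router.network != link or router.ip == port1.ip:
        problems.append(f"router {router} and Port 1 {port1} do not form one link")
    if ipaddress.ip_network(route_dst) != twin_net:
        problems.append(f"route destination {route_dst} is not the twin {twin_net}")
    if gw != port1.ip:
        problems.append(f"route next hop {gw} is not the Port 1 address {port1.ip}")
    return problems

if __name__ == "__main__":
    # Assumed /24 masks for the admin and OT networks; the page gives host IPs only.
    existing = ["10.0.4.0/24", "10.0.3.0/24"]
    # Port 1 and router addresses from the tip, route values from the router commands.
    for gw in ("100.65.0.6", "100.65.0.4"):
        issues = check_overlay_plan(existing, "100.64.0.0/16", "100.65.0.6/29",
                                    "100.65.0.1/29", "100.64.0.0/16", gw)
        print(gw, "->", issues or "consistent")
```

Whatever address you assign to Port 1, use that same address as the gateway of the route for the twin range.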

Create the Enclave

  1. Navigate to Enclaves → Create Enclave
  2. Give your enclave a descriptive name, for example Production_Floor or CUI Systems Sales Access
  3. Fill in the Description and Security Level
  4. Click Save

Add Assets & Principal

  1. Navigate to your newly created enclave Enclaves → [Your Enclave]
  2. Add Assets & Principals by clicking on the Edit Principals button
  3. Select the entities you want to manage in this enclave.

At this point, the enclave exists, but we still need to grant access.

Adding Users, User Groups and Assets to an Enclave

Step 5: Configure Access Control

Now, let's define permissions within the enclave.

Grant Access

  1. In the table view in front of you, click a Blocked tile
  2. Use the toggle to grant access
  3. The Advanced drop-down will show you advanced Access Control capabilities: TLS, VPN, Access Screen
  4. Click Save

This is the moment where Access Gate begins actively controlling access.

Step 6: Test Access

Let's now test the access via the enclave and the proxy security:

  1. From your computer, check that the asset name now resolves: nslookup {asset_name}.{DNS_name} (for example, cui_server.acme.tr-sec.net)
  2. Now, check you can ping the IP that has been returned
  3. Finally, test that the intended protocol is accessible: curl http://cui_server.acme.tr-sec.net (for example, for an HTTP server)

Access Gate's proxy transparently intercepts and forwards traffic based on permissions.

What You've Accomplished

In 15-20 minutes, you have:

  • Network visibility - Asset inventory across IT, OT, and IoT
  • Protected enclave - Sensitive systems isolated with overlay networking
  • DNS Access - Ability to resolve an asset's IP from its URL
  • Zero infrastructure changes - No VLAN modifications or IP reassignments

This baseline configuration addresses multiple compliance requirements immediately:

  • Asset inventory and classification
  • Access control and authentication
  • Network segmentation

Next Steps

Next, implement identity-based access, so users must authenticate before reaching protected assets. Head over here.


Troubleshooting

Access Gate not responding on management interface

  • Check physical cable connections
  • Verify switch port is active (link light on)
  • Confirm IP address with DHCP or network logs
  • Ensure no firewall rules are blocking HTTPS (port 443)
  • Ensure you are trying to access the admin interface with HTTPS

No devices appearing in discovery

  • Verify monitor port receives mirrored traffic (check switch netflow configuration)
  • Ensure monitor port includes both ingress and egress traffic
  • Check that monitored VLAN includes active devices
  • Review Settings → Logs to see if any error is raised by the Access Gate

Enclave assets unreachable from Access Gate

  • Verify Access Gate can reach assets on underlay network
  • Check that asset firewalls allow Access Gate's IP
  • Check that two routes have been created on your router, one for the Access Gate, one for the overlay range