Protecting an asset with Enclaves

Dec 20th 2025

During your first encounter with Access Gate, you might be wondering how to create a security perimeter around your industrial assets.

In this tutorial, we are going to add assets in the inventory, create enclaves to manage access, and document our approach for compliance purposes.

Prerequisites

Your Access Gate should be configured to provide an overlay on top of your existing infrastructure (this is usually done during on-site installation with your IT team).

We are going to assume that your existing infrastructure uses addresses in the 10.0.0.0/16 range (for example, 10.0.0.1 and 10.254.23.45 are valid), and that the overlay maps onto the 100.64.0.0/16 range. This can be verified in the “Settings” page, under the “Networking” tab.

Subnets in Access Gate Preferences

If your address scheme is different, fear not – the steps should be nearly identical, as long as the configuration in this screen matches your actual infrastructure.

Register a new industrial asset

Once Access Gate is installed and configured, adding a new asset to the inventory is fairly straightforward: choose the “Assets” page on the left bar, then click on the top-right “Create Asset” button. Enter basic information about your asset, for example:

Now, in the “Networking” tab, click on “Add DNS” to add a new network name. Do the same to register the actual IP and the services running on the device.

Click on “Save” to add the asset to the list, and it should display your newly added asset, as per the information you entered:

Note that the URL is created automatically from the name entered in the previous screen. If you do not see anything in this column, it is usually because the IP is not part of the overlay network defined in the prerequisites.

Repeat those steps to add two more assets: a computer-aided manufacturing (CAM) server feeding instructions to the robot, and a historian collecting data. You should end up with three devices:

At this point, you have successfully registered your assets in the inventory: they will now be available in our next topic: configuring enclaves.

Enclaves

By default, every connection with Access Gate is denied. We are going to allow two communications to happen to support the functioning of the robot:

  1. The CAM server is allowed to submit jobs to the robot
  2. The robot sends progress data to the historian

Head to the “Enclaves” page, and create a new enclave, named “Robot Picking Workshop”.

Save to add the new enclave, and click on the entry that was just created. In the new screen, use the pencil icon on the right of the “Permission Matrix” to register a new permission:

Select the CAM server, the modbus/tcp service of the robot and the mqtt service of the historian to add them to the enclave.

Use the matrix to allow the two flows discussed in this section: from the CAM server to the robot, and from the robot to the historian.

The CAM server should now be able to send jobs to the robot at the address kuka.fabcore.tr-sec.net! (I hope you can try it for real).
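To make the default-deny behaviour of the permission matrix concrete, here is a small model of the enclave built above. This is an added illustration, not Access Gate code; the asset names, overlay addresses and the port numbers attached to the modbus/tcp and mqtt services are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Address ranges from the prerequisites section of the tutorial.
UNDERLAY = ipaddress.ip_network("10.0.0.0/16")
OVERLAY = ipaddress.ip_network("100.64.0.0/16")


def in_overlay(ip: str) -> bool:
    """An asset only gets an automatic URL when its IP sits inside the overlay."""
    return ipaddress.ip_address(ip) in OVERLAY


@dataclass
class Asset:
    name: str
    overlay_ip: str
    services: dict = field(default_factory=dict)  # service name -> port (constructed)


@dataclass
class Enclave:
    name: str
    description: str
    members: set = field(default_factory=set)   # asset names selected into the enclave
    allowed: set = field(default_factory=set)   # (src asset, dst asset, dst service)

    def permit(self, src: Asset, dst: Asset, service: str) -> None:
        # Refuse to tick a matrix cell for a service the destination does not expose.
        if service not in dst.services:
            raise ValueError(f"{dst.name} has no service {service!r}")
        self.allowed.add((src.name, dst.name, service))

    def is_allowed(self, src: str, dst: str, service: str) -> bool:
        # Default deny: both endpoints must be members and the exact directional
        # flow must appear in the matrix. The reverse direction is not implied.
        return (src in self.members and dst in self.members
                and (src, dst, service) in self.allowed)


# Constructed sample matching the three devices registered in the tutorial.
cam = Asset("cam-server", "100.64.0.10")
robot = Asset("kuka-robot", "100.64.0.20", {"modbus/tcp": 502})
historian = Asset("historian", "100.64.0.30", {"mqtt": 1883})

workshop = Enclave("Robot Picking Workshop", "Robot picking on the loading bay.")
workshop.members.update({cam.name, robot.name, historian.name})
workshop.permit(cam, robot, "modbus/tcp")   # flow 1: job submission
workshop.permit(robot, historian, "mqtt")   # flow 2: data logging
```

Any flow not explicitly ticked, including the historian talking to the robot or the robot talking back to the CAM server, is denied by construction.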

Document the access policy

For your own understanding, and to demonstrate compliance, leave an explanation of the rationale for allowing those flows.

Click in the editing space below the “Description” section to add a note, for example:

Robot picking on the loading bay. Rules allow: 1. Job submission from the CAM server 2. Data logging to historian

You now have a fully configured and documented enclave, creating a tight boundary around your industrial assets.

Summary

Congratulations on creating your first enclave! There were quite a few steps along the way, so let’s recap the important points:

  1. Assets were registered in the inventory, so Access Gate is now monitoring them
  2. An enclave was created around those assets to allow them to communicate

Enclaves are very lightweight, so it makes sense to create multiple enclaves depending on your business needs: for example, you could create another enclave to deal with the data flow from the robot to the historian – try it!

Access Gate is automatically monitoring network communication between those devices: you will quickly see how your users are accessing the new resources.