Skip to content

XertifiedRemote Access

Introduction

This document outlines common example designs illustrating how to use XertifiedRemote Access. Choose a design that best fits your needs and proceed to the installation guides. For details about each component, please refer to their respective guides under "What is XoT Technology".

All setups using XoT technology require an XoT Management System (XMS). If you do not have an XMS installation, Xertified can provide one for you, or you can install one yourself using the XMS installation manual.

To configure your XoT you must have access to two XoT-Locks, one of which is configured as a bridge. You can either use the Xertified S1 devices, or install a XoT on an x86 system of your choice.

Communication requirements

Here is a quick look at the TCP/IP and UDP/IP ports that are required for operation. Please see the Network Considerations guide for more details. The arrows depict IP traffic and the direction of session setup for any firewall configuration.

Client to XoT-Lock

These ports are default and can be altered in the XMS system under each XoT-Lock if required.

XoT components to XMS

The XMS requires two IP addresses. One is used for HTTPS endpoints and one for MQTT, which is shown below. Please see the Network Considerations guide for more details.

Remote Access configuration examples

The deployment examples below assume that there is IP communication between the XoT clients and the XoT-Locks. The TCP and UDP ports needed for this communication are shown under the Network Considerations guide page of this document store.

XoT-Bridge in DMZ

Prerequisites

  • Admin access to an XMS installation
  • Access to two XoT-Locks (one of which will be configured as a bridge)
  • A client system with the XoT-Desktop client installed and configured with a user present in the XMS
  • A device that can be connected to the protected side of the XoT-Lock

Setup guide

  1. Designate one of your XoTs to be used as a XoT-Bridge. This should be set up at a location where it will be accessible from wherever your clients will be located, and from the external side, it must have access to the other XoT-Lock that will be used to protect devices. Only the external interfaces of the XoT-Bridge should be connected. The internal side shall remain unused.
  2. The other XoT-Lock should be connected on its external interface to a network that can reach the bridge, and on its internal interface either to a device or subnet that is to be protected.
  3. Enroll both the XoT-Lock and the soon-to-be XoT-Bridge, if they are not already enrolled in the XMS.
  4. Configure the XoT-Bridge with a Bridge Group and with Rendezvous mode disabled.
  5. Put a device of your choosing on the protected side of the XoT-Lock. Make sure this device exposes some sort of service that you can use to test access (e.g., HTTP/HTTPS/SSH/RDP).
  6. Assign one or more assets (device or subnet) to the XoT-Lock in XMS. Make sure the asset has a reasonable classification: Device type, group, and location settings, so it can be targeted by a policy.
  7. While still on the device page for the XoT-Lock, navigate to the Bridge tab, and assign the Bridge Group you created and assigned to your bridge in step 4.
  8. Create a policy which:
    • Source: Type is set to a User Group which your client user belongs to.
    • Destination: Device Type, Device Group and location settings match the classification of your XoT-Lock.
    • How: The services you want to access are added to the Services list.
  9. Connect the client system to a network from which it can reach both the XMS and the XoT-Bridge.
  10. Start the XoT-Desktop client and make sure that the user is selected in the top left dropdown.
  11. If everything has been set up correctly, the client will now get access to the device that is placed on the protected side of the XoT-Lock by connecting via the XoT-Bridge. You will see the status of this connection in the XoT-Desktop client.

XoT-Bridge in a cloud service

Prerequisites

  • Admin access to an XMS installation
  • Access to two XoT-Locks (one of which will be configured as a bridge)
  • A client system with the XoT-Desktop client installed and configured with a user present in the XMS
  • A device that can be connected to the protected side of the XoT-Lock

Setup guide

  1. Designate one of your XoTs to be used as a XoT-Bridge. This should be set up at a location where it will be accessible from wherever your clients will be located, and from any XoT-Lock that will be used to protect devices. Only the external interfaces of the Bridge XoT should be connected. The internal side will remain unused.
  2. The other XoT-Lock should be connected on its external interface to a network that can reach the bridge, and on its internal interface either to a device or subnet that is to be protected.
  3. Enroll both the XoT-Lock and the soon-to-be XoT-Bridge, if they are not already enrolled in the XMS.
  4. Configure the XoT-Bridge with a Bridge Group and with Rendezvous mode enabled.
  5. Put a device of your choosing on the protected side of the XoT-Lock. Make sure this device exposes some sort of service that you can use to test access (e.g., HTTP/HTTPS/SSH/RDP).
  6. Assign one or more assets (device or subnet) to the XoT-Lock in XMS. Make sure the asset has a reasonable classification: Device type, group, and location settings, so it can be targeted by a policy.
  7. While still on the device page for the XoT-Lock, navigate to the Bridge tab, and assign the Bridge Group you created and assigned to your bridge in step 4.
  8. Create a policy which:
    • Source: Type is set to a User Group which your client user belongs to.
    • Destination: Device Type, Device Group and location settings match the classification of your XoT-Lock.
    • How: The services you want to access are added to the Services list.
  9. Connect the client system to a network from which it can reach both the XMS and the bridge.
  10. Start the XoT-Desktop client and make sure that the user is selected in the top left dropdown.
  11. If everything has been set up correctly, the client will now get access to the device that is placed on the protected side of the XoT-Lock by connecting via the XoT-Bridge. You will see the status of this connection in the XoT-Desktop client.

Other Example Deployments

XoT-WebAccess in DMZ

XoT-WebAccess and XoT-Bridge in DMZ

Mix cloud and DMZ deployment

All cloud deployment