Title
Create new category
Edit page index title
Edit category
Edit link
Overview
Secure OT Access™ is a remote access tool that provides a platform for facilitating and monitoring connections between remote users and industrial assets. The software contains built-in tools for security and manageability.

Secure OT Access features include:
The ability to deploy in the Cloud or onsite
The Cloud deployment has no required hardware and can be set up in one day or less.
The onsite Management Console is easy to install. This deployment can also be set up in one day.
Integrates with your Active Directory server for user and Security Group authorization
Enables Policy Enforcement per user and per session
Outbound-only connection from endpoint gateway to Secure OT Access cloud or on-prem instance, with no inbound firewall exceptions required
Inexpensive and flexible pricing model on annual or monthly subscription
Cloud components are hosted on Amazon Web Services (AWS) for maximum reliability and performance
Secure OT Access deployments
Secure OT Access has two possible deployments:
Cloud: OPSWAT manages some aspects of Secure OT Access configuration, including uploading performing software updates at the customers request, and setting Management IPs.
Onsite: The customer manages all Secure OT Access configuration tasks. All traffic inspection and policy enforcement are performed in the onsite server, making it suitable for offline deployments with no internet access.
Except for the Management Console, both deployments have the same functionality. You will receive the equipment, software, etc. appropriate to your deployment.
Supported protocols
Both Secure OT Access deployments support various IT and OT protocols. Refer to Appendix 1 for a table of protocols and their associated policies.
IT protocols
The following IT protocols support both client-based client-less access:
RDP
SSH
The following IT protocols support client-based access only:
HTTP
HTTPS
RDP
SSH
Telnet
Generic TCP
OT protocols
OT protocols support client-based access only:
EtherNet/IP
FINS
MODBUS
OPCUA
S7Comm
SLMP
Secure OT Access components
Secure OT Access components differ, depending on the deployment:
System Configuration Console (on-prem only): Used to perform internal configuration tasks the Secure OT Access instance, such as license activation and static IP configuration. Refer to the Management Console Guide for more information.
Management Console (on-prem or cloud): Used to for everyday manage tasks such as provisioning users, configuring services, and monitoring connections between remote users the OT assets / services to which they have been granted access.
Windows Client / MetaDefender Endpoint: Connects the remote user's computer to the cloud or on-prem Secure OT Access instance, and ultimately to their OT assets.
Windows Service Client: Windows system-level service that can be used as an alternative to the Windows Client. The service launches automatically when the system boots.
Appendix 1: Protocols and Policies
Protocol | Policy | Description |
|---|---|---|
Ethernet IP | None | N/A |
FINS | Read Only | Read:
|
FINS | Full Access | Unrestricted access |
HTTP | Full Access | Protect against SQL injection and cross-site scripting |
HTTPS | None | N/A |
Modbus | Read Only | Read registers or coils |
Modbus | Standard_Ops | Allow the following Modbus operation codes:
|
Modbus | Full Access | Unrestricted access |
OPCUA | Read Only | Deny the following OPCUA operation codes:
|
OPCUA | All Access | Unrestricted access |
RDP | None | N/A |
S7COMM | Read Only | Read
|
S7COMM | Full Access | Unrestricted access |
SLMP | Read Only | Read:
|
SLMP | Full Access | Unrestricted access |
SSH | None | N/A |
Telnet | None | N/A |
VNC | None | N/A |