Install an Advanced Server Access gateway

You can install an Advanced Server Access gateway on an Ubuntu, Debian, or CentOS system. See Supported operating systems.

Before you begin

Verify that the gateway server:

  • Can download packages from
  • Can listen for incoming connections from clients.

    Note: If you’re installing the gateway on a cloud provider like AWS, you may need to modify your security group rules.

  • Can connect directly to your destination servers (also known as SSH target hosts).
  • Has adequate storage space to store your SSH session logs.
  • Is running the NTP service and correctly synchronized to external NTP pool servers.

See Advantages of Advanced Server Access gateways for more information on the advantages of gateways, and Capacity planning for more information on processing and storage requirements for gateways.

Start this procedure

Complete the following steps to configure and install an Advanced Server Access gateway:

Create a gateway setup token

Gateways need a setup token to enroll with Advanced Server Access. You can use a single setup token to enroll multiple gateways.

  1. Click Gateways > View All Setup Tokens > Create Setup Token.
  2. Enter a description for the token.
  3. Specify labels to apply to gateways using this token. Labels control server access for a given project.
  4. Click Submit to create the token.
  5. Click the clipboard icon to copy the token value.

Install a gateway setup token

After you create the gateway setup token, you need to add it to the gateway. You can choose between adding the token to a token file or adding it to a gateway configuration file.

Place setup token on gateway

Adding the setup token to a token file on the gateway is the recommended method. The setup token allows any server to enroll a gateway and record traffic, but using this method deletes the token after the gateway is enrolled. If you add the setup token to the gateway configuration file instead, the token remains available in plaintext.

By default, the token should be added to /var/lib/sft-gatewayd/setup.token. You can change the path to the setup token file by configuring the SetupTokenFile option in sft-gatewayd.yaml.

Note: If the SetupToken option in sft-gatewayd.yaml is set and the setup token file is also present on the server, then the setup token defined by SetupToken is used.

Create a gateway configuration file

Create the file /etc/sft/sft-gatewayd.yaml on your gateway host with the following configuration, replacing yoursetuptoken with the token value that you copied from the previous task:

    # The setup token from Advanced Server Access. This is required for the gateway to start correctly.
    SetupToken: yoursetuptoken

    # The network address clients will be instructed to use to access this gateway.
    # AccessAddress: ""
    # The network port clients will be instructed to use to access this gateway.
    # AccessPort: 7234

    # The network address that the gateway will listen on.
    # ListenAddress: ""
    # The network port that the gateway will listen on.
    # ListenPort: 7234

    # The URL to an HTTP CONNECT proxy used for outbound network connectivity to
    # Advanced Server Access. Alternatively, use the HTTPS_PROXY environment
    # variable to configure this proxy. Default: none
    # ForwardProxy: https://proxy.mycompany.example

    # Forces the gateway to use the bundled certificate store (instead of the OS certificate store)
    # to secure HTTP requests with TLS. This also includes requests to the
    # Advanced Server Access cloud service.
    # To use the OS certificate store, set to false. Default: true
    # TLSUseBundledCAs: true

    # Verbosity of the logs. info is the default and recommended.
    # Possible values: debug, info, warn, error
    # LogLevel: info

    # The directory where finalized session logs are stored.
    # SessionLogDir: "/var/log/sft/sessions"

    # Controls how frequently to sign and flush logs for an active session.
    # Logs are flushed after exceeding either value. Valid time units for
    # the flush interval are "ns", "us" (or "µs"), "ms", "s", "m", "h".
    # The max buffer size is in bytes.
    # SessionLogFlushInterval: 10s
    # SessionLogMaxBufferSize: 262144

Note: If you installed the gateway before creating a configuration file, restart the gateway to load the new configuration. See Restart an Advanced Server Access gateway.
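
The token-file and configuration-file methods described above leave the setup token on disk for different lengths of time, and SetupToken takes precedence when both are present. The following shell functions are an added example, not part of the Okta tooling: they write a token file with owner-only permissions and report a plaintext SetupToken or a token file readable by other users. The function names are hypothetical, and the example assumes the gateway service can read files owned by the user who runs it.

```shell
#!/bin/sh
# Added example (not Okta tooling). Paths and option names are the ones on this page.
DEFAULT_TOKEN_FILE=/var/lib/sft-gatewayd/setup.token

# Succeeds if CONFIG has an uncommented SetupToken key with a non-empty value.
has_inline_token() {
    sed -n 's/^[[:space:]]*SetupToken:[[:space:]]*//p' "$1" 2>/dev/null |
        tr -d "\"'" | grep -q '^[^[:space:]#]'
}

# Print the token file path: SetupTokenFile from CONFIG, else the default.
token_file_path() {
    p=$(sed -n 's/^[[:space:]]*SetupTokenFile:[[:space:]]*//p' "$1" 2>/dev/null |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | head -n 1)
    printf '%s\n' "${p:-$DEFAULT_TOKEN_FILE}"
}

# Write the token from stdin (keeps it out of argv and shell history) with
# owner-only permissions. Assumption: the gateway service can read files
# owned by the user running this function.
install_setup_token() {
    ( umask 077 && mkdir -p "$(dirname "$1")" && cat > "$1" )
}

# Print findings; return 1 if the token is exposed more than necessary.
audit_setup_token() {
    config="${1:-/etc/sft/sft-gatewayd.yaml}"
    token_file=$(token_file_path "$config")
    rc=0
    if has_inline_token "$config"; then
        echo "WARN: SetupToken set in $config; it remains on disk in plaintext"
        [ -e "$token_file" ] &&
            echo "WARN: SetupToken takes precedence over $token_file"
        rc=1
    fi
    if [ -e "$token_file" ] &&
       [ "$(ls -ld "$token_file" | cut -c5-10)" != "------" ]; then
        echo "WARN: $token_file is accessible to group or other users"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: setup token is not exposed in config or by file mode"
    return "$rc"
}
```

To use it, pipe the copied token into `install_setup_token /var/lib/sft-gatewayd/setup.token`, then run `audit_setup_token` with no argument to check the default configuration path.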

Install the gateway

Install the Advanced Server Access gateway onto Ubuntu or Debian

  1. Some versions of Debian require you to install GnuPG:

    sudo apt-get install gpg

  2. Add the Advanced Server Access repository key:

    curl -fsSL | gpg --dearmor | sudo tee /usr/share/keyrings/scaleft-archive-keyring.gpg > /dev/null

  3. Create a package resource list entry:

    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/scaleft-archive-keyring.gpg] linux main" | sudo tee -a /etc/apt/sources.list.d/scaleft.list > /dev/null

  4. Update the list of available packages:

    sudo apt-get update

  5. Install the gateway:

    sudo apt-get install scaleft-gateway

Install the Advanced Server Access gateway onto Red Hat, CentOS, or Fedora

  1. Add the yum repository:

    curl -C - | sudo tee /etc/yum.repos.d/scaleft.repo

  2. Trust the repository signing key:

    sudo rpm --import

  3. Install the gateway:

    sudo yum install scaleft-gateway

Related topics

Gateways and bastions

Session capture