Install an Advanced Server Access gateway
You can install an Advanced Server Access gateway on an Ubuntu, Debian, or CentOS system. See Supported operating systems.
Before you begin
Verify that the gateway server:
- Can download packages from scaleft.com.
- Can listen for incoming connections from clients.
Note: If you’re installing the gateway on a cloud provider like AWS, you may need to modify your security group rules.
- Can connect directly to your destination servers (also known as SSH target hosts).
- Has adequate storage space to store your SSH session logs.
- Is running the NTP service and correctly synchronized to external NTP pool servers.
Start this procedure
Complete the following steps to configure and install an Advanced Server Access gateway:
Gateways need a setup token to enroll with Advanced Server Access. You can use a single setup token to enroll multiple gateways.
- Click Gateways > View All Setup Tokens > Create Setup Token.
- Enter a description for the token.
- Specify labels to apply to gateways using this token. Labels control server access for a given project.
- Click Submit to create the token.
- Click the clipboard to copy the token value.
After you create the gateway setup token, you need to add it to the gateway. You can choose between adding the token to a token file or adding it to a gateway configuration file.
Adding the setup token to a token file on the gateway is the recommended method. The setup token allows any server to enroll a gateway and record traffic, but using this method deletes the token after the gateway is enrolled. If you add the setup token to the gateway configuration file instead, the token remains available in plaintext.
By default, the token should be added to /var/lib/sft-gatewayd/setup.token. You can change the path to the setup token file by configuring the SetupTokenFile option in sft-gatewayd.yaml.
Note: If the SetupToken option in sft-gatewayd.yaml is set and the setup token file is also present on the server, the setup token defined by SetupToken is used.
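The following audit script is an added example, not part of the Advanced Server Access product or its documentation. It checks which of the two token methods a host uses and flags the plaintext and precedence cases described above. The function names are hypothetical and the `stat -c` call assumes GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example: audits how a gateway host supplies its setup token.
# Paths and option names come from the page; the function names are
# hypothetical and exist only for this illustration.

# Print the value of an uncommented top-level YAML option, if any.
yaml_opt() {  # usage: yaml_opt KEY FILE
  sed -n "s/^$1:[[:space:]]*//p" "$2" 2>/dev/null | head -n 1 | tr -d "\"'"
}

# Echo one finding per line; return 1 if any finding is a risk.
audit_setup_token() {  # usage: audit_setup_token CONFIG [DEFAULT_TOKEN_FILE]
  local cfg="$1" token_file="${2:-/var/lib/sft-gatewayd/setup.token}"
  local inline custom mode rc=0
  inline=$(yaml_opt SetupToken "$cfg")
  custom=$(yaml_opt SetupTokenFile "$cfg")
  if [ -n "$custom" ]; then token_file=$custom; fi

  if [ -n "$inline" ]; then
    echo "RISK: SetupToken is set in $cfg and stays there in plaintext"
    rc=1
  fi
  if [ -f "$token_file" ]; then
    mode=$(stat -c '%a' "$token_file")
    # The last two octal digits are the group and other permissions.
    case $mode in
      *00|0) echo "OK: $token_file is mode $mode" ;;
      *)     echo "RISK: $token_file is mode $mode, accessible beyond its owner"; rc=1 ;;
    esac
    if [ -n "$inline" ]; then
      echo "NOTE: both are present; the gateway uses SetupToken from $cfg"
    fi
  elif [ -z "$inline" ]; then
    echo "INFO: no setup token found (expected once the gateway is enrolled)"
  fi
  return $rc
}

# Run the audit only when a config path is passed on the command line.
if [ "$#" -gt 0 ]; then
  audit_setup_token "$@"
fi
```

On a gateway host, pass /etc/sft/sft-gatewayd.yaml as the first argument; a non-zero exit status means at least one RISK line was reported.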
Create the file /etc/sft/sft-gatewayd.yaml on your gateway host with the following configuration, replacing yoursetuptoken with the token value that you copied from the previous task:
# The setup token from Advanced Server Access. This is required for the gateway to start correctly.
SetupToken: yoursetuptoken
# The network address clients will be instructed to use to access this gateway.
# AccessAddress: "188.8.131.52"
# The network port clients will be instructed to use to access this gateway.
# AccessPort: 7234
# The network address that the gateway will listen on.
# ListenAddress: "0.0.0.0"
# The network port that the gateway will listen on.
# ListenPort: 7234
# The URL to an HTTP CONNECT proxy used for outbound network connectivity to
# Advanced Server Access. Alternatively, use the HTTPS_PROXY environment
# variable to configure this proxy. Default: none
# ForwardProxy: https://proxy.mycompany.example
# Forces the gateway to use the bundled certificate store (instead of the OS certificate store)
# to secure HTTP requests with TLS. This also includes requests to the
# Advanced Server Access cloud service.
# To use the OS certificate store, set to false. Default: true
# TLSUseBundledCAs: true
# Verbosity of the logs. info is the default and recommended.
# Possible values: debug, info, warn, error
# LogLevel: info
# The directory where finalized session logs are stored.
# SessionLogDir: "/var/log/sft/sessions"
# Controls how frequently to sign and flush logs for an active session.
# Logs are flushed after exceeding either value. Valid time units for
# the flush interval are "ns", "us" (or "µs"), "ms", "s", "m", "h".
# The max buffer size is in bytes.
# SessionLogFlushInterval: 10s
# SessionLogMaxBufferSize: 262144
Note: If you installed the gateway before creating a configuration file, restart the gateway to load the new configuration. See Restart an Advanced Server Access gateway.
Install the Advanced Server Access gateway onto Ubuntu or Debian
- Some versions of Debian require you to install GnuPG:
sudo apt-get install gpg
- Add the Advanced Server Access repository key:
curl -fsSL https://dist.scaleft.com/pki/scaleft_deb_key.asc | gpg --dearmor | sudo tee /usr/share/keyrings/scaleft-archive-keyring.gpg > /dev/null
- Create a package resource list entry:
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/scaleft-archive-keyring.gpg] http://pkg.scaleft.com/deb linux main" | sudo tee -a /etc/apt/sources.list.d/scaleft.list > /dev/null
- Update the list of available packages:
sudo apt-get update
- Install the gateway:
sudo apt-get install scaleft-gateway
Install the Advanced Server Access gateway onto Red Hat, CentOS, or Fedora
- Add the yum repository:
curl -C - https://pkg.scaleft.com/scaleft_yum.repo | sudo tee /etc/yum.repos.d/scaleft.repo
- Trust the repository signing key:
sudo rpm --import https://dist.scaleft.com/pki/scaleft_rpm_key.asc
- Install the gateway:
sudo yum install scaleft-gateway