Install an Advanced Server Access gateway

This is an Early Access feature. To enable it, contact Okta Support.

You can install an Advanced Server Access gateway on an Ubuntu, Debian, or CentOS system. See Supported operating systems.

Before you begin

Verify that the server to install the gateway on:

  • Has access to the public internet to download packages from
  • Has persistent access to listen on the network that you want clients to connect from (usually the public internet).
  • Has adequate storage space to keep your SSH session logs.
  • Can listen on a port that's configured for the gateway (the default is port 7234). Note: If you’re installing the gateway on AWS or another cloud provider, you’ll likely need to change your security group rules.
  • Can connect directly to your destination servers (also known as SSH target hosts).
  • Has the NTP service running and correctly synchronized to external NTP pool servers.

See Advantages of Advanced Server Access gateways for more information on the advantages of gateways, and Capacity planning for more information on processing and storage requirements for gateways.

Start this procedure

Complete the following steps to configure and install an Advanced Server Access gateway:

Create a gateway setup token

Gateways need a setup token to enroll with Advanced Server Access to receive connections. Gateway labels are used to control which gateways can access servers for a given project. You can use one setup token to enroll multiple gateways.

  1. Click Gateways > View All Setup Tokens > Create Setup Token.
  2. Enter a description for the token.
  3. Enter a label to apply to gateways that are set up using this token. A label is a key-value pair (for example, environment:staging). Press Enter after entering a label. Repeat this step for each additional label to add to the token.
  4. Click Submit to create the token.
  5. Click the clipboard icon to copy the token value.

Install a gateway setup token

Each gateway needs a gateway setup token to enroll in Advanced Server Access.

You can provide a gateway setup token to a gateway by placing the setup token on the gateway server or by copying it to a configuration file. Choose one of these methods to install the token:

Place setup token on gateway

You can install a gateway setup token by placing it in /var/lib/sft-gatewayd/setup.token on the server. You can change the path to the setup token file by setting the SetupTokenFile variable in sft-gatewayd.yaml.

This method is recommended because the token is deleted after the gateway is enrolled. When you use a gateway configuration file to install the setup token, the token remains available in plaintext. The setup token is sensitive since it can be used to enroll a gateway and record traffic.

Note: If the SetupToken option in sft-gatewayd.yaml is set and the setup token file is present on the server, then the setup token defined by SetupToken is used.
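
One way to place the token file with restrictive permissions and to catch the precedence case described in the note above. This is an added example, not Okta tooling: the function names are hypothetical, the paths default to the ones named on this page, and it assumes you run it as an account that can write to the token directory and that the resulting file must be readable by the account sft-gatewayd runs as.

```shell
#!/bin/sh
# Added example (not part of the product). Paths default to those on this page.
TOKEN_FILE="${TOKEN_FILE:-/var/lib/sft-gatewayd/setup.token}"
CONFIG_FILE="${CONFIG_FILE:-/etc/sft/sft-gatewayd.yaml}"

# Exit 0 if the config carries an uncommented SetupToken key. Such a key takes
# precedence over the token file and leaves the token on disk in plaintext.
# The pattern does not match "# SetupToken:" or "SetupTokenFile:".
config_has_inline_token() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*SetupToken[[:space:]]*:' "$1"
}

# Read the token from stdin (keeps it out of argv and shell history) and write
# it to $1 with mode 0600. A temp file plus rename means a partially written
# token never appears at the final path.
install_setup_token() {
    dest=$1
    dir=$(dirname "$dest")
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    IFS= read -r token || true
    if [ -z "$token" ]; then
        echo "empty token on stdin" >&2
        return 1
    fi
    tmp=$(mktemp "$dir/.setup.token.XXXXXX") || return 1
    if printf '%s\n' "$token" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
        unset token
        return 0
    fi
    rm -f "$tmp"
    unset token
    return 1
}

# Refuse to place a token file while the config still holds an inline token,
# because the file would be ignored and the plaintext copy would remain.
place_token() {
    if config_has_inline_token "$CONFIG_FILE"; then
        echo "SetupToken is set in $CONFIG_FILE and overrides $TOKEN_FILE" >&2
        return 2
    fi
    install_setup_token "$TOKEN_FILE"
}
```

After sourcing the file, pipe the copied token into `place_token`; a return code of 2 means the inline SetupToken line in the configuration file should be removed or commented out first.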

Create a gateway configuration file

Create the file /etc/sft/sft-gatewayd.yaml on your gateway host with the following configuration, replacing yoursetuptoken with the token value that you copied from the previous task:

    # Setup token from ASA. This is required for the gateway to start correctly.
    SetupToken: yoursetuptoken

    # Verbosity of the logs. info is the default and recommended. debug or error
    # levels are also available.
    # LogLevel: info

    # The network address clients will be instructed to use to access this gateway.
    # AccessAddress: ""
    # The network port clients will be instructed to use to access this gateway.
    # AccessPort: 7234

    # The network address that the gateway will listen on.
    # ListenAddress: ""
    # The network port that the gateway will listen on.
    # ListenPort: 7234

    # The directory where finalized session logs will be stored.
    # SessionLogDir: "/var/log/sft/sessions"

    # SessionLogFlushInterval controls how frequently logs for an active session
    # are signed and flushed to disk. Logs are flushed when the flush interval or
    # size constraint has been exceeded, whichever comes first.

    # Valid time units for the flush interval are "ns", "us" (or "µs"), "ms", "s",
    # "m", "h".

    # The max buffer size is in bytes.
    # SessionLogFlushInterval: 10s
    # SessionLogMaxBufferSize: 262144

Note: If you installed the gateway before creating a configuration file, restart the gateway to load the new configuration. See Restart an Advanced Server Access gateway.

Install the gateway

Install the Advanced Server Access gateway onto Ubuntu or Debian

  1. Add the apt repository:

    echo "deb linux main" | sudo tee -a /etc/apt/sources.list

  2. Trust the repository signing key:

    curl -C - | sudo apt-key add -

  3. Update the list of available packages:

    sudo apt-get update

  4. Install the gateway:

    sudo apt-get install scaleft-gateway

Install the Advanced Server Access gateway onto Red Hat, CentOS, or Fedora

  1. Add the yum repository:

    curl -C - | sudo tee /etc/yum.repos.d/scaleft.repo

  2. Trust the repository signing key:

    sudo rpm --import

  3. Install the gateway:

    sudo yum install scaleft-gateway

Related topics

Gateways and bastions

Session capture