Skip to main content

Documentation Index

Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt

Use this file to discover all available pages before exploring further.

Secure remote access lets you reach a managed site without opening permanent inbound firewall rules to the router. SDX creates temporary access through the site’s management server and automatically expires it.

Prerequisites

Before you create remote access, make sure:
  • The site is online.
  • The site has an active management tunnel and management server.
  • Your role allows transient access or transient port forwarding.
  • Your client network is allowed by the CIDR you enter.
  • You know whether you need router management access or access to an internal host behind the router.

Access Types

Transient Access

Creates temporary WinBox or SSH access to the managed router. You choose the access type, expiry, and allowed source CIDR.

Transient Port Forwarding

Creates a temporary forward to a specific destination IP and port behind the site. Use this for short-lived access to an internal service.
Transient access can last from 15 minutes up to 24 hours. Use the shortest useful duration for the task.

Create WinBox or SSH Access

1

Open the site

Go to Sites, open the target site, and select Remote Access.
2

Choose the access type

Select WinBox or SSH.
3

Set the duration

Choose an expiry between 15 minutes and 24 hours.
4

Limit the source

Enter the CIDR that should be allowed to use the temporary access.
5

Create and connect

Create the access record, copy the generated connection details, and connect before the expiry time.
For emergency work, create access for the specific engineer or jump-host CIDR instead of using a broad network range.

Create a Temporary Port Forward

Use transient port forwarding when you need to reach a device or service behind the managed router.
1

Open Remote Access

From the site, open Remote Access and choose the port-forwarding option.
2

Enter the destination

Provide the internal destination IP address and destination port.
3

Set the allowed source and expiry

Add the allowed source CIDR and select the shortest duration that supports the task.
4

Connect through the generated endpoint

Use the generated entry point while the forward is active.

Revoke Access

Revoke active access as soon as the task is complete. Expiry is a safety net, not a substitute for closing unused sessions.

Troubleshooting

If remote access fails:
  • Confirm the site is online.
  • Confirm the management server is available for the site.
  • Confirm your current public IP is inside the allowed CIDR.
  • Confirm you are connecting before the expiry time.
  • For port forwarding, confirm the internal destination IP and port are reachable from the router.
  • Try a shorter, newly generated access record if the first one expired or was copied incorrectly.
Do not use transient access as permanent remote access. It is designed for time-bounded operations, support, and incident response.