# Secure Remote Access

> Use time-limited transient access and transient port forwarding to reach managed sites through the SDX management path.

Secure remote access lets you reach a managed site without opening permanent inbound firewall rules to the router. SDX creates temporary access through the site's management server and automatically expires it.

## Prerequisites

Before you create remote access, make sure:

* The site is online.
* The site has an active management tunnel and management server.
* Your role allows transient access or transient port forwarding.
* Your client network is allowed by the CIDR you enter.
* You know whether you need router management access or access to an internal host behind the router.

## Access Types

<CardGroup cols={2}>
  <Card title="Transient Access" icon="key-round">
    Creates temporary WinBox or SSH access to the managed router. You choose the access type, expiry, and allowed source CIDR.
  </Card>

  <Card title="Transient Port Forwarding" icon="git-fork">
    Creates a temporary forward to a specific destination IP and port behind the site. Use this for short-lived access to an internal service.
  </Card>
</CardGroup>

Transient access can last from 15 minutes up to 24 hours. Use the shortest useful duration for the task.

## Create WinBox or SSH Access

<Steps>
  <Step title="Open the site">
    Go to **Sites**, open the target site, and select **Remote Access**.
  </Step>

  <Step title="Choose the access type">
    Select WinBox or SSH.
  </Step>

  <Step title="Set the duration">
    Choose an expiry between 15 minutes and 24 hours.
  </Step>

  <Step title="Limit the source">
    Enter the CIDR that should be allowed to use the temporary access.
  </Step>

  <Step title="Create and connect">
    Create the access record, copy the generated connection details, and connect before the expiry time.
  </Step>
</Steps>

<Tip>
  For emergency work, create access for the specific engineer or jump-host CIDR instead of using a broad network range.
</Tip>

## Create a Temporary Port Forward

Use transient port forwarding when you need to reach a device or service behind the managed router.

<Steps>
  <Step title="Open Remote Access">
    From the site, open **Remote Access** and choose the port-forwarding option.
  </Step>

  <Step title="Enter the destination">
    Provide the internal destination IP address and destination port.
  </Step>

  <Step title="Set the allowed source and expiry">
    Add the allowed source CIDR and select the shortest duration that supports the task.
  </Step>

  <Step title="Connect through the generated endpoint">
    Use the generated entry point while the forward is active.
  </Step>
</Steps>

## Revoke Access

Revoke active access as soon as the task is complete. Expiry is a safety net, not a substitute for closing unused sessions.

## Troubleshooting

If remote access fails:

* Confirm the site is online.
* Confirm the management server is available for the site.
* Confirm your current public IP is inside the allowed CIDR.
* Confirm you are connecting before the expiry time.
* For port forwarding, confirm the internal destination IP and port are reachable from the router.
* Try a shorter, newly generated access record if the first one expired or was copied incorrectly.
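
The first checks in this list can be run locally before you create or retry an access record. The script below is an added example, not SDX code, and it does not call any SDX API. The function name, the prefix thresholds used to decide that a range is "broad", and the sample addresses are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

MIN_DURATION = timedelta(minutes=15)  # lower bound stated on this page
MAX_DURATION = timedelta(hours=24)    # upper bound stated on this page
# Assumption: prefixes shorter than these count as a "broad" range.
# Adjust to your own policy; the page does not define a threshold.
MIN_PREFIX = {4: 24, 6: 64}


def check_request(source_cidr, client_ip, duration, created_at, now):
    """Return a list of problems; an empty list means the request looks sane."""
    try:
        # strict=True also rejects host bits set in the CIDR (e.g. .7/24),
        # a common copy error when entering the allowed source.
        net = ip_network(source_cidr, strict=True)
        addr = ip_address(client_ip)
    except ValueError as exc:
        return [f"invalid input: {exc}"]

    problems = []
    if not MIN_DURATION <= duration <= MAX_DURATION:
        problems.append("duration outside 15 minutes to 24 hours")
    if net.prefixlen < MIN_PREFIX[net.version]:
        problems.append(f"source range /{net.prefixlen} is broad; "
                        "use the engineer or jump-host CIDR")
    if addr.version != net.version:
        problems.append("client IP and CIDR are different IP versions")
    elif addr not in net:
        problems.append(f"client IP {addr} is outside {net}")
    if now >= created_at + duration:
        problems.append("access record has expired; create a new one")
    return problems


if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    created = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    now = created + timedelta(minutes=10)
    for cidr, ip, dur in [
        ("203.0.113.7/32", "203.0.113.7", timedelta(hours=1)),
        ("198.51.100.0/24", "203.0.113.7", timedelta(minutes=30)),
        ("0.0.0.0/0", "203.0.113.7", timedelta(hours=48)),
    ]:
        print(cidr, ip, dur, "->", check_request(cidr, ip, dur, created, now) or "ok")
```

Pass the public IP your connection actually egresses from as `client_ip`; a VPN or NAT gateway can make it differ from the address configured on your workstation.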

<Warning>
  Do not use transient access as permanent remote access. It is designed for time-bounded operations, support, and incident response.
</Warning>
