Create a Gateway

Gateways are the initial entry point into the strongDM network and must therefore be assigned an address that is accessible to your users. Your users will need at least one Gateway to connect to resources, but we recommend running them in pairs. strongDM Gateways can be exposed directly to the public internet, or they may be deployed to a restricted network. If you are trying to extend your strongDM network into a secure network, see: Relays.

Generating a Gateway token

  1. Generate a gateway token. Log into the Admin UI and select Gateways on the left navigation bar. Click on the add gateway button in the upper right, and a box will pop up. You can rename the gateway here, or do it later. Advertised host should be the IP address or host that the gateway will be listening on. Select a TCP port (default 5000) for the service to listen on. Bind IP should be unless you only want the gateway to listen on one specific interface. Finally, the second port field should match the first. Click on create and the gateway token will appear onscreen. Copy the gateway token and put it aside. You will need it again in a later step.

  2. Set up a 64-bit Linux instance that will run the gateway. Machines should have at least 2 CPUs and 4 GB of memory.

    If the instance is running SELinux, you will need to disable it to install the gateway: SE Linux

  3. Log in to the gateway instance and download the SDM binary:

    $ curl -J -O -L

  4. Unzip it:

    $ unzip sdmcli_*

  5. Run the installer:

    $ sudo ./sdm install --relay

    The installer must be run by a user that exists in the /etc/passwd file. Any users remotely authenticated, such as with LDAP or an SSO service, will fail to complete the installation.

  6. You will be prompted for the Gateway token you created in Step 1. Paste it into the terminal and press enter. For security purposes you will not see the token on the screen.

  7. Log in to the Admin UI. The Gateway you created should now appear as Online, with a heartbeat. You may need to hard refresh the page.

  8. Confirm your gateway creation was successful by verifying that the LISTENADDR is accessible from the appropriate end user network:

    telnet 5000
    Connected to
    Escape character is '^]'
  9. Repeat this process to create a second Gateway. We recommend running them in pairs for high availability.

If any errors occur, please copy them into an email and send to
