Nodes
Last modified on March 24, 2023
Nodes are gateways and relays.
Gateways serve as the primary entry point to a StrongDM network. Gateways have an assigned IP address and optional DNS entry.
Relays, much like gateways, are how the StrongDM network connects with resources such as databases and servers. Unlike a gateway, the relay does not listen for client connections. When might this be helpful? For a secure network where you are not able to expose ports, the StrongDM relay is the answer. The relay dials out to connect to your gateways, preserving the egress-only nature of your firewall, but allowing your StrongDM clients to reach any configured resources in the network via those connections.
Both gateways and relays decrypt end-user credentials and deconstruct requests for auditing purposes.
Gateways
Gateways serve as the primary entry point to a StrongDM network. Therefore, each gateway must be assigned an address that is accessible to your users. They can be deployed with a Domain Name System (DNS) entry or sit privately on the corporate network behind a Virtual Private Network (VPN). You can also assign an IP address directly if you prefer not to use DNS or a VPN. You need at least one gateway to connect to resources, but we recommend running them in pairs.
StrongDM gateways are usually exposed directly to the internet. In the case of a flat network, the gateway talks to the target systems on the corporate network. On a segmented network with no ingress, however, resources such as databases and servers may not be publicly accessible. If you wish to extend your StrongDM network into a more secure network or subnet, you may deploy a relay behind your firewall to route traffic and allow egress-only connections to secured resources.

Gateways are essentially relays with an assigned IP address and optional DNS entry. Both gateways and relays also decrypt end-user credentials and deconstruct requests for auditing purposes.
When clients connect to the StrongDM network, they request a list of available gateways. StrongDM determines the most suitable route and sends all connections through one or more of these gateways. From the point of view of a resource, such as a database or server, all traffic originates from any relay or gateway with access to the resource.
Gateway settings and configurations can be managed in the StrongDM Admin UI.
Add a Gateway
1. Log in to the Admin UI.
2. Go to Network > Gateways.
3. Click Add gateway. You can rename the gateway here or modify it later. Advertised host is the IP address or host that the gateway listens on. The Advertised port (default 5000) is the port that the service listens on.
4. Click Advanced to add a Bind IP or a Bind Port.
5. Click Create gateway and the gateway token appears in a modal. Copy the gateway token and save it for use in a later step.
6. Set up a 64-bit Linux instance to run the gateway. Machines should have at least 2 CPUs and 4 GB of memory. If the instance is using SELinux, you need to disable SELinux to install the gateway.
7. Log in to the gateway instance. Then download the StrongDM binary:
    curl -J -O -L https://app.strongdm.com/releases/cli/linux
8. Unzip the binary:
    unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
9. Run the installer:
    sudo ./sdm install --relay
    The installer must be run by a user that exists in the /etc/passwd file. Any users remotely authenticated, such as with LDAP or an SSO service, will fail to complete the installation.
10. When you are prompted for the gateway token you created in Step 5, paste it into the terminal and press enter. For security purposes, the token does not display in the terminal.
11. Log in to the Admin UI and go to Network > Gateways. The gateway you created appears online and healthy. You may need to hard refresh the page.
12. Confirm your gateway creation was successful by verifying that the LISTENADDR is accessible from the appropriate end user network, as in the following example:
    telnet 10.0.50.17 5000
    Trying 10.0.50.17...
    Connected to 10.0.50.17
    Escape character is '^]'
13. Repeat this process to create a second gateway if you wish. We recommend running them in pairs for high availability.
Gateway Search Filters
Gateway search filters display gateways according to their name, status, listen address, or bind address. Once you have added at least one gateway, you can use filters to search for specific gateways.
On the Gateways page, type or copy/paste the following filters into the Search field, with or without other text. Do not use quotes or tick marks.
Filter | Description | Example search |
---|---|---|
bindaddr:<IP_ADDRESS> | Shows gateways with the specified bind address | bindaddr:0.0.0.0:5000 finds gateways that have a bind address of 0.0.0.0:5000. |
listenaddr:<IP_ADDRESS> | Shows gateways with the specified listen address | listenaddr:10.0.0.021:5000 finds gateways that have a listen address of 10.0.0.021:5000. |
name:<PARTIAL_STRING> or any free-form text | Shows gateways with names that match the entered string; a partial string is OK | name:keen-coffee or coffee finds all gateways whose names contain those characters. |
status:<BOOLEAN> | Shows gateways that are online (true) or offline (false) | status:false finds all offline gateways. |
Gateway Maintenance Windows
This section describes how to set a maintenance window for gateways. Scheduling a maintenance window gives you some control over the hour of the day at which gateway upgrades happen. If a custom maintenance window is not specified, the default window, hour 7 Coordinated Universal Time (UTC), applies.
All gateways have a maintenance window and follow a standard process for upgrades:
When a gateway is notified of a new version and it has no client connections, it updates itself immediately. This is true whether a custom maintenance window is set or not.
If a gateway does have client connections, however, it enters the state Awaiting Restart and updates as soon as client connections drop to zero. If that doesn’t happen before the maintenance window is reached, the gateway terminates all connections, updates, and restarts with the new version.
There are several ways to schedule maintenance windows. The method you choose depends on your setup and what is easiest for you:
- Install a gateway on a Linux host and add an environment variable.
- Use YAML to deploy your gateway in a container.
- Run the sdm relay CLI command with the --maintenance-window-start option.
General considerations
Please consider the following when scheduling maintenance windows:
- The maintenance window start value is an integer representing the hour of the day, 0 to 23 UTC, when the gateway can terminate connections and restart.
- The default value is 7.
- To ensure high availability for your StrongDM network, we recommend that you set unique maintenance window values for your gateways. At minimum, if your gateways are deployed in pairs, the members of each pair should have different windows. This enables each gateway to restart at a different hour, maintaining availability for users to continue to connect to your resources.
Install a gateway on a Linux host
If your gateway is installed on a Linux host, we recommend that you use the environment variable method to set a maintenance window:
1. Install your gateway using our default Linux gateway instructions. Doing so installs a systemd .service unit file and an environment file.
2. Open the environment file for editing. The default location is /etc/sysconfig/sdm-proxy. Add a new line with the SDM_MAINTENANCE_WINDOW_START variable and the desired UTC hour, like so:
    SDM_RELAY_TOKEN=[redacted]
    SDM_MAINTENANCE_WINDOW_START=15
    Keep the existing SDM_RELAY_TOKEN value in the environment file.
3. Save the file.
4. Run the following to pick up the update:
    systemctl daemon-reload
5. Restart the Gateway service:
    systemctl restart sdm-proxy.service
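To apply the general considerations above (an integer hour 0 to 23 UTC, default 7, and different hours for the two members of a pair) without hand-editing the environment file in the steps just described, here is an added example script; it is not StrongDM's own tooling, it assumes the KEY=VALUE layout of /etc/sysconfig/sdm-proxy shown above, and it takes the file path as a parameter so it can be tried on a copy first:

```shell
#!/bin/sh
# Added example, not StrongDM's own tooling. Manages the
# SDM_MAINTENANCE_WINDOW_START setting in a gateway's environment file
# (default /etc/sysconfig/sdm-proxy, passed in as FILE so it can be
# exercised on a copy) and checks that a gateway pair restarts at
# different UTC hours. Assumes the KEY=VALUE layout shown above.

# valid_hour HOUR: true only for an integer in 0..23 (a UTC hour).
valid_hour() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 23 ]
}

# get_window FILE: print the configured hour, or 7 (the default) if unset.
get_window() {
    v=$(grep '^SDM_MAINTENANCE_WINDOW_START=' "$1" | tail -n 1 | cut -d= -f2)
    echo "${v:-7}"
}

# set_window FILE HOUR: replace or append the setting. Every other line,
# including the existing SDM_RELAY_TOKEN, is copied through unchanged,
# and the file's inode (and so its permissions) is kept by writing
# through 'cat >' rather than moving a temp file over it.
set_window() {
    file=$1; hour=$2
    valid_hour "$hour" || { echo "hour must be 0-23 UTC, got '$hour'" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # grep exits 1 when no line is kept (empty file); that is not an error here.
    grep -v '^SDM_MAINTENANCE_WINDOW_START=' "$file" > "$tmp" || [ $? -eq 1 ]
    echo "SDM_MAINTENANCE_WINDOW_START=$hour" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# check_pair FILE_A FILE_B: succeed only if the two gateways of an HA pair
# have different windows, so they never restart in the same hour.
check_pair() {
    [ "$(get_window "$1")" != "$(get_window "$2")" ]
}

# On a live host (as root), then pick up the change as the steps above do:
#   set_window /etc/sysconfig/sdm-proxy 15 && systemctl daemon-reload && systemctl restart sdm-proxy.service
```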
Use YAML to deploy the StrongDM Gateway Container
If you are using YAML to deploy the StrongDM Gateway image in a container, you can use the SDM_MAINTENANCE_WINDOW_START environment variable as follows:

```yaml
spec:
  containers:
  - name: sdm-relay
    image: 'quay.io/sdmrepo/relay:latest'
    imagePullPolicy: Always
    environment:
    - SDM_RELAY_TOKEN=[redacted]
    - "SDM_ORCHESTRATOR_PROBES=:9090"
    - SDM_MAINTENANCE_WINDOW_START=15
```
In the example shown, the environment variable sets a maintenance window at 15 UTC.
Build a container and pass CLI parameters to the StrongDM binary
If you are building a container and want to pass CLI parameters to the StrongDM binary, you can set a maintenance window by running the following command, where <VALUE> is an integer representing the UTC hour:
sdm relay --maintenance-window-start <VALUE>
For example:
sdm relay --maintenance-window-start 15
In the example shown, we set the value to 15. If the gateway is under load when a new version is released, the maintenance window starts at 15 UTC. At that time, the gateway starts terminating client connections, restarts, and updates.
If any errors occur, please copy them into an email and send them to support@strongdm.com.
Relays
As with gateways, StrongDM uses relays to connect with network resources such as databases and servers. However, relays do not listen for client connections. They can be deployed behind your firewall when internal subnets do not allow ingress, and you are not able to expose ports publicly.
Relays create a reverse tunnel to form connections to the gateway. With this action, they preserve the egress-only nature of your firewall and allow your users to reach any configured resources in the network via the desktop app.

When clients connect to the StrongDM network, they request a list of available gateways. StrongDM determines the most suitable route and sends all connections through one or more of these gateways. From the point of view of a resource, such as a database or server, all traffic originates from any relay or gateway with access to the resource.
The relay component can be deployed as a native Linux service, Docker container, or Kubernetes container. For more, check the Download & Install page in the Admin UI.
Relay settings and configurations can be managed in the StrongDM Admin UI.
Generate a Relay Token

1. Log in to the Admin UI.
2. Go to Network > Relays.
3. Click the Add relay button.
4. In the modal that appears, you can rename the relay, or you can do it later.
5. Click Create relay and the relay token appears.
6. Copy the relay token and save it for use in a later step.
7. Set up a 64-bit Linux instance to run the relay. Machines should have at least 2 CPUs and 4 GB of memory. If the instance is using SELinux, you need to disable SELinux to install the relay.
8. Log in to the relay instance and download the StrongDM binary:
    curl -J -O -L https://app.strongdm.com/releases/cli/linux
9. Unzip it:
    unzip sdmcli_*_linux_amd64.zip
10. Run the installer:
    sudo ./sdm install --relay
    The installer must be run by a user that exists in the /etc/passwd file. Any users remotely authenticated, such as with LDAP or an SSO service, will fail to complete the installation.
11. When prompted for the relay token you created in Step 5, paste it into the terminal and press enter. For security purposes you will not see the token on the screen.
12. Log in to the Admin UI and the relay you created should now appear as online, with a heartbeat. You may need to hard refresh the page.
13. Repeat this process to create a second relay if you wish. We recommend running them in pairs for high availability.
Relay Search Filters
Relay search filters display relays according to their name, status, listen address, or bind address. Once you have added at least one relay, you can use filters to search for specific relays.
On the Relays page, type or copy/paste the following filters into the Search field, with or without other text. Do not use quotes or tick marks.
Filter | Description | Example search |
---|---|---|
bindaddr:<IP_ADDRESS> | Shows relays with the specified bind address | bindaddr:0.0.0.0:5000 finds relays that have a bind address of 0.0.0.0:5000. |
listenaddr:<IP_ADDRESS> | Shows relays with the specified listen address | listenaddr:10.0.0.021:5000 finds relays that have a listen address of 10.0.0.021:5000. |
name:<PARTIAL_STRING> or any free-form text | Shows relays with names that match the entered string; a partial string is OK | name:keen-coffee or coffee finds all relays whose names contain those characters. |
status:<BOOLEAN> | Shows relays that are online (true) or offline (false) | status:false finds all offline relays. |
If any errors occur, please copy them into an email and send them to support@strongdm.com.
Install Your Gateway
The first step to deploy StrongDM is deciding where to host your StrongDM gateways. This is not a final decision; you can change your gateway or add additional gateways at any time. Check out the following guides for installation of a gateway on various tech stacks: