How StrongDM Works

Last modified on March 24, 2025

Your StrongDM network is made up of several components: the client, node(s), and resource(s).

The client is the StrongDM Desktop application and/or CLI that is installed locally on a machine by a user, who is typically a member of your organization. Users use the client to authenticate to StrongDM, use StrongDM, manage their organization, and/or interact with resources.

StrongDM nodes are gateways and relays. A gateway is the entry point for the client into the rest of your StrongDM network. Responsible for routing your client’s traffic to other nodes as required and eventually to resources, gateways serve incoming and outgoing traffic. When users authenticate to StrongDM via their client, the StrongDM service checks their access grants and provides the client a list of available resources for that user, which they can view in the desktop app or from the CLI. Once a connection to resource is initiated and the client attempts to send traffic to it, the client reaches out to a gateway in the organization’s StrongDM network. That gateway routes the client’s traffic through other nodes as necessary and, when the traffic reaches the last node in the route, initiates a connection to the target resource. Every network must have at least one gateway.

Relays perform the same function as gateways, but for security reasons, they initiate connections with gateways and do not accept incoming traffic directly. Relays first initiate secure tunnels with gateways, and only once that connection is established do they accept user traffic along those tunnels and route it on to the destination resource. Relays are often used to allow traffic into private subnets, preventing the need to have ports open to incoming traffic, while still allowing access to the resources within.

Resources are the final part of your network. Whether you have only one gateway or a complicated network that requires many nodes, the same thing happens as your traffic arrives at the last node before reaching the target resource: the node acquires credentials from StrongDM or from your secret store, and authenticates with the target resource.

Your network, large or small, comprises routes that are constantly updated to allow for rapid connections. Clients and nodes are software provided by StrongDM, but the hardware you choose to use to host them is up to you. Additionally, in many cases, you can add the resources that you wish to facilitate access to directly to your StrongDM network without making changes to them.

The StrongDM service can provide information on the current user’s role and access grants, and provide the last gateway in the route with information about how to get credentials for the requested resource. Everything happens imperceptibly to the user, so that they can easily interact with resources by simply logging in to StrongDM.

For more information, see our admin, node, and security documentation.