Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.osto.one/llms.txt

Use this file to discover all available pages before exploring further.

Once registered, end users can only reach the server through Osto — never directly. Osto offers two patterns:
  • Standalone Secure Server — install Osto’s agent on each server.
  • Secure Gateway with Child Servers — install one gateway, then register child servers by private IP. The gateway brokers the connections.
Both share the same access controls and policies; the difference is operational.

Standalone Secure Server

Path: Assets → Server Access → Secure Server

Adding a Secure Server

1

Navigate to Secure Server

In the sidebar, go to Assets → Server Access → Secure Server and click Add Secure Server +.
2

Fill in the server details

  • Name — a unique, identifiable name (appears in policies and logs).
  • Secure Session Window — how long a brokered session stays active, in minutes. Default is 60 minutes.
  • Multi-Factor Authentication — enabled by default. We recommend leaving it on.
3

Generate the install script

Click Generate Script. The server appears in the list immediately, and a “Copy Installation Script:” panel opens with two buttons.
4

Copy and run the script on your server

Click Script for Linux or Script for Windows — the install command copies to your clipboard. SSH (or use RDP/PowerShell on Windows) into the server and execute the command.
5

Confirm registration

Once the script finishes, the server is registered. You can re-copy either script anytime from the Linux / Windows buttons in the Install Command column on the list.

Supported platforms

  • Linux: Ubuntu 18.04, 20.04, 22.04, 24.04; Debian 10 (Buster), 11 (Bullseye), 12 (Bookworm).
  • Windows: Windows Server 2019, 2022; Windows Enterprise Multi-Session 10, 11.
For any platform outside this list, talk to your Osto contact before deploying.

Editing a Secure Server

  1. Click the edit (pencil) icon on the server’s row.
  2. Update its name, session window, or MFA setting.
  3. Save.

Deleting a Secure Server

  1. Click the delete (trash) icon on the server’s row.
  2. Confirm in the prompt.
Deleting a Secure Server is irreversible. It removes the registration, revokes all access policies that reference it, and invalidates any active sessions. The agent on the server becomes orphaned — re-onboard with a fresh script if you intend to re-register it.

Secure Gateway with Child Servers

Path: Assets → Server Access → Secure Gateway
A Secure Gateway lets one Linux host inside your network broker access to many child servers. Child servers don’t need the Osto agent installed — they’re identified by private IP, and the gateway routes traffic to them.

Adding a Secure Gateway

1

Navigate to Secure Gateway

Go to Assets → Server Access → Secure Gateway and click Add Secure Gateway +.
2

Name the gateway

Enter a Name for the gateway and click Create Secure Gateway. The gateway row appears with a “Copy Installation Script:” panel.
3

Install the gateway agent

Click Script for Linux — the install command copies to your clipboard. SSH into the gateway host and run the command.
Secure Gateway is Linux-only — Ubuntu, Debian, and similar distributions. Windows hosts can be Secure Servers (standalone) but not Gateways.

Adding child servers to a Gateway

Once the gateway is configured:
  1. In the Secure Gateway list, click the + Add button on the gateway’s row.
  2. The “Edit Secure Gateway” dialog opens with:
    • Child Name — a unique name for the child server.
    • Private IP — the internal IP address of the child host.
    • Multi-Factor Authentication — enabled by default.
    • Session Window — default 60 minutes.
  3. Click Add Child Server.
  4. Repeat for each child server you want behind this gateway.
  5. Click Save.
Child servers don’t require any agent installation. The gateway handles all brokering.

Deleting a Gateway

Click the delete (trash) icon on the gateway’s row and confirm.
Deleting a Gateway removes the gateway and every child server it brokered, and invalidates all associated policies. The agent on the gateway becomes orphaned. The gateway’s name cannot be edited after creation — to rename a gateway, you’d need to delete and recreate it (and re-add all child servers).