> ## Documentation Index
> Fetch the complete documentation index at: https://docs.osto.one/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing Secure Servers

> Register the servers you want Osto to broker Zero Trust access to.

Once registered, end users can only reach the server through Osto — never directly.

Osto offers two patterns:

* **Standalone Secure Server** — install Osto's agent on each server.
* **Secure Gateway with Child Servers** — install one gateway, then register child servers by private IP. The gateway brokers the connections.

Both share the same access controls and policies; the difference is operational.

***

## Standalone Secure Server

> **Path:** Assets → Server Access → Secure Server

### Adding a Secure Server

<Steps>
  <Step title="Navigate to Secure Server">
    In the sidebar, go to **Assets → Server Access → Secure Server** and click **Add Secure Server +**.
  </Step>

  <Step title="Fill in the server details">
    * **Name** — a unique, identifiable name (appears in policies and logs).
    * **Secure Session Window** — how long a brokered session stays active, in minutes. Default is **60 minutes**.
    * **Multi-Factor Authentication** — enabled by default. We recommend leaving it on.
  </Step>

  <Step title="Generate the install script">
    Click **Generate Script**. The server appears in the list immediately, and a "Copy Installation Script:" panel opens with two buttons.
  </Step>

  <Step title="Copy and run the script on your server">
    Click **Script for Linux** or **Script for Windows** — the install command copies to your clipboard. SSH (or use RDP/PowerShell on Windows) into the server and execute the command.
  </Step>

  <Step title="Confirm registration">
    Once the script finishes, the server is registered. You can re-copy either script anytime from the **Linux** / **Windows** buttons in the Install Command column on the list.
  </Step>
</Steps>

#### Supported platforms

* **Linux:** Ubuntu 18.04, 20.04, 22.04, 24.04; Debian 10 (Buster), 11 (Bullseye), 12 (Bookworm).
* **Windows:** Windows Server 2019, 2022; Windows Enterprise Multi-Session 10, 11.

For any platform outside this list, talk to your Osto contact before deploying.

### Editing a Secure Server

1. Click the **edit (pencil)** icon on the server's row.
2. Update its name, session window, or MFA setting.
3. Save.

### Deleting a Secure Server

1. Click the **delete (trash)** icon on the server's row.
2. Confirm in the prompt.

<Warning>
  Deleting a Secure Server is irreversible. It removes the registration, revokes all access policies that reference it, and invalidates any active sessions. The agent on the server becomes orphaned — re-onboard with a fresh script if you intend to re-register it.
</Warning>

***

## Secure Gateway with Child Servers

> **Path:** Assets → Server Access → Secure Gateway

A Secure Gateway lets one Linux host inside your network broker access to many child servers. Child servers don't need the Osto agent installed — they're identified by private IP, and the gateway routes traffic to them.

### Adding a Secure Gateway

<Steps>
  <Step title="Navigate to Secure Gateway">
    Go to **Assets → Server Access → Secure Gateway** and click **Add Secure Gateway +**.
  </Step>

  <Step title="Name the gateway">
    Enter a **Name** for the gateway and click **Create Secure Gateway**. The gateway row appears with a "Copy Installation Script:" panel.
  </Step>

  <Step title="Install the gateway agent">
    Click **Script for Linux** — the install command copies to your clipboard. SSH into the gateway host and run the command.
  </Step>
</Steps>

<Note>
  Secure Gateway is **Linux-only** — Ubuntu, Debian, and similar distributions. Windows hosts can be Secure Servers (standalone) but not Gateways.
</Note>

### Adding child servers to a Gateway

Once the gateway is configured:

1. In the Secure Gateway list, click the **+ Add** button on the gateway's row.
2. The "Edit Secure Gateway" dialog opens with:
   * **Child Name** — a unique name for the child server.
   * **Private IP** — the internal IP address of the child host.
   * **Multi-Factor Authentication** — enabled by default.
   * **Session Window** — default 60 minutes.
3. Click **Add Child Server**.
4. Repeat for each child server you want behind this gateway.
5. Click **Save**.

Child servers don't require any agent installation. The gateway handles all brokering.

### Deleting a Gateway

Click the **delete (trash)** icon on the gateway's row and confirm.

<Warning>
  Deleting a Gateway removes the gateway *and* every child server it brokered, and invalidates all associated policies. The agent on the gateway becomes orphaned. The gateway's name cannot be edited after creation — to rename a gateway, you'd need to delete and recreate it (and re-add all child servers).
</Warning>

***

## Related

* [Secure Server Access Policy](/how-to-guides/policy-configuration/secure-server-access-policy) — define who can access which server, when, and for how long.
* [Core Concepts → Server Access](/getting-started/core-concepts) — the model behind Secure Server vs. Secure Gateway.
