How to Cloak strongDM with Twingate

Cloaking strongDM gateways

strongDM is a platform that offers auditing and replay capabilities for protocols such as Secure Session Protocol (SSH) and Remote Desktop Protocol (RDP). By default strongDM requires a publicly exposed TCP/IP port to be opened but with Twingate, this can be made private, similar to how we recommend cloaking Bastion host servers. This means there are no inbound firewall ports to open, rendering your network perimeter invisible from the outside.

By following the steps below, your strongDM Gateway will no longer require a host with a publicly resolvable IP or hostname.


  • Deploy a Twingate Connector onto the same private subnet as your strongDM gateway.
  • From within the Twingate Admin console add the internal hostname or IP address of your strongDM gateway as a new Resource. You can restrict access to the strongDM proxy using a port restriction, which is set to port 5000 by default.
  • Within the strongDM Admin UI you can change the advertised host of the strongDM gateway to the internal hostname or IP that has been setup as a Twingate Resource.


  • Attempt to connect to strongDM resources while not connected to Twingate to verify that access is blocked.
  • Connect to Twingate using the Client application for your platform.
  • Attempt to access strongDM resources again to verify that the connection is successful.

Last updated 3 months ago