Gateways

Deploy dedicated gateways to proxy connections in your own infrastructure for lowest latency and data residency.

What Are Gateways?

By default, OnePAM routes sessions through shared gateways. With Dedicated Gateways Business+, you deploy your own gateway instances in your data centre or cloud region. This gives you control over data residency, reduces latency, and keeps traffic within your network perimeter.

Gateways connect to the OnePAM control plane via WebSocket and optionally accept agent connections over mTLS. All session data passes through the gateway but is never stored on it.

Registering a Gateway

Navigate to Gateways and click Register Gateway.

  1. Name — a descriptive name for this gateway instance.
  2. WebSocket Endpoint — the wss:// URL where the gateway will listen.
  3. mTLS Address (optional) — host:port for agent mTLS connections.
  4. Region — the deployment region (e.g. eu-west-1).
  5. Max Sessions — session concurrency limit; set to 0 for unlimited.
After registration the API returns a one-time Gateway ID and API Token. Save these immediately — the token cannot be retrieved later.

Managing Gateways

The gateway list shows each gateway's name, status, region, version, connection state, and last-seen timestamp.

Gateway Status
  • Online — connected and accepting sessions.
  • Offline — not connected to the control plane.
  • Draining — finishing active sessions but not accepting new ones (graceful shutdown).
Actions
  • Edit — update name, endpoint, mTLS address, region, max sessions, or status.
  • Delete — permanently unregister the gateway. Active sessions will be terminated.

Assigning Gateways to Resources

When creating or editing a resource, you can assign one or more dedicated gateways. Sessions for that resource will be routed through the assigned gateways instead of shared infrastructure. If no dedicated gateways are assigned, sessions use the default shared gateways.