Creating a Gateway Relay

Create a gateway when you need to provide ingress into your databases and servers.

Gateway relays are the initial entry point into the strongDM network and must therefore be assigned an address that is accessible to your users. strongDM gateways can be exposed directly to the public internet, or they may be deployed to a restricted network. As long as your users can access the configured “listen address”, the strongDM client will behave properly.

Note: If you will be deploying your gateway relay in a Docker container, please follow the steps in the Docker Gateway Relay Guide.

  1. Generate a gateway token. Log into the web UI and select Relays on the left navigation bar. Click on the add gateway button in the upper right, and a box will pop up. You can rename the relay here, or do it later. Advertised host should be the IP address or host that the gateway will be listening on. Select a port (default 5000) for the service to listen on. Bind IP should be unless you only want the gateway to listen on one specific interface. Finally, the second port field should match the first.

    Click on create and the gateway token will appear onscreen.

    New Gateway

    Copy the relay token and put it aside, being careful to capture every character. You will need it again below.

    Note: See sdm relay create-gateway if you want to generate a token via the CLI.

  2. Set up a 64-bit Linux instance that will run the gateway. If you have two gateways, you need two instances. Machines should have at least 2 CPUs and 4 GB of memory.

  3. Turn SE Linux off if it is running.

  4. Login to the relay instance and download the SDM binary:

    $ curl -J -O -L

  5. Unzip it:

    $ unzip

  6. Install the relay:

    $ sudo ./sdm install --relay

    Note: The installer must be run by a user that exists in the /etc/passwd file. Any users remotely authenticated, such as with LDAP or an SSO service, may fail to complete the installation.

  7. You will be prompted for the relay token you created in Step 1. Paste it in. It will not echo back to you for security purposes.

  8. Turn SE Linux on if you disabled it in step five.

  9. Login to the Admin UI and hard refresh. The Relays section will appear on the left hand navigation. In that section, the relay you created should appear Online, with a heartbeat.

  10. Confirm your gateway creation was successful by verifying that the LISTENADDR is accessible from the appropriate end user network:

     telnet 5000
     Connected to
     Escape character is '^]'
  11. Add a datasource using the internal IP address that the relay can access.

  12. Once added, you should see its name populate under ‘Datasources Served’ section of each Relay that is serving it. (another hard refresh might be required).

If you have multiple relays to create, follows steps 1 - 10 for each relay.

If any errors occur, please copy them into an email and send to