Zero Trust Server Access

Securely connect to Linux and Windows servers over SSH and RDP through a pure client certificate architecture that eliminates the use of static credentials


A more secure way to manage privileged access

Static credentials are one of the most common attack vectors leading to insider breaches. Traditional methods, such as storing them in a vault service or checkout system, are just a temporary fix for a bigger problem.

ScaleFT designed a revolutionary method for securely accessing servers through an ephemeral client certificate architecture. The ScaleFT client certificate PKI is transparent to the user, and built natively into the SSH and RDP protocols. ScaleFT performs the authentication and authorization behind the scenes, with the supporting PKI handled through a built-in Certificate Authority.


Why choose ScaleFT Server Access

Keyless Privileged Access
Eliminates Static Credentials

You no longer have to worry about how to manage, track, or rotate those dangerous static credentials. With a built-in Certificate Authority, ScaleFT allows you to log in to servers using ephemeral client certificates.

Built for the Modern Cloud

Traditional PAM products were built for a different time, and it shows in their capabilities. ScaleFT was born in the cloud, with an architecture that better supports distributed teams, systems, and applications.

Transparent End User Workflow
Transparent User Friendly Workflow

You can use SSH and RDP just as you normally would. ScaleFT builds in the authentication and authorization workflows within the protocols themselves, without any additional configuration.

Our fresh approach to Linux & Windows server access

ScaleFT Zero Trust Server Access
  • Users run the ScaleFT Client on their devices to synchronize certificates with the local Operating System and monitor state

  • Every request is authenticated with the Identity Provider configured for the ScaleFT team - Okta, G Suite, Active Directory, etc.

  • The Certificate Authority built into the platform issues an ephemeral client certificate to the user scoped to the individual request
  • Servers enrolled with ScaleFT run a lightweight agent that manages local user accounts, configures the cert store, and captures event logs

  • For every request, the user and connecting device are authorized against the access controls & policies of the project and resource

  • The client certificate is used by the ScaleFT client to initiate a secure SSH or RDP session with the server without additional configuration

We deliver the most expansive feature set on the market

Built-in Certificate Authority

ScaleFT operates its own CA as a component of the platform, used to issue client certificates to the user on every login attempt. Each project has its own dedicated CA, and performs the crypto on servers without an outbound network connection.

Ephemeral Client Certificates

Each client certificate has a default expiration of 3 minutes, and is scoped to the user and resource being accessed. User and device metadata is injected into the certificate, which is used as a point-in-time attestation of trust for initiating secure SSH and RDP sessions.
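As an added illustration (not ScaleFT's code), the scope and lifetime properties described above can be checked on an OpenSSH-format user certificate by reading its principal list and validity window. The sample certificate is constructed inline with dummy key and signature bytes, the function names are hypothetical, and signature verification against the CA is out of scope here.

```python
import struct

MAX_TTL = 180  # seconds: the 3-minute default TTL quoted on this page

def _s(b):  # SSH wire string: uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def build_sample_cert(principals, valid_after, valid_before):
    """Constructed ssh-ed25519 user cert: empty options/extensions, dummy key and signature."""
    return b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"),
        _s(b"\x00" * 32), _s(b"\x00" * 32),              # nonce, public key
        struct.pack(">QI", 1, 1), _s(b"sample-key-id"),  # serial, type 1 = user, key id
        _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">QQ", valid_after, valid_before),
        _s(b""), _s(b""), _s(b""), _s(b"dummy-ca-key"), _s(b"dummy-signature")])

def _string(buf, off):
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def parse_cert(blob):
    off = 0
    for _ in range(3):                                   # skip type, nonce, public key
        _, off = _string(blob, off)
    _serial, cert_type = struct.unpack_from(">QI", blob, off)
    _key_id, off = _string(blob, off + 12)
    packed, off = _string(blob, off)
    after, before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(packed):
        name, p = _string(packed, p)
        principals.append(name.decode())
    return cert_type, principals, after, before

def refusal_reasons(blob, user, now):  # empty list = certificate passes the policy
    cert_type, principals, after, before = parse_cert(blob)
    why = [] if cert_type == 1 else ["not a user certificate"]
    if not principals:
        why.append("empty principal list (format: valid for any principal)")
    elif user not in principals:
        why.append("principal mismatch")
    if not after <= now < before:
        why.append("outside validity window")
    if before - after > MAX_TTL:
        why.append("lifetime exceeds TTL policy")
    return why
```

A check like this is useful in an audit job over issued certificates: a long validity window or an empty principal list turns an ephemeral credential back into something close to a static one.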

Bastion Support

Users can route SSH and RDP connections over bastions to servers in private networks, without having to use SSH Agent Forwarding. Simply pass the bastion server as a flag in the connection string, and ScaleFT will make the hop transparently.

SSH & RDP Protocol Support

ScaleFT integrates natively with the transport protocols themselves to ensure a streamlined end user experience, and to provide visibility into the activities performed during a session. This is done without any additional configuration or patching.

Identity Provider Integration

ScaleFT integrates with your corporate identity provider (IdP) for authentication and to provide rich account management on both Linux and Windows servers. This includes Google Apps and Okta, and we directly support SAML or OpenID Connect.

Cloud Platform Integration

The ScaleFT server agent integrates with cloud provider specific metadata services to automatically configure itself and enroll servers with the Platform. This saves time during deployment and ensures a seamless operations experience.

Technical specifications

Client App
  • Supported Operating Systems: Mac OS; Linux (CoreOS, Ubuntu, Red Hat, CentOS, Fedora)
  • SSH Configuration Options: Use ProxyCommand; Save private keys in local crypto store; Netcat or native SSH port forwarding; Enable SSH agent; Enable service users; Print additional debugging info to stderr; URL Handler
  • RDP Configuration Options: Screensize; Fullscreen Mode; URL Handler

ScaleFT Agent
  • Supported Operating Systems: Windows; Linux (CoreOS, Ubuntu, Red Hat, CentOS, Fedora)
  • Configuration Options: Enable/Disable Autostart; Auto enroll servers; Config file location; Certificate path
  • Logging: Log files will be rotated after 5MB, and the latest 10 log files will be kept

Certificate Authority
  • Client Certificates: SSH, X.509
  • Default TTL: 3 Minutes

Identity Providers
  • GitHub: Basic OAuth authentication workflow. You can send invitations to add additional members to your team.
  • Google Apps: Any user in your Google Apps Domain will be allowed to join your team.
  • Okta: Any user to whom you have assigned the ScaleFT app will be allowed to join your team.

Cloud Platforms
  • Amazon Web Services: Associate an AWS account with a ScaleFT project to automatically enroll launched instances.

Read our extensive Documentation for more information, getting started guides, and tutorials

"Our Passport feature leverages ScaleFT to give Rackers and Customers secure access control to their AWS environments. This capability is a key part of our value to Customers."

- Erik Carlin, Vice President, Fanatical AWS Product & Engineering at Rackspace

Sick of VPNs?

All of our plans start with a 30 day free trial. No credit card required. See our flexible Pricing Plans.
