SPSA - Skillplan Secure Access

On-Premises Zero Trust Network Access Appliance

SPSA (Skillplan Secure Access) is a ready-to-run Zero Trust Network Access (ZTNA) appliance that provides secure remote access to your infrastructure without exposing services directly to the internet. Built on Apache Guacamole 1.6.0, SPSA delivers enterprise-grade security with European data sovereignty as a pre-configured virtual appliance.


Key Features

Secure Remote Access

  • RDP - Remote Desktop Protocol for Windows systems
  • SSH - Secure Shell for Linux/Unix systems
  • VNC - Virtual Network Computing for cross-platform access
  • Telnet - Legacy protocol support for specialized systems

Zero Trust Architecture

  • No direct network exposure of target systems
  • Least-privilege access principle
  • All connections brokered through secure gateway
  • No VPN required

Multi-Factor Authentication

  • Built-in MFA with standard TOTP authenticator apps
  • Cisco DUO Authentication support
  • Time-limited user access
  • Active Directory Single Sign-On
  • Entra ID / SAML integration with native Conditional Access Policies

Session Management

  • Session recording and replay
  • Real-time session monitoring
  • Audit logging for compliance
  • Connection time limits

Product Editions

SPSA is available in two editions to meet different organizational needs:

| Feature | SPSA Foundation | SPSA Pro |
|---|---|---|
| RDP/SSH/VNC/Telnet Access | Yes | Yes |
| Built-in User Database | Yes | Yes |
| MFA (TOTP) | Yes | Yes |
| Cisco DUO Authentication | Yes | Yes |
| Time-limited Access | Yes | Yes |
| Web-based Management (SPSA Portal) | Yes | Yes |
| Integrated Host Firewall | Yes | Yes |
| Active Directory SSO | Yes | Yes |
| Entra ID / SAML Integration | Yes | Yes |
| Conditional Access Policies (via Entra ID) | Yes | Yes |
| Session Recording & Replay | Yes | Yes |
| Distributed Recording Sync | - | Yes |
| SPSA Proxy Support (up to 5) | - | Yes |
| Multi-Site VPN Connectivity | - | Yes |

SPSA Foundation

Ideal for:

  • Single-site deployments
  • Enterprise environments with AD/Entra ID integration
  • Compliance-driven organizations (NIS2, GDPR)
  • Session recording and audit requirements
  • Rapid deployment during security incidents
  • Ransomware recovery scenarios

SPSA Pro

Designed for:

  • Multi-site deployments with distributed SPSA Proxies (up to 5)
  • Organizations requiring site-to-site VPN connectivity
  • Geographically distributed infrastructure

Multi-Site Architecture (SPSA Pro)

```mermaid
flowchart TB
    subgraph Central["SPSA Portal (Central)"]
        PORTAL[SPSA Portal]
        DB[(Central DB)]
        REC[(Recording Storage)]
    end
    subgraph Site1["Site A"]
        P1[SPSA Proxy]
        T1[Target Systems]
    end
    subgraph Site2["Site B"]
        P2[SPSA Proxy]
        T2[Target Systems]
    end
    U[Users] -->|HTTPS| PORTAL
    PORTAL <-->|VPN| P1
    PORTAL <-->|VPN| P2
    P1 -->|RDP/SSH| T1
    P2 -->|RDP/SSH| T2
    P1 -.->|Recording Sync| REC
    P2 -.->|Recording Sync| REC
    style Central fill:#eff6ff,stroke:#2563eb
    style Site1 fill:#f0fdf4,stroke:#22c55e
    style Site2 fill:#fef3c7,stroke:#f59e0b
```

SPSA Pro supports up to 5 SPSA Proxies (guacd implementations) connected via integrated Multi-Site VPN to the central SPSA Portal, enabling secure access to geographically distributed infrastructure from a single management interface.


Use Cases

Active Directory Protection

Secure administrative access to domain controllers without exposing RDP to the network.

Disaster Recovery

Pre-configured emergency access for critical systems during ransomware or security incidents.

Remote Maintenance

Enable vendors and contractors to access specific systems with time-limited credentials.

Legacy System Isolation

Provide secure access to legacy systems that cannot be updated or hardened.

Jump Host Replacement

Replace traditional jump servers with a more secure, auditable solution.

RDP Security Hardening

Eliminate direct RDP exposure by proxying all connections through SPSA.


Architecture Overview

```mermaid
flowchart LR
    subgraph Internet
        U[Users]
    end
    subgraph DMZ
        S[SPSA Gateway]
    end
    subgraph Internal Network
        DC[Domain Controllers]
        SRV[Servers]
        WS[Workstations]
        LEG[Legacy Systems]
    end
    U -->|HTTPS| S
    S -->|RDP| DC
    S -->|SSH| SRV
    S -->|VNC| WS
    S -->|Telnet| LEG
```

SPSA acts as a secure broker between users and target systems:

  1. Users connect to SPSA via HTTPS (port 443)
  2. SPSA Gateway authenticates users and enforces access policies
  3. Target Systems receive connections only from the SPSA gateway
  4. No direct network path exists between users and target systems
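
The four points above can be checked against network flow records. The following is an added example, not SPSA code: it flags flows that reach a target system on a brokered protocol without passing through the gateway, and flows that reach the gateway on anything other than HTTPS. The addresses, the `src dst port` record format, the use of default protocol ports and the single-gateway layout (no SPSA Proxies) are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this example (not SPSA settings): addresses are constructed.
GATEWAY = ipaddress.ip_address("10.0.50.10")        # SPSA gateway in the DMZ
TARGET_NET = ipaddress.ip_network("10.0.10.0/24")   # internal target systems
# Default ports of the protocols SPSA brokers
BROKERED_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC", 23: "Telnet"}

# Constructed sample flow records, one per line: "src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
203.0.113.7 10.0.50.10 443
10.0.50.10 10.0.10.5 3389
10.0.50.10 10.0.10.20 22
10.0.20.33 10.0.10.5 3389
203.0.113.7 10.0.50.10 22
10.0.20.33 10.0.10.40 23
10.0.10.5 10.0.10.20 445
"""

def audit_flows(text):
    """Return (line_no, reason) for every flow that breaks the brokered model."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            findings.append((n, "unparseable record"))
            continue
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts[:2])
        except ValueError:
            findings.append((n, "unparseable record"))
            continue
        port = int(parts[2])
        # Steps 3 and 4: targets accept brokered protocols only from the gateway
        if dst in TARGET_NET and port in BROKERED_PORTS and src != GATEWAY:
            findings.append((n, f"direct {BROKERED_PORTS[port]} to target, bypasses gateway"))
        # Step 1: the gateway is reached over HTTPS (port 443) only
        elif dst == GATEWAY and port != 443:
            findings.append((n, f"non-HTTPS port {port} reached on gateway"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit_flows(SAMPLE_FLOWS):
        print(f"flow {line_no}: {reason}")
```

Traffic on ports outside the brokered set (the SMB flow in the last sample record) is out of scope for this check and is not reported.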

Technology

SPSA is built on Apache Guacamole 1.6.0, an open-source clientless remote desktop gateway. The appliance includes:

| Component | Technology |
|---|---|
| Remote Access Gateway | Apache Guacamole 1.6.0 (Docker-based) |
| Database | PostgreSQL |
| Reverse Proxy | Caddy (automatic HTTPS) |
| Security | Integrated host firewall (nftables) |
| Operating System | Alpine Linux |

All administration and management is performed through the SPSA Portal web interface. The underlying infrastructure is pre-configured and secured - no manual Docker or database setup required.

SPSA Architecture

```mermaid
flowchart TB
    subgraph SPSA["SPSA Appliance"]
        direction TB
        FW[Host Firewall]
        CADDY[Caddy Reverse Proxy]
        GUAC[Guacamole Web App]
        GUACD[guacd Protocol Handler]
        DB[(PostgreSQL)]
        FW --> CADDY
        CADDY --> GUAC
        GUAC --> DB
        GUAC --> GUACD
    end
    U[Users] -->|HTTPS 443| FW
    GUACD -->|RDP/SSH/VNC| T[Target Systems]
    style SPSA fill:#eff6ff,stroke:#2563eb
```

Compliance & Data Sovereignty

  • 100% European Product - Developed and hosted in Switzerland
  • No Cloud Data Storage - All data remains on-premises
  • NIS2 Compliant - Meets EU cybersecurity directive requirements
  • GDPR Ready - Full compliance with EU data protection regulations
  • Audit Trail - Complete logging for compliance reporting

Getting Started

Ready to deploy SPSA in your environment?

  1. Review System Requirements - Ensure your infrastructure meets the prerequisites
  2. Quick Start Guide - Get up and running
  3. Installation Guide - Detailed deployment instructions
  4. Configuration Guide - Set up authentication and connections

Support & Contact

  • Email: support@skill-plan.com
  • Sales: sales@skill-plan.com
  • Website: https://www.skill-plan.com
  • Address: Skillplan GmbH, Kleinmatt 5, 6402 Merlischachen, Switzerland