Frequently Asked Questions¶
Common questions about SPSA (Skillplan Secure Access).
General Questions¶
What is SPSA?¶
SPSA (Skillplan Secure Access) is an on-premises Zero Trust Network Access (ZTNA) appliance that provides secure remote access to your infrastructure without exposing services directly to the internet. It is delivered as a ready-to-run virtual appliance.
What is SPSA based on?¶
SPSA is built on Apache Guacamole 1.6.0, an open-source clientless remote desktop gateway. The SPSA appliance packages Guacamole with additional components:
| Component | Purpose |
|---|---|
| Apache Guacamole 1.6.0 | Remote access gateway |
| PostgreSQL | User and connection database |
| Caddy | Reverse proxy with automatic HTTPS |
| Docker | Application containerization |
| nftables | Host firewall |
| Alpine Linux | Minimal, secure operating system |
What protocols does SPSA support?¶
| Protocol | Use Case | Default Port |
|---|---|---|
| RDP | Windows remote desktop | 3389 |
| SSH | Linux/Unix shell access | 22 |
| VNC | Cross-platform desktop | 5900 |
| Telnet | Legacy systems only | 23 |
Do users need to install software?¶
No. SPSA is entirely browser-based using HTML5. Users only need a modern web browser (Chrome or Edge recommended). No plugins, Java, or ActiveX required.
What is the SPSA Portal?¶
The SPSA Portal is the web interface used to:
- Access remote connections
- Manage users and groups
- Configure connections
- View session history
It is based on the Guacamole web interface with SPSA customizations.
Editions¶
What editions are available?¶
| Edition | Use Case |
|---|---|
| SPSA Foundation | Small/medium environments, basic remote access |
| SPSA Pro | Enterprise features, session recording, multi-site |
| SPSA Demo | 30-day evaluation (cannot upgrade to production) |
What's the difference between Foundation and Pro?¶
SPSA Foundation includes:
- RDP/SSH/VNC/Telnet access
- Built-in user database
- TOTP multi-factor authentication
- Cisco DUO Authentication
- Active Directory SSO
- Entra ID / SAML integration
- Conditional Access Policies (via Entra ID)
- Session recording and replay
- Web-based management (SPSA Portal)
- Integrated host firewall
SPSA Pro adds:
- Up to 5 SPSA Proxies for multi-site deployments
- Integrated VPN for site-to-site connectivity
- Distributed recording synchronization (from remote proxies to central storage)
What is an SPSA Proxy?¶
An SPSA Proxy is a remote guacd (Guacamole daemon) implementation that can be deployed at remote sites. In SPSA Pro:
- Up to 5 SPSA Proxies supported
- Connected via integrated VPN to central SPSA Portal
- Session recordings synchronized to central storage
- Enables access to systems at multiple locations
Is there a trial available?¶
Yes. The SPSA Demo appliance is a fully functional SPSA Foundation installation with:
- 30-day runtime limit
- Single network adapter (DHCP)
- 4 GB RAM, 2 cores, 64 GB disk
Demo Limitations
The demo appliance cannot be upgraded to production. A fresh deployment is required.
Contact sales@skill-plan.com to request a demo.
Security¶
Where is my data stored?¶
All data is stored on-premises in the SPSA appliance:
- User credentials in PostgreSQL database
- Session history in PostgreSQL database
- Session recordings on local storage (SPSA Pro)
No data is sent to external servers or cloud services.
Does SPSA support MFA?¶
Yes. SPSA requires TOTP-based multi-factor authentication for all portal users. Compatible apps:
- Google Authenticator
- Microsoft Authenticator
- Authy
- Any TOTP-compatible authenticator
MFA cannot be disabled - this is by design.
Is SPSA compliant with GDPR?¶
Yes. SPSA supports GDPR compliance:
- 100% European product (developed in Switzerland)
- All data stored on-premises
- No cloud data transfer
- Full audit logging
- Access controls
How is SPSA secured?¶
SPSA includes multiple security layers:
| Layer | Protection |
|---|---|
| Host firewall | Blocks all unnecessary network access |
| Alpine Linux | Minimal OS reduces attack surface |
| Docker isolation | Applications run in containers |
| TOTP MFA | Required for all users |
| TLS encryption | All portal traffic encrypted |
| SSH disabled | Remote shell access blocked by default |
Deployment¶
What are the hardware requirements?¶
SPSA Foundation:
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores | 4 cores |
| RAM | 4 GB | 8 GB |
| Disk | 50 GB SSD | 100 GB SSD |
SPSA Pro:
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 4 cores | 8 cores |
| RAM | 8 GB | 16 GB |
| Disk | 100 GB SSD | 500 GB SSD |
What hypervisors are supported?¶
| Platform | Minimum Version | Format |
|---|---|---|
| VMware ESXi | 7.0 Update 1 | OVA |
| Microsoft Hyper-V | 2016 | ZIP (VHDX) |
Does SPSA require internet access?¶
No. SPSA can operate in fully air-gapped environments. The appliance only needs:
- Network access to target systems
- Network access from users to SPSA (port 443)
- DNS and NTP (optional but recommended)
How is SPSA deployed?¶
SPSA is deployed as a virtual appliance:
- ESXi: Import OVA template
- Hyper-V: Import from ZIP archive
- Console setup: Change passwords, verify IP
- Portal setup: Configure MFA, create connections
See the Installation Guide for details.
Usage¶
How do I create connections?¶
All connection management is done through the SPSA Portal:
- Log in as administrator
- Go to Settings > Connections
- Click New Connection
- Select protocol, enter hostname/IP
- Configure authentication and security settings
- Save
How do I manage users?¶
Through the SPSA Portal:
- Go to Settings > Users
- Create, edit, or delete users
- Assign connection permissions
- Configure time-based restrictions if needed
Can I organize connections into groups?¶
Yes. Use Connection Groups:
- Create groups (e.g., "Production Servers", "Development")
- Assign connections to groups
- Users see organized folder structure
What CLI commands are available?¶
From the VM console as spadmin:
| Command | Purpose |
|---|---|
getip |
Display IP addresses |
sudo kbmap |
Change keyboard layout |
sshping <host> |
Test SSH connectivity |
rdpping <host> |
Test RDP connectivity |
sudo sshon |
Enable SSH (temporary) |
sudo sshoff |
Disable SSH |
passwd |
Change console password |
Troubleshooting¶
Why can't I connect to a target?¶
Common causes and solutions:
| Cause | Solution |
|---|---|
| Target offline | Verify target is running |
| Firewall blocking | Check firewall allows SPSA → target |
| Wrong credentials | Verify target username/password |
| Wrong port | Check port in connection settings |
| Network routing | Test with sshping or rdpping |
See Troubleshooting Guide for details.
How do I test connectivity?¶
From the SPSA console:
# Test SSH connectivity
sshping 192.168.1.50
# Test RDP connectivity
rdpping 192.168.1.50
If tests fail, SPSA cannot reach the target. Check network and firewall.
How do I reset a user's password?¶
- Log in as administrator
- Go to Settings > Users
- Edit the user
- Enter new password
- Save
How do I reset MFA for a user?¶
Contact Skillplan support for MFA reset procedures.
Why is SSH access disabled?¶
SSH to the SPSA appliance is disabled by default for security. A running SSH server is an attack vector. Only enable temporarily when needed:
sudo sshon # Enable
# ... do maintenance ...
sudo sshoff # Disable immediately after
Apache Guacamole¶
What version of Guacamole does SPSA use?¶
SPSA uses Apache Guacamole 1.6.0.
Where can I find Guacamole documentation?¶
The Apache Guacamole User Guide is available at: https://guacamole.apache.org/doc/gug/
Relevant sections for SPSA users:
- Configuring Guacamole - Connection parameters
- Using Guacamole - User interface guide
- Administration - Administrative tasks
Do I need to configure Guacamole manually?¶
No. SPSA is pre-configured. All administration is done through the SPSA Portal web interface. You don't need to edit configuration files or manage Docker containers directly.
Support¶
How do I get support?¶
| support@skill-plan.com | |
| Sales | sales@skill-plan.com |
| Website | https://www.skill-plan.com |
What information should I provide for support?¶
- SPSA edition (Foundation/Pro/Demo)
- Guacamole version (visible in portal)
- Hypervisor platform (ESXi version, Hyper-V version)
- Error messages or screenshots
- Steps to reproduce the issue
- Connectivity test results (
sshping/rdppingoutput)
Licensing¶
How is SPSA licensed?¶
Contact Skillplan for licensing information:
- Sales: sales@skill-plan.com
- Website: https://www.skill-plan.com
Can I upgrade from Foundation to Pro?¶
Yes. Contact Skillplan sales for upgrade options.
Can I upgrade from Demo to Production?¶
No. The demo appliance cannot be converted to a production system. A fresh deployment of the production appliance is required.