Anti-Cloud Secure Connect (ACSC) consists of three components:
We provision each Anti-Cloud customer with their own private ACSC cluster on vetted and locked-down hardware, walled off within the hardened environment of the Anti-Cloud datacenter. Each customer’s data and networks are fully segregated from everything else in the datacenter.
You install the ACSC agent on each host that you want to connect to the ACSC network. Any workstation, server, handheld device, virtual machine, or container can be a host for the agent.
The agent runs as a background service on its host, and sets up an encrypted WireGuard tunnel between the host and a private ACSC network hub. Each agent on the ACSC network has its own unique private IP address, used exclusively for ACSC traffic.
We provide a separate hub for each organization you manage. This allows you to fully isolate all the hosts and the traffic of one organization from the hosts and traffic of all other organizations – establishing one secure, private network per organization.
The diagram above shows three separate, secure networks created by connecting ACSC agents on three different groups of hosts to three different network hubs in a private ACSC cluster.
Each ACSC network hub runs on an isolated server in the Anti-Cloud datacenter.
By default, all traffic of a host with an ACSC agent on it is routed through the organization’s ACSC hub. Any traffic sent through the hub to another host on the ACSC network is forwarded directly to the other host. All other traffic, such as Internet traffic, has SNAT (Source Network Address Translation) applied to it by the hub.
This allows hosts on the ACSC network to communicate directly with one another using their private IP addresses, no matter where in the world they are. It also prevents everything not on the ACSC network, including LAN (Local Area Network) traffic, from connecting inbound to network services running on ACSC hosts.
Therefore, by default, once a host is enrolled into ACSC, only other hosts on the same private ACSC network can establish connections to it.
However, you can carve out exceptions for traffic that you don’t want to route through the ACSC network. In the diagram above, the administrator of this ACSC network has carved out an exception allowing an end user computer to connect to a server on the same LAN.
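The routing side of such an exception, as an added example that is not Anti-Cloud's code: in a plain WireGuard setup, traffic is kept out of the tunnel by leaving its destination out of the peer's `AllowedIPs`, so the full-tunnel default `0.0.0.0/0` has to be rewritten as the set of blocks that excludes the LAN. It assumes the exception is expressed this way (the page does not say how the ACSC agent implements it), uses a constructed LAN subnet, and covers outbound routing only, not the inbound blocking described above.

```python
import ipaddress

def allowed_ips_excluding(exceptions, base="0.0.0.0/0"):
    """CIDR blocks that cover `base` except the `exceptions` networks."""
    remaining = [ipaddress.ip_network(base)]
    for exc in map(ipaddress.ip_network, exceptions):
        kept = []
        for net in remaining:
            if exc.version != net.version or not net.overlaps(exc):
                kept.append(net)        # exception does not touch this block
            elif exc.supernet_of(net):
                continue                # block lies entirely inside the exception
            else:
                kept.extend(net.address_exclude(exc))  # split around the exception
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def goes_through_tunnel(dest, allowed):
    """True if traffic to `dest` matches an AllowedIPs block (sent to the hub)."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in allowed)

def peer_line(allowed):
    """Render the blocks as a WireGuard [Peer] AllowedIPs line."""
    return "AllowedIPs = " + ", ".join(str(n) for n in allowed)

# Constructed sample: the end user's LAN is 192.168.1.0/24 (an assumption).
LAN_EXCEPTIONS = ["192.168.1.0/24"]

if __name__ == "__main__":
    allowed = allowed_ips_excluding(LAN_EXCEPTIONS)
    print(peer_line(allowed))
    for dest in ("192.168.1.20", "192.168.2.20", "203.0.113.7"):
        via = "hub" if goes_through_tunnel(dest, allowed) else "local LAN"
        print(f"{dest} -> {via}")
```

Every block the exception removes from `AllowedIPs` is traffic the hub no longer sees, so the check worth making is that the excluded range is exactly the intended subnet and nothing wider.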
You use the ACSC management UI, hosted on the admin management server, to manage and monitor your private ACSC networks.
As an ACSC administrator, you use the UI to define which clients are allowed to connect to a particular hub (and therefore to the private network provided by the hub). You also use the UI to enable or disable access to ACSC, and to see who has been using ACSC, from where, and when.
ACSC end-users never need to see or touch the UI, or see or touch any other ACSC components. As an ACSC administrator, you download the agent configuration files from the UI, and apply them to your servers and end-user devices. (Each agent needs a unique config file customized for a particular device to enroll it; this allows the agent to set up strong credentials between it and the management server for the device.)
The management UI allows you to generate agent configuration files for many hosts at once. You can use this to automate the enrollment of a group of users through Windows GPOs (Group Policy Objects), or via other automation tools.
The diagram above shows an administrator using the ACSC management server to configure the agents on different hosts in the ACSC network.