Remote access to PLCs behind firewalls
Commission, debug, and support industrial equipment inside a customer's network — without asking their IT for a single open port or a site-to-site VPN.
Plant networks are locked down — as they should be
Every inbound port is a finding in the next security audit. Requests to open one take weeks, vendor VPN boxes multiply in the cabinet, and the machine builder still ends up driving to site. Tollan's agent connects outbound only, so the plant firewall stays exactly as closed as IT wants it.
Put an agent next to the line
Download a preconfigured agent or mint an enrollment token, run one installer, and the device connects itself. It runs on the industrial PC or edge gateway you already have in the machine network.
Route the services you support
One agent can expose anything on the device network — cameras, PLCs, gateways — each service behind its own route. The PLC's web UI, an HMI, or a diagnostics endpoint each get their own hostname.
Decide who gets in
Attach IP allowlists, basic auth, or mutual-TLS to a route as edge access rules. Your service team reaches the machine; nobody else does.
Answers for the security questionnaire
- Every device holds its own CA-issued certificate. The private key is generated on the device and never leaves it.
- Revoke a device and its live tunnels drop in seconds — the relay re-checks certificate status continuously. An engineer leaving the project is one click, not a site visit.
- Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.
- Console accounts get role-based access, optional TOTP two-factor, and an append-only audit trail.
The full detail — what we can and cannot see — is on the security page.
Put your first machine online
Free tier, no card required. Fleet pricing when you scale.