Remote Access — Frequently Asked Questions
Mirox gives you two ways to reach the devices on a plant network from anywhere: the VPN, a full network connection for any protocol, and the Browser Proxy, a browser-only path to a device's web interface. This page answers the security questions both raise — who can connect, how access is granted and taken away, what is recorded, and how the service stays available. The short version: remote access is a deliberately tiered, least-privilege capability, every connection is attributed to a named person and logged for compliance, and your plant network never has to expose an inbound port. For the full feature descriptions see VPN and Proxy; for the audit detail see Access Audit Logging.
Choosing Between the VPN and the Proxy
1. What is the difference between the VPN and the Browser Proxy?
They reach plant devices at two different levels. The VPN gives your computer a real network connection into the plant networks you are authorized for — any protocol works (a device's web UI, SSH, Modbus, SNMP, or your own engineering tools), which is powerful but means it is the most privileged form of access. The Browser Proxy is the deliberately narrower, more controlled option: it opens a specific device's HTTP or HTTPS web interface directly in your browser with no client to install, and it can reach only the web targets that have been configured for a device — never arbitrary addresses and ports on the plant LAN. Choose the Proxy for everyday browser tasks; choose the VPN when you genuinely need a network-level connection.
2. Which one should I use, and why are they restricted differently?
Use the Proxy when the task lives in a browser — checking an inverter portal, a datalogger UI, a switch's web admin. Use the VPN when you need a non-web protocol or your own tools talking directly to devices. They are intentionally gated differently: the VPN is reserved for the Operator role only, because a full network tunnel has a large blast radius; the Proxy is opened to a broader set of roles because it can only ever reach pre-approved web pages, so the worst case is far smaller. Restricting the powerful tool tightly and the limited tool more openly is the core of the least-privilege design.
VPN — Access and Permissions
3. Who can connect to my plant's network via VPN?
VPN connectivity is granted to the Operator job role only — it is the most privileged tier of plant access, and it is the only role that materializes VPN routes. A person reaches the Operator level in one of three ways: a direct Operator grant on the specific plant, inheritance through the organization Administrator or Moderator role (both map to Operator on their own organization's plants), or through a cooperation that grants the Operator job on a shared plant. Everyone below that — Technical Manager, Asset Manager (Technical), Asset Manager (Commercial), Viewer, plain members and guests — does not receive a VPN route. This is a deliberate tiered design: the broad day-to-day audience never gets a raw network tunnel into the plant.
4. What can a Technical Manager do, if not connect over VPN?
A Technical Manager does not get a network tunnel, but they are not locked out of remote work. They can use the Browser Proxy to open a device's web interface directly in the browser, they can read the plant's full access audit log, and at the organization level they can manage organization VPN services and plant assignments. The split is intentional: the browser-only Proxy has a much smaller blast radius than a full network tunnel, so it is opened to a wider set of roles, while the raw VPN route stays reserved for the Operator tier. See the Permission System for the complete role-to-job mapping.
5. Can an external technician get access to one of my plants?
Yes — through a cooperation — and under exactly the same rules as your own staff. VPN access still requires the cooperation to grant the external person the Operator job on the shared plant; Proxy access requires Operator or Technical Manager. No cooperation can hand out more than you choose to share, every connection the external technician makes is recorded in your plant's access audit log just like an internal one, and you can lower or revoke the cooperation at any time, which removes their access within seconds.
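The three questions above describe one permission model: a person's effective job on a plant is the highest of a direct grant, an inherited organization role, or a cooperation grant, and only the Operator job yields a VPN route while Operator or Technical Manager yields Proxy access. The following is an added illustrative model of those rules, not Mirox's own code. The numeric ranking of jobs, the modelling of a cooperation as one grant per external person and plant, and all organization, plant and user names are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Job(IntEnum):
    """Plant jobs ranked by privilege (the ordering is an assumption of this model)."""
    NONE = 0                      # plain member or guest: no job on the plant
    VIEWER = 1
    ASSET_MANAGER_COMMERCIAL = 2
    ASSET_MANAGER_TECHNICAL = 3
    TECHNICAL_MANAGER = 4
    OPERATOR = 5                  # the only job that materializes VPN routes


# Organization roles that map to a plant job on their own organization's plants.
ORG_ROLE_TO_JOB = {"Administrator": Job.OPERATOR, "Moderator": Job.OPERATOR}

# Jobs allowed to open device web interfaces through the Browser Proxy.
PROXY_JOBS = {Job.OPERATOR, Job.TECHNICAL_MANAGER}


@dataclass(frozen=True)
class Plant:
    plant_id: str
    org_id: str


@dataclass
class Directory:
    plants: dict[str, Plant]
    # (user, org) -> organization role
    org_roles: dict[tuple[str, str], str] = field(default_factory=dict)
    # (user, plant) -> job granted directly on that plant
    direct_grants: dict[tuple[str, str], Job] = field(default_factory=dict)
    # (user, plant) -> job the owning organization shares with an external person
    # through a cooperation (assumption: modelled as one grant per person and plant)
    cooperations: dict[tuple[str, str], Job] = field(default_factory=dict)

    def effective_job(self, user: str, plant_id: str) -> Job:
        """Highest job reachable by any of the three paths described in the FAQ."""
        plant = self.plants[plant_id]
        candidates = [
            Job.NONE,
            self.direct_grants.get((user, plant_id), Job.NONE),
            # inheritance applies only to plants of the organization the role is held in
            ORG_ROLE_TO_JOB.get(self.org_roles.get((user, plant.org_id), ""), Job.NONE),
            self.cooperations.get((user, plant_id), Job.NONE),
        ]
        return max(candidates)

    def vpn_plants(self, user: str) -> set[str]:
        """Plants whose subnets are routed into this user's tunnel: Operator only."""
        return {p for p in self.plants if self.effective_job(user, p) == Job.OPERATOR}

    def proxy_allowed(self, user: str, plant_id: str) -> bool:
        """Role check for the Proxy (2FA is a separate, per-request requirement)."""
        return self.effective_job(user, plant_id) in PROXY_JOBS


def build_sample_directory() -> Directory:
    """Constructed sample data: two organizations, three plants, four people."""
    plants = {
        "acme-north": Plant("acme-north", "acme"),
        "acme-south": Plant("acme-south", "acme"),
        "partner-east": Plant("partner-east", "partner"),
    }
    d = Directory(plants=plants)
    d.org_roles[("alice", "acme")] = "Administrator"       # Operator on acme's plants only
    d.direct_grants[("bob", "acme-north")] = Job.TECHNICAL_MANAGER
    d.direct_grants[("carol", "acme-south")] = Job.VIEWER
    d.org_roles[("dave", "partner")] = "Administrator"     # external technician from "partner"
    d.cooperations[("dave", "acme-north")] = Job.OPERATOR  # acme shares acme-north with dave
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "VPN:", sorted(d.vpn_plants(user)),
              "Proxy acme-north:", d.proxy_allowed(user, "acme-north"))
```

Lowering dave's cooperation grant to Technical Manager removes acme-north from his VPN set while leaving his Proxy access intact; deleting the grant removes both. Alice, although an Administrator, has no job at all on the partner's plant, which is the isolation property the routing layer later relies on.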
VPN — Profiles, Keys and Routing
6. Why does every person get their own VPN profile instead of a shared one?
A personal profile is what makes accountability possible. Because each connection is tied to a named Mirox account, the compliance audit log can answer "who connected" for every session — a shared key would make that impossible. A personal profile also lets each user rotate or revoke their own keys independently without disrupting anyone else, and it keeps key custody on the user's side: the private key is generated on the user's own device and is never stored by Mirox. The configuration is shown only once when you create or rotate it; if you lose it, you simply rotate to get a new one.
7. What encryption does the VPN use?
The personal VPN uses WireGuard, whose cryptography is fixed by the protocol rather than negotiated: Curve25519 for the key exchange and ChaCha20-Poly1305 for authenticated encryption, with no cipher suites to downgrade. Your private key is generated on your own device and never leaves it — Mirox only ever sees your public key. The tunnel is a split tunnel: only traffic destined for private plant networks enters it, while your ordinary internet traffic (web, email, video calls) stays on your own connection and never passes through Mirox. See the personal VPN setup guide for how to issue and import your profile.
8. How do new plants appear in my VPN without re-downloading anything?
Your configuration file is fixed for the lifetime of your profile — you never re-import it when your access changes. The part that moves is maintained on the Mirox side: the set of plant subnets your profile is allowed to reach is computed from your current permissions and kept in sync continuously. The moment you are granted Operator access to a new plant, that plant's networks become reachable through your existing tunnel, typically within seconds, with no reinstall and no action on your part. A plant whose on-site agent is not yet deployed shows as "not yet reachable" and goes live automatically once its agent is online.
VPN — Revocation and Isolation
9. How is access taken away — and how fast?
When your Operator access ends — because your job is removed, your organization membership changes, or a cooperation is lowered or ended — the affected plant is removed from your reachable routes within seconds of the permission change, and the network path is torn down shortly after on the next reconciliation. A periodic background verification independently re-checks every active profile against current permissions and corrects any route that should no longer exist, so a single missed event cannot leave access open. The same permission change also withdraws your Proxy access. If your user account is deleted, your remote access stops within seconds while the compliance history you generated is preserved for the legal retention period.
10. How are different plants and organizations isolated from each other?
Each user's connection is confined to an isolated set of routes derived solely from that user's own Operator authorizations plus any explicitly invited cooperation scope. Subnets you are not authorized for are simply never routed for you — there is no network path from your tunnel to another organization's plant networks, and one organization's users cannot see another's. Reachability is permission-derived end to end, so isolation is enforced by what is routed, not merely by what is shown in the interface.
11. What happens when two plants use the same internal IP range?
This is handled explicitly. If two plants you can reach both use the same local range (for example two plants on 192.168.1.0/24), the system detects the overlap and marks it in your route list rather than guessing. You decide which of the conflicting plants takes priority for you, so there is never any ambiguity about which network you are reaching. You can also temporarily disable one route to reach the other, then switch back.
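Questions 8 to 11 describe one mechanism from four angles: the route table is derived from the user's current Operator plants, anything not authorized is never routed, a periodic pass reconciles what is installed against what should be, and overlapping ranges are surfaced as a conflict for the user to resolve instead of being guessed. The block below is an added illustrative model of that behaviour, not Mirox's code. It assumes the set of Operator plants has already been resolved by the permission layer, and the plant names, subnets and agent states are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class PlantNetwork:
    plant_id: str
    subnet: IPv4Network
    agent_online: bool = True     # plant-side agent deployed and connected


@dataclass(frozen=True)
class Route:
    plant_id: str
    subnet: IPv4Network
    state: str                    # "active" | "not yet reachable" | "conflict"


def desired_routes(operator_plants: set[str], networks: list[PlantNetwork],
                   chosen: set[str]) -> list[Route]:
    """Routes a user should see, derived solely from current Operator authorizations.

    `chosen` holds the plants the user has marked as taking priority where ranges
    overlap; a range is routed for a plant only if that plant is chosen and none
    of its overlapping rivals is, so ambiguity is never resolved by guessing."""
    allowed = [n for n in networks if n.plant_id in operator_plants]  # unauthorized: never routed
    routes: list[Route] = []
    for n in sorted(allowed, key=lambda x: x.plant_id):
        rivals = [m for m in allowed if m.plant_id != n.plant_id and m.subnet.overlaps(n.subnet)]
        if rivals and (n.plant_id not in chosen or any(m.plant_id in chosen for m in rivals)):
            routes.append(Route(n.plant_id, n.subnet, "conflict"))
            continue
        if not n.agent_online:
            routes.append(Route(n.plant_id, n.subnet, "not yet reachable"))
            continue
        routes.append(Route(n.plant_id, n.subnet, "active"))
    return routes


def installed_set(routes: list[Route]) -> set[tuple[str, str]]:
    """Only routes in state 'active' are materialized in the tunnel."""
    return {(r.plant_id, str(r.subnet)) for r in routes if r.state == "active"}


def reconcile(installed: set[tuple[str, str]],
              desired: list[Route]) -> tuple[set[tuple[str, str]], set[tuple[str, str]]]:
    """Return (to_add, to_remove). Running this diff on a timer as well as on every
    permission event means a single missed event cannot leave a stale route."""
    want = installed_set(desired)
    return want - installed, installed - want


def states(routes: list[Route]) -> dict[str, str]:
    return {r.plant_id: r.state for r in routes}


# Constructed sample data: two plants share 192.168.1.0/24, one agent is not yet deployed.
NETWORKS = [
    PlantNetwork("north", ip_network("10.10.0.0/16")),
    PlantNetwork("south", ip_network("192.168.1.0/24")),
    PlantNetwork("east", ip_network("192.168.1.0/24")),
    PlantNetwork("west", ip_network("172.16.5.0/24"), agent_online=False),
    PlantNetwork("other-org", ip_network("10.20.0.0/16")),   # the user is never Operator here
]

if __name__ == "__main__":
    mine = {"north", "south", "east", "west"}
    r1 = desired_routes(mine, NETWORKS, chosen=set())
    print("initial:", states(r1))                      # south/east flagged as conflict
    r2 = desired_routes(mine, NETWORKS, chosen={"south"})
    print("after choosing south:", reconcile(installed_set(r1), r2))
    r3 = desired_routes({"north"}, NETWORKS, chosen={"south"})
    print("after losing Operator on south:", reconcile(installed_set(r2), r3))
```

The revocation path is simply the same diff with a smaller authorization set: once "south" leaves the Operator set, the next reconciliation produces a removal regardless of whether the triggering event was delivered.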
The Browser Proxy
12. Who can use the Proxy?
The Proxy is open to Operator and Technical Manager on the plant — including the organization Administrators and Moderators that map to those jobs, and cooperation members holding them. Viewers and commercial roles are denied. This is deliberately broader than the Operator-only VPN, for one reason: the Proxy can only ever reach pre-approved device web interfaces, so even in the worst case the exposure is far smaller than a full network tunnel. Configuring which device web pages exist as targets is itself a Technical-Manager-and-above action.
13. Does the Proxy require two-factor authentication?
Yes. Opening a device through the Proxy requires an active two-factor authentication (TOTP) setup on your account; without it the Proxy refuses to open a device, no matter your role. This is stricter than the rest of the platform precisely because the Proxy is a path to live equipment. On top of your Mirox login and 2FA, the device itself can require its own login, so there are often two independent authentication layers protecting a device.
14. Are my device passwords stored, and who can see them?
Device credentials you save for the Proxy (and for device connection checks) are held in an encrypted credential vault, and access to enter or use them is gated to Operator and Technical Manager on the plant. They are never exposed to other roles, never shown to the AI assistant, and never written into logs. The Proxy handles only the transport and the Mirox-side access control; the device's own authentication remains in force.
15. Can someone get in if I share a proxy link?
No — a proxy URL is not an access grant. The address for a device's proxied web interface is stable and shareable, but anyone who opens it still has to be logged in to Mirox, pass two-factor authentication, and hold the required role on that plant. A link on its own reaches nothing; the permission check happens on every request.
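Questions 12, 13 and 15 together define the gate that every proxied request passes: the caller must be logged in, must have completed TOTP, must hold Operator or Technical Manager on the plant named in the URL, and may only reach a web target that has been configured for that device. The block below is an added illustration of such a per-request check, not Mirox's code. It assumes the effective job has already been resolved by the permission layer, that proxy URLs take the form /proxy/<plant>/<device>/<path> (an assumption, not the product's real URL scheme), and all plant, device and user names are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

PROXY_JOBS = {"Operator", "Technical Manager"}


@dataclass(frozen=True)
class Session:
    user: str | None              # None: not logged in to Mirox
    totp_verified: bool = False   # active second factor on this session


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    upstream: str | None = None   # device URL the request is forwarded to, if allowed


def proxy_gate(url: str, session: Session, jobs: dict[tuple[str, str], str],
               targets: dict[tuple[str, str], str]) -> Decision:
    """Stateless check run on every request: holding the link grants nothing by itself."""
    parts_url = urlsplit(url)
    parts = parts_url.path.split("/", 4)          # ["", "proxy", plant, device, rest]
    if len(parts) < 4 or parts[1] != "proxy" or not parts[2] or not parts[3]:
        return Decision(False, "malformed proxy path")
    plant, device = parts[2], parts[3]
    rest = parts[4] if len(parts) == 5 else ""

    if session.user is None:
        return Decision(False, "not logged in")
    if not session.totp_verified:                 # required regardless of role
        return Decision(False, "two-factor authentication required")

    job = jobs.get((session.user, plant))
    if job not in PROXY_JOBS:
        return Decision(False, f"no Proxy-capable job on plant {plant}")

    # The upstream host and port come only from the configured target for this
    # device; nothing in the client's request can redirect the proxy elsewhere.
    target = targets.get((plant, device))
    if target is None:
        return Decision(False, f"no configured web target for device {device}")
    upstream = f"{target.rstrip('/')}/{rest}"
    if parts_url.query:
        upstream += f"?{parts_url.query}"
    return Decision(True, "ok", upstream)


# Constructed sample data (jobs assumed already resolved by the permission layer).
JOBS = {
    ("alice", "acme-north"): "Operator",
    ("bob", "acme-north"): "Technical Manager",
    ("carol", "acme-north"): "Viewer",
}
TARGETS = {
    ("acme-north", "inverter-1"): "https://192.168.1.50:8443",
    ("partner-east", "inverter-2"): "http://192.168.7.20",
}

if __name__ == "__main__":
    link = "/proxy/acme-north/inverter-1/status"
    for s in (Session(None), Session("alice"), Session("alice", True),
              Session("bob", True), Session("carol", True)):
        print(s.user, s.totp_verified, proxy_gate(link, s, JOBS, TARGETS))
```

The same link shared with five people yields five different decisions, and a fully authorized user is still refused for a device with no configured target or on a plant where they hold no job.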
Availability and Resilience
16. How robust is remote access — what happens if a server or a region fails?
The platform runs across multiple independent European data-center regions at the same time, each running the complete stack, and within each region remote access is served by multiple servers — so there is no single point of failure. Your connection always attaches to a healthy entry point; if one becomes unavailable, it is re-established automatically against another healthy server, and you do not have to reconfigure anything. Combined with automatic supervision of the on-site agents, the architecture is engineered to deliver 99.999% availability.
17. What keeps the plant side available?
Each plant's on-site agent is supervised by an orchestration layer that continuously verifies both its existence and its readiness on a short cycle. If an agent is missing, stops responding, or its host fails, it is automatically restarted, redeployed, or relocated to another healthy host — without a site visit. A safeguard ensures the same agent is never run in two places at once. Because the agent is what terminates the plant-side connection for both the VPN and the Proxy, this supervision is what keeps your plant reachable.
18. Does my plant network need an open inbound port?
No. The on-site agent is always the party that dials outward to the Mirox cloud; the connection is established from inside your plant network. Your firewall therefore needs only outbound connectivity — no inbound port is opened, and nothing on the public internet can initiate a connection toward your plant network. This holds for both the VPN and the Proxy.
19. Is the agent the only way into my plant network?
Yes. The plant network becomes reachable over the platform only while the on-site agent's outbound tunnel is up, and all authorized traffic — VPN or Proxy — reaches the plant through that agent. It is the single point of entry, and it is bounded to its own plant: it cannot reach, and is not a path into, any other plant or network.
Audit and Privacy
20. Is every access recorded? Which standard does the log meet?
Yes — every VPN connection and every Proxy session is recorded automatically by the platform as traffic flows; users cannot influence what is captured. The access log is designed to meet German KRITIS and EU NIS2 remote-access logging requirements. For each access it records who connected, when, and from where (source IP and geographic region), which plant subnets and devices were reached, and which protocols and ports; for the Proxy it additionally records the web-request activity (the device reached, request counts and methods, data volume). Records are retained for 730 days (24 months) by default and then automatically purged. The depth of this audit is covered in full on the Access Audit Logging page.
21. Who can see the access log? Can I see my own connections?
The full plant access log is visible only to that plant's responsible operators — Technical Manager level and above on the plant, including invited cooperation technicians. The connecting user does not see the operator's audit log; that surface is reserved for the party with the reporting obligation. You can, however, review your own connection history from your profile: when each session started, from which region and source IP, the approximate location, and how much data moved. Neither operators nor users can edit or delete audit records — see the audit log's retention and tamper-resistance section.
22. Does Mirox see the content of my sessions?
No. The audit records metadata — connections, endpoints, ports, protocols, timestamps and traffic volumes, plus which device web pages a Proxy session touched — not the content of what you do. VPN packet payloads, the bodies of web pages, keystrokes and screen recordings are deliberately not captured, because that would be both privacy-problematic and unnecessary for compliance reporting. The privacy boundary is described in detail in the Access Audit Logging privacy section.
Related Features
- VPN — the personal tunnel that reaches every plant network you are authorized for
- Proxy — browser-based access to plant device web interfaces, no VPN client required
- Access Audit Logging — the KRITIS- and NIS2-aligned record of all VPN and Proxy access
- Permission System — the role-to-job mapping that decides who reaches which plants
- Personal VPN Setup — step-by-step guide to issuing, rotating, and using your VPN profile