Frequently asked questions about LANCOM Trusted Access
LANCOM Trusted Access is the trusted network access security solution for corporate networks. It enables secure and scalable access to corporate applications for employees in the office, at home or on the move. Users can choose between comprehensive network access (cloud-managed VPN) or only access authorisation to applications that have been assigned to them (zero-trust principle).
Is the LTA solution GDPR-compliant?
Yes, as an IT security solution made in Germany, LANCOM Trusted Access is subject to and complies with European legal standards and is therefore GDPR-compliant. The LANCOM Trusted Access Client and the LANCOM Management Cloud (LMC) are developed in Germany, and all cloud data is hosted in data centres in Germany. For maximum data security and data protection, data exchange for user authentication takes place exclusively via the LMC. All other user data runs directly between the LTA client and the LTA gateway, without being routed through an external cloud.
In which variants can LTA be implemented?
Whether you need cloud-managed VPN client networking for far-reaching network access or want to take the step to a comprehensive zero-trust security architecture - LANCOM Trusted Access offers suitable expansion levels. For further information, please refer to the LANCOM Trusted Access Client data sheet. Please note that LTA is not available for Private LMC.
Who can I contact for LTA support?
LANCOM Service & Support is there to help and advise you if you need assistance with software problems or have technical information requests. You can find out what requirements apply in the LANCOM Trusted Access support services info paper.
What redundancy functions are possible with LTA?
Device redundancy of the LTA Gateway
Device-side redundancy must be configured manually on the devices in the LMC and can be realised as a redundant dial-in point for LTA clients via an HA cluster (LCOS FX, or for LCOS with different dial-in pools and VRRP).
Line redundancy (redundant connection…
Which network components are required for the LANCOM Trusted Access solution?
To operate the LANCOM Trusted Access solution, you need the following three LANCOM components and a central user database:
- LANCOM Trusted Access Client (LTA Client): Available as 1, 3 or 5 year licences; client licensing is done centrally via the LANCOM Management Cloud
- LANCOM Management Cloud (LMC) (LTA Controller): Configuration, monitoring, licence management and connection to Active Directory
- LANCOM Trusted Access Gateway (LTA Gateway): LANCOM VPN router or LANCOM R&S®Unified Firewall. For small installations, an existing VPN router can be used for site networking and remote access. In larger scenarios, we recommend outsourcing the LTA gateway function to a firewall HA cluster in a DMZ, for example.
- Central user database with Microsoft Entra ID Connect (formerly Azure AD Connect) for linking to existing Microsoft Active Directory. Alternatively, internal user management in the LMC is also available for small installations without AD (LMC internal user table).
Which licences are required for the operation of LTA and how is licensing carried out?
LANCOM Trusted Access Client
Licences for the LANCOM Trusted Access Client can be purchased with terms of 1, 3 and 5 years for different numbers of users (1, 10, 25, 100, 250 or 1,000). Licences are per user (i.e. not per end device). With an LTA licence, up to three end devices can be used in parallel per user. All LTA licences are always assigned to exactly one project in the LANCOM Management Cloud (LMC) (queried when ordering) and are non-transferable. The user count is determined by the employees of a company who are either added and activated in the local user administration or are included in the primary group of the IdP user administration (suitable Active Directory group, e.g. "LTA User"). All potentially authorised users are therefore subject to licensing.
Trusted Access Gateway (router or firewall)
All LTA gateways must have an active LMC licence.
On LCOS-based gateways, one free VPN channel is required per user. Content filtering for web traffic is only available in conjunction with the corresponding LANCOM Content Filter software option. An active Basic or Full licence is required on LCOS FX-based gateways. Content filtering, IDS / IPS, antivirus and SSL inspection for web traffic are only available in conjunction with a corresponding Full licence.
Is there an LTA test licence?
Yes, a free LTA starter licence is available. This allows you to test LANCOM Trusted Access for a maximum of 30 days and 25 users. The prerequisite for this is an LMC organisation or an LMC project, which is made available free of charge via the partner programme. The LTA starter licence is stored once in your licence management under "LTA user licences" and is automatically activated after the configuration of the first LTA user or a user group activation from an Active Directory. LTA operation in NFR and demo projects without a chargeable LMC licence is not supported.
What happens if not enough licences are activated for a project?
If you have activated insufficient LTA licences for the number of managed LTA users, you will receive corresponding messages. After a multi-stage reminder process, all accesses will be blocked. To prevent this, please purchase additional licences in good time.
Can LANCOM LTA gateways be configured with LANconfig?
- Configuration of LTA gateways with LANconfig is currently not supported.
How is user administration organised?
With LTA, user authentication according to the zero trust principle is usually carried out via a central user database ("identity provider", e.g. an Active Directory). This can be either a local Microsoft Active Directory (with LMC connection via Azure AD Connect) or a cloud-hosted Active Directory (Microsoft Entra ID, formerly Azure AD). For small companies without a centralised user database, a user management system integrated into the LANCOM Management Cloud is available as an alternative (LMC-internal user table).
How can Trusted Access be set up?
LANCOM Systems offers a comprehensive Trusted Access onboarding programme with step-by-step instructions and training videos as well as further information for different scenarios and thematic focuses (sales, technology). This programme is aimed at LANCOM partners who want to set up Trusted Access in their company and/or with their customers.
What is the difference between the LANCOM Trusted Access Client and the LANCOM Advanced VPN Client?
| Features | Advanced VPN Client | Trusted Access Client |
| --- | --- | --- |
| Operating mode | Unmanaged | Cloud-managed |
| Commissioning | Manual pre-configuration of all access parameters per client | Zero-touch / auto-configuration: No pre-configuration is necessary. Users are automatically assigned to the correct project based on their e-mail domain. Client configuration and assignment are carried out centrally via the LMC. |
| Monitoring | - | Central monitoring dashboard in the LMC |
| Access rights | Full access to the intranet | Individual applications or, alternatively in smaller deployment scenarios, full access to the intranet. However, it is recommended to limit access per user group to the required applications and to separate the local applications from each other on the network side. |
| Lateral protection (e.g. against ransomware) | Entire intranet accessible | When using application filtering in conjunction with micro-segmentation (Private VLAN) |
| Endpoint security | - | It can be specified that the virus scanner and firewall must be active on every client and that the operating system must meet a minimum version or patch level. Clients that do not fulfil the requirements can be blocked automatically. |
| Client configuration / change management | Manual per client | Automatic / centralised via LMC |
| Centralised user management | - | Via Active Directory or user tables in the LMC |
| Two-factor or multi-factor authentication (2FA / MFA) | - | Only when using Microsoft Active Directory; not in conjunction with local user table |
| Licensing | Licence must be activated manually for each client | Licensing takes place centrally via the LMC (pre-paid or pay-per-use) |
| Regular software updates | - | Included over the entire term |