FAQ LANCOM Trusted Access

Your questions.
We answer.

Frequently asked questions about LANCOM Trusted Access

LANCOM Trusted Access is the trusted network access security solution for corporate networks. It enables secure and scalable access to corporate applications for employees in the office, at home or on the move. Users can choose between comprehensive network access (cloud-managed VPN) or only access authorisation to applications that have been assigned to them (zero-trust principle).

General information

Is the LTA solution GDPR-compliant?

Yes, as an IT security solution made in Germany, LANCOM Trusted Access is subject to and complies with European legal standards and is therefore GDPR-compliant.  The LANCOM Trusted Access Client and the LANCOM Management Cloud (LMC) are developed in Germany, and all cloud data is hosted in data centres in Germany. For maximum data security and data protection, data exchange for user authentication takes place exclusively via the LMC. All other user data runs directly between the LTA client and LTA gateway - without being decoupled via an external cloud.

In which variants can LTA be implemented?

Whether you need cloud-managed VPN client networking for far-reaching network access or want to take the step to a comprehensive zero-trust security architecture - LANCOM Trusted Access offers suitable expansion levels. For further information, please refer to the LANCOM Trusted Access Client data sheet. Please note that LTA is not available for Private LMC.

Who can I contact for LTA support?

LANCOM Service & Support is there to help and advise you if you need assistance with software problems or have technical information requests. You can find out what requirements apply in the LANCOM Trusted Access support services info paper.

What redundancy functions are possible with LTA?

Device redundancy of the LTA Gateway

The device-side redundancy must be configured manually on the devices in the LMC and can be realised as a redundant dial-in point for LTA clients via an HA cluster (LCOS FX or for LCOS with different dial-in pools and VRRP).

Line redundancy (redundant connection…
Device redundancy of the LTA Gateway

The device-side redundancy must be configured manually on the devices in the LMC and can be realised as a redundant dial-in point for LTA clients via an HA cluster (LCOS FX or for LCOS with different dial-in pools and VRRP).

Line redundancy (redundant connection of the LTA gateways)

Line-side redundancy must be configured manually on the devices in the LMC. Several WAN connections terminate on one device (up to 4 WAN connections with LCOS, up to 6 WAN connections with LCOS FX).

Controller redundancy (cloud)

The LANCOM Management Cloud (LMC) is geo-redundant. With LTA, it only serves as a "control plane", i.e. user data is transferred directly between the LTA client and LTA gateway after authorisation.

LTA client - autonomous continued operation

For an active, authorised client, continued operation without an LMC connection is possible as long as the respective session exists. For maximum resilience, autonomous continued operation of the LTA clients can be set as an option, so that once an LTA client has been authenticated, it can establish a connection to the assigned destinations within a defined period of time even without a connection to the LMC or after restarting the client or computer.

Technical requirements

Which network components are required for the LANCOM Trusted Access solution?

To operate the LANCOM Trusted Access solution, you need the following three LANCOM components and a central user database:

  • LANCOM Trusted Access Client (LTA Client): Available as 1, 3 or 5 year licences, client licensing is done centrally via the LANCOM Management Cloud
  • LANCOM Management Cloud (LMC) (LTA Controller):  Configuration, monitoring, licence management and connection to Active Directory
  • LANCOM Trusted Access Gateway (LTA Gateway): LANCOM VPN router or LANCOM R&S®Unified Firewall For small installations, an existing VPN router can be used for site networking and remote access. In larger scenarios, we recommend outsourcing the LTA gateway function to a firewall HA cluster in a DMZ, for example.
  • Central user database with Microsoft Entra ID Connect (formerly Azure AD Connect) for linking to existing Microsoft Active Directory. Alternatively, internal user management in the LMC is also available for small installations without AD (LMC internal user table).

On which operating systems can the LANCOM Trusted Access Client be operated?

  • Microsoft Windows 10 / 11 (on Intel x86 or x86-64 processor architecture)
  • MacOS (in preparation)

Which LANCOM gateways support LTA?

  • All LCOS-based routers (hardware or vRouter) as of LCOS 10.80
  • All LCOS FX-based firewalls (hardware or vFirewall) from LCOS FX 10.13


Which licences are required for the operation of LTA and how is licensing carried out?

LANCOM Trusted Access Client

Licences for the LANCOM Trusted Access Client can be purchased with terms of 1, 3 and 5 years for different numbers of users (1, 10, 25, 100, 250 or 1,000). Licences are per user (i.e. not per end device). With an LTA licence, up to three end devices can be used in parallel per user. All LTA licences are always assigned to exactly one project in the LANCOM Management Cloud (LMC) (queried when ordering) and are non-transferable. The employees of a company who are either added and activated in the local user administration or are included in the primary group of the IdP user administration (suitable Active Directory group, e.g. "LTA User") are decisive for the user count. All potentially authorised users are therefore subject to licensing.

Trusted Access Gateway (router or firewall)

All LTA gateways must have an active LMC licence.
On LCOS-based gateways, one free VPN channel is required per user. Content filtering for web traffic is only available in conjunction with the corresponding LANCOM Content Filter software option. An active Basic or Full licence is required on LCOS FX-based gateways. Content filtering, IDS / IPS, antivirus and SSL inspection for web traffic is only available in conjunction with a corresponding full licence.

Is there an LTA test licence?

Yes, a free LTA starter licence is available. This allows you to test LANCOM Trusted Access for a maximum of 30 days and 25 users. The prerequisite for this is an LMC organisation or an LMC project, which is made available free of charge via the partner programme. The LTA starter licence is stored once in your licence management under "LTA user licences" and is automatically activated after the configuration of the first LTA user or a user group activation from an Active Directory. LTA operation in NFR and demo projects without a chargeable LMC licence is not supported.

What happens if not enough licences are activated for a project?

If you have activated insufficient LTA licences for the number of managed LTA users, you will receive corresponding messages. After a multi-stage reminder process, all accesses will be blocked. To prevent this, please purchase additional licences in good time.

Setup & operation

Can LANCOM LTA gateways be configured with LANconfig?

  • Configuration of LTA gateways with LANconfig is currently not supported

How is user administration organised?

With LTA, user authentication according to the zero trust principle is usually carried out via a central user database ("identity provider", e.g. an Active Directory). This can be either a local Microsoft Active Directory (with LMC connection via Azure AD Connect) or a cloud-hosted Active Directory (Microsoft Entra ID, formerly Azure AD). For small companies without a centralised user database, a user management system integrated into the LANCOM Management Cloud is available as an alternative (LMC-internal user table).

How can Trusted Access be set up?

LANCOM Systems offers a comprehensive Trusted Access onboarding programme with step-by-step instructions and training videos as well as further information for different scenarios and thematic focuses (sales, technology). This programme is aimed at LANCOM partners who want to set up Trusted Access in their company and/or with their customers.

What is the difference between the LANCOM Trusted Access Client and the LANCOM Advanced VPN Client?


Advanced VPN Client

Trusted Access Client

Operating mode




Manual pre-configuration of all access parameters per client

Zero-touch / Auto-configuration: No pre-configuration is necessary. Users are automatically assigned to the correct project based on their e-mail domain. Client configuration and assignment is carried out centrally via the LMC.



Central monitoring dashboard in the LMC

Access rights

Full access to the intranet

Individual applications or alternatively in smaller deployment scenarios with full access to the intranet. However, it is recommended to limit access per user group to the required applications and to separate the local applications from each other on the network side.

Lateral protection (e.g. against ransomware)

Entire intranet accessible

When using application filtering in conjunction with micro-segmentation (Private VLAN)

Endpoint Security


Clients can be specified that the virus scanner and firewall must be active on every client and that there is a minimum version or patch level for the operating system. Clients that do not fulfil the requirements can be blocked automatically.

ClientKonfiguration /ChangeManagement

Manual per client

Automatic / centralised via LMC

Centralised user management


Via Active Directory or user tables in the LMC

Two-factor or multi-factor authentication (2FA / MFA)


Only when using Microsoft Active Directory; not in conjunction with local user table


Licence must be activated manually for each client

Licensing takes place centrally via the LMC (pre-paid or pay-per-use)

Regular software updates


Included over the entire term

More information

Your question was not included?

Then please use our contact form to clarify any open questions or give us a call. We look forward to helping you.

Back to LANCOM Trusted Access Client

We answer your questions

Your direct line to us

Most questions can be resolved best in direct contact.

We look forward to answering your questions and requests by phone or via the contact form.

Inside Sales International Team
+49 (0)2405 49936 122