Skip to content

Installation on Windows (in Asset Mode)

XplicitTrust can run on Windows systems in two modes:

  • Client Mode: for regular users to access services (like SSH, HTTPS, remote desktop, etc).

  • Asset Mode: services (like SSH, HTTPS, remote desktop, etc) can be remotely accessed from an XplicitTrust client, or from another system running in Asset Mode.

On this page are the instructions for Asset Mode:


  1. On the firewall:
    Allow TCP port 443 (“HTTPS”) outgoing (usually already enabled).
    If possible, allow UDP port range 51820 - 60000 outgoing for best experience.


  1. Download client at

  2. Double click on the downloaded file to install (and accept any prompts, if necessary).
    Please wait until you see a system tray icon that looks as follows, before moving to the next step:

    # Only if “Server Core”
    # Run the following (in Downloads folder),
    # then wait ca. 30 seconds before next step:
    msiexec /i xtna-agent.msi /qn
  3. Run in cmd (use your email address instead of the placeholder):

    • New Users trying out the system may want to use -allow-all-clients flag to assign the asset to the "Allow All" policy. While to be used cautiously in production, it is a good way to quickly experience how easy it is to connect systems in XplicitTrust without worrying about policies:

      # Asset will be added to the "Allow All" policy:
      xtna-util -user <your_email_address> -allow-all-clients
    • Experienced users may want to take advantage of various command line options, depending on circumstances:

      -name <name>               Asset name (defaults to hostname)
      -tags <tag1,...,tagN>      Comma-separated list of tags to be assigned to asset
      -allow-all-clients         Assign created asset to the 'Allow All' policy
      -qr                        print authentication URL as QR code

      Some examples (you can of course also combine any way you like):

      # Simply create the asset ('Deny All' policy will apply) and print the authentication URL as a QR code (for scanning with the mobile phone):
      xtna-util -user <your_email_address> -qr
      # Create asset and name it 'crm-server' ('Deny All' policy will apply):
      xtna-util -user <your_email_address> -name crm-server
      # Create asset and assign the tags 'sales-servers,marketing-servers' ('Deny All' policy will apply):
      xtna-util -user <your_email_address> -tags 'sales-servers,marketing-servers'
      # Create asset and assign to 'Allow All' policy
      # Careful, it may be better to use policies
      xtna-util -user <your_email_address> -allow-all-clients

      A Note About Email Addresses

      The email adress needs to be the same one you use to login to the XplicitTrust admin portal. In almost all cases this is the email address you use for single-sign on at your company.

      xtna-util -user

      A Note About Policies

      The default policy is 'Deny All', meaning no client and / or asset has access to a new asset after it is created.

      You can grant access to this asset by creating or updating an existing policy:

      You also have the option of assigning an asset to the 'Allow All' policy during installation by using the '-allow-all-clients' command line option specified above.

      Special Case: Allowing Asset Access to Another Asset

      We currently have a special case (temporarily): Granting one or more asset(s) access to an asset (rather than granting clients access, as outlined above).

      This is possible, but does not happen on the regular policy page. Instead, you need to go the Asset Policy page:

  4. Copy the URL that cmd returns, and open it from a browser (on a machine where you are logged in to the XplicitTrust admin console).

  5. A window (on the machine where you are installing) will open asking if you want to import the XplicitTrust config file.

    If you don't see the window, please look in the task bar (not the system tray) for an icon that looks like this (highlighted in red), and click on it:

    Agree Window

    Please click "Yes" in the window:

    Agree Window

  6. The XplicitTrust icon in the system tray should now look like this:


    This means the installation was successful, and the system is now connected.

    Troubleshooting Tip

    If you encountered problems during the installation, please check that your Windows sandbox is disabled. Windows sandbox networking can interfere with the host machine's networking.

    How to Disable Windows Sandbox:

    Use the search bar on the task bar and type 'Turn Windows Features on or off' to access the Windows Optional Features tool. Unselect Windows Sandbox and then OK. Restart the computer if you're prompted.


Go to

  1. Click "Create new" button, fill out form, click "Apply"

  2. Click "Download Config" icon at top of the form box:

    Download Config Icon

  3. On the firewall Allow TCP port 443 (“HTTPS”) outgoing (usually already enabled).
    If possible, allow UDP port range 51820 - 60000 outgoing for best experience


1) Download client at

2) Double-click on the the downloaded xtna-agent.msi

# Only if “Server Core”: run in `cmd.exe`:
msiexec /i xtna-agent.msi /qn

3) Double-click on the downloaded config file xtna-*.xtconfig

# Only if “Server Core”: run in `cmd.exe`:
xtna-util -import xtna-*.xtconfig

System Tray Icons

If not "Server Core":

You can see the status of your XplicitTrust Windows client in the system tray at the bottom right of the screen:

Running XplicitTrust tunnels are up and running, click on it to see status information.

Authenticating Windows client is authenticating itself, tunnels are not up yet.

Offline Windows client is offline.

Tested Windows Versions:

Windows 10, Windows 11, Windows Server 2019, Windows Server 2019 Core, Windows Server 2012