Identity-Aware Access
vs. Network Extension
FactoryTalk Remote Access creates an industrial VPN. Agilicus AnyX replaces the need for one.
Discover why Layer 7 precision beats Layer 3 connectivity for modern security.
The Fundamental Difference
The choice between Agilicus and FactoryTalk Remote Access is a choice between Universal Application Access and Hardware-Bound VPN Connectivity.
Agilicus AnyX (Layer 7)
Understands Application layer like HTTP, VNC, SSH. Can block password stuffing, restrict specific URLs, and protect individual files. Users never touch the network.
FactoryTalk Remote Access (VPN Tunnel)
Creates a Layer 3 VPN tunnel to industrial equipment. Requires dedicated Stratix routers or runtime software, and requires a heavy client on the user’s PC.
Security Model Comparison
Agilicus User
HTTPS Only
→
App
Only
FactoryTalk User
Full Network Pipe
→
Network
Adjacency
*With FactoryTalk Remote Access, if a remote engineer’s device is compromised, malware can bridge into the OT network via the VPN tunnel. With Agilicus, they see nothing but the specific web app authorised.
Why Modern Teams Choose Agilicus
Compare capabilities side-by-side.
Feature
Agilicus AnyX
FactoryTalk Remote Access
Granular Authorisation
How specific can access rules be?
Per URL & File
Layer 7 Precision
Per Device
No application-layer inspection (e.g. no read-only VNC)
Client Requirement
What does the user need to install?
None (Browser Only)
Heavy Client & Local Gateway Required
Identity Providers
Can you use Google, Microsoft, Okta etc simultaneously?
Multiple Concurrent
Mix Okta, Google, Microsoft, etc
FactoryTalk Hub Identity
Layer 3 Adjacency
Can users ping devices on the network?
No (Zero Trust)
Prevent lateral movement
Yes (Layer 3 Tunnel)
Bridges engineer’s PC to the OT network
Threat Protection
Does it inspect traffic content?
Identity-Aware Web Application Firewall
Handle cross-site scripting, content vulnerabilities
Encrypted Tunnel
Opaque to industrial protocol content
Overlapping IPs
Handle duplicate subnets on local and remote site(s)?
Native Support
No conflict, operates at layer 7
Handled via 1:1 NAT mapping
Requires NAT+port-forward, or, re-subnetting
Vendor Agnostic
Does it work with all vendors?
Yes. Work with any PLC, HMI, Historian.
Any resource from any vendor.
Handled via 1:1 NAT mapping
Rockwell Automation proprietary
Clientless Universal Access
Stop managing VPN clients. Agilicus AnyX works on any device with a browser—desktop, tablet, or phone.
- Ideal for contractors & BYOD
- No MDM required
- Zero friction onboarding
Granular Authorisation
Don’t just grant network access. Control exactly what users can do inside the application.
- Restrict specific URLs
- Control file share access
- Stop password stuffing attacks
Network Simplification
Solve the hardest networking problems without re-architecting your infrastructure.
- Outbound-only (Starlink/CGNAT)
- Overlapping IP support
- Multi-IdP Single Sign-On
Ready to move beyond the VPN?
Experience the security of an Identity-Aware Proxy, Zero Trust, Zero Compromises. No Clients to manage, no lateral movement to fear.