Edge Agents

Deploy Nuxari Edge Agents to collect governance evidence from air-gapped, on-premises, and isolated environments.

Last updated: June 2026

Who this is for

Admins managing hybrid or on-premises infrastructure who need governance coverage for systems that cannot be reached directly from the internet.

Before you start

You need an admin role to register, view, and revoke edge agents. Your network team should confirm that outbound HTTPS connectivity is available from the network segment where you plan to deploy the agent.

What edge agents are

Edge Agents are lightweight Nuxari components that you deploy inside your on-premises or air-gapped environment. They collect governance evidence from local systems, such as Linux hosts, on-premises directories, and isolated network segments, and send structured summaries back to Nuxari over an outbound-only HTTPS connection. No data is pulled directly into Nuxari; the agent decides what to send, and it sends only structured summaries, not raw file contents or logs.

Edge Agents make outbound-only connections. No inbound ports are required, so your network perimeter remains closed. The agent initiates all communication; Nuxari does not connect back into your network.

When to use edge agents

  • You have on-premises Linux or Windows servers that cannot be exposed to cloud connectors.
  • You operate in a classified or restricted network segment that cannot accept inbound connections.
  • You need governance evidence from isolated environments as part of a broader compliance posture.
  • You want to run the Linux Posture Pack against on-premises hosts.

How to register an agent

  1. Go to Settings > Edge Agents

     In Nuxari, navigate to Settings > Edge Agents. Click Register Agent.

  2. Name the agent

     Give the agent a name that identifies the environment it will cover, for example, 'datacenter-east' or 'isolated-segment-2'. Click Generate Token.

  3. Copy the registration token

     Nuxari generates a one-time registration token. Copy it; this token is shown only once. Use it to complete the agent setup in your target environment following your organization's deployment process.

  4. Confirm the agent is active

     After the agent starts and connects, return to Settings > Edge Agents. The agent should show a status of Active with a last-seen timestamp.

Viewing agent health

In Settings > Edge Agents, each registered agent shows one of the following statuses:

  • Active: the agent has checked in within the expected interval.
  • Disconnected: the agent has not checked in recently. Check network connectivity in the target environment.
  • Error: the agent encountered a problem. Review the error message in the agent detail view.

What agents collect

Edge Agents collect structured governance summaries from local systems, for example: a list of local user accounts and their enabled/disabled status, active sudo privilege assignments, and service account configurations. Agents never send raw log files, file contents, or unstructured data. Only structured, governance-relevant summaries are transmitted.
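
To illustrate the difference between a structured summary and raw file contents, the following added example (not Nuxari's agent code or wire format) reduces constructed passwd, shadow, and sudoers text to account status and sudo assignments without carrying password hashes or command lines. The field names, the locked-password and UID heuristics, and the sample data are all assumptions made for this illustration.

```python
import json

# Constructed sample file contents (not from a real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
svc-backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""
SHADOW = """root:$6$constructed$hashA:19700:0:99999:7:::
svc-backup:!:19700::::::
alice:$6$constructed$hashB:19700:0:99999:7:::
bob:!$6$constructed$hashC:19700:0:99999:7:::
"""
SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%wheel ALL=(ALL) ALL
"""

def summarize(passwd, shadow, sudoers):
    """Reduce raw file text to a summary; hashes and command lines are dropped."""
    # Assumption: a password field starting with "!" or "*" marks the account disabled.
    locked = {}
    for line in shadow.splitlines():
        f = line.split(":")
        if len(f) >= 2:
            locked[f[0]] = f[1].startswith(("!", "*"))
    accounts = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue  # skip malformed entries
        uid = int(f[2])
        accounts.append({
            "name": f[0],
            "enabled": not locked.get(f[0], True),
            # Assumption: non-root UIDs below 1000 are service accounts (distro-dependent).
            "service_account": 0 < uid < 1000,
        })
    sudo = []
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        principal, _, spec = line.partition(" ")
        sudo.append({"principal": principal, "is_group": principal.startswith("%"), "nopasswd": "NOPASSWD:" in spec})
    return {"accounts": accounts, "sudo_assignments": sudo}

if __name__ == "__main__":
    print(json.dumps(summarize(PASSWD, SHADOW, SUDOERS), indent=2))
```
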

Revoking or archiving an agent

To revoke an agent, go to Settings > Edge Agents, select the agent, and click Revoke. The agent's token is immediately invalidated, and the agent will no longer be able to connect. To archive an agent without revoking it immediately, click Archive. Archived agents are retained in your history but do not appear in active evaluations.
