# Gateways

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FakdhgZ76MX49kJJbPScK%2Fgateway.jpg?alt=media&#x26;token=b511fac0-f22f-4b6c-a362-d8dc86272e5c" alt=""><figcaption></figcaption></figure>

## Overview

The Keeper Gateway is a service that is installed on any Docker, Linux or Windows machine in order to execute rotation, discovery, connection and tunneling. A single Gateway can be used to communicate with any target infrastructure, both on-prem and cloud. Typically, customers deploy a Keeper Gateway in each environment that is being managed.

### **Platforms Supported**

* [**Docker**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-docker)
* [**Windows**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/windows-installation)
* [**Linux**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/linux-installation)

### Platform Specific Capabilities

The Keeper Gateway offers different feature capabilities based on the underlying operating system and hardware. We recommend using Docker on a Linux or Windows host with x86-64 CPUs for full feature support and ease of management.

| Platform                                                                        | Compatibility                                                                                  |
| ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| <mark style="color:green;">**Docker (Linux or Windows host w/ x86-64)**</mark>  | <ul><li><mark style="color:$success;"><strong>All features supported</strong></mark></li></ul> |
| **Docker** (Linux host on ARM)                                                  | <ul><li>No Remote Browser Isolation</li></ul>                                                  |
| <mark style="color:green;">**Linux (Enterprise Linux 8 and 9 variants)**</mark> | <ul><li><mark style="color:green;"><strong>All features supported</strong></mark></li></ul>    |
| **Linux** (Non-EL variants)                                                     | <ul><li>No Remote Browser Isolation</li></ul>                                                  |
| **Windows Native**                                                              | <ul><li>No Remote Browser Isolation</li><li>No database connections</li></ul>                  |

## System Requirements

System requirements vary based on the number of simultaneous user sessions and the types of connections being established. As the volume of simultaneous connections grows, CPU and memory resources must be scaled accordingly.

### Non-RBI Connections

For non-RBI connections, Keeper Gateway follows a predictable scaling model based on concurrent sessions.

**General Sizing Guidelines (Non-RBI Sessions)**

> **1 CPU core and 2 GB of memory for every 25 concurrent sessions**

| Non-RBI Concurrent Sessions | CPU Cores  | Minimum RAM |
| --------------------------- | ---------- | ----------- |
| 0-25                        | 2          | 8 GB        |
| 26-50                       | 3          | 12 GB       |
| 51-100                      | 4          | 16 GB       |
| 101-200                     | 8          | 32 GB       |
| 200+                        | Contact Us | Contact Us  |

### RBI Connections

Remote Browser Isolation (RBI) sessions have significantly higher resource requirements compared to standard gateway connections.

Each RBI session launches a dedicated headless Chromium instance, which consumes substantially more memory than non-RBI sessions.

* Estimated memory usage per RBI session: up to 800 MB
* Memory consumption scales linearly with the number of concurrent RBI sessions
* CPU requirements also increase depending on page complexity and user activity

**General Sizing Guidelines (RBI Sessions)**

> 800 MB per RBI Connection

| RBI Concurrent Sessions | CPU Cores  | Minimum RAM |
| ----------------------- | ---------- | ----------- |
| 1-5                     | 4          | 8 GB        |
| 6-10                    | 6          | 16 GB       |
| 11-20                   | 8          | 32 GB       |
| 21-40                   | 16         | 64 GB       |
| 40+                     | Contact Us | Contact Us  |

### **Recommendation**

A minimum of 2 CPU cores and 8 GB of RAM is recommended for any deployment, even small environments.

#### **Test Environments**

For testing or sandbox environments, a minimum of 2 CPU cores, 8 GB of memory, and 10 GB of storage is required.

#### **Production Environments**

For production deployments, a minimum of 4 CPU cores and 16 GB of memory is required.

Scale CPU and memory resources based on the number of concurrent sessions, and refer to the sizing tables above for guidance.

## Installation Steps

The Keeper Gateway generates encryption keys and a local Secrets Manager configuration that is used to authenticate with the Keeper cloud. Where these are stored depends on the context in which the Gateway is run: it can be installed for the local user or installed as a service.

* Log in to the **Keeper Web Vault** or **Desktop App**
* Click on **Secrets Manager** on the left side
* Create a new Secrets Manager Application or select an existing application
* Click on the "**Gateways**" tab and click "**Provision Gateway**"
* Select Docker, Linux or Windows install method
* Install the Keeper Gateway using the provided method

When creating a Keeper Gateway with the one-time token method for Linux and Windows, you can select "Lock external WAN IP Address of device for initial request". This IP-locks the Gateway, in addition to the authentication and encryption built into the service.

#### Installation Methods

Based on your operating system, refer to the corresponding guide for installing the Keeper Gateway:

* [**Docker**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-docker)
* [**Podman**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-podman)
* [**Linux**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/linux-installation)
* [**Windows**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/windows-installation)

Container Services:

* [**Azure Container Instance**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/gateway-on-azure-container-instance)
* [**Azure Container App**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/gateway-on-azure-container-app)
* [**AWS ECS**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/gateway-on-aws-ecs)

#### Additional Installation Configurations

If you are installing on an EC2 instance in AWS, the Keeper Gateway can be configured to use the instance role for pulling its configuration from AWS Secrets Manager. Detailed instructions on this setup can be [found here](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways/advanced-configuration/gateway-configuration-with-aws-kms).
