Horizon

What is Horizon?

Horizon is a Zero Trust access control and security monitoring service built directly into the Mutexer platform. It provides the capability to securely expose internal services - such as web-based HMIs, monitoring dashboards, REST APIs, configuration panels, or any HTTP/HTTPS-accessible application - running on agent-connected devices to the public internet, without requiring manual management of firewalls, DNS records, TLS certificates, or reverse proxy infrastructure. Each service exposed through Horizon is called a circuit (also referred to as a connection), and every circuit is automatically assigned a unique, publicly accessible domain under *.horizon.mutexercloud.com. Horizon is not a single tool but rather two tightly integrated components: a settings and management interface for creating circuits, configuring access policies, and defining security rules, and a real-time logging and monitoring dashboard for observing every request that passes through circuits, reviewing authentication attempts, visualizing geographic traffic patterns, and monitoring 24-hour aggregate statistics. Together, these components provide full control over who can access exposed services, from where, and under what conditions, while also providing complete visibility into how those services are being used.

Why Horizon?

In industrial automation environments, there is a growing need to provide controlled web-based access to devices and services that were traditionally only reachable on private, isolated networks. An operator may need to access a PLC's web-based configuration interface from a remote office. A vendor may require temporary access to a device's diagnostic API to troubleshoot an issue. A monitoring dashboard running on an edge device may need to be accessible to a distributed team of engineers. Historically, achieving this kind of access required either opening ports on firewalls and configuring port-forwarding rules on routers (which is inherently insecure, error-prone, and difficult to audit), or setting up and maintaining a full reverse proxy infrastructure with TLS certificate management, DNS configuration, and access control lists (which requires significant expertise and ongoing maintenance). Horizon eliminates all of this complexity by providing a fully managed, platform-integrated solution. When a circuit is created in Horizon, the platform automatically provisions a public domain, handles TLS termination, enforces the configured access policies, applies security rules, logs every request, and routes allowed traffic through the existing Mutexer Agent to the target service on the device's local network. No additional software is required on the device, no DNS records need to be created, no certificates need to be renewed, and no firewall rules need to be maintained.

Points of Difference

Horizon differentiates itself from traditional remote access solutions in several important ways. First, it operates on a Zero Trust by default model, meaning that every circuit starts with no implicit access - nothing is reachable until an access policy is explicitly configured, requiring a conscious decision about whether a circuit should be public, limited to project members, or restricted to specific named users. Second, Horizon is deeply integrated with the rest of the Mutexer platform, meaning it works seamlessly with existing Agents, projects, environments, and user management - there is no separate identity system, no additional credentials to manage, and no external services to configure. Third, Horizon provides layered security by combining multiple independent security mechanisms - access policies (who can connect), IP filtering via CIDR rules (where they can connect from), country-level geographic blocking, automated bot and vulnerability scanner detection - all operating simultaneously on every request. Fourth, Horizon delivers full observability out of the box, with detailed request logs, authentication and access logs, 24-hour aggregate statistics, and an interactive geographic world map, providing full visibility into the traffic reaching each circuit and whether it was allowed or blocked.

How it Works

At its core, Horizon operates as a managed reverse proxy service. Creating a circuit defines a mapping between an internal service (identified by agent, IP address, and port) and a publicly accessible HTTPS endpoint, along with the access policies and security rules that govern which requests are permitted to reach that service. The platform provisions a unique public domain for the circuit and begins accepting HTTPS traffic on that domain. When a request arrives at the domain, it first passes through the Horizon proxy layer, where it is subjected to every configured security check - the IP filtering rules verify the source address is not blacklisted (or is whitelisted if whitelist rules are configured), the country blocking rules verify the request does not originate from a blocked geography, the bot detection layer checks the User-Agent string against known scanner signatures, and the access policy verifies the user's identity and authorization. Only if the request passes every one of these checks is it forwarded through the Mutexer Core API to the appropriate Agent, which then delivers it to the target service on the device's local network. The response follows the reverse path back to the user. Every step of this process - including blocked requests - is logged and available in the monitoring dashboard.

Accessing Horizon

Horizon is available at the project level within the Mutexer platform. The settings interface, where circuits are created and managed, is accessible through the project settings tab. The logs and monitoring dashboard is accessible from within the same project context. Both interfaces require the user to be an authenticated member of the project.

INFO

Horizon requires at least one device with an active Agent connected to the project. The Agent acts as the bridge between the Horizon proxy and the services running on or accessible from the device.

WARNING

Horizon requires Agent version 1.0.19 or higher. Devices running an older Agent version are not compatible with Horizon and must be upgraded before circuits can be created or traffic routed through them. For upgrade instructions, see Upgrading the Agent.