App distribution + always-on encrypted tunneling to any backend service — in one self-hosted platform your team owns and operates.
Modern deployment tools were built for modern apps. Legacy Windows applications — VB6, Delphi, COM-heavy, older .NET — need COM registration, DLL placement, .NET assembly setup, INI file configuration, and more. AppTunnel handles all of it automatically.
See how deployment works →Files are content-addressed by SHA-256. Only changed files are downloaded on update — even across different applications if the content is identical.
COM/regsvr32, .NET assembly registration, silent MSI execution, NSIS and Inno Setup installers, and custom PowerShell scripts — in whatever order your app requires.
Automatically write environment-specific values into config files at install time using a variable placeholder system. No manual steps, no user-modified configs.
Mark any file as launchable. Set a default executable. Users can select an alternative from the tray with one click — no separate deployment needed.
AppTunnel proxies any TCP or UDP traffic over an encrypted WebSocket connection. SQL Server is the most common use case, but there's no protocol restriction. Your apps connect to a local port as if the service were running on their machine — because as far as they're concerned, it is.
See why HTTP tunneling isn't enough →All tunnels a user is permitted to access establish automatically when they log into the tray and stay open. No manual tunnel setup, no per-app activation, no prompts.
SQL Server, PostgreSQL, proprietary database protocols, internal APIs, licensing servers — if it runs over TCP or UDP, AppTunnel can tunnel it transparently.
True bidirectional TCP tunneling preserves session state. Long-running queries, transactions, and stateful protocols all work exactly as intended.
Define a remote host once. Map it to multiple local ports across different environments or applications without duplicating configuration.
ISVs and MSPs can run a single AppTunnel server and serve multiple completely isolated customer tenants from it. Each tenant has its own applications, users, tunnels, environments, and configuration — with zero cross-tenant visibility enforced at the API level.
Within each tenant, admins control exactly which users have access to which applications and tunnels, per environment. No more "everyone gets everything" deployments.
Tenants cannot see each other's users, apps, tunnels, or files. Isolation is enforced at the API layer — not just the UI.
Tenant Admins manage their own users, apps, and tunnels independently. Server Admins operate the platform globally. Neither can exceed their scope.
Assign specific users to specific environments. A user sees only the applications and tunnels you've explicitly granted them — within their tenant.
Identical files are stored once across all tenants, content-addressed by SHA-256. When multiple tenants deploy the same application, you don't pay the storage cost twice.
Each tenant can run multiple environments that share the same application catalog but point to different databases, use different configuration values, and carry different secrets. Users can switch environments from the tray, and their tunnels update accordingly — no reinstall, no manual reconfiguration.
Variables resolve across five scopes: Server → Tenant → Environment → Application → Version. More specific values always win. Manage sprawling legacy app configuration without touching individual machines.
Your Production environment points to your production SQL Server. QA points to QA. The tray switches automatically — the app never needs to know which environment it's in.
All permitted tunnels across all environments stay active while the tray is running. Users don't wait for reconnection when switching between environments.
Legacy apps often need per-user credentials — API keys, database passwords, license codes. AppTunnel's secrets system lets each user store their own encrypted values, which are injected into the app at launch as environment variables or configuration placeholders. Admins define which secrets are required; users set their own values. No admin can read what a user stored.
Secret values are encrypted before storage. The encryption key is derived at runtime — values are never stored or transmitted in plaintext, even to your own server.
Admins define which secret keys an app version requires or accepts. Users set and update their own values from the tray. Admins cannot read user secret values.
Resolved secret values are passed as environment variables or substituted into launch arguments at runtime. They are never written to disk or logged.
A user can have different secret values for Production vs. QA — the right value is used automatically based on the active environment.
Not everything is an application. Shared certificates, reference data, templates, configuration files — File Stores let you distribute any collection of files to users' machines and keep them in sync automatically. Users open the folder directly from the tray.
File stores sync to a configured local path when the tray starts. Only files that are missing or have changed are downloaded — the same content-addressed delta logic used for apps.
File stores are scoped to environments. Production users get production certificates. QA users get QA certificates. No manual management required.
Each file store shows as a card with file count, total size, and the local path. Users can open the folder in Explorer with one click.
Getting the tray client to a new user is one download. Tenant admins generate a single pre-configured .exe from the web admin panel. It has the server address, tenant ID, and initial auth embedded. The user runs it, signs in, and immediately sees their applications. No config files, no ZIP archives, no setup wizard.
All connection details are embedded at generation time. The user doesn't need to know your server address, configure anything, or follow a setup guide.
Every tray binary is signed with Ed25519 before distribution. The signature is verified before any update is applied. The private key never leaves the developer's machine.
The tray checks for updates at startup and every six hours. When a new version is available, it downloads, verifies the signature, and restarts silently. Users always have the current version without IT intervention.
Email it, put it on a shared drive, post it on your intranet, or include it in your onboarding flow. It's one file — there's nothing to package or wrap.
AppTunnel exposes standard Prometheus endpoints and per-tenant usage data so you can monitor your deployment with the tools you already use — Grafana, Datadog, or any Prometheus-compatible stack. ISVs and MSPs get the billing-grade per-tenant breakdowns they need to charge customers accurately.
Standard /metrics endpoint in Prometheus exposition format. Scrape active users, tunnel session counts, request rates, error rates, and per-tenant breakdowns directly into your existing monitoring stack.
Drill into each tenant's active seat count, bandwidth consumed, tunnel sessions, and API call volume independently. Understand how each customer uses the platform without any cross-tenant data bleed.
Export per-tenant seat counts, usage hours, and data transfer totals for accurate chargeback and customer billing. The data you need to invoice your customers is already there — no manual counting required.
Usage data is retained over time so you can track growth, detect anomalies, and plan capacity — not just a snapshot of what's happening right now.
Deploy, update, connect, and manage — self-hosted on your own infrastructure.