Business VPN & ZTNA without the legacy appliance and the open-port footgun
Replace your aging VPN concentrator with zero-trust network access. Cloudflare Access, Tailscale, Twingate, Zscaler ZPA. Per-user conditional access, no listening ports on the internet, full audit trail your auditor will actually thank you for.
No agent install. No replacement firewall. Migration plan covers your existing concentrator, identity provider, and per-app cutover order. Delivered in 5 business days.
ZTNA right now
incidents on our managed estate
from request to first login
enforced on every session
Three lanes for remote access. Pay per user. Cancel any time after the first 12 months.
Same network engineers, same monitoring, same identity-provider integrations. The difference is which broker you sit on and whether branch SD-WAN and SSE bundles are in scope.
- Manage your existing IPsec or OpenVPN concentrator (SonicWall, Fortinet, Cisco ASA, Palo Alto, OpenVPN AS)
- MFA enforcement via Duo, Microsoft Authenticator, or Okta Verify
- Basic session logging shipped to your SIEM or our SOC
- Monthly account-hygiene report (stale users, orphaned tunnels)
- 24/7 break-fix on the concentrator with 15-min P1 response
- Quarterly review on whether you should be on ZTNA yet
- Cloudflare Access or Twingate as the broker (you pick or we recommend)
- Identity-aware proxying tied to Microsoft Entra, Okta, Google, or JumpCloud
- Device-posture enforcement: managed device, EDR healthy, OS patched within 30 days
- Per-app access policies, time-windowed sessions, agentless browser access for BYOD
- Full audit trail (user, device, app, time, action) for SOC 2 CC6 and NIST 800-207 evidence
- Migration plan, parallel run, and old-concentrator decom included
- Everything in ZTNA Standard, on Zscaler ZPA or Netskope
- Branch SD-WAN overlay: Cato Networks, Palo Alto Prisma SASE, or Versa
- Full SSE bundle: ZTNA + SWG + CASB + DLP under one console
- Microsegmentation for east-west traffic inside the data center
- Named network engineer on your account, monthly architecture review
- FedRAMP Moderate path for federal-adjacent vendors
Seven access patterns. The difference between "VPN tunnel into the LAN" and "per-app, per-user, per-session."
If you read one section on this page, read this one. It's the practical difference between an attacker getting one user's password and an attacker getting your whole network.
| Use case | Old way (VPN) | ZTNA way | Why it matters |
|---|---|---|---|
| Remote employee access | Full-tunnel VPN with split DNS, drop user onto the LAN | Per-app ZTNA broker with identity + device posture | No flat-network blast radius if a credential is stolen |
| Contractor / agency access | Shared VPN account, manual offboarding | Time-bounded SSO with posture check, auto-expires | No shared creds, no orphaned access after the contract ends |
| Site-to-site | IPsec tunnel to a hub, then trust everything | SD-WAN overlay or per-app ZTNA between sites | No static tunnel sprawl, no implicit trust between branches |
| BYOD / personal device | Full VPN agent on a personal laptop, full corporate access | Clientless browser-isolated access, no data on the device | No agent footprint, no data exfil to a personal hard drive |
| M&A IT integration | Peered VPN between two networks, weeks of firewall changes | Federated identity + ZTNA brokers, per-app access from day one | Weeks not months, and no flat-network bridge between two estates |
| Privileged admin access | Jump-host with shared SSH key, manual log review | Per-session approval, session recording, RDP / SSH proxied | Fully audited, every keystroke logged, no shared keys |
| Auditor / vendor access | Pre-shared link, often emailed in plain text | Time-windowed SSO with watermarked session recording | Clean evidence trail, expires automatically, no leaked links |
Want the per-app cutover playbook we use? Ask for the ZTNA migration packet. Includes a sample 60-day cutover plan and a decom checklist for SonicWall, Fortinet, and Cisco ASA.
One brute-forced shared VPN account. 380 users moved to ZTNA in a single Saturday.
A 380-employee logistics firm in Memphis ran a 7-year-old SonicWall concentrator with a non-MFA shared account for vendor access. A Russian threat actor brute-forced it, got dropped onto the LAN, and started enumerating shares. We arrived. Names changed, timing real.
"Mid-South Freightline" · 380 employees · Memphis, TN
- Day 0, 14:22 SonicWall logs show 9,400 failed logins in 6 hours from a Russian IP block, then a successful login on the shared vendor-share account. SOC isolates the session, kills the tunnel, password rotated.
- Day 0, 16:00 Blast-radius check. Attacker had 1 hour 38 minutes on the LAN. CrowdStrike telemetry shows enumeration of 4 file shares, no writes, no exfil over 50MB. Nothing pulled.
- Day 1 Joint call with client. Decision: cut over to Cloudflare Access immediately. Existing concentrator stays for 30 days as fallback only. Identity provider: Microsoft Entra (already in place for M365).
- Day 2 to 4 App inventory: 14 internal apps in scope (file shares via SMB connector, on-prem ERP, Jira, internal wiki, RDP to 3 Windows hosts, vendor portals). Cloudflare connectors deployed inside the LAN. Posture check: managed device + EDR healthy + OS patched within 30 days.
- Day 5, evening User comms sent. Self-serve enrollment guide, 5-minute video, support hotline staffed for the weekend.
- Day 6, Saturday Cutover day. 380 users enrolled between 06:00 and 18:00 CDT. Zero outage tickets. The 4 contractors who tried the old VPN were redirected to the new self-serve flow and were online inside 11 minutes.
- Day 7, Monday 09:00 Monday morning. Zero help-desk tickets tied to access issues. SonicWall logs go silent for the first time since installation. Old concentrator put in maintenance mode.
- Day 30 SonicWall powered down. Decom complete. Auditor signs off on NIST 800-53 AC-17 in one pass. Cyber insurance carrier downgrades the firm's network-access risk score, premium drops 9 percent at renewal.
The zero-trust framework your auditor and your insurance carrier are already scoring you against.
Every ZTNA deployment ships with a control-mapping packet. Your SOC 2 evidence binder, your HIPAA risk analysis, and your CMMC self-assessment all get a pre-built section on remote access. Below is the short list. The proposal includes the full mapping.
Your cutover is run by named, US-based network engineers. No overseas tier-one wall.
Our network and identity team is in-house across Tampa, Orlando, Chicago, Atlanta, and Detroit. The lead engineer on your migration is named in the scoping call and runs the cutover end to end.
Five questions. Honest answers.
Do we have to rip out our existing VPN today?
No. Most of our migrations run the legacy VPN and the new ZTNA broker side by side for 30 to 60 days. Critical apps go on ZTNA first, the long tail of intranet apps follows on a per-app schedule, and the old concentrator is decommissioned only when the last app moves over.
We have done this with SonicWall, Fortinet FortiGate, Cisco ASA, Palo Alto GlobalProtect, and OpenVPN concentrators. The longest cutover we have run was 11 weeks for a 900-user firm with 60-plus internal apps. The shortest was a Saturday.
What's the actual difference between a VPN and ZTNA?
A VPN drops a remote user onto the corporate network. Once they are in, they can route to anything the firewall allows, which is usually too much. A compromised laptop or stolen credential gets the attacker the same blast radius as a person sitting in your office.
ZTNA flips that. The user authenticates against an identity provider (Okta, Microsoft Entra, Google), the broker checks device posture (managed, patched, EDR running), and only then does it proxy a connection to the one specific app the user is allowed to reach. Nothing is exposed on the public internet. Every connection is logged with user, device, app, and time. NIST 800-207 calls this the zero-trust architecture, and CISA recommends it as the default for federal-adjacent work.
Will this work for our M365, Salesforce, and on-prem ERP all at once?
Yes. ZTNA brokers handle three patterns natively. Cloud SaaS like Microsoft 365 and Salesforce route through the IdP with conditional access policies (geo, device posture, risk score). Public web apps go through the broker as identity-aware proxies. On-prem and private-cloud apps (legacy ERP, internal Jira, file shares, RDP) get a lightweight connector inside the network and the broker proxies traffic to it.
The user experience is one login, one consistent posture check, and one audit trail across all three categories. Your auditor reviews one logging system, not three.
Can users get on without an agent?
Yes for browser-based apps. Cloudflare Access, Twingate, and Zscaler ZPA all offer agentless, browser-isolated access for web apps, which is how we handle BYOD and contractor laptops. The user goes to a branded URL, signs in with their corporate identity, and gets an isolated browser session that streams pixels back. No data lands on the device.
For native apps (RDP, SSH, thick-client ERP) the agent is required, and we deploy it via Intune, Jamf, or Kandji on managed devices. The agent is roughly 25MB and updates itself.
What does an attacker see if they get a user's password?
Without device posture and conditional access: nothing. Every ZTNA broker we deploy ships with phishing-resistant MFA (FIDO2 or hardware keys for executives, push with number-matching for everyone else), device-posture enforcement (managed device, EDR healthy, OS patched within 30 days), and risk-based step-up.
A stolen password from a phishing kit fails the posture check, gets flagged by the IdP risk engine, and the session is denied before any app sees it. Compare to a legacy VPN with username + password + a passive token: the same stolen credential walks right in and gets the attacker on your LAN.
Stop running a perimeter-shaped attack surface.
Every brute-forced VPN credential, every shared contractor account, every unpatched concentrator is a path to your LAN. ZTNA closes the listening port and puts identity and device posture in front of every app. Free 5-day migration plan, no commitment.