ZTNA for internal use

Any MSPs having a good experience with using a ZTNA for their own purposes, protecting access to O365 and typical MSP resources like RMM, product management consoles, etc? I don’t think it’s something we can get buy-in from most of our clients yet, but I’m looking at protecting our own network. We have approx 20 techs, some WFH full time and some are out in the field on any given day. Seems like a better solution than the VPNs we use now, which often do cause issues and don’t protect everything. Any vendors to look at?

We have used Cloudflare to protect our login portals for ScreenConnect as well as Automate. Users must log in first with their Office365 credentials to even be able to log in to our RMM / ScreenConnect sessions.

This also stops our sessions from being listed on Shodan and has stopped any brute force attempts at trying to log into our sessions.

We started using Todyl

Anyone have experience with Zscaler? It’s interesting looking, but I haven’t gotten a call back yet.

Moved to Perimeter81 last year and it’s been solid. Much better than our old VPN setup.

Easy to segment access based on roles and the SSO integration is clean. Support is decent too.

Just make sure your internet is stable - it can get wonky on poor connections.

You could look at open source OpenZiti - https://openziti.io/.

Timus Networks

We use them for both ZTNA VPN replacement (SSO with Entra, and it has a ton of rules/checks to verify against impossible travel, existence of a specific EDR on the machine connecting from, etc.), as well as to work with conditional access policies in Azure environments for remote users connecting to WVD environments and the like.

Super solid and great to work with.

We’ve been trialing ControlOne and it works pretty well. The main issue I see is that it isn’t FedRAMP compliant. If you don’t have any customers in that space, it works.

We use Twingate for our MSP as well as resell it for clients that are required to have ZTNA. Super easy to use and deploy SSO with their O365 account, and it can also enforce policies on connecting workstations as well as granular resource access. Support has been helpful as well. Margins are small at $1/user (MSP is $4/user and MSRP is $5/user), but it works well imo.

I joined a company a few months ago that decided to replace its VPNs and move to ZTNA. I had to research some providers, and these were the ones that fit our needs best.

Thinfinity Workspace: Easy to set up and manage, super flexible for both WFH and field techs. It integrates with O365 and RMM, turned out to be the best fit for our setup, and we’re currently finishing the implementation without any issues so far.

Zscaler Private Access: Reliable and enterprise-grade, but it felt a bit overkill for a smaller team like ours, and the pricing was higher compared to other options.

Perimeter 81: Very user-friendly and straightforward, but the performance was occasionally inconsistent, especially for remote connections during peak hours.

We use Twingate here. Works quite well.

We JUST started this search ourselves. Perimeter 81 / Check Point has impressed us the most thus far.

We use Cloudflare, have about a dozen techs across the US. And a Sophos firewall to keep Cloudflare honest. With Cloudflare the tunnel is free for 50 users (it might be 25, but pretty sure that it’s 50), and after that it’s 2 bucks a user for anything after 50 (51 users is 2 dollars a month). And then we route most traffic over that. It’s worked pretty well.

You may take a look at Securden PAM for VPN-less remote access, https://www.securden.com/privileged-account-manager/how-to-grant-secure-remote-access-for-employees.html

As a Sophos, Sonicwall and Datto partner, we use Datto Secure Edge internally as it works the best out of those three.

I like Cloudflare for Zero Trust, but they do not provide a simple way to get a dedicated egress IP. They require an Enterprise subscription and don’t publish pricing. When I spoke to sales months ago, it sounded like they were going to be crazy expensive for my small firm.

We’re using Tailscale currently. Some would argue it is not the same as other ZTNA solutions, but it is very compatible with most hardware, super easy to deploy, and you can configure your endpoints as exit nodes. I’m still tinkering, but the idea is that I can have 2x exit nodes with static IPs to access IP-restricted SaaS and keep our internal resources like the UniFi Controller secure.

O365 is already publicly accessible. That’s not a valid use case. However, anything you host behind your FW is a good use case, so you don’t have to expose it through your FW.

In terms of vendors, Palo Prisma, Zscaler ZPA, and Cloudflare are good.

Also interested in how you are doing this…

I put our self-hosted ScreenConnect behind the Cloudflare WAF, but it sounds like you are going even a step further.

Are you using the free version of Cloudflare?
How are you blocking users from logging in directly to the SaaS apps? Is it via IP whitelists?
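Two posts above touch the same mechanism: pinning static egress IPs on exit nodes so that IP-restricted SaaS only accepts logins arriving through the ZTNA path, and the closing question of whether direct SaaS logins are blocked with IP whitelists. The following script is an added illustration of the defender-side check that goes with that setup, not code from any poster or vendor in this thread: once the tenant is restricted to the egress addresses, audit the sign-in log for successful logins that did not come from them, since each one is either a bypass of the allowlist or a gap in it. The egress addresses, the sign-in records and their field names (`user`, `ip`, `app`, `result`) are constructed for the example and are not any real tenant's export format.

```python
"""Audit SaaS sign-ins against a ZTNA egress allowlist (added example, constructed data)."""
import ipaddress
from collections import Counter

# Constructed: the static public IPs of the two exit nodes (documentation ranges, not real hosts).
EGRESS_ALLOWLIST = ["203.0.113.10/32", "203.0.113.11/32"]

# Constructed sample sign-in events; field names are an assumption for this example,
# not the schema of any particular identity provider's log export.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "app": "Office 365", "result": "success"},
    {"user": "bob@example.com", "ip": "198.51.100.7", "app": "Office 365", "result": "success"},
    {"user": "carol@example.com", "ip": "203.0.113.11", "app": "RMM console", "result": "success"},
    {"user": "dave@example.com", "ip": "192.0.2.44", "app": "Office 365", "result": "failure"},
    {"user": "erin@example.com", "ip": "not-an-ip", "app": "Office 365", "result": "success"},
    {"user": "bob@example.com", "ip": "2001:db8::1", "app": "Office 365", "result": "success"},
]


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects once, so each event is a cheap membership test."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def is_allowed(ip, networks):
    """True only if the address parses and falls inside one of the allowlisted networks.

    Unparseable or missing addresses are treated as NOT allowed (fail closed): a log line with
    a broken source field should surface for review rather than silently pass the audit.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # An IPv6 address is never "in" an IPv4 network (and vice versa), so a v6-only egress
    # gap shows up as a finding instead of being masked by a v4 allowlist.
    return any(addr in net for net in networks)


def find_bypass_signins(events, cidrs):
    """Return successful sign-ins whose source IP is outside the egress allowlist.

    Failed attempts from outside are expected noise (the allowlist did its job, or the
    credentials were wrong); only successes from outside indicate a bypass or a hole.
    """
    networks = build_allowlist(cidrs)
    return [
        event for event in events
        if event.get("result") == "success" and not is_allowed(event.get("ip", ""), networks)
    ]


def summarize_by_user(findings):
    """Count bypass findings per user, to spot accounts that routinely skip the ZTNA path."""
    return dict(Counter(event["user"] for event in findings))


if __name__ == "__main__":
    hits = find_bypass_signins(SAMPLE_SIGNINS, EGRESS_ALLOWLIST)
    for event in hits:
        print(f"BYPASS  user={event['user']:<20} ip={event['ip']:<14} app={event['app']}")
    print("per-user counts:", summarize_by_user(hits))
```

On the constructed data this flags bob (twice, once over IPv4 and once over IPv6), and erin (unparseable source), while dave's failed attempt is ignored. In a real tenant you would feed the same functions the sign-in export and the egress addresses actually advertised by your exit nodes; a non-empty result after the allowlist is in place means the SaaS side is not enforcing it the way you expect.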