Zscaler Private Access or Always-On VPN as Checkpoint VPN replacement

Dear folks,

Our Checkpoint VPN solution is old and insecure, and needs a reconfiguration, as the configuration is about 15 years old. MFA, certificates or something like that is a must (we use standard username + password today). We have ZIA running and also use many Microsoft services; we have Azure AD with MFA, CA etc. running. The main goal is to connect to (old) "on-prem" services which need a local connection, like LDAP, SAP R/3 etc.

When doing a redesign now, I want:
- a pre-auth login (machine login), maybe combined with a user login with MFA, but in any case seamless with Azure AD and/or automatic certificates. No manual connection.
- to use as few clients as possible (best is none) or a client we already use (Zscaler)
- not to pay billions

I found ZPA very attractive, knowing it is not cheap. In general, as I understood Always-On VPN, it is not the same but can somehow do the same things. Always-On VPN also sounds nice in theory, but I don't hear of many companies using it. ZPA doesn't need any setup on-site, as GRE and IPsec tunnels are already running, but it is more costly. Always-On is free, but I need two servers to administer and a more complex setup.

Any remarks here or maybe other ideas?
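As an added example (not from the original post or any of the replies), this is what the "pre-auth machine login" requirement looks like in Always-On VPN terms: a device tunnel that authenticates the Windows machine with a certificate from the internal CA before any user logs on, restricted to the on-prem ranges the machine needs pre-logon, deployed through the MDM bridge WMI provider the same way Microsoft's own VPN_Profile.ps1 sample does. The gateway name (vpn.example.com), the subnets, the profile name and the port list are hypothetical; the user tunnel that would carry user MFA is a separate profile and is not shown.

```powershell
# Added example, not code from the thread. Deploys an Always On VPN *device tunnel*
# profile via the MDM bridge (MDM_VPNv2_01). Must run as SYSTEM (e.g. psexec -s)
# on Windows 10/11; the device needs a machine certificate from the internal CA.
# Hypothetical values: vpn.example.com, 10.10.0.0/16 (on-prem), 10.10.1.0/24 (DCs).

$ProfileName = 'OnPrem Device Tunnel'

$ProfileXML = @'
<VPNProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <!-- Machine certificate, no user credentials involved: this is the pre-auth leg. -->
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Only the on-prem range goes through the tunnel; Internet traffic stays with ZIA. -->
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <!-- Optional but recommended: the device tunnel carries no user MFA, so limit it
       to what a not-yet-logged-on machine actually needs (LDAP/LDAPS/Kerberos to DCs).
       SAP etc. belong on the user tunnel, where the user has done MFA. -->
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>88,389,636</RemotePortRanges>
    <RemoteAddressRanges>10.10.1.0/24</RemoteAddressRanges>
  </TrafficFilter>
  <TrafficFilter>
    <Protocol>17</Protocol>
    <RemotePortRanges>88</RemotePortRanges>
    <RemoteAddressRanges>10.10.1.0/24</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
'@

# The bridge wants the instance ID URL-escaped and the XML body entity-escaped.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$ProfileXMLEscaped  = [System.Security.SecurityElement]::Escape($ProfileXML)

$Namespace = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_VPNv2_01'

# Remove a stale copy first so re-running the script is idempotent.
Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
    Remove-CimInstance

New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
    ParentID   = './Vendor/MSFT/VPNv2'
    InstanceID = $ProfileNameEscaped
    ProfileXML = $ProfileXMLEscaped
} -ErrorAction Stop | Out-Null

# Check: the profile is registered and visible as an all-user (device) connection.
Get-CimInstance -Namespace $Namespace -ClassName $ClassName |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
    Select-Object InstanceID
Get-VpnConnection -AllUserConnection | Where-Object Name -eq $ProfileName |
    Select-Object Name, ConnectionStatus, TunnelType
```

The "two servers" the post mentions are the RRAS gateway that terminates this IKEv2 tunnel and the NPS/RADIUS server that evaluates the user tunnel's EAP authentication; the device tunnel above needs only the gateway and a CA that issues machine certificates, which is why it is the cheap part of the design. The caveat a practitioner should keep in mind is that the device tunnel is authenticated by possession of the machine certificate alone, so anything reachable through it is reachable from a stolen, powered-on laptop; the traffic filters are there to keep that set as small as LDAP and Kerberos.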

Lots of ways you could approach this. The general rule of thumb is to phase out the old VPN servers in favour of ZTNA-aligned products.

We (https://enclave.io) are working on building a list of products in the ZTNA space, which you might find useful. We’ve tried to group vendors together by architecture https://zerotrustnetworkaccess.info/ so it’s easier to compare apples with apples.

Looking at doing something similar, though I have not run ZPA through its paces yet. The closest solution I've seen that might do what you want is Twingate.

You can hook it up to Azure AD for SSO + MFA and then set up device access rules that let users "pre-auth" to get policy updates. Here's their page on it

Downside is that you have to have another client on the machine vs having it all run through a single ZIA client. Twingate is free though, so it won't cost you your first-born child, and it is easy to kick the tires on, which is what I'm doing.

Very nice list to compare the products and vendors, thanks!

Useful page, thanks for sharing.