The Control Plane for Enterprise Access
TR7 AAM unifies SSO, MFA, per-application authentication, VPN, and clientless remote access on a single platform. Wherever the user connects from, every access request is evaluated against identity, session context, and service policy — without fragmented products, scattered rules, or unnecessary network exposure.
Every Request Passes Through Identity First
Before the application becomes visible, before the session begins, before service traffic opens, TR7 AAM is in the path. It authenticates the identity, applies MFA and access conditions, protects the session, and delivers the user only to the application they are authorized for.
A VPN moves the user onto the network. TR7 AAM delivers the user only to the application they're authorized for. Every access request is checked against identity, session, and service context; SSO, MFA, VPN, and clientless access converge on a single platform. The result: less network exposure, clearer policy, more secure enterprise access.
The traditional access model assumes a network boundary: a user inside is trusted, a user outside is brought in via VPN. Hybrid work, contractor and partner access, legacy enterprise applications, and privileged remote sessions all expand more network surface than they should under that model. Modern access isn't about admitting the user to the network; it's about admitting the right user, under the right conditions, to each application.
TR7 AAM is designed for that approach. With per-service authentication you can place SSO and MFA in front of a single application; with the application access portal you can show users only the services they have access to. OAuth2, OIDC, SAML, LDAP, RADIUS, and TACACS+ identity infrastructures all operate under the same access policy. SSL VPN, IKEv2, and clientless RDP/VNC/SSH access are managed from the same platform.
So the access architecture isn't trapped in one product type. Legacy applications, web services, remote desktops, SSH terminals, partner portals, and hybrid user scenarios converge in a central access layer. Authentication, MFA, session protection, lockout, bot protection, and CAPTCHA controls all engage before application traffic begins.
Not every application fits the same access pattern. TR7 AAM supports both placing an identity layer in front of a single application and operating a multi-application access portal — in the same deployment, with the same identity providers, MFA, and session policy.
Per-service authentication adds an authentication layer in front of an existing HTTP application. The application stays where it is; TR7 wraps it with login, SSO, and MFA. When the user authenticates successfully, they reach the application directly.
Best for: legacy applications without modern identity support, internal tools that need SSO added without touching application code, single-application secure-publishing scenarios.
An independent, branded portal runs on a vService. The user signs in once and sees only the applications they're authorized for. When they click an application, TR7 opens a secure tunnel to the corresponding backend service — whether it's HTTP, RDP, VNC, or SSH.
Best for: contractor and partner access, hybrid-workforce application launch screens, privileged RDP/SSH sessions, time-limited and auditable scoped access.
Both models share the same identity providers, MFA methods, login forms, page templates, and access protection. Workloads can move between the per-service model and the portal model without rebuilding the identity infrastructure.
OAuth2, OIDC, SAML, LDAP, RADIUS, TACACS+, and a local user database all converge on the same access platform. No per-protocol plugin, no premium connector bundle, no second identity layer.
Modern federation with standards-compliant identity providers. Token-based session, refresh management, and claim mapping for enterprise SSO flows.
SP- and IdP-initiated SAML flows, attribute mapping, signed/encrypted assertions, and SLO support.
Direct LDAP bind to Active Directory, 389 Directory Server, or OpenLDAP. Group lookup, attribute mapping, and multi-domain support.
Enterprise RADIUS support for VPN, network access, and administrator authentication flows; accounting included.
Command-level accounting and centralized authentication for network administrators. An auditable access trail for compliance reviews.
TOTP, SMS OTP, email OTP, and certificate-based MFA. Enforce on a per-policy basis, apply context-driven step-up.
Built-in user management when an external identity provider isn't available. Role binding, password policy, recovery flow, and audit logs.
Branded login screens, multi-language copy, and portal-based designs. Manage the user experience without touching the application code.
Some workloads need a full L3 VPN; for others, installing a client is unnecessary risk and operational overhead. TR7 AAM offers classical remote access through SSL VPN and IKEv2 tunnels, and browser-based privileged access through clientless RDP, VNC, and SSH — all under the same identity and MFA policy.
Provide full L3 remote access with SSL VPN and IPsec IKEv2. SSL VPN works in restrictive networks; IKEv2 uses native OS clients. Both run under the same TR7 AAM identity, MFA, session protection, and access policy.
Open RDP, VNC, and SSH sessions through the browser without installing a client on the user's device. Windows desktops, Linux graphical sessions, and SSH terminals become identity-bound, auditable, and centrally manageable.
Bots, credential stuffing, brute-force attempts, and session-hijacking attempts often target the front door, not the application. TR7 AAM meets these threats at the access layer; failed-login patterns, suspicious session shifts, and automated attack behavior are brought under control before they ever reach the identity infrastructure.
Detect failed-authentication patterns, credential stuffing, and brute-force attacks at the access point. Define thresholds, lockout, and action policies per portal, per application, and per identity provider.
Correlate sessions with context signals like IP, user-agent, and TLS fingerprint. When context shifts mid-session, require re-authentication or terminate access.
Apply local CAPTCHA on login screens without third-party JavaScript. Keep user verification in your own infrastructure; reduce data egress and align with GDPR, CCPA, and PCI DSS 4.0 compliance expectations.
Classical access products check the device at connection time and make their decision. Modern risks evolve after the session begins. TR7 ETM turns device trust into a live signal: it measures throughout the session, feeds AAM policies, and acts on the endpoint when needed.
TR7 ADC publishes the application. TR7 WAAP protects it. TR7 AAM decides who can reach it. TR7 GTM routes traffic to the right region. Four products; one platform, one operator UI, and a shared backend-services pool — working together.
Each pillar is its own product, separately licensed. They share the same operator UI, backend-service definitions, certificate store, and reporting plane. That's why running access, delivery, protection, and routing together takes minutes, not weeks.
Every capability has its own technical reference page describing actual product behavior; open any title to see the details.
Bring your identity infrastructure, your legacy applications, your VPN needs, and your strictest compliance requirements — we'll walk through TR7 AAM together. We'll show you how to centralize access in your own infrastructure without being forced onto a cloud-only ZTNA service.