An internal application from 2012 still calculates a number the business runs on. It speaks plain HTTP, its session model is cookies, its authentication is a form posting to a stored procedure. Nothing about it is dangerous yet — but every external assessment, every audit and every security scan now flags it. Refactoring it would take a team a year, and the team isn't available. Moving it to a public cloud means rewriting the deployment model anyway, plus adopting a new vendor and a new bill. So the application keeps running, and the gap widens.
The third path is the one most operations teams actually want: leave the application where it is and place a modern, programmable layer in front of it. SSL termination and modern ciphers at the edge. A WAAP that understands HTTP semantics. Modern SSO replacing the form login without changing a line of application code. Clientless RDP and SSH for the admin who still maintains it. Multi-protocol listeners for the legacy parts that aren't HTTP at all.
TR7 is built for that path. The same delivery and protection platform that runs your modern services becomes the modern layer in front of the legacy ones — on the network you already operate, under the audit trail you already keep.
Each capability matters on its own. Taken together, they describe what a modernization layer looks like when it stays on your network and stays on one platform.
Define a vService in front of the legacy backend. SSL termination at the edge with modern ciphers. WAAP inspection on the way in. Health checks, rate limiting and content-aware rules apply to a service that was never designed for any of them. The legacy app keeps speaking plain HTTP behind TR7 — the public listener speaks 2026.
Most legacy applications authenticate through a form that posts to a database, a header the framework trusts, or HTTP basic. TR7 AAM in Per-Service Authentication mode replaces that interaction. Users sign in once through OIDC, SAML or your existing IdP. TR7 injects the legacy authentication artifact downstream — header, cookie, basic credential — exactly as the application expects. No code change in the application.
The team that still maintains the legacy application usually reaches it through a fat RDP client or a separate SSH/VNC tool. TR7 exposes those targets through the browser — no native client install, no VPN tunnel on the operator's machine. Every session is tunneled and audited at the command level; one revoke ends every active session.
Legacy estates include more than HTTP. FTP transfers between business partners. UDP-based industrial protocols. Plain TCP services. Static file hosting for archived assets. TR7 covers them on the same engine that protects the HTTP front — purpose-built listeners for FTP relay, UDP proxy, TCP passthrough and static hosting. No separate appliance, no parallel security model.
Legacy applications often need surgical fixes that don't justify a code change: a mixed-content URL in a response body, a missing security header, a form field name that needs translating, a cookie that needs a secure flag set. TR7's content-aware rules edit responses, inject headers and adjust forms in the visual policy builder — no proprietary scripting language, no recompile cycle. The legacy app keeps shipping; the modern behavior happens in front of it.
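The response edits listed above (mixed-content URL, missing security header, cookie Secure flag), sketched as plain Python. This is an added illustration of the logic, not TR7 configuration or TR7 code; the host name, header values and function names are assumptions.

```python
import re

# Constructed policy: host name and header values are assumptions.
LEGACY_HOST = "legacy.example.internal"
ADD_IF_MISSING = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}
# Match only the application's own origin, not look-alike hosts or other ports.
OWN_HTTP = re.compile(r"http://" + re.escape(LEGACY_HOST) + r"(?=[/\"'?#\s]|$)")

def secure_cookie(value):
    """Append the Secure attribute to a Set-Cookie value unless present."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    return value if "secure" in attrs else value + "; Secure"

def upgrade(text):
    """Rewrite http:// references to the legacy origin as https://."""
    return OWN_HTTP.sub("https://" + LEGACY_HOST, text)

def rewrite_response(headers, body):
    """headers: (name, value) pairs; body: decoded, uncompressed HTML text."""
    out, seen = [], set()
    for name, value in headers:
        key = name.lower()
        if key == "content-length":
            continue  # recomputed after the body edit
        if key == "set-cookie":
            value = secure_cookie(value)
        elif key == "location":
            value = upgrade(value)
        seen.add(key)
        out.append((name, value))
    for name, value in ADD_IF_MISSING.items():
        if name.lower() not in seen:
            out.append((name, value))
    new_body = upgrade(body)
    out.append(("Content-Length", str(len(new_body.encode("utf-8")))))
    return out, new_body
```

The origin match is anchored so that a look-alike host or a different port is left untouched, and Content-Length is recomputed because the body length changes.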
Every capability below runs on the same platform that delivers and protects your modern services.
Modern ciphers, current certificates and OCSP stapling in front of an application that still speaks plain HTTP or weak TLS. Legacy crypto becomes a back-end concern, not an exposed-to-the-internet concern.
Inspect every request before it reaches a backend written before injection attacks were a category. Signature plus scoring, full HTTP semantic awareness, content-aware rules for the framework-specific quirks of older stacks.
AAM Per-Service Authentication mode replaces the legacy login flow with OIDC or SAML through your IdP. TR7 then forges the artifact the legacy app expects — header, cookie, basic auth — and forwards the user as if they had signed in the old way.
Add multi-factor authentication at the access edge. The legacy application doesn't know — and doesn't need to know — that the user already passed an MFA prompt.
RDP, SSH and VNC through the browser. The maintenance team reaches the box through TR7; the operator's laptop doesn't need a native client. SSH command-level audit covers the operator's session end to end.
Active and passive health probes for backends that were never instrumented for them. Failed nodes drop out of rotation without the legacy application knowing what an availability zone is.
Per-route rate limits, conditional traffic shaping and request/response edits without scripting. Edit a misformatted header, inject a security header the framework never set, throttle a noisy endpoint — in the visual rule builder.
External clients connect to TR7. The legacy application is unreachable directly. Discovery scans, port sweeps and pre-auth probes terminate at the modern layer; the legacy code is no longer the attack surface.
Access logs, traffic statistics, error rates, latency histograms and security events — for an application that ships none of them itself. The legacy service becomes observable from the front without any back-end change.
FTP relay for partner data transfer. UDP proxy for industrial telemetry. TCP passthrough for proprietary protocols. Static hosting for archived assets. One platform, one operator console.
ADC, WAAP and AAM run on the same engine and share one bandwidth license. There is no separate access module, separate WAAP module or separate gateway module to license to put a modern layer in front of a legacy app.
The modern layer runs on your hardware, in your data center, under your audit trail. Identity decisions, session traffic and security events stay where the legacy application already lives.
Each layer adds one piece of modern posture. Together they replace a years-long rewrite project with a configuration object.
TR7 ADC fronts the legacy backend. SSL termination at the edge, modern ciphers, current certificates, health checks and load balancing across however many legacy nodes exist. The public listener speaks current TLS; the legacy backend keeps speaking what it always did.
TR7 WAAP inspects every request before it reaches a backend that was never designed for hostile traffic. OWASP top categories, signature-plus-scoring detection, content-aware rules for legacy-stack quirks, DDoS protection at L4 and L7.
TR7 AAM Per-Service Authentication replaces the legacy login flow. Users authenticate through your IdP via OIDC or SAML; MFA enforced at the edge. TR7 then injects whatever artifact the legacy app expects downstream — header, cookie or basic credential.
Clientless RDP, SSH and VNC for the team that still maintains the legacy application. Browser-only access, command-level audit, one-click revoke. The operator's endpoint never gets a native client just to reach a 12-year-old server.
When the legacy estate includes FTP, UDP telemetry, proprietary TCP services or static archive hosting, the same platform covers them with purpose-built listeners. No separate appliance, no separate operator console, no separate audit trail.
Each piece of the modernization layer is configured as a vService. The same configuration object that delivers your modern API delivers your legacy form-based application. Same operator skills, same observability, same audit trail.
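The downstream injection step described in the Per-Service Authentication passages above (header, cookie or basic credential), as an added Python sketch that is not TR7 code. It shows the check the pattern depends on: any client-supplied copy of the trusted artifact is removed before the edge writes its own. The header name, cookie name and function names are assumptions.

```python
import base64

# Assumed names: the legacy app trusts this header and this session cookie.
IDENTITY_HEADER = "X-Remote-User"
LEGACY_COOKIE = "LEGACYSESS"

def canon(name):
    # CGI-style stacks map '-' and '_' to the same variable, so
    # X_Remote_User has to be treated as a copy of X-Remote-User.
    return name.lower().replace("_", "-")

def drop_cookie(cookie_value, name):
    """Remove one named cookie from a Cookie header value."""
    pairs = [p.strip() for p in cookie_value.split(";") if p.strip()]
    return "; ".join(p for p in pairs if p.split("=", 1)[0] != name)

def build_downstream_headers(inbound, user, mode, secret=None):
    """inbound: (name, value) pairs from the client.
    user: identity already verified at the edge (OIDC/SAML).
    mode: 'header', 'basic' or 'cookie'; secret: vaulted password or session id."""
    if not user or any(ch in user for ch in "\r\n:"):
        raise ValueError("missing or unsafe identity")
    if mode not in ("header", "basic", "cookie"):
        raise ValueError("unknown mode")
    if mode != "header" and not secret:
        raise ValueError("secret required for this mode")
    out, cookies = [], ""
    for name, value in inbound:
        c = canon(name)
        if c in (canon(IDENTITY_HEADER), "authorization"):
            continue  # client-supplied identity never reaches the backend
        if c == "cookie":
            kept = drop_cookie(value, LEGACY_COOKIE)
            cookies = "; ".join(x for x in (cookies, kept) if x)
            continue
        out.append((name, value))
    if mode == "header":
        out.append((IDENTITY_HEADER, user))
    elif mode == "basic":
        token = base64.b64encode(f"{user}:{secret}".encode()).decode()
        out.append(("Authorization", "Basic " + token))
    else:
        cookies = "; ".join(x for x in (cookies, f"{LEGACY_COOKIE}={secret}") if x)
    if cookies:
        out.append(("Cookie", cookies))
    return out
```

The stripping only protects the application if the backend is reachable solely through the front layer, which is the arrangement the page describes.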
Back-office HTTP applications written before modern threat models. TR7 wraps them with WAAP, modern SSO and MFA without touching their code. Audit-ready logs in front of an application that ships none.
Vendor-supplied clinical platforms that cannot be modified by the customer. TR7 places the modern security and access layer in front of them, satisfying compliance and audit requirements while the vendor's release cycle stays untouched.
Industrial telemetry over UDP, partner data over FTP, supervisory access over RDP. One TR7 instance handles all of them — modern security and observability for protocols that never had either.
Departmental applications accumulated over a decade. TR7 fronts them with modern SSO through the institution's IdP, replaces direct exposure with identity-aware access and gives the security team observability across the long tail.
Internal applications that cannot leave the network and cannot be rewritten on the timeline the new regulation demands. TR7 puts the modern compliance layer — SSL, WAAP, modern SSO, audit-ready logs — in front, on-prem.
Point-of-sale back-office, supply-chain integration and partner portals supplied by vendors with their own release schedules. TR7 modernizes the security and access posture in front of them without waiting for the vendor.
Capabilities referenced by this solution — the technical pieces that compose the controls described above.
Manage VPN access as part of the AAM identity and device trust policy — not as a separate network exception.
Browser-only access to RDP, VNC, SSH, Kubernetes and legacy systems — with credential vault, recording, and watermark built in.
Manage HTTP→HTTPS transitions, domain migrations, path moves and error redirects without touching application code.
Change the path, not the backend — the client keeps its URL while a new architecture runs inside.
Write rules visually, get compiled traffic behavior — manage request and response flow without scripting.
Move beyond headers — make body content part of the traffic and security decision.
Insert TR7 ADC into the traffic path without touching backend IP addresses, gateways or routes.
Connect services without merging networks — manage overlapping IP plans and tenant isolation with a single vService model.
Manage FTP not as an open port, but as a command-by-command controlled secure file transfer session.
From upstream NTP pools to internal infrastructure — centralized, controlled and isolated time delivery.
Collect, classify, replicate and forward UDP and TCP syslog traffic in front of your SIEM.
One TR7. Many tenants. Resources, network and operations boundaries each kept separate.
Close a vulnerability at the traffic layer in minutes — no code change required.
Modern auth at the front, identity injected downstream as header, Authorization, or cookie — legacy apps stay legacy.
Bring a real legacy application to a TR7 demo and we'll show the modernization layer go up in front of it — SSL termination, WAAP inspection, modern SSO and observability — without changing a line of its code.