A flat VPN tunnel into the corporate network used to be enough. Today it isn't. Users connect from anywhere, apps live anywhere — data center, cloud, SaaS — and a single VPN tunnel hands too much access to anyone who logs in. Contractors need short-lived access to specific apps. Help desks need to reach internal RDP or SSH targets without distributing client software. Security teams need to see who reached what, and to revoke access at the application level, not the network level.
The industry's modern answer has been Zero Trust Access. But the two paths the market offers each have a cost. Pure-play ZTNA platforms went cloud-only — your traffic and identity decisions move to someone else's edge. Traditional on-prem ADC vendors added ZTA as a separate, premium-priced module bolted onto the load balancer, with its own policy engine and its own learning curve.
TR7 puts access on the same platform that already delivers and protects your applications. The same vService model, the same operator console, the same audit trail — extended with two named operational modes for ZTA, clientless gateway protocols, and standards-based VPN. No separate module to license, no third-party network in the path of your sign-in flow.
Each of these matters alone. Taken together, they describe what zero trust access looks like when it doesn't depend on someone else's cloud and doesn't show up as a separate line item on your invoice.
Most modern ZTA platforms are SaaS. Your identity decisions, your session traffic and your audit logs live on their network. TR7 runs on your own hardware. Logins, posture checks, sessions and logs all stay where your security policy already governs them.
Mode A — Per-Service Authentication: attach login and SSO to an existing application. One service, one auth wrapper, users go straight to the app after login. Mode B — Branded Access Portal: a standalone, white-labeled portal. Users log in once and see a launchpad of every application they are entitled to. Each mode has its own UI; pick the one that fits the deployment, or run both at the same time.
Internal teams reach RDP, SSH and VNC targets directly from a browser tab — no client install, no VPN tunnel on the endpoint, no native software to maintain. Sessions are tunneled and centrally audited; revoking access takes effect at the next request.
Other on-prem platforms charge a separate module for access, another for the load balancer, another for the WAF and another for VPN. TR7 ships them on the same engine, with one operator console and one audit view. The transition from "we have a VPN" to "we have zero trust access" happens inside the same product.
IKEv2 and SSL VPN run on standards every modern operating system already speaks — iOS, Android, Windows and macOS users add a VPN profile, not a vendor app. OAuth 2.0, OIDC, SAML, LDAP and RADIUS are all native. Endpoint security signals (known device, current posture, compliance state) feed access decisions continuously, so a session that started trusted can be re-evaluated and restricted if the context changes.
Every capability below is part of the same platform that delivers and protects your applications.
Attach login and SSO to an existing HTTP service. The application stays where it is; TR7 wraps it with authentication, MFA and policy. One service, one auth wrapper, direct app entry after login. Useful when each app already has a stable URL and you want the smallest possible change.
A standalone portal with its own listener and your own branding. After login, users see a launchpad of every app they're entitled to reach — internal web apps, SaaS apps, RDP/SSH/VNC sessions. One portal, many backends. Useful when a single sign-in entry point makes operational sense.
Browser-based access to internal RDP, SSH and VNC targets. No native client on the endpoint, no VPN tunnel on the device. Sessions are tunneled and centrally audited; one revoke action ends every active session.
Standards-based VPN running on the same platform. SSL VPN for full or split tunnel; IPsec IKEv2 for site-to-site or strong-cipher remote access. Especially good on mobile: iOS and Android already speak IKEv2 natively, so users add a VPN profile in settings — no third-party app to install, distribute or maintain. Windows and macOS work the same way through their built-in VPN clients. BYOD-friendly by default.
Native OAuth 2.0, OIDC, SAML, LDAP and RADIUS support. Plug into your existing IdP (Azure AD, Okta, ADFS, Google Workspace, OneLogin and others) without protocol shims.
MFA enforced at the access edge. Step-up authentication when the request context changes — different country, different device, higher-sensitivity application.
A session that starts trusted does not stay trusted by default. Endpoint posture, geo, device health and session anomalies are re-evaluated as the session continues; access can be restricted or revoked mid-session when the context changes.
For deployments where users are on devices managed by TR7's endpoint security layer, device-trust signals (known device, current posture, compliance state) feed access policy. Unmanaged endpoints still go through full inspection.
SSH sessions reaching internal targets through the gateway are logged at the command level — every command typed, every response received. The audit trail is investigation-ready, without needing a separate PAM product.
Each application gets its own access policy — identity, device posture, time-of-day, geo, MFA strength. A user who reaches the CRM is not implicitly granted the database. Lateral movement is bounded to what each app explicitly authorizes.
Applications behind TR7 are not directly reachable. Discovery scans, port sweeps and pre-authentication attacks see TR7, not your apps. This reduces the attack surface without changing application code.
Access policies, authentication flows and conditional rules are built in the same visual flow builder used elsewhere on the platform. No proprietary policy language, no vendor certification needed before your team can change a rule.
Access events, ADC traffic, WAAP detections and DDoS signals share one operator view and one audit trail. SIEM exports use the same taxonomy as the rest of the platform.
Both modes deliver Zero Trust Access. They differ in operator effort and end-user experience. You can run them side by side.
One application, one auth wrapper. The app keeps its existing URL; TR7 sits in front and enforces login, MFA, posture and policy. Users land directly on the app after authentication. Best when you have a clear app URL and want the simplest possible deployment per application.
One portal, many backends. A standalone, white-labeled portal with its own listener. Users sign in once and see a launchpad of every application they are entitled to reach. Best when consolidated sign-in is the user experience you want, or when an app launchpad makes operational sense.
The two modes can run simultaneously. Some apps wrapped with per-service auth, others reached through the portal. Same identity policies, same endpoint signals, same audit trail.
RDP, SSH and VNC sessions can be exposed through either mode — as a wrapped per-service URL or as portal launchpad tiles. The browser experience is the same; the operational framing differs.
SSL VPN and IPsec VPN keep working alongside both modes. Useful during transition: users move from VPN-into-the-network to per-application or portal access, on a schedule you set.
Whichever mode you choose, the configuration object is a vService. Health checks, traffic rules, observability and the bandwidth model all behave the same way — it's the same engine that delivers your other applications.
Move users off a flat VPN tunnel and onto per-application access — without a forklift. SSL VPN keeps working while teams migrate to Per-Service Auth or the Branded Portal.
External users get short-lived, scoped access to specific applications. No corporate device, no VPN client install — they sign in through the portal and see only what they are entitled to.
Operations teams reach internal RDP, SSH and VNC targets from a browser tab. Every session is tunneled and audited; revoking a contractor's access ends every active session immediately.
Per-application policies tied to MFA, device posture and session-level audit. PAM-grade SSH command logs satisfy regulator and internal audit requirements without a separate PAM product.
Data residency rules forbid identity and session traffic from leaving the network. On-prem deployment keeps every authentication decision, session and audit log under domestic control.
Two organizations, two identity providers, two app catalogs. The Branded Access Portal becomes the single front door while integration happens — users see one launchpad, even when the back-end identity work is still in progress.
Capabilities referenced by this solution — the technical pieces that compose the controls described above.
Manage VPN access as part of the AAM identity and device trust policy — not as a separate network exception.
Browser-only access to RDP, VNC, SSH, Kubernetes and legacy systems — with credential vault, recording, and watermark built in.
Three MFA methods, per-service policy, trusted-device shortcut — no third-party MFA cloud.
One flow engine decides every authentication outcome — who can reach what, after which factor, under which context.
Trust earned at login doesn't carry forever. Every session stays under evaluation, every step of the way.
Standards-correct SAML SP — enterprise IdPs, public-sector federation, and per-tenant routing, all coordinated with MFA, conditional access, and posture.
Standards-correct OIDC relying party — authorization code with PKCE, JWKS-verified ID tokens, nonce + state defenses, and per-tenant IdP routing.
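The relying-party checks listed above, as an added example rather than TR7's own code: the endpoint URLs, client ID and token claims are constructed, and JWKS signature verification is assumed to be done by a JOSE library before the claim checks run.

```python
# Added example (not TR7 code): the RP-side binding checks of an OIDC
# authorization-code login with PKCE, state and nonce. JWKS signature
# verification is left to a JOSE library; these are the checks it won't do.
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires for PKCE values
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pkce_challenge(verifier: str) -> str:
    # S256 transform: the IdP recomputes this from the verifier sent at token exchange
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def start_login(authz_endpoint: str, client_id: str, redirect_uri: str):
    # Returns the authorization URL and the per-login secrets the RP must keep
    # server-side in the user's session until the callback arrives.
    login_state = {
        "state": b64url(secrets.token_bytes(16)),     # ties callback to this browser session
        "nonce": b64url(secrets.token_bytes(16)),     # ties ID token to this login attempt
        "verifier": b64url(secrets.token_bytes(32)),  # ties the code to this client instance
    }
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": login_state["state"], "nonce": login_state["nonce"],
        "code_challenge": pkce_challenge(login_state["verifier"]),
        "code_challenge_method": "S256",
    }
    return authz_endpoint + "?" + urlencode(params), login_state

def check_callback(login_state: dict, query: dict) -> str:
    # Constant-time state comparison; a mismatch means this session never started the login.
    if not hmac.compare_digest(login_state["state"], query.get("state", "")):
        raise ValueError("state mismatch")
    return query["code"]  # exchanged at the token endpoint with login_state["verifier"]

def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             login_state: dict, now=None) -> None:
    # Run only after the JWS signature was verified against the IdP's JWKS key.
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), login_state["nonce"]):
        raise ValueError("nonce mismatch: replayed or cross-login token")
```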
Your enterprise directory already exists — TR7 AAM does not copy it, it connects to it and turns group membership into access policy.
Connect every identity source beyond SAML and OIDC to the same access and audit flow.
Lift the client certificate out of connection control and turn it into an identity object that drives traffic decisions.
Connect services without merging networks — manage overlapping IP plans and tenant isolation with a single vService model.
Stop credential stuffing, brute-force and session hijacking attempts based on a combined risk decision — not a single signal.
Three tiers of graduated friction — warn, challenge, lock — across IP, username, or both. Self-hosted CAPTCHA, no external cloud.
From session ID generation to cookie security, IP+UA binding to idle and absolute timeout — protect every session under one policy graph.
The AAM-integrated pillar of the ETM add-on: device posture becomes a live signal in the access decision.
Branded login UX per gateway with template inheritance.
Modern auth at the front, identity injected downstream as header, Authorization, or cookie — legacy apps stay legacy.
Change, forgot, and reset flows on one engine — single-use tokens, recipient masking, audit on every step.
Request a live demo of TR7 Zero Trust Access. We'll walk through both operational modes, run a clientless RDP session in the browser and show how the same policy engine covers SSL VPN, per-app auth and the access portal.