The best way to give users access to internal apps? Keep the network out of it.

Secure, private access that is better than virtually anything.


The (Zscaler) approach is more secure than VPN because it reduces the potential attack surface, while it also doesn't require hardware infrastructure.

Your users want internal application access. Why give them network access?

Providing secure access to private, internal applications has always required compromise. You have to balance your often legally required security with the business requirement for remote access. And for over a decade, the answer has been the VPN.

The problem is that a VPN — a virtual private network — is still a network. Hidden malware on a trusted user’s device can wreak havoc on internal applications. Third parties can (and have) snagged user credentials and run amok. And worst of all, VPNs – like any network – are complicated to set up, difficult to change, and expensive. There has to be a better way. Now there is.

Introducing Zscaler Private Access

Zscaler’s market-leading Cloud Security Platform has been winning accolades and customers for years, providing security with robust centralized policy management and uber-fast global enforcement. The same Zscaler App that you use to access the Zscaler security platform can now also enable authorized users to access private, internal applications, regardless of where the user is located or where the application resides.

A revolutionary way to deliver secure remote access to internal applications

Take the network out of the equation

Zscaler Private Access works by decoupling your applications from the network. When an authorized user requests an internal application, the Zscaler policy engine enables a lightweight, application layer-based tunnel through the Zscaler cloud. If you try to route back to the asset, you won’t be able to find it. Because there is no direct connection between the user and the asset, malware has nowhere to go. Because the tunnel is encrypted, the traffic remains hidden from prying eyes. And if users aren't authorized to access an application, they can't even see it.

See what apps are really running

Because it is name or domain-based, Zscaler Private Access also offers an unexpected benefit – app discovery. By provisioning a ZEN Connector in front of your applications – wherever they are – and enabling wildcard app access, you’ll get an accurate mapping with the first user request. Then you can build the granular access policy around your apps without pre-provisioning policy.

Zscaler Private Access solves critical business and security challenges

  • Replace your legacy VPNs
  • Move your internal apps to the cloud
  • Provide app-specific access to business partners & contractors

Replace your legacy VPNs

Time to retire your VPN?

VPNs have provided a well-understood mechanism for site-to-site and remote access for over a decade. As your network has grown and changed, it has largely done so around this infrastructure. The result is a complicated tangle of NATing, Access Control Lists, over-provisioned client software in case of emergency, and more. You’ve deployed data centers around the world, and then re-provisioned them for high availability. You’ve installed load balancers to give users the best experience, and maybe even global load balancers for disaster recovery. It is complicated, it’s expensive, and it’s static.

Secure access that rolls out in hours instead of weeks or months

With Zscaler Private Access, you can phase your VPNs out on your schedule, while providing user-based access to specific applications. Zscaler Private Access dynamically provisions user access without touching the network, so complexity is replaced with flexibility. If an application is located in different places, the user is automatically routed to the site that delivers the best performance. And because the solution monitors application health, users will always get the best performance.


Move your internal apps to the cloud

Can your network keep up with your business?

Enterprise agility and flexibility have been buzzwords for years. Distilled to their essence, these phrases simply mean that IT should be able to mirror the business. Historically, this has meant moves to the cloud, which are difficult or impossible when your assets are anchored to a network.

Enable enterprise agility

With Zscaler Private Access, you can move from the datacenter into Amazon Web Services, Microsoft Azure, or Google Cloud Platform without having to worry about specific cutover periods, site-to-site VPNs from your datacenter to the cloud, or awkward user traffic trombones. If you have instances of an application in the cloud and in the datacenter, Zscaler Private Access will automatically direct the Z App and Connector to set up the tunnel to deliver the best performance. Need to spin up another instance of your application? Simple – just spin up another Connector. The lightweight software takes only seconds to come up.


Enable secure remote access for third parties

Access to internal apps should not be a security risk

Third-party access to internal apps has always struck fear into the hearts of IT, and, as we’ve seen from recent headlines about security breaches, for good reason. Contractors and partners require access to private, internal applications to do the work that you are paying them to do. But their security stance, their device, and their environment are complete unknowns.

Simple, user-based access to specific applications

With Zscaler Private Access, you don’t need to worry. You can provision policy that enables a contractor to see the application that you want them to access, and only that application. Unbeknownst to them, however, they aren’t really connected to the application itself, so even if they want to do mischief, they can’t. They cannot roam around, either, because users can only see the assets that you have specifically provisioned their access to.

Ease mergers, acquisitions and B2B connections

Third-party access between companies, such as business partners or those in a merger/acquisition, can be even more complex, thanks to the fact that one group typically doesn’t want ALL of the other group’s users to see ALL of their internal applications. And because the use of identical internal IP addressing is common, you’ll need NAT rules and ACLs. But with Zscaler Private Access, the solution is as simple as it is for a single remote user. Just provision access by user or group to the specific applications that they should see.

Largest security cloud, trusted by the biggest brands

Zscaler is able to offer this revolutionary, cloud-based technology because we were born in the cloud, and all of our development has taken place there, for years.

Equally important, Zscaler understands security. Existing Zscaler customers will get the benefit of best-in-class integrated security functionality for Internet traffic, as well as secure, private access to all internal apps. All from the same Zscaler App your users probably already have.


  • Optimal security: Application access without network access means users can see only the apps and resources they are authorized to access, without getting on your network.
  • Better value: There’s no need to buy, maintain, or upgrade VPN hardware, no need for redundant VPNs or additional user licenses in case of emergency, and no need to set up site-to-site VPNs to facilitate a move to the cloud.
  • Better user experience: There’s no need to log in to a VPN client; if a user is authorized to access an application, it “just works.”
  • Rapid deployment: Automatically discover application locations, then provision the specific policies that you want; there are no complex NAT/ACL/firewall policies to configure or maintain.

The Zscaler Private Access Difference

Zscaler Private Access lets you take the network out of the remote access equation, so you can:

  • Phase out legacy VPNs to reduce costs, network complexity, and security risks, all at the same time.
  • Move private internal apps out of the data center and into the cloud, without the need to re-architect networks or set up site-to-site VPNs.
  • Give contractors and partners per-user access to specific applications; take the network out of the equation for simple, granular, user/group-based access to specific apps.

Zscaler Private Access solves the challenges posed by a traditional VPN infrastructure by decoupling your internal assets and applications from the limitations, cost, and complexity of direct IP network connections.
