Appgate SDP
SDP Overview
Learn how Appgate SDP reduces risk and complexity, and why it's the industry's most comprehensive Zero Trust network access solution.
How Appgate SDP Works
Find out about the inner-workings of the most flexible and adaptable Zero Trust Network Access solution available today.
SDP Integrations
Explore security, IT and business-system integrations that can enhance and help you adapt Appgate SDP to your existing workflows
SDP for Developers
Access developer tools and resources to maximize the value of your Appgate SDP deployment.
Zero Trust Network Access for:
Risk-Based Authentication
Learn how Risk-Based Authentication provides a frictionless, intelligent and data-informed approach to user authentication.
Strong Authentication
Find out how you can provide secure, frictionless access with the right multi-factor authentication method.
Transaction Monitoring
Explore the tools you can use to intelligently identify and prevent online fraud.
Behavioral Biometrics Service
Learn how behavioral analysis and machine learning stop fraudulent online web activity in real-time.
Secure Consumer Access for:
Digital Threat Protection
Discover how you can gain unparalleled threat visibility and the risk management tools that enable early identification and elimination of potential attacks.
Key Features
Take a deep dive into the features and tools contained within our industry-leading Digital Threat Protection (DTP) solution.

Chris ScheelsApril 22, 2021

ZTNA Guide, Part 2: ZTNA Architectures: Exploring Your Options

This blog is part 2 of our 4-part guide to Zero Trust Network Access (ZTNA). Part 1 provides a ZTNA definition and general conceptual overview. This part describes the different ZTNA architecture approaches. Part 3 explains what you should look for in a ZTNA solution and part 4 reviews the top considerations you should keep in mind during ZTNA implementation.


There are multiple ZTNA architecture approaches: client-based vs. browser-based, self-hosted vs. as-a-service. All approaches offer benefits over traditional access solutions. Still the differences in their architectural makeup are worth considering when determining the right ZTNA solution for your organization’s current and future requirements.

Exploring Different ZTNA Architectures

ZTNA Architecture, Option 1A: Client-based

This architecture is similar to the Cloud Security Alliance (CSA) Software-Defined Perimeter architecture. In this setup, a client is installed on a server or user’s device and the endpoint initiates the connection process.


This approach's advantage is the ability to apply Zero Trust for all private resources, including custom or legacy applications and enhance device posture checks as criteria for trusted access.


There can be situations where access from an unmanaged device is required to connect and a client can’t be installed. For example, this can occur when setting up third-party or contractor access.

ZTNA Architecture, Option 1B: Browser-based

This architecture is similar to the Google BeyondCorp vision, which is essentially a “clientless” or browser-based approach. In this instance, the user connects to the web application via a common internet browser.


A browser-based ZTNA architecture provides frictionless web application access, a viable option for unmanaged devices in which a client's installation isn’t allowed or possible. It is best to use this approach for smaller, less complex, web-only applications or a one-off use case.


This type of ZTNA architecture only supports web applications and web protocols, which have significant limitations. Therefore, browser-based is not a viable solution for a full Zero Trust deployment, which requires integration with non-web-based applications.

ZTNA Architecture, Option 2A: Self-hosted Deployment

This ZTNA architecture gives organizations complete control of their deployment without any ongoing management from the ZTNA provider. This includes infrastructure instantiation, management and monitoring, software upgrades and security patches, as well as the configuration of policies, integrations and user onboarding.


Less vendor-dependent, which typically translates to lower cost and greater control across the data plane without introducing a vendor cloud solution.


Requires internal resources for initial setup and ongoing management to ensure up-to-date software versions across the entire enterprise.

ZTNA Architecture, Option 2B: As-a-Service Deployment

Deploying ZTNA as-a-service is a simplified way for achieving Zero Trust and can be very appealing for SMB and mid-market businesses. This approach leverages the vendor for hosting and managing the ZTNA controller and gateway, assuming responsibility for infrastructure instantiation, management, monitoring and applying upgrades and security patches.


Less internal resources are required to set up and maintain the ZTNA architecture, as well as comfort in knowing software is the most up-to-date.


As-a-service solutions require a premium for vendor hosting and often data passing through a vendor cloud can impact data control or compliance requirements.

Taking A Hybrid Approach

There are select few ZTNA providers that offer a hybrid model, which allows an enterprise to blend the advantages of all architectural approaches, depending on the use case. For example, this might include selecting browser-based access for third-party access to a web-based application and using the client for critical and legacy applications. Or, leveraging as-a-service deployment for a resource-constrained region while self-hosting where your internal staff can handle the ongoing management.

Picking the Right ZTNA Architecture

Before starting your Zero Trust journey, you must consider how you want to set up your ZTNA instance. As described above, setup will impact what components of the network can or can't be secured. The long-term strategy with Zero Trust is to protect the entire enterprise ... any user, any device, any resource, in any location. Therefore, we recommend a solution that allows for flexibility with as many deployment options as possible as you ramp up your Zero Trust implementation.

Want to explore how ZTNA architectures play into your ZTNA vendor selection?

Read the complete guide to ZTNA eBook.

Want to see how a ZTNA solution works?

Schedule a demo

Receive News and Updates From Appgate