SASE with UniFi and Zscaler

SASE is still considered unnecessarily complicated in many companies: more appliances, more licenses, more special solutions, more operating costs. Yet the best SASE architecture is often the one that generates the least complexity locally and consistently moves security to where it belongs today: the cloud.

This is exactly where the combination of UniFi and Zscaler becomes so exciting. UniFi takes over the WAN edge - i.e. routing, SD-WAN, switching, WiFi, redundancy and site networking. Zscaler takes care of the Security Service Edge (SSE) - i.e. zero trust, secure Internet access, access to private applications and centralized policy control. The result is an architectural blueprint that achieves three goals simultaneously: maximum simplicity, high security and radical cost efficiency.

If you really think SASE through to the end, you almost inevitably end up with precisely this division of tasks: an extremely simple, stable and license-free WAN edge locally - and a strong, central security platform in the cloud. This is precisely the core of the Rheintec approach.

What is SASE?

SASE stands for Secure Access Service Edge and describes the convergence of network and security in a modern, cloud-oriented architecture. Put simply, SASE answers two key questions at the same time:

  1. How do locations, users and devices access the network in a high-performance, stable and cost-efficient manner?

  2. And how are these accesses secured centrally, granularly and based on zero trust?

SASE essentially consists of two building blocks: WAN edge and SSE.

WAN edge

The WAN edge is the classic network part of SASE. It deals with site networking, routing, SD-WAN, resilience, WAN redundancy and the clean connection of sites, data centers and cloud environments.

The goal is not to set up an overloaded mini data center stack at every location. The aim is to provide simple, stable and affordable connectivity. A modern WAN edge connects locations, uses inexpensive internet providers instead of expensive legacy models, ensures failover and redundancy and creates the technical basis for users and applications to communicate with high performance.

SSE

The Security Service Edge is the security part of SASE. This is where web access, SaaS usage, access to private applications, user identities, device statuses and policies are centrally controlled.

Today, this not only affects home office users. It also affects users at locations, external partners, service providers, access to data center resources, public cloud workloads and secure access to internal IT and OT environments. Modern SSE models make precisely this possible without companies having to resort to traditional VPN or VDI constructs.

Only together does it become SASE

SASE is so strong because it brings both worlds together. The WAN edge ensures that traffic reaches the right place intelligently and with high performance. The SSE ensures that every access is centrally controlled, logged and secured on a zero-trust basis.

Or to put it more simply:
The WAN edge brings the traffic into the network. SSE decides what is allowed.

Only together can a modern target architecture be created.

Why UniFi and Zscaler fit together so well

Anyone who thinks SASE consistently quickly realizes that the local network is no longer the place where complex security decisions should be made in most companies. These decisions belong in a central platform. Three things are needed locally: a stable Internet connection, clean segmentation and an easy-to-operate WAN edge.

This is exactly what UniFi is ideal for.

UniFi delivers an extremely lean, cloud-managed WAN edge. Sites can be rolled out quickly, managed centrally and segmented cleanly. SD-WAN, policy-based routing, path selection, WAN failover, redundancy and, if desired, 5G fallback can be implemented in an understandable and economical operating model. At the same time, UniFi can cover not only the WAN edge but also switching and WiFi from the same management level.

Zscaler complements this model perfectly. This is because Zscaler takes over exactly the part that should no longer be implemented locally as an appliance-heavy patchwork: secure Internet access, zero-trust access to private applications, centralized security policies and consistent control across users, devices and applications.

The result is architecturally extremely clean:

UniFi simplifies the local edge. Zscaler centralizes security.

The site is no longer a security monolith, but a controlled on-ramp to the cloud.

Why the Rheintec architecture blueprint is so strong

The key idea behind this architecture model is simple: for most companies, the local network is primarily a transport layer and no longer the center of all security logic. The more consistently security is enforced via a modern SSE platform, the lower the requirements for local complexity become.

This brings several massive advantages.

Less local complexity

Many companies today are still carrying around legacy issues from previous network and security models: heavy branch firewalls, separate SD-WAN systems, WiFi controllers, MPLS constructs, complex NAC landscapes and multiple management platforms in parallel.

The problem is not just the price. The main problem is the complexity. Each additional product world generates operating costs, know-how dependencies, renewals, support issues and project risks.

The Rheintec blueprint reduces precisely this overhead. Only what really adds value locally remains local: connectivity, segmentation, routing, redundancy and high-performance access to the cloud.

Security is enforced centrally instead of patched together locally

The actual security logic moves to where it belongs in a modern architecture: a central, cloud-based security platform.

This does not mean less security. On the contrary. In many cases, it means more consistency, better enforcement, fewer exceptions and less attack surface, because access is no longer trusted implicitly based on a location or an internal network, but is decided explicitly on the basis of identity, device, application and policy.

This is not a cost-saving measure. It is simply a better architecture.

The operating model is drastically simpler

Another key advantage lies in operations. If the WAN edge, switching and WiFi are operated from a simple, central management level and security is centralized in a clear SSE platform, the daily workload is massively reduced.

Locations can be standardized. Rollouts become reproducible. Troubleshooting becomes easier. Changes become more controllable. And the entire construct becomes significantly less dependent on historically grown individual configurations or specialized knowledge.

The budget flows to where it really adds value

One of the biggest mistakes of classic reference architectures is that huge budgets are spent on local complexity that is no longer necessary in modern cloud and zero-trust models.

With UniFi, this ballast can be massively reduced. The freed-up budget can instead be invested in precisely those security components that are actually crucial today: SSE, Zero Trust, protection for users, applications and data.

This is exactly where the combination with Zscaler becomes so strong.

Let's talk about costs

This is perhaps the biggest lever of the entire architecture.

In traditional network stacks, costs are spread over years across expensive hardware, lifecycle renewals, recurring platform licenses, complex maintenance contracts, dedicated WAN constructs and high operating expenses. This not only adds up in CAPEX, but above all in OPEX.

The UniFi and Zscaler model fundamentally changes this calculation.

Depending on the initial situation, we see savings of around 60 to 80 percent in many environments in terms of acquisition and lifecycle renewals for perimeter and network. The classic network license costs can be completely eliminated because UniFi is essentially operated without this typical license model. And even if a conscious decision is made to invest in modern cloud security with Zscaler, the total costs in many scenarios are still around 40 to 50 percent lower than classic reference architectures.

There are also other levers:

Anyone still relying on expensive legacy WAN models today can critically scrutinize many of these constructs.
Those who operate several product worlds for WiFi, switching, SD-WAN and perimeter can consolidate massively.
Those with oversized local security stacks or heavy NAC setups can simplify or specifically replace many of these constructs.

The actual cost advantage therefore does not arise at a single point. It arises simultaneously in hardware, licenses, WAN, operation and rollout.

And this is precisely why, in large multi-site environments, a technical architecture decision can quickly turn into massive annual savings.

Why the model is so attractive for Cisco-heavy environments in particular

Over the years, many companies have built up a stack consisting of separate WiFi, switching, SD-WAN, NAC, MPLS and perimeter security. Each discipline has its own product world, its own management console, its own renewals and its own specialist knowledge.

This has grown historically. Today, however, it often no longer makes economic or architectural sense.

This is exactly where the Rheintec approach comes in. UniFi consolidates the local network and WAN edge part into a much leaner, centrally managed platform. Zscaler takes over security from the cloud. This allows companies to reduce legacy burdens without falling behind in terms of availability, segmentation or security levels.

This model is therefore particularly exciting for organizations that are facing major Cisco renewals, operate many locations or are looking for a clean way out of license-heavy branch architectures.

This is what the target architecture looks like in practice

In a modern target architecture with UniFi and Zscaler, the main site, production sites and smaller branches are standardized via a common WAN edge blueprint.

At the main site, UniFi provides redundant WAN connectivity, routing, segmentation and the connection of internal IT and OT zones. Production sites follow the same pattern, with a focus on robust connectivity, clear segmentation and easy reproducibility. Small sites run particularly lean, but with the same central policy logic.

Internet and SaaS traffic is handed over to Zscaler in a controlled manner.
Remote users no longer have to connect to a central fortress via a traditional VPN, but instead receive zero-trust access to exactly the applications and data they need.
Azure and other cloud workloads can be integrated just as cleanly as private applications in the data center.

Depending on the size of the site, dual ISP, HA setups, WAN failover and 5G fallback can be integrated. Larger branches receive full redundancy, smaller locations a deliberately lean, secure minimal architecture.

This means that the site is no longer a special security case, but a standardized, economical and highly controllable component of a modern SASE architecture.

Why Rheintec is particularly relevant here

Many providers talk about SASE. Few can design, migrate and operate it cleanly end to end.

Rheintec deliberately pursues a best-of-breed approach. This means: not one manufacturer for everything at any price, but the best component for each role. This is precisely why the combination of UniFi and Zscaler is so convincing. UniFi is extremely strong at the WAN edge. Zscaler is extremely strong at SSE and Zero Trust. Together, the result is not a compromise model, but a precise, modern target architecture.

The decisive factor here is not just the product selection, but the architectural discipline behind it:
What must remain local?
What should be centralized?
Where does simplicity bring real added value?
And where is complexity just expensive without increasing security?

This is precisely where marketing separates from real architecture.

For whom this approach is particularly worthwhile

This model is particularly strong for companies with multiple locations, hybrid user groups, production or OT components, lean IT teams and high cost pressure on existing network stacks.

Likewise for organizations that are facing major upgrades in the areas of WiFi, switching, SD-WAN or perimeter and do not simply want to purchase the next generation of the same complexity.

Those who want to implement Zero Trust cleanly but are not prepared to pile up even more appliances, licenses and operating costs in every branch office will find a much smarter way here.

Conclusion

The best SASE architecture is not the most complex. It is the most logical.

UniFi does what needs to be simple, stable, segmented and economical at the WAN edge.
Zscaler does what needs to be centralized, granular and zero-trust based.

Together, they create a model that increases security, reduces complexity and massively lowers costs.

This is precisely why SASE with UniFi and Zscaler is not an economy trick or a marketing buzzword, but one of the most economical and cleanest target architectures that companies can build today.