IT Security Blog

SASE with Zscaler, Ubiquiti and Hetzner for SMEs

Written by Linus Espach | Feb 16, 2026 3:27:58 PM


SMEs need one thing above all: simple, secure and cost-effective architecture approaches so that IT and security become enablers rather than spoilsports. At Rheintec, we deliver exactly that with architecture concepts that are unparalleled on the market, with the aim of helping our customers lead the competition through secure digitalization.

What it's all about

  • We clearly reduce costs by replacing unnecessary and expensive components such as firewalls and MPLS
  • We create a healthy and major security baseline for SMEs by using Zscaler as the market leader
  • We enable small internal teams to operate intelligent architectures easily
  • Our concept is modularly expandable

Why this combination

A brief look at the key data and function is necessary:

Zscaler:

  • Market leader in the SSE (Zero Trust Network Access) sector
  • Cloud-native solution: Very low deployment and scaling effort (Security as a Service)
  • Extremely powerful security solution that gives users easy access to internal and external resources from anywhere.

Ubiquiti:

  • Extremely simple but sufficiently powerful solution to map SD-WAN, WiFi and switching in the local network at the sites
  • Few seucirty functions, but a functional layer 4 firewall
  • License-free: No tens of thousands of francs for licenses for firewalls, switches and access points

Hetzner:

  • Is a Bavarian cloud provider that makes it possible to host servers, applications and containers at a third of the cost of Azure, AWS and GCP
  • Offers a cloud firewall and backup as an easy-to-activate service
  • Does not have powerful enterprise functions, which an SME does not need and therefore does not pay for

Context and reality check

What is immediately apparent: Hetzner and Ubiquiti only have limited security functions. In fact, this is precisely the reason why we propose these components for SMEs:

  • Our concept almost completely degenerates the local network into "dumb" Internet access. Security is handled entirely with the market leader Zscaler in the cloud.

  • SMEs do not need these enterprise functions! Most SMEs we encounter already lack an existing security baseline. Instead of spending money on enterprise functionalities that these SMEs can't use anyway, we create a secure, micro-segmented baseline with maximum cost-benefit factor

  • The concept is modularly expandable with a WAF (e.g. Cloudflare), an MDR (e.g. fully managed with 24/7 service from the manufacturer), a SIEM (also from CrowdStrike, as most of the data comes from the endpoint anyway), a PAM for privileged access (e.g. Keeper), a mail server, a security management system (e.g. a security management system) and a security management system (e.g. a security management system).e.g. Keeper), a mail security gateway and awareness training from Proofpoint or Mimecast, an additional NAC that can be integrated with Ubiquiti (802.1.x) or an extended backup for more fine granularity such as Acronis and Rubrik.

  • No other architecture offers more added value for the francs invested

  • The infrastructure is extremely easy to operate, even for small teams without enterprise know-how
  • It creates noticeable added UX value for both end users (open the device and be connected everywhere) and admins (administration of these products is extremely simple and efficient)

Architecture details

Hetzner is used as a cloud solution for IaaS and PaaS. The resources are easy to deploy, are located in Europe and are extremely affordable. We use the built-in firewall for East-West communication. Servers can be grouped and segmented from each other on the application side. The built-in backup module is also activated as standard, allowing resources to be restored at the touch of a button.

Zscaler is used as a Zero Trust Network solution via an agent on the clients in order to obtain micro-segmented access to the resources in the Hetzner cloud. App connectors are deployed for this purpose. The cloud does not need a single inbound port open for this approach and can remain completely inaccessible from the outside. Zscaler also filters user access to web applications, as this is one of the biggest attack vectors.

Finally, Ubiquiti is used to provide the entire local network stack at the sites. We are talking about layer 2 with switching and WiFi and layer 3 with a built-in firewall and SD-WAN. If required, the gateways can be designed redundantly using HA clusters. The sites are networked via inexpensive FTTH (fiber) connections with optional provider SLA (we recommend Init7 for direct termination without an additional provider router) and 5G redundancy. Ultimately, the locations only need to segment simple network zones such as guest WiFi (for which we have developed our own captive portal with SMS authentication, see go-online.io), IoT, servers, internal clients and OT. All security and app access is via Zscaler, whereby the clients require no more than Internet access.
View full post