IT Security Blog

Single-Vendor SASE with Zscaler Zero Trust Branch

Written by Linus Espach | Jul 17, 2026 3:07:49 PM

SASE is no longer just an emerging technology; it has become a central component of many companies' network security strategies. This is also clearly evident in the Gartner Hype Cycle.

Conceptually, companies must make decisions in two fundamental areas:

Vendor strategy: single-vendor SASE or multi-vendor SASE

Architectural focus: cloud-centric approach or perimeter-centric approach

The terms “single-vendor SASE” and “multi-vendor SASE” are used depending on whether the SSE and WAN edge come from the same vendor or from different vendors . Which option is more suitable depends heavily on the specific requirements.

Whether a solution is more cloud- or perimeter-centric is usually determined by the vendor’s product history.

While vendors such as Zscaler, Cloudflare, and Netskope have developed cloud-native platforms, providers like Fortinet, Cato Networks, Check Point, and Palo Alto Networks have their roots in the traditional perimeter-based world and base their SASE architectures more heavily on this approach.

The various models offer different advantages and disadvantages, which we will not discuss in detail in this article.

In the following, we’ll focus on the single-vendor SASE approach of the cloud-centric vendor Zscaler, which offers both SSE and a WAN edge component from a single source.

For which companies is this approach intended?


Zscaler’s single-vendor approach is particularly appealing to companies that have high security requirements and demand granularity and customizability in their configurations.

Zscaler is considered a pioneer of the cloud proxy approach and has long been active in the market for SSE components. This experience is clearly evident in the technology.

The WAN edge sector, however, has long been a challenge for Zscaler, a company that originally focused on SaaS.

The product has now matured and offers a patented, decisive advantage: native, AI-powered microsegmentation that assigns every single host in the network to a so-called “Segment of One” without requiring the configuration of VLANs on switches.

The idea behind it is simple but effective: The company builds a completely flat network and deploys the ZTB—the Zscaler Zero Trust Branch —as the default gateway at each location.

The gateway can be operated as a hardware appliance or a virtual machine and deployed, for example, in an office, data center, or warehouse.

The gateway also handles the local DHCP function. This allows all clients to be assigned microsegmented networks—in networking terms, /32 networks.

The clients can then no longer communicate directly with each other at Layer 2—that is, within the same VLAN—via the switch.

Instead, all traffic is routed through the ZTB. The ZTB automatically detects and classifies the devices and uses AI to generate corresponding policy recommendations.

Tags can also be created manually, configured with properties, and grouped together.

This technology is currently unique on the market. At present, no other manufacturer can offer this concept in the same form.

Other manufacturers use complex and time-consuming-to-configure ACLs (Access Control Lists) on switches or require a separate VLAN for each segment.

This approach is particularly difficult to manage in larger environments and results in high operational overhead and corresponding costs.

What about user traffic?

This question is easier to answer: Zscaler addresses this with its components ZIA— Zscaler Internet Access —and ZPA— Zscaler Private Access.

Technologically speaking, these are Zero Trust Internet Access and Zero Trust Network Access.

Both solutions are cloud-native and offer a very high level of security as well as comprehensive configuration options.

These include, among other things:

  • Cloud Access Security Broker – CASB
  • Data Loss Prevention – DLP
  • Malware Protection
  • Advanced Threat Protection (ATP)
  • Browser Isolation
  • Browser Access

Device posture is also continuously evaluated and taken into account when determining access.

What about server traffic?

Access to servers is provided via Zero Trust Network Access, regardless of their location, and includes cloud-based segmentation. Servers that communicate with the Internet are also filtered agentlessly via ZIA.

In our scenario, the ZTB acts as the perimeter and forwards traffic to the Zscaler Cloud for filtering. Alternatively, this forwarding can also be implemented using any third-party gateways via GRE, VPN, and policy-based routing.

How do I enable remote employees to access internal systems without agents?

It’s simple: through browser access.

Zscaler allows the integration of any identity provider, including those from partner companies.

External users log in to a portal and can securely access the systems authorized for them from there (HTTP, RDP, VNC, SSH).

Optionally, additional security features can be configured, such as:

  • Restrictions on copying and pasting
  • Credential injection for SSH and RDP
  • Printing restrictions
  • Sandbox checks for file uploads
  • Etc.

Do I still need a firewall or other components?

The clear answer is: No.

ZTB also filters east-west traffic within a data center, forwards web traffic to the cloud for filtering, and automatically makes on-premises applications available to remote users.

Traditional site-to-site VPNs to partner companies can also be connected. These terminate in the Zscaler cloud or at Zscaler data centers and can then carry bidirectionally filtered traffic.

Conclusion

In our view, there is currently no infrastructure that is more technologically mature, secure, or powerful.

In particular, Zscaler’s ability to implement microsegmentation without VLANs or ACLs using Zero Trust Branch makes the platform, in our view, one of the most comprehensive and best solutions currently available (as of July 2026).

In addition to the powerful, automated, and feature-rich Zero Trust components ZIA and ZPA—such as browser access and VPN termination—Zscaler offers a compelling overall solution in terms of security, automation, and scalability.

Since not every company requires or wishes to finance this level of security at its locations, a combined architecture is a viable option alongside Zscaler as a complete single-vendor SASE solution.

In this setup, Zscaler serves as the Zero Trust or SSE component, while Ubiquiti is deployed as the WAN edge.

This creates a first-class zero-trust infrastructure whose architecture makes security largely independent of the complexity of individual office locations.

With Ubiquiti as the WAN edge, the company also gains an intuitive and cost-effective networking platform that combines Wi-Fi and switching with firewalling and SD-WAN and integrates seamlessly with Zscaler.