Figure: Legacy perimeter firewall setup vs. Secure Zero Trust access with TAC
Every open port is an open invitation
The average enterprise firewall has dozens of open inbound ports — each one a potential entry point for attackers. VPNs need their ports open. RDP needs its port. SharePoint needs its port. Every SaaS connector, every remote access tool, every collaboration platform demands firewall rules that punch holes in your perimeter.
Port scanning is automated, cheap, and relentless. Attackers don’t need to find a vulnerability in your application — they just need one open port to start probing.
Every additional open port multiplies your attack surface. And your security stack keeps asking you to open more.
TAC’s reverse proxy changes everything
A single encrypted port (up to TLS 1.3) handles ALL application traffic. Close every inbound access port on your firewall.
How It Works
Reverse Proxy Architecture
TAC sits at the network edge as a reverse proxy. All user requests flow through TAC on a single encrypted channel — never directly to backend applications.
Authentication Before Access
Identity, MFA, device posture, and policy evaluation all happen at the proxy layer — before any connection to the internal resource is established.
Close the Rest
Since all traffic is proxied through a single port, every other inbound port can be closed on the firewall. No exceptions. No “temporary” rules that become permanent.
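One way to verify the "close the rest" step on a Linux edge firewall, as an added example that is not TAC's or the vendor's code: it parses `iptables-save` output and reports every inbound ACCEPT rule other than the single proxy port. The proxy port (tcp/443), the function names and the sample ruleset are assumptions constructed for illustration.

```python
import re

# Constructed sample in iptables-save format (not taken from any real host).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,8443,5000:5002 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""

def expand_ports(spec):
    """Expand '80,8443,5000:5002' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_inbound(rules_text, allowed=("tcp", 443)):
    """Return a finding for every inbound ACCEPT other than the allowed proto/port.
    The default of tcp/443 is an assumption; pass the port your proxy listens on."""
    findings = []
    for line in rules_text.splitlines():
        if line.startswith(":INPUT ") and line.split()[1] == "ACCEPT":
            findings.append("default INPUT policy is ACCEPT")
        if not line.startswith("-A INPUT ") or "-j ACCEPT" not in line:
            continue
        # Loopback and return traffic for outbound connections are not exposure.
        if re.search(r"-i lo\b", line) or re.search(r"--(ct)?state \S*ESTABLISHED", line):
            continue
        proto = re.search(r"-p (\S+)", line)
        dports = re.search(r"--dports? (\S+)", line)
        if not proto or not dports:
            findings.append(f"accepts without a port restriction: {line}")
            continue
        for port in sorted(expand_ports(dports.group(1))):
            if (proto.group(1), port) != allowed:
                findings.append(f"{proto.group(1)}/{port}")
    return findings

if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULES):
        print("extra inbound exposure:", finding)
```

An empty result means the INPUT chain admits only the proxy port; rules in other chains or on upstream devices are outside what this check sees.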
Why competitors can’t close your access ports
Other solutions move the problem around. Only TAC eliminates it entirely.
Uses lightweight connectors that create outbound tunnels to Zscaler’s cloud. Traffic still flows through Zscaler’s multi-tenant infrastructure, and connectors must maintain persistent connections. You’re trading open ports for dependency on a shared cloud you don’t control.
An identity platform, not a network proxy. Okta authenticates users to cloud apps via SAML/OIDC redirects. On-prem apps require the Access Gateway add-on — which still needs network access to your applications. No port reduction capability whatsoever.
Duo Network Gateway proxies web applications but requires its own exposed ports. Full zero-trust access requires Duo + Secure Access + ISE — multiple products, multiple consoles, multiple port requirements. The attack surface fragments rather than shrinks.
Entra Application Proxy uses connector agents that create outbound connections to Azure — but only supports web apps. Thick-client apps need separate solutions. Full stack requires Entra + Intune + GSA + Defender — 4-6 admin centers, none of which close your ports.
TAC: One Port. All Traffic. Zero Exceptions.
TAC’s reverse proxy handles all application traffic through a single encrypted port (up to TLS 1.3). VPN traffic, RDP sessions, web apps, thick-client apps, IoT consoles — everything flows through one port. Close the rest. No competitor can do this.