I would recommend AppGate SDP to anyone that has fairly clear cut use cases for systems with user access with less than 5K resources per user. We found it works well in those cases and fully as advertised. The application can easily hide applications and resources from unauthorized access and is a reliable tool in your ZeroTrust arsenal.
The tool is, for the most part, very intuitive. Most of our issues so far (working through them with our Resident Engineer) are the one-off applications. We are working on some exemptions to make them functional. Besides that, the team loves the tool and how it can provide better security than our previous tool.
Live logging in the client. Currently you have to "download" the logs into a zip file and then open that zipfile to look at the logs. There's no logfile to tail or watch.
Load balancing between controllers could be better. Currently relies on round robin DNS and sometimes a browser will pick a different IP than previous and you'll get a big "LOST CONNECTION TO CONTROLLER" message.
Application Segmentation and Listener Configuration - The way applications are defined and listened for is fundamental to ZPA, but can be a source of frustration, especially when dealing with legacy or non-HTTP protocols
The ZCC is the user's primary gateway, but its control over local system network behavior can sometimes clash with enterprise requirements.
Few things stand out. The ease of access: It very convenient - one click to open add details and done. Packet capture: Can't talk enough about this feature. Troubleshooting private access is always problematic,but this feature helped a lot. One thing that can be improved is early warning about expiring authentication
The company has been supportive overall of our needs and desired features. I have not personally called the support services, but I've heard no direct complaints either.
The existing system was FortiGate. The management of the system was a hassle. Because IT personnel had to manually create VPN accounts, user passwords were known to who created them and the end user did not have a way to change them. This created a security issue in the event an IT engineer left the company.
All of these tools are for different needs. Zscaler Private Access being for internal seems very simple as it really only allows filtering up to L4 whereas ZIA allows for filtering up to L7. ZDX often tries to give insight into the environment but since it only works with preconfigured items, that then means when a new problem shows up - ZDX isn't helpful troubleshooting postmortem. For the internal side of the house - Zscaler Private Access' strength is its simplicity to configure.
It freed up IT personnel time. No longer did they have to manually create the account on the VPN endpoint and manually install the client or create VPN profiles on the employees computer.
Positive: We have now charged users internally for the service
Negative: Dealing with users who also have the Zscaler Client Connector for their company, can cause confusions
Negative: Enabling the Zscaler Internet Access entitlement has been a major headache for us because Zscaler Private Access users can't autheniticate through ZIA on a non corporate device.