Understanding Zero Trust SD-WAN Devices
Enabled by the Zscaler Zero Trust Exchange (ZTE), Zero Trust Software-Defined Wide Area Network (SD-WAN) Devices are hardware devices that use Zero Trust Branch Connectivity to simplify traffic forwarding to Zscaler services. The Zero Trust SD-WAN Device is deployed as a Zscaler Branch Connector virtual machine (VM). It supplies branches and data centers with fast and reliable access to the internet and private applications with a direct-to-cloud architecture.
Branch Connector eliminates the network attack surface by establishing direct branch-to-internet and branch-to-private-app connections using a full proxy architecture. It also simplifies branch communications by eliminating complex routing, virtual private networks (VPNs), and firewalls while allowing for flexible forwarding and simple policy management by using the proven Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) policy framework.
The Branch Connector forwards all branch communications directly to the ZTE, where you can apply ZIA or ZPA policies for full security inspection and gain identity-based control of branch and data center communications. The communications are then forwarded from the ZTE to any destination (the internet, private applications in a public cloud, an on-premises data center, etc.).
You can deploy Zero Trust SD-WAN Devices in one of two modes: gateway or non-gateway (one-arm).
In gateway mode, the Zero Trust SD-WAN Device enables direct, secure access from your private network to other geographically distributed parts of your private network, cloud applications, and the internet over one or more internet service provider (ISP) connections. It can also dynamically determine the best quality link, forward specific traffic toward that link, and function as a local router, so local devices can communicate without an external router. You can also deploy the hardware device in gateway mode inside your local area network (LAN) while an existing device connects you to the internet through the wide area network (WAN).
In non-gateway (one-arm) mode, the Zero Trust SD-WAN Device does not connect directly to the ISP. Instead, it is deployed in the organization's internal network and provides access from your private network to other geographically distributed parts of your private network, cloud applications, and the internet. Non-gateway (one-arm) mode requires an external router.
Zero Touch Provisioning
Zero Trust SD-WAN Devices are installed in your organization's on-premises locations and are loaded with the required deployment configurations using Branch Configuration Templates. You can stage the device configuration on the Zscaler Cloud & Branch Connector Admin Portal before a device is powered on and connected to the on-premises location. When your organization is ready for the Zero Trust Exchange to adopt the device, you’ll change the template status from Staged to Ready to Deploy. After an on-site technician powers up the device and provides it with network connectivity, the device software connects to the Zscaler cloud and authenticates itself. After the authentication is successful, the device is provided with its deployment configuration. This simplified method for loading the deployment configuration on on-premises devices is referred to as Zero Touch Provisioning.
To learn more, see Deploying Zero Trust SD-WAN Devices and Installing Zero Trust SD-WAN Devices.