Philip
Thanks for the feedback. To your questions:
(1) Yes, it’s just a question of whether it’s seamless today. For example, with CloudZiti we have already made Azure/Microsoft AD an automatic integration via API. It’s not out of the box with OpenZiti today in the same way.
(2) Integrate… it depends on the definition. I am not overly familiar with the tech, but I note we were broadly discussing this topic on Reddit recently - https://www.reddit.com/r/openziti/comments/108hmjx/opnsensepfsense_integration/ - so my question would refine to: what are the specific FW solutions, and what OS do they run?
(3) Completely clientless will not give you E2E to the endpoint (so you have some trust in the local network), but it is much better than a traditional VPN. We had a large IoT use case recently on Discourse (How do I create a service that connects to a Subnet via a router instead of just a single host? - #12 by TheLumberjack); it may be similar to your use case (if not, it would be interesting to know how it’s not). Ultimately, if the IoT device can load a tunnel, or is Linux and can run an executable, it’s easy to bring onto the overlay. Otherwise, we need to use an Edge Router type deployment and know there is a segment of untrusted connection (ideally a 1:1 plug-in with a Hardware-Based Zero Trust Supplicant (HBZTS), but possibly operating on the whole network).