Legacy IPSec / SSL VPN concentrators were the model for the 2000s — they don't fit a hybrid-work, multi-cloud, M&A-active 2026 estate. Zero Trust Network Access (ZTNA) via Zscaler ZPA, Palo Alto Prisma Access, or Microsoft Entra Private Access replaces VPN at any scale. This is the 90-day playbook Servnet uses.
Why migrate
VPN concentrator scalability + cost — adding capacity for hybrid workforce growth gets expensive.
Security model — VPN grants network-level access. ZTNA grants application-level access only. Per-app conditional access is a step change.
User experience — direct app-level connection beats double-encrypted VPN tunnels for cloud apps.
See our SASE buyer's guide for platform selection.
Days 1-21 — Platform selection + commercial
Select ZTNA platform — Zscaler ZPA for the largest UK skills market and PoP coverage; Palo Alto Prisma Access if you already run a Palo Alto NGFW estate; Microsoft Entra Private Access for pure Microsoft shops.
Negotiate net UK pricing — typically 25-40% off list.
Sign + provision tenant.
Days 22-35 — Pilot deployment
Identity integration — connect Microsoft Entra ID / Okta / Google for SSO.
Conditional access design — device posture, location, app sensitivity tiering.
Deploy connector / app connector appliances at HQ + DC + major regional sites.
Pilot with 20-50 users covering: standard remote workers, power users with complex apps, BYOD edge cases.
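As an added illustration of the conditional access design above (not vendor code, and not any platform's real policy API), here is a small per-app policy evaluator; the sensitivity tiers, posture levels, home countries and pilot cohort are constructed assumptions:

```python
"""Added example, not vendor code: a minimal per-app ZTNA policy evaluator.
Assumption: each app has a sensitivity tier that sets a minimum device posture,
where it may be reached from, and whether off-home sign-in needs step-up MFA."""
from dataclasses import dataclass
from enum import IntEnum

class Posture(IntEnum):
    UNMANAGED = 0   # BYOD, no endpoint agent
    MANAGED = 1     # MDM-enrolled, agent present
    COMPLIANT = 2   # managed plus disk encryption and healthy EDR

@dataclass(frozen=True)
class Request:
    app: str
    tier: str        # "public", "internal" or "restricted"
    posture: Posture
    country: str     # ISO 3166 alpha-2 code of the client

HOME = {"GB", "IE"}
# Constructed tier policy; a real deployment holds this in the ZTNA console.
TIER_POLICY = {
    "public":     {"min_posture": Posture.UNMANAGED, "allowed": None, "mfa_outside_home": False},
    "internal":   {"min_posture": Posture.MANAGED,   "allowed": None, "mfa_outside_home": True},
    "restricted": {"min_posture": Posture.COMPLIANT, "allowed": HOME, "mfa_outside_home": True},
}

def evaluate(req: Request, idp_healthy: bool = True) -> str:
    """Return 'allow', 'step_up' (require MFA) or 'deny' for one app request."""
    if not idp_healthy:
        return "deny"          # fail closed: no identity assertion, no app access
    policy = TIER_POLICY[req.tier]
    if req.posture < policy["min_posture"]:
        return "deny"          # posture gate is not negotiable
    if policy["allowed"] is not None and req.country not in policy["allowed"]:
        return "deny"          # geo-fenced tier
    if policy["mfa_outside_home"] and req.country not in HOME:
        return "step_up"       # location risk: require MFA before connecting
    return "allow"

def pilot_summary(reqs, idp_healthy=True) -> dict:
    # Count decisions across a pilot cohort to spot over-blocking before rollout.
    out = {"allow": 0, "step_up": 0, "deny": 0}
    for r in reqs:
        out[evaluate(r, idp_healthy)] += 1
    return out

if __name__ == "__main__":
    # Constructed pilot cohort: remote worker, travelling power user, BYOD user.
    cohort = [Request("intranet", "internal", Posture.MANAGED, "GB"),
              Request("erp", "restricted", Posture.COMPLIANT, "DE"),
              Request("wiki", "public", Posture.UNMANAGED, "US")]
    print(pilot_summary(cohort))   # {'allow': 2, 'step_up': 0, 'deny': 1}
```

Running the cohort through the evaluator before rollout shows which personas would be blocked outright (the travelling power user on the geo-fenced tier here) and which only need MFA, which is the kind of finding the pilot exists to surface.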
Days 36-75 — Phased rollout
Department-by-department rollout — typically 100-300 users/week for a competent IT team.
Per-app onboarding — web apps are easy, internal TCP apps need app connector configuration, and UDP-heavy apps (some VoIP, custom protocols) need careful testing.
Run VPN + ZTNA in parallel — users on either path during transition.
Days 76-90 — Legacy VPN decommission
Once 95%+ of users are on ZTNA: schedule the VPN decommission cutover.
Communicate aggressively to remaining users — final cutover dates, fallback support, exception process for the long tail.
Decommission VPN concentrator + DMZ rules. Reallocate firewall capacity.
Common gotchas
UDP apps — voice + video apps that need direct UDP may need an exception path. Confirm during pilot.
Legacy ICS / OT — some industrial controls only work over Layer 2 / 3 connectivity, and ZTNA isn't the answer for those flows. Plan a hybrid model.
Identity dependence — ZTNA requires a healthy identity provider. If Entra ID goes down, access breaks. Resilience planning matters.
Bandwidth — moving 1,000 users from a VPN concentrator (typically 1-10 Gbps) to ZTNA cloud (per-user 100-500 Mbps) is a different traffic pattern. Validate the HQ ISP link.
What Servnet does
Servnet runs VPN → ZTNA migrations across Zscaler ZPA + Palo Alto Prisma Access. Typical UK engagement: 90 days for 500-2,000 user environments.