TroutTrout

Deployment options

How Access Gate adapts its Zero-Trust deployment to your existing network, from full coverage to partial, exotic setups.

2 min read · Last updated 2026-07-07

Access Gate does not require you to redesign your network. It adapts to what is already there, DNS, routers, managed or unmanaged switches, even non-routed and exotic setups, and deploys the strongest Zero-Trust posture your topology allows.

Use the explorer below to see the recommended deployment for your environment: where the Access Gate sits, how much Zero-Trust coverage you get, and the migration path to get there.

Access Gate: deploy Zero-TrustSelect an option to highlight its path

Full vs partial Zero-Trust

  • Full Zero-Trust is available whenever the Access Gate can see and broker every relevant flow. That is typically the case when the network is routed and you have DNS or a managed switch to steer traffic through the overlay.
  • Partial Zero-Trust applies when some traffic stays purely at layer 2 and never reaches the Access Gate, for example with unmanaged switches or non-routed, exotic protocols. The Access Gate still protects everything it sees and can filter at L2 by EtherType or MAC, but flows it never observes are out of scope.

What drives the decision

Three properties of your existing network determine the deployment:

  1. Routing: whether communications are routed and routable, or non-routed (exotic and custom).
  2. What is on the network: DNS, a router (no DNS), or a switch only (no DNS or router).
  3. Switch type: managed (supports PVLAN and VLAN steering) or unmanaged.

From these, the Access Gate is positioned as an inline peer of your router, in place of your router, or as an aggregation switch, and the Secure Twin overlay carries the migrated assets without touching production.

Next steps