General (applies to both ZTCA and ZTNA)
Q: How does ThreatLocker validate the connections with this service?
A: ThreatLocker adds an additional authentication layer by validating that the device itself is authorized for access. A user with valid credentials and a valid MFA token will still be denied access if that connection comes from a device that is not explicitly authorized for access.
Q: Where are the ThreatLocker broker services located?
A: Data centers are located around the world. Current locations include the US, Canada, Australia, France, Italy, Germany, the UK, Dubai, and Saudi Arabia.
Q: What resources are provisioned in the ThreatLocker Data Centers to support these connections?
A: Networks use a 100 Gbps backbone and 10 Gbps NICs.
Q: What performance impact should I expect to see when connecting over this secure network?
A: Negligible, if any. Internal testing showed 950 Mbps on a 1 Gbps connection.
Q: How will these connections handle high-bandwidth services such as VoIP and streaming video?
A: There will be no impact. Only the authentication is sent over the secure network. Voice and video traffic is sent directly over the standard internet connection.
Q: What ports are used in communication to the secure network broker?
A: Communication is on port 443 using a proprietary protocol.
Q: Can I control which applications have access to which cloud or network services?
A: Yes, in the access policy, each connection can be limited to specific applications.
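The two layered checks described above (device authorization on top of credentials and MFA, and per-connection application limits) can be sketched as a broker-side decision routine. The following Python is an added example, not ThreatLocker's code or protocol; the policy tables, device and application names, and service identifiers are constructed assumptions for illustration. It shows why a request carrying a valid password and a valid MFA token is still denied when it arrives from a device that is not registered for that service, and how the same decision point can restrict which application may use the connection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One attempt to reach a protected service through the broker (constructed)."""
    user: str
    password_ok: bool      # result of the identity provider's credential check
    mfa_ok: bool           # result of the MFA check
    device_id: str         # identifier the endpoint presents to the broker
    application: str       # process on the endpoint that opened the connection
    service: str           # protected service being requested


# Hypothetical policy tables (assumed structure, constructed values):
# which devices may reach each service, and which applications may use
# each connection (None means any application is permitted).
AUTHORIZED_DEVICES = {
    "rdp://fileserver.internal": {"laptop-0042", "laptop-0107"},
    "https://mail.example.saas": {"laptop-0042", "laptop-0107", "phone-0311"},
}
ALLOWED_APPS = {
    "rdp://fileserver.internal": {"mstsc.exe"},
    "https://mail.example.saas": None,
}


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Deny-by-default decision: every layer must pass, in order.

    Returns (allowed, reason) so the reason can be logged and alerted on.
    """
    if not req.password_ok:
        return False, "credentials rejected"
    if not req.mfa_ok:
        return False, "mfa rejected"
    if req.device_id not in AUTHORIZED_DEVICES.get(req.service, set()):
        # A valid user with valid MFA is not enough: the device itself
        # must be explicitly authorized for this service.
        return False, "device not authorized for service"
    apps = ALLOWED_APPS.get(req.service)
    if apps is not None and req.application not in apps:
        return False, "application not permitted on this connection"
    return True, "allowed"


def audit(requests: list[AccessRequest]) -> list[tuple]:
    """Evaluate a batch and return audit records a SOC could review."""
    return [(r.user, r.device_id, r.service, *evaluate(r)) for r in requests]


# Constructed sample: the same user with the same valid credentials and MFA,
# seen from different devices and applications.
SAMPLE = [
    # registered laptop, approved RDP client: allowed
    AccessRequest("alice", True, True, "laptop-0042", "mstsc.exe", "rdp://fileserver.internal"),
    # credentials and MFA token obtained by phishing, used from an unregistered machine: denied
    AccessRequest("alice", True, True, "unknown-9f3a", "mstsc.exe", "rdp://fileserver.internal"),
    # registered laptop, but a program not approved for this connection: denied
    AccessRequest("alice", True, True, "laptop-0042", "powershell.exe", "rdp://fileserver.internal"),
    # registered phone reaching a SaaS service with no application restriction: allowed
    AccessRequest("alice", True, True, "phone-0311", "Mail", "https://mail.example.saas"),
]

if __name__ == "__main__":
    for record in audit(SAMPLE):
        print(record)
```

The order of the checks matters for what a defender learns from the deny reason: a "device not authorized" record for a user whose password and MFA both passed is exactly the signal that credentials have been captured and are being tried from elsewhere, which a monitoring-only approach would miss until the attacker did something visibly malicious.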
Q: Is this similar to other SASE tools?
A: While we don’t comment specifically on other products, many similar solutions route all network traffic through their secure network. ThreatLocker routes only the required traffic through the secure connection; everything else has standard internet access.
Q: Do multiple organizations share the same IP address?
A: No, each organization gets its own IP.
Q: Can this run alongside another VPN on iOS?
A: Multiple VPNs can be configured on the device, but only one can be active at a time (an iOS limitation). When one VPN connects, it disconnects the other.
Q: Do you still suggest having a “Break Glass” account that is not restricted to the IP limitation?
A: Break Glass accounts are typically a good idea in most cases.
Q: Does the ThreatLocker connection stay active after a phone reboot?
A: Yes, it will automatically reconnect after a reboot.
Q: Does this work on O365 GCC-High?
A: Yes, and it is also available on our FedRAMP instance.
Q: Does this secure network meet FIPS 140-1/3?
A: Yes.
Q: Is all iOS traffic sent over the VPN?
A: No. On iOS, a VPN profile is configured only to supply routing information; no traffic is sent over the VPN.
Q: Can a connection be established from an external connection to a local network and connect to an internal device that is not running ThreatLocker (i.e., print to a printer in the office from home)?
A: Not currently; that feature will be available soon.
Zero Trust Network Access (ZTNA)
Q: What problem does ZTNA solve?
A: It prevents unauthorized access to servers that have an exposed port, even when valid credentials are used (obtained through phishing, stolen, or simply used from an unauthorized device), by granting access only to specific authorized devices in addition to requiring authorized credentials.
Q: How does ZTNA differ from a VPN?
A: ThreatLocker sends only the required data over the secure network. VPNs typically send all data through the VPN connection, which often results in performance degradation. ThreatLocker also does not require any additional agents to establish a secure connection.
Q: Is ZTNA similar to a split tunnel VPN?
A: It’s similar in the idea that not all traffic is sent over the secure connection, but different fundamentally in how the connection is established and authenticated.
Q: Can ZTNA replace a site-to-site VPN?
A: Yes. External network connections will route securely through our secure network broker to allow access to a remote network without any additional action, creating a seamless user experience.
Q: What impact would this have on a port scan?
A: Port scans from unauthorized devices will result in no open ports being found. Only authorized devices will be able to see open ports.
Q: Will all traffic route over the secure network even if I’m connected to the same LAN?
A: No, ThreatLocker will automatically detect if the connection is on the same LAN and only route the required traffic over the secure network.
Zero Trust Cloud Access (ZTCA)
Q: What problem does ZTCA solve?
A: It prevents unauthorized access to cloud SaaS platforms that could otherwise be exposed by phishing attacks, stolen credentials, or simply access from unauthorized devices, by granting access only to specific authorized devices in addition to requiring authorized credentials.
Q: What is the benefit of this solution if I already have an EDR monitoring my cloud services for potential compromise?
A: A monitoring service can only detect unauthorized access if the attacker performs an action that is identifiable as malicious. If an attacker gains access and simply reads email to gather information, that activity is unlikely to be detected.
Q: Why would I consider using this over Conditional Access policies that Microsoft already provides for M365 services?
A: Microsoft Conditional Access policies can take up to 15 minutes to apply any changes made to them. ThreatLocker policy updates apply almost instantly.