Cloud-Native Proxy vs DMZ Appliance
Xona’s video-streaming approach successfully isolates the network, but it sacrifices user experience and creates massive, unsearchable video files for auditing. Agilicus achieves Zero Trust isolation but preserves the native, frictionless feel of the application while providing actionable, granular security logs.
Discover why an outbound-only network architecture beats open ports on your firewall for a modern, frictionless remote access tool.
The Fundamental Difference
Invisible vs Public IP Address
Agilicus
Agilicus connectors operate entirely outbound. You install a lightweight connector behind your firewall, and it dials out to the Agilicus cloud. Because there are zero inbound ports open, your firewall drops all unsolicited external traffic. Your infrastructure remains completely “dark” and invisible to the public internet.
Xona
To allow external contractors to reach the Xona Critical System Gateway (CSG) without a VPN, you are forced to open an inbound port (typically 443) on your corporate firewall. As soon as you open an inbound port, your public IP address is visible to the entire internet. Automated bots, Shodan scanners, and malicious actors can ping the appliance, probe it for vulnerabilities, and attempt to brute-force the login page.
Identity Model Comparison
Agilicus: Outbound Only → No open ports, completely invisible to the public internet
Xona: Inbound Listening → Open ports in the firewall expose the resource to the public internet
Agilicus brokers the connection in its globally distributed cloud edge. When a user navigates to your portal, they are hitting the Agilicus cloud, not your physical firewall. The Agilicus cloud natively includes massive DDoS mitigation and an automated WAF. If a botnet launches a DDoS attack or attempts an SQL injection (OWASP), the Agilicus cloud absorbs and neutralizes the attack at the edge, meaning those malicious packets never even reach your corporate ISP, let alone your internal network.
Xona is just the gateway sitting in your DMZ; it does not have a massive global network to absorb a Distributed Denial of Service (DDoS) attack. If attackers flood your public IP with junk traffic, your physical firewall or internet pipe will choke, taking your remote access (and potentially your entire site) offline. Furthermore, Xona itself is not a Web Application Firewall (WAF). To protect it from OWASP Top 10 web exploits, you have to buy, configure, and maintain a separate 3rd-party WAF to sit in front of it.
Agilicus AnyX is a complete Zero Trust Network Access platform, comprising authentication, authorization, audit, and access. One of AnyX’s core features is the ability to use a remote graphical environment, via both Remote Desktop Protocol (RDP) and VNC. These are available via a browser or via a native client, and incorporate Agilicus’ trademark simple, seamless single sign-on via your existing identity providers, for your staff and your partners, with optional multi-factor authentication.
Why Modern Teams Choose Agilicus
Compare capabilities side-by-side.
Feature: Firewall Exposure
Agilicus AnyX: Zero Inbound Ports. Connectors dial out to the cloud edge. Your perimeter drops all unsolicited public traffic.
Xona: Requires IT Inbound Ports. The appliance must be exposed to the public internet for clientless access (or hidden behind a legacy VPN).
Feature: Network Visibility
Agilicus AnyX: “Dark” Infrastructure. The attack surface is hidden; the local network routing table is completely unaware of the target asset.
Xona: Publicly Addressable. The appliance gateway can be pinged, scanned by Shodan, and targeted by botnets.
Feature: Delivery Mechanism
Agilicus AnyX: Native Protocol Proxying (HTML5). Translates RDP/SSH/Web locally. Feels snappy, native, and uses ultra-low bandwidth.
Xona: Pixel / Video Streaming. Streams an interactive video (MP4/H.264) of the screen. High bandwidth, high latency, and “clunky” UX.
Feature: Edge Threat Protection
Agilicus AnyX: Built-in WAF & DDoS. The Agilicus cloud absorbs DDoS floods and OWASP attacks globally before they reach your ISP.
Xona: Bring-Your-Own Security. Relies on your physical firewall to survive DDoS attacks. Requires licensing a 3rd-party WAF for web protection.
Feature: Asset Protection (Granularity)
Agilicus AnyX: Application-Layer (L7) Control. Understands the traffic. Can restrict specific actions (e.g., allow “View”, block “Save/Post”).
Xona: Visual Airgap Only. You either have access to the video stream or you don’t. Cannot natively filter specific clicks or API commands inside the stream.
Feature: Auditability & Forensics
Agilicus AnyX: Text-based, searchable logs. Exact records of what a verified identity did (e.g., “User executed HTTP POST at 10:02 AM”).
Xona: Video playback. Security teams must manually watch hours of recorded MP4 video files to figure out what a contractor clicked.
Clientless Universal Access
Access all resources from any device with a web browser.
- Equal security across all devices accessing resources
- Enable BYOD while maintaining security
- Easy Access to all authorized resources in one tile-based web launcher
Granular Authorization
Granular authorization and permission levels at a per-resource level.
- Enforce read vs write permission levels per user
- Enable specific users to perform specific tasks on a resource
- Native resource request workflow for task-based permissions
Per-Resource Authentication
User authentication at a per-resource level to enable granular authorization.
- Enables granular audit logs for what user on what device
- Eliminate shared passwords and team level access
- Provision / Decommission resources on a per user basis
Ready to move beyond legacy remote desktop?
Experience the security of a complete Zero Trust platform. No clients to manage, no shared passwords to fear.