System.Return('/syslog')
SecurityNetworking

Bypassing ISP Blocks: The Business Case for Zero Trust

When TRA Oman blocked our VPN protocol, our operations halted. Here is the technical and business breakdown of why we moved to Twingate.

In Oman, the Telecommunications Regulatory Authority (TRA) maintains strict control over VoIP and VPN traffic. For businesses relying on remote access, this creates significant operational risks.

This is the story of how an ISP-level DPI (Deep Packet Inspection) block crippled our operations, and how migrating to a Zero Trust architecture restored them within 48 hours.

The Incident

Thursday, 9:00 AM: Remote users reported they could not connect to the Tally Prime ERP hosted on our central Windows Server 2019 RDS. Diagnosis: tailscale netcheck reported UDP blocked. The ISP had deployed a new DPI rule targeting WireGuard signatures. Outbound connections to the control plane failed. Our custom DERP relays were also blackholed.

Operations across 4 branches stopped. We couldn’t generate invoices or check inventory.

Why Traditional “Fixes” Failed

  1. Changing Ports: Ineffective against DPI which analyzes traffic behavior, not just ports.
  2. OpenVPN (TCP): Too slow for RDP traffic, and frequently flagged by the ISP.
  3. Dedicated VPN Lines: Expensive (thousands of dollars setup) and takes weeks to provision.

The Strategy: Zero Trust Network Access (ZTNA)

We needed a solution that:

  1. Did not rely on easily-identified VPN protocols like WireGuard or IPsec
  2. Did not require inbound port forwarding (due to our Double NAT setup)
  3. Operated via standard TLS (HTTPS) outbound traffic

The Choice: Twingate.

Architecture Change

The Old Way (VPN Tunnel)

User connects to VPN -> Gained access to the entire local subnet -> Connects to server. This is dangerous. If a user’s laptop is compromised with ransomware, the entire corporate network is exposed via the tunnel.

The New Way (Zero Trust)

User authenticates via IdP (Identity Provider) -> Twingate Client initiates outbound TLS to Twingate Relay -> Internal Server Connector picks up the request -> Allows access only to the specific IP and Port (3389 for RDP).

The key difference: The firewall has zero open inbound ports. The connection is established from the inside out using standard web traffic (TLS), making it virtually indistinguishable from regular secure browsing.

The Certificate Hurdle

Zero Trust handles the routing, but Windows RDS still expects a valid SSL certificate for the rdgateway.company.com hostname. Since Twingate routes internally using the private IP, the hostname mismatch caused RDP clients to reject the connection.

The Fix: Used win-acme with Cloudflare DNS validation to generate a Let’s Encrypt certificate for the internal server, then bound it to all RDS roles via PowerShell.

The Business Result

  1. Uptime Restored: Operations resumed within 48 hours.
  2. Invisible Infrastructure: The server now has zero presence on the public internet (Shodan scans return nothing).
  3. Microsegmentation: Users can only access the ERP server, nothing else on the subnet.

Zero Trust isn’t just a buzzword; in strict regulatory environments, it’s a required survival tactic.