A 17-year-old web foundation.
And the water cannot stand still for a second.

To a cloud web gateway, without downtime

A drinking-water utility, critical infrastructure. Web traffic had run through an on-premise proxy for 17 years: outdated, identity-blind, hard to manage. We lifted it to a cloud secure web gateway with zero trust, without the people keeping the water running noticing a thing.

Sector: Drinking-water utility (critical infra)
Scale: Multiple sites, 17-year legacy estate
Engagement: Migration + ongoing management
Frameworks: Zero trust, NIS2

Legacy: 17 years. On-premise proxy estate, retired to the cloud.
Migration: No downtime. Cut over in phases without interrupting operations.
Vendor outage: ~40 min. A global fault worked around, before the vendor confirmed it.

The challenge

In critical infrastructure, nothing can go down.

Web traffic had run through an on-premise proxy for 17 years. Outdated, identity-blind, with a sprawl of exceptions, and hard to manage. Replacing it was overdue, but every interruption hits a vital process.

  • 01. A 17-year-old on-premise proxy. Outdated, hard to manage, and a single point of failure for all web traffic.

  • 02. No identity in the traffic. Policy on IP and location, not on who the user is; zero trust was impossible.

  • 03. A sprawl of exceptions. Years of bypasses piled up; no one still oversaw what was open and why.

  • 04. No downtime allowed. Every interruption hits a vital process; the migration had to go unnoticed.

The question was not whether the proxy had to be replaced. It was how you lift critical-infrastructure web traffic to the cloud, without anyone noticing.

The approach

First understand what runs. Then cut over.

No big bang. A phased cutover on a design that first mapped the existing reality, with the service desk ready to catch every user.

AS-IS first · No assumptions
Cut over in phases · Per batch
Service desk ready · Safety net

01

The existing reality mapped

The full proxy configuration, the years of exceptions and the roaming/on-prem split captured in a low-level design, in seven iterations until it was right.

02

A zero-trust design

A cloud secure web gateway with identity as the base: policy on who the user is, SSL inspection, content filtering and visibility of cloud services (CASB).

03

Phased cutover

No big bang but batch by batch, with a rollback path ready. Heightened vigilance at every step, as vital work demands.

04

Service desk in position

A quick reference card for the service desk: block pages, certificate checks and a direct rollback, so every user could be helped at once.

The solution

Web traffic that knows who is browsing.

What stands now: all web traffic via a cloud secure web gateway, identity-aware and zero-trust, with the on-premise proxy retired. And it stays under our management.

Cloud secure web gateway

Web traffic is cloud-delivered instead of passing through an on-premise box, so there is no longer a single point of failure.

Identity as the base

Policy on who the user is, not on IP or location: zero trust in the web traffic.

Insight and grip

SSL inspection, content filtering and visibility of cloud services, with shadow IT in view.

Managed, not abandoned

With a steering group, fixed agreements and a service-desk safety net, run by us continuously.

“When a vendor fault took down every login, ours was already fixed before the vendor admitted it.”

IT manager · drinking-water utility

The result

From a 17-year-old box to a cloud gateway that moves with you.

Before
  • 17-year-old on-prem proxy, single point of failure
  • Policy on IP and location, no identity
  • A sprawl of unmanageable exceptions
  • Every change risky for a vital process
Now
  • Web traffic via a cloud secure web gateway, the on-prem proxy retired.
  • Identity-aware and zero trust, policy on who the user is.
  • Migrated without downtime for operations.
  • Managed continuously, faster than the vendor itself when it mattered.
