Oh, so you go out to ZS and then back on-prem? Seems like you’d have a pretty big performance hit.
It’s a tunnel to a Cloudflare DC, then they provide SSO, terminate TLS and route back to your server. No open ports on your firewall and only traffic that’s been authorized reaches your tunnel endpoint. No DDNS, and your IP can change constantly and it won’t matter because of the tunnel.
There’s also a VPN client but it’s not necessary for the above functionality. The VPN client allows you to apply DNS and traffic policies to your clients, add a TLS inspecting gateway and more.
It’s free, so poke around.