Requirements
Before you set up ZTNA, check that you meet all of the following requirements.
Wildcard certificate
You need a wildcard certificate for the ZTNA gateway. Use one of the following:
- A certificate issued from Let's Encrypt.
- A certificate issued by a trusted certificate authority.
This guide tells you how to get a certificate.
Gateway host
You can host the ZTNA gateway on an ESXi server, a Hyper-V server, or Amazon Web Services.
ESXi server
If you host the gateway on an ESXi server, you must meet these requirements:
- VMware vSphere hypervisor (ESXi) 6.5 or later.
- 2 cores, 4 GB RAM, and 80 GB disk space.
You must ensure that the correct date and time are set. The ZTNA gateway synchronizes with the host's time and encounters issues if it isn't correct.
Note
You must set the time zone as UTC.
On your ESXi host, go to Manage > System > Time & date and click Edit settings to set the time.
Hyper-V server
If you host the gateway on a Hyper-V server, you must meet these requirements:
- Hyper-V Server running on Windows Server 2016 or later.
- 2 cores, 4 GB RAM, and 80 GB disk space.
You must ensure that the correct date and time are set. The ZTNA gateway synchronizes with the host's time and encounters issues if it isn't correct.
Note
You must set the time zone as UTC.
Amazon Web Services
If you host the gateway on Amazon Web Services (AWS), you need an AWS account.
DNS management
You must configure your DNS server settings. See Add your DNS settings.
Directory service
You need a directory service to manage the user groups that ZTNA will use. You can use Microsoft Entra ID (Azure AD) or Active Directory.
Microsoft Entra ID (Azure AD)
You need a Microsoft Entra ID (Azure AD) account with user groups configured and synced with Sophos Central. This guide tells you how to set up and sync these groups.
Your user groups must be security enabled. Groups created in Microsoft Entra ID (Azure AD) are automatically security enabled, but groups created from the Microsoft 365 portal or imported from AD aren't.
You can also use Microsoft Entra ID (Azure AD) as your identity provider.
Active Directory
You need an Active Directory account with user groups configured and synced with Sophos Central. See Set up synchronization with Active Directory in the Sophos Central admin help.
If you use Active Directory, you need a separate identity provider such as Okta.
Identity provider
You need an identity provider to authenticate your users. You can use either of the following:
- Microsoft Entra ID (Azure AD)
- Okta
This guide tells you how to configure them for use with ZTNA.
Allowed websites
If the gateway is behind a firewall, you must give access to the required websites (on port 443, unless otherwise stated).
Note
This only applies to on-premises gateways.
The required websites are as follows:
- sophos.jfrog.io
- jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com
- *.amazonaws.com
- production.cloudflare.docker.com
- *.docker.io
- *.sophos.com
- login.microsoftonline.com
- graph.microsoft.com
- ztna.apu.sophos.com (Port 22)
- sentry.io
- *.okta.com (If you use Okta as an identity provider)
- wsserver-ztna.<customerdomain.com>
- ZTNA gateway FQDN (the domain you configured in the ZTNA gateway settings)
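A preflight check you can run from an on-premises gateway host before enrolment, as an added example rather than Sophos-provided tooling. The destinations and ports come from the list above; the `customer_domain`, `gateway_fqdn` and `use_okta` parameters and the helper names are this example's own. Wildcard entries cannot be proven reachable with a single connection, so the script separates them out as firewall rules to verify by policy rather than by probe.

```python
"""Preflight egress check for an on-premises ZTNA gateway host (added example)."""
import socket

# (destination, TCP port, condition). Port is 443 unless the page states otherwise;
# condition None means always required, "okta" means only with Okta as the IdP.
REQUIRED_SITES = [
    ("sophos.jfrog.io", 443, None),
    ("jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com", 443, None),
    ("*.amazonaws.com", 443, None),
    ("production.cloudflare.docker.com", 443, None),
    ("*.docker.io", 443, None),
    ("*.sophos.com", 443, None),
    ("login.microsoftonline.com", 443, None),
    ("graph.microsoft.com", 443, None),
    ("ztna.apu.sophos.com", 22, None),       # the one non-443 destination
    ("sentry.io", 443, None),
    ("*.okta.com", 443, "okta"),
    ("wsserver-ztna.<customerdomain.com>", 443, None),  # placeholder from the docs
]


def plan_checks(customer_domain, gateway_fqdn, use_okta):
    """Expand REQUIRED_SITES into concrete (host, port) probes plus the wildcard
    rules that can only be verified as firewall policy. Parameters are assumptions."""
    probes, wildcards = [], []
    for host, port, cond in REQUIRED_SITES:
        if cond == "okta" and not use_okta:
            continue
        host = host.replace("<customerdomain.com>", customer_domain)
        (wildcards if host.startswith("*.") else probes).append((host, port))
    probes.append((gateway_fqdn, 443))  # the gateway's own FQDN, from the list above
    return probes, wildcards


def tcp_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_preflight(customer_domain, gateway_fqdn, use_okta, connect=tcp_open):
    """Return the probes that failed and the wildcard rules left to check by policy."""
    probes, wildcards = plan_checks(customer_domain, gateway_fqdn, use_okta)
    failed = [(h, p) for h, p in probes if not connect(h, p)]
    return {"failed": failed, "wildcard_rules": wildcards}


if __name__ == "__main__":
    # Constructed sample values; replace with your own domain and gateway FQDN.
    result = run_preflight("example.com", "ztna.example.com", use_okta=True)
    for host, port in result["failed"]:
        print(f"BLOCKED: {host}:{port}")
    for host, port in result["wildcard_rules"]:
        print(f"VERIFY FIREWALL RULE: {host}:{port}")
```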
Supported app types
ZTNA can control access to both web-based and local apps. Control of local apps requires the ZTNA agent.
ZTNA doesn’t support apps that depend on dynamic port allocation or use a wide range of ports, for example older VoIP products.
Sophos ZTNA agent
You can install the ZTNA agent on the following operating systems:
- Windows 10 1803 or later
- macOS Big Sur (macOS 11) or later