
Settings

You can see and change your Zero Trust Network Access (ZTNA) settings.

Go to ZTNA > Settings.

Sophos support for gateway instance

You can give Sophos support a token to allow us to access your gateway instance for troubleshooting. Here you can set how long a support token remains valid before it expires.

To give Sophos access to a gateway, you must go to Gateway > Gateway Details and generate a support token.

You must click Save after changing any settings.

Minimum time before device health triggers a rule

You can change the time before a device's security health triggers a rule in an access policy. This prevents ZTNA from acting too quickly if there's a temporary issue.

You must click Save after changing any settings.

Agent tunnel inactivity timeout

You can now set an inactivity timeout for the tunnel between the ZTNA agent and the ZTNA gateway. If there's no activity for a specific length of time, the tunnel is automatically closed.

Select one of the following options:

  • 5 minutes
  • 15 minutes
  • 30 minutes
  • 1 hour

The default value is 5 minutes.

When traffic resumes, the tunnel is re-established.

Domains & certificates

Click Domains & certificates to generate a free Let's Encrypt certificate, and add your domains. See Get a certificate.

Points of Presence

On ZTNA 2.1 and later, a secondary point of presence is set up by default, nearest to your primary point of presence. There's automatic failover between the points of presence, so that users can access resources without any interruptions.

If you're using Sophos Firewall for your Sophos Cloud gateway, you must be on SFOS 20 MR2 or later to use this feature.

If you want to turn off the secondary point of presence, do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Settings.
  3. Under Points of Presence, turn the secondary points of presence option off.
  4. Go to the top of the page, and click Save.

Turn secondary point of presence off.

Don't intercept on-premises traffic

This feature is currently only available for the Windows ZTNA agent. Support for macOS is coming soon.

Suppose the ZTNA agent is connected to an office or trusted network, and the ZTNA resources you've configured are on that same network. By default, traffic to those resources is still routed through the WAN interface of the ZTNA gateway or Sophos Cloud. This keeps the user experience and security posture uniform, but the hairpinning (traffic leaving the LAN and coming back in through the gateway) can add latency, especially for protocols such as Common Internet File System (CIFS) and Remote Desktop Protocol (RDP).

If you want to make sure resources are accessed via the LAN and not via the ZTNA gateway, turn this feature on, as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Settings.
  3. Under Don't intercept on-premises traffic, turn the feature on.

    Note

    If you turn this feature on, you must make sure that your resources are reachable via the LAN.

  4. Add your network's FQDN and IP address.

    This allows the ZTNA agent to check the network.

    Note

    You must add the same details to your on-premises DNS server. If the DNS server can resolve the FQDN, the ZTNA agent knows that the network is on-premises, and it won't send traffic from this network to the ZTNA gateway.

  5. Go to the top of the page, and click Save.

  6. Get the special software package. See Special. The token you must enter is e047cf82-a1b3-532f-8ff5-b18a79489a04.

    You'll see the following package under Software Packages: FTS 2025.1.2.20.2-ZTNA-SPECIAL-61157.

  7. Go to My Products > Endpoint > Policies.

  8. Under Update Management, click on the policy you want to apply the software package to, and click Settings.
  9. Under Select a software package, select the FTS 2025.1.2.20.2-ZTNA-SPECIAL-61157 package, then click Save.
  10. Your endpoints will update automatically if you've set a schedule. You can also update your endpoints manually.

The ZTNA agent checks the network whenever the network interface on the endpoint device changes.
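Before you turn the feature on, it's worth confirming that the endpoint's resolver answers the way the agent expects. The script below is an added example (not Sophos code) that mirrors the decision described above; it assumes the agent treats the network as on-premises only when the FQDN resolves to the IP address you configured, and the FQDN and IP in it are constructed sample values. Run it on a Windows endpoint while on the office LAN (expect "on-premises") and again from an outside network (expect "off-premises"); a "mismatch" or an unexpected "on-premises" result off-site means the record is wrong or is visible on public DNS, so traffic would stay off the gateway where it shouldn't.

```python
import socket
from typing import Callable, List

# Constructed sample values; replace with the FQDN and IP address you entered
# under "Don't intercept on-premises traffic" in Sophos Central.
SAMPLE_FQDN = "ztna-check.corp.example"
SAMPLE_IP = "10.20.30.40"


def system_resolve(fqdn: str) -> List[str]:
    """Resolve an FQDN to IPv4 addresses using the endpoint's own DNS settings,
    which is what the agent relies on. Returns [] on NXDOMAIN or any failure."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify_network(fqdn: str, expected_ip: str,
                     resolve: Callable[[str], List[str]] = system_resolve) -> str:
    """Reproduce the on-premises check as this page describes it (an assumption
    about the agent's exact logic, not Sophos's implementation).

    Returns one of:
      "on-premises"  - FQDN resolves to the configured IP; agent keeps traffic on the LAN
      "off-premises" - FQDN does not resolve; agent sends traffic via the ZTNA gateway
      "mismatch"     - FQDN resolves, but not to the configured IP; fix the DNS record
    """
    answers = resolve(fqdn)
    if not answers:
        return "off-premises"
    if expected_ip in answers:
        return "on-premises"
    return "mismatch"


if __name__ == "__main__":
    verdict = classify_network(SAMPLE_FQDN, SAMPLE_IP)
    print(f"{SAMPLE_FQDN} -> {system_resolve(SAMPLE_FQDN) or 'no answer'}: {verdict}")
```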

Resource connection pooling

Connection pooling for NTLM-based resources is turned on by default on the ZTNA gateway. Turn this option off if you have agentless resources that use NTLM or similar authentication protocols.