Skip to content

Set up an on-premises gateway

Set up a ZTNA on-premises gateway that will control access to resources on your network.

The steps differ depending on whether you want to host the gateway on an ESXi server or Microsoft Hyper-V.

Warning

AWS gateways reach end of life on March 31st, 2024. See Retirement calendar. You can deploy SFOS on AWS and migrate the resources to this gateway to make sure users can still access apps after that date.

Warning

Don't configure gateways to operate in subnets used for internal services. If you do, you may have issues accessing applications. These subnets are as follows: 10.42.0.0/16, 10.43.0.0/16, 10.108.0.0/16.

Warning

Don't configure IPv6 addresses for your gateways, or allow DHCP IPv6 addresses to be assigned to endpoints, as IPv6 isn't supported.

Tip

If your users need to access ZTNA resources from the same network as the ZTNA gateway, add a SNAT rule of the type MASQ to prevent asymmetric routing.

To get step-by-step instructions, click the tab for your host below.

You set up a gateway on ESXi in two stages:

  • Download a gateway image (OVA file) and deploy it in ESXi.

  • Add gateway settings in Sophos Central to generate an ISO file ("seed image") that you use to boot the gateway in ESXi.

You can set up a gateway cluster to ensure availability. To do this, you set up additional instances of the gateway, as described here.

Note

Make sure that the correct time and date are set on the ESXi host. You must set the timezone as UTC. The ZTNA gateway encounters problems if you don't set the time correctly. See Requirements.

If you're using a two-arm proxy, see Network configuration.

Download and deploy image

  1. In Sophos Central, go to Devices > Installers.

  2. Find Zero Trust Network Access.

    1. Click the download link for a gateway image.
    2. Accept the license agreement and (if you're prompted) the software export compliance forms.
    3. The gateway image is downloaded. This is a generic OVA image of the ZTNA gateway for ESXi servers. You can reuse it as many times as you want.

    Downloads page.

  3. Deploy the OVA image to your ESXi host. In VMware vSphere, right-click the host and select Deploy OVA Template. This runs an assistant to guide you through deployment.

    Warning

    Turn off the option for automatic power-on (the default on ESXi) or prevent the ZTNA gateway from booting after you finish. If you don't, the gateway will boot without the ISO files and you'll have to start again.

    Deployment page in VMware vSphere.

Add settings and boot gateway

  1. Go back to Sophos Central and go to My Products > ZTNA > Gateways. Click Add Gateway.

    Gateways page.

  2. For Gateway Mode, select On-premises.

    On-premises gateway mode selected.

  3. In Add gateway, do as follows:

    1. Enter a gateway name and the gateway FQDN.
    2. Enter the domain for the resources (apps).
    3. In Platform type, select VMware ESXi.

    4. Select the Deployment mode.

      • One-arm uses the external interface for incoming and outgoing traffic.
      • Two-arm uses both external and internal interfaces.

    5. Enter the Interface settings.

      • If you select DHCP, set a reservation on the DHCP server.

        Warning

        The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.

      • If you select Static IP, specify IP address, subnet, and DNS server settings.

      In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.

    6. Upload the certificates you created earlier.

    7. Click Save and generate file.

    Note

    Only a single, wildcard certificate is supported in this release.

    Add Gateway dialog.

  4. On the Gateways page, the gateway's status is Waiting for Deployment.

    The seed image ISO is ready for download. You'll need it to boot the gateway and complete the registration process. The ISO is unique for each gateway. You can't reuse it.

    Note

    Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to step 6.

    Gateways page with gateway status shown..

  5. Click your new gateway to open its details page. Click Add/Edit instances.

    Gateway details page.

  6. In Add/Edit instances, do as follows:

    1. Click Add another instance. Clustering turns on automatically.

    2. Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be in the same IP range as the gateway instances.

      In a two-arm deployment, the external cluster VIP is for load balancing only. If you use an external load balancer, leave this blank.

    3. Enter a VM name and Interface IP for the new instance.

      In a two-arm deployment, enter an internal and external interface IP.

    4. Repeat the process to add another instance.

      Note

      You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.

      Note

      To keep your cluster active, make sure that at least half the gateways in it are active.

    Add/Edit instances dialog.

  7. Download each ISO file and mount it on your host. Then attach it to the gateway, as follows:

    1. Go to VMware vSphere.
    2. Right-click the gateway VM and select Edit Settings.
    3. On the Hardware tab, in CD/DVD drive, ensure the ISO file is shown and select Connect.
    4. In Status, select Connect at Power on.
    5. Click Save.

    If a serial device is listed in the virtual hardware, you can safely remove it.

    When the gateway boots with the ISO file, it'll contact Sophos Central to register.

    Virtual Hardware tab in VMware vSphere.

  8. Go back to Sophos Central. On the Gateways page, the gateway status changes to Awaiting Approval.

    When you're prompted, approve gateway registration.

    It can take up to ten minutes for approval to take effect. The gateway status then changes to Connected. You'll see an option to create a password if you want to.

    Note

    If you have a cluster of gateway instances, you only approve gateway registration for the first gateway instance. Subsequent instances are managed without explicit approval.

    Note

    The ISO file must stay attached to the gateway. You can't unmount it after the gateway is booted.

You've finished setting up the on-premises gateway.

Note

If the gateway can't connect to Sophos Central, go to VMware vSphere and run diagnostics on the VM.

When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.

To set up a gateway on Microsoft Hyper-V, do as follows:

  • Download and deploy the gateway VM image.

  • Add gateway settings to generate an ISO file ("seed image").

  • Download the ISO file and boot the gateway.

Download and deploy image

  1. In Sophos Central, go to Devices > Installers.

  2. Under Zero Trust Network Access, click Download Gateway VM image for Hyper-V.

    A ZIP file containing the VM image is downloaded.

    Protect Devices page.

  3. Extract the Hyper-V base image from the ZIP file you downloaded.

    This gives you the .vhdx file you need to set up the gateway. You can't use this file to deploy more than one VM, but you can make copies and use them for additional VMs.

  4. In Hyper-V Manager, in the Virtual Machines list, in Actions, click New.

    Hyper-V Manager.

  5. Enter a name for the VM.

    Specify Name and Location page.

  6. Select the generation. Generation 1 supports both 32-bit and 64-bit operating systems.

    Specify Generation page.

  7. In Assign Memory, enter at least 4096 MB of startup memory.

    Assign Memory page.

  8. In Configure Networking, select a network adapter.

    Configure Networking page.

  9. In Connect Virtual Hard Disk, select Use an existing virtual hard disk and browse to the .vhdx file that you extracted from the VM image download.

    Connect Virtual Hard Disk page.

  10. Click Finish.

    Completing the New VM page.

  11. Go to the Settings for the new VM.

    1. In Hardware > Processors, set Number of virtual processors to "2".

    2. If your gateway is in a two-arm deployment, go to Network adapter and add another adapter to the VM.

    VM Settings.

    Note

    If you're using VLANs, make sure you tag your network interfaces with the appropriate VLAN IDs.

  12. Click Apply and Save.

Add gateway settings

  1. Go back to Sophos Central and go to My Products > ZTNA > Gateways. Click Add gateway.

    Gateways page.

  2. For Gateway Mode, select On-premises.

    On-premises gateway mode selected.

  3. In Add gateway, do as follows:

    1. Enter a gateway name and the gateway FQDN.
    2. Enter the domain for the resources (apps).
    3. In Platform type, select Hyper-V.

    4. Select the Deployment mode.

      • One-arm uses the external interface for incoming and outgoing traffic.
      • Two-arm uses both external and internal interfaces.

    5. Enter the Interface settings.

      • If you select DHCP, set a reservation on the DHCP server.

        Warning

        The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.

      • If you select Static IP, enter an IP address, a subnet, and DNS server settings.

      In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.

    6. Upload the certificates you created earlier.

    7. Click Save and generate file.

    Note

    Only a single, wildcard certificate is supported in this release.

    Add gateway dialog.

  4. On the Gateways page, the new gateway's status is Waiting for Deployment. Click the gateway to see details.

    Waiting for deployment status.

  5. In the gateway details, you can see that the ISO image is ready for download. You'll need it to boot the gateway. The ISO is unique for each gateway. You can't reuse it.

    Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to the 'Download ISO files and boot the gateway' section.

    New gateway's details.

  6. In the gateway details, click Add/Edit instances.

    Gateway details page.

  7. In Add/Edit instances, click Add another instance. Clustering turns on automatically.

    Add/Edit instances dialog.

  8. Enter the details of the new instance as follows:

    1. Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be an IP address that you haven't used before in this configuration, and it must be in the same IP range as the gateway instances.

      Tip

      In a two-arm deployment, the external interface IP address is used for load balancing only. If you use an external load balancer, leave this field blank.

    2. Enter a VM name and Interface IP for the new instance.

      In a two-arm deployment, enter an internal and external interface IP.

    3. Repeat the process to add another instance.

      Note

      You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.

      Note

      To keep your cluster active, make sure that at least half the gateways in it are active.

    Instance details.

Next you download the ISO files and boot the gateway.

Download ISO files and boot the gateway

Download the ISO file for each instance, attach them to the gateway VM, and boot the gateway, as follows:

  1. In the gateway details, go to each instance and click Download image.

    Gateway instances with downloads.

  2. In Hyper-V Manager, go to Settings for the VM. In DVD Drive, do as follows:

    1. In Controller, select IDE Controller 1.
    2. In Media, select Image file and enter the path to the seed ISO.
    3. Click Apply and Save.

    Note

    The ISO file must stay attached to the gateway. You can't unmount it after the gateway is booted.

    VM DVD drive.

  3. Power on the gateway instances. Wait for a few minutes.

  4. In Sophos Central, go to My Products > ZTNA > Gateways and click the new gateway to open its details page.

    The gateway status changes to Waiting for gateway approval. Click Approve.

    Gateway status with Approve button.

    Note

    If you have a cluster of gateway instances, you only approve gateway registration for the first gateway instance. Subsequent instances are managed without explicit approval.

  5. The gateway's status changes to Active.

You've finished setting up the on-premises gateway.

Note

If the gateway can't connect to Sophos Central, go to Hyper-V Manager and run diagnostics on the VM.

When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.

Next, you add DNS settings.