Set up a Sophos Cloud gateway
Now set up a Sophos Cloud gateway that will control access to resources on your network.
The steps differ, depending on whether you want to host the gateway on an ESXi server, on Microsoft Hyper-V, or in Amazon Web Services.
Warning
Don't configure gateways to operate in subnets used for internal services. If you do, you may have issues accessing applications. These subnets are as follows: 10.42.0.0/16
, 10.43.0.0/16
, 10.108.0.0/16
.
Note
In Amazon Web Services, there are additional costs based on your configuration. Your ZTNA license doesn't cover these costs.
Tip
If your users need to access ZTNA resources from the same network as the ZTNA gateway, add a SNAT rule of the type MASQ to prevent asymmetric routing.
To get step-by-step instructions, click the tab for your host below.
To set up a Sophos Cloud gateway on ESXi do as follows:
-
Download and deploy the VM image.
-
Validate your domain.
-
Add gateway settings and add instances.
-
Download the images and boot the VM.
Note
Make sure that the correct time and date are set on the ESXi host. You must set the timezone as UTC. The ZTNA gateway encounters problems if you don't set the time correctly. See Requirements.
If you're using a two-arm proxy, see Network configuration.
Download and deploy image
-
In Sophos Central, go to Protect Devices.
-
Find Zero Trust Network Access.
- Click the download link for a gateway image.
- Accept the license agreement and (if you're prompted) the software export compliance forms.
- The gateway image is downloaded. This is a generic OVA image of the ZTNA gateway for ESXi servers. You can reuse it as many times as you want.
-
Deploy the OVA image to your ESXi host. In VMware vSphere, right-click the host and select Deploy OVA Template. This runs an assistant to guide you through deployment.
Warning
Turn off the option for automatic power-on (the default on ESXi) or prevent the ZTNA gateway from booting after you finish. If you don't, the gateway will boot without the ISO files and you'll have to start again.
Validate your domain
-
In Sophos Central, go to ZTNA > Settings.
-
Click Domains.
-
Click Add domain and add your domain name then click Add.
You'll see your domain information in the domains table. A TXT record is generated for your domain.
-
Go to your DNS server, and add the TXT record for your domain.
Wait for a few minutes before moving on to the next step.
-
Go back to Sophos Central, and go to ZTNA > Settings > Domains and click Validate.
Your domain status changes to "Validated".
Add gateway settings and add instances
-
Click Add gateway.
-
For Gateway Mode, select Sophos Cloud.
-
Enter a gateway name and the gateway FQDN.
-
Select your Domain (validated).
-
Select VMWare ESXi as the Platform type.
-
Select your Identity provider.
-
Under Points of Presence, select your Region.
Select the region nearest to where your datacentre is to reduce latency.
-
Select the Deployment mode.
- One-arm uses the external interface for incoming and outgoing traffic.
- Two-arm uses both external and internal interfaces.
-
Enter the Interface settings.
-
If you select DHCP, set a reservation on the DHCP server.
Warning
The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.
-
If you select Static IP, specify IP address, subnet, and DNS server settings.
In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.
-
-
Upload the certificates you created earlier. See Get a certificate.
-
Click Save and generate file.
You'll see a Gateway added pop-up which shows the generated Alias domain for the gateway. You'll need to add the alias domain for the gateway to your public DNS server as a CNAME entry later. See Add your DNS settings.
-
Click Copy
You'll see your gateway on the Gateways page. Here's an example.
-
Click your gateway's Name.
This takes you to the Gateway Details page.
-
In the gateway details, you can see that the ISO image is ready for download. You'll need it to boot the gateway. The ISO is unique for each gateway. You can't reuse it.
Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to the Download images and boot VM section.
-
In the gateway details, click Add/Edit instances.
-
In Add/Edit instances, click Add another instance. Clustering turns on automatically.
-
Enter the details of the new instance as follows:
-
Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be in the same IP range as the gateway instances.
In a two-arm deployment, the external cluster VIP is for load balancing only. If you use an external load balancer, leave this blank.
-
Enter a VM name and Interface IP for the new instance.
In a two-arm deployment, enter an internal and external interface IP.
-
Repeat the process to add another instance.
Note
You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.
-
Next you download the ISO files and boot the gateway.
Download images and boot VM
-
Go to Gateway instances and scroll down.
You'll see your instances under Status.
-
Download each ISO file and mount it on your host. Then attach it to the gateway, as follows:
- Go to VMware vSphere.
- Right-click the gateway VM and select Edit Settings.
- On the Hardware tab, in CD/DVD drive, ensure the ISO file is shown and select Connect.
- In Status, select Connect at Power on.
- Click Save.
If a serial device is listed in the virtual hardware, you can safely remove it.
When the gateway boots with the
iso
file, it'll contact Sophos Central to register. -
Go back to Sophos Central. On the Gateways page, the gateway status changes to Awaiting Approval.
When you're prompted, to approve gateway registration, click Approve.
It can take up to ten minutes for approval to take effect. The gateway status then changes to Active and Connected. You'll see an option to create a password if you want to.
Note
The ISO file must stay attached to the gateway. You can't unmount it after the gateway is booted.
Note
If the gateway can't connect to Sophos Central, go to VMware vSphere and run diagnostics on the VM.
When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.
You've finished setting up the Sophos Cloud gateway.
To set up a Sophos Cloud gateway on Microsoft Hyper-V, do as follows:
-
Download and deploy the VM image.
-
Validate your domain.
-
Add gateway settings to generate an ISO file ("seed image").
-
Download the ISO file and boot the gateway.
Download and deploy image
-
In Sophos Central, go to Protect Devices.
-
Under Zero Trust Network Access, click Download Gateway VM image for Hyper-V.
A ZIP file containing the VM image is downloaded.
-
Extract the Hyper-V base image from the ZIP file you downloaded.
This gives you the
.vhdx
file you need to set up the gateway. You can't use this file to deploy more than one VM, but you can make copies and use them for additional VMs. -
In Hyper-V Manager, in the Virtual Machines list, in Actions, click New.
-
Enter a name for the VM.
-
Select the generation. Generation 1 supports both 32-bit and 64-bit operating systems.
-
In Assign Memory, enter at least 4096 MB of startup memory.
-
In Configure Networking, select a network adapter.
-
In Connect Virtual Hard Disk, select Use an existing virtual hard disk and browse to the
.vhdx
file that you extracted from the VM image download. -
Click Finish.
-
Go to the Settings for the new VM.
-
In Hardware > Processors, set Number of virtual processors to "2".
-
If your gateway is in a two-arm deployment, go to Network adapter and add another adapter to the VM.
-
-
Click Apply and Save.
Validate your domain
-
In Sophos Central, go to ZTNA > Settings.
-
Click Domains.
-
Click Add domain and add your domain name then click Add.
You'll see your domain information in the domains table. A TXT record is generated for your domain.
-
Go to your DNS server, and add the TXT record for your domain.
Wait for a few minutes before moving on to the next step.
-
Go back to Sophos Central, and go to ZTNA > Settings > Domains and click Validate.
Your domain status changes to "Validated".
Add gateway settings and add instances
-
Click Add gateway.
-
For Gateway Mode, select Sophos Cloud.
-
Enter a gateway name and the gateway FQDN.
-
Select your Domain (validated).
-
Select VMWare ESXi as the Platform type.
-
Select your Identity provider.
-
Under Points of Presence, select your Region.
Select the region nearest to where your datacentre is to reduce latency.
-
Select the Deployment mode.
- One-arm uses the external interface for incoming and outgoing traffic.
- Two-arm uses both external and internal interfaces.
-
Enter the Interface settings.
-
If you select DHCP, set a reservation on the DHCP server.
Warning
The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.
-
If you select Static IP, specify IP address, subnet, and DNS server settings.
In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.
-
-
Upload the certificates you created earlier.
-
Click Save and generate file.
You'll see a Gateway added pop-up which shows the generated Alias domain for the gateway. You'll need to add the alias domain for the gateway to your public DNS server as a CNAME entry later. See Add your DNS settings.
-
Click Copy
You'll see your gateway on the Gateways page. Here's an example.
-
Click your gateways's Name.
This takes you to the Gateway Details page.
-
In the gateway details, you can see that the ISO image is ready for download. You'll need it to boot the gateway. The ISO is unique for each gateway. You can't reuse it.
Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to the Download ISO files and boot the gateway section.
-
In the gateway details, click Add/Edit instances.
-
In Add/Edit instances, click Add another instance. Clustering turns on automatically.
-
Enter the details of the new instance as follows:
-
Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be in the same IP range as the gateway instances.
In a two-arm deployment, the external cluster VIP is for load balancing only. If you use an external load balancer, leave this blank.
-
Enter a VM name and Interface IP for the new instance.
In a two-arm deployment, enter an internal and external interface IP.
-
Repeat the process to add another instance.
Note
You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.
-
Next you download the ISO files and boot the gateway.
Download ISO files and boot the gateway
Download the ISO file for each instance, attach them to the gateway VM, and boot the gateway, as follows:
-
In the gateway details, go to each instance and click Download image.
-
In Hyper-V Manager, go to Settings for the VM. In DVD Drive, do as follows:
- In Controller, select IDE Controller 1.
- In Media, select Image file and enter the path to the seed ISO.
- Click Apply and Save.
Note
The ISO file must stay attached to the gateway. You can't unmount it after the gateway is booted.
-
Power on the gateway instances. Wait for a few minutes.
-
In Sophos Central, go to ZTNA > Gateways and click the new gateway to open its details page.
The gateway status changes to Waiting for gateway approval. Click Approve.
-
The gateway's status changes to Active.
You've finished setting up the Sophos Cloud gateway.
Note
If the gateway can't connect to Sophos Central, go to Hyper-V Manager and run diagnostics on the VM.
When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.
To set up a ZTNA Sophos Cloud gateway in Amazon Web Services (AWS), do as follows:
Validate your domain
-
In Sophos Central, go to ZTNA > Settings.
-
Click Domains.
-
Click Add domain and add your domain name then click Add.
You'll see your domain information in the domains table. A TXT record is generated for your domain.
-
Go to your DNS server, and add the TXT record for your domain.
Wait for a few minutes before moving on to the next step.
-
Go back to Sophos Central, and go to ZTNA > Settings > Domains and click Validate.
Your domain status changes to "Validated".
Add gateway settings and add instances
-
Click Add Gateway.
-
For Gateway Mode, select Sophos Cloud.
-
Enter a gateway name and the gateway FQDN.
-
Select your Domain (validated).
-
Select AWS as the Platform type.
-
Select your Identity provider.
-
Under Points of Presence, select your Region.
Select the region nearest to where your datacentre is to reduce latency.
-
Select the Deployment mode.
- One-arm uses the external interface for incoming and outgoing traffic.
- Two-arm uses both external and internal interfaces.
-
Enter the Interface settings.
-
If you select DHCP, set a reservation on the DHCP server.
Warning
The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.
-
If you select Static IP, specify IP address, subnet, and DNS server settings.
In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.
-
-
Upload the certificates you created earlier.
-
Click Save and generate file.
You'll see a Gateway added pop-up which shows the generated Alias domain for the gateway. You'll need to add the alias domain for the gateway to your public DNS server as a CNAME entry later. See Add your DNS settings.
-
Click Copy
You'll see your gateway on the Gateways page. Here's an example.
-
Click the Launch stack link beside the gateway.
Create a stack in AWS
In AWS, in CloudFormation, you see the Quick create stack template. We've already partly configured it. Follow the steps below to complete it.
-
On the Quick create stack page, do as follows:
- Select an AWS region (upper right of the screen).
- In Stack name, enter a custom name.
-
In Basic configuration, select two or three availability zones to ensure the gateway's availability.
-
In VPC network configuration, do as follows:
- Set the number of availability zones. This must match the number of zones you selected in the previous step.
- Ensure the subnets don't conflict with existing resources.
- In MaxNumberOfNodes, set the maximum number of nodes. By default, this is three.
- In NodeInstanceType, select the type of EC2 instance to use.
- In NumberOfNodes, set the number of nodes you want. The default is one for each availability zone.
Auto-scaling isn't currently available for ZTNA.
-
Click Create stack and wait for the process to finish. This can take up to an hour. When it's finished, your new stack is in your AWS stack list, and the details look like this.
-
In Sophos Central, go to the new gateway. Click Approve.
It can take up to ten minutes for approval to take effect. The gateway status then changes to Connected.
Configure your new VPC
Configure the VPC as follows:
-
In AWS, go to Virtual Private Cloud > Your VPCs.
-
Go to your new VPC and look for the VPC ID. You can use this ID to search for the other components that you’ve created.
-
Go to your EC2 instances and search for instances with the new VPC ID. This finds the instances that make up the ZTNA gateway cluster. Rename them.
-
In Load balancing, use the VPC ID to find the load balancer for ZTNA. Open its details and copy the DNS name. You need this to create a public DNS record (CNAME) for the gateway, which points to the load balancer.
Create a peering connection
The gateway is always in a new VPC, so you must use peering to connect it with the VPC where your applications are.
-
Go to VPC > Peering connections. Click Create peering connection and do as follows:
- In VPC ID (requester), select the ZTNA gateway's ID.
- In VPC ID (Accepter), select the VPC where your resources are.
- Click Create peering connection.
-
Go to Subnets and add your resources subnet and your gateway's private subnets to the route tables. This lets ZTNA use the peering connection to connect to resources.
You've finished setting up the Sophos Cloud gateway.
When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.
Next, you add DNS settings. See Add your DNS settings.