Skip to content

Set up a Sophos Cloud gateway

Now set up a Sophos Cloud gateway that will control access to resources on your network.

The steps differ depending on whether you want to host the gateway on an ESXi server or Microsoft Hyper-V. You can also set up a gateway on your centrally managed SFOS devices.

Warning

AWS gateways reach end of life on March 31st, 2024. See Retirement calendar. You can deploy SFOS on AWS and migrate the resources to this gateway to make sure users can still access apps after that date.

Warning

Don't configure gateways to operate in subnets used for internal services. If you do, you may have issues accessing applications. These subnets are as follows: 10.42.0.0/16, 10.43.0.0/16, 10.108.0.0/16.

Warning

IPv6 isn't supported. So, don't configure IPv6 addresses for your gateways, or allow DHCP IPv6 addresses to be assigned to endpoints. If you already have endpoints with IPv6 addresses assigned to them, your users must manually turn off the IPv6 settings on each endpoint.

Tip

If your users need to access ZTNA resources from the same network as the ZTNA gateway, add a SNAT rule of the type MASQ to prevent asymmetric routing.

To get step-by-step instructions, click the tab for your host below.

To set up a Sophos Cloud gateway on ESXi do as follows:

  • Download and deploy the VM image.

  • Validate your domain.

  • Add gateway settings and add instances.

  • Download the images and boot the VM.

Note

Make sure that the correct time and date are set on the ESXi host. You must set the timezone as UTC. The ZTNA gateway encounters problems if you don't set the time correctly. See Requirements.

If you're using a two-arm proxy, see Network configuration.

Download and deploy image

  1. In Sophos Central, go to Devices > Installers.

  2. Find Zero Trust Network Access.

    1. Click the download link for a gateway image.
    2. Accept the license agreement and (if you're prompted) the software export compliance forms.
    3. The gateway image is downloaded. This is a generic OVA image of the ZTNA gateway for ESXi servers. You can reuse it as many times as you want.

    Downloads page.

  3. Deploy the OVA image to your ESXi host. In VMware vSphere, right-click the host and select Deploy OVA Template. This runs an assistant to guide you through deployment.

    Warning

    Turn off the option for automatic power-on (the default on ESXi) or prevent the ZTNA gateway from booting after you finish. If you don't, the gateway will boot without the ISO files and you'll have to start again.

    Deployment page in VMware vSphere.

Validate your domain

  1. In Sophos Central, go to My Products > ZTNA > Settings.

  2. Click Domains.

  3. Click Add domain and add your domain name then click Add.

    You'll see your domain information in the domains table. A TXT record is generated for your domain.

  4. Go to your DNS server, and add the TXT record for your domain.

    Wait for a few minutes before moving on to the next step.

  5. Go back to Sophos Central, and go to My Products > ZTNA > Settings > Domains and click Validate.

    Your domain status changes to "Validated".

Add gateway settings and add instances

  1. Click Add gateway.

  2. For Gateway Mode, select Sophos Cloud.

    Sophos Cloud gateway mode selected.

  3. Enter a gateway name and the gateway FQDN.

    Note

    Ensure the gateway FQDN is the same as the one you specified on the Register an application page. See Register the ZTNA app.

  4. Select your Domain (validated).

  5. Select VMWare ESXi as the Platform type.

  6. Select your Identity provider.

  7. Under Points of Presence, select your Region.

    Select the region nearest to where your datacentre is to reduce latency.

    On ZTNA 2.1 and later, a secondary point of presence is set up by default, nearest to your primary point of presence. You can turn this off from the Settings page. See Sophos Central: Settings.

  8. Select the Deployment mode.

    • One-arm uses the external interface for incoming and outgoing traffic.
    • Two-arm uses both external and internal interfaces.

  9. Enter the Interface settings.

    • If you select DHCP, set a reservation on the DHCP server.

      Warning

      The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.

    • If you select Static IP, specify IP address, subnet, and DNS server settings.

      In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.

  10. Upload the certificates you created earlier. See Get a certificate.

  11. Click Save and generate file.

    You'll see a Gateway added pop-up which shows the generated Alias domain for the gateway. You'll need to add the alias domain for the gateway to your public DNS server as a CNAME entry later. See Add your DNS settings.

  12. Click Copy

    You'll see your gateway on the Gateways page. Here's an example.

    Gateway summary.

  13. Click your gateway's Name.

    This takes you to the Gateway Details page.

  14. In the gateway details, you can see that the ISO image is ready for download. You'll need it to boot the gateway. The ISO is unique for each gateway. You can't reuse it.

    Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to the Download images and boot VM section.

    New gateway's details.

  15. In the gateway details, click Add/Edit instances.

    Gateway details page.

  16. In Add/Edit instances, click Add another instance. Clustering turns on automatically.

    Add/Edit instances dialog.

  17. Enter the details of the new instance as follows:

    1. Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be an IP address that you haven't used before in this configuration, and it must be in the same IP range as the gateway instances.

      Tip

      In a two-arm deployment, the external interface IP address is used for load balancing only. If you use an external load balancer, leave this field blank.

    2. Enter a VM name and Interface IP for the new instance.

      In a two-arm deployment, enter an internal and external interface IP.

    3. Repeat the process to add another instance.

      Note

      You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.

      Note

      To keep your cluster active, make sure that at least half the gateways in it are active.

    Instance details.

Next you download the ISO files and boot the gateway.

Download images and boot VM

  1. Go to Gateway instances and scroll down.

    You'll see your instances under Status.

  2. Download each ISO file and mount it on your host. Then attach it to the gateway, as follows:

    1. Go to VMware vSphere.
    2. Right-click the gateway VM and select Edit Settings.
    3. On the Hardware tab, in CD/DVD drive, ensure the ISO file is shown and select Connect.
    4. In Status, select Connect at Power on.
    5. Click Save.

    If a serial device is listed in the virtual hardware, you can safely remove it.

    When the gateway boots with the iso file, it'll contact Sophos Central to register.

    Virtual Hardware tab in VMware vSphere.

  3. Go back to Sophos Central. On the Gateways page, the gateway status changes to Awaiting Approval.

    When you're prompted, to approve gateway registration, click Approve.

    It can take up to ten minutes for approval to take effect. The gateway status then changes to Active and Connected. You'll see an option to create a password if you want to.

    Note

    If you have a cluster of gateway instances, you only approve gateway registration for the first gateway instance. Subsequent instances are managed without explicit approval.

    Note

    The ISO file must stay attached to the gateway. You can't unmount it after the gateway is booted.

    Note

    If the gateway can't connect to Sophos Central, go to VMware vSphere and run diagnostics on the VM.

    When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.

You've finished setting up the Sophos Cloud gateway.

To set up a Sophos Cloud gateway on Microsoft Hyper-V, do as follows:

  • Download and deploy the VM image.

  • Validate your domain.

  • Add gateway settings to generate an ISO file ("seed image").

  • Download the ISO file and boot the gateway.

Download and deploy image

  1. In Sophos Central, go to Devices > Installers.

  2. Under Zero Trust Network Access, click Download Gateway VM image for Hyper-V.

    A ZIP file containing the VM image is downloaded.

    Protect Devices page.

  3. Extract the Hyper-V base image from the ZIP file you downloaded.

    This gives you the .vhdx file you need to set up the gateway. You can't use this file to deploy more than one VM, but you can make copies and use them for additional VMs.

  4. In Hyper-V Manager, in the Virtual Machines list, in Actions, click New.

    Hyper-V Manager.

  5. Enter a name for the VM.

    Specify Name and Location page.

  6. Select the generation. Generation 1 supports both 32-bit and 64-bit operating systems.

    Specify Generation page.

  7. In Assign Memory, enter at least 4096 MB of startup memory.

    Assign Memory page.

  8. In Configure Networking, select a network adapter.

    Configure Networking page.

  9. In Connect Virtual Hard Disk, select Use an existing virtual hard disk and browse to the .vhdx file that you extracted from the VM image download.

    Connect Virtual Hard Disk page.

  10. Click Finish.

    Completing the New VM page.

  11. Go to the Settings for the new VM.

    1. In Hardware > Processors, set Number of virtual processors to "2".

    2. If your gateway is in a two-arm deployment, go to Network adapter and add another adapter to the VM.

    VM Settings.

    Note

    If you're using VLANs, make sure you tag your network interfaces with the appropriate VLAN IDs.

  12. Click Apply and Save.

Validate your domain

  1. In Sophos Central, go to My Products > ZTNA > Settings.

  2. Click Domains.

  3. Click Add domain and add your domain name then click Add.

    You'll see your domain information in the domains table. A TXT record is generated for your domain.

  4. Go to your DNS server, and add the TXT record for your domain.

    Wait for a few minutes before moving on to the next step.

  5. Go back to Sophos Central, and go to My Products > ZTNA > Settings > Domains and click Validate.

    Your domain status changes to "Validated".

Add gateway settings and add instances

  1. Click Add gateway.

  2. For Gateway Mode, select Sophos Cloud.

    Sophos Cloud gateway mode selected.

  3. Enter a gateway name and the gateway FQDN.

    Note

    Ensure the gateway FQDN is the same as the one you specified on the Register an application page. See Register the ZTNA app.

  4. Select your Domain (validated).

  5. Select VMWare ESXi as the Platform type.

  6. Select your Identity provider.

  7. Under Points of Presence, select your Region.

    Select the region nearest to where your datacentre is to reduce latency.

    On ZTNA 2.1 and later, a secondary point of presence is set up by default, nearest to your primary point of presence. You can turn this off from the Settings page. See Sophos Central: Settings.

  8. Select the Deployment mode.

    • One-arm uses the external interface for incoming and outgoing traffic.
    • Two-arm uses both external and internal interfaces.

  9. Enter the Interface settings.

    • If you select DHCP, set a reservation on the DHCP server.

      Warning

      The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.

    • If you select Static IP, specify IP address, subnet, and DNS server settings.

      In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.

  10. Upload the certificates you created earlier.

  11. Click Save and generate file.

    You'll see a Gateway added pop-up which shows the generated Alias domain for the gateway. You'll need to add the alias domain for the gateway to your public DNS server as a CNAME entry later. See Add your DNS settings.

  12. Click Copy

    You'll see your gateway on the Gateways page. Here's an example.

    Gateway summary.

  13. Click your gateways's Name.

    This takes you to the Gateway Details page.

  14. In the gateway details, you can see that the ISO image is ready for download. You'll need it to boot the gateway. The ISO is unique for each gateway. You can't reuse it.

    Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to the Download ISO files and boot the gateway section.

    New gateway's details.

  15. In the gateway details, click Add/Edit instances.

    Gateway details page.

  16. In Add/Edit instances, click Add another instance. Clustering turns on automatically.

    Add/Edit instances dialog.

  17. Enter the details of the new instance as follows:

    1. Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be in the same IP range as the gateway instances.

      In a two-arm deployment, the external cluster VIP is for load balancing only. If you use an external load balancer, leave this blank.

    2. Enter a VM name and Interface IP for the new instance.

      In a two-arm deployment, enter an internal and external interface IP.

    3. Repeat the process to add another instance.

      Note

      You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.

      Note

      To keep your cluster active, make sure that at least half the gateways in it are active.

    Instance details.

Next you download the ISO files and boot the gateway.

Download ISO files and boot the gateway

Download the ISO file for each instance, attach them to the gateway VM, and boot the gateway, as follows:

  1. In the gateway details, go to each instance and click Download image.

    Gateway instances with downloads.

  2. In Hyper-V Manager, go to Settings for the VM. In DVD Drive, do as follows:

    1. In Controller, select IDE Controller 1.
    2. In Media, select Image file and enter the path to the seed ISO.
    3. Click Apply and Save.

    Note

    The ISO file must stay attached to the gateway. You can't unmount it after the gateway is booted.

    VM DVD drive.

  3. Power on the gateway instances. Wait for a few minutes.

  4. In Sophos Central, go to My Products > ZTNA > Gateways and click the new gateway to open its details page.

    The gateway status changes to Waiting for gateway approval. Click Approve.

    Gateway status with Approve button.

    Note

    If you have a cluster of gateway instances, you only approve gateway registration for the first gateway instance. Subsequent instances are managed without explicit approval.

  5. The gateway's status changes to Active.

You've finished setting up the Sophos Cloud gateway.

Note

If the gateway can't connect to Sophos Central, go to Hyper-V Manager and run diagnostics on the VM.

When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.

Centrally managed firewalls can use a ZTNA gateway to provide secure access to internal resources. To find out how to manage your firewall through Sophos Central, see Sophos Firewall: Sophos Central.

Restrictions

  • You can't access your firewall's web admin portal console via ZTNA if your firewall is part of a high availability active-active deployment.
  • Access to the firewall's user portal and VPN portal isn't yet supported via the ZTNA gateway.

To set up a Sophos Cloud gateway that controls access to your network's resources, do as follows:

  1. In Sophos Central, go to My Products > ZTNA > Gateways.

  2. Click Add gateway.

  3. For Gateway Mode, select Sophos Cloud.

  4. Enter a gateway name and the gateway FQDN.

    Note

    Ensure the gateway FQDN is the same as the one you specified on the Register an application page. See Register the ZTNA app.

  5. Select your Domain (validated).

  6. Select Firewall as the Platform type.

  7. Under Firewall, select your SFOS firewall from the drop-down list.

    Select firewall from list.

    The drop-down list only includes firewalls that are managed by Sophos Central, and are on firmware version 19.5 MR3 and later.

    You can select an active firewall from a high-availability pair, which ensures failover of traffic and services and minimizes ZTNA downtime.

  8. Select your Identity provider.

  9. Under Points of Presence, select your Region.

    Select the region nearest to where your datacentre is to reduce latency.

    On ZTNA 2.1 and later, a secondary point of presence is set up by default, nearest to your primary point of presence. You can turn this off from the Settings page. See Sophos Central: Settings.

  10. Upload the certificates you created earlier. See Get a certificate.

  11. Click Save.

    You'll see your gateway on the Gateways page.

    Note

    Your gateway should be active in approximately 5 minutes.

  12. Click your gateway's Name.

    This takes you to the Gateway Details page. You can view and edit your gateway details or delete your gateway.

Note

When you set up an identity provider, you must add a new redirect URI for the firewall gateway in the following format: https://<gateway’s external FQDN>/ztna-oauth2/callback. This format differs from other gateway platforms.

Add your firewall's web admin portal as a resource

You can add your firewall web admin portal as a resource. When you do this, you'll see Web Admin Portal in the Resource type drop-down list for the Agentless access method.

Resource type list.

Agentless access

You can define an external FQDN such as http://firewall.xyz.com and set the resource type as Web Admin Portal. When you add the resource, an alias domain is generated. You must add this as a CNAME record on your public DNS server. All traffic to your web admin portal is redirected to the Sophos-owned alias domain.

Agent-based access

You can add anything as an external FQDN for the resource, and the ZTNA agent intercepts it. A tunnel was created when you added an A record for the firewall gateway, and all traffic to your web admin portal goes through the tunnel.

Migrate resources

To migrate existing resources behind a gateway platform to a firewall gateway, do as follows:

  1. Set up a firewall gateway.
  2. Add a new redirect URI for the firewall gateway.
  3. Edit your existing resources. To do this, go to Resources & access, then click the resource name to open Resource details. For Gateway, select the firewall gateway.
  4. If your access method is Agentless, copy the firewall's alias domain and add it to your public DNS server.

Next, you add DNS settings. See Add your DNS settings.