Skip to content

Set up a Sophos Cloud gateway

Now set up a Sophos Cloud gateway that will control access to resources on your network.

The steps differ, depending on whether you want to host the gateway on an ESXi server, on Microsoft Hyper-V, or in Amazon Web Services.

Warning

Don't configure gateways to operate in subnets used for internal services. If you do, you may have issues accessing applications. These subnets are as follows: 10.42.0.0/16, 10.43.0.0/16, 10.108.0.0/16.

Note

In Amazon Web Services, there are additional costs based on your configuration. Your ZTNA license doesn't cover these costs.

Tip

If your users need to access ZTNA resources from the same network as the ZTNA gateway, add a SNAT rule of the type MASQ to prevent asymmetric routing.

To get step-by-step instructions, click the tab for your host below.

To set up a Sophos Cloud gateway on ESXi do as follows:

  • Download and deploy the VM image.

  • Validate your domain.

  • Add gateway settings and add instances.

  • Download the images and boot the VM.

Note

Make sure that the correct time and date are set on the ESXi host. You must set the timezone as UTC. The ZTNA gateway encounters problems if you don't set the time correctly. See Requirements.

If you're using a two-arm proxy, see Network configuration.

Download and deploy image

  1. In Sophos Central, go to Protect Devices.

  2. Find Zero Trust Network Access.

    1. Click the download link for a gateway image.
    2. Accept the license agreement and (if you're prompted) the software export compliance forms.
    3. The gateway image is downloaded. This is a generic OVA image of the ZTNA gateway for ESXi servers. You can reuse it as many times as you want.

    Screenshot of Downloads page

  3. Deploy the OVA image to your ESXi host. In VMware vSphere, right-click the host and select Deploy OVA Template. This runs an assistant to guide you through deployment.

    Warning

    Turn off the option for automatic power-on (the default on ESXi) or prevent the ZTNA gateway from booting after you finish. If you don't, the gateway will boot without the ISO files and you'll have to start again.

    Screenshot of deployment page in VMware vSphere

Validate your domain

  1. In Sophos Central, go to ZTNA > Settings.

  2. Click Domains.

  3. Click Add domain and add your domain name then click Add.

    You'll see your domain information in the domains table. A TXT record is generated for your domain.

  4. Go to your DNS server, and add the TXT record for your domain.

    Wait for a few minutes before moving on to the next step.

  5. Go back to Sophos Central, and go to ZTNA > Settings > Domains and click Validate.

    Your domain status changes to "Validated".

Add gateway settings and add instances

  1. Click Add gateway.

  2. For Gateway Mode, select Sophos Cloud.

    Sophos Cloud gateway mode selected

  3. Enter a gateway name and the gateway FQDN.

  4. Select your Domain (validated).

  5. Select VMWare ESXi as the Platform type.

  6. Select your Identity provider.

  7. Under Points of Presence, select your Region.

    Select the region nearest to where your datacentre is to reduce latency.

  8. Select the Deployment mode.

    • One-arm uses the external interface for incoming and outgoing traffic.
    • Two-arm uses both external and internal interfaces.
  9. Enter the Interface settings.

    • If you select DHCP, set a reservation on the DHCP server.

      Warning

      The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.

    • If you select Static IP, specify IP address, subnet, and DNS server settings.

      In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.

  10. Upload the certificates you created earlier. See Get a certificate.

  11. Click Save and generate file.

    You'll see a Gateway added pop-up which shows the generated Alias domain for the gateway. You'll need to add the alias domain for the gateway to your public DNS server as a CNAME entry later. See Add your DNS settings.

  12. Click Copy

    You'll see your gateway on the Gateways page. Here's an example.

    Gateway summary

  13. Click your gateway's Name.

    This takes you to the Gateway Details page.

  14. In the gateway details, you can see that the ISO image is ready for download. You'll need it to boot the gateway. The ISO is unique for each gateway. You can't reuse it.

    Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to the Download images and boot VM section.

    New gateway's details

  15. In the gateway details, click Add/Edit instances.

    Gateway details page

  16. In Add/Edit instances, click Add another instance. Clustering turns on automatically.

    Add/Edit instances dialog

  17. Enter the details of the new instance as follows:

    1. Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be in the same IP range as the gateway instances.

      In a two-arm deployment, the external cluster VIP is for load balancing only. If you use an external load balancer, leave this blank.

    2. Enter a VM name and Interface IP for the new instance.

      In a two-arm deployment, enter an internal and external interface IP.

    3. Repeat the process to add another instance.

      Note

      You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.

    Instance details

Next you download the ISO files and boot the gateway.

Download images and boot VM

  1. Go to Gateway instances and scroll down.

    You'll see your instances under Status.

  2. Download each ISO file and mount it on your host. Then attach it to the gateway, as follows:

    1. Go to VMware vSphere.
    2. Right-click the gateway VM and select Edit Settings.
    3. On the Hardware tab, in CD/DVD drive, ensure the ISO file is shown and select Connect.
    4. In Status, select Connect at Power on.
    5. Click Save.

    If a serial device is listed in the virtual hardware, you can safely remove it.

    When the gateway boots with the iso file, it'll contact Sophos Central to register.

    Screenshot of the Virtual Hardware tab in VMware vSphere

  3. Go back to Sophos Central. On the Gateways page, the gateway status changes to Awaiting Approval.

    When you're prompted, to approve gateway registration, click Approve.

    It can take up to ten minutes for approval to take effect. The gateway status then changes to Active and Connected. You'll see an option to create a password if you want to.

    Note

    The ISO file must stay attached to the gateway. You can't unmount it after the gateway is booted.

    Note

    If the gateway can't connect to Sophos Central, go to VMware vSphere and run diagnostics on the VM.

    When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.

You've finished setting up the Sophos Cloud gateway.

To set up a Sophos Cloud gateway on Microsoft Hyper-V, do as follows:

  • Download and deploy the VM image.

  • Validate your domain.

  • Add gateway settings to generate an ISO file ("seed image").

  • Download the ISO file and boot the gateway.

Download and deploy image

  1. In Sophos Central, go to Protect Devices.

  2. Under Zero Trust Network Access, click Download Gateway VM image for Hyper-V.

    A ZIP file containing the VM image is downloaded.

    Protect Devices page

  3. Extract the Hyper-V base image from the ZIP file you downloaded.

    This gives you the .vhdx file you need to set up the gateway. You can't use this file to deploy more than one VM, but you can make copies and use them for additional VMs.

  4. In Hyper-V Manager, in the Virtual Machines list, in Actions, click New.

    Hyper-V Manager

  5. Enter a name for the VM.

    Specify Name and Location page

  6. Select the generation. Generation 1 supports both 32-bit and 64-bit operating systems.

    Specify Generation page

  7. In Assign Memory, enter at least 4096 MB of startup memory.

    Assign Memory page

  8. In Configure Networking, select a network adapter.

    Configure Networking page

  9. In Connect Virtual Hard Disk, select Use an existing virtual hard disk and browse to the .vhdx file that you extracted from the VM image download.

    Connect Virtual Hard Disk page

  10. Click Finish.

    Completing the New VM page

  11. Go to the Settings for the new VM.

    1. In Hardware > Processors, set Number of virtual processors to "2".

    2. If your gateway is in a two-arm deployment, go to Network adapter and add another adapter to the VM.

    VM Settings

  12. Click Apply and Save.

Validate your domain

  1. In Sophos Central, go to ZTNA > Settings.

  2. Click Domains.

  3. Click Add domain and add your domain name then click Add.

    You'll see your domain information in the domains table. A TXT record is generated for your domain.

  4. Go to your DNS server, and add the TXT record for your domain.

    Wait for a few minutes before moving on to the next step.

  5. Go back to Sophos Central, and go to ZTNA > Settings > Domains and click Validate.

    Your domain status changes to "Validated".

Add gateway settings and add instances

  1. Click Add gateway.

  2. For Gateway Mode, select Sophos Cloud.

    Sophos Cloud gateway mode selected

  3. Enter a gateway name and the gateway FQDN.

  4. Select your Domain (validated).

  5. Select VMWare ESXi as the Platform type.

  6. Select your Identity provider.

  7. Under Points of Presence, select your Region.

    Select the region nearest to where your datacentre is to reduce latency.

  8. Select the Deployment mode.

    • One-arm uses the external interface for incoming and outgoing traffic.
    • Two-arm uses both external and internal interfaces.
  9. Enter the Interface settings.

    • If you select DHCP, set a reservation on the DHCP server.

      Warning

      The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.

    • If you select Static IP, specify IP address, subnet, and DNS server settings.

      In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.

  10. Upload the certificates you created earlier.

  11. Click Save and generate file.

    You'll see a Gateway added pop-up which shows the generated Alias domain for the gateway. You'll need to add the alias domain for the gateway to your public DNS server as a CNAME entry later. See Add your DNS settings.

  12. Click Copy

    You'll see your gateway on the Gateways page. Here's an example.

    Gateway summary

  13. Click your gateways's Name.

    This takes you to the Gateway Details page.

  14. In the gateway details, you can see that the ISO image is ready for download. You'll need it to boot the gateway. The ISO is unique for each gateway. You can't reuse it.

    Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to the Download ISO files and boot the gateway section.

    New gateway's details

  15. In the gateway details, click Add/Edit instances.

    Gateway details page

  16. In Add/Edit instances, click Add another instance. Clustering turns on automatically.

    Add/Edit instances dialog

  17. Enter the details of the new instance as follows:

    1. Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be in the same IP range as the gateway instances.

      In a two-arm deployment, the external cluster VIP is for load balancing only. If you use an external load balancer, leave this blank.

    2. Enter a VM name and Interface IP for the new instance.

      In a two-arm deployment, enter an internal and external interface IP.

    3. Repeat the process to add another instance.

      Note

      You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.

    Instance details

Next you download the ISO files and boot the gateway.

Download ISO files and boot the gateway

Download the ISO file for each instance, attach them to the gateway VM, and boot the gateway, as follows:

  1. In the gateway details, go to each instance and click Download image.

    Gateway instances with downloads

  2. In Hyper-V Manager, go to Settings for the VM. In DVD Drive, do as follows:

    1. In Controller, select IDE Controller 1.
    2. In Media, select Image file and enter the path to the seed ISO.
    3. Click Apply and Save.

    Note

    The ISO file must stay attached to the gateway. You can't unmount it after the gateway is booted.

    VM DVD drive

  3. Power on the gateway instances. Wait for a few minutes.

  4. In Sophos Central, go to ZTNA > Gateways and click the new gateway to open its details page.

    The gateway status changes to Waiting for gateway approval. Click Approve.

    Gateway status with Approve button

  5. The gateway's status changes to Active.

You've finished setting up the Sophos Cloud gateway.

Note

If the gateway can't connect to Sophos Central, go to Hyper-V Manager and run diagnostics on the VM.

When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.

To set up a ZTNA Sophos Cloud gateway in Amazon Web Services (AWS), do as follows:

Validate your domain

  1. In Sophos Central, go to ZTNA > Settings.

  2. Click Domains.

  3. Click Add domain and add your domain name then click Add.

    You'll see your domain information in the domains table. A TXT record is generated for your domain.

  4. Go to your DNS server, and add the TXT record for your domain.

    Wait for a few minutes before moving on to the next step.

  5. Go back to Sophos Central, and go to ZTNA > Settings > Domains and click Validate.

    Your domain status changes to "Validated".

Add gateway settings and add instances

  1. Click Add Gateway.

  2. For Gateway Mode, select Sophos Cloud.

    Sophos Cloud gateway mode selected

  3. Enter a gateway name and the gateway FQDN.

  4. Select your Domain (validated).

  5. Select AWS as the Platform type.

  6. Select your Identity provider.

  7. Under Points of Presence, select your Region.

    Select the region nearest to where your datacentre is to reduce latency.

  8. Select the Deployment mode.

    • One-arm uses the external interface for incoming and outgoing traffic.
    • Two-arm uses both external and internal interfaces.
  9. Enter the Interface settings.

    • If you select DHCP, set a reservation on the DHCP server.

      Warning

      The gateway can't handle changes in its IP address. You must set a reservation to ensure that it always keeps the initial IP address that DHCP assigns.

    • If you select Static IP, specify IP address, subnet, and DNS server settings.

      In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.

  10. Upload the certificates you created earlier.

  11. Click Save and generate file.

    You'll see a Gateway added pop-up which shows the generated Alias domain for the gateway. You'll need to add the alias domain for the gateway to your public DNS server as a CNAME entry later. See Add your DNS settings.

  12. Click Copy

    You'll see your gateway on the Gateways page. Here's an example.

    Gateway summary

  13. Click the Launch stack link beside the gateway.

    Gateway with Launch stack link

Create a stack in AWS

In AWS, in CloudFormation, you see the Quick create stack template. We've already partly configured it. Follow the steps below to complete it.

  1. On the Quick create stack page, do as follows:

    1. Select an AWS region (upper right of the screen).
    2. In Stack name, enter a custom name.

    Stack template

  2. In Basic configuration, select two or three availability zones to ensure the gateway's availability.

    Stack basic configuration

  3. In VPC network configuration, do as follows:

    1. Set the number of availability zones. This must match the number of zones you selected in the previous step.
    2. Ensure the subnets don't conflict with existing resources.
    3. In MaxNumberOfNodes, set the maximum number of nodes. By default, this is three.
    4. In NodeInstanceType, select the type of EC2 instance to use.
    5. In NumberOfNodes, set the number of nodes you want. The default is one for each availability zone.

    Auto-scaling isn't currently available for ZTNA.

    VPC network configuration

  4. Click Create stack and wait for the process to finish. This can take up to an hour. When it's finished, your new stack is in your AWS stack list, and the details look like this.

    New ZTNA stack

  5. In Sophos Central, go to the new gateway. Click Approve.

    It can take up to ten minutes for approval to take effect. The gateway status then changes to Connected.

    Gateway details page

Configure your new VPC

Configure the VPC as follows:

  1. In AWS, go to Virtual Private Cloud > Your VPCs.

    AWS VPCs menu

  2. Go to your new VPC and look for the VPC ID. You can use this ID to search for the other components that you’ve created.

    New VPC details

  3. Go to your EC2 instances and search for instances with the new VPC ID. This finds the instances that make up the ZTNA gateway cluster. Rename them.

    EC2 instances

  4. In Load balancing, use the VPC ID to find the load balancer for ZTNA. Open its details and copy the DNS name. You need this to create a public DNS record (CNAME) for the gateway, which points to the load balancer.

    AWS load balancer

Create a peering connection

The gateway is always in a new VPC, so you must use peering to connect it with the VPC where your applications are.

  1. Go to VPC > Peering connections. Click Create peering connection and do as follows:

    1. In VPC ID (requester), select the ZTNA gateway's ID.
    2. In VPC ID (Accepter), select the VPC where your resources are.
    3. Click Create peering connection.

    VPC peering connection

  2. Go to Subnets and add your resources subnet and your gateway's private subnets to the route tables. This lets ZTNA use the peering connection to connect to resources.

    Subnets page

You've finished setting up the Sophos Cloud gateway.

When a new virtual machine version is available, a green check mark shows in the version column. Click the version number to start or schedule an update. See Gateway updates in Gateways.

Next, you add DNS settings. See Add your DNS settings.