
Requirements

Before you set up ZTNA, check that you meet all of the following requirements.

Wildcard certificate

You need a wildcard certificate for the ZTNA gateway. Use one of the following:

  • A certificate issued from Let's Encrypt.
  • A certificate issued by a trusted certificate authority.

This guide tells you how to get a certificate.
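Whichever issuer you choose, the certificate only works if one of its Subject Alternative Names covers the gateway's FQDN under the single-label wildcard rule that public CAs and TLS clients apply. The following is an added example, not Sophos code: it takes the SAN list and validity dates as plain values (for instance read off `openssl x509 -in gateway.pem -noout -ext subjectAltName -dates`) and reports whether the certificate is usable for a given gateway name. `example.com` and `ztna.example.com` are constructed stand-ins for your own domain.

```python
"""Added example: check that a wildcard certificate covers the ZTNA gateway FQDN.

The SAN list and validity dates are passed in as plain values, so no
third-party certificate library is required.
"""
from datetime import datetime, timezone


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN dNSName against a hostname using the public-CA rules:
    a '*' is only accepted as the whole leftmost label and stands for exactly
    one label, so '*.example.com' covers 'ztna.example.com' but not
    'example.com', 'a.ztna.example.com', and a bare '*.com' is rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # partial ('z*'), inner wildcards and '*.com' are rejected
    return (
        len(h_labels) == len(p_labels)
        and h_labels[0] != ""
        and h_labels[1:] == p_labels[1:]
    )


def check_gateway_cert(sans, gateway_fqdn, not_before, not_after, now=None):
    """Return a list of problems; an empty list means the certificate is usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not any(hostname_matches(san, gateway_fqdn) for san in sans):
        problems.append(f"no SAN covers {gateway_fqdn}: {sans}")
    if now < not_before:
        problems.append(f"certificate not valid before {not_before.isoformat()}")
    if now >= not_after:
        problems.append(f"certificate expired at {not_after.isoformat()}")
    elif (not_after - now).days < 30:
        problems.append(f"certificate expires within 30 days ({not_after.isoformat()})")
    return problems


# Constructed sample values; example.com stands in for the customer's domain.
SAMPLE_SANS = ["*.example.com", "example.com"]
SAMPLE_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2024, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    problems = check_gateway_cert(
        SAMPLE_SANS, "ztna.example.com", SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER,
        now=datetime(2024, 2, 1, tzinfo=timezone.utc),
    )
    print("OK" if not problems else "\n".join(problems))
```

The one-label rule is the point worth remembering: a certificate for `*.example.com` does not cover a gateway named `ztna.gw.example.com`, and a Let's Encrypt wildcard has a 90-day lifetime, so the expiry warning is there to be wired into whatever renews it.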

Gateway host

You can host the ZTNA gateway on an ESXi server or a Hyper-V server.

Warning

AWS gateways reach end of life on March 31st, 2024. See Retirement calendar. You can deploy SFOS on AWS and migrate the resources to this gateway to make sure users can still access apps after that date.

ESXi server

If you host the gateway on an ESXi server, you must meet these requirements:

  • VMware vSphere hypervisor (ESXi) 6.5 or later.
  • 2 cores, 4 GB RAM, and 80 GB of disk space.

You must ensure that the host's date and time are correct. The ZTNA gateway synchronizes its clock with the host and encounters issues if the host's time is wrong.

Note

You must set the time zone as UTC.

On your ESXi host, go to Manage > System > Time & date and click Edit settings to set the time.

ESXi time settings.

Hyper-V server

If you host the gateway on a Hyper-V server, you must meet these requirements:

  • Hyper-V Server running on Windows Server 2016 or later.
  • 2 cores, 4 GB RAM, and 80 GB of disk space.

You must ensure that the host's date and time are correct. The ZTNA gateway synchronizes its clock with the host and encounters issues if the host's time is wrong.

Note

You must set the time zone as UTC.
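Both the ESXi and the Hyper-V requirements above come down to the same thing: the gateway inherits the host's clock, and certificate validity windows and identity-provider tokens are all checked against it. The following is an added example, not part of the Sophos documentation, for measuring the skew the gateway actually sees: run it on the gateway VM (or a workstation on the same network), it sends one SNTP request (RFC 4330 / RFC 5905), computes the local clock's offset from the server, and reports whether the local time zone is UTC. `pool.ntp.org` and the 30-second tolerance are assumptions; use your own NTP source and limit.

```python
"""Added example: measure the clock skew the ZTNA gateway will see.

One SNTP request to an NTP server, the RFC 5905 offset calculation, and a
check that the local time zone is UTC.
"""
import socket
import struct
import time
from datetime import datetime, timedelta

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
NTP_PORT = 123
MAX_ACCEPTABLE_SKEW = 30.0  # seconds; assumed tolerance, tighten to suit your environment


def ntp_to_unix(raw: bytes) -> float:
    """Decode a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32


def unix_to_ntp(unix_seconds: float) -> bytes:
    """Encode Unix seconds as a 64-bit NTP timestamp (handy for building test packets)."""
    secs = int(unix_seconds)
    frac = int((unix_seconds - secs) * 2**32)
    return struct.pack("!II", secs + NTP_UNIX_DELTA, frac)


def clock_offset(response: bytes, t1: float, t4: float) -> float:
    """RFC 5905 offset ((t2 - t1) + (t3 - t4)) / 2: t1/t4 are the local send and
    receive times, t2/t3 the server's receive and transmit timestamps taken from
    bytes 32-39 and 40-47 of the reply. Positive means the local clock is behind."""
    if len(response) < 48:
        raise ValueError("short NTP response")
    t2 = ntp_to_unix(response[32:40])
    t3 = ntp_to_unix(response[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2


def query_clock_offset(server: str = "pool.ntp.org", timeout: float = 3.0) -> float:
    """Send one client-mode SNTP request and return the measured offset in seconds."""
    request = b"\x23" + bytes(47)  # LI=0, version 4, mode 3 (client); remaining fields zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, NTP_PORT))
        response, _ = sock.recvfrom(48)
        t4 = time.time()
    return clock_offset(response, t1, t4)


def local_timezone_is_utc() -> bool:
    """True when the machine running this check has a zero UTC offset right now."""
    return datetime.now().astimezone().utcoffset() == timedelta(0)


def skew_is_acceptable(offset: float, tolerance: float = MAX_ACCEPTABLE_SKEW) -> bool:
    return abs(offset) <= tolerance


if __name__ == "__main__":
    offset = query_clock_offset()
    verdict = "ok" if skew_is_acceptable(offset) else "TOO LARGE"
    print(f"clock offset from NTP: {offset:+.3f} s ({verdict})")
    print(f"local time zone is UTC: {local_timezone_is_utc()}")
```

A large offset measured on the gateway VM points back at the host: fix the host's time source (and the UTC time zone setting described above) rather than the VM, because the gateway will follow the host again at the next sync.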

DNS management

You must configure your DNS server settings. See Add your DNS settings.

Directory service

You need a directory service to manage the user groups that ZTNA will use. You can use Microsoft Entra ID (Azure AD) or Active Directory.

Microsoft Entra ID (Azure AD)

You need a Microsoft Entra ID (Azure AD) account with user groups configured and synced with Sophos Central. This guide tells you how to set up and sync these groups.

Your user groups must be security enabled. Groups created in Microsoft Entra ID (Azure AD) are automatically security enabled, but groups created from the Microsoft 365 portal or imported from AD aren't.

You can also use Microsoft Entra ID (Azure AD) as your identity provider.
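Because a group created in the Microsoft 365 portal or imported from AD can look identical to a native Entra ID group in the admin UI, it is worth auditing the synced groups by their Graph properties before you wire them into ZTNA policies. The following is an added example, not Sophos or Microsoft code: it builds the Microsoft Graph query for the relevant properties and flags every group that is not security enabled, together with the most likely reason. The HTTP call itself (with any token holding `Group.Read.All`) is left to you; the audit runs on the JSON the call returns, and the sample response and its object ids below are constructed.

```python
"""Added example: find synced Entra ID groups that are not security enabled."""
import json

# $select limits the response to the properties the audit needs; large tenants
# return pages, so follow "@odata.nextLink" until it is absent.
GRAPH_GROUPS_URL = (
    "https://graph.microsoft.com/v1.0/groups"
    "?$select=id,displayName,securityEnabled,mailEnabled,groupTypes,onPremisesSyncEnabled"
)


def audit_groups(groups):
    """Return the groups that are not security enabled, with the most likely reason."""
    findings = []
    for g in groups:
        if g.get("securityEnabled"):
            continue  # usable by ZTNA
        if g.get("onPremisesSyncEnabled"):
            cause = "synced from on-premises AD (onPremisesSyncEnabled)"
        elif "Unified" in g.get("groupTypes", []) or g.get("mailEnabled"):
            cause = "Microsoft 365 / mail-enabled group"
        else:
            cause = "security flag not set"
        findings.append({"id": g["id"], "displayName": g["displayName"], "cause": cause})
    return findings


def audit_graph_response(body: str):
    """Audit the JSON body of a GET on GRAPH_GROUPS_URL (groups are under 'value')."""
    return audit_groups(json.loads(body).get("value", []))


# Constructed sample response; the ids are placeholders, not real object ids.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "ZTNA-Finance",
     "securityEnabled": True, "mailEnabled": False, "groupTypes": [],
     "onPremisesSyncEnabled": None},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Sales Team",
     "securityEnabled": False, "mailEnabled": True, "groupTypes": ["Unified"],
     "onPremisesSyncEnabled": None},
    {"id": "00000000-0000-0000-0000-000000000003", "displayName": "AD-Contractors",
     "securityEnabled": False, "mailEnabled": False, "groupTypes": [],
     "onPremisesSyncEnabled": True},
]})

if __name__ == "__main__":
    for f in audit_graph_response(SAMPLE_RESPONSE):
        print(f"{f['displayName']} ({f['id']}): not usable by ZTNA - {f['cause']}")
```

Anything the audit reports needs to be recreated (or replaced by a new security group) in Entra ID and re-synced to Sophos Central; the flag cannot be toggled on an existing Microsoft 365 group.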

Active Directory

You need an Active Directory account with user groups configured and synced with Sophos Central. See Set up synchronization with Active Directory in the Sophos Central admin help.

If you use Active Directory, you need a separate identity provider such as Okta.

Identity provider

You need an identity provider to authenticate your users. You can use either of the following:

  • Microsoft Entra ID (Azure AD)
  • Okta

This guide tells you how to configure them for use with ZTNA.

Allowed websites

If the gateway is behind a firewall, you must give access to the required websites (on port 443, unless otherwise stated).

Note

This only applies to on-premises gateways.

The required websites are as follows:

  • sophos.jfrog.io
  • jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com
  • *.amazonaws.com
  • production.cloudflare.docker.com
  • *.docker.io
  • *.sophos.com
  • login.microsoftonline.com
  • graph.microsoft.com
  • ztna.apu.sophos.com (Port 22)
  • sentry.io
  • *.okta.com (If you use Okta as an identity provider)
  • wsserver-ztna.<customerdomain.com>
  • ZTNA gateway FQDN (the domain you configured in the ZTNA gateway settings)
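A quick way to confirm the firewall rules before installing the gateway is to run an egress check from the gateway VM against this list. The following is an added example and not Sophos code: it parses entries in the form used above (host, optional non-default port, optional condition), attempts a TCP connection to each concrete host, and reports what was skipped. Wildcard entries cannot be probed as written, so you supply a representative hostname for them; `registry-1.docker.io` below is an assumption, not a value from this page, and the `<customerdomain.com>` placeholder is left for you to replace. A successful connect only shows the firewall passes the TCP session; it says nothing about a TLS-inspecting proxy in the path, which needs a separate check.

```python
"""Added example: verify the gateway host can reach the required websites."""
import re
import socket
from typing import Callable, Dict, List, NamedTuple, Optional


class EgressRule(NamedTuple):
    host: str
    port: int
    wildcard: bool
    placeholder: bool  # entry contains <...> that must be replaced with your own value
    condition: str     # e.g. "If you use Okta as an identity provider"


def parse_allowlist(lines: List[str]) -> List[EgressRule]:
    """Parse entries such as 'ztna.apu.sophos.com (Port 22)' or
    '*.okta.com (If you use Okta ...)'; the port defaults to 443."""
    rules = []
    for line in lines:
        line = line.strip().lstrip("•").strip()
        if not line:
            continue
        host, _, rest = line.partition("(")
        host, note = host.strip(), rest.rstrip(")").strip()
        port, condition = 443, ""
        port_match = re.fullmatch(r"port\s+(\d+)", note, re.IGNORECASE)
        if port_match:
            port = int(port_match.group(1))
        else:
            condition = note
        rules.append(EgressRule(host, port, host.startswith("*."), "<" in host, condition))
    return rules


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Real connectivity probe; swapped out for a fake in tests."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_egress(rules: List[EgressRule],
                 connect: Callable[[str, int], bool] = tcp_reachable,
                 representatives: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Map each allowlist entry to 'ok', a failure description, or why it was skipped."""
    results = {}
    representatives = representatives or {}
    for rule in rules:
        target = rule.host
        if rule.placeholder:
            results[rule.host] = "skipped: replace the placeholder with your own value first"
            continue
        if rule.wildcard:
            target = representatives.get(rule.host)
            if target is None:
                results[rule.host] = "skipped: wildcard entry, supply a representative hostname"
                continue
        ok = connect(target, rule.port)
        results[rule.host] = "ok" if ok else f"blocked or unreachable ({target}:{rule.port})"
    return results


# Entries copied from the requirements list above; the representative host is assumed.
REQUIRED_SITES = [
    "sophos.jfrog.io",
    "*.docker.io",
    "login.microsoftonline.com",
    "graph.microsoft.com",
    "ztna.apu.sophos.com (Port 22)",
    "*.okta.com (If you use Okta as an identity provider)",
    "wsserver-ztna.<customerdomain.com>",
]
REPRESENTATIVES = {"*.docker.io": "registry-1.docker.io"}  # assumed representative host

if __name__ == "__main__":
    results = check_egress(parse_allowlist(REQUIRED_SITES), representatives=REPRESENTATIVES)
    for entry, result in results.items():
        print(f"{entry:55} {result}")
```

The `connect` parameter exists so the probe can be replaced: in a change window you can point it at a function that reads your firewall's log instead, which also answers the question a plain TCP connect cannot, namely which rule allowed or dropped the session.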

Supported app types

ZTNA can control access to both web-based and local apps. Control of local apps requires the ZTNA agent.

ZTNA doesn't support apps that depend on dynamic port allocation or use a wide range of ports, for example older VoIP products.

Sophos ZTNA agent

You can install the ZTNA agent on the following operating systems:

  • Windows 10 version 1803 or later
  • macOS Big Sur (macOS 11) or later