Skip to content


Before you set up ZTNA, check that you meet all the requirements:

Wildcard certificate

You need a wildcard certificate for the ZTNA gateway. Use one of the following:

  • A certificate issued from Let's Encrypt.
  • A certificate issued by a trusted certificate authority.

This guide tells you how to get a certificate.

Gateway host

You can host the ZTNA gateway on an ESXi server or Amazon Web Services.

ESXi server

If you host the gateway on an ESXi server, you must meet these requirements:

  • VMware vSphere hypervisor (ESXi) 6.5 or later.
  • 2 cores, 4GB RAM, and 80GB Disk space.

You must ensure that the correct date and time are set. The ZTNA gateway syncs with the host's time and encounters problems if it isn't correct.

On your ESXi host, go to Manage > System > Time & date and click Edit settings to set the time.

ESXi time settings

Amazon Web Services

If you host the gateway on Amazon Web Services (AWS), you need an AWS account.

DNS management

You need the following settings in your DNS servers.

Public DNS server

You need a public (external) DNS server that can resolve these records:

  • An "A record" that points to the ZTNA gateway.
  • The "CNAME record" of applications that point to the domain name (FQDN) of the ZTNA gateway. You don't need these CNAME records for applications if you access them with the Sophos ZTNA agent.

The EAP supports a single domain only. So the domain name of your applications must match that of your gateway.


  • Gateway FQDN:
  • An application FQDN:

Private DNS server

The ZTNA gateway must point to a private (internal) DNS server to redirect users to an application after authentication and authorization.

Alternatively, you can configure the internal FQDN/IP of the application directly when you add it to ZTNA in Sophos Central.

Directory service

You need a directory service to manage the user groups that ZTNA will use. You can use Microsoft Azure AD or Active Directory.

Azure AD

You need a Microsoft Azure AD account with user groups configured and synced with Sophos Central. This guide tells you how to set up and sync these groups.

You can also use Azure AD as your identity provider.

Active Directory

You need an Active Directory account with user groups configured and synced with Sophos Central. See Set up synchronization with Active Directory in the Sophos Central admin help.

If you use Active Directory, you need a separate identity provider such as Okta.

Identity provider

You need an identity provider to authenticate your users. You can use either of the following:

  • Azure AD
  • Okta

This guide tells you how to configure them for use with ZTNA.

Allowed websites

If the gateway is behind a firewall, you must give access to these required websites (on port 443, unless otherwise stated):

  • *
  • *
  • *
  • (Port 22)
  • * (If you use Okta as an identity provider)
Back to top