
Requirements

Before you set up ZTNA, check that you meet all the requirements:

Wildcard certificate

You need a wildcard certificate for the ZTNA gateway. Use one of the following:

  • A certificate issued from Let's Encrypt.
  • A certificate issued by a trusted certificate authority.

This guide tells you how to get a certificate.

Gateway host

You can host the ZTNA gateway on an ESXi server, a Hyper-V server, or Amazon Web Services.

ESXi server

If you host the gateway on an ESXi server, you must meet these requirements:

  • VMware vSphere hypervisor (ESXi) 6.5 or later.
  • 2 cores, 4 GB RAM, and 80 GB disk space.

You must ensure that the correct date and time are set. The ZTNA gateway synchronizes with the host's time and encounters issues if it isn't correct.

Note

You must set the time zone as UTC.

On your ESXi host, go to Manage > System > Time & date and click Edit settings to set the time.

[Screenshot: ESXi time settings]

Hyper-V server

If you host the gateway on a Hyper-V server, you must meet these requirements:

  • Hyper-V Server running on Windows Server 2016 or later.
  • 2 cores, 4 GB RAM, and 80 GB disk space.

You must ensure that the correct date and time are set. The ZTNA gateway synchronizes with the host's time and encounters issues if it isn't correct.

Note

You must set the time zone as UTC.

Amazon Web Services

If you host the gateway on Amazon Web Services (AWS), you need an AWS account.

DNS management

You need the following settings in your DNS servers.

Public DNS server

You need a public (external) DNS server that can resolve these records:

  • An "A record" that points to the ZTNA gateway.
  • A "CNAME record" for each application, pointing to the domain name (FQDN) of the ZTNA gateway. You don't need these CNAME records for applications if you access them with the Sophos ZTNA agent.

If you don't use the ZTNA agent, ZTNA supports a single domain only. The domain name of your applications must match that of your gateway.

Example

  • Gateway FQDN: https://ztna.mycompany.net/
  • An application FQDN: https://wiki.mycompany.net/#all-updates
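As an added pre-flight check that is not part of the Sophos documentation, the following Python script validates a planned set of public DNS records against the rules above: an A record for the gateway and, when the ZTNA agent is not used, a CNAME from each application to the gateway FQDN within a single shared domain. The record set, hostnames and IP address are constructed for the example; substitute the records you intend to publish.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "ztna.mycompany.net"
    rtype: str  # "A" or "CNAME"
    value: str  # IP address for A, target FQDN for CNAME

def parent_domain(fqdn: str) -> str:
    """wiki.mycompany.net -> mycompany.net (the domain ZTNA compares)."""
    return fqdn.rstrip(".").split(".", 1)[1] if "." in fqdn.rstrip(".") else ""

def check_ztna_dns(records, gateway_fqdn, apps, agent_used=False):
    """Return the problems found (empty list = records satisfy the rules above).
    1. The gateway FQDN must have an A record.
    2. Without the ZTNA agent, each app needs a CNAME pointing to the gateway FQDN.
    3. Without the agent, every app must be in the gateway's domain (single-domain limit).
    """
    problems = []
    by_name = {}
    for r in records:
        by_name.setdefault(r.name.rstrip("."), []).append(r)

    if not any(r.rtype == "A" for r in by_name.get(gateway_fqdn, [])):
        problems.append(f"no A record for gateway {gateway_fqdn}")
    if agent_used:
        return problems  # the agent handles app access; CNAMEs and domain match are not required

    gw_domain = parent_domain(gateway_fqdn)
    for app in apps:
        if parent_domain(app) != gw_domain:
            problems.append(f"{app} is not in the gateway domain {gw_domain}")
        cnames = [r for r in by_name.get(app, []) if r.rtype == "CNAME"]
        if not cnames:
            problems.append(f"no CNAME record for application {app}")
        elif not any(r.value.rstrip(".") == gateway_fqdn for r in cnames):
            problems.append(f"CNAME for {app} does not point to {gateway_fqdn}")
    return problems

# Constructed sample zone: one correct app, one CNAME to the wrong target, one app in another domain.
SAMPLE_RECORDS = [
    Record("ztna.mycompany.net", "A", "203.0.113.10"),
    Record("wiki.mycompany.net", "CNAME", "ztna.mycompany.net."),
    Record("crm.mycompany.net", "CNAME", "crm-origin.mycompany.net"),
]
SAMPLE_APPS = ["wiki.mycompany.net", "crm.mycompany.net", "portal.othercompany.com"]

if __name__ == "__main__":
    for p in check_ztna_dns(SAMPLE_RECORDS, "ztna.mycompany.net", SAMPLE_APPS):
        print("PROBLEM:", p)
```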

Private DNS server

The ZTNA gateway must point to a private (internal) DNS server to redirect users to an application after authentication and authorization.

Alternatively, you can configure the internal FQDN/IP of the application directly when you add it to ZTNA in Sophos Central.

For examples of how DNS works with ZTNA, see DNS flows.

Directory service

You need a directory service to manage the user groups that ZTNA will use. You can use Microsoft Azure AD or Active Directory.

Azure AD

You need a Microsoft Azure AD account with user groups configured and synced with Sophos Central. This guide tells you how to set up and sync these groups.

Your user groups must be security enabled. Groups created in Azure AD are automatically security enabled, but groups created from the Microsoft 365 portal or imported from AD aren't.

You can also use Azure AD as your identity provider.

Active Directory

You need an Active Directory account with user groups configured and synced with Sophos Central. See Set up synchronization with Active Directory in the Sophos Central admin help.

If you use Active Directory, you need a separate identity provider such as Okta.

Identity provider

You need an identity provider to authenticate your users. You can use either of the following:

  • Azure AD
  • Okta

This guide tells you how to configure them for use with ZTNA.

Allowed websites

If the gateway is behind a firewall, you must give access to these required websites (on port 443, unless otherwise stated):

  • sophos.jfrog.io
  • *.amazonaws.com
  • production.cloudflare.docker.com
  • *.docker.io
  • *.sophos.com
  • login.microsoftonline.com
  • graph.microsoft.com
  • ztna.apu.sophos.com (Port 22)
  • sentry.io
  • *.okta.com (If you use Okta as an identity provider)

Supported app types

ZTNA can control access to both web-based and local apps. Control of local apps requires the ZTNA agent.

ZTNA doesn't support apps that depend on dynamic port allocation or use a wide range of ports, for example older VoIP products.

Sophos ZTNA agent

You can install the ZTNA agent on the following operating systems:

  • Windows 10.1803 or later
  • macOS Big Sur (macOS 11) or later