Last update: 2022-01-04

Set up a gateway

Now set up a ZTNA gateway that will control access to resources on your network.

The steps differ, depending on whether you want to host the gateway on an ESXi server or in Amazon Web Services.

Step-by-step instructions for each host follow: ESXi first, then Amazon Web Services.

You set up a gateway on ESXi in two stages:

  • Download a gateway image (OVA file) and deploy it in ESXi.

  • Add gateway settings in Sophos Central to generate an ISO file ("seed image") that you use to boot the gateway in ESXi.

You can set up a gateway cluster to ensure availability. To do this, you set up additional instances of the gateway, as described here.


Make sure that the correct time and date are set on the ESXi host. The ZTNA gateway encounters problems if they aren't correct. For details, see Requirements.

Download and deploy image

  1. In Sophos Central, go to Overview > Protect Devices.

  2. Find Zero Trust Network Access.

    1. Click the download link for a gateway image.
    2. Accept the license agreement and (if you're prompted) the software export compliance forms.
    3. The gateway image is downloaded. This is a generic OVA image of the ZTNA gateway for ESXi servers. You can reuse it as many times as you want.

    Screenshot of Downloads page

  3. Deploy the OVA image to your ESXi host. In VMware vSphere, right-click the host and select Deploy OVA Template. This runs an assistant that guides you through deployment.


    Don't power on the ZTNA gateway VM yet.

    Screenshot of deployment page in VMware vSphere

Add settings and boot gateway

  1. Go back to Sophos Central and go to ZTNA > Gateways. Click Add Gateway.

    Screenshot of Gateways page

  2. In Add gateway, do as follows:

    1. Enter a gateway name and the gateway FQDN.
    2. Enter the domain for the resources (apps).
    3. In Platform type, select VMware ESXi.
    4. Select the Deployment mode.

      • One-arm uses the external interface for incoming and outgoing traffic.
      • Two-arm uses both external and internal interfaces.
    5. Enter the Interface settings.

      • If you select DHCP, set a reservation on the DHCP server. Otherwise, the gateway will be unstable.
      • If you select Static IP, specify IP address, subnet, and DNS server settings.

      In a two-arm deployment, you must specify Static routes if you have apps hosted on multiple internal networks.

    6. Upload the certificates you created earlier.

    7. Click Save and generate file.


    Only a single, wildcard certificate is supported in this release.

    Screenshot of Add Gateway dialog

  3. On the Gateways page, the gateway's status is Waiting for Deployment.

    The seed image ISO is ready for download. You'll need it to boot the gateway and complete the registration process. The ISO is unique for each gateway. You can't reuse it.


    Before you download the image, we suggest that you create a gateway cluster. If you don't want a cluster, skip to step 9.

    Screenshot of Gateways page with gateway status shown.

  4. Click your new gateway to open its details page. Click Add/Edit instances.

    Gateway details page

  5. In Add/Edit instances, do as follows:

    1. Click Add another instance. Clustering turns on automatically.
    2. Enter a Cluster virtual IP. This is used for cluster management and load balancing. It must be in the same IP range as the gateway instances.

      In a two-arm deployment, the external cluster VIP is for load balancing only. If you use an external load balancer, leave this blank.

    3. Enter a VM name and Interface IP for the new instance.

      In a two-arm deployment, enter an internal and external interface IP.

    4. Repeat the process to add another instance.

    You must have at least three instances for a cluster. You can have up to nine instances, but you must always have an odd number.

    Add/Edit instances dialog

  6. Download each ISO file and mount it on your host. Then attach it to the gateway, as follows:

    1. Go to VMware vSphere.
    2. Right-click the gateway VM and select Edit Settings.
    3. On the Hardware tab, in CD/DVD drive, ensure the ISO file is shown and select Connect.
    4. In Status, select Connect at Power on.
    5. Click Save.

    If a serial device is listed in the virtual hardware, you can safely remove it.

    When the gateway boots with the ISO file, it'll contact Sophos Central to register.

    Screenshot of the Virtual Hardware tab in VMware vSphere

  7. Go back to Sophos Central. On the Gateways page, the gateway status changes to Awaiting Approval.

    When you're prompted, approve gateway registration.

    It can take up to ten minutes for approval to take effect. The gateway status then changes to Connected. You'll see an option to create a password if you want to.


The ISO file must stay attached to the gateway. You can't unmount it after the gateway's booted.
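A pre-flight check for the cluster values entered in Add/Edit instances, as an added example that is not part of the Sophos documentation or product. It assumes one interface IP per instance (one-arm), reads "same IP range" as "same subnet", and uses constructed VM names and documentation addresses.

```python
import ipaddress

def validate_cluster(subnet, vip, instances):
    """Return problems found in a planned gateway cluster (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(subnet)
    count = len(instances)
    # Page rules: at least three instances, at most nine, always an odd number.
    if not 3 <= count <= 9:
        problems.append(f"{count} instances: a cluster needs 3 to 9")
    if count % 2 == 0:
        problems.append(f"{count} instances: the number must be odd")
    # Page rule: the cluster VIP must be in the same IP range as the instances.
    # Assumption: "same IP range" is read here as "same subnet".
    vip_addr = ipaddress.ip_address(vip)
    if vip_addr not in net:
        problems.append(f"VIP {vip} is outside {net}")
    # Extra sanity checks (not from the page): no duplicate or VIP-colliding IPs.
    seen = {}
    for name, ip in instances.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {ip} is outside {net}")
        if addr == vip_addr:
            problems.append(f"{name}: {ip} collides with the VIP")
        if addr in seen:
            problems.append(f"{name}: {ip} is already used by {seen[addr]}")
        seen.setdefault(addr, name)
    return problems

# Constructed sample plans (documentation address ranges, hypothetical VM names).
GOOD_PLAN = {
    "subnet": "192.0.2.0/24",
    "vip": "192.0.2.10",
    "instances": {"ztna-gw-1": "192.0.2.11", "ztna-gw-2": "192.0.2.12",
                  "ztna-gw-3": "192.0.2.13"},
}
BAD_PLAN = {
    "subnet": "192.0.2.0/24",
    "vip": "198.51.100.10",          # wrong network
    "instances": {"ztna-gw-1": "192.0.2.11", "ztna-gw-2": "192.0.2.12",
                  "ztna-gw-3": "192.0.2.12",   # duplicate of ztna-gw-2
                  "ztna-gw-4": "192.0.2.14"},  # even instance count
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_cluster(**plan) or "OK")
```
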

To set up a ZTNA gateway in Amazon Web Services (AWS), do as follows:

  1. In Sophos Central, go to ZTNA > Gateways.

    ZTNA menu

  2. On the Gateways page, click Add gateway.

    Gateways page

  3. In the Add gateway dialog, add your details as follows:

    1. Enter the gateway name and FQDN.
    2. Enter the domain for the resources (applications).
    3. In Platform type, select Amazon Web Services.
    4. In Identity provider, select the identity provider you set up earlier.
    5. Upload the certificates you created earlier.
    6. Click Save.

    Add gateway

  4. On the Gateways page, you now see the new gateway. Click the Launch stack link beside it.

    Gateway with Launch stack link

Create a stack in AWS

In AWS, in CloudFormation, you see the Quick create stack template. We've already partly configured it. Follow the steps below to complete it.

  1. On the Quick create stack page, do as follows:

    1. Select an AWS region (upper right of the screen).
    2. In Stack name, enter a custom name.

    Stack template

  2. In Basic configuration, select two or three availability zones to ensure the gateway's availability.

    Stack basic configuration

  3. In VPC network configuration, do as follows:

    1. Set the number of availability zones. This must match the number of zones you selected in the previous step.
    2. Ensure the subnets don't conflict with existing resources.
    3. In MaxNumberOfNodes, set the maximum number of nodes. By default, this is three.
    4. In NodeInstanceType, select the type of EC2 instance to use.
    5. In NumberOfNodes, set the number of nodes you want. The default is one for each availability zone.

    Auto-scaling isn't currently available for ZTNA.

    VPC network configuration

  4. Click Create stack and wait for the process to finish. This can take up to an hour. When it's finished, your new stack is in your AWS stack list, and the details look like this.

    New ZTNA stack

  5. In Sophos Central, go to the new gateway. Click Approve.

    It can take up to ten minutes for approval to take effect. The gateway status then changes to Connected.

    Gateway details page

Configure your new VPC

Configure the VPC as follows:

  1. In AWS, go to Virtual Private Cloud > Your VPCs.

    AWS VPCs menu

  2. Go to your new VPC and look for the VPC ID. You can use this ID to search for the other components that you’ve created.

    New VPC details

  3. Go to your EC2 instances and search for instances with the new VPC ID. This finds the instances that make up the ZTNA gateway cluster. Rename them.

    EC2 instances

  4. In Load balancing, use the VPC ID to find the load balancer for ZTNA. Open its details and copy the DNS name. You need this to create a public DNS record (CNAME) for the gateway, which points to the load balancer.

    AWS load balancer

Create a peering connection

In the ZTNA EAP2 release, the gateway is always in a new VPC. So you must use peering to connect it with the VPC where your applications are.

  1. Go to VPC > Peering connections. Click Create peering connection and do as follows:

    1. In VPC ID (Requester), select the ZTNA gateway's VPC ID.
    2. In VPC ID (Accepter), select the VPC where your resources are.
    3. Click Create peering connection.

    VPC peering connection

  2. Go to Subnets and add your resources subnet and your gateway's private subnets to the route tables. This lets ZTNA use the peering connection to connect to resources.

    Subnets page
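A planning check for the peering step, as an added example that is not part of the Sophos documentation. It verifies that the gateway VPC and the resources VPC don't overlap (AWS doesn't allow peering between VPCs with overlapping CIDR blocks) and lists the subnet-scoped routes to add. All CIDRs and the `pcx-EXAMPLE` ID are constructed placeholders, and the route layout is an assumed reading of the step above.

```python
import ipaddress

def peering_routes(gateway_vpc, gateway_private_subnets, resources_vpc,
                   resources_subnet, pcx_id="pcx-EXAMPLE"):
    """Validate the CIDR plan and return (route table of, destination, target)."""
    gw_vpc = ipaddress.ip_network(gateway_vpc)
    res_vpc = ipaddress.ip_network(resources_vpc)
    # Overlapping VPC CIDR blocks cannot be peered.
    if gw_vpc.overlaps(res_vpc):
        raise ValueError(f"{gw_vpc} overlaps {res_vpc}: peering is not possible")
    gw_subnets = [ipaddress.ip_network(s) for s in gateway_private_subnets]
    res_subnet = ipaddress.ip_network(resources_subnet)
    # Each subnet must belong to the VPC it is claimed for.
    for s in gw_subnets:
        if not s.subnet_of(gw_vpc):
            raise ValueError(f"{s} is not inside gateway VPC {gw_vpc}")
    if not res_subnet.subnet_of(res_vpc):
        raise ValueError(f"{res_subnet} is not inside resources VPC {res_vpc}")
    routes = []
    # Gateway side: each private subnet's route table reaches the resources
    # subnet through the peering connection.
    for s in gw_subnets:
        routes.append((str(s), str(res_subnet), pcx_id))
    # Resources side: return routes to each gateway private subnet only,
    # not to the whole gateway VPC.
    for s in gw_subnets:
        routes.append((str(res_subnet), str(s), pcx_id))
    return routes

# Constructed sample plan (hypothetical CIDRs).
SAMPLE = {
    "gateway_vpc": "10.20.0.0/16",
    "gateway_private_subnets": ["10.20.10.0/24", "10.20.11.0/24"],
    "resources_vpc": "172.31.0.0/16",
    "resources_subnet": "172.31.5.0/24",
}

if __name__ == "__main__":
    for table, dest, target in peering_routes(**SAMPLE):
        print(f"route table of {table}: {dest} -> {target}")
```
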

You've finished setting up the gateway.

Next, you add policies.
