How users access apps
Users can access apps in either of the following ways:
- Access apps directly.
- Access apps via the ZTNA user portal.
Whichever method they use, users must sign in. If you later need them to sign out, see Sign out of ZTNA.
Note
When a user fails to authenticate five times in a row, they can't access any other resources for 60 minutes.
Access apps directly
New users who try to access an app (via a browser or Explorer) for the first time are asked to sign in. They can then access all apps you've given them access to. They don't have to sign in each time.
If a user doesn't access any apps behind the gateway for seven days, they have to sign in again.
Access apps via the ZTNA user portal
Users can access apps through the Zero Trust user portal, which shows them the apps they can use.
Give users the web address for the portal (this is the FQDN you entered when you added the gateway) and tell them to enter it in their browser.
The first time they go to the portal, users are asked to sign in. They can then access all apps you've given them access to. They don't have to sign in each time.
Users can see all the apps they're allowed to access regardless of which gateway they're hosted behind.
Example
You have one app behind a Hyper-V gateway and one app behind an ESXi gateway. If you enter the FQDN of the Hyper-V gateway to access the user portal, you'll see the app behind the Hyper-V gateway and also the app behind the ESXi gateway.
Note
If you set the gateway Platform type to Firewall, you must first configure a resource so users can access the user portal.
If a user doesn't access any apps behind the gateway for seven days, they have to sign in again.
Note
Currently, the portal doesn't show apps that are accessed via the ZTNA agent.
Sign out of ZTNA
Users stay signed in to ZTNA unless they're inactive for seven days.
You might need users to sign out, for example if they're on a shared device, or if there are issues that can be fixed by reauthenticating.
Currently, only an admin can sign users out. See Sophos Zero Trust Network Access: Sign out from ZTNA agent.