
About Zero Trust Network Access

Sophos Zero Trust Network Access (ZTNA) lets you control access to resources (apps and web pages) on your network.

ZTNA deployment modes

You can deploy ZTNA with an on-premise gateway or a Sophos Cloud gateway based on your requirements. The deployment mode is interchangeable, and you can easily migrate from one gateway mode to another.

On-premise gateway

When you deploy an on-premise gateway, you set up gateways in your data center.

You manage the gateways yourself, and they're exposed to the public internet, so you also need to open firewall ports and create NAT rules on your network to reach them.

Here's an example of on-premise gateway mode.

Diagram: ZTNA on-premise gateway mode

Sophos Cloud gateway

You can use a new Sophos-protected data-plane cloud to provide access to internal resources.

The multi-tenanted Sophos Cloud isolates your network deployments from direct internet exposure and reduces the attack surface. You can connect your users to applications without opening firewall ports or creating NAT rules.

When a user attempts to access a resource, they're directed to Sophos Cloud. Sophos manages the data plane within Sophos Cloud, and your infrastructure is hidden from the internet. You set up gateways in your data center to connect Sophos Cloud with your internal resources. You can choose from multiple points of presence to provide access to your internal resources. Choose the point of presence nearest to your data center to reduce latency.

Here's an example of Sophos Cloud gateway deployment mode.

Diagram: ZTNA Sophos Cloud gateway deployment mode

Note

Sophos Cloud deployment mode is delivered with availability of 99.999% except during any planned or emergency maintenance windows or due to issues caused by factors outside of Sophos's reasonable control. To see the availability of the points of presence and get notifications about upcoming maintenance, go to the Sophos status page.

Deployment information

The following sections give information about each deployment type: on-premise gateways first, then Sophos Cloud gateways.

On-premise gateway

Sophos ZTNA consists of these components:

  • Sophos Central. This management tool lets you set up and manage a ZTNA on-premise gateway.

  • ZTNA on-premise gateway. A virtual appliance that authenticates users and authorizes them to access apps.

  • ZTNA agent. An agent installed on your devices. This lets ZTNA control local apps (not just web apps).

A ZTNA on-premise gateway is currently available for VMware ESXi, Hyper-V, and Amazon Web Services.

About setup

The main steps in setting up ZTNA are as follows:

  • Check the requirements.
  • Check the network deployments available (for ESXi gateways).
  • Get a certificate.
  • Set up a directory service. This manages your users.
  • Synchronize users. This imports your users into Sophos Central.
  • Set up an identity provider (IDP). This authenticates users.
  • Set up a gateway. This controls access to apps.
  • Add policies. These set conditions for access.
  • Add your DNS settings.
  • Install the ZTNA agent. This controls access to local apps.
  • Add resources. This makes apps available and lets you specify which users can access them.

Note

This guide includes instructions for third-party products. We recommend that you check the vendors' latest documentation.

Sophos Cloud gateway

Sophos ZTNA consists of these components:

  • Sophos Central. This management tool lets you set up a gateway. The gateway is then managed by Sophos.

  • ZTNA Sophos Cloud gateway. A Sophos-protected data-plane cloud gateway that provides access to internal resources. This consists of Sophos Cloud and the gateway. You must deploy the gateway in the data centers that host your resources. These gateways connect Sophos Cloud to the resources in your data center.

    When you deploy your Sophos Cloud gateway, you configure the gateway's point of presence. To get the best latency and connectivity, choose the point of presence nearest to the data center in which you host your resources.

  • ZTNA agent. An agent installed on your devices. This lets ZTNA control local apps (not just web apps).

A ZTNA Sophos Cloud gateway is currently available for VMware ESXi, Hyper-V, and Amazon Web Services.

About setup

The main steps in setting up ZTNA are as follows:

  • Check the requirements.
  • Get a certificate.
  • Set up a directory service. This manages your users.
  • Synchronize users. This imports your users into Sophos Central.
  • Set up an identity provider (IDP). This authenticates users.
  • Set up a Sophos Cloud gateway. This controls access to apps.
  • Add policies. These set conditions for access.
  • Add your DNS settings.
  • Install the ZTNA agent. This controls access to local apps.
  • Add resources. This makes apps available and lets you specify which users can access them.

Note

This guide includes instructions for third-party products. We recommend that you check the vendors' latest documentation.