
Add resources

Now you add the resources (apps and web pages) that users will access through the gateway.

If you add a resource that redirects the user to a different URL after authentication or that links to other resources, add those resources too. For example, if you add wiki.mycompany.net and the wiki links to Jira tickets, add jira.mycompany.net.

Note

For instructions about how to configure a resource that users access through a Windows domain controller, such as Common Internet File System (CIFS), see Sophos ZTNA: Non-seamless access to Windows resources.

To get step-by-step instructions for the on-premises gateway or the Sophos Cloud gateway, follow the procedure for your deployment type below.

On-premises gateway

To add resources, do as follows:

  1. Go to My Products > ZTNA > Resources & Access and click Add Resource.

    Resources page.

  2. In Add Resource, do as follows:

    1. Enter the resource name and description.
    2. Check that Show resource in user portal is selected.

    Add Resource dialog.

  3. Specify the access type and resource details as follows:

    1. Select a Gateway.
    2. In Access method, select Agent to access the resource with the ZTNA agent or Agentless to access the resource without it. Also select the Policy to apply.
    3. Select the Resource type (for example, Web Application).
    4. Enter the External FQDN and Internal FQDN/IP address of the resource.

      Warning

      If you selected agentless access, the external FQDN must be publicly available. If you selected agent access, the external FQDN must not be publicly available.

      Note

      You don't need to add an internal FQDN or IP address. If you leave the Internal FQDN/IP address field blank, the external FQDN is added automatically.

    5. Provide the port type and number (for example, HTTPS and port 443 for a web app).

      You can use up to 20 TCP and UDP ports to provide access to a resource. You can add a comma-separated list of ports or port ranges. Example: TCP 26-27, 20-24.

  4. In Assign User Groups, select the available groups that need access to the resource. Move them to Assigned User Groups and select them.

    User group settings.

    Note

    If you change the name of an assigned Microsoft Entra ID (Azure AD) user group later, the list isn't updated. Users won't be able to access the app, and you'll need to assign the group again.

  5. Click Save.

  6. Check that you can access the app you added.

    You can verify the SSL certificate and ensure it's the same wildcard certificate that was uploaded to the gateway.

  7. Repeat the above steps for any other resource that this resource might redirect the user to.

    Note

    To edit or remove resource information, go to Resources & access, then click the resource name to open Resource details.

Sophos Cloud gateway

To add resources, do as follows:

  1. Go to My Products > ZTNA > Resources & Access and click Add Resource.

    Resources page.

  2. In Add Resource, do as follows:

    1. Enter the resource name and description.
    2. Check that Show resource in user portal is selected.

    Add Resource dialog.

  3. Specify the access type and resource details as follows:

    1. Select a Gateway.
    2. In Access method, select Agent to access the resource with the ZTNA agent or Agentless to access the resource without it. Also select the Policy to apply.
    3. Select the Resource type (for example, Web Application).

      ZTNA resource types.

    4. Enter the External FQDN and Internal FQDN/IP address of the resource.

      Warning

      If you selected agentless access, the external FQDN must be publicly available. If you selected agent access, the external FQDN must not be publicly available.

    5. Provide the port type and number (for example, HTTPS and port 443 for a web app).

      You can use up to 20 TCP and UDP ports to provide access to a resource. You can add a comma-separated list of ports or port ranges. Example: TCP 26-27, 20-24.

  4. In Assign User Groups, select the available groups that need access to the resource. Move them to Assigned User Groups and select them.

    User group settings.

    Note

    If you change the name of an assigned Microsoft Entra ID (Azure AD) user group later, the list isn't updated. Users won't be able to access the app, and you'll need to assign the group again.

  5. Click Save.

    You'll see a Resource added pop-up that shows the Alias domain.

  6. Check that the Alias domain is the same as the one generated when you set up your gateway.

    Note

    If your Access method is Agent, the alias domain isn't generated.

  7. Check that you can access the app you added.

    You can verify the SSL certificate and ensure it's the same wildcard certificate that was uploaded to the gateway.

  8. Repeat the above steps for any other resource that this resource might redirect the user to.
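Step 5 of both procedures limits a resource to 20 TCP and UDP ports, entered as comma-separated ports or ranges such as TCP 26-27, 20-24. The following is an added example, not Sophos code, that checks a port specification against those stated limits before you enter it in Sophos Central:

```python
import re

# Added example, not Sophos code: validate a resource port specification
# against the limits stated on the page (TCP/UDP, comma-separated ports or
# ranges such as "TCP 26-27, 20-24", at most 20 ports in total).
MAX_PORTS = 20  # stated limit: up to 20 TCP and UDP ports per resource

_ITEM = re.compile(r"^\s*(\d{1,5})(?:\s*-\s*(\d{1,5}))?\s*$")


def parse_port_spec(spec):
    """Turn 'TCP 26-27, 20-24' into {('TCP', 26), ('TCP', 27), ('TCP', 20), ...}.

    Raises ValueError on an unknown protocol, a malformed item, a port
    outside 1-65535 or a reversed range. Pure parsing, no network calls.
    """
    proto, _, items = spec.strip().partition(" ")
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP, got {proto!r}")
    ports = set()
    for item in items.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"malformed port item: {item.strip()!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {item.strip()!r}")
        ports.update((proto, p) for p in range(lo, hi + 1))
    return ports


def validate_resource_ports(specs):
    """Merge the TCP and UDP specs of one resource and enforce the 20-port cap.

    Returns a list of problems; an empty list means the definition is valid.
    """
    problems = []
    total = set()
    for spec in specs:
        try:
            total |= parse_port_spec(spec)
        except ValueError as exc:
            problems.append(str(exc))
    if len(total) > MAX_PORTS:
        problems.append(f"{len(total)} ports requested, limit is {MAX_PORTS}")
    return problems
```

Calling `validate_resource_ports(["TCP 26-27, 20-24", "UDP 53"])` returns an empty list, while a single range such as TCP 8000-8030 is reported as exceeding the 20-port limit.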

DNS entries

The DNS entries required for agentless and agent-based resources are different.

Agentless resources

  • When you add an FQDN for the Sophos Cloud gateway, a gateway alias domain is generated. You must add this as a CNAME record on your public DNS server.

  • When you add an FQDN for the resource, a resource alias domain is generated. You must add this as a CNAME record on your public DNS server.

When you access a resource via its FQDN, you're redirected to the alias domain.

Agent-based resources

  • When you add an FQDN for the Sophos Cloud gateway, a gateway alias domain is generated. You must add this as a CNAME record on your public DNS server.

  • An alias domain isn't generated for agent-based resources. Therefore, you shouldn't add CNAME records for resources.

  • Don't add any wildcard DNS entries.
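The rules above are easy to get wrong when a zone is edited by hand, for example leaving a stale resource CNAME in place after switching a resource from agentless to agent access. The following added example (not Sophos code; all names, alias domains and records are constructed placeholders, since the real alias domains are generated by Sophos Central) checks a planned set of public DNS records against those rules:

```python
# Added example, not Sophos code: check a planned set of public DNS records
# against the rules this page gives for Sophos Cloud gateway resources.
# All names and alias domains below are constructed placeholders; the real
# alias domains are the ones Sophos Central generates.
GATEWAY_FQDN = "gw.example.com"
GATEWAY_ALIAS = "gw-alias.ztna-placeholder.invalid"
RESOURCE_FQDN = "wiki.example.com"
RESOURCE_ALIAS = "wiki-alias.ztna-placeholder.invalid"

# Constructed sample zone data, one (name, type, target) tuple per record.
AGENTLESS_RECORDS = [
    (GATEWAY_FQDN, "CNAME", GATEWAY_ALIAS),
    (RESOURCE_FQDN, "CNAME", RESOURCE_ALIAS),
]
AGENT_RECORDS = [
    (GATEWAY_FQDN, "CNAME", GATEWAY_ALIAS),
    (RESOURCE_FQDN, "CNAME", "stale-alias.ztna-placeholder.invalid"),  # wrong for agent access
    ("*.example.com", "A", "203.0.113.10"),  # wildcard entry, not allowed
]


def check_dns_plan(access_method, records, gateway_fqdn, gateway_alias,
                   resource_fqdn, resource_alias=None):
    """Return the list of rule violations; an empty list means the plan is right."""
    problems = []
    cnames = {name: target for name, rtype, target in records if rtype == "CNAME"}
    # Both access methods: the gateway alias domain must be published as a CNAME.
    if cnames.get(gateway_fqdn) != gateway_alias:
        problems.append(f"missing CNAME {gateway_fqdn} -> {gateway_alias}")
    if access_method == "agentless":
        # Agentless: the resource alias domain must also be a CNAME.
        if cnames.get(resource_fqdn) != resource_alias:
            problems.append(f"missing CNAME {resource_fqdn} -> {resource_alias}")
    elif access_method == "agent":
        # Agent: no resource alias is generated, so no resource CNAME
        # should exist, and the page rules out wildcard DNS entries.
        if resource_fqdn in cnames:
            problems.append(f"unexpected CNAME for agent resource {resource_fqdn}")
        for name, rtype, _ in records:
            if name.startswith("*."):
                problems.append(f"wildcard record {name} ({rtype}) is not allowed")
    else:
        problems.append(f"unknown access method {access_method!r}")
    return problems
```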

IP-based access

If a user attempts to access an internal resource by typing its IP address into the browser, the user goes directly to the resource, bypassing ZTNA. To ensure users access the internal resource by FQDN, you can add firewall rules.