Shopping Cart

No products in the cart.

How to create a Sophos ZTNA Gateway / Connector

This guide explains how to run the ZTNA Gateway on a hypervisor.


To configure the ZTNA gateway, you need the following things.

  • Hypervisor or Cloud
  • Access to Public DNS
  • Wildcard certificate
  • Fixed IP address
  • Access to firewall to create DNAT rule

Platform Support

The following platforms are supported:

– VMware ESXi
– Microsoft Hyper-V 2016 or higher
– Amazon Cloud AWS

We recommend assigning 2 cores and 4 GB RAM to the VM. This is sufficient for 10’000 clients. If this is not enough for a company, it is also possible to cluster several gateways to increase the number to 90’000 clients by a cluster of 9 gateways.

Subnet for gateway

The ZTNA gateway should be operated in its own subnet and not used in the client or server network.

Do not use any of these networks for the gateway:

A DNS name e.g. points to the public IP address, which is forwarded to the ZTNA gateway via port forwarding (port 443).

On the one hand, the ZTNA gateway requires access to the Internet and to the respective VLANs of the applications that are provided, with the corresponding ports.

ZTNA Gateway Download

On Sophos Central in the main menu under Protect Devices, you can download the files for the virtual machine.

Deploy the VM on Hyper-V or ESXi

Create a new virtual machine with the following settings:

Generation 1 (for Hyper-V)
Virtual processors: 2
Network: Preferably own VLAN
Hard disk for Hyper-V: .vhdx files, which were previously downloaded.
ESXi: Uses the OVA file.

Before you start the VM, you have to create the ISO with the settings.

Gateway settings

The VM has now been created, but it still has no settings and no reference to the Central Account. These are now given by adding a gateway and making the settings.
Mode: Gateway or Connector. In my case I use the Gateway. The ZTNA Connector is intended for a ZTNA as a Service from Sophos. Here no DNAT rule is used to direct the traffic to the gateway, but the connector reports to Central.
Name: Simply a name with, for example, the location or hostname of the gateway.
Location: If you have multiple locations, you can optinally store this.
FQDN: DNS name pointing to the public IP of the firewall, which in turn provides a DNAT (https / 443) rule on the ZTNA gateway.
Domain: Results from the domain name which one uses.
Platform type: Here you can choose between VMware ESXi, Hyper-V and Amazon Web Services (AWS).
Identity provider: Select the previously added provider, in my case Azure AD.
Gateway Instance Deployment mode: One-arm is used if a DNAT rule is created afterwards, Two-arm if the ZTNA gateway has an interface in the LAN as well as in the WAN.
IP address: This should be self-explanatory. I use DHCP here and reserve an IP on the DHCP for the ZTNA gateway.
Certificate: Wildcard certificate of the domain specified above.

After saving, an ISO image is created with the stored information, which can be downloaded as shown in the screenshots. This ISO image is now used as boot ISO for the VM.

Depending on the performance of the host, the first start and the registration at Central takes up to 30 minutes. As soon as the gateway reports to Central, you can then still accept this and this step is thus also completed.

More information in the Sophos KB: Set up a gateway