How to set up Sophos ZTNA (Zero Trust Network Access)

This article explains how to set up Sophos Zero Trust Network Access, or ZTNA. This will give you an insight into how the software works.

Prerequisites for Sophos Zero Trust

Activate Sophos Central ZTNA

If you haven’t already tested Zero Trust Network Access, feel free to do so with a new or existing Central Account.

Wildcard certificate

For ZTNA you need a wildcard certificate. I recommend using a certificate that is valid for longer than the 3 months that Let’s Encrypt certificates are. But often you just want to test the ZTNA solution during the 30-day trial period, and for that Let’s Encrypt is a good choice if you don’t already have a wildcard certificate.

If a wildcard certificate already exists, perfect. If not, follow these instructions: Create Let’s Encrypt Wildcard Certificate
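As an added example (not from the original article and not Sophos code), here is a small Python check for the certificate requirement above: it applies the usual wildcard matching rules to the SAN entries of a certificate (as printed by `openssl x509 -noout -ext subjectAltName -enddate -in cert.pem`) against the hostnames you plan to publish through ZTNA, and checks that enough validity remains to cover the 30-day trial. The SAN list, hostnames and dates below are constructed sample values.

```python
from datetime import datetime, timedelta, timezone


def wildcard_covers(san_name: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname.

    Wildcard rules as browsers and most TLS clients apply them: '*.' matches
    exactly one leftmost label, so '*.example.com' covers 'gw.example.com'
    but neither 'example.com' nor 'crm.apps.example.com'.
    """
    san_name = san_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san_name.startswith("*."):
        return san_name == hostname
    suffix = san_name[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_ztna_cert(san_names, not_after, hostnames, min_days=30, now=None):
    """Return (uncovered_hosts, days_left, ok).

    ok is True only if every ZTNA hostname is covered by some SAN entry and
    the certificate outlives min_days (30 = the trial period from the text).
    """
    now = now or datetime.now(timezone.utc)
    uncovered = [
        h for h in hostnames if not any(wildcard_covers(s, h) for s in san_names)
    ]
    days_left = (not_after - now).days
    return uncovered, days_left, (not uncovered and days_left >= min_days)


# Constructed sample: a fresh 90-day wildcard certificate checked on 2024-01-01.
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
DEMO_NOT_AFTER = DEMO_NOW + timedelta(days=90)
DEMO_SAN = ["*.example.com", "example.com"]
DEMO_HOSTS = ["ztna-gw.example.com", "intranet.example.com", "crm.apps.example.com"]


def demo():
    # crm.apps.example.com is two labels deep, so the wildcard does not cover it.
    return check_ztna_cert(DEMO_SAN, DEMO_NOT_AFTER, DEMO_HOSTS, now=DEMO_NOW)


if __name__ == "__main__":
    uncovered, days_left, ok = demo()
    print(f"uncovered={uncovered} days_left={days_left} ok={ok}")
```

Hostnames that come back as uncovered need either their own SAN entry or a wildcard one level deeper before they can be published as ZTNA resources.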

Set up ZTNA

Now, in order to use ZTNA, you must first set up the following five things.

  1. Add directory service: Azure AD Sync with Central to synchronize users and groups.
  2. Add identity providers: Set up the identity providers needed for authentication.
  3. Add gateway: Create a virtual gateway for each network location.
  4. Add policy: Set rules for resource access.
  5. Add resource: Specify resources and user groups that are allowed to access the resources.

1. Synchronize user (set up directory sync)

Not only for ZTNA, but for Central in general, it is helpful to use a directory service that synchronizes the users and groups with Central. In the case of ZTNA, however, you need Azure AD or Okta – a normal Windows Active Directory Sync is not sufficient here.

This guide explains how to fulfill this requirement: Add Sophos Central Azure AD

2. Add identity provider (Add identity provider)

After setting up Azure AD, you can now enter the corresponding data here: Client ID, Tenant ID and Client secret.

3. Add gateway / connector (Set up gateways)

The Sophos Zero Trust Network Access Gateway is a component of the ZTNA architecture. With this gateway, you can provide secure and controlled access to applications and resources for users and devices.

The article Create Sophos ZTNA Gateway explains how to create the ZTNA On-Premise Gateway or ZTNA Cloud Gateway.

4. Add policy (Add policy)

Instructions follow. Write us via the contact form if you want us to prioritize this.

5. Add resource (Add resources)

Instructions follow. Write us via the contact form if you want us to prioritize this.

6. Install ZTNA client on endpoints

Instructions follow. Write us via the contact form if you want us to prioritize this.