
Today, the network product team is pleased to announce the general availability of Sophos ZTNA v2 enabling ZTNA-as-a-Service via the Sophos cloud and new macOS agent support for zero trust endpoints. This marks a significant milestone for us, being the first of our SASE (Secure Access Service Edge) solutions, paving the way for more exciting cloud-delivered security solutions in the future. 

ZTNA – The Ultimate Remote Access VPN Replacement

Zero Trust Network Access (ZTNA) provides the ultimate networked application access, particularly for remote workers, but works equally well both in and out of the office. ZTNA provides better security by granting access only to specific applications, easier and more scalable cloud management, and a more transparent end-user experience than remote access VPN. ZTNA not only secures access to the applications you own in your on-premise data center or AWS, but can also control access to SaaS applications that support IP address access control, by restricting access to connections originating from your ZTNA gateway IPs.


New ZTNA-as-a-Service Cloud Gateways

This latest release of our ZTNA platform makes deployment even easier and security even stronger by utilizing lightweight gateways on the application side that establish secure encrypted connections outbound to the Sophos cloud on port 443, eliminating any need for firewall NAT configuration. This enhances security by eliminating open firewall ports exposed to the internet and provides a further abstraction of the applications that ZTNA is protecting.

With these new ZTNA gateways, the Sophos cloud now brokers the secure connections between zero trust endpoints and your applications. These new ZTNA gateways offer the same platform support as the current on-premise gateways: VMware, Hyper-V, and AWS. 

In summary, with this release, there are now two options for ZTNA application gateways:

  • Cloud Gateways, introduced in this release, provide a new lightweight gateway deployment option that connects automatically via port 443 to the Sophos cloud at regional points of presence. This solution offers the most streamlined deployment option without requiring any firewall configuration and makes the applications more invisible and secure as a result.

  • On-Premise Gateways continue to provide a private data plane connection directly between your zero trust endpoints and applications. This solution will be best for those customers who have concerns about latency via the Sophos cloud points of presence. Current customers can switch to the new cloud gateways, continue to run these on-premise gateways, or utilize the new cloud gateways in a mixed or hybrid approach.

ZTNA-as-a-Service cloud points of presence currently include:

  • Europe (Ireland and Frankfurt) 
  • North America (Ohio and Oregon) 
  • Asia Pacific (Mumbai and Sydney) 

You select your preferred cloud point of presence when setting up your ZTNA cloud gateway in Sophos Central. 

macOS Support

We are also pleased to offer Apple macOS agent support with this release. Mac users can now get the same single-agent health-based secure access with Intercept X and Synchronized Security as Windows users.  Running agentless continues to be an option for web-based apps on all platforms including mobile devices. 


ZTNA and MSP Flex - Coming Soon! 

ZTNA will soon be part of the MSP Flex Program. Expect another announcement at the end of January.   

Zero Trust Network Access is the perfect MSP product at the perfect time for enabling your customers' remote workers to securely access the applications and systems they need to do their jobs. This innovative new zero trust solution is now part of our industry-leading MSP Flex portfolio of cybersecurity products. As a Sophos MSP partner, ZTNA further expands the portfolio of monthly billing services you can offer, all from a single cybersecurity vendor, managed from a single Central Management Platform.

Get prepared to start selling ZTNA today.

Getting Started 

These new capabilities are now included in Sophos ZTNA, available on Sophos Central. Simply log in to your Sophos Central account to begin taking advantage of these new capabilities.

Review the documentation and stop by the community forums to discuss the release. 

If you’re new to Sophos ZTNA, learn more at Sophos.com/ztna. 

Known Issues

Issue Key   Summary
NZT-4496    Gateway build number in the diagnostics menu shows "v1.1" even after a successful upgrade to v2.
NZA-1004    Intermittent installation issues with the macOS agent. Workaround: re-install the agent.
NZA-972     A macOS machine running Monterey with the ZTNA agent installed, when upgraded to Ventura, could encounter a situation where the ZTNA agent status shows "Not Configured". Workaround: reboot the machine once.
NZA-978     On macOS Ventura, if ZTNA applications are not accessed for seven days, the secure tunnel with the ZTNA gateway gets reset. Workaround: reset the session information from the troubleshooting section on the agent.
NZA-993     Interoperability issues with Microsoft Azure's continuous access evaluation.