We are pleased to announce the availability of Sophos ZTNA 2.1, which brings support for on-premise Microsoft Active Directory for identity, zero downtime and seamless failover between cloud points-of-presence, and important security enhancements.

This release adds a new identity provider option alongside the cloud-based Microsoft Entra ID and Okta solutions already supported by Sophos ZTNA. It enables organizations without cloud infrastructure or a cloud-based identity platform to adopt Sophos ZTNA easily by using their in-house Microsoft AD system for authentication, with support for MFA through captchas or email OTPs.

In addition, cloud gateways running on virtual platforms (ESXi or Hyper-V) now support zero downtime and seamless failover between cloud points of presence. This capability will also be available for Sophos Firewall-integrated ZTNA Gateways with the release of v20 MR2, which is scheduled for later this month. It allows for a seamless transition to the next closest regional gateway in the event of an outage in your preferred gateway region, ensuring uninterrupted ZTNA access for the duration of the outage.

An additional update with security enhancements is also available as ZTNA 2.1.1. You will need to first update your gateways to 2.1 and then apply the 2.1.1 update after that.

How to Get the Updates:

The gateway image updates are available from Sophos Central. There is no need to update your ZTNA agents.

  1. On Sophos Central, navigate to the gateways page, where an indication that an image update is available is shown. This notification is only seen on gateways hosted on ESXi and Hyper-V platforms.


  2. You can either initiate the upgrade immediately or schedule the upgrade for later. The update may take up to 30 minutes.


  3. After the upgrade is completed and the gateway is back to "Active," verify on the gateway’s diagnostics console that all the tests pass before initiating the next update to ZTNA 2.1.1.

    Version 2.1.1 includes important security and vulnerability fixes, and we highly recommend that customers begin the upgrade process immediately. Upgrading to version 2.1.1 should also take approximately 30 minutes for a single node; for a multi-node cluster, the time required scales proportionally with the number of nodes.

  4. Check the gateway console diagnostics once the update is complete and the gateway returns to the "Active" state. If all diagnostics checks pass, resource access can be resumed.

Documentation

The latest online documentation is here, and the troubleshooting guide has also been updated in case you encounter any issues during configuration.

  • Also, one suggestion for a workaround. You can add a secondary email ID to the user attribute. You can either add the secondary email ID that is not your regular corporate email ID on the AD server or add that as a secondary email attribute.

    So, with this approach, when an OTP is triggered, it would be sent to the secondary mail as well, thus preventing this kind of deadlock situation.

  • Hi Tejas,

    Perhaps you could use this as a feature request to link the support of security tokens in Sophos products to our customer account. Let's see what is coming; we are looking forward to the next updates.

  • Thank you for the feedback. Yes, we support email-based OTPs and captchas in the initial release and, based on feedback, we will also prioritise other methods.

  • A welcome step, as we do not use identity providers in the cloud, but unfortunately not an option for us as the MFA options are limited to email. On-premise Exchange is located in our company network, so access to emails would only be possible after the ZTNA connection. OWA is not accessible via the Internet. A typical chicken-and-egg situation.

    Here it would be a good idea to use phishing-resistant security tokens, e.g. YubiKey. If you want to be at the leading edge of security, general support for security tokens would by now be welcome. In my opinion, this also includes Sophos Connect (SSL VPN) and Sophos Central.