hello. I want to replace my current XGS VPN with ZTNA for RDP access. Where can I find some documentation to help me?
Thanks...
Moved this Thread to the matching community.
https://community.sophos.com/zero-trust-network-access/
You find here most of the viable information and documentation.
Do you have an IDP (Azure AD or OKTA)?
__________________________________________________________________________________________________________________
Hi, thanks for the help. We use on-premise AD, can't you use ZTNA in this scenario?
No, because on-premise AD does not support the next generation of authentication. You should look at Azure AD for multiple reasons, as it resolves plenty of limitations/challenges from the past decades with on-premise AD.
__________________________________________________________________________________________________________________
BTW: Azure AD Connect should be on your list for the future.
__________________________________________________________________________________________________________________
Sure. The architecture is based on ZTNA. But the technology used to communicate with the IDP is the problem.
While an "on premise" AD is basically behind a firewall, a client on the internet is not able to talk to the AD. Azure AD always provides a connector to the IDP. This means you can update policies, the status of the client and the status of the user all the time, without any kind of connection to a firewall or to an AD server.
Azure AD was built with this in mind, to resolve the issue of connectivity to the IDP itself. (Think about the case where you change your password and try to reach the AD via VPN, but the client did not update "yet".)
All those protocols AD uses are now encapsulated into TLS 443.
And this is not considering the entirely new stacks built around Azure AD (Azure MFA etc.). I am not able to give more insights into the world of Azure, but there are certain advantages which customers get by moving to Azure AD, and that's the reason most customers move (Microsoft 365 integration, for example).
__________________________________________________________________________________________________________________
I'm sorry, but the restrictions in terms of user authorization are within the implementation of Sophos ZTNA and it is definitely not a limitation in the possibilities of on-premises Active Directory client authorization.
I think it is more correct to write: We have implemented ZTNA with these restrictions, which you must respect when deploying Sophos ZTNA.
I can use, for example, OKTA as an IDP (which, by the way, you already support in the current version) and which offers significantly more authorization functions to third parties than MS Azure.
Regards
alda
There is no restriction. Azure AD and OKTA are supported. To get support for a product like on-premise AD, you would have to reinvent Azure AD on premise and implement the API support, or a piece of software to query the AD. It does not work with LDAP in this manner for a client, and it would be a step back from future technologies like implementing something like Security Center (which is also not implemented for on-premise AD).
So supporting something which is not future-proof and does not support everything on the ZTNA roadmap looks like a bad trade to begin with.
__________________________________________________________________________________________________________________
Please read again the sentence you wrote: "because on premise AD does not support the next generation of Authentication."
The restrictions are not in on-premise Active Directory, but in the ZTNA architecture, which in principle needs an external IDP, and Azure is not the only possible option.
This is, I think, necessary to tell potential users but definitely not to stop using the internal on-premise Active Directory!
Regards
alda
P.S. If you are not an Azure reseller ....
On premise does not support the sync to the client. This is a next-generation integration of the client (see Windows 11). That is the point.
__________________________________________________________________________________________________________________