I have set up a ZTNA gateway on VMware ESXi using the instructions mentioned in ZTNA setup. But I am not getting a home page to log in.
Hi
Check your ESXi deployment if you are using VMware. The VM should have an IP 10.* showing on your console. Also check that the ISO image is always connected. Follow these steps:
1. Create your gateway in Central
2. Download your image
3. Add the VM
4. Attach the image
5. Before you start, verify the ISO is attached
6. Start the VM.
7. Give it 5 min and see if the IP that I mentioned is showing. If not, check if your ESXi server has internet connectivity.
8. Give it an hour for the gateway to sync and the approve button to be enabled.
Hi,
Thanks for your reply. I double-checked everything mentioned.
If it takes an hour to sync, it seems that I only have to wait...
But why should the VM have an IP 10.x.x.x?
It should also be possible to have an IP of, for example, 192.x.x.x, as I have a 192.x.x.x setup.
Yes, that is the IP you have set up, and the one I have set up has an IP of 192.x.x.x also. 10.x is an internal thing to the gateway and a way for you to know things are going fine.
Hi Matthias, a couple of questions. Previously, the gateways were in a connected state, right? Were there any changes made such that the gateway became disconnected? And are the time sync settings correct? And finally, are the below URLs whitelisted on the upstream firewall: https://docs.sophos.com/central/ZTNA/startup/en-us/setup/Requirements/index.html#active-directory
Hi Tejas,
My gateway deployment was never in a connected state. Time settings are in sync.
I think there is indeed a problem on the upstream firewall.
I can reach everything except:
1. *.amazonaws.com
2. production.cloudflare.docker.com
3. ztna.apu.sophos.com:22
I will try to get in contact with someone who can whitelist those URLs.
After that I will get back to you.
Thx
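The three endpoints listed above are the concrete input for an egress check. The script below is an added example (Python, not from this thread and not Sophos code) that tests TCP reachability to each required endpoint from the gateway's network segment and classifies the failure, because "not reachable" from a firewall usually shows up as one of three different symptoms: the name does not resolve (DNS or web-proxy rule), the connection is refused (host reached, port closed or reset by a proxy), or the connection silently times out (packets dropped, the typical sign of a missing firewall exception). Assumptions: `s3.amazonaws.com` is only a sample host under the `*.amazonaws.com` wildcard, port 443 is assumed for the HTTPS endpoints, and `ztna.apu.sophos.com:22` is taken from the thread as-is. Note that the SSH endpoint on port 22 is not covered by a rule that allows only the HTTPS service.

```python
"""Egress reachability check for the endpoints a ZTNA gateway must reach.

Added example, not from the thread or from Sophos. The endpoint list is
constructed from the hosts named in the thread; "s3.amazonaws.com" is only a
sample host under the *.amazonaws.com wildcard (assumption), and port 443 is
assumed for the HTTPS endpoints. Run it from a host behind the same firewall
rule as the gateway, or from the gateway's LAN segment.
"""
import socket
from dataclasses import dataclass

# Constructed from the thread; adjust to the current requirements page.
REQUIRED_ENDPOINTS = [
    ("s3.amazonaws.com", 443),                  # sample host under *.amazonaws.com
    ("production.cloudflare.docker.com", 443),  # container image pulls
    ("ztna.apu.sophos.com", 22),                # SSH, not HTTPS: an HTTPS-only rule will not cover it
]


@dataclass
class EndpointResult:
    host: str
    port: int
    status: str   # "ok", "dns_failure", "refused", "timeout" or "error"
    detail: str = ""


def check_endpoint(host: str, port: int, timeout: float = 5.0) -> EndpointResult:
    """Classify why a TCP connection to host:port does or does not succeed."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Name does not resolve: DNS blocked, or the web proxy/DNS rule is wrong.
        return EndpointResult(host, port, "dns_failure", str(exc))
    if not infos:
        return EndpointResult(host, port, "dns_failure", "no addresses returned")
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return EndpointResult(host, port, "ok", f"connected to {sockaddr[0]}")
    except socket.timeout:
        # No SYN-ACK and no RST: packets are being dropped somewhere in the path.
        return EndpointResult(host, port, "timeout", f"no response from {sockaddr[0]} within {timeout}s")
    except ConnectionRefusedError as exc:
        # Host reached, but the port answered with RST (closed, or reset by a proxy).
        return EndpointResult(host, port, "refused", f"{sockaddr[0]}: {exc}")
    except OSError as exc:
        return EndpointResult(host, port, "error", f"{sockaddr[0]}: {exc}")
    finally:
        sock.close()


def check_all(endpoints=REQUIRED_ENDPOINTS, timeout: float = 5.0):
    """Check every endpoint and return one EndpointResult per entry."""
    return [check_endpoint(host, port, timeout) for host, port in endpoints]


def unreachable(results):
    """Return the results that still need a firewall exception or DNS fix."""
    return [r for r in results if r.status != "ok"]


def open_loopback_listener():
    """Listener on 127.0.0.1 with a kernel-chosen port, so the classifier can be
    exercised without internet access. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for r in check_all():
        print(f"{r.host}:{r.port:<5} {r.status:<12} {r.detail}")
```

Run it once with the gateway's own source address and compare the statuses: a `timeout` on an endpoint the firewall policy test reports as allowed points at a rule that is not matching the real traffic (for example the wrong service on port 22), while a `dns_failure` means the name never leaves the network and the firewall rule is not even being consulted.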
I created a separate rule on my Sophos XG allowing HTTPS services from LAN and my ZTNA IP to WAN.
Am I right? Or do I have to put those URLs into my exception listings within web protection?
As long as the above mentioned URLs are reachable from the ZTNA gateway, that should be fine.
The above-mentioned URLs are all whitelisted as per Protect -> Web -> Exceptions and tested per Diagnostics -> Policy Test.
There is a firewall rule allowing, at all times, traffic from source zone LAN with source network and devices set to the IP address of the ZTNA-Gateway to destination zone WAN, destination network any, with service HTTPS.
My ZTNA Gateway gets the desired IP address and MAC, the ZTNA Gateway is reachable via ping, and nslookup is fine, so DNS is working too.
But it doesn't show up in Central, so I can't approve the deployment.
You might want to try reloading the image onto the VM and restarting the VM.
Tried this several times.
Probably something is wrong with my certificate, which I generated on my own private CA.
Neither the certificate nor the key is displayed when I go to edit my Gateway in the edit option field.
You can recreate the gateway and give it a try. If you can provide a screenshot of your VM network info in ESXi, that would be helpful. As far as the certificate is concerned, that is not a problem, as I also generated mine on my own private CA.
This is what it looks like when it is working .
You've got a second NIC with IP 10.42.0.1. Why is this?
That is something internal to the gateway. It will help you know that it is connected.
Have you checked that the NTP service is linked to the VM?
@Sophos User5771 where do you put the configuration of the 2nd NIC in the ztna-gateway config? As far as I know, within the setup process you can give only one IP address to the ztna-gateway config.
@LuCar Toni you mean within ESXi?