How to publish Local Apps with ZTNA

Hi Sophos Community,

I'm trialling ZTNA with a view to having it replace the classic SSL VPN experience for the majority of our userbase.

I've created some Web Applications that are accessed as an Agentless resource. These work entirely as expected.

I'd like to push some Local Apps, accessed by the ZTNA Agent as part of the Endpoint installation package.

These are apps used by specific people in the org that are typically in use by staff by way of a local app and an SSL VPN connection.

I am hoping to have these apps removed from their local device but accessed by the ZTNA gateway. According to Sophos documentation I see the term 'Local Apps' as a supported resource type, but can't see how these would be accessed. The Add resource wizard doesn't make this clear, nor is there any documentation outlining an example to use as a reference.

Has anyone gone through this process and can give some insight?

Many Thanks

  • You have agentless and agent-based resources. 

    Agent-based works with an internal DNS service on the endpoint: you can use an external FQDN (which the clients open in their browser) and then you use an internal FQDN, which the GW/firewall tries to reach. 

    Agentless means you have to create the resource on your DNS server, so the client is looking for it and it will be redirected to Sophos. Sophos then searches for the internal FQDN. 

    Overall: There is no problem in using: Internal == external FQDN. 

  • Hi LuCar,

    Thanks, I think I understand the differences there. I suspect I don't understand or have misinterpreted what Sophos Central / ZTNA considers to be a Local App.

    The only options I have are SSH, CIFS, RDP, or OTHER. If I wanted to publish a desktop app, an executable for instance, how would / can this be achieved using ZTNA?

    Otherwise, what kind of apps qualify as 'OTHER'?

    What kind of App can be published under other? How would I publish a local app using the Agent resource? Are there any reference materials that explain this?

  • ZTNA is a pure "Port" based product. Every EXE or application works on a port and destination level. 

    If you have an EXE, which is a database for example, it will connect to a database server with a Port specific for this database. 
    You need to create this resource in ZTNA with: FQDN (to database) and Port for the database.

    Best example is VNC: VNC as an RDP replacement, you can create it as "OTHER". You can select the destination server (VNC Server), create it as vnc.domain.local and VNC Port 5900. 

    The client then opens in VNC this "vnc.domain.local" and ZTNA will tunnel it to the local site. 


  • I think I understand now, sorry. I've come at this expecting something different and so framed my question entirely wrong. I'll go back to my testing. Thank you Lucar.

  • If you use Sophos XDR for your endpoints, you could check what kind of DNS your apps use: Discover potential Apps in your Network

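To make the port-based model from LuCar's VNC reply concrete, here is an added Python sketch (not Sophos code, and not how the ZTNA agent is actually implemented): each resource is an external FQDN, an internal FQDN and a port, and only a request that matches both the published host and the published port is forwarded. All hostnames and ports below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of ZTNA-style agent-based resources, after LuCar's reply:
# a resource is an FQDN plus a port (the type only labels the protocol), and
# only traffic matching FQDN *and* port is tunnelled. The "external" FQDN is
# what the user opens; the "internal" FQDN is what the gateway connects to;
# the two may be identical. Names and ports here are constructed examples.

DEFAULT_PORTS = {"SSH": 22, "CIFS": 445, "RDP": 3389}  # "OTHER" needs an explicit port

@dataclass(frozen=True)
class Resource:
    external_fqdn: str
    internal_fqdn: str
    kind: str            # "SSH", "CIFS", "RDP" or "OTHER"
    port: Optional[int] = None

    def effective_port(self) -> int:
        if self.port is not None:
            return self.port
        if self.kind in DEFAULT_PORTS:
            return DEFAULT_PORTS[self.kind]
        raise ValueError(f"{self.kind} resource {self.external_fqdn} needs an explicit port")

def tunnel_target(resources, host: str, port: int):
    """Return (internal_fqdn, port) the agent would forward to, or None.
    Anything not published (another host, or another port on a published
    host) is not reachable through the gateway at all."""
    for r in resources:
        if r.external_fqdn.lower() == host.lower() and r.effective_port() == port:
            return (r.internal_fqdn, r.effective_port())
    return None

RESOURCES = [
    Resource("vnc.domain.local", "vnc.domain.local", "OTHER", 5900),  # VNC, as in the reply
    Resource("rdp.example.com", "ts01.domain.local", "RDP"),          # external != internal
    Resource("db.domain.local", "db.domain.local", "OTHER", 1433),    # an EXE that talks to a DB
]

if __name__ == "__main__":
    print(tunnel_target(RESOURCES, "vnc.domain.local", 5900))  # ('vnc.domain.local', 5900)
    print(tunnel_target(RESOURCES, "vnc.domain.local", 445))   # None: SMB on that host is not published
    print(tunnel_target(RESOURCES, "rdp.example.com", 3389))   # ('ts01.domain.local', 3389)
```

The second lookup is the point for a defender: publishing vnc.domain.local:5900 exposes nothing else on that server, unlike a network-level VPN route.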