What’s New in Sophos ZTNA: New Features and Insights for June 2025


Sophos ZTNA has received a couple of important updates to ease deployment and enhance performance. There is also an important End-of-Life announcement for earlier versions of the Sophos ZTNA gateway that may require some of you to plan an upgrade soon.


Important: End-of-Life for all ZTNA Gateways prior to v2.1

ZTNA gateways on VMware ESXi and Hyper-V running versions earlier than 2.1 will no longer be supported starting October 1, 2025. ZTNA gateways running on firewalls with SFOS versions older than 20.0 MR2 are also not supported, as those SFOS versions are already end of life.

Customers with gateway deployments on the versions mentioned above are required to upgrade to the latest versions via Sophos Central. Customers whose firewalls function as ZTNA gateways should always upgrade their firewalls to the latest version of SFOS.

As a reminder, Sophos maintains a retirement calendar for all network security products outlining the latest supported versions. Sophos ZTNA is listed near the bottom of that page.


New On-Premise Network Detection

This highly requested new feature addresses a key challenge with the ZTNA-as-a-service deployment mode: a ZTNA device in an office, on the same trusted network as the ZTNA-protected application, would still have its access routed via the Sophos Cloud or through the WAN interface of the gateway. While this maintains a uniform user experience and security posture, the hairpinning introduces significant latency, especially for applications such as CIFS file shares and RDP.

The ZTNA agent will now assess whether it is on a trusted network based on the DNS configuration and decide whether to intercept the traffic. This is an optional configuration that customers can enable according to their specific use cases.

Note: To make use of this new feature, the ZTNA agent needs to be upgraded to a new build. See the Documentation for details.


Domain Controller as a ZTNA Resource

This enhancement facilitates seamless user access to resources behind a domain controller.

This addresses a limitation where ZTNA agents could not intercept the DNS-SRV records used to locate a domain controller, leading to connectivity issues, particularly when users accessed resources like file shares remotely. We developed a temporary workaround for this issue, and a corresponding Knowledge Base Article was published.

To better address this issue, we are now rolling out the first phase of updates, which makes it easier to add a domain controller (DC) as a ZTNA resource in Sophos Central. When the DC is added, we automatically add the commonly used DNS-SRV records under the “Advanced Settings” section and provide an option for administrators to add or modify these records. This spares administrators from having to create multiple DNS-SRV records for individual ZTNA resources, as was the case with the previous workaround.

Accounts that have already deployed the workaround can migrate to the new approach by simply adding a new resource of type DC. Both approaches can co-exist until we phase out the workaround.

While this new implementation addresses the majority of customer use cases, there are additional specific scenarios, such as support for multiple domain controllers, that we plan to address via a ZTNA agent update in the next phase.


Documentation

The latest online documentation is here, and the updated known issues list can be found here.


Get Started with ZTNA for Free

If your customers are not already using Sophos ZTNA, they can get started for free. A free trial is available via Sophos Central. Sophos Firewall customers can get three free one-year licenses and take advantage of the ZTNA gateway integrated into their firewall.

Check out the Deployment Checklist for other considerations when deploying ZTNA and the latest online documentation.

If you are starting your ZTNA journey, view our updated initial setup video here: