Sophos Zero Trust Network Access (ZTNA) is Coming Soon – Your FAQ

ProductsSophos ZTNA

Sophos Zero Trust Network Access is an exciting new product category coming early next year to Sophos and it promises to transform the way organizations secure their networked applications.

Sophos ZTNA is a new product category that will soon have a presence on the Sophos Partner Portal and later on as well. Continue reading to learn more about what’s coming, access a collection of frequently asked questions and revisit the recent SophSkills recording in case you missed it.

What is ZTNA All About? 

If you missed the recent SophSkills session, this video presentation covers everything you need to know about why ZTNA is so important and what Sophos ZTNA will look like. You can also grab the PowerPoint file here.

ZTNA is founded on the principle of zero trust.  ZTNA is all about verifying the user, typically with multi-factor authentication to prevent stolen credentials from being a source of compromise, then validating the health and compliance of the device: is it enrolled, is it up to date, is it properly protected?  And then using that information to make decisions based on policies to control access and privilege to important networked applications.


What are the Benefits of ZTNA (compared to remote access VPN)?

While remote access VPN continues to serve us well, ZTNA offers a number of added benefits that make it a much more attractive solution:

  • More Granular Control:  ZTNA allows more granular control over who can access applications and data minimizing lateral movement and improving segmentation.  VPN is all-or-nothing: once on the network, VPN generally offers access to everything.
  • Better Security:  ZTNA removes implicit trust and incorporates device status and health in access policies that further enhances security.  VPN does not consider device status which can put application data at risk to a compromised or non-compliant device.
  • Easier to Enroll Staff:  ZTNA is much easier to roll-out and enroll new employees, especially if they are working remotely.  VPN is more challenging and difficult setup and deploy.
  • Transparent to Users:  ZTNA offers “just works” transparency to users with frictionless connection management.  VPN can be difficult and prone to initiating support calls.

Overall, ZTNA offers a welcome and much better solution to connecting remote workers or the branch office of one.

What is Sophos ZTNA?

Sophos ZTNA is a brand new cloud-delivered, cloud-managed product to easily and transparently secure important networked applications with granular controls.  It’s scheduled to enter early access in January.

Sophos ZNTA consists of three components:

  • Sophos Central – provides the ultimate cloud management and reporting solution for all Sophos products including Sophos ZTNA.  Sophos ZTNA is a fully cloud enabled with Sophos Central providing easy deployment, granular policy management, and insightful reporting from the cloud.
  • Sophos ZTNA Gateway – will come as a virtual appliance for a variety of platforms to secure networked applications on-premise or in the public cloud with AWS and VMware ESXi support initially closely followed by Azure, Hyper-V, Nutanix, and others.
  • Sophos ZTNA Client – provides transparent and frictionless connectivity to controlled applications for end-users based on identity and device health. It will integrate with Synchronized Security for Heartbeat and device health. It is super easy to deploy from Sophos Central, with an option to easily deploy alongside Intercept X with just one click, or it can work stand-alone with any desktop AV client (obtaining health status from Windows Security Center).  It will initially support Windows, followed by macOS and later Linux and mobile device platforms as well.

Here’s a basic block diagram of Sophos ZTNA at work:

Frequenty Asked Questions about Sophos ZTNA:

What are the key dates?

The Early Access Program (EAP) will get underway in January.  Launch is expected to be around mid-year 2021.

What applications can be protected?

Sophos ZTNA can provide protection for any networked application hosted on the company’s on-premise network, or in the public cloud or any other hosting site.  Everything from RDP access to network file shares to applications like Jira, Wiki’s, source code repositories, support and ticketing apps, etc.

ZTNA cannot protect SaaS applications like or Office365 because  customers don’t own these applications which are public internet facing applications servicing many clients by design.  Controlling access to these applications is already done effectively through multi-factor authentication, and if customers need more granular controls, then CASB is the technology that can help with access control to these types of applications.  Sophos is also working on a SASE strategy that will include CASB as well in the future.

What client, gateway and identity platforms will be supported?

Client platforms will initially include a clientless option across all client platforms (EAP1), Native Windows and Mac support (EAP2) and then Linux and mobile device platforms (iOS and Android) following launch.

Gateway platforms will initially include AWS (public cloud) and VMware ESXi (virtual appliance) for EAP.  This will be expanded to include other platforms like Azure, Hyper-V, Nutanix, K8S, and GCP following launch.

For identity, Sophos ZTNA will initially support Azure Active Directory (AD) for EAP 1 and Okta in EAP2. Supported directory services include Azure and on-premise AD. Customers can take advantage of Azure’s MFA options right away with support for third-party MFA solutions coming in a future release.

Is the Sophos ZTNA gateway hardware, virtual or cloud?

The Sophos ZTNA gateway is a virtual appliance only. There is no hardware version and it is not a hosted service.  Customers can deploy as many Sophos ZTNA gateways as they need (for free) on any of the platforms mentioned above to protect their applications in the cloud (AWS, Azure, Nutanix, etc) or hosted in their data center or on-premise (using a virtual appliance).

Is ZTNA a stand-alone product or does it require another Sophos product?

Sophos ZTNA is a stand-alone product and does not require any other Sophos Products.  It is managed by Sophos Central which is free, and obviously offers a ton of benefits when customers have other Sophos products.  It can easily deploy alongside Intercept X, but Intercept X is not a requirement.  Sophos ZTNA can work alongside any vendor’s desktop AV or firewall.

How will Sophos ZTNA client deployment work?

Sophos ZTNA will be an option to deploy alongside Intercept X and device encryption when protecting devices from Sophos Central.  It will be added to this list…

Will ZTNA integrate with Sophos XG Firewall and Intercept X?

Sophos ZTNA is fully compatible with XG Firewall and Sophos Intercept X. In fact, it takes advantage of Security Heartbeat to assess device health which can be used in ZTNA policies.  As mentioned above, deployment of the ZTNA client can easily happen as part of a CIX roll-out – it’s as simple as checking a box.  Of course Sophos ZTNA can also work perfectly with other vendor desktop AV or firewall products, but it will work better together with other Sophos products such as XG Firewall and Intercept X.

There are plans to ultimately include ZTNA gateway functionality in the firewall, but for now, the biggest opportunity for ZTNA is providing it as a stand-alone solution that can work with any firewall.

How will licensing and pricing work?

Sophos ZTNA will be licensed on a user basis like our Endpoint products.  And it is not per user-device, just per user, so if a user has 3 devices, they only require one license.

Customers can deploy as many ZTNA gateways as they need to protect all their apps.  There is no charge for the gateway or for Central Management.

There will be a free trial at launch.

More of Your Frequently Asked Questions:

How does ZTNA compare to…


DUO is an identity technology provider focused on multi-factor authentication (MFA) to help users verify their identity.  Identity and MFA and thus DUO, are a part of a ZTNA solution.  ZTNA also verifies device health.  Sophos ZTNA will initially support Azure MFA and ultimately support Duo and other MFA solutions as well.


NAC and ZTNA technologies may sound similar as they are both about providing access, but that’s where the similarities end.  Network Access Control (NAC) is concerned about controlling physical access to a local on-premise network.  ZTNA is concerned about controlling access to data and specific network applications regardless of what network they are on.


While remote-access VPN has served us well, ZTNA has a number of benefits when compared to VPN as outlined above.  Of course there will be some situations where VPN continues to be a good solution… where a relatively small number of people (e.g. the IT department) need broad access to network applications and services to manage them.  And of course, VPN will still be instrumental for site-to-site connectivity.  But for most organization’s  users, ZTNA can replace remote-access VPN to provide a better, more granular security solution while being more transparent and easier for users.


ZTNA is complimentary to a Firewall just like VPN is complimentary to a Firewall.  Of course, the Firewall still plays a critically important role in protecting corporate network and data center assets from attacks, threats and unauthorized access.  ZTNA bolsters a Firewall by adding granular controls and security for networked applications in the cloud or on-premise.

Synchronized Security?

ZTNA and Synchronized Security are both conceptually similar in that they both can use device health to determine network access privileges.  In fact, Sophos ZTNA will use Security Heartbeat as a key component in assessing device health.  If a user has a device with a Red Heartbeat, their application access can be limited through policy, just as their network access can be limited on the firewall. However, ZTNA goes further than Synchronized Security by also integrating user identity verification.  ZTNA is also more about controlling privilege and access to applications while Synchronized Security is more about automated response to threats and preventing threats from moving or stealing data.


SASE (pronounced “sassy”) or Secure Access Service Edge, is about the cloud delivery of networking and security and includes many components such as Firewalls, SD-WAN, Secure Web Gateways, CASB, and ZTNA designed to secure any user, on any network, anywhere through the cloud.  So as you can see, ZTNA is a component of SASE and will be our initial offering into this segment and an essential part of our overall SASE strategy.


We know questions about competitors are always top of mind.  We will be developing comprehensive competitive analysis as we get underway with the EAP and share that information soon.