1. The purpose of the article
This series of articles will provide you with detailed steps to take as well as how to fully deploy the Sophos Zero Trust Network Access solution.
We will have a Sophos firewall device connected to the internet at Port 2 with a static WAN IP of 115.78.x.x.
The internal network will be configured at Port 1 of the Sophos Firewall device with IP 172.16.31.1/24 and configured with DHCP.
In the internal network there will be a server running VMware ESXi virtualization with IP 172.16.31.11/24, hosting the following virtual machines:
- Active Directory and DNS server with hostname pdc.valab.xyz and IP 172.16.31.250/24.
- Sophos ZTNA Gateway has hostname ztna.valab.xyz with IP 172.16.31.251/24.
On the outside of the internet we will have the following components used to deploy Sophos ZTNA:
- Public domain: using the domain of Mat Bao.
- Identity Provider: Okta.
- Sophos Central: where to manage policies, users, logs.
- Two Windows 10 computers, one with Agent installed and one without Agent installed.
In part 1 of this series, techbast will guide you through configuring the first 3 components: declaring a record on the public domain that points the Sophos ZTNA Gateway’s FQDN to the Sophos Firewall’s WAN IP, configuring the wildcard certificate, and configuring Okta.
4. What to do
Public domain:
- Create record.
Configure Wildcard certificate:
- Register wildcard certificate for domain valab.xyz.
Identity Provider Okta:
- Sync users from Active Directory.
- Create Application for Sophos ZTNA.
- Create Authorization Server for Sophos ZTNA.
- Add Identity Provider Okta on Sophos Central.
Because Sophos ZTNA operates with a domain name, techbast has prepared a domain name purchased from Mat Bao, which is valab.xyz.
The first thing we need to do with this domain is point the Sophos ZTNA FQDN to the Sophos Firewall’s WAN IP.
To do this we need to log in to the DNS administration page for the domain valab.xyz on Mat Bao’s website.
We will create records that point the Sophos ZTNA Gateway’s FQDN to the Sophos Firewall’s WAN IP as shown below:
To check whether the record is active, open Command Prompt on the computer.
Run nslookup, type the domain name ztna.valab.xyz, and you will see the name resolve to the IP address 115.78.x.x.
5.2. Configure Wildcard certificate
5.2.1. Register wildcard certificate for domain valab.xyz
Since the Sophos ZTNA solution will use subdomains of the valab.xyz domain and all of its connections use HTTPS, we need a wildcard TLS certificate that covers every subdomain of valab.xyz.
In this article we will apply for a free wildcard certificate from Let’s Encrypt.
First we need to download the Certbot client software to our personal computer.
Click the link below to download.
Next, install the certbot client software on your computer and open it up.
When opened, it will have an interface as shown below.
We will enter the following command to register a wildcard certificate for the domain valab.xyz (the apex name and the wildcard name are both requested, so the certificate covers ztna.valab.xyz and any other subdomain):
certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --domain valab.xyz --domain "*.valab.xyz"
After running the command, certbot will ask us to create a DNS TXT record on the domain valab.xyz with the parameters shown below.
We need to login to the admin page of the valab.xyz domain and add the TXT record as follows.
Then we go to https://toolbox.googleapps.com/apps/dig/#TXT/ to check whether the TXT record is working.
Type _acme-challenge.valab.xyz in the box and press Enter; the result shows that the TXT record is active.
Return to the certbot client and press Enter to continue.
We see that the wildcard certificate registration was successful.
Two files, the certificate chain fullchain.pem and the private key privkey.pem, are stored in C:/Certbot/Archive/valab.xyz-0001.
Note: we need to keep these 2 files for deploying the Sophos ZTNA Gateway in the following section.
5.3. Identity Provider Okta
5.3.1. Sync users from Active Directory
The purpose of this user sync is so that Okta authenticates users directly against Active Directory.
The following figure is a list of the users and groups that will be synced to Okta.
To set up the sync, open Okta’s admin page.
Go to Directory > Directory Integrations > click Add Active Directory.
Click Set Up Active Directory.
Click Download Agent.
We will install the OktaADAgentSetup file that we just downloaded; we also need to copy the Your Okta Organization URL value for use during the installation.
Okta AD Agent will automatically detect the domain name on the Active Directory server.
Select Create or use the OktaService account (recommended). With this option the Okta Agent creates an account with the username OktaService that is used only to run the Okta service.
We enter the password for the OktaService account and click Next.
Click Next if we do not use a proxy in the system.
Copy the Okta Organization URL that we saved in the Okta Agent download step into the Enter Organization URL box.
A login window appears, we need to log in to Okta’s admin account and click Sign in.
Click Allow Access to grant the Okta Agent the permissions it needs to work.
Okta Agent registration and installation will take about 5 seconds.
We click Finish to complete the installation of Okta Agent.
Back on the admin page we will continue the rest of the configuration.
At Basic Settings, we will select the OU that we will sync to Okta.
Here we will choose OU valab because this is where users and groups are stored.
In Okta username format, we will select Email Address and click Next.
In Build User Profile click Next.
Go to Directory > Directory Integrations and we should see Okta has successfully connected to the Active Directory server.
Next we will import users and groups into Okta; to import, left click on Active Directory.
At the Import tab, click Import Now.
Select Incremental import (fastest) and click Next.
The import process will take a few seconds.
Okta has successfully scanned 7 users and 2 groups.
To import users into Okta, we tick all users and click Confirm Assignments.
Check Auto-activate users after confirmation and click Confirm.
With Auto-activate users after confirmation selected, after a successful confirmation Okta sends an email to each user informing them that their Okta account has been created and that the username and password are the same as those of the domain account the user already uses.
The email sent to the user will have the following content.
To see the users that have just been imported, go to Directory > People; the list of imported users appears as shown below.
To see the groups that have been imported go to Directory > Groups.
5.3.2. Create Application for Sophos ZTNA
We need to create an Application for Sophos ZTNA so that when a user accesses a resource and authenticates, they are redirected to Okta’s authentication page.
To create, go to Okta’s admin page > Applications > Applications > Create App Integration.
- Sign-in method: select OIDC – OpenID Connect.
- Application type: select Web Application.
- App integration name: Sophos ZTNA.
- Grant type: select Client Credentials and Refresh Token.
- Sign-in redirect URIs: enter the path that the user will be redirected to in order to perform authentication.
This path has the format https://FQDN/oauth2/callback.
For example, the FQDN of the Sophos ZTNA Gateway deployed in the following section is ztna.valab.xyz, so the path is https://ztna.valab.xyz/oauth2/callback.
At Assignments select Skip group assignment for now and click Save.
Going back to Applications > Applications we will see the Sophos ZTNA has been created.
We will need to assign group and adjust scope for this Sophos ZTNA app.
To adjust left click on the name Sophos ZTNA.
At the General tab, click the copy icon next to Client ID and Client secret and save both values for the Identity Provider Okta declaration on Sophos Central.
At the Okta API Scopes tab we click Grant at okta.idps.read.
At the Assignments tab, click Assign > Assign to Groups to specify which groups will use this Sophos ZTNA app.
At Assign Sophos ZTNA to Groups click Assign 2 groups SALE TEAM and TECHNICAL TEAM.
We will see that the right side of the 2 groups shows the word Assigned, which means it has been successfully assigned.
Going back to the admin page at Assignments > Groups, we will see the 2 groups that we just assigned listed.
At Assignments > People we will also see the users belonging to the 2 groups listed.
5.3.3. Create Authorization Server for Sophos ZTNA
To create it, open the Okta admin page and go to Security > API > click Add Authorization Server.
The Add Authorization Server dialog appears; enter ZTNA in Name and Audience and click Save.
We will see that the Authorization Server ZTNA has been created. Save its Issuer URI value for the Identity Provider Okta declaration on Sophos Central.
Next we click on the name ZTNA to adjust a few parameters.
First we need to create a Scope named customScope with the sole purpose of testing the connection between Okta and Sophos Central.
To create, go to the Scope tab > click Add Scope.
At Name fill in customScope and click Save.
On the Claims tab, click Add Claim. This claim lets ZTNA see the user’s groups for policy validation. Enter the following details:
- Name: groups.
- Include in token type: ID Token – Userinfo / id_token request.
- Value type: select Expression.
- Value: Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100), Groups.startsWith("active_directory","",100))
- Include in: select Any scope.
- Click Save.
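The claim expression above is easier to reason about when modelled in code. The following is an added example, not from the original post or from Okta or Sophos: a Python model of the expression (Groups.startsWith(type, "", 100) returns the names of the user's groups of that source type, capped at 100; Arrays.flatten joins two lists), showing what the groups claim in the ID token holds for a user who has AD groups and for one who has only Okta groups, and how a consumer matches it against the groups assigned to the app. The (type, name) group representation and the users are constructed for the example.

```python
import base64
import json

def groups_starts_with(groups, group_type, limit=100):
    """Model of Groups.startsWith(group_type, "", limit): names of the user's
    groups whose source type matches (e.g. "active_directory" or "OKTA")."""
    return [name for gtype, name in groups if gtype == group_type][:limit]

def groups_claim(groups):
    """Model of the claim's Value expression. Users with no AD groups get only
    their Okta groups; everyone else gets Okta groups followed by AD groups."""
    ad_groups = groups_starts_with(groups, "active_directory")
    okta_groups = groups_starts_with(groups, "OKTA")
    if not ad_groups:                      # Arrays.isEmpty(...) branch
        return okta_groups
    return okta_groups + ad_groups         # Arrays.flatten(okta, ad)

def id_token_payload(subject, groups):
    """Build the ID-token payload segment (base64url, no padding) that would
    carry the groups claim. Constructed and unsigned: real Okta tokens are
    RS256-signed and must be verified against the issuer's keys."""
    payload = {"sub": subject, "groups": groups_claim(groups)}
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(segment):
    """Decode a base64url payload segment back into its claims."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def allowed_by_app(payload, assigned_groups):
    """Does the token's groups claim intersect the groups assigned to the app
    (SALE TEAM and TECHNICAL TEAM on this page)?"""
    return bool(set(payload.get("groups", [])) & set(assigned_groups))

if __name__ == "__main__":
    # Constructed users: one synced from AD, one Okta-only.
    ad_user = [("OKTA", "Everyone"), ("active_directory", "SALE TEAM")]
    okta_user = [("OKTA", "Everyone")]
    assigned = ["SALE TEAM", "TECHNICAL TEAM"]
    for sub, groups in (("alice@valab.xyz", ad_user), ("bob@valab.xyz", okta_user)):
        claims = decode_payload(id_token_payload(sub, groups))
        print(sub, claims["groups"], "allowed:", allowed_by_app(claims, assigned))
```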
In order for Sophos Central to connect to the customScope on Okta, we need to create an access policy.
At the Access Policies tab, click Add New Access Policy and configure the following parameters:
- Name: ZTNA.
- Description: ZTNA.
5.3.4. Add Identity Provider Okta on Sophos Central
To declare it, log in to the Sophos Central admin page with admin rights.
Go to ZTNA > Identity Providers > click Add identity provider.
- Name: okta
- Provider: Okta
- Client ID: enter the Client ID copied in the step of creating the Sophos ZTNA App Integration.
- Client secret: enter the Client secret copied in the step of creating the Sophos ZTNA App Integration.
- Issuer URI: enter the Issuer URI copied in the Authorization Server ZTNA creation step.
- Scope: enter customScope and click Test connection to test the connection between Sophos Central and Okta.
- Click Save.