How to implement Sophos Zero Trust Network Access solution part 1

1. The goal of the article

This series of articles will provide you with detailed steps to take as well as how to fully deploy the Sophos Zero Trust Network Access solution.

2. Diagram

Details:

We will have the Sophos firewall device connected to the internet at Port 2 with a static WAN IP of 115.78.x.x.

The internal network will be configured at Port 1 of the Sophos Firewall device with IP 172.16.31.1/24 and configured with DHCP.

In the internal network, there will be a server running the VMware ESXi virtualization infrastructure with IP 172.16.31.11/24 and the following virtual machines:

  • Active Directory and DNS server with hostname pdc.valab.xyz and IP 172.16.31.250/24.
  • Sophos ZTNA Gateway has hostname ztna.valab.xyz with IP 172.16.31.251/24.

On the internet side, we will have the following components used to deploy Sophos ZTNA:

  • Public domain: using the domain of Mat Bao.
  • Identity Provider: Okta.
  • Sophos Central: where to manage policies, users, logs.
  • Two Windows 10 computers, one with Agent installed and one without Agent installed.

3. Scenario

In part 2 of this series techbast will guide you to configure the remaining components, deploy the Sophos ZTNA Gateway and connect to resources in the system using Sophos ZTNA with 2 methods: Agent and Agentless.

4. What to do

Sophos ZTNA Gateway:

  • Configure NAT.
  • Declare ZTNA Gateway parameters on Sophos Central.
  • Deploy Sophos ZTNA Gateway on VMware ESXi.

Sophos Central:

  • Synchronize users from Active Directory.

Create Policy and check operation:

  • Create Policy.
  • Resource declaration.
  • Works with Agent.
  • Works with Agentless.
  • Check Logs and Reports.

5. Configuration

5.1. Sophos ZTNA Gateway

5.1.1. Configure NAT

5.1.2. Declare ZTNA Gateway parameters on Sophos Central

In the first step we declare the Sophos ZTNA Gateway parameters (IP address, subnet mask, default gateway, DNS server, wildcard certificate, identity provider and the virtualization platform it will be deployed on) in Sophos Central, so that Sophos Central can package them into a file used for the deployment.

To declare we need to log in to Sophos Central’s admin page with admin rights.

Go to My Products > ZTNA > Gateways > click Add gateway and declare the following parameters:

  • Name*: ztna.
  • FQDN*: ztna.valab.xyz.
  • Domain*: valab.xyz.
  • Platform type*: VMware ESXi.
  • Identity provider: okta.
  • Deployment mode*: select One-arm.
  • IP address*: select Static IP (below we enter the IP address, subnet mask and the other parameters from the network diagram).
  • IP address*: 172.16.31.251.
  • Subnet mask: 255.255.255.0.
  • Gateway*: 172.16.31.1.
  • DNS server1*: 172.16.31.250.
  • Upload certificate*: Click Choose and select the wildcard certificate fullchain.pem file that we got from part 1.
  • Upload private key*: Click Choose and select the key file privkey.key (note that the original file will have the extension privkey.pem, we need to change the file extension to .key).
  • Click Save and generate file.

After completing the declaration, the ztna gateway has been created successfully.

Next we will need to download 2 files for the installation process in the next step.

We left-click on Download image (Ready for download) to download the iso file to our personal computer.

This file contains the information we declared above (IP, subnet mask, DNS, identity provider, etc.) and is also used to establish communication between the internally deployed ZTNA Gateway and Sophos Central.

We continue by left-clicking Download gateway VM > Download Gateway VM image for VMware to download the prepackaged Sophos ZTNA Gateway OVA file used to deploy on VMware ESXi.

These are the 2 files that we have downloaded.

5.1.3. Deploy Sophos ZTNA Gateway on VMware ESXi

Before we deploy Sophos ZTNA on VMware ESXi we need to upload the iso file we downloaded from Sophos Central to VMware ESXi Datastore.

To upload we need to log in to the VMware ESXi admin page with admin rights.

Go to Storage and select the datastore to upload to; in this article we will upload the iso file to the datastore named ISO Storage.

Click Datastore browser.

Click Upload.

Select the iso file that we have downloaded.

We have successfully uploaded the iso file to the ISO Storage datastore.

Next we will implement the Sophos ZTNA Gateway deployment.

On the VMware ESXi admin page, right-click Virtual Machines > Create/Register VM to create a new virtual machine.

The New Virtual Machine panel appears; at Select creation type select Deploy a virtual machine from an OVF or OVA file.

Click Next.

At Select OVF and VMDK files:

  • Enter a name for the virtual machine: Enter the virtual machine name as Sophos ZTNA Gateway.
  • Left click Click to select files or drag/drop.
  • Then select the OVA file that we downloaded from Sophos Central earlier and click Next.

At Select storage we choose where to store the virtual machine; in this article techbast will store the virtual machine on VM Storage 3. Click Next.

At Deployment options, we map the External (WAN) interface to the VM Network port group and the Internal (LAN) interface to Local.

Power on automatically: deselect.

Note: VM Network card must have internet connection.

At Ready to complete, review the configured settings and click Finish.

So we have finished creating the Sophos ZTNA Gateway virtual machine from the OVA file.

Next we need to attach the iso file we uploaded earlier to this virtual machine, so that it can apply the parameters we declared on Sophos Central and communicate with Sophos Central, and we need to disconnect the Internal (LAN) network card.

To do this, right-click on the Sophos ZTNA Gateway virtual machine and select Edit settings.

At CD/DVD Drive: select Datastore.

The Datastore browser panel appears, select the iso file and press Select.

Then tick Connect at CD/DVD Drive 1 and uncheck Connect at Network Adapter 2. This is the Internal (LAN) card of Sophos ZTNA; since we deploy in One-arm mode, we only need the single External (WAN) card with an internet connection.

Click Save.

Then we power on the Sophos ZTNA Gateway virtual machine and it will appear as shown below.

After the virtual machine has booted and is up and running, we wait a few minutes for it to authenticate with Sophos Central.

After a few minutes we return to the admin page of Sophos Central.

Go to MY PRODUCTS > ZTNA > Gateways.

We will see the word Approve appear in the Status column of the ztna gateway that we declared.

This tells us that the internal Sophos ZTNA Gateway virtual machine has successfully communicated with Sophos Central.

We click on Approve to complete the deployment process.

5.2. Sophos Central

5.2.1. Synchronize users from Active Directory

5.3. Create Policy and check operation

In this section we will create the policies, define the resources and assign access rights to these resources.

5.3.1. Create Policy

Because Sophos ZTNA supports 2 access methods, Agent and Agentless, we will create 2 policies.

To create them, log in to Sophos Central’s admin page with an account that has admin rights.

Go to MY PRODUCTS > ZTNA > Policies > Click Add policy > Select Agent.

Note: the Agent option can be combined with the Sophos Intercept X Advanced antivirus software to check the security status of the workstation when it accesses a resource, and it supports accessing resources over many different protocols such as Remote Desktop, SSH, Telnet, etc.

Create a policy named Agent with the following parameters:

  • Policy name: Agent
  • Use condition to manage access: select (this option uses the Sophos Intercept X Advanced antivirus software to check the status of the workstation when it accesses a resource).
  • At Allow access: select green (this option only allows workstations whose antivirus security status is green to access the internal resources).
  • Click Save.

At Policy enforced we remember to turn on the policy.

Similarly, we also click Add policy > select Agentless.

Note: the Agentless option does not support checking the status of the antivirus software on the accessing device, and it only supports access to web resources.

Create a policy named Agentless with the following parameters:

  • Policy enforced: turn on policy.
  • Click Save.

5.3.2. Resource declaration

After creating the policy, we will declare the resources and assign which users will have access to that resource.

To declare them, go to MY PRODUCTS > ZTNA > Resources & Access > click Add resource.

We will declare the resources as follows:

  • Active Directory: accessed by Remote Desktop from a computer with the Agent installed; only users from the TECHNICAL TEAM group can access it.
  • Sophos Firewall: accessed with a web browser from a computer with the Agent installed; only users from the TECHNICAL TEAM group can access it.
  • ESXI11: accessed with a web browser from a computer without the Agent installed; only users from the TECHNICAL TEAM group can access it.

We will create an Active Directory resource with the following parameters:

  • Name: Active Directory.
  • Gateway: select ztna.
  • Access method: select Agent.
  • Resource type: Select RDP.
  • External FQDN: enter the FQDN that external users will use to access the resource; any subdomain under valab.xyz can be chosen, and in this lab we set it to pdc.valab.xyz.
  • Internal FQDN/IP address: enter the internal AD server’s IP 172.16.31.250.
  • Assign user group: select TECHNICAL TEAM group and press “>”.
  • Click Save.

Similarly, click Add resource and create a resource Sophos Firewall with the following parameters:

  • Name: Sophos Firewall.
  • Gateway: select ztna.
  • Access method: select Agent.
  • Resource type: select Web Application.
  • External FQDN: enter the FQDN that external users will use to access the resource; any subdomain under valab.xyz can be chosen, and in this lab we set it to sf.valab.xyz.
  • Internal FQDN/IP address: enter the LAN IP of the internal Sophos Firewall as 172.16.31.1.
  • Port: enter 4444.
  • Assign user group: select TECHNICAL TEAM group and press “>”.
  • Click Save.

Create an ESXI11 resource with the following information:

  • Name: ESXI11.
  • Gateway: select ztna.
  • Access method: select Agentless.
  • External FQDN: enter the FQDN that external users will use to access the resource; any subdomain under valab.xyz can be chosen, and in this lab we set it to esxi11.valab.xyz.
  • Internal FQDN/IP address: enter the internal IP of the VMware ESXi server, 172.16.31.11.
  • Assign user group: select TECHNICAL TEAM group and press “>”.
  • Click Save.

5.3.3. Work with Agent

We will access the 2 resources Active Directory and Sophos Firewall from a computer that has Sophos Endpoint pre-installed with the 2 modules Sophos Antivirus and Sophos ZTNA.

We open the Remote Desktop Connection software, enter the External FQDN of the Active Directory resource that we declared in the Computer field, then click Connect.

At this point Sophos will redirect the user to Okta to authenticate with the account.

Enter username and password then click Sign in.

A message that we have successfully authenticated appears.

Back to the Sophos Endpoint Dashboard we will see the authenticated user name displayed at Zero Trust Network Access.

We proceed with the remote desktop login to the server and enter the username and password.

Click Yes.

As a result, the remote desktop session to the Active Directory server was established successfully.

Next we will access the admin page of Sophos Firewall through the FQDN which we have declared as sf.valab.xyz.

Open any browser and enter https://sf.valab.xyz:4444.

As a result, we were able to access the Sophos Firewall’s admin page through ZTNA.

Finally, we will test the ability to automatically disconnect the workstation from the server when the workstation is infected with a virus.

We remote desktop to Active Directory, extract a virus file as shown below, and see that Sophos Antivirus has detected it.

The security status of the antivirus software on the computer then turns yellow, which means Sophos ZTNA immediately disconnects the workstation from the Active Directory server.

After Sophos Antivirus has finished cleaning up the virus file, it automatically changes the security status back to green, and at that point Sophos ZTNA restores access to the Active Directory server.

5.3.4. Work with Agentless

Next we check how Agentless access works.

With Agentless, we can access the VMware ESXi server resource that we declared in the previous section using a web browser.

To access it we open any browser and enter the FQDN of the Sophos ZTNA Gateway, https://ztna.valab.xyz.

Sophos will then redirect the user to the Okta page for authentication.

After successful authentication, the user will access a page called ZTNA Application Portal.

This is the page that lists all the resources that the authenticated user is allowed to access.

The VMware ESXI11 server appears in the listing.

We just need to left click on the server to access it.

As we can see the access failed and the error encountered here is a DNS error.

Note that although we declared the VMware ESXi server resource with the FQDN esxi11.valab.xyz, we have not yet pointed a DNS record for this FQDN at the Sophos Firewall’s WAN IP, so accessing the resource produces this error.
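A pre-flight check for exactly this failure mode, added here as an example and not part of the original article: every external FQDN published through ZTNA (the gateway FQDN and each resource's External FQDN from this lab) must resolve to the firewall's WAN IP. The WAN IP below is a constructed placeholder, since the article masks the real one as 115.78.x.x; the resolver is injectable so the check can also be run against a prepared table.

```python
import socket
from typing import Callable, Dict, List

# External FQDNs declared in this article: the ZTNA Gateway itself plus the
# three resources (Active Directory, Sophos Firewall, ESXI11).
ZTNA_FQDNS = ["ztna.valab.xyz", "pdc.valab.xyz", "sf.valab.xyz", "esxi11.valab.xyz"]

Resolver = Callable[[str], List[str]]


def system_resolver(fqdn: str) -> List[str]:
    """Resolve fqdn to its IPv4 A records with the OS resolver; [] when it does not exist."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_ztna_dns(wan_ip: str, fqdns: List[str],
                   resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {fqdn: status} where status is 'ok', 'missing' (no record, the error
    seen in the ZTNA Application Portal) or 'wrong:<ips>' (points somewhere else)."""
    report: Dict[str, str] = {}
    for fqdn in fqdns:
        ips = resolve(fqdn)
        if not ips:
            report[fqdn] = "missing"
        elif ips == [wan_ip]:
            report[fqdn] = "ok"
        else:
            report[fqdn] = "wrong:" + ",".join(ips)
    return report


def records_to_fix(report: Dict[str, str]) -> List[str]:
    """FQDNs that still need an A record created or corrected at the DNS provider."""
    return sorted(fqdn for fqdn, status in report.items() if status != "ok")


if __name__ == "__main__":
    WAN_IP = "203.0.113.10"  # constructed placeholder for the firewall's WAN IP
    report = check_ztna_dns(WAN_IP, ZTNA_FQDNS)
    for fqdn, status in report.items():
        print(f"{fqdn:20} {status}")
    print("to fix:", records_to_fix(report))
```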

We need to go to the domain’s admin page and create a DNS record as shown below.

And then go back to the ZTNA Application Portal and try accessing the VMware ESXi server again.

As a result, the access now succeeds.

5.3.5. Check Logs and Reports

Since we have now accessed resources with both the Agent and Agentless methods, in this section we review how Sophos ZTNA displays its logs and what types of logs are available.

The first is a log recording which users have authenticated and whether the authentication succeeded.

As we can see in the image below, the Sophos ZTNA log lists in great detail which user authenticated, the authentication status and the OS version of the computer used to authenticate; for Agentless access it also records the browser used for authentication and its version.

The second type of log that Sophos ZTNA keeps is the list of denied access attempts to resources.

Earlier, we extracted the virus file and were disconnected from the Active Directory server.

As shown below, Sophos ZTNA recorded a very detailed log entry for this, including the date and time, the resource name, the user who attempted access and the reason for the denial.

The third type of log records the amount of bandwidth consumed per resource.

Finally, Sophos logs the bandwidth passing through the Sophos ZTNA Gateway.
