Toll-free1-877-430-6240 / 1-780-430-6240 Authorized Sophos Partner
Zero Trust Network Access

Replace VPN with application-level access.

Sophos ZTNA gives users authenticated, per-application access to private resources without ever putting them on a flat corporate network. Identity-, device-, and posture-based decisions enforce least privilege automatically - on every connection, every time.

Key Capabilities

What ZTNA does that VPN can’t

VPN gives the user a tunnel to a flat network. ZTNA gives the user a tunnel to one application, validated on every request. That difference closes the lateral-movement and over-privilege gaps that VPN created.

Per-application access

Users connect only to specific applications they’re authorized for. No flat-network subnet exposure. A compromised endpoint can’t pivot to anything it wasn’t already allowed to reach.

Identity-based policy

Sophos ZTNA integrates with Microsoft Entra ID, Okta, Google Workspace, and standard SAML / OIDC providers. Access decisions ride on the same identity your IdP already manages.

Device-posture-aware

Sophos ZTNA checks the live posture of the device on every connection: OS version, patch level, encryption status, EDR health. Out-of-compliance? Access denied until self-remediation.

Cloud or firewall gateway

Deploy via Sophos’s cloud-delivered ZTNA gateways or host the gateway on your existing Sophos Firewall. Same policy, choose the deployment that fits your environment.

Synchronized Security

If Intercept X flags an endpoint as compromised, ZTNA cuts off that endpoint’s access automatically. No analyst pivot, no manual session revoke.

Managed and BYOD friendly

Works on Sophos-managed endpoints AND on BYOD devices. Different posture policies per device class, but same per-app access model for the user.

Deep Dive

Why ZTNA finally retires the VPN concentrator

VPN was built when employees were inside the office and the network perimeter was meaningful. That hasn’t been true for years. ZTNA is the access model the modern workforce actually needs.

  • VPN trusts the network. Once authenticated, the user is on the network as if they were in the office - any service the network can reach, the user can probe.
  • ZTNA trusts the request. Each connection is authenticated, posture-checked, and matched to a specific allowed application. Nothing else is reachable.
  • VPN is a black box. Most VPN concentrators don’t log which application a session touched, just that the tunnel was open.
  • ZTNA logs per-application. You can see exactly which user connected to which app, from which device, in which posture state, for how long.
  • VPN replaces itself with technical debt. Concentrators, client agents, public IPs to defend, MFA bolt-ons. ZTNA is cloud-delivered or firewall-integrated; no new hardware to maintain.
VPN model ZTNA model user net app A app B app C Lateral exposure user per-app app No lateral access
Who Deploys It

Three deployment patterns that pay back fast

ZTNA replaces or augments existing remote access. These are the three patterns we see customers move on first.

1

VPN replacement

End-of-life concentrator, painful patching cycle, or just the realization that flat-network VPN doesn’t fit the work pattern any more. ZTNA cuts over per-app, in parallel with the existing VPN.

Retire the concentrator
2

Contractor & temp access

External developers, vendor support, seasonal staff. ZTNA gives them access to only the specific apps they need, time-bounded, without enrolling their device into your domain.

Tightly-scoped temp access
3

M&A and federated tenants

Acquired company, separate IdP, can’t merge directories yet. ZTNA gives users from the acquired side access to specific apps in your environment without you joining the domains.

Access without integration
Pairs Well With

Stronger together

ZTNA on its own gives you access control. Combined with the rest of the Sophos stack, you get detection-aware access that adapts as posture changes.

Sophos Firewall
Network

Sophos Firewall

Host the ZTNA gateway on your existing Sophos Firewall, sharing policy and identity context. Simpler than spinning up separate cloud gateways for many deployments.

Sophos ITDR
Identity

Sophos ITDR

ITDR detects identity-based attacks at the directory level; ZTNA enforces access decisions based on that intel. Together they form a detection-plus-enforcement loop.

Sophos Workspace Protection
Bundle

Workspace Protection

If you want ZTNA plus Endpoint Protection, Mobile, Protected Browser, DNS Protection, and Email Monitoring under one per-user license, the bundle is usually the way to buy.

Ready to retire the VPN concentrator?

Request user-based pricing for Sophos ZTNA, or talk to our team about a phased VPN-to-ZTNA migration plan for your environment.