Customers who have gateway deployments on the versions mentioned above are required to upgrade to the latest versions via Sophos Central. Customers with firewalls functioning as ZTNA gateways should always upgrade their firewalls to the latest version of SFOS<\/a>.<\/p>\n As a reminder, Sophos maintains a retirement calendar<\/a> for all network security products outlining the latest supported versions.\u00a0 Sophos ZTNA is near the bottom of this page.<\/p>\n <\/p>\n This highly requested new feature addresses a key challenge with the ZTNA-as-a-service deployment mode, where a ZTNA device in an office on the same trusted network as the ZTNA application will route access via the Sophos Cloud or through the WAN interface of the gateway. While this maintains a uniform user experience and security posture, hairpinning has also introduced significant latency, especially for applications such as CIFS file shares and RDP.<\/p>\n The ZTNA agent will now assess whether it is on a trusted network based on the DNS configuration and decide whether to intercept the traffic.\u00a0 This is an optional configuration that customers can enable according to their specific use cases.<\/p>\n Note: To make use of this new feature, the ZTNA agent needs to be upgraded to a new build:\u00a0 Documentation<\/a><\/p>\n <\/p>\n This enhancement facilitates seamless user access to resources behind a domain controller.<\/p>\n This addresses a limitation where ZTNA agents could not intercept these\u00a0DNS-SRV\u00a0records, leading to connectivity issues, particularly when users accessed resources like file shares remotely. We developed a temporary workaround for this issue, and a\u00a0corresponding\u00a0Knowledge Base Article\u00a0<\/a>was published.<\/p>\n To better address this issue, we are now rolling out the first phase of updates, which makes it easier to add a domain controller (DC) as a ZTNA resource on Sophos Central. Along with the addition of the DC, we automatically add commonly used\u00a0DNS-SRV\u00a0records under the \u201cAdvanced Settings\u201d section and provide an option for administrators to add or modify these records. This prevents administrators from having to create multiple\u00a0DNS-SRV\u00a0records for individual ZTNA resources, as was the case with the previous workaround.<\/p>\n Accounts that have already deployed the workaround can also migrate to the new approach by simply adding a new resource of type DC. Both these approaches can co-exist until we phase out the workaround.<\/p>\n While this new implementation addresses the majority of customer use cases, there are additional specific instances, such as support for multiple domain controllers, that we want to address via a ZTNA agent update in the next phase.<\/p>\n <\/p>\n The latest online documentation is\u00a0here<\/a>, and the updated known issues list can be found\u00a0here<\/a>.<\/p>\n <\/p>\n If your customers are not already using Sophos ZTNA<\/a>, they can get started for free. There\u2019s a free trial<\/a> available via Sophos Central. Sophos Firewall customers can get three free one-year licenses<\/a>\u00a0and take advantage of the\u00a0ZTNA gateway integrated into your firewall<\/a>.<\/p>\n Check out the\u00a0Deployment Checklist<\/a>\u00a0for other considerations when deploying ZTNA and the latest\u00a0online documentation<\/a>.<\/p>\n If you are starting your ZTNA journey, view our updated initial setup video here:<\/p>\nNew On-Premise Network Detection<\/h2>\n
![\"\"](\"https:\/\/testing.eight25sites.com\/en-us\/wp-content\/uploads\/sites\/3\/2025\/06\/sophos-ztna-on-premise-traffic.png\")
<\/p>\nDomain Controller as a ZTNA Resource<\/h2>\n
![\"\"](\"https:\/\/testing.eight25sites.com\/en-us\/wp-content\/uploads\/sites\/3\/2025\/06\/sophos-ztna-domain-controller.png\")
<\/p>\n![\"\"](\"https:\/\/testing.eight25sites.com\/en-us\/wp-content\/uploads\/sites\/3\/2025\/06\/sophos-ztna-advanced-domain-controller.png\")
<\/p>\nDocumentation<\/h2>\n
Get Started with ZTNA for Free<\/h2>\n