.. _installing-ztna-gateway:

Installing ZTNA Gateway
=======================

Deployment Models
-----------------

You can install the ZTNA Gateway in two ways depending on your site's infrastructure setup.

.. list-table::
   :header-rows: 1
   :widths: 20 80 80

   * - Type
     - Description
     - Note
   * - **On-premises**
     - Install the ZTNA Gateway in your internal network to manage policies and network resources.
     -
   * - **Cloud managed**
     - Deploy a virtual ZTNA Gateway in a cloud environment. Administrators create and manage instances via the cloud console or Web UI.
     - If deploying ZTNA Policy Center in the cloud, prepare the cloud environment first. :ref:`cloud-setting`

Prepare the Environment
-----------------------

You need one or more public IP addresses to use the ZTNA Gateway.

Install ZTNA Gateway
--------------------

Install Gateway on-premises
^^^^^^^^^^^^^^^^^^^^^^^^^^^

| You can install the ZTNA Gateway on a physical system or a virtual machine.
| Refer to :ref:`Install Ubuntu OS ` to prepare **Ubuntu OS 24.04.4 LTS**.
| If using a **sensor install token**, refer to :ref:`Token-based Policy Server access ` for values to input.

.. note::

   | You can install the ZTNA Gateway on a virtual machine.
   | ZTNA supports various hypervisors such as VMware, VirtualBox, and XenServer.

**Step 1: Switch to the root account**

.. code-block:: text

   genian@genian:~$ sudo su
   [sudo] password for genian:
   root@genian:/home/genian#

**Step 2: Update and upgrade packages**

.. code-block:: text

   root@genian:/home/genian# apt-get update
   root@genian:/home/genian# apt-get upgrade

**Step 3: Install curl (required for installation)**

.. code-block:: text

   root@genian:/home/genian# apt install curl

**Step 4: Install ZTNA Gateway**

.. code-block:: text

   curl -sSLk https://bit.ly/4fX6bQ8 | sudo PROMPT=1 SSHALLALLOW=1 SSHPORT=22 TARGET=GNS DEB=ztna LOCALE=en bash -

- Log in to Web UI, go to [System] -> [System Management].
- Select the newly added unapproved sensor and approve it via [Select Action] -> [Approve Unapproved Sensor].

Install Gateway in Cloud-Managed environment - Manual via CLI
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

| Create an instance for ZTNA Gateway per your cloud provider's guide.
| Use an Ubuntu 24.04 image for the instance.
| If using a **sensor install token**, refer to :ref:`Token-based Policy Server access ` for values to input.

After creating the instance, connect via SSH and follow the steps below.

**Step 1: Switch the Ubuntu user account to the root account.**

.. code-block:: text

   genian@genian:~$ sudo su
   [sudo] password for genian:
   root@genian:/home/genian#

**Step 2: Update and upgrade packages**

.. code-block:: text

   root@genian:/home/genian# apt-get update
   root@genian:/home/genian# apt-get upgrade

**Step 3: Install curl (required for installation)**

.. code-block:: text

   root@genian:/home/genian# apt install curl

**Step 4: Install ZTNA Gateway**

.. code-block:: text

   curl -sSLk https://bit.ly/4fX6bQ8 | sudo PROMPT=1 SSHALLALLOW=1 SSHPORT=22 TARGET=GNS DEB=ztna bash -

- Log in to Web UI, go to [System] -> [System Management].
- Select the newly added unapproved sensor and approve it via [Select Action] -> [Approve Unapproved Sensor].

Install Gateway in Cloud-Managed environment - Automatic via Web UI
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To use automatic installation through the Web UI, first register a Cloud Provider and a Site.
Refer to :ref:`Cloud Provider settings ` and :ref:`Site settings `.

1. Access the Web UI console: ``https://(ZTNA Policy Server IP):8443/``
2. From the top menu, click **System** -> **Cloud Provider Management**.
3. Click **Tasks** -> **Create** and enter credentials for each cloud.
4. In the left menu, go to **System** -> **Site** and create a site.
5. Go to **System** -> **System Management**, then **Tasks** -> **Add ZTNA Gateway**.

   - Site name: Specify the previously created site.
   - AMI / Image: Selected automatically based on site settings.
   - Instance Type: Choose instance type (recommended: t2.medium or higher, or cloud recommended spec).
   - Size: Set disk size (recommended: 64GB or higher).
   - Subnet ID: Automatically assigned based on site settings.
   - Key pair: Set the key pair for SSH to the Gateway instance.

6. Click **Check init** to confirm initialization, then click **Create**.
7. Verify instance creation in the cloud console (e.g., AWS EC2, Linode, OCI).
8. In the Web UI, go to [System] -> [System Management], select the newly added unapproved sensor, and approve it via [Select Action] -> [Approve Unapproved Sensor].
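
The Step 4 command in both CLI procedures fetches the installer through a short link with ``-k`` (certificate verification off) and pipes it straight into a root shell. The following is an added example, not part of the original guide or the vendor's tooling: it saves the script to disk with certificate verification on, checks a SHA-256 digest, and only then runs it with the same variables. The function names are hypothetical, ``EXPECTED_SHA256`` is a placeholder to be obtained from the vendor over a separate channel, and it assumes the redirect target presents a valid certificate and that the script behaves the same when run from a file.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Function names are hypothetical.
INSTALLER_URL="https://bit.ly/4fX6bQ8"   # short link from Step 4
EXPECTED_SHA256="<sha256-from-vendor>"   # placeholder: obtain out of band

# Download to disk without -k, so certificates are verified on every
# redirect hop. Prints the final URL the short link resolved to.
fetch_installer() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$2" --write-out '%{url_effective}\n' "$1"
}

# Return 0 only when the SHA-256 of file $1 equals digest $2.
# 2 = file missing, 3 = digest is not 64 hex digits (e.g. the placeholder).
verify_installer() {
    local file expected actual
    file=$1
    expected=$2
    [ -f "$file" ] || return 2
    case "$expected" in
        ""|*[!0-9a-fA-F]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Run the saved script with the variables from the on-premises Step 4.
run_installer() {
    sudo PROMPT=1 SSHALLALLOW=1 SSHPORT=22 TARGET=GNS DEB=ztna LOCALE=en bash "$1"
}

# Full sequence: fetch, verify, and only then execute as root.
install_gateway() {
    local tmp
    tmp=$(mktemp /tmp/ztna-install.XXXXXX) || return 1
    if fetch_installer "$INSTALLER_URL" "$tmp" &&
       verify_installer "$tmp" "$EXPECTED_SHA256"; then
        run_installer "$tmp"
    else
        echo "download or digest check failed; not running $tmp" >&2
        return 1
    fi
}
```

Call ``install_gateway`` once ``EXPECTED_SHA256`` is set; the downloaded file is left in place so it can be reviewed or archived with the change record.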