Network Gateway Types
Last Updated Feb 27, 2025
A network gateway represents a Software Defined Networking (SDN) infrastructure element that routes traffic from a user's device with Jamf Connect's Zero Trust Network Access (ZTNA) enabled to a destination application.
When a ZTNA access policy determines that a user is authorized to access an application, a network gateway opens a secure connection to the application.
Generally, two network gateway types exist:
- Internet Cloud Gateways—Cloud-based internet interconnects that are located in various Jamf data centers throughout the world. They are shared by all Jamf customers.
- Private Interconnect Gateways—Customer-specific routing destinations that provide Cloud-to-Customer Cloud/Data Center connectivity. These routes are never shared between Jamf customers.
These gateways can be defined as the routing destination for applications in a ZTNA access policy.
There are three ways to provide your users with access to private applications via Zero Trust Network Access:
- Dedicated IPSec gateway—There are two kinds of dedicated IPSec gateways:
  - Quick Connect IPSec—A Linux VM that establishes a secure route to Jamf Security Cloud. For more information, see Creating a Quick Connect IPSec Gateway.
  - Custom IPSec—A fully customized IPSec tunnel configuration designed to connect with your existing VPN infrastructure or firewalls. For more information, see Creating a Custom IPSec Gateway.
- Dedicated internet gateway (limited availability)—A pair of IPv4 addresses that route traffic to the internet through the Jamf Security Cloud. For more information, see Dedicated internet gateway.
Jamf Security Cloud Micro-Tunnel Technology
While dedicated gateways and their tunnels are shared by your employees and sites, each individual device-to-application connection within these tunnels is itself a "micro-tunnel".
Each micro-tunnel is built dynamically on a per-app, per-device, per-session basis and conforms to the access policy you define in Jamf Security Cloud. This means that every packet traversing the gateway's tunnel has been validated against the Jamf Security Cloud Zero Trust policy engine and is permitted to connect to the requested application.
Any requests to applications that are not permitted by policy are dropped and reported. They are never routed via the tunnel towards the application. For more information, see Zero Trust Network Access Policy.
Grouped gateways are a way for you to define a group of IPSec or internet gateways to provide a highly available connection between Jamf Security Cloud and your data center, cloud services, or offices. If the primary route goes down, the secondary route will take over handling the traffic. For more information, see Creating a Group of Gateways.
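The following is an added, constructed model of the access decision described in the micro-tunnel and grouped-gateway passages above: a request is matched against a per-app policy, permitted requests get their own per-app, per-device, per-session tunnel key and are routed to the policy's gateway (or to the first healthy member of a gateway group), and denied requests are dropped and reported rather than routed. It is not Jamf Security Cloud's code or API; every class and field name is hypothetical.

```python
# Constructed model of the per-app, per-device, per-session access decision
# described above. Hypothetical names only; not Jamf Security Cloud's API.
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    kind: str  # "internet_cloud" or "private_interconnect"
    healthy: bool = True


@dataclass
class GatewayGroup:
    """Grouped gateways: the primary carries traffic; a secondary takes over if it is down."""
    name: str
    members: list  # ordered, primary first

    def active(self):
        return next((gw for gw in self.members if gw.healthy), None)


@dataclass
class AccessPolicy:
    app: str
    allowed_devices: set
    destination: object  # a Gateway or a GatewayGroup


@dataclass
class Request:
    device_id: str
    session_id: str
    app: str


@dataclass
class Report:
    dropped: list = field(default_factory=list)  # (device, app, reason) per dropped request


def route(request, policies, report):
    """Return (gateway name, micro-tunnel key) for a permitted request, else None.
    Denied requests are dropped and reported, never handed to a gateway."""
    policy = next((p for p in policies if p.app == request.app), None)
    if policy is None or request.device_id not in policy.allowed_devices:
        report.dropped.append((request.device_id, request.app, "not permitted by policy"))
        return None
    dest = policy.destination
    gateway = dest.active() if isinstance(dest, GatewayGroup) else dest
    if gateway is None:
        report.dropped.append((request.device_id, request.app, "no healthy gateway"))
        return None
    return gateway.name, (request.app, request.device_id, request.session_id)
```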
- Nearest data center—A smart routing gateway that automatically uses the data center nearest to the user based on their current location.
- Client access IPs—A collection of data centers that reside in specific regions, such as the Americas, Europe, and Asia Pacific.
These gateways are typically used for SaaS, private cloud, or reverse proxy published applications that can be configured to restrict access to specific public IP addresses. This limits the application and its data to trusted IP addresses that can be used only by Jamf Connect's Zero Trust Network Access-enabled endpoints.
You can add the full list of IP addresses to your firewall allowlist or access policies.
After a dedicated gateway is configured, it may be used to reach one or more internal/private DNS name servers to resolve hostnames. This is very common for organizations that only provide hostname lookups for internal devices that are "on network", and not to anyone on the open internet.
The integration uses your dedicated gateways to ensure that no additional software, agents, or appliances are required to support any number of private DNS zones in your environment.
If you have one or more private DNS domains or zones that can only be looked up "inside" your network, you must configure custom DNS zones to ensure your end users can reach private resources from their Zero Trust Network Access-enabled device. For more information, see DNS Zones.