Initial deployment of XG firewall in datacenter


We are planning to use the XG 310 for a co-located datacenter setup where the majority of end users connect to RDP and web servers from outside. They also browse external websites when they are working on the RDP machines. There are about 30-40 servers, and about 500 users log in daily from outside. All web server pages are HTTPS and RDP is also encrypted, so I don't expect the firewall to look into the packets (I know it supports it, but that's not a concern right now).

Our main reasons to use a device are:

- to monitor the ports and data destinations/sources going in and out of the remote desktop machines as well as the web servers.

- to make sure there is no malware in the network and that we get reports of what is going in and out.

- to be able to control the web browsing of people who use browsers on the RDP servers, block sites, etc.

- currently the VPNs are done via the Mikrotik and some via Windows; if possible, we would do them via the Sophos.

- in future, to have an email server (Zimbra) running behind the Sophos.

The current setup is a Mikrotik router (basically Linux with iptables) which is fed by the datacenter using Cisco HSRP for failover. All the servers have the Mikrotik as their gateway. We do not want to rock the boat too much by completely swapping the Mikrotik for the Sophos. We have a few options and would like to get an idea of how each will help.

1. Use the Sophos as a standalone device on the LAN: connect it with one LAN cable to the LAN switch and use the IP of the Sophos as the gateway address of all servers, so the data going to/from the servers will pass via the Sophos, which in turn will go to the Mikrotik.

2. Physically keep the device between the Mikrotik LAN port and our LAN switch so all data must go via the Sophos. From what I have read, these are the eth0/1 ports, which have a way to stop all filtering in case of hardware failure and just run as a pass-through port.

3. Replace the Mikrotik with the Sophos. I understand this is the cleanest way of doing it, but we don't want to risk this right now. We have too many ports mapped for different customers and things are running OK.

Is there a way I can get the best of both worlds? Basically, use the Mikrotik just for accepting the IP address and doing the NAT, and then let the Sophos do everything else.
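A sketch of the Mikrotik side of the "best of both worlds" layout the post asks about: the Mikrotik keeps the provider-facing address, the default route and all NAT (source NAT plus the existing per-customer port forwards), while the Sophos sits behind it on a small transit link and takes over the address the servers already use as their gateway. This is an added example written for this page, not configuration from the original poster or from Sophos or MikroTik documentation; every address, interface name and port in it is an assumption chosen for illustration (203.0.113.0/24 as the provider network with the HSRP virtual IP at .1, 10.255.0.0/30 as the transit link, 192.168.10.0/24 as the existing server subnet, ether1/ether2 as the Mikrotik's uplink and LAN ports). Moving the server subnet behind the Sophos, instead of pointing the servers at a Sophos that shares the Mikrotik's LAN segment as in option 1, keeps the return path from the Mikrotik to the servers from bypassing the firewall.

```routeros
# Assumed addressing (illustration only, not from the original post):
#   ether1  203.0.113.2/24   provider side; the HSRP virtual IP is 203.0.113.1
#   ether2  10.255.0.1/30    transit link to the Sophos WAN port (10.255.0.2)
#   192.168.10.0/24          server subnet; 192.168.10.1 was the Mikrotik LAN
#                            address and becomes the Sophos LAN address, so the
#                            servers keep their IPs and their gateway setting

/ip address
# ether2 is renumbered from 192.168.10.1/24 to the transit link
add address=203.0.113.2/24 interface=ether1 comment="provider uplink"
add address=10.255.0.1/30 interface=ether2 comment="transit to Sophos WAN"

/ip route
# Internet via the provider's HSRP virtual IP
add dst-address=0.0.0.0/0 gateway=203.0.113.1
# The server subnet is now reachable only through the Sophos, so replies to
# forwarded connections also traverse the firewall (no asymmetric path)
add dst-address=192.168.10.0/24 gateway=10.255.0.2

/ip firewall nat
# Source NAT stays on the Mikrotik, as today
add chain=srcnat out-interface=ether1 action=masquerade
# Existing per-customer port forwards keep both their public port and their
# target address; only the route to the target changed above.
# Assumed example: RDP on public port 33891 -> 192.168.10.20:3389
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=33891 action=dst-nat to-addresses=192.168.10.20 to-ports=3389
# Assumed example: HTTPS on public port 443 -> 192.168.10.30:443
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.10.30 to-ports=443
```

On the Sophos side this assumes the WAN port is given 10.255.0.2/30 with a default route to 10.255.0.1, the LAN port takes 192.168.10.1/24 so the servers' existing gateway address keeps working, and the Sophos does no NAT of its own since the Mikrotik still masquerades. Because the Sophos only sees traffic that the Mikrotik has already port-forwarded, its firewall rules see the real server address as the destination and the real client address as the source, which is what the monitoring and web-filtering goals in the post need.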