Achieving Domain Controller via SSL VPN is impossible

Hi to all of you.

I have two Sophos XGS 136 in HA (active / passive); the firmware version is SFOS 18.5.3 MR-3-Build408.

IT infrastructure consists on:

  • 1 Windows Server 2019 Host with Hyper-V role
  • n.2 VM Windows Server 2019: both are DC and one of them has file server Role
  • Many Windows 10 Pro clients

All servers (Host and VM) and clients are on the same subnet

I have configured user authentication via active directory on Sophos XG; users access via VPN SSL using them AD credentials and they are able to reach all the devices on the network (PC clients, NAS, networks printers, access point, or the Hyper-V Host server), but not the Domain controllers VM!

On the firewall, Active Directory Server authentication was originally set with "Plaintext" connection security, but in this moment is set with SSL/TLS connection security (and the Test connection works). 

There's no way to reach DCs: ping, rdp session, shares browsing on file server, etc always fail, but If I make the same tests to the Host Server, they perfectly work.

DCs are not reachable also if I try to connect using SSL VPN local user of the Sophos XG

If Host Server and VMs are on the same subnet (, can the problem be a bad traffic rules configuration?

PS: To exclude that it is a Hyper-V problem, I installed a Windows 10 VM on the Hyper-V Host server and It's perfectly reached from SSL VPN user
PPS: Having a Qnap NAS at my disposal, I enabled OpenVPN server on it; in this case SSL VPN (qnap) users can perfectly reach DCs servers. 

Can you help me to solve this big problem? Thanks for your support!

Edited TAGs
[edited by: emmosophos at 6:11 PM (GMT -7) on 17 Jun 2022]