
configure RDP to ZTNA

Hello. I want to replace my current XGS VPN with ZTNA for RDP access. Where can I find some documentation to help me?

Thanks...



  • Moved this thread to the matching community:
    https://community.sophos.com/zero-trust-network-access/
    You will find most of the relevant information and documentation there.

    Do you have an IDP (Azure AD or OKTA)?


  • Hi, thanks for the help. We use on-premise AD; can't you use ZTNA in this scenario?

  • No, because on-premise AD does not support the next generation of authentication. You should look at Azure AD for multiple reasons, as it resolves plenty of the limitations and challenges of the past decades with on-premise AD.


  • BTW: Azure AD Connect should be on your list for the future. 


  • Hello Lucar_Toni,

    Could you teach me (and maybe others as well) what next-generation authentication on-premise Microsoft Active Directory does not support? When the whole of Azure is built on Microsoft Active Directory ....

    Regards

    alda

  • Sure. The architecture is based on ZTNA, but the technology for communicating with the IDP is the problem.

    While an "on-premise" AD is basically behind a firewall, a client on the internet is not able to talk to the AD. Azure AD always provides a connector to the IDP. This means you can update policies, the status of the client and the status of the user all the time, without any kind of connection to a firewall or to an AD server.

    Azure AD was built with this in mind, to resolve the issue of connectivity to the IDP itself. (Think about the case where you change your password and try to reach the AD via VPN, but the client has not updated "yet".)

    All those protocols that AD uses are now encapsulated in TLS on port 443.

    And this is not considering the entirely new stacks built around Azure AD (Azure MFA etc.). I am not able to give more insight into the world of Azure, but there are certain advantages which customers get by moving to Azure AD, and that's the reason most customers move (Microsoft 365 integration, for example).


  • I'm sorry, but the restrictions in terms of user authorization are within the implementation of Sophos ZTNA, and it is definitely not a limitation of the possibilities of on-premises Active Directory client authorization.
    I think it is more correct to write: we have implemented ZTNA with these restrictions, which you must respect when deploying Sophos ZTNA.
    I can use, for example, OKTA as an IDP (which, by the way, you already support in the current version), and it offers significantly more authorization functions to third parties than MS Azure.

    Regards

    alda

  • There is no restriction. Azure AD and OKTA are supported. To get support for a product like on-premise AD, you would have to reinvent Azure AD on premise and implement the API support or a piece of software to query the AD. It does not work with LDAP in this manner for a client, and it would be a step back from future technologies like implementing something like Security Center (which is also not implemented for on-premise AD).

    So supporting something which is not future-proof and does not support everything on the ZTNA roadmap looks like a bad trade to begin with.


  • Please read again the sentence you wrote: "because on premise AD does not support the next generation of Authentication."

    The restrictions are not in on-premise Active Directory but in the ZTNA architecture, which in principle needs an external IDP, and Azure is not the only possible option.
    This is, I think, necessary to tell potential users, but definitely not a reason to stop using the internal on-premise Active Directory!

    Regards

    alda

    P.S. If you are not an Azure reseller ....

    Laughing

  • On-premise does not support the sync to the client. This is a next-generation integration of the client (see Windows 11). That is the point.
