Issues getting RDP over ZTNA to work properly with Cloudflare (SSL handshake error)

Hello folks, I'm reaching out for assistance with an issue that I've been working on with Sophos Support for over a week and that we're having trouble fixing. Any helpful information is greatly appreciated. Here's the scenario:

Prereqs - I've followed all prereq steps to get ZTNA properly installed, which Sophos Support has also confirmed.

ZTNA has been properly configured on both firewalls (Office and Cloud) and can properly route our test web apps on our network using an Agentless policy. All CNAMEs are configured properly, etc. These sites are also available in the resource portal on both gateways. This also works for connecting to the FW admin webpage over ZTNA. When I try to change this to agent-based, it no longer works. When digging in the network threat logs, the support agent found a 525 SSL error in the ZTNA agent logs, which is quite strange. This is also the case on both gateways when trying to make an RDP connection over ZTNA. I've made sure the same wildcard cert and key have been uploaded to each gateway several times, and I've uploaded this cert to Cloudflare for good measure. We've also tried changing the A DNS record from Proxied to DNS Only, with no luck for RDP. Reinstalling the ZTNA agent has not helped either. So right now I'm at a loss. It appears the issue is with SSL, but there are no troubleshooting tools available to verify whether the cert on the gateway is in use or not.

Also, I've done this exact same setup, WITHOUT Cloudflare, on my home setup running an XG 115 on v19 with no issues. Both RDP and agentless web apps work without any issues with GoDaddy DNS, using the same SSL wildcard cert provider. Any input is greatly appreciated.



  • Hello!

    I'm also using Cloudflare as my DNS provider. One thing I had to do is always select the option "DNS Only" as "Proxy Status", or the "Agent"-based resources wouldn't work.

    This includes all CNAMEs if using ZTNAaaS, or A records if running a ZTNA VM.

    Can you verify if the DNS records are all as "DNS Only" on the Cloudflare Dashboard?

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

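A quick way to check the point made in this reply is to resolve each ZTNA hostname and see whether it comes back as a Cloudflare edge address (Proxied, "orange cloud") or as the gateway's own address (DNS Only, "grey cloud"). The distinction matters for the symptom in the original post: Cloudflare's 525 status is what its edge returns when its own TLS handshake to the origin fails, and it can only arise when the record is proxied, since only then does Cloudflare sit in the path; the proxy also forwards HTTP(S) only, so an agent-based RDP session has no way through it. The script below is an added example for this thread, not Sophos or Cloudflare code. It assumes the gateway's expected public IP is known, uses Cloudflare's published IPv4 edge ranges (snapshot at time of writing; refresh from https://www.cloudflare.com/ips-v4 before relying on it), and ships with constructed sample records so it runs offline.

```python
"""Audit whether Cloudflare DNS records for ZTNA resources are "DNS Only".

Example added to this thread (not from Sophos or Cloudflare). A record is
judged Proxied if any resolved address sits in Cloudflare's edge ranges.
"""
import ipaddress
import socket
import sys

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Snapshot at time of writing; refresh from that URL before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(addr: str) -> bool:
    """True if addr falls inside a Cloudflare IPv4 edge range (record is proxied).

    IPv6 is not checked here; Cloudflare publishes those ranges separately
    at https://www.cloudflare.com/ips-v6.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    return any(ip in net for net in CLOUDFLARE_V4)


def classify(addresses, expected_origin=None):
    """Classify one record's resolved addresses.

    PROXIED      - at least one address is a Cloudflare edge IP (orange cloud)
    WRONG_ORIGIN - DNS Only, but not pointing at the expected gateway IP
    DNS_ONLY     - grey cloud and (if an origin was given) pointing at it
    """
    if any(is_cloudflare_edge(a) for a in addresses):
        return "PROXIED"
    if expected_origin is not None and expected_origin not in addresses:
        return "WRONG_ORIGIN"
    return "DNS_ONLY"


def audit(records, expected_origin=None):
    """records: {hostname: [resolved addresses]} -> {hostname: status}."""
    return {host: classify(addrs, expected_origin) for host, addrs in records.items()}


def resolve(hostname):
    """Live A-record lookup through the system resolver (follows CNAMEs)."""
    return sorted(set(socket.gethostbyname_ex(hostname)[2]))


# Constructed sample data: one proxied record, one correct DNS Only record,
# one DNS Only record pointing at the wrong host. The addresses are
# documentation/example values, not real gateways.
SAMPLE_ORIGIN = "203.0.113.10"
SAMPLE_RECORDS = {
    "ztna-gw.example.com": ["104.16.1.1", "104.16.2.2"],  # Proxied
    "rdp.example.com": ["203.0.113.10"],                  # DNS Only, correct
    "portal.example.com": ["198.51.100.7"],               # DNS Only, wrong target
}

if __name__ == "__main__":
    # Usage: python audit_cf.py <gateway-public-ip> host1 [host2 ...]
    # With no arguments the constructed sample records are audited instead.
    if len(sys.argv) > 2:
        origin, hosts = sys.argv[1], sys.argv[2:]
        records = {h: resolve(h) for h in hosts}
    else:
        origin, records = SAMPLE_ORIGIN, SAMPLE_RECORDS
    for host, status in audit(records, origin).items():
        print(f"{status:13} {host} -> {', '.join(records[host])}")
```

Anything reported as PROXIED needs its Proxy Status switched to "DNS Only" in the Cloudflare dashboard; WRONG_ORIGIN usually means a stale A record or a CNAME chain ending somewhere other than the gateway. Running it against the live names is a useful first check before digging into certificates, because a proxied record produces TLS failures that look like a gateway certificate problem but are not.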
  • I can verify that DNS Only was selected, but still no joy. The CNAME resources worked regardless of whether proxy was on or not. From Wireshark readings, I've noticed that RDP is not receiving replies going over the ZTNA adapter, which means the traffic isn't even making it to the firewall. RDP does work locally, to rule out the local firewall theory. It's most likely due to the SSL error that keeps appearing in the network threat logs for agent-based traffic.