
Issues getting RDP over ZTNA to work properly with Cloudflare (SSL handshake error)

Hello folks, I'm reaching out for assistance with an issue that I've been working on with Sophos Support for over a week and that we're having trouble fixing. Any helpful information is greatly appreciated. Here's the scenario:

Prereqs - I've followed all prereq steps to get ZTNA properly installed, also confirmed by Sophos Support.

ZTNA has been properly configured on both firewalls (Office and Cloud) and can properly route our test web apps on our network using an Agentless policy. All CNAMEs are configured properly, etc. These sites are also available in the resource portal on both gateways. This also works for connecting to the FW admin webpage over ZTNA. When I try to change this to agent based, this no longer works. When digging in the network threat logs, the support agent found a 525 SSL error in the ZTNA agent logs, which is quite strange. This is also valid for both gateways when trying to make an RDP connection over ZTNA. I've made sure the same wildcard cert and key have been uploaded to each gateway several times, and I've uploaded this cert to Cloudflare for good measure. We've also tried changing the A DNS record from proxied to DNS only, with no luck for RDP. Reinstalling the ZTNA agent has not helped either. So right now I'm at a loss. It appears the issue is with SSL, but there are no troubleshooting tools available to verify whether the cert on the gateway is in use or not.

Also, I've done this exact same setup, WITHOUT Cloudflare, on my home setup running an XG 115 on v19 with no issues. Both RDP and agentless web apps, with GoDaddy DNS, work without any issues using the same SSL wildcard cert provider. Any input is greatly appreciated.

This thread was automatically locked due to age.
  • Update: My Support session yesterday made some progress but no fix. I noticed that the Root CA was not showing properly when inspecting the certificate for both gateways. When I disabled live internet scanning and web control, the correct certificate information was coming through and showed the correct Root CA, instead of the local firewall showing as the root CA. Very strange, since I have a similar endpoint policy set up for real-time / live scanning in my other environment. Agent-based comms still don't work yet, btw. Agentless works fine.
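The original post says there is no tool to verify which certificate the gateway is actually serving, and the update above shows the symptom that tells you: the chain seen by the client ends at the local firewall rather than the public CA that issued the wildcard cert. The following Go program is an added example written for this thread, not Sophos tooling or code from the poster. It does a TLS handshake against a host:port you give it, records the leaf subject, SANs, issuer and last certificate in the presented chain, flags the chain when the expected public CA's name appears in none of the issuers, and separately reports whether the chain validates against the machine's trust store. Run with no arguments it exercises a constructed offline chain (a "*.example.com" leaf signed by a made-up "Lab Firewall Inspection CA"); the hostnames and CA names are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// ChainReport summarises the certificate chain a TLS endpoint actually presented.
type ChainReport struct {
	LeafSubject    string   // CN of the server certificate
	LeafIssuer     string   // CN of whoever signed the server certificate
	DNSNames       []string // SANs on the server certificate
	RootSubject    string   // CN of the last certificate in the presented chain
	IssuerMismatch bool     // expected public CA appears in none of the chain's issuers
	VerifyErr      string   // non-empty when the chain fails against the system trust store
}

// InspectChain classifies a presented chain. expectedIssuer is a case-insensitive substring
// of the CN or Organization of the public CA that issued the wildcard cert; hostname (may be
// empty) is checked against the leaf's SANs during verification.
func InspectChain(chain []*x509.Certificate, expectedIssuer, hostname string) ChainReport {
	r := ChainReport{IssuerMismatch: true}
	if len(chain) == 0 {
		r.VerifyErr = "no certificate presented"
		return r
	}
	leaf := chain[0]
	r.LeafSubject, r.LeafIssuer, r.DNSNames = leaf.Subject.CommonName, leaf.Issuer.CommonName, leaf.DNSNames
	r.RootSubject = chain[len(chain)-1].Subject.CommonName
	// If nothing in the chain was issued by the expected public CA, either the wrong cert is
	// installed or a device in the path (e.g. a firewall doing TLS inspection) re-signed it.
	want := strings.ToLower(expectedIssuer)
	for _, c := range chain {
		for _, name := range append([]string{c.Issuer.CommonName}, c.Issuer.Organization...) {
			if strings.Contains(strings.ToLower(name), want) {
				r.IssuerMismatch = false
			}
		}
	}
	// Independently ask the system trust store whether the chain is trusted at all.
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Intermediates: intermediates, DNSName: hostname}); err != nil {
		r.VerifyErr = err.Error()
	}
	return r
}

// Probe handshakes with addr (host:port), sends serverName in SNI and inspects the chain.
// InsecureSkipVerify only lets us fetch an untrusted chain; trust is judged in InspectChain.
func Probe(addr, serverName, expectedIssuer string) (ChainReport, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return ChainReport{}, err
	}
	defer conn.Close()
	return InspectChain(conn.ConnectionState().PeerCertificates, expectedIssuer, serverName), nil
}

// buildSampleChain constructs an offline input: a *.example.com leaf signed by a made-up
// "Lab Firewall Inspection CA", mimicking a re-signed connection. Names are constructed.
func buildSampleChain() []*x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Firewall Inspection CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.com"},
		DNSNames: []string{"*.example.com", "example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return []*x509.Certificate{mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey), ca}
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	// Usage: go run . gateway.example.com:443 gateway.example.com "Public CA Name"
	if len(os.Args) == 4 {
		r, err := Probe(os.Args[1], os.Args[2], os.Args[3])
		if err != nil {
			fmt.Println("handshake failed:", err)
			return
		}
		fmt.Printf("%+v\n", r)
		return
	}
	fmt.Printf("%+v\n", InspectChain(buildSampleChain(), "Example Public CA", "gateway.example.com"))
}
```

Run it once from a client with the endpoint's web filtering enabled and once with it disabled: if `LeafIssuer`/`RootSubject` change from the firewall's local CA to the public CA and `IssuerMismatch` flips to false, the cert on the gateway is fine and the re-signing is what the ZTNA agent is rejecting; if the public CA never appears even with filtering off, the gateway is not serving the wildcard cert you uploaded.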
