I have followed KBs (https://support.sophos.com/support/s/article/KBA-000008481?language=en_US) to get nearly all aspects of domain communication to work for ZTNA endpoints. They are able to change passwords, authenticate, access file shares over SMB, and, I believe DNS from the DCs. We have multiple DCs and, if I am correct, the KB only supports one (which hasn't been a problem in our pilot phase). The issue is that the endpoints on ZTNA (not onsite and completely remote) are not able to process GPO updates. This came to light when we deployed a new RDS that required a new signed RDP file and the endpoints were not getting the updated file (deployed through GPO preferences) and then when manually deployed, those endpoints were not able to connect because the endpoint was unable to perform a CRL check on the newly signed files (cert was issued by internal domain CA). This all work perfectly fine while onsite for non-ZTNA endpoints (have not been able to test ZTNA onsite). Is this expected behavior at the moment or are there additional steps that are needed to enable these functions? To clarify, I have the DCs as resources with full TCP/UDP ports listed.
Thank you,
James
