Step-by-Step Guide to Configuring Sophos ZTNA for Active Directory and Domain Controllers connectivity

If you're trying to configure Sophos ZTNA to enable connectivity to your Primary Domain Controller (PDC) for Active Directory (AD) services, including authentication, GPO processing, password changes, and LDAP queries, this guide is for you.

I faced challenges setting this up, and despite creating a support ticket and referencing the official Sophos article (KBA-000008481), I found that the provided instructions and video were incorrect. To save you hours of testing and troubleshooting, I’m sharing the correct configuration steps below.


Step 1: Configure Access to the Primary Domain Controller

First, create a ZTNA resource in Sophos Central to allow access to the required ports on your Primary Domain Controller. Ensure the RESOURCE TYPE is set to Other (not Web Application). The ports you need to open are:

TCP Ports:

  • 53, 80, 88, 135, 139, 389, 443, 445, 464, 636, 3268, 3269, 49666, 49670, 49152-65535

UDP Ports:

  • 53, 88, 123, 137, 138, 389, 636

Step 2: Create 17 SRV Records as ZTNA Resources

You also need to create 17 ZTNA resources for the required SRV records that Active Directory relies on. Make sure to:

  • Set RESOURCE TYPE to Other (as opposed to Web Application, which is incorrectly suggested in the Sophos article).
  • Use the following naming syntax for the resources:
    __SRV _ldap _tcp <DomainName>

List of Required SRV Records:

  1. _ldap._tcp.<DomainName>
  2. _ldap._tcp.dc._msdcs.<DomainName>
  3. _ldap._tcp.<SiteName>._sites.<DomainName>
  4. _ldap._tcp.<SiteName>._sites.dc._msdcs.<DomainName>
  5. _ldap._tcp.DomainDnsZones.<DomainName>
  6. _ldap._tcp.ForestDnsZones.<DomainName>
  7. _ldap._tcp.pdc._msdcs.<DomainName>
  8. _ldap._tcp.gc._msdcs.<DomainName>
  9. _gc._tcp.<DomainName>
  10. _gc._tcp.<SiteName>._sites.<DomainName>
  11. _kerberos._tcp.<DomainName>
  12. _kerberos._udp.<DomainName>
  13. _kerberos._tcp.dc._msdcs.<DomainName>
  14. _kerberos._tcp.<SiteName>._sites.<DomainName>
  15. _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DomainName>
  16. _kpasswd._tcp.<DomainName>
  17. _kpasswd._udp.<DomainName>

Final Setup and Testing

After creating these 18 resources (1 for the PDC ports and 17 for the SRV records), your setup should work correctly, enabling full Active Directory functionality via Sophos ZTNA.


Acknowledgments

A big thanks to Nikita Sharma from Sophos Tech Support for her assistance during this process. I hope Sophos incorporates this guide into their official documentation to save others the frustration I experienced.

Let me know in the comments if this worked for you or if you have additional questions!



Added TAGs
[edited by: Raphael Alganes at 2:11 PM (GMT -8) on 4 Feb 2025]
  • Hi Rafael, Thanks for your feedback and comments. We will review the KBA that was published, re-test and incorporate the suggestions made above. 

    • Thank you Rafael for sharing: this is what the Community is for and I really appreciate that. We used AD Connect since it first became available and it's a bad workaround, but at least it is a workaround. For now we still have issues with gpupdate, but I will update my policies as you discovered with Sophos and give you feedback. Again, thanks for your work on that.

      • Let me know if setting up all the SRV records fixes your issues and makes gpupdate /force work. It does for me, and we have an out-of-the-box AD setup. If you have a custom or complex setup then you might need more SRV records (check on your PDC).

      • Follow-Up: Comprehensive Configuration for Sophos ZTNA with Active Directory Integration

        This post builds on the initial guide by incorporating field-specific instructions for configuring resources in the Sophos ZTNA Add Resource window. It also provides detailed definitions and port requirements for all 17 SRV records, ensuring proper Active Directory (AD) functionality.


        Key Configuration Notes:

        1. In the Add Resource window:
          • Resource Name: Use the correct syntax (e.g., __SRV _ldap _tcp example com).
          • Resource Type: Always select Other.
          • Ports: Specify the required TCP/UDP ports based on the example.
          • External FQDN: Input the corresponding FQDN (e.g., srv01-pdc.example.com).
          • Assign User Groups: Assign the appropriate group (e.g., Sophos ZTNA AD) for access control.
        2. Replace example.com and <PDC name> with your actual domain name and Primary Domain Controller (PDC).
        3. Each SRV record corresponds to specific AD services (details below).


        SRV Records Configuration:

        1. __SRV _ldap _tcp example com

          • Description: Locate LDAP-enabled services for general directory operations (e.g., authentication, GPO processing, LDAP queries).
          • Ports: TCP 389, 636
          • External FQDN: srv01-<PDC name>.example.com
        2. __SRV _ldap _tcp dc _msdcs example com

          • Description: Locate all Domain Controllers (DCs) for redundancy and failover.
          • Ports: TCP 389, 636
          • External FQDN: srv02-<PDC name>.example.com
        3. __SRV _ldap _tcp Default-First-Site-Name _sites example com

          • Description: Locate site-specific LDAP-enabled services for optimized communication.
          • Ports: TCP 389, 636
          • External FQDN: srv03-<PDC name>.example.com
        4. __SRV _ldap _tcp Default-First-Site-Name _sites dc _msdcs example com

          • Description: Locate site-specific Domain Controllers for LDAP communication in multi-site environments.
          • Ports: TCP 389, 636
          • External FQDN: srv04-<PDC name>.example.com
        5. __SRV _ldap _tcp DomainDnsZones example com

          • Description: Support domain-specific replication and resource discovery.
          • Ports: TCP 389, 636
          • External FQDN: srv05-<PDC name>.example.com
        6. __SRV _ldap _tcp ForestDnsZones example com

          • Description: Enable forest-wide replication and resource discovery.
          • Ports: TCP 389, 636
          • External FQDN: srv06-<PDC name>.example.com
        7. __SRV _ldap _tcp pdc _msdcs example com

          • Description: Locate the PDC emulator for password changes, time synchronization, and legacy applications.
          • Ports: TCP 389, 636
          • External FQDN: srv07-<PDC name>.example.com
        8. __SRV _ldap _tcp gc _msdcs example com

          • Description: Locate any Global Catalog (GC) for forest-wide searches.
          • Ports: TCP 3268, 3269
          • External FQDN: srv08-<PDC name>.example.com
        9. __SRV _gc _tcp example com

          • Description: Locate Global Catalog servers across the AD domain for compatibility and redundancy.
          • Ports: TCP 3268, 3269
          • External FQDN: srv09-<PDC name>.example.com
        10. __SRV _gc _tcp Default-First-Site-Name _sites example com

          • Description: Locate site-specific Global Catalog servers for optimized performance.
          • Ports: TCP 3268, 3269
          • External FQDN: srv10-<PDC name>.example.com
        11. __SRV _kerberos _tcp example com

          • Description: Locate DCs that provide Kerberos authentication over TCP.
          • Ports: TCP 88
          • External FQDN: srv11-<PDC name>.example.com
        12. __SRV _kerberos _udp example com

          • Description: Locate DCs that provide Kerberos authentication over UDP.
          • Ports: UDP 88
          • External FQDN: srv12-<PDC name>.example.com
        13. __SRV _kerberos _tcp dc _msdcs example com

          • Description: Locate all DCs for Kerberos operations over TCP.
          • Ports: TCP 88
          • External FQDN: srv13-<PDC name>.example.com
        14. __SRV _kerberos _tcp Default-First-Site-Name _sites example com

          • Description: Locate site-specific DCs for Kerberos authentication over TCP.
          • Ports: TCP 88
          • External FQDN: srv14-<PDC name>.example.com
        15. __SRV _kerberos _tcp Default-First-Site-Name _sites dc _msdcs example com

          • Description: Locate site-specific DCs for Kerberos authentication over TCP in multi-site environments.
          • Ports: TCP 88
          • External FQDN: srv15-<PDC name>.example.com
        16. __SRV _kpasswd _tcp example com

          • Description: Locate DCs for Kerberos password changes over TCP.
          • Ports: TCP 464
          • External FQDN: srv16-<PDC name>.example.com
        17. __SRV _kpasswd _udp example com

          • Description: Locate DCs for Kerberos password changes over UDP.
          • Ports: UDP 464
          • External FQDN: srv17-<PDC name>.example.com

        Final Testing:

        After configuring all 18 resources (17 SRV records + PDC ports), validate the setup by checking:

        • AD authentication functionality.
        • GPO processing on connected systems.
        • Password change operations.
        • LDAP queries for expected results.

        Let me know if you have additional questions or need further clarification!
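As an added check that is not part of the original post, the follow-up, or Sophos' documentation: the PowerShell below, run on a ZTNA-enrolled Windows client, builds the 17 SRV names listed above from your domain and AD site name, resolves each one through the agent, and probes the TCP port each SRV record advertises. The default values of $Domain and $Site are assumed placeholders; UDP records are resolved but not probed, because Test-NetConnection only tests TCP.

```powershell
# Added example: validate the 17 SRV records and their ports after the ZTNA
# resources are created. Replace the defaults below with your own domain and site.
param(
    [string]$Domain = 'example.com',             # assumed placeholder domain
    [string]$Site   = 'Default-First-Site-Name'  # assumed AD site name
)

# The 17 SRV records from the guide; {d} = domain, {s} = AD site name.
$srvPatterns = @(
    '_ldap._tcp.{d}',                 '_ldap._tcp.dc._msdcs.{d}',
    '_ldap._tcp.{s}._sites.{d}',      '_ldap._tcp.{s}._sites.dc._msdcs.{d}',
    '_ldap._tcp.DomainDnsZones.{d}',  '_ldap._tcp.ForestDnsZones.{d}',
    '_ldap._tcp.pdc._msdcs.{d}',      '_ldap._tcp.gc._msdcs.{d}',
    '_gc._tcp.{d}',                   '_gc._tcp.{s}._sites.{d}',
    '_kerberos._tcp.{d}',             '_kerberos._udp.{d}',
    '_kerberos._tcp.dc._msdcs.{d}',   '_kerberos._tcp.{s}._sites.{d}',
    '_kerberos._tcp.{s}._sites.dc._msdcs.{d}',
    '_kpasswd._tcp.{d}',              '_kpasswd._udp.{d}'
)

$results = foreach ($pattern in $srvPatterns) {
    $name  = $pattern.Replace('{d}', $Domain).Replace('{s}', $Site)
    $isUdp = $name -like '*._udp.*'
    try {
        # One DnsRecord_SRV object comes back per DC that offers the service.
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $records) {
            $tcpOk = $null
            if (-not $isUdp) {
                # Probe the port the SRV record itself advertises (389, 3268, 88 or 464).
                $tcpOk = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                         -InformationLevel Quiet -WarningAction SilentlyContinue
            }
            [pscustomobject]@{ Record = $name; Target = $r.NameTarget
                               Port = $r.Port; TcpReachable = $tcpOk }
        }
    } catch {
        # A record that does not resolve means the matching ZTNA resource is missing
        # or its name does not follow the __SRV naming syntax from the guide.
        [pscustomobject]@{ Record = $name; Target = 'NOT RESOLVED'
                           Port = $null; TcpReachable = $false }
    }
}

$results | Format-Table -AutoSize
```

Any row showing NOT RESOLVED or TcpReachable False points at the specific SRV resource or port rule to revisit in Sophos Central.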

        • I was able to perform all 4 tasks below after adding all resources to ZTNA 

          • AD authentication functionality.
          • GPO processing on connected systems.
          • Password change operations.
          • LDAP queries for expected results.

          Also able to perform gpupdate /force without errors, the only thing that did not work was the login script that was defined in AD Users and Computers > user profile. Any suggestion what I could be missing?

        • This is a brilliant write-up, thank you so much. We desperately want to get this working to get line of sight to our field-based technicians and users!

          I have additional queries please with regard to the setup of these 18x resources...

          For resource #1, to allow all the ADDS protocols and service ports, I'm assuming the External & Internal FQDN configured in the resource will simply be the FQDN of my PDC, e.g. contosodc01.contoso.com

          For resources #2-18 I'm confused: how does the ZTNA adapter know to intercept this traffic and redirect it to the PDC?

          Must I additionally add all the 17x External FQDN names listed in the 17x ZTNA resources to my internal DNS zone file and point them at my PDC as CNAME records or something?

          • Replace example com with your local domain contoso com
            You don't need to put the name of the PDC. AD does all the magic behind the scenes including resources 2-18.
            I found in my case I had to add all 18 resources to ZTNA to make everything work. Some are extra and you can make it work with less but I wanted a full redundant solution so ZTNA would switch to the Secondary DC in the event the PDC was down.

            Btw after almost a year using ZTNA I decided to go back to Sophos SSL VPN using our XGS firewall. Our users have sporadic issues with ZTNA when working remotely and our 3rd party IT support company cannot troubleshoot ZTNA issues, so I end up having to troubleshoot the problems myself. VPN is older technology but it is 100% reliable. ZTNA is awesome when it works but people get frustrated when it doesn't work (which is at least once a month for us).

            • Hi, we have rolled out a fix which would make this configuration easier and more user-friendly than the suggested workaround. More details can be found here: https://community.sophos.com/zero-trust-network-access/b/announcements/posts/sophos-ztna-updates-for-june-2025 . Please do try that out and let us know if that helps.

              • Hello Tejas, thank you for the update.

                I see the new "Domain Controller (DC)" resource type now and that it includes all the SRV records auto-populated based on the External FQDN name you supply in the resource.

                Looking forward to testing this out, will revert once I've had a chance to test.

                Thanks!

                • That is great news that Sophos added DC for the ZTNA. Creating all those records was painful.