If you're trying to configure Sophos ZTNA to enable connectivity to your Primary Domain Controller (PDC) for Active Directory (AD) services, including authentication, GPO processing, password changes, and LDAP queries, this guide is for you.
I faced challenges setting this up, and despite creating a support ticket and referencing the official Sophos article (KBA-000008481), I found that the provided instructions and video were incorrect. To save you hours of testing and troubleshooting, I’m sharing the correct configuration steps below.
Step 1: Configure Access to the Primary Domain Controller
First, create a ZTNA resource in Sophos Central to allow access to the required ports on your Primary Domain Controller. Ensure the RESOURCE TYPE is set to Other (not Web Application). The ports you need to open are:
TCP Ports:
- 53, 80, 88, 135, 139, 389, 443, 445, 464, 636, 3268, 3269, 49666, 49670, 49152-65535
UDP Ports:
- 53, 88, 123, 137, 138, 389, 636
Step 2: Create 17 SRV Records as ZTNA Resources
You also need to create 17 ZTNA resources for the required SRV records that Active Directory relies on. Make sure to:
- Set RESOURCE TYPE to Other (as opposed to Web Application, which is incorrectly suggested in the Sophos article).
- Use the following naming syntax for the resources:
__SRV _ldap _tcp <DomainName>
List of Required SRV Records:
_ldap._tcp.<DomainName>
_ldap._tcp.dc._msdcs.<DomainName>
_ldap._tcp.<SiteName>._sites.<DomainName>
_ldap._tcp.<SiteName>._sites.dc._msdcs.<DomainName>
_ldap._tcp.DomainDnsZones.<DomainName>
_ldap._tcp.ForestDnsZones.<DomainName>
_ldap._tcp.pdc._msdcs.<DomainName>
_ldap._tcp.gc._msdcs.<DomainName>
_gc._tcp.<DomainName>
_gc._tcp.<SiteName>._sites.<DomainName>
_kerberos._tcp.<DomainName>
_kerberos._udp.<DomainName>
_kerberos._tcp.dc._msdcs.<DomainName>
_kerberos._tcp.<SiteName>._sites.<DomainName>
_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DomainName>
_kpasswd._tcp.<DomainName>
_kpasswd._udp.<DomainName>
Final Setup and Testing
After creating these 18 resources (1 for the PDC ports and 17 for the SRV records), your setup should work correctly, enabling full Active Directory functionality via Sophos ZTNA.
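As an added check for this final step (not from the original post or the Sophos article), the following PowerShell script, run on a domain-joined Windows client with the ZTNA agent connected, resolves each of the 17 SRV records from Step 2, probes TCP reachability of the targets they return, and then probes the fixed TCP ports from Step 1 against the PDC. The values of $DomainName, $SiteName and $PdcHost are placeholders you replace with your own.

```powershell
# Added verification script; not from the original post or the Sophos article.
# Run on a domain-joined Windows client with the ZTNA agent connected.
# $DomainName, $SiteName and $PdcHost are placeholders: replace with your values.
$DomainName = 'corp.example'
$SiteName   = 'Default-First-Site-Name'
$PdcHost    = 'pdc01.corp.example'

# The 17 SRV records from Step 2 with <DomainName> and <SiteName> filled in.
$srvRecords = @(
    "_ldap._tcp.$DomainName",
    "_ldap._tcp.dc._msdcs.$DomainName",
    "_ldap._tcp.$SiteName._sites.$DomainName",
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName",
    "_ldap._tcp.DomainDnsZones.$DomainName",
    "_ldap._tcp.ForestDnsZones.$DomainName",
    "_ldap._tcp.pdc._msdcs.$DomainName",
    "_ldap._tcp.gc._msdcs.$DomainName",
    "_gc._tcp.$DomainName",
    "_gc._tcp.$SiteName._sites.$DomainName",
    "_kerberos._tcp.$DomainName",
    "_kerberos._udp.$DomainName",
    "_kerberos._tcp.dc._msdcs.$DomainName",
    "_kerberos._tcp.$SiteName._sites.$DomainName",
    "_kerberos._tcp.$SiteName._sites.dc._msdcs.$DomainName",
    "_kpasswd._tcp.$DomainName",
    "_kpasswd._udp.$DomainName"
)

# Helper: TCP probe. Test-NetConnection cannot probe UDP, so the _udp records are
# checked on TCP only (Kerberos and kpasswd also listen on TCP 88 and 464).
function Test-Tcp($Server, $Port) {
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }
}

Write-Host "== SRV records (Step 2) =="
foreach ($name in $srvRecords) {
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } | ForEach-Object {
                Write-Host ("{0}  {1} -> {2}:{3}" -f (Test-Tcp $_.NameTarget $_.Port), $name, $_.NameTarget, $_.Port)
            }
    } catch { Write-Host ("FAIL  {0} did not resolve: {1}" -f $name, $_.Exception.Message) }
}

# Fixed TCP ports from Step 1; the dynamic RPC range 49152-65535 is not swept here.
Write-Host "== TCP ports on $PdcHost (Step 1) =="
foreach ($p in 53,80,88,135,139,389,443,445,464,636,3268,3269,49666,49670) {
    Write-Host ("{0}  {1}:{2}" -f (Test-Tcp $PdcHost $p), $PdcHost, $p)
}
```

A FAIL on a resolution line usually means the matching SRV ZTNA resource is missing or still set to Web Application; a FAIL on a port line points at the Step 1 resource.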
Acknowledgments
A big thanks to Nikita Sharma from Sophos Tech Support for her assistance during this process. I hope Sophos incorporates this guide into their official documentation to save others the frustration I experienced.
Let me know in the comments if this worked for you or if you have additional questions!
[edited by: Raphael Alganes at 2:11 PM (GMT -8) on 4 Feb 2025]