Step-by-Step Guide to Configuring Sophos ZTNA for Active Directory and Domain Controllers connectivity

If you're trying to configure Sophos ZTNA to enable connectivity to your Primary Domain Controller (PDC) for Active Directory (AD) services, including authentication, GPO processing, password changes, and LDAP queries, this guide is for you.

I faced challenges setting this up, and despite creating a support ticket and referencing the official Sophos article (KBA-000008481), I found that the provided instructions and video were incorrect. To save you hours of testing and troubleshooting, I’m sharing the correct configuration steps below.


Step 1: Configure Access to the Primary Domain Controller

First, create a ZTNA resource in Sophos Central to allow access to the required ports on your Primary Domain Controller. Ensure the RESOURCE TYPE is set to Other (not Web Application). The ports you need to open are:

TCP Ports:

  • 53, 80, 88, 135, 139, 389, 443, 445, 464, 636, 3268, 3269, 49666, 49670, 49152-65535

UDP Ports:

  • 53, 88, 123, 137, 138, 389, 636

Step 2: Create 17 SRV Records as ZTNA Resources

You also need to create 17 ZTNA resources for the required SRV records that Active Directory relies on. Make sure to:

  • Set RESOURCE TYPE to Other (as opposed to Web Application, which is incorrectly suggested in the Sophos article).
  • Use the following naming syntax for the resources:
    __SRV _ldap _tcp <DomainName>

List of Required SRV Records:

  1. _ldap._tcp.<DomainName>
  2. _ldap._tcp.dc._msdcs.<DomainName>
  3. _ldap._tcp.<SiteName>._sites.<DomainName>
  4. _ldap._tcp.<SiteName>._sites.dc._msdcs.<DomainName>
  5. _ldap._tcp.DomainDnsZones.<DomainName>
  6. _ldap._tcp.ForestDnsZones.<DomainName>
  7. _ldap._tcp.pdc._msdcs.<DomainName>
  8. _ldap._tcp.gc._msdcs.<DomainName>
  9. _gc._tcp.<DomainName>
  10. _gc._tcp.<SiteName>._sites.<DomainName>
  11. _kerberos._tcp.<DomainName>
  12. _kerberos._udp.<DomainName>
  13. _kerberos._tcp.dc._msdcs.<DomainName>
  14. _kerberos._tcp.<SiteName>._sites.<DomainName>
  15. _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DomainName>
  16. _kpasswd._tcp.<DomainName>
  17. _kpasswd._udp.<DomainName>

Final Setup and Testing

After creating these 18 resources (1 for the PDC ports and 17 for the SRV records), your setup should work correctly, enabling full Active Directory functionality via Sophos ZTNA.
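As an added verification script (not from the original post or from Sophos), the following PowerShell builds the 17 SRV names from a domain and site name, resolves each one from a ZTNA-connected Windows client, and probes the Step 1 TCP ports on the PDC; example.com, Default-First-Site-Name and pdc01 are placeholder values to replace with your own.

```powershell
# Added example, not from the original post or from Sophos. Run on a ZTNA-connected
# Windows client; replace the constructed placeholder values below with your own.
param(
    [string]$Domain   = 'example.com',              # <DomainName> (placeholder)
    [string]$SiteName = 'Default-First-Site-Name',  # <SiteName> (AD default)
    [string]$Pdc      = "pdc01.$Domain"             # PDC FQDN (placeholder)
)

# The 17 SRV records from Step 2, built from the domain and site name.
$SrvRecords = @(
    "_ldap._tcp.$Domain", "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$SiteName._sites.$Domain", "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain",
    "_ldap._tcp.DomainDnsZones.$Domain", "_ldap._tcp.ForestDnsZones.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain", "_ldap._tcp.gc._msdcs.$Domain",
    "_gc._tcp.$Domain", "_gc._tcp.$SiteName._sites.$Domain",
    "_kerberos._tcp.$Domain", "_kerberos._udp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$SiteName._sites.$Domain",
    "_kerberos._tcp.$SiteName._sites.dc._msdcs.$Domain",
    "_kpasswd._tcp.$Domain", "_kpasswd._udp.$Domain"
)

# Fixed TCP ports from Step 1 (the 49152-65535 RPC range is dynamic and not probed here).
$TcpPorts = 53, 80, 88, 135, 139, 389, 443, 445, 464, 636, 3268, 3269

# Phase 1: every SRV record must resolve through the tunnel. A failure here usually
# means the DNS (53) resource or that SRV resource is missing or of the wrong type.
$dnsFailures = foreach ($rec in $SrvRecords) {
    try {
        $srv = @(Resolve-DnsName -Name $rec -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
        if ($srv.Count -eq 0) { throw "no SRV answer" }
        Write-Host ("{0,-58} -> {1}:{2}" -f $rec, $srv[0].NameTarget, $srv[0].Port)
    } catch {
        Write-Warning "SRV lookup failed: $rec"
        $rec     # collected into $dnsFailures
    }
}

# Phase 2: TCP reachability of the PDC ports. Test-NetConnection only tests TCP, so the
# UDP ports (53, 88, 123, 137, 138, 389, 636) are not covered; verify those with a logon.
$portFailures = foreach ($p in $TcpPorts) {
    $r = Test-NetConnection -ComputerName $Pdc -Port $p -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { Write-Warning "TCP $p to $Pdc blocked"; $p }
}

"SRV records failing: $(@($dnsFailures).Count) of $($SrvRecords.Count)"
"TCP ports failing:   $(@($portFailures).Count) of $($TcpPorts.Count)"
```

A non-zero count in either summary line points at the ZTNA resource to revisit: an SRV name that fails to resolve maps to one of the 17 SRV resources, a blocked port to the PDC resource from Step 1.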


Acknowledgments

A big thanks to Nikita Sharma from Sophos Tech Support for her assistance during this process. I hope Sophos incorporates this guide into their official documentation to save others the frustration I experienced.

Let me know in the comments if this worked for you or if you have additional questions!



Added TAGs
[edited by: Raphael Alganes at 2:11 PM (GMT -8) on 4 Feb 2025]
  • Hi Rafael, thanks for your feedback and comments. We will review the KBA that was published, re-test and incorporate the suggestions made above.

    • Thank you Rafael for sharing: this is what the Community is for and I really appreciate that. We used AD Connect since it was first available and it's a bad workaround, but at least it is a workaround. We still have issues with gpupdate, but I will update my policies as you discovered with Sophos and give you feedback. Again, thanks for your work on that.

      • Let me know if setting up all the SRV records fixes your issues and makes gpupdate /force work. It does for me, and we have an out-of-the-box AD setup. If you have a custom or complex setup, you might need more SRV records (check on your PDC).

      • Follow-Up: Comprehensive Configuration for Sophos ZTNA with Active Directory Integration

        This post builds on the initial guide by incorporating field-specific instructions for configuring resources in the Sophos ZTNA Add Resource window. It also provides detailed definitions and port requirements for all 17 SRV records, ensuring proper Active Directory (AD) functionality.


        Key Configuration Notes:

        1. In the Add Resource window:
          • Resource Name: Use the correct syntax (e.g., __SRV _ldap _tcp example com).
          • Resource Type: Always select Other.
          • Ports: Specify the required TCP/UDP ports based on the example.
          • External FQDN: Input the corresponding FQDN (e.g., srv01-pdc.example.com).
          • Assign User Groups: Assign the appropriate group (e.g., Sophos ZTNA AD) for access control.
        2. Replace example.com and <PDC name> with your actual domain name and Primary Domain Controller (PDC).
        3. Each SRV record corresponds to specific AD services (details below).


        SRV Records Configuration:

        1. __SRV _ldap _tcp example com

          • Description: Locate LDAP-enabled services for general directory operations (e.g., authentication, GPO processing, LDAP queries).
          • Ports: TCP 389, 636
          • External FQDN: srv01-<PDC name>.example.com
        2. __SRV _ldap _tcp dc _msdcs example com

          • Description: Locate all Domain Controllers (DCs) for redundancy and failover.
          • Ports: TCP 389, 636
          • External FQDN: srv02-<PDC name>.example.com
        3. __SRV _ldap _tcp Default-First-Site-Name _sites example com

          • Description: Locate site-specific LDAP-enabled services for optimized communication.
          • Ports: TCP 389, 636
          • External FQDN: srv03-<PDC name>.example.com
        4. __SRV _ldap _tcp Default-First-Site-Name _sites dc _msdcs example com

          • Description: Locate site-specific Domain Controllers for LDAP communication in multi-site environments.
          • Ports: TCP 389, 636
          • External FQDN: srv04-<PDC name>.example.com
        5. __SRV _ldap _tcp DomainDnsZones example com

          • Description: Support domain-specific replication and resource discovery.
          • Ports: TCP 389, 636
          • External FQDN: srv05-<PDC name>.example.com
        6. __SRV _ldap _tcp ForestDnsZones example com

          • Description: Enable forest-wide replication and resource discovery.
          • Ports: TCP 389, 636
          • External FQDN: srv06-<PDC name>.example.com
        7. __SRV _ldap _tcp pdc _msdcs example com

          • Description: Locate the PDC emulator for password changes, time synchronization, and legacy applications.
          • Ports: TCP 389, 636
          • External FQDN: srv07-<PDC name>.example.com
        8. __SRV _ldap _tcp gc _msdcs example com

          • Description: Locate any Global Catalog (GC) for forest-wide searches.
          • Ports: TCP 3268, 3269
          • External FQDN: srv08-<PDC name>.example.com
        9. __SRV _gc _tcp example com

          • Description: Locate Global Catalog servers across the AD domain for compatibility and redundancy.
          • Ports: TCP 3268, 3269
          • External FQDN: srv09-<PDC name>.example.com
        10. __SRV _gc _tcp Default-First-Site-Name _sites example com

          • Description: Locate site-specific Global Catalog servers for optimized performance.
          • Ports: TCP 3268, 3269
          • External FQDN: srv10-<PDC name>.example.com
        11. __SRV _kerberos _tcp example com

          • Description: Locate DCs that provide Kerberos authentication over TCP.
          • Ports: TCP 88
          • External FQDN: srv11-<PDC name>.example.com
        12. __SRV _kerberos _udp example com

          • Description: Locate DCs that provide Kerberos authentication over UDP.
          • Ports: UDP 88
          • External FQDN: srv12-<PDC name>.example.com
        13. __SRV _kerberos _tcp dc _msdcs example com

          • Description: Locate all DCs for Kerberos operations over TCP.
          • Ports: TCP 88
          • External FQDN: srv13-<PDC name>.example.com
        14. __SRV _kerberos _tcp Default-First-Site-Name _sites example com

          • Description: Locate site-specific DCs for Kerberos authentication over TCP.
          • Ports: TCP 88
          • External FQDN: srv14-<PDC name>.example.com
        15. __SRV _kerberos _tcp Default-First-Site-Name _sites dc _msdcs example com

          • Description: Locate site-specific DCs for Kerberos authentication over TCP in multi-site environments.
          • Ports: TCP 88
          • External FQDN: srv15-<PDC name>.example.com
        16. __SRV _kpasswd _tcp example com

          • Description: Locate DCs for Kerberos password changes over TCP.
          • Ports: TCP 464
          • External FQDN: srv16-<PDC name>.example.com
        17. __SRV _kpasswd _udp example com

          • Description: Locate DCs for Kerberos password changes over UDP.
          • Ports: UDP 464
          • External FQDN: srv17-<PDC name>.example.com

        Final Testing:

        After configuring all 18 resources (17 SRV records + PDC ports), validate the setup by checking:

        • AD authentication functionality.
        • GPO processing on connected systems.
        • Password change operations.
        • LDAP queries for expected results.

        Let me know if you have additional questions or need further clarification!