Access RDP agentlessly via Protected Browser

Configure ZTNA so that you can access RDP agentlessly via Protected Browser.

Note

When you set up RDP as a ZTNA agentless resource, it can be accessed only via Protected Browser.

Protected Browser is supported on Windows and macOS only.

In this example, we'll show you how to configure ZTNA and Protected Browser so that users on Windows devices with green health status can access RDP securely.

Requirements

  • Make sure you've synchronized your users, added your identity providers, and set up your gateways. See Set up Zero Trust Network Access.
  • Make sure the RDP resources are reachable from the ZTNA Gateway behind which they're hosted.
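
A pre-check for the reachability requirement above, as an added example that isn't part of the Sophos documentation. Run from a host on the same network as the ZTNA Gateway (an assumption), it sends the standard RDP connection request to TCP port 3389 and reports whether the reply is RDP and which security protocol the server selects. The hostname `rdp01.corp.example` is a placeholder.

```python
import socket
import struct

# Security protocols an RDP server can select (RDP_NEG_RSP in MS-RDPBCGR).
PROTOCOLS = {0: "Standard RDP security", 1: "TLS",
             2: "CredSSP (NLA)", 8: "CredSSP with Early User Auth"}

def build_connection_request(requested=0x03):
    """X.224 Connection Request offering TLS (1) and CredSSP (2)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)  # RDP_NEG_REQ
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT header

def parse_connection_confirm(data):
    """Return (is_rdp, detail) for the server's first reply."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        return False, "not an X.224 Connection Confirm"
    if len(data) < 19:
        # Servers without protocol negotiation send the bare confirm only.
        return True, PROTOCOLS[0] + " (no negotiation response)"
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:    # RDP_NEG_RSP: value is the selected protocol
        return True, PROTOCOLS.get(value, f"unknown protocol {value:#x}")
    if neg_type == 0x03:    # RDP_NEG_FAILURE: value is the failure code
        return True, f"negotiation failure code {value}"
    return True, f"unexpected negotiation type {neg_type:#x}"

def check_rdp(host, port=3389, timeout=5.0):
    """Connect, send the request, and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request())
            return parse_connection_confirm(s.recv(1024))
    except OSError as exc:
        return False, f"unreachable: {exc}"

if __name__ == "__main__":
    import sys
    # Placeholder target; pass the resource's internal FQDN or IP address.
    target = sys.argv[1] if len(sys.argv) > 1 else "rdp01.corp.example"
    print(target, check_rdp(target))
```

A result of `(False, "unreachable: ...")` points to routing or firewall rules between the gateway network and the host. `(False, "not an X.224 Connection Confirm")` means something other than RDP is listening on the port.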

What to do

Add a ZTNA agentless policy

You can either use an existing agentless policy, or create a new one, as follows:

  1. Go to My Products > ZTNA > Policies.
  2. Click Add policy.
  3. In Add policy, select Agentless.
  4. On the New policy page, do as follows:

    1. Enter a name for the policy. Example: "Agentless access".
    2. Click the Policy enforced tab, then turn on Policy is enforced.
  5. Click Save.

Add a ZTNA resource

  1. Go to My Products > ZTNA > Resources & Access, and click Add Resource.
  2. In Add Resource, do as follows:

    1. Enter the resource name. Example: "Agentless RDP".
    2. (Optional) Add a description.
    3. Select a Gateway.
    4. In Access method, select Agentless.
    5. Select the Policy to apply. Example: "Agentless access".
    6. Select RDP as the Resource type.

      The port number, 3389, is automatically added in Port numbers.

      The Access port type is TCP. You can't change this.

    7. Enter the Internal FQDN/IP address of the resource.

      You can't add an External FQDN.

    8. In Assign User Groups, select the available groups that need access to the resource. Move them to Assigned User Groups and select them.

    9. Click Save.

Add a device posture

Adding a device posture is optional.

  1. Go to My Products > Protected Browser > Policy objects.
  2. Click Add object and select Device posture.
  3. Enter a name for the device posture. Example: "Green Windows".
  4. (Optional) Add a description.
  5. Under OS platform, select Windows.
  6. Under Endpoint protection, select Check if device is protected by Sophos Endpoint, then select Green health status.
  7. Click Save.

Note

To strengthen the security posture, you can add extra device posture checks. For more information, see Add a device posture.

Add an application group

  1. Go to My Products > Protected Browser > Policy objects.
  2. Click Add object and select Application group.
  3. Enter a name for the application group. Example: "Agentless RDP Group".
  4. Expand ZTNA resources.
  5. Under Available, select the resource you created earlier. Example: "Agentless RDP". Move it to Assigned.
  6. Click Save.

Add a web policy

  1. Go to My Products > Protected Browser > Web policy.
  2. Make sure you're on the Policies tab.
  3. Click Add policy.
  4. Enter a name for the web policy. Example: "RDP Agentless access from Green health Windows".
  5. Make sure Allow is selected.
  6. Select the Device posture you created earlier. Example: "Green Windows".
  7. Select the Application group you created earlier. Example: "Agentless RDP Group".
  8. Click Save.

Connect to the RDP host through Protected Browser

  1. In the Start menu or the desktop, click Sophos Protected Browser to launch the browser.
  2. Sign in using your credentials to start using the browser.
  3. Click the remote desktop icon in the toolbar at the top of the browser.
  4. Click + New Host.
  5. In New Host, do as follows:

    1. Add a display name for your RDP connection.
    2. For Host, enter the internal FQDN or IP address of the resource you created earlier.
    3. Port is automatically set to 3389.
    4. Enter your username and password.
    5. Click Connect.

Upload or download files

When a connection is established to the RDP server, you can upload or download files.

  • To upload a file, expand the menu at the top of the screen, click File Transfer, click Upload, then locate and click the file you want to upload.

    The file is scanned, and if it's clean, it is uploaded.

    On the File scanned successfully dialog, click Got it.

    You see a message at the bottom of the screen confirming that your file has been uploaded.

  • To download a file, expand the menu at the top of the screen, click File Transfer, find your file in the list, and click the download icon next to the file.

Video

Sophos Workspace Protection: Configure secure access and SSH/RDP