Configure a Remote Desktop Services farm with a ZTNA agent
In this topic, we show you how to configure your Remote Desktop Services (RDS) farm with a ZTNA agent. This is one of many possible deployment scenarios. For more information, contact your Microsoft Partner or see the Microsoft documentation.
In the following example, we set up a three-node Windows RDS environment consisting of the following components:
- One server hosting the remote desktop connection broker, web access, and gateway roles.
- Two remote desktop session hosts.
- A remote desktop license server.
We then configure the ZTNA settings in Sophos Central, and establish an RDP session from a Windows computer.
Deploy your RDS farm on Windows Server 2019
Build your GUI VMs and join them to your domain.
Note
The names in the following steps are all examples. When you configure your RDS farm, you must use your domain and VM names.
In this example, we build three new Windows Server 2019 GUI VMs and join them to the zagent.com domain as follows:
- A VM named rdp3.zagent.com with the following components:
  - A remote desktop gateway server
  - Two virtual CPUs
  - 4GB RAM
  - HDD with 60GB on the C drive
- A VM named rdp1.zagent.com with the following components:
  - A remote desktop session host server
  - Two virtual CPUs
  - 16GB RAM
  - HDD with 80GB on the C drive
- A VM named rdp2.zagent.com with the following components:
  - A remote desktop session host server
  - Two virtual CPUs
  - 16GB RAM
  - HDD with 80GB on the C drive
Next, deploy your RDS farm: a session-based deployment with rdp3 as the connection broker, web access, and gateway server, and rdp1 and rdp2 as session hosts.
When the deployment completes, the RDS overview in Server Manager should look like the example below: your VMs are listed under Deployment Servers.
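The same deployment can be scripted with the RemoteDesktop PowerShell module instead of the Server Manager wizard. The block below is an added example, not code from the Sophos page; it uses the page's server names but assumes that the license server role is placed on rdp3, that the collection is called ZTNA-Desktops, and that per-user licensing is wanted. Run it as a domain admin from a domain-joined host with WinRM reachable on all three servers.

```powershell
# Added example (not from the Sophos page): deploy the three-node RDS farm with the
# RemoteDesktop module. Assumptions: license server role on rdp3, collection name
# 'ZTNA-Desktops', per-user licensing. Adjust to your domain and VM names.
Import-Module RemoteDesktop

$Broker       = 'rdp3.zagent.com'                     # RD Connection Broker, RD Web Access, RD Gateway
$SessionHosts = 'rdp1.zagent.com', 'rdp2.zagent.com'  # RD Session Hosts
$GatewayFqdn  = 'rdp3.zagent.com'                     # must match the External FQDN of the ZTNA resource
$Collection   = 'ZTNA-Desktops'                       # assumed collection name

# 1. Session-based deployment: broker and web access on rdp3, both session hosts.
New-RDSessionDeployment -ConnectionBroker $Broker `
                        -WebAccessServer  $Broker `
                        -SessionHost      $SessionHosts

# 2. RD Gateway role on rdp3, published under the FQDN clients connect to.
#    The RDP client reaches this role over HTTPS/443, which is why 443 is the
#    port seen on the ZTNA adapter later.
Add-RDServer -Server $Broker -Role RDS-GATEWAY -ConnectionBroker $Broker `
             -GatewayExternalFqdn $GatewayFqdn

# 3. Licensing role (placed on rdp3 here; assumption) and licensing mode.
Add-RDServer -Server $Broker -Role RDS-LICENSING -ConnectionBroker $Broker
Set-RDLicenseConfiguration -Mode PerUser -LicenseServer $Broker `
                           -ConnectionBroker $Broker -Force

# 4. Session collection that load-balances users across rdp1 and rdp2.
New-RDSessionCollection -CollectionName $Collection -SessionHost $SessionHosts `
                        -CollectionDescription 'Desktops reached through the ZTNA agent' `
                        -ConnectionBroker $Broker

# 5. Equivalent of the "Deployment Servers" overview in Server Manager.
Get-RDServer -ConnectionBroker $Broker | Format-Table Server, Roles -AutoSize
```

The final Get-RDServer call should list rdp3 with the connection broker, web access, gateway and licensing roles, and rdp1 and rdp2 with the session host role.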
Configure ZTNA settings in Sophos Central
In Sophos Central, do as follows:
- Go to My Products > ZTNA > Resources & Access.
- Click Add resource.
- Enter the following settings:
  - Name: rds farm
  - Gateway: Select your gateway
  - Access Method: Agent
  - Resource type: RDP
  - External FQDN: rdp3.zagent.com
  - Port: 3389, 443, 80 (3389 for RDP, 443 for RD Gateway and RD Web Access over HTTPS, 80 for HTTP)
  - Internal FQDN/IP: The internal IP address or FQDN of the RD Gateway server that the external FQDN should reach (rdp3 in this example).
  - Assign user groups: Select your user groups
You'll see your resource details.
Establish an RDP session
On the Windows computer that has the ZTNA agent installed and signed in, and from which you want to access the RDS farm, do as follows:
- Type the following address into your web browser:
https://rdp3.zagent.com/rdweb
- Enter your domain credentials.
- Download and save the RDP configuration file.
- Double-click the RDP file, then click Connect.
- Enter your domain password.
- An RDP session to one of the session host servers is established, through ZTNA.
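To see what the downloaded RDP file instructs the client to do, the following added example (not from the Sophos page) writes a hand-built equivalent and launches it. It assumes the broker and gateway are rdp3.zagent.com and that the session collection is named ZTNA-Desktops; the RDWeb download carries the same gateway settings, which is why the session to the gateway runs over HTTPS/443 rather than plain RDP.

```powershell
# Added example (not from the Sophos page): an RDP file equivalent to the one RDWeb on
# rdp3.zagent.com generates. Assumptions: broker/gateway rdp3.zagent.com, collection
# 'ZTNA-Desktops'. Settings are standard RDP file keys.
$rdp = @'
full address:s:rdp3.zagent.com
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.ZTNA-Desktops
use redirection server name:i:1
gatewayhostname:s:rdp3.zagent.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
authentication level:i:2
'@
# gatewayusagemethod 1      = always connect through the RD Gateway (HTTPS/443)
# gatewaycredentialssource 4 = ask the user for gateway credentials
# promptcredentialonce 1    = reuse the gateway credentials for the session host
# loadbalanceinfo           = lets the broker pick rdp1 or rdp2 from the collection

$path = Join-Path $env:USERPROFILE 'Desktop\rds-farm.rdp'
Set-Content -Path $path -Value $rdp -Encoding ASCII
mstsc.exe $path
```

Because the agent is active, the client resolves rdp3.zagent.com through ZTNA, so the gateway connection this file creates leaves via the TAP/TUN adapter, which the next section verifies.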
Check the traffic is going through ZTNA
- Perform a packet capture (for example with Wireshark) on both the ZTNA TAP/TUN adapter and the computer's primary network interface.
- While the RDS session is running, you'll see packets on the TAP/TUN interface to port 443: this is the connection to the RD Gateway.
- Filter the packets on the primary interface by the RD Gateway IP address or either session host IP address (in Wireshark, ip.addr == <RD Gateway IP> || ip.addr == <RDSH IP>). No packets should be displayed: only the agent's own tunnel to the ZTNA gateway leaves via the primary interface, never traffic addressed to the farm directly.
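The same check can be made from the client's connection table without a packet capture. The block below is an added example, not code from the Sophos page; it assumes the ZTNA adapter can be recognised by "TAP" or "TUN" in its interface description (adjust the pattern to your agent's adapter name) and resolves the farm members as the client sees them while the agent is active.

```powershell
# Added example (not from the Sophos page): confirm that every established connection to
# the RD Gateway or session hosts uses the ZTNA TAP/TUN adapter, and show the interface
# the routing table would pick for each farm IP. Assumption: the ZTNA adapter's
# InterfaceDescription matches 'TAP|TUN'.
$RdGatewayFqdn = 'rdp3.zagent.com'
$RdshFqdns     = 'rdp1.zagent.com', 'rdp2.zagent.com'

# Farm addresses as resolved on this client (with the agent active this may be the
# address the agent hands out for the resource rather than the server's real IP).
$farmIps = (@($RdGatewayFqdn) + $RdshFqdns) | ForEach-Object {
    (Resolve-DnsName -Name $_ -Type A -ErrorAction SilentlyContinue).IPAddress
}

$tun = Get-NetAdapter | Where-Object {
    $_.InterfaceDescription -match 'TAP|TUN' -and $_.Status -eq 'Up'
}
if (-not $tun) { throw 'No ZTNA TAP/TUN adapter is up; is the agent running and connected?' }
$tunIps = (Get-NetIPAddress -InterfaceIndex $tun.ifIndex -AddressFamily IPv4).IPAddress

# Every established connection to a farm member, with the interface it leaves on.
# ViaZTNA must be True for all rows; a False row is traffic bypassing the tunnel.
Get-NetTCPConnection -State Established |
    Where-Object { $farmIps -contains $_.RemoteAddress } |
    ForEach-Object {
        [pscustomobject]@{
            Process   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            Local     = $_.LocalAddress
            Interface = (Get-NetIPAddress -IPAddress $_.LocalAddress -ErrorAction SilentlyContinue).InterfaceAlias
            ViaZTNA   = $tunIps -contains $_.LocalAddress
        }
    } | Format-Table -AutoSize

# Routing view: which interface the client would use for each farm IP right now.
# Find-NetRoute returns the chosen source address first, then the route; both name the interface.
foreach ($ip in $farmIps) {
    $r = Find-NetRoute -RemoteIPAddress $ip | Select-Object -First 1
    '{0,-16} -> ifIndex {1} ({2})' -f $ip, $r.InterfaceIndex, $r.InterfaceAlias
}
```

With the session running, expect one connection from mstsc.exe to the gateway address on port 443 whose local address sits on the TAP/TUN adapter, and no rows with ViaZTNA False. The routing view should point every farm IP at the TAP/TUN interface; if it points at the primary interface, the resource definition in Sophos Central (External FQDN, ports) or the agent's connection state needs checking before trusting the capture results.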