
Configure a Remote Desktop Services farm with a ZTNA agent

In this topic, we show you how to configure your Remote Desktop Services (RDS) farm with a ZTNA agent. This is one of many possible deployment scenarios. For more information, contact your Microsoft Partner or see the Microsoft documentation.

In the following example, we set up a three-node Windows RDS environment consisting of the following components:

  • One remote desktop connection broker, gateway, or web server.
  • Two remote desktop session hosts.
  • A remote desktop license server.

We then configure the ZTNA settings in Sophos Central, and establish an RDP session from a Windows computer.

Deploy your RDS farm on Windows Server 2019

Build your GUI VMs and join them to your domain.

Note

The names in the following steps are all examples. When you configure your RDS farm, you must use your domain and VM names.

In this example, we build three new Windows Server 2019 GUI VMs and join them to the zagent.com domain as follows:

  • A VM named rdp3.zagent.com with the following components:

    • A remote desktop gateway server
    • Two virtual CPUs
    • 4GB RAM
    • HDD with 60GB on the C drive
  • A VM named rdp1.zagent.com with the following components:

    • A remote desktop session host server
    • Two virtual CPUs
    • 16GB RAM
    • HDD with 80GB on the C drive
  • A VM named rdp2.zagent.com with the following components:

    • A remote desktop session host server
    • Two virtual CPUs
    • 16GB RAM
    • HDD with 80GB on the C drive

Next, deploy your RDS farm.

The RDS farm overview should look like the example below:

Deployment overview diagram.

You'll see your VMs under Deployment Servers.

Deployment servers window.
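The deployment wizard steps above can also be scripted. The following PowerShell is an added example, not part of the Sophos page, and uses the RemoteDesktop module that ships with Windows Server. It reuses the page's example host names (rdp1, rdp2 and rdp3 in the zagent.com domain); the choice to put the licensing role on rdp3, the collection name and the assumption that the gateway's external FQDN matches the ZTNA resource's External FQDN are this example's, not the page's.

```powershell
# Added example (not from the Sophos page): deploy the three-node RDS farm
# described above with the RemoteDesktop PowerShell module. Run it on a
# domain-joined management host (or on rdp3 itself) as a domain administrator.
Import-Module RemoteDesktop

$Broker  = 'rdp3.zagent.com'                         # RD Connection Broker, RD Web Access, RD Gateway
$Hosts   = @('rdp1.zagent.com', 'rdp2.zagent.com')   # RD Session Hosts
$License = 'rdp3.zagent.com'                         # assumption: licensing role co-located on rdp3
$ExtFqdn = 'rdp3.zagent.com'                         # assumption: same name as the ZTNA resource External FQDN

# Fail early if any node is unreachable: the deployment cmdlets are not idempotent,
# and a half-finished deployment is awkward to roll back.
foreach ($node in (($Hosts + $Broker) | Select-Object -Unique)) {
    if (-not (Test-WSMan -ComputerName $node -ErrorAction SilentlyContinue)) {
        throw "WinRM is not reachable on $node; join it to the domain and enable remoting first."
    }
}

# 1. Broker, Web Access and both Session Hosts in one standard deployment.
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $Broker -SessionHost $Hosts

# 2. RD Gateway on the broker. Clients reach it on TCP 443, which is why 443 is
#    among the ports on the ZTNA resource.
Add-RDServer -Server $Broker -Role RDS-GATEWAY -ConnectionBroker $Broker -GatewayExternalFqdn $ExtFqdn

# 3. Licensing server and licensing mode.
Add-RDServer -Server $License -Role RDS-LICENSING -ConnectionBroker $Broker
Set-RDLicenseConfiguration -LicenseServer $License -Mode PerUser -ConnectionBroker $Broker -Force

# 4. A session collection, so RD Web Access publishes a desktop backed by both hosts.
New-RDSessionCollection -CollectionName 'rds farm' -SessionHost $Hosts -ConnectionBroker $Broker

# 5. Show the result; it should match the "Deployment Servers" view in Server Manager.
Get-RDServer -ConnectionBroker $Broker | Format-Table Server, Roles -AutoSize
```

Run it once per farm. If you later change the gateway's external name, the ZTNA resource's External FQDN has to change with it, since clients download an RDP file that names the gateway.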

Configure ZTNA settings in Sophos Central

In Sophos Central, do as follows:

  1. Go to My Products > ZTNA > Resources & Access.
  2. Click Add resource.
  3. Enter the following settings:

    1. Name: rds farm
    2. Gateway: Select your gateway
    3. Access Method: Agent
    4. Resource type: RDP
    5. External FQDN: rdp3.zagent.com
    6. Port: 3389, 443, 80
    7. Internal FQDN/IP: The IP address or FQDN of the RDS gateway or resource.
    8. Assign user groups: Select your user groups

    You'll see your resource details.

    ZTNA Resource details.

Establish an RDP session

On the Windows computer from which you want to access another device remotely, do as follows:

  1. Type the following address into your web browser: https://rdp3.zagent.com/rdweb
  2. Enter your domain credentials.

    ZTNA credentials.

  3. Download and save the RDP configuration file.

  4. Double-click the RDP file, then click Connect.
  5. Enter your domain password.
  6. An RDP session to one of the session host servers is established through ZTNA.

Check the traffic is going through ZTNA

  1. Perform a packet capture on the ZTNA TAP/TUN adapter and on the primary interface.
  2. While the RDS session is running, you'll see packets on the TAP/TUN interface on port 443 (the connection to the RD Gateway).
  3. Filter the packets on the primary interface by the RD Gateway IP address or the RD Session Host IP addresses. No packets should be displayed.
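The same check can be made without a packet capture by looking at which local interface the client's established TCP connections are bound to. The following PowerShell is an added example, not part of the Sophos page. It assumes the ZTNA virtual adapter can be identified by a "TAP" substring in its interface description and uses the page's example host names as the gateway and session hosts; both are parameters you can override. Run it on the Windows client while the RDP session is open.

```powershell
# Added example (not from the Sophos page): confirm that the client's TCP 443
# connection to the RD Gateway is bound to the ZTNA TAP/TUN adapter, and that no
# connection to the gateway or session hosts is leaving via the primary interface.
param(
    # Assumption: the ZTNA virtual adapter's description contains "TAP". Adjust to match yours.
    [string]$ZtnaAdapterPattern = '*TAP*',
    # RD Gateway followed by the session hosts (the page's example names).
    [string[]]$Targets = @('rdp3.zagent.com', 'rdp1.zagent.com', 'rdp2.zagent.com')
)

# Resolve the gateway and session host names as the client currently sees them.
$targetIps = foreach ($t in $Targets) {
    (Resolve-DnsName -Name $t -Type A -ErrorAction Stop).IPAddress
}

# Interface index of the ZTNA adapter, then IPv4 addresses on it and on everything else.
$ztnaIfIndex = @(Get-NetAdapter | Where-Object { $_.InterfaceDescription -like $ZtnaAdapterPattern }).ifIndex
if (-not $ztnaIfIndex) { throw "No adapter matches '$ZtnaAdapterPattern'; check the ZTNA agent is installed and connected." }

$ztnaIps    = @(Get-NetIPAddress -AddressFamily IPv4 -InterfaceIndex $ztnaIfIndex).IPAddress
$primaryIps = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceIndex -notin $ztnaIfIndex }).IPAddress

# Established TCP connections toward any RDS host, split by the local address they use.
$conns      = Get-NetTCPConnection -State Established | Where-Object { $targetIps -contains $_.RemoteAddress }
$viaZtna    = @($conns | Where-Object { $ztnaIps    -contains $_.LocalAddress })
$viaPrimary = @($conns | Where-Object { $primaryIps -contains $_.LocalAddress })

'Connections to RDS hosts over the ZTNA adapter:'
$viaZtna | Format-Table LocalAddress, RemoteAddress, RemotePort, OwningProcess -AutoSize

# Expected: at least one port-443 connection to the gateway on the ZTNA adapter.
if (@($viaZtna | Where-Object { $_.RemotePort -eq 443 }).Count -eq 0) {
    Write-Warning 'No TCP 443 connection to the RD Gateway on the ZTNA adapter; the session may not be using ZTNA.'
}

# Expected: nothing to the gateway or session hosts on the primary interface.
if ($viaPrimary.Count -gt 0) {
    Write-Warning "Traffic to RDS hosts is leaving via the primary interface:`n$($viaPrimary | Out-String)"
} else {
    'OK: no connections to RDS hosts on the primary interface.'
}
```

This is a point-in-time view rather than a capture, so run it a couple of times during the session. A warning on the second check usually means the client resolved the gateway or a session host to a routable address outside ZTNA, which is the condition the packet filter in step 3 is meant to catch.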