
ZTNA local domain/GPO

I'm hoping someone has a similar situation and can shed some light on how they configured their environment.  We have a single domain.  All of the GPOs work great; we use folder redirection to a local file server, and also map network drives for various users and groups.  I have a few users that would like remote access to their files.  When I initially installed the ZTNA agent, I could not access anything on my fileserver, either directly or via mapped drive; Windows would always prompt me for network credentials; I would enter the credentials and receive an error because it could not communicate with a domain controller.

Support suggested that I add our domain controllers to ZTNA resources (and publish public SRV records).  This allowed me to manually access the fileserver (no more credential prompt).  However, it broke just about everything else domain-wise on the machine.  Once the domain controllers were added as a resource, any machine with the ZTNA agent has difficulty receiving and applying GPOs, and login items do not process.  Users attempt to log into their machine and wait up to 10 minutes just to be greeted by errors saying that 'redirection failed', and drives do not map.  In this scenario the machines are useless; users aren't going to manually map their network drives, or wait 10 minutes for a Windows login!

Has anyone with a traditional domain configuration successfully implemented ZTNA?  Am I expecting too much to have redirected folders and mapped drives?  We have over 500 PCs running great, and 20 ZTNA machines that are giving us much trouble.  Is it necessary to have the DCs as ZTNA resources?

Thank you for reading.
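The failure described in the post above ("could not communicate with a domain controller", then GPO and folder redirection breaking once the DCs were added as resources) comes down to whether the Windows DC locator can resolve the domain's SRV records and reach the returned DCs on the ports logon and GPO processing need. The following PowerShell diagnostic is an added example, not code from the original thread and not a Sophos tool; run it on a client with the ZTNA agent active. The domain name is a placeholder assumption, and the SRV names and ports are the standard ones a domain-joined client uses (Kerberos 88, LDAP 389, SMB 445 for SYSVOL/NETLOGON).

```powershell
<#
 Added diagnostic, not from the original thread and not a Sophos tool.
 From a client with the ZTNA agent running, it does what the Windows DC
 locator does: resolves the _msdcs SRV records for the domain (the records
 the workaround in the thread publishes publicly), then checks that each
 returned DC answers on the ports a domain logon, GPO processing and SMB
 need. The domain name is a placeholder; replace it with your AD DNS name.
#>
param(
    [string]$Domain = 'corp.example.local'   # assumption: your AD DNS domain
)

# SRV names a domain-joined client queries to find a DC and a KDC.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain"
)

# Ports that must be reachable through the tunnel for logon and GPO:
# Kerberos (88), LDAP (389), SMB to SYSVOL/NETLOGON (445).
$ports = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445 }

$failures = 0
foreach ($name in $srvNames) {
    Write-Host "== $name"
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No SRV answer for ${name}: $($_.Exception.Message)"
        $failures++
        continue
    }
    if (-not $srv) { Write-Warning "Empty SRV answer for $name"; $failures++; continue }

    foreach ($r in ($srv | Sort-Object Priority, Weight)) {
        $dc = $r.NameTarget
        $ip = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if (-not $ip) {
            Write-Warning "  $dc has no A record from this client"
            $failures++
            continue
        }
        Write-Host ("  {0} -> {1}" -f $dc, $ip.IPAddress)
        foreach ($p in $ports.GetEnumerator()) {
            # -InformationLevel Quiet makes Test-NetConnection return a plain bool.
            $ok = Test-NetConnection -ComputerName $dc -Port $p.Value `
                      -WarningAction SilentlyContinue -InformationLevel Quiet
            $state = if ($ok) { 'open' } else { 'BLOCKED' }
            Write-Host ("    {0,-8} {1,3}  {2}" -f $p.Key, $p.Value, $state)
            if (-not $ok) { $failures++ }
        }
    }
}

# Finally ask the DC locator itself; this is the path logon and GPO use.
nltest /dsgetdc:$Domain /force

if ($failures -gt 0) { Write-Warning "$failures check(s) failed"; exit 1 }
Write-Host "All DC locator checks passed"
```

If the SRV lookups succeed but 445 shows BLOCKED, the client can authenticate but cannot read SYSVOL, which is exactly the pattern of "credential prompt gone, GPO and redirection still failing"; if the SRV lookup itself fails, the client never locates a DC and every domain operation falls back to cached credentials.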



  • We have this here: "ZTNA SMB Authentication with on-premise file server". There is also a "Workaround" you could use.

  • Thanks for the reply.  I do have the public SRV records in place.  I think I'll try to get a logon script working for now.  It should help with the mapped drives, but not the redirected folders.
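The logon-script route mentioned above has one practical wrinkle on a ZTNA client: at logon the tunnel may not be up yet, so a plain `net use` fires once and fails. The script below is an added example, not from the original thread, that waits for the file server to answer on SMB before mapping, and replaces a stale mapping on the same letter. Server name, shares and drive letters are placeholder assumptions. Run it as a user logon script rather than a computer startup script, because the mapping is per-user and authenticates with the user's own ticket.

```powershell
<#
 Added example logon script, not from the original thread. It maps the
 user's drives only after the file server answers on SMB, so a client whose
 ZTNA tunnel is not up yet at logon waits and retries instead of failing
 the mapping outright. Server, share and drive letters are placeholders.
#>
$Server   = 'fs01.corp.example.local'          # assumption: your file server
$Drives   = [ordered]@{                         # assumption: letter -> UNC path
    'H' = "\\$Server\home\$env:USERNAME"
    'S' = "\\$Server\shared"
}
$Deadline = (Get-Date).AddSeconds(120)          # how long to wait for the tunnel

# Wait for SMB on the file server to become reachable.
$reachable = $false
do {
    $reachable = Test-NetConnection -ComputerName $Server -Port 445 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) { Start-Sleep -Seconds 5 }
} until ($reachable -or (Get-Date) -gt $Deadline)

if (-not $reachable) {
    Write-Warning "$Server not reachable on 445 within the wait period; no drives mapped"
    exit 1
}

# Map each drive, replacing a stale mapping that points the letter elsewhere.
$errors = 0
foreach ($d in $Drives.GetEnumerator()) {
    $letter   = "$($d.Key):"
    $existing = Get-SmbMapping -LocalPath $letter -ErrorAction SilentlyContinue
    if ($existing -and $existing.RemotePath -ne $d.Value) {
        Remove-SmbMapping -LocalPath $letter -Force -UpdateProfile
        $existing = $null
    }
    if (-not $existing) {
        try {
            New-SmbMapping -LocalPath $letter -RemotePath $d.Value `
                -Persistent $true -ErrorAction Stop | Out-Null
            Write-Host "Mapped $letter -> $($d.Value)"
        } catch {
            Write-Warning "Failed to map ${letter}: $($_.Exception.Message)"
            $errors++
        }
    }
}
exit $errors
```

This covers mapped drives only; folder redirection is applied by the Group Policy engine at logon and is not something a per-user script can substitute for, which matches the limitation noted in the reply.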

  • Has anyone with a traditional domain configuration successfully implemented ZTNA?  Am I expecting too much to have redirected folders and mapped drives? 

    We purchased some licenses to test. This is a half-baked product as far as I am concerned, and if Microsoft solves this with the new Private Access offering they are planning, all these vendors can actually kill their products.

    It was a pain to install, and a pain to understand the shortcomings of the solution. For the time being we will test Todyl and a few other vendors to replace Sophos until Microsoft is ready for prime time.

  • Thank you for the insight.  I'll investigate Private Access.  I tested ZTNA with a couple machines and it actually worked pretty well, but then after rolling it out organization-wide we ran into some of these 'unfixable' issues that didn't seem very prevalent on the test machines for whatever reason.  Multiple users are asking to go back to the previous solution (MS AoVPN), but for compliance reasons we're marching forward for the moment...

  • Sophos thinks companies are all in on cloud. But reality is different. It is hybrid, and it will stay hybrid for a very long time. We have projects now moving back from the cloud to on-premises. They probably stopped any investment into this ZTNA and are focusing on SASE and integration with XGS, if they ever come out with that solution.

    And we are searching for a new solution. Todyl may be doing something different, but I need to separate marketing from real facts. There are also a few other vendors we will test.

  • compliance reasons we're marching forward for the moment...

    Can you describe what compliance you are not able to achieve with AoVPN?

  • It's my understanding that any VPN or remote access product needs MFA.  We had AoVPN configured on Windows 10 machines with a device tunnel (not MFA).  It worked great while we used it.  I was having some difficulties getting the same configuration to work on Windows 11; and around that time we were notified of the new MFA requirement, which prompted me to look for alternative solutions.

  • Hi Justin, we are working on a fix for this and are targeting the end of August to roll it out to select customers. With that approach, you can do away with the current workaround you are using, where you have the public SRV records in place.

  • Hi, thank you for the update and the continued support.

  • A new approach to this problem is now published. See: support.sophos.com/.../KB-000045614