
ZTNA local domain/GPO

I'm hoping someone has a similar situation and can shed some light on how they configured their environment. We have a single domain. All of the GPOs work great; we use folder redirection to a local file server, and also map network drives for various users and groups. I have a few users that would like remote access to their files. When I initially installed the ZTNA agent, I could not access anything on my fileserver, either directly or via mapped drive; Windows would always prompt me for network credentials; I would enter the credentials and receive an error because it could not communicate with a domain controller.

Support suggested that I add our domain controllers into ZTNA resources (and public SRV records). This allowed me to manually access the fileserver (no more credential prompt). However, it broke just about everything else domain-wise on the machine. Once the domain controllers were added as a resource, any machine with the ZTNA agent has difficulty receiving and applying GPOs, and login items do not process. Users attempt to log into their machine and wait up to 10 minutes just to be greeted by errors saying that 'redirection failed', and drives do not map. In this scenario, the machines are useless; users aren't going to manually map their network drives, or wait 10 minutes for a Windows login!

Has anyone with a traditional domain configuration successfully implemented ZTNA? Am I expecting too much to have redirected folders and mapped drives? We have over 500 PCs running great, and 20 ZTNA machines that are giving much trouble. Is it necessary to have the DCs as ZTNA resources?

Thank you for reading.

  • I have the service records in that article set up and I have my DC set up as a resource, but gpupdate /force still fails when attempting a pull off-network. Are there more service records beyond the 4 listed in the article I should be adding?

  • Oh ok. We will try this internally in our lab and get back to you with more information. Please stay tuned. 

  • Thank you. Password changes work, file shares work, last logon timestamp to the domain works; it looks like the only thing I'm not intercepting correctly is the gpupdate.

  • Do you have SMB access to SYSVOL enabled in the ZTNA setup? I haven't played with this for a long time, but this is something that crossed my mind...

  • I do, yes; I can also browse SYSVOL from the ZTNA.
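A diagnostic that covers the checks discussed in the replies above (do the DC-locator SRV records resolve, are the returned DCs reachable on the ports GPO processing needs, and is SYSVOL readable). This is an added example, not from the thread or from Sophos; `corp.example.com` is a placeholder for your AD DNS name, and the four records below are the standard DC-locator records, which may or may not match the ones the Sophos article lists.

```powershell
# Added diagnostic (not from the thread or Sophos). Run on a machine with the ZTNA agent
# to see what the agent's DNS interception returns for the AD DC-locator SRV records and
# whether the DCs it points to are reachable on LDAP (389), Kerberos (88) and SMB (445).
# Assumption: $Domain is a placeholder; the record list is the standard DC-locator set.
param([string]$Domain = 'corp.example.com')  # placeholder, replace with your AD DNS name

$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)
$ports = @{ LDAP = 389; Kerberos = 88; SMB = 445 }
$dcs   = @{}

# 1. Which SRV records resolve, and to which DC hostnames?
foreach ($r in $records) {
    $answers = Resolve-DnsName -Name $r -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if (-not $answers) { Write-Warning "No SRV answer for $r"; continue }
    foreach ($a in $answers) {
        Write-Host ("{0} -> {1}:{2}" -f $r, $a.NameTarget, $a.Port)
        $dcs[$a.NameTarget] = $true
    }
}

# 2. Is each discovered DC reachable on the ports GPO processing depends on?
foreach ($dc in $dcs.Keys) {
    foreach ($svc in $ports.Keys) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $ports[$svc] `
               -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { 'open' } else { 'BLOCKED' }
        Write-Host ("{0} {1}/{2}: {3}" -f $dc, $svc, $ports[$svc], $state)
    }
}

# 3. GPO templates are read from SYSVOL; if this path is not reachable, gpupdate fails too.
$sysvol = "\\$Domain\SYSVOL\$Domain\Policies"
$state  = if (Test-Path $sysvol) { 'reachable' } else { 'NOT reachable' }
Write-Host ("SYSVOL {0}: {1}" -f $sysvol, $state)
```

Because the replies note that behaviour differs before and after user logon and ZTNA authentication, run it once in the user's session and once as SYSTEM (for example via `psexec -s`) and compare the two results.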

  • Hi Tejas,

    It seems that GPO pull only works after user logon has happened and ZTNA auth is done. The result is that policy settings which need to be set pre-logon or at the moment of user logon (like user home mapping) will not work, even when the agent is on the office network.

    ZTNA seems to intercept DNS when enabled, even if the user is not logged in or authenticated. So the connection to the DC / domain is not available when access is configured for seamless access to fileserver resources as described in KB-000045614.

    It would be a much better approach if the ZTNA agent only came into play once the user is authenticated; then a PC with the ZTNA agent would work in the office even when the user is not logged in or not authenticated yet.

  • There should be an option to have trusted networks to stop ZTNA processing when in the office. 

  • Sophos assumed that ALL customers are in the cloud for some reason. I actually make my best money today moving people from the cloud (public, like Azure/AWS) to on-prem or some kind of private cloud (VMware somewhere like Aruba or OVH) where they can actually cap expenses per month.

    Sophos missed big time here and now they are working to put back these kinds of functionality. And this is good, and we need to help them to get there. What's bad is when they try to convince us that milk isn't white.

    Since we ran into issues with Sophos ZTNA, where we assumed they would have functionality like some other competitors have (our mistake), I went and tested at least 10 different solutions on the market and discussed a few issues with those vendors. These vendors are actually taking an additional approach where they are going to introduce device tunnels, where the PC gets an extension of the LAN. Something like a RED device, but as software on the PC.

  • Hi All. Thank you for the feedback. Yes, we are working on a feature related to on-premise detection. This will ensure that the agent stops intercepting requests in networks that are marked as trusted. I don't have an ETA currently for it. Please stay tuned for more info.

  • Hi Tejas, we are really looking forward to an Early Access of that feature...