ZTNA local domain/GPO

I'm hoping someone has a similar situation and can shed some light on how they configured their environment.  We have a single domain.  All of the GPOs work great; we use folder redirection to a local file server, and also map network drives for various users and groups.  I have a few users that would like remote access to their files.  When I initially installed the ZTNA agent, I could not access anything on my fileserver, either directly or via mapped drive; Windows would always prompt me for network credentials; I would enter the credentials and receive an error because it could not communicate with a domain controller.

Support suggested that I add our domain controllers into ZTNA resources (and public SRV records). This allowed me to manually access the fileserver (no more credential prompt). However, it broke just about everything else domain-wise on the machine. Once the domain controllers were added as a resource, any machine with the ZTNA agent has difficulty receiving and applying GPOs, and login items do not process. Users attempt to log into their machine and wait up to 10 minutes just to be greeted by errors saying that 'redirection failed', and drives did not map. In this scenario, the machines are useless; users aren't going to manually map their network drives, or wait 10 minutes for a Windows login!

Has anyone with a traditional domain configuration successfully implemented ZTNA? Am I expecting too much to have redirected folders and mapped drives? We have over 500 PCs running great, and 20 ZTNA machines that are giving us much trouble. Is it necessary to have the DCs as ZTNA resources?

Thank you for reading.
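To narrow down whether a ZTNA client can actually locate and reach a domain controller (the failure mode described in the post above: credential prompts, GPOs not applying, folder redirection failing), here is a PowerShell diagnostic added as an example; it is not from the post or from Sophos. It assumes the AD DNS domain is `corp.example.com` (a placeholder) and that it is run on the machine with the ZTNA agent installed.

```powershell
# Added diagnostic, not from the original post. Replace $Domain with your AD DNS domain name.
$Domain = 'corp.example.com'   # placeholder, assumption

# 1. The DC locator depends on these SRV records. If the resolver the ZTNA agent
#    provides returns nothing, Netlogon cannot find a DC and GPO/logon processing fails.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { Write-Warning "No DC SRV records resolvable for $Domain"; return }
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

# 2. Ports a domain member needs on a DC: Kerberos, LDAP/LDAPS, SMB (SYSVOL for GPOs),
#    RPC endpoint mapper and the global catalog. The dynamic RPC range (49152-65535)
#    used by some RPC-based services is not tested here.
$ports = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445; RPC = 135; LDAPS = 636; GC = 3268 }
foreach ($dc in $dcs) {
    foreach ($name in $ports.Keys) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $ports[$name] `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-30} {1,-9} {2,5} {3}' -f $dc, $name, $ports[$name], $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 3. Which DC did the Netlogon locator actually pick (or did it fail to find one)?
nltest /dsgetdc:$Domain /force

# 4. Last Group Policy processing result and recent warnings/errors.
gpresult /r /scope:computer
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 20 |
    Where-Object { $_.Level -le 3 } |   # 2 = Error, 3 = Warning
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A DC that resolves via SRV but shows SMB or RPC as BLOCKED explains exactly the symptom where manual file access works but GPOs and drive mappings do not.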

  • Sophos assumed that ALL customers are in the cloud for some reason. I actually make the best money today moving people from the cloud (public, like Azure/AWS) to on-prem or some kind of private cloud (VMware somewhere like Aruba or OVH) where they can actually cap expenses per month.

    Sophos missed big time here and now they are working to put back these kinds of functionalities. And this is good, and we need to help them get there. Bad is when they are trying to convince us that milk isn't white.

    Since we ran into issues with Sophos ZTNA where we assumed they would have functionalities like some other competitors have (our mistake), I went and tested at least 10 different solutions on the market and discussed a few issues with those vendors. These vendors are actually taking an additional approach where they are going to introduce device tunnels where the PC will get an extension of the LAN. Something like a RED device but as software on the PC.
