
ZTNA local domain/GPO

I'm hoping someone has a similar situation and can shed some light on how they configured their environment.  We have a single domain.  All of the GPOs work great; we use folder redirection to a local file server, and also map network drives for various users and groups.  I have a few users that would like remote access to their files.  When I initially installed the ZTNA agent, I could not access anything on my fileserver, either directly or via mapped drive; Windows would always prompt me for network credentials; I would enter the credentials and receive an error because it could not communicate with a domain controller.

Support suggested that I add our domain controllers into ZTNA resources (and public SRV records).  This allowed me to manually access the fileserver (no more credential prompt).  However, it broke just about everything else domain-wise on the machine.  Once adding the domain controllers as a resource, any machine with the ZTNA agent has difficulty receiving and applying GPOs and login items do not process.  Users attempt to log into their machine and wait up to 10 minutes just to be greeted by errors saying that 'redirection failed', and drives did not map.  In this scenario, the machines are useless; users aren't going to manually map their network drives, or wait 10 minutes for a Windows login!

Has anyone with a traditional domain configuration successfully implemented ZTNA?  Am I expecting too much to have redirected folders and mapped drives?  We have over 500 PCs running great, and 20 ZTNA machines that are giving much trouble.  Is it necessary to have the DCs as ZTNA resources?

Thank you for reading.



This thread was automatically locked due to age.
  • I do, yes. I can also browse the SYSVOL from the ZTNA.

  • Hi Tejas,

    It seems that GPO pull only works after user logon has happened and ZTNA auth is done. The result is that policy settings which need to be set pre-logon or at the moment of user logon (like user home mapping) will not work, even when the agent is on the office network.

    ZTNA seems to intercept DNS when enabled, even if the user is not logged in or is authenticated. So the connection to the DC / domain is not available when access is configured for seamless access to fileserver resources as described in KB-000045614.

    It would be a much better approach if the ZTNA agent only came into play once the user is authenticated; then a PC with the ZTNA agent would work in the office even when the user is not logged in or is not authenticated yet.
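The behaviour Sven describes (DNS interception breaking DC location before logon) can be checked from the client itself. The script below is an added diagnostic example, not from this thread and not Sophos code: it resolves the DC locator SRV record, tests the ports that logon and GPO processing need on each DC, and then cross-checks with the built-in Windows tools. Run it with the ZTNA agent stopped and again with it running (before and after ZTNA auth) and compare. The domain name defaults to the machine's joined domain, and the port list is an assumption based on standard domain-member requirements.

```powershell
# Added diagnostic example (not from the thread or from Sophos): checks whether a
# Windows client can still locate and reach its domain controllers, which is what
# GPO processing, folder redirection and logon scripts depend on.
# Assumptions: domain taken from USERDNSDOMAIN; port list is the usual DC set.

param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: the machine's joined domain
)

# Ports a domain member needs on a DC for logon/GPO:
# Kerberos (88), LDAP (389), SMB for SYSVOL (445), RPC endpoint mapper (135)
$DcPorts = @(88, 389, 445, 135)

function Get-DcSrvRecords {
    param([string]$Domain)
    # The DC locator finds DCs via this SRV record; if the ZTNA agent is
    # intercepting DNS, this query may fail or return unexpected answers.
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget -Unique
    } catch {
        Write-Warning "SRV lookup failed for $Domain : $($_.Exception.Message)"
        @()
    }
}

function Test-DcConnectivity {
    param([string]$DcName, [int[]]$Ports)
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $DcName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC        = $DcName
            Port      = $p
            Reachable = $r.TcpTestSucceeded
            # Compare this address with and without the agent: a different
            # answer means DNS for the DC is being intercepted/rewritten.
            RemoteIP  = if ($r.RemoteAddress) { $r.RemoteAddress.IPAddressToString } else { $null }
        }
    }
}

$dcs = Get-DcSrvRecords -Domain $Domain
if (-not $dcs) {
    Write-Host "No DCs found via SRV lookup; GPO and logon-time mappings cannot be expected to work."
    return
}

$results = foreach ($dc in $dcs) { Test-DcConnectivity -DcName $dc -Ports $DcPorts }
$results | Format-Table -AutoSize

# Cross-check with the Windows DC locator itself
nltest /dsgetdc:$Domain

# Show when computer Group Policy was last applied (a stale timestamp points
# at the pre-logon problem described above)
gpresult /r /scope:computer
```

If the SRV lookup succeeds and all ports are reachable only after the user has logged on and authenticated to ZTNA, that reproduces the ordering problem described in the post; if the lookup succeeds but the RemoteIP differs between runs, the agent is answering the DC name rather than the corporate DNS server.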

  • There should be an option to have trusted networks to stop ZTNA processing when in the office. 

  • Sophos assumed that ALL customers are in the cloud for some reason. I actually make the best money today moving people from the cloud (public, like Azure/AWS) to on-prem or some kind of private cloud (VMware somewhere like Aruba or OVH) where they can actually cap expenses per month.

    Sophos missed big time here and now they are working to put back these kinds of functionalities. And this is good and we need to help them to get there.  Bad is when they are trying to convince us that milk isn't white.


    Since we ran into an issue with Sophos ZTNA where we assumed they would have functionalities like some other competitors have (our mistake), I went and tested at least 10 different solutions on the market and discussed a few issues with those vendors. These vendors are actually taking an additional approach where they are going to introduce device tunnels where the PC will get an extension of the LAN. Something like a RED device but as software on the PC.

  • Hi All. Thank you for the feedback. Yes, we are working on a feature related to on-premise detection. This will ensure that the agent stops intercepting requests in networks that are marked as trusted. I don't have an ETA currently for it. Please stay tuned for more info.

  • Hi Tejas, we are really looking forward to an Early Access of that feature...

  • Hi Sven, Sure. I will reach out to you once we have something substantial that can be tested. Please stay tuned for updates. 

  • Any update on this?  We are still running into two major roadblocks with ZTNA.  Local GPOs not applying and print shares not working.  Seems like full on-prem domain/AD services are not fully functional.  This could also be bypassed if there was an on-trusted-network option as mentioned above.