gpudpate and crl checks do not work over ZTNA agent

I have followed KBs (https://support.sophos.com/support/s/article/KBA-000008481?language=en_US) to get nearly all aspects of domain communication to work for ZTNA endpoints. They are able to change passwords, authenticate, access file shares over SMB, and, I believe DNS from the DCs. We have multiple DCs and, if I am correct, the KB only supports one (which hasn't been a problem in our pilot phase). The issue is that the endpoints on ZTNA (not onsite and completely remote) are not able to process GPO updates. This came to light when we deployed a new RDS that required a new signed RDP file and the endpoints were not getting the updated file (deployed through GPO preferences) and then when manually deployed, those endpoints were not able to connect because the endpoint was unable to perform a CRL check on the newly signed files (cert was issued by internal domain CA). This all work perfectly fine while onsite for non-ZTNA endpoints (have not been able to test ZTNA onsite). Is this expected behavior at the moment or are there additional steps that are needed to enable these functions? To clarify, I have the DCs as resources with full TCP/UDP ports listed.

Thank you,

James



Added TAGs
[edited by: Raphael Alganes at 1:12 PM (GMT -7) on 7 Oct 2024]
  • Can you show us all your SRV Records, you created?

    __________________________________________________________________________________________________________________

  • After adding a blanket resource for the domain (domain.fqdn as the external source, internal is our PDC, all TCP/UDP ports), gpupdate /target:User now works. However, /target:Computer does not. It is consistently failing with a Event ID 5719 on NETLOGON (error message below) after throwing an Event ID 1030 generic GroupPolicy error.

    "This computer was not able to set up a secure session with a domain controller in domain due to the following:
    An internal error occurred.
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

    ADDITIONAL INFO
    If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain."

    I have noticed that it is trying to access our domains "short name" and not a FQDN. I also noticed that it is using the SYSTEM account. Could this be the issue and is expected behavior for ZTNA?

    Thank you,

    James