ZTNA in windows domain infrastructure and client-to-domain-controller traffic
Hello Folks,
Windows environments seem somewhat complex to me when dealing with ZTNA, especially knowing that some transactions need line-of-sight connections between clients and the DC, with many ports being used on both TCP and UDP.
In my scenario, I have configured a ZTNA server for the LDAP and included all the required ports. UDP seems to work, because I have tried resolving names from the client side. However, when it comes to user login (with a new username that is not cached on the client machine, or after resetting a domain user's password), things are not working.
I have seen this KB about the need for a KDC proxy for accessing shared folders. Do I also need a KDC proxy to allow users to log in to their machines when they are at home (especially after a password change)?
Secondly, for the sake of troubleshooting, I sometimes needed to analyze packets from the FG to the backend servers while preserving the client's IP address. I found the document below, but it did not help because it talks about editing a proxy policy, while in 7.4 ZTNA configurations are under an ordinary firewall policy. Even when I tried to disable NAT, I still cannot see traffic between the firewall and the backend server when running a sniffer (filtered by client IP address and backend server IP address).
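The sniffer filter described in the post can be checked with the following FortiOS CLI commands. This is an added example, not part of the original post or of any Fortinet document it refers to; the addresses (10.10.10.20 as the backend server), the interface name (port1 as the interface facing the backend) and the port (445 for SMB) are placeholders chosen for illustration. The point it shows: the ZTNA access proxy terminates the client's TCP session on the FortiGate and opens its own session towards the server, so unless client IP preservation is in effect that server-side leg is sourced from the FortiGate's interface address, and a sniffer filter that also requires the client's address matches nothing.

```fortios
# Added example with placeholder values; not from the original post.
# 10.10.10.20 = backend server, port1 = interface facing the backend, 445 = SMB.

# 1) Capture the proxied leg by filtering on the backend host only.
#    Verbose level 4 prints packet headers with the interface name,
#    20 = packet count, l = local timestamps.
diagnose sniffer packet port1 'host 10.10.10.20 and port 445' 4 20 l

# 2) Confirm in the session table which source address the FortiGate
#    actually used towards the server (the proxied session, not the
#    client's original address, unless client IP preservation applies).
diagnose sys session filter dst 10.10.10.20
diagnose sys session filter dport 445
diagnose sys session list
diagnose sys session filter clear
```

If the capture in step 1 shows packets whose source is the FortiGate interface address rather than the client, the original two-host filter was simply too narrow; add the client's address to the filter only after client IP preservation has been confirmed in the session output of step 2.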
