FortiGate
syadav
Staff
Article Id 322246
Description
This article describes how to configure DFS file share access through the ZTNA TCP access proxy.

 

Scope
FortiOS v7.0 and later.

 

Solution
The topology below is used in this article for demonstration:

 

syadav_0-1719261953023.png

 

For the complete DFS configuration, refer to the Microsoft documentation below:
DFS Namespaces overview

Make sure to configure the namespace servers and folder targets with the FQDN (fully qualified domain name) instead of the bare hostname, as shown in the screenshots below. The ZTNA destination rules on the client match on the FQDN, so a bare hostname in a DFS referral will not be proxied.

 

In the example below, the ZTNA namespace is configured with two folders, one from each domain controller.

 

syadav_1-1719261953024.png
syadav_2-1719261953026.png

 

 

Namespace servers are configured using their FQDNs:

syadav_3-1719261953027.png

 

Folder targets in the namespace folders are configured using the domain controllers' FQDNs.

 

syadav_4-1719261953027.png

 

syadav_5-1719261953028.png
ZTNA TCP access proxy configuration:


config firewall vip
    edit "ztna-testing"
        set type access-proxy
        set server-type https
        set extip 10.12.6.20
        set extintf "wan1"
        set extport 8444
        set ssl-certificate "float-zone"
    next
end

config firewall access-proxy
    edit "ztna-testing"
        set vip "ztna-testing"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "domain-controllers"
                        set mappedport 445
                    next
                end
            next
        end
    next
end

config firewall addrgrp
    edit "domain-controllers"
        set member "DC01" "DC02"
    next
end

config firewall proxy-policy
    edit 1
        set name "ztna"
        set proxy access-proxy
        set access-proxy "ztna-testing"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_all_registered_clients"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

 

For a basic ZTNA TCP access proxy configuration, refer to the documentation below:

ZTNA TCP forwarding access proxy example

 

Make sure to configure ZTNA destination rules on FortiClient for every file share server, plus one for the parent domain (the DFS namespace root is reached through the parent domain name).

In this example, three ZTNA destination rules are configured, as shown in the screenshot below:

  • Rules DC01:445 and DC02:445 each cover their respective domain controller.
  • The rule "domain" covers the parent domain.

 

syadav_6-1719261953030.png
For configuring ZTNA destination rules on FortiClient EMS, refer to the documentation below:
ZTNA Destinations
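As an added example (not part of this Fortinet article), the Python script below checks the two requirements above before rolling out the share: that the DFS namespace root and every folder target use an FQDN under the parent domain, and that each target has a matching FortiClient ZTNA destination rule on port 445. The domain, UNC paths and rule strings are constructed sample values, and the host:port rule notation is an assumption.

```python
import re

# Constructed sample data (not from the article): the parent domain, the DFS namespace
# root and folder targets as UNC paths, and FortiClient ZTNA destination rules as host:port.
DOMAIN = "example.local"
DFS_TARGETS = [
    r"\\example.local\ZTNA",               # namespace root, reached via the parent domain
    r"\\DC01.example.local\ZTNA-Folder1",  # folder target on DC01, FQDN (correct)
    r"\\DC02\ZTNA-Folder2",                # folder target on DC02, bare hostname (wrong)
    r"\\dc03.example.local\ZTNA-Folder3",  # folder target with no destination rule
]
ZTNA_RULES = ["DC01.example.local:445", "DC02.example.local:445", "example.local:445"]

# \\server\share[\...]: capture the server and the first path component.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)")


def parse_rule(text: str):
    """Parse 'host:port' into a (host, port) tuple; the host is lower-cased."""
    host, _, port = text.rpartition(":")
    return (host.lower(), int(port))


def unc_host(path: str):
    """Return the server part of a UNC path (lower-cased), or None if not UNC."""
    m = UNC_RE.match(path)
    return m.group("host").lower() if m else None


def is_fqdn(host: str, domain: str) -> bool:
    """True for the parent domain itself (namespace root) or any host under it."""
    d = domain.lower()
    return host == d or host.endswith("." + d)


def check_targets(targets, rule_texts, domain, port=445):
    """Return (path, problem) pairs for targets the ZTNA client could not proxy."""
    rules = {parse_rule(r) for r in rule_texts}
    findings = []
    for path in targets:
        host = unc_host(path)
        if host is None:
            findings.append((path, "not a UNC path"))
        elif not is_fqdn(host, domain):
            findings.append((path, "target uses a bare hostname; use the FQDN"))
        elif (host, port) not in rules:
            findings.append((path, f"no ZTNA destination rule for {host}:{port}"))
    return findings


if __name__ == "__main__":
    for path, problem in check_targets(DFS_TARGETS, ZTNA_RULES, DOMAIN):
        print(f"{path}: {problem}")
```

Run it against the namespace and folder targets exported from DFS Management and the destination rules from EMS; any line printed is a share that will open locally but fail through the access proxy.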

 

The DFS ZTNA share is now accessible on the remote endpoint using the parent domain, as shown in the screenshots below. This share contains two shared folders, one on each domain controller:

 

syadav_7-1719261953031.png

 

syadav_8-1719261953032.png

 

syadav_9-1719261953033.png