We're setting up ZTNA and one of the hurdles we have run in to is file shares - currently we're mapping network drives to our local domain name (eg \\contoso.lan\Share)
I've been able to verify share access via a specific server FQDN but when i try to set up "contoso.lan" as a FQDN address on the firewall (verified it appears in HOSTS file), access is lost which was expected. Contoso.lan resolves to the DCs and not the file share servers.
I didn't find any documentation or examples for this specific scenario and scratching my head how I could get this to work.
Has anyone run in to this or have any suggestions to look in to or try?
Hi imsail,
please check the following guide related to your scenario:
Regards
Any fix? Kdc proxy only works for shared folder not for dfs namespaces.
I have the same issue and would like to hear the solution.
Hi folks,
I'm exploring solutions to this problem right now and would be grateful for any further insights.
DNS resolution and Namespace referrals currently don't work, though SMB and KDC are seamless.
Somehow forcing DNS over TCP and using another ZTNA destination for DNS, possible?
Thanks in advance.
Good news folks, I figured this out.
As the OP has stated, browsing to the domain root (\\domain.local for instance) needs to work as this is how the client attempts to get SMB referrals to the DFS root (\\domain.local\DFSRoot) and then further to actual shares (\\domain.local\DFSRoot\ShareName). The key is ensuring the client can resolve the DNS and talk to all of the SMB resources required.
In our network there are three domain controllers in the remote access site and one file server. The file server is the DFS root and was configured with AD integration as per MS best practice. Here's what we configured:
1) A DNS zone on the Fortigate for the forest root domain (domain.local for example).
2) DNS 'A' records for each of the relevant servers including all of the domain controllers in the site.
3) DNS 'A' record for the domain root '@' pointing to the PDC emulator. This one is critical.
4) Address objects of type FQDN for all of the servers in the full FQDN form (server01.domain.local for example).
5) This one is critical; an address object of type FQDN for the domain root (domain.local for example).
6) ZTNA server with a single server mapping of type TCP-forwarding. This mapping includes real server entries for all of your domain controllers. Critically, this also includes the address object for the domain root.
7) We've elected to add a second ZTNA server with a single server mapping of type TCP-forwarding. The second is specifically for the single file server but doesn't need to be separate.
8) We've configured a Kerberos KDC Proxy as per the Fortinet literature.
9) Of course, all of the FortiClient destinations for each of these resources, including the SMB domain root.
During testing we found that the ability to resolve the domain root via DNS and connect to the resolved servers via SMB are what matters. We also found that you may get an SMB referral to a different domain controller that the PDC emulator, for reasons I didn't bother to explore, so you'll need access to all of them. Once SMB is established to the domain controllers the client can request referrals to the DFS root and/or shares successfully.
I have a working config here, so I'm happy to answer any questions.
Do you have a step by step on what you did, we have problems with DFS working on VPN also
Hi David, has your solution remained stable?
I am curious if you have some general guidance (or reference from the FG) re the changes implemented. I have a client who has DFS namesspaces throughout various locations and is implementing ZTNA & DFS/Namespaces and their Forti VAR is having issues, so I am looking into this. You outlined DNS - assuming all the reference is within the zone created on the FG. Did you need to create records for the DFS namespaces themselves? Basically anything you would be willing to share would be helpful. (My lotto today would be a redacted config). Thanks for consideration.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.