Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ZTNA & DFS/Namespaces for file shares
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ZTNA & DFS/Namespaces for file shares
We're setting up ZTNA and one of the hurdles we have run in to is file shares - currently we're mapping network drives to our local domain name (eg \\contoso.lan\Share)
I've been able to verify share access via a specific server FQDN but when i try to set up "contoso.lan" as a FQDN address on the firewall (verified it appears in HOSTS file), access is lost which was expected. Contoso.lan resolves to the DCs and not the file share servers.
I didn't find any documentation or examples for this specific scenario and scratching my head how I could get this to work.
Has anyone run in to this or have any suggestions to look in to or try?
https://xender.vip/
Labels:
- Labels:
-
FortiGate
2102
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi imsail,
please check the following guide related to your scenario:
Regards
sx11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any fix? Kdc proxy only works for shared folder not for dfs namespaces.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same issue and would like to hear the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi folks,
I'm exploring solutions to this problem right now and would be grateful for any further insights.
DNS resolution and Namespace referrals currently don't work, though SMB and KDC are seamless.
Somehow forcing DNS over TCP and using another ZTNA destination for DNS, possible?
Thanks in advance.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good news folks, I figured this out.
As the OP has stated, browsing to the domain root (\\domain.local for instance) needs to work as this is how the client attempts to get SMB referrals to the DFS root (\\domain.local\DFSRoot) and then further to actual shares (\\domain.local\DFSRoot\ShareName). The key is ensuring the client can resolve the DNS and talk to all of the SMB resources required.
In our network there are three domain controllers in the remote access site and one file server. The file server is the DFS root and was configured with AD integration as per MS best practice. Here's what we configured:
1) A DNS zone on the Fortigate for the forest root domain (domain.local for example).
2) DNS 'A' records for each of the relevant servers including all of the domain controllers in the site.
3) DNS 'A' record for the domain root '@' pointing to the PDC emulator. This one is critical.
4) Address objects of type FQDN for all of the servers in the full FQDN form (server01.domain.local for example).
5) This one is critical; an address object of type FQDN for the domain root (domain.local for example).
6) ZTNA server with a single server mapping of type TCP-forwarding. This mapping includes real server entries for all of your domain controllers. Critically, this also includes the address object for the domain root.
7) We've elected to add a second ZTNA server with a single server mapping of type TCP-forwarding. The second is specifically for the single file server but doesn't need to be separate.
8) We've configured a Kerberos KDC Proxy as per the Fortinet literature.
9) Of course, all of the FortiClient destinations for each of these resources, including the SMB domain root.
During testing we found that the ability to resolve the domain root via DNS and connect to the resolved servers via SMB are what matters. We also found that you may get an SMB referral to a different domain controller that the PDC emulator, for reasons I didn't bother to explore, so you'll need access to all of them. Once SMB is established to the domain controllers the client can request referrals to the DFS root and/or shares successfully.
I have a working config here, so I'm happy to answer any questions.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a step by step on what you did, we have problems with DFS working on VPN also
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi David, has your solution remained stable?
I am curious if you have some general guidance (or reference from the FG) re the changes implemented. I have a client who has DFS namesspaces throughout various locations and is implementing ZTNA & DFS/Namespaces and their Forti VAR is having issues, so I am looking into this. You outlined DNS - assuming all the reference is within the zone created on the FG. Did you need to create records for the DFS namespaces themselves? Basically anything you would be willing to share would be helpful. (My lotto today would be a redacted config). Thanks for consideration.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- no configuration menu option on Fortimail... 76 Views
- #FortiPAM Launcher Multi-Port Configuration 75 Views
- FortiSandbox File On-Demand 115 Views
- Forti Authenticator implementation 157 Views
- It take too long to get... 255 Views
Labels
-
FortiGate
8,359 -
FortiClient
1,691 -
5.2
801 -
FortiManager
705 -
5.4
639 -
FortiAnalyzer
534 -
FortiSwitch
452 -
FortiAP
447 -
6.0
416 -
FortiClient EMS
394 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
194 -
IPsec
177 -
FortiNAC
171 -
FortiGuard
133 -
6.4
128 -
SD-WAN
105 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
50 -
High Availability
50 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiPAM
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
FortiGate v5.0
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
Explicit proxy
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1634 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.