This article describes how to configure DFS (Distributed File System) file share access through the ZTNA TCP access proxy, so that remote FortiClient endpoints reach the DFS namespace and its folder targets over SMB (TCP port 445) via the FortiGate instead of directly.
Scope
FortiOS v7.0 and later.
Solution
The following topology is used in this article for demonstration:
Make sure to configure the namespace servers and folder targets with the FQDN (fully qualified domain name) rather than the short hostname, as shown in the screenshots below. The FortiClient ZTNA destination rules configured later match the destination by FQDN, so a DFS referral that returned a short hostname would not match any rule and the endpoint would not send that SMB traffic through the access proxy.
In this example a DFS namespace named ZTNA is configured with two folders, one hosted on each domain controller.
Namespace Servers are configured using their FQDN:
Folder targets in the namespace folders are configured using the domain controllers' FQDNs:
ZTNA TCP access proxy configuration. The address group is defined first because the access proxy references it; DC01 and DC02 are the firewall address objects for the two domain controllers. The access proxy listens on 10.12.6.20:8444 and forwards accepted connections to port 445 on the domain controllers. Note that the proxy policy admits every endpoint carrying the EMS1_ZTNA_all_registered_clients tag, i.e. any registered client; use a narrower EMS tag if SMB access to the domain controllers should be limited to a subset of endpoints or to endpoints that meet a posture check.
    config firewall addrgrp
        edit "domain-controllers"
            set member "DC01" "DC02"
        next
    end
    config firewall vip
        edit "ztna-testing"
            set type access-proxy
            set server-type https
            set extip 10.12.6.20
            set extintf "wan1"
            set extport 8444
            set ssl-certificate "float-zone"
        next
    end
    config firewall access-proxy
        edit "ztna-testing"
            set vip "ztna-testing"
            config api-gateway
                edit 1
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "domain-controllers"
                            set mappedport 445
                        next
                    end
                next
            end
        next
    end
    config firewall proxy-policy
        edit 1
            set name "ztna"
            set proxy access-proxy
            set access-proxy "ztna-testing"
            set srcintf "virtual-wan-link"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "EMS1_ZTNA_all_registered_clients"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
Make sure to configure ZTNA destination rules on the FortiClient for every file share server (each DFS target host on port 445) plus one rule for the parent domain.
In this example, three ZTNA destination rules are configured, as shown in the screenshot below:
- The rules DC01:445 and DC02:445 each cover one domain controller, i.e. the hosts that the DFS root and folder targets point at.
- The rule for the parent domain covers the namespace path itself: the client opens the share as \\<domain>\ZTNA, the domain name resolves to the domain controllers, and the referral they return names the folder targets by FQDN, which the DC01 and DC02 rules then match.
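The FQDN requirement for the namespace targets and the list of ZTNA destination rules above are two views of the same data. The following PowerShell is an added example, not part of the Fortinet article: it walks a DFS namespace, flags any root or folder target that still uses a short hostname, and derives the set of host:445 destination rules the endpoint needs (one per target server plus the parent domain). The domain corp.example, the namespace \\corp.example\ZTNA, the host names dc01/dc02.corp.example and the sample target list are assumptions made for the example; the live helper requires the DFSN RSAT module on a domain-joined host, while the constructed sample runs offline.

```powershell
# Added example (not from the Fortinet article). Derives the FortiClient ZTNA
# destination rules a DFS namespace needs and flags targets that are not FQDNs.
# Assumed names: domain corp.example, namespace \\corp.example\ZTNA, servers
# dc01.corp.example and dc02.corp.example.

function Get-ZtnaRulesForDfsTargets {
    param(
        [Parameter(Mandatory)] [string]   $NamespacePath,  # e.g. \\corp.example\ZTNA
        [Parameter(Mandatory)] [string[]] $TargetPaths,    # DFS root and folder target UNC paths
        [int] $Port = 445                                  # SMB, as forwarded by the access proxy
    )
    $hosts   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $notFqdn = @()

    foreach ($t in $TargetPaths) {
        # UNC path \\server\share[\sub] -> the server is the first component
        $server = ($t.TrimStart('\') -split '\\')[0]
        # A target without a dot is a short hostname: no ZTNA rule will match the
        # referral, so report it instead of generating a rule for it.
        if ($server -notmatch '\.') { $notFqdn += $t; continue }
        [void]$hosts.Add($server)
    }

    # The client opens \\<domain>\<namespace>, so the parent domain needs a rule too.
    $domain = ($NamespacePath.TrimStart('\') -split '\\')[0]
    [void]$hosts.Add($domain)

    [pscustomobject]@{
        Rules   = @($hosts | Sort-Object | ForEach-Object { "${_}:$Port" })
        NotFqdn = $notFqdn
    }
}

# Live variant: read the targets from the domain-based namespace itself.
# Requires the DFSN module (RSAT DFS Management tools) and a domain-joined host.
function Get-ZtnaRulesForDfsNamespace {
    param([Parameter(Mandatory)] [string] $NamespacePath)
    $targets  = @(Get-DfsnRootTarget -Path $NamespacePath | Select-Object -ExpandProperty TargetPath)
    $targets += Get-DfsnFolder -Path "$NamespacePath\*" |
        ForEach-Object { Get-DfsnFolderTarget -Path $_.Path } |
        Select-Object -ExpandProperty TargetPath
    Get-ZtnaRulesForDfsTargets -NamespacePath $NamespacePath -TargetPaths $targets
}

# Constructed sample input (offline): one folder target still uses a short hostname.
$sample = @(
    '\\dc01.corp.example\ZTNA',     # namespace root target on DC01
    '\\dc02.corp.example\ZTNA',     # namespace root target on DC02
    '\\dc01.corp.example\Folder1',  # folder target, FQDN as required
    '\\DC02\Folder2'                # misconfigured: short hostname
)
$result = Get-ZtnaRulesForDfsTargets -NamespacePath '\\corp.example\ZTNA' -TargetPaths $sample
$result.Rules    # corp.example:445, dc01.corp.example:445, dc02.corp.example:445
$result.NotFqdn  # \\DC02\Folder2  (fix this target before relying on the ZTNA rules)
```

Run the live variant against the real namespace after the DFS configuration is done and before creating the ZTNA destination rules in EMS; an empty NotFqdn list and a Rules list that matches the rules on the FortiClient is the check that the two configurations line up.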
The DFS namespace ZTNA is now accessible from the remote endpoint through the parent domain path, as shown in the screenshots below. The namespace presents both shared folders, one hosted on each domain controller, and the SMB sessions to the folder targets are carried through the access proxy.