Secure Private Access (ZPA)

Configuring Access to Distributed File Servers

The following methods can be used to configure access to Distributed File Servers (DFS) while using Kerberos for authentication:

  • Within ZPA, define an application in the application segment using a wildcard domain and associated ports, for example:

    Wildcard Domain Configuration for DFS

  • This configuration can be used when the same server is set up as a file server and domain controller.

    Configuring the DFS with Kerberos

    Within ZPA, define an application in the application segment for DFS with Kerberos using wildcard domains and ports, for example:

    Wildcard Domain Configuration for DFS with Kerberos

    Enabling SRV Resolution

    ZPA requires an application to be defined as a wildcard with any port to resolve SRV records. So, for this application segment configuration, use a dummy port (Port 1) for SRV record DNS resolution. For example:

    Enabling SRV Resolution

  • This configuration can be used when the domain controller and file server are set up on separate servers, as detailed in the image below.

    Distributed File Server (DFS) and Domain Controller (DC) on Separate Servers

    Configuring the File Server

    Within ZPA, define an application for the file server using wildcard domains and ports, for example:

    Configuring an Application for DFS

    Configuring Kerberos on the Domain Controller

    Within ZPA, define an application in the application segment for Kerberos on the domain controller using wildcard domains and ports, for example:

    Configuring Kerberos on the Domain Controller

    Enabling SRV Resolution

    ZPA requires an application to be defined as a wildcard with any port to resolve SRV records. So, for this application segment configuration, use a dummy port (Port 1) for SRV record DNS resolution. For example:

    Enabling SRV Resolution


Zscaler recommends a dedicated App Connector Group for the File Server applications. These applications can be latency sensitive and may experience performance degradation if the associated App Connectors provide access to other applications as well.

The following list provides port descriptions for TCP and UDP:

  • TCP/88: Kerberos
  • TCP/464: Kerberos Password Change
  • TCP/389: LDAP
  • TCP/3268: Global Catalog
  • TCP/3269: Global Catalog SSL (Optional)
  • TCP/135: MSRPC
  • TCP/139: Common Internet File System (CIFS)
  • TCP/445: CIFS
  • UDP/88: Kerberos
  • UDP/464: Kerberos Password Change
  • UDP/389: LDAP
  • UDP/636: LDAPS (Optional)
  • UDP/138: NetBT datagram (File Server)
  • UDP/123: NTP Service
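The following lint script is an added example and not Zscaler's code or API: it checks a set of application segment definitions against the rules in this article (wildcard domains, a wildcard segment exposing dummy Port 1 for SRV resolution, and coverage of the required TCP/UDP ports above). The segment dictionaries are a constructed, simplified representation; the real ZPA portal and API schema differ.

```python
"""Lint constructed ZPA-style segment definitions for DFS over Kerberos.

Added example, not Zscaler's code. Each segment is a dict with a domain and
inclusive (low, high) port ranges; this shape is constructed for the example.
"""
from __future__ import annotations

# Ports the article lists; TCP/3269 and UDP/636 are marked optional there.
REQUIRED_TCP = {88, 464, 389, 3268, 135, 139, 445}
REQUIRED_UDP = {88, 464, 389, 138, 123}
SRV_DUMMY_PORT = 1  # the article's dummy port for SRV record resolution


def covered(ranges: list[tuple[int, int]], port: int) -> bool:
    """True if port falls inside any inclusive (low, high) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def lint_segments(segments: list[dict]) -> list[str]:
    """Return findings; an empty list means the article's rules are met."""
    findings = []
    srv_ok = False
    for seg in segments:
        dom = seg["domain"]
        if not dom.startswith("*."):
            findings.append(f"{dom}: not a wildcard domain (expected *.<domain>)")
        if covered(seg.get("tcp_ports", []), SRV_DUMMY_PORT):
            srv_ok = True  # wildcard segment with Port 1 enables SRV resolution
    if not srv_ok:
        findings.append("no wildcard segment exposes dummy Port 1 for SRV resolution")
    for proto, required in (("tcp_ports", REQUIRED_TCP), ("udp_ports", REQUIRED_UDP)):
        missing = sorted(p for p in required
                         if not any(covered(s.get(proto, []), p) for s in segments))
        if missing:
            findings.append(f"{proto[:3].upper()} ports missing from every segment: {missing}")
    return findings


# Constructed sample: a DC/file server segment lacking UDP/123 and the SRV
# dummy port, and a second definition that adds both.
INCOMPLETE = [{"domain": "*.corp.example",
               "tcp_ports": [(88, 88), (135, 139), (389, 389), (445, 445),
                             (464, 464), (3268, 3268)],
               "udp_ports": [(88, 88), (138, 138), (389, 389), (464, 464)]}]
COMPLETE = INCOMPLETE + [{"domain": "*.corp.example",
                          "tcp_ports": [(1, 1)], "udp_ports": [(123, 123)]}]

if __name__ == "__main__":
    for name, cfg in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, lint_segments(cfg) or "OK")
```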

To learn more, see Configuring Application Segments.
