Secure Private Access (ZPA)
Configuring Access to Distributed File Servers
The following methods can be used to configure access to Distributed File Servers (DFS) while using Kerberos for authentication:
- Using a Wildcard Domain
Within ZPA, define an application in the application segment using a wildcard domain and associated ports, for example:
- Configure Separate Applications for DFS (with Kerberos) and SRV Resolution
This configuration can be used when the same server is set up as a file server and domain controller.
Configuring the DFS with Kerberos
Within ZPA, define an application in the application segment for DFS with Kerberos using wildcard domains and ports, for example:
Enabling SRV Resolution
ZPA requires an application to be defined as a wildcard with any port to resolve SRV records. So, for this application segment configuration, you are using a dummy port, Port 1, for SRV record DNS resolution. For example:
- Configure Separate Applications for File Servers and Domain Controllers, and SRV Resolution
This configuration can be used when the domain controller and file server are set up on separate servers, as detailed in the image below.
Configuring the File Server
Within ZPA, define an application for the file server using wildcard domains and ports, for example:
Configuring Kerberos on the Domain Controller
Within ZPA, define an application in the application segment for Kerberos on the domain controller using wildcard domains and ports, for example:
Enabling SRV Resolution
ZPA requires an application to be defined as a wildcard with any port to resolve SRV records. So, for this application segment configuration, you are using a dummy port, Port 1, for SRV record DNS resolution. For example:
Zscaler recommends a dedicated App Connector Group for the File Server applications. These applications can be latency sensitive and may experience performance degradation if the associated App Connectors provide access to other applications as well.
The following list provides port descriptions for TCP and UDP:
- TCP/88: Kerberos
- TCP/464: Kerberos Password Change
- TCP/389: LDAP
- TCP/3268: Global Catalog
- TCP/3269: Global Catalog SSL (Optional)
- TCP/135: MSRPC
- TCP/139: Common Internet File System (CIFS)
- TCP/445: CIFS
- UDP/88: Kerberos
- UDP/464: Kerberos Password Change
- UDP/389: LDAP
- UDP/636: LDAPS (Optional)
- UDP/138: NetBT datagram (File Server)
- UDP/123: NTP Service
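As an added example (not Zscaler's code and not the ZPA API format), the following Python script encodes the port list above and checks a set of application segment definitions for the two requirements this page repeats: every required port covered for the file server and the domain controller, and a wildcard application with at least one port so that SRV records resolve. The segment dictionary layout and the split of ports between the two roles are assumptions made for the example.

```python
from fnmatch import fnmatch

# Port split between the two roles is this example's assumption, derived from
# the page's separate "file server" and "Kerberos on the domain controller" apps.
FILE_SERVER_PORTS = {"tcp": {135, 139, 445}, "udp": {138}}
DOMAIN_CONTROLLER_PORTS = {"tcp": {88, 464, 389, 3268}, "udp": {88, 464, 389, 123}}
SRV_DUMMY_PORT = 1  # the dummy port the page uses for SRV record resolution


def _covers(segment, host):
    """True if the segment's (possibly wildcard) domain pattern matches host."""
    return fnmatch(host.lower(), segment["domain"].lower())


def check_access(segments, file_server, domain_controller, domain):
    """Return a list of findings; an empty list means every required port is
    covered for both hosts and an SRV-capable wildcard application exists.
    Each segment is a hypothetical dict: {"domain": str, "tcp": set, "udp": set}."""
    findings = []
    roles = (("file server", file_server, FILE_SERVER_PORTS),
             ("domain controller", domain_controller, DOMAIN_CONTROLLER_PORTS))
    for role, host, needed in roles:
        matching = [s for s in segments if _covers(s, host)]
        for proto in ("tcp", "udp"):
            covered = set().union(*(s[proto] for s in matching))
            for port in sorted(needed[proto] - covered):
                findings.append(f"{role} {host}: {proto.upper()}/{port} not covered")
    # SRV records such as _kerberos._tcp.<domain> only resolve through a
    # wildcard application that defines at least one port (the page uses port 1).
    srv_name = f"_kerberos._tcp.{domain}"
    if not any(s["domain"].startswith("*") and _covers(s, srv_name)
               and (s["tcp"] or s["udp"]) for s in segments):
        findings.append(f"no wildcard application covers SRV lookups for {domain}")
    return findings


def dfs_with_srv_segments(domain):
    """Constructed sample of the page's second method: one wildcard app for
    DFS with Kerberos plus a wildcard app on the dummy port for SRV resolution."""
    return [
        {"domain": f"*.{domain}",
         "tcp": FILE_SERVER_PORTS["tcp"] | DOMAIN_CONTROLLER_PORTS["tcp"],
         "udp": FILE_SERVER_PORTS["udp"] | DOMAIN_CONTROLLER_PORTS["udp"]},
        {"domain": f"*.{domain}", "tcp": {SRV_DUMMY_PORT}, "udp": set()},
    ]
```

Feed it the segments exported from your own tenant (mapped into the dict layout above) to catch a missing port or a forgotten SRV wildcard before users report failed Kerberos logons or DFS referrals.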
To learn more, see Configuring Application Segments.