If users are remote from the office LAN, the user's device cannot simply talk to the Domain Controller (AD). When the user connects through AppGate ZTNA with only limited application access, the device still cannot talk to AD, even if the user has just signed in using AD as the Identity Provider (IdP). This means that 'network-like' services, such as users changing their password or Group Policy updates being pushed to the device, will not work.
As with any application, for a user's device to talk to AD the right Actions need to be included in a suitable Entitlement. Once this is done correctly, the user's device should behave much the same as if it were on the office LAN, even when connected through AppGate ZTNA. However, AD was never designed with this use case in mind, so the list of required ports is quite extensive.
Here are the Actions you should include in your AD Entitlement. Not every Action is needed in every environment:

- Should be in place already in your DNS Entitlement
- Likely requirement for more recent network installations
- May be required in specific situations

| PROTOCOL | DIRECTION | PORT | APPLIES TO | USE |
|---|---|---|---|---|
| TCP | UP | 53 | DNS | |
| UDP | UP | 53 | DNS | |
| TCP | UP + DOWN | 42 | Win NT | WINS |
| TCP + UDP | UP + DOWN | 88 | KERBEROS | |
| UDP | UP + DOWN | 123 | WINDOWS TIME | |
| TCP | UP + DOWN | 135 | RPC/EPM | |
| UDP | UP + DOWN | 137 | Win NT | VARIOUS |
| UDP | UP + DOWN | 138 | Win NT | VARIOUS |
| TCP + UDP | UP + DOWN | 139 | Win NT | VARIOUS |
| TCP + UDP | UP + DOWN | 389 | LDAP | |
| TCP | UP + DOWN | 445 | SMB | |
| TCP + UDP | UP + DOWN | 464 | KERBEROS PW CHANGE | |
| TCP | UP + DOWN | 636 | LDAPS | |
| TCP + UDP | UP + DOWN | 1512 | Win NT | WINS REPLICATION |
| TCP | UP + DOWN | 3268 | LDAP GC | |
| TCP | UP + DOWN | 3269 | LDAPS GC | |
| TCP | UP + DOWN | 5722 | RPC | |
| ICMP | UP | 0-255 | Win 2000/XP clients | GROUP POLICY |
| TCP | UP + DOWN | 1024-5000 | 2003 and before | RPC Dynamically-assigned |
| TCP | UP + DOWN | 49152-65535 | 2008 and later | RPC Dynamically-assigned |
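Once the Entitlement is in place, the practical question is whether a client connected through the tunnel can actually reach its Domain Controller on these ports. The PowerShell script below is an added example, not part of the AppGate article or product: run it on a domain-joined Windows device while connected through AppGate ZTNA. It probes the TCP ports from the table that a current Windows client uses (the Win NT-era WINS/NetBIOS rows are left out) and then exercises the UDP-based services (DNS, Windows Time, Kerberos) and a Group Policy refresh with the tools Windows already ships, since `Test-NetConnection` cannot test UDP. The `$DomainName` and `$DomainController` parameters are assumptions about your environment; by default they are discovered from the device's own domain membership.

```powershell
# Added example (not from the AppGate article): verify from a ZTNA-connected client
# that the AD Entitlement allows the ports listed in the table above.
# Assumes a domain-joined device whose DNS Entitlement already resolves the domain.
param(
    [string]$DomainName = $env:USERDNSDOMAIN,
    [string]$DomainController = $null
)

if (-not $DomainController) {
    # Locate a DC the same way the OS does (DNS SRV lookup followed by an LDAP ping).
    $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
}
Write-Host "Testing against $DomainController for domain $DomainName"

# TCP ports taken from the Entitlement table. The dynamic RPC ranges are not probed:
# nothing listens on a given port there until the Endpoint Mapper (135) hands it out,
# so a blind connect would fail even when the Entitlement is correct.
$TcpChecks = @(
    @{ Port = 53;   Use = 'DNS' },
    @{ Port = 88;   Use = 'Kerberos' },
    @{ Port = 135;  Use = 'RPC Endpoint Mapper' },
    @{ Port = 139;  Use = 'NetBIOS session (often disabled on modern DCs)' },
    @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 445;  Use = 'SMB (SYSVOL, Group Policy)' },
    @{ Port = 464;  Use = 'Kerberos password change' },
    @{ Port = 636;  Use = 'LDAPS' },
    @{ Port = 3268; Use = 'LDAP Global Catalog (GC servers only)' },
    @{ Port = 3269; Use = 'LDAPS Global Catalog (GC servers only)' }
)

$Results = foreach ($c in $TcpChecks) {
    $t = Test-NetConnection -ComputerName $DomainController -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port = $c.Port
        Use  = $c.Use
        Open = $t.TcpTestSucceeded
    }
}
# A closed port is only a problem if the DC actually offers that service:
# e.g. 3268/3269 answer only on Global Catalog servers.
$Results | Format-Table -AutoSize

# UDP 53: the SRV record the domain logon process depends on, asked of the DC directly.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DomainController |
    Select-Object Name, NameTarget, Port | Format-Table -AutoSize

# UDP 123: one NTP sample from the DC. A clock skew beyond the Kerberos tolerance
# (5 minutes by default) makes ticket requests fail even when port 88 is open.
w32tm /stripchart /computer:$DomainController /samples:1 /dataonly

# UDP/TCP 88: request a fresh service ticket for LDAP on the DC.
klist get "ldap/$DomainController"

# RPC 135 plus the dynamic range and SMB 445: a Group Policy refresh uses all of them,
# so its success or failure is the end-to-end check for the RPC rows in the table.
gpupdate /target:computer /force
```

Read the TCP table first: if 88, 389 and 445 are closed, the Entitlement is missing the core Actions; if only the dynamic-range symptoms appear (Endpoint Mapper on 135 open but `gpupdate` fails), the RPC range row is the one to check.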