Active Directory Domain Services Support with ZTNA Connector
Learn how Prisma Access ZTNA Connector provides support for Microsoft Active Directory Domain Services using DNS SRV resolution and data center IP addresses.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access version 6.0
  • Prisma Access licenses include 10 connectors, 10,000 FQDNs, and 1024 IP subnets. A minimum version of Prisma Access 5.2 is required to get 10,000 FQDNs. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
  • The Private App add-on license includes 200 ZTNA Connectors, 10,000 FQDNs, and 1024 IP subnet functionality.
Microsoft Active Directory Domain Services (AD DS) relies on a two-phase DNS resolution process that requires special handling in Prisma Access ZTNA deployments. When a Microsoft client joins a domain, it first makes a DNS SRV query to identify domain controllers offering specific services, followed by Connectionless Lightweight Directory Access Protocol (CLDAP) queries to locate the optimal domain controller in the user's AD site.
Prisma Access ZTNA Connector now provides enhanced support for AD DS environments through two key capabilities. First, it supports end-to-end DNS SRV resolution, enabling users to discover domain controllers and their services. Second, it provides a Use Data Center IP feature for application targets that avoids destination network address translation (DNAT) of domain controller addresses, which Microsoft's AD architecture requires to be reachable untranslated.
In traditional ZTNA deployments, application targets are assigned Prisma Access anycast IP addresses, and traffic undergoes DNAT. However, AD services might not function correctly over DNAT. The Use Data Center IP feature addresses this by treating the domain controller's actual data center IP address as the fabric IP address, eliminating the need for DNAT in the connection path.
To successfully implement ZTNA Connector for AD environments:
  • Understand your AD network design.
  • Co-locate ZTNA Connector groups in those sites within AD site subnets close to AD resources.
  • Configure the DNS servers for the ZTNA Connectors. The DNS servers must resolve both the public PANW cloud service FQDNs and the private data center Microsoft AD FQDNs; how this is split between servers depends on whether you use a 1-arm or 2-arm configuration.
    ZTNA Connector requires access to DNS servers for resolving public DNS (to connect to PANW cloud controllers) and private DNS (for Microsoft AD). In 1-arm configurations, the single DNS server (typically a domain controller) must resolve both public and private FQDNs. In 2-arm configurations, the port 1 DNS server resolves public FQDNs, while the port 2 DNS server (the domain controller) resolves private Microsoft AD resources.
  • Map wildcard and/or FQDN ZTNA Connector application targets to the domain names served by the sites' domain controllers.
ZTNA Connector also includes wildcard and FQDN application target port settings for Microsoft AD services, such as DNS, Kerberos, LDAP, SMB, and others, saving you time during configuration while enabling customization as needed.
ZTNA Connector forwards the SRV request to the domain controllers and returns the domain controllers' DNS SRV response to the Microsoft Windows client. With this information, the Microsoft client is able to join the AD domain.
You need to use the domain controller's data center IP address when communicating with the domain controllers.
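As an added example that is not part of this documentation, the Python below parses a constructed DNS SRV response of the kind a domain-joining Windows client receives for the standard DC locator name _ldap._tcp.dc._msdcs.<domain>, then checks whether each domain controller's A record lies inside the AD site subnets, which is what a target that keeps the data center IP should return. The domain corp.example, the subnets and the addresses are constructed sample values, not taken from any real environment.

```python
import ipaddress, struct

def _name(labels):  # encode a DNS name as length-prefixed labels plus the terminating zero
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _rr(owner, rtype, rdata, ttl=600):  # one class-IN resource record from encoded owner and rdata
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample (not a real capture) answering _ldap._tcp.dc._msdcs.corp.example with two
# SRV records and their A records. 0xC00C points at the question name, 0xC021 at "corp.example".
SAMPLE = (
    b"\x12\x34\x81\x80" + struct.pack("!HHHH", 1, 2, 0, 2)
    + _name(["_ldap", "_tcp", "dc", "_msdcs", "corp", "example"]) + struct.pack("!HH", 33, 1)
    + _rr(b"\xC0\x0C", 33, struct.pack("!HHH", 0, 100, 389) + b"\x03dc1\xC0\x21")
    + _rr(b"\xC0\x0C", 33, struct.pack("!HHH", 0, 100, 389) + b"\x03dc2\xC0\x21")
    + _rr(b"\x03dc1\xC0\x21", 1, bytes([10, 10, 1, 5]))     # inside an AD site subnet
    + _rr(b"\x03dc2\xC0\x21", 1, bytes([100, 64, 0, 7]))    # outside: a translated, non-data-center address
)
SITE_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]  # assumed AD site subnets for this sample

def read_name(msg, off, end=None):  # decode a possibly compressed name -> (name, offset past it)
    labels = []
    while (n := msg[off]) != 0:
        if (n & 0xC0) == 0xC0:              # compression pointer: remember where the caller resumes
            end = end or off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels), end or off + 1

def parse_srv_response(msg):  # -> ([(priority, weight, port, target)], {name: [ipv4, ...]})
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, srv, addrs = 12, [], {}
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4        # skip question name, QTYPE and QCLASS
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:                         # SRV: priority, weight, port, target name
            srv.append(struct.unpack("!HHH", msg[off:off + 6]) + (read_name(msg, off + 6)[0],))
        elif rtype == 1:                        # A record for a domain controller
            addrs.setdefault(name, []).append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return srv, addrs

def check_data_center_ips(srv, addrs, site_subnets):  # per SRV target: all A records inside AD site subnets?
    nets = [ipaddress.ip_network(s) for s in site_subnets]
    return {t: bool(addrs.get(t)) and all(any(ipaddress.ip_address(a) in n for n in nets)
                                          for a in addrs[t]) for *_, t in srv}
```

A target that comes back False is one whose resolved address is not a data center IP, so the client would be talking to the domain controller through a translated address.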
Configuring Application Targets
When configuring the application targets:
  1. Review the ZTNA Connector Requirements and Guidelines.
  2. Configure ZTNA Connector.
  3. Go to Configuration > Wildcard Targets and Create Wildcard Target.
  4. Add a unique Name, assign a Connector Group, and add a domain in Wildcard.
  5. If you're adding a wildcard target or an FQDN target to access a Microsoft AD data center, Enable Microsoft AD Firewall Ports to prepopulate TCP and UDP ports required for AD, and then Confirm.
  6. If you are adding a wildcard target or an FQDN target to access a Microsoft AD data center, enable Keep Data Center IP Address, and then Confirm.
    For Microsoft AD networks, it's essential to use this option. The Microsoft client must communicate with the domain controllers using the domain controller's native data center IP address within the network, without DNAT translation of that address. If the application is compatible with DNS proxy and DNAT translation, this option isn't necessary.
    When you enable Keep Data Center IP Address, the applications don't get an IP address from the application pool. Instead, the original IP address of the application, as resolved by the ZTNA Connector, is advertised in the Prisma Access infrastructure.
    For FQDN applications learned from Keep Data Center IP Address wildcards or manually added FQDNs set as Keep Data Center IP Address targets, the IP address displayed in the application table indicates the specific data center IP address.