Zero Trust: can it replace MS DirectAccess / Always On VPN?

We’re currently using DirectAccess and I’ve been tasked with replacing it (initial thoughts were Always On VPN), but thought I’d have a look around and stumbled upon this in my Cloudflare dashboard.

DirectAccess is great for clients getting Group Policy updates, which I don’t want to lose. There are a small number of staff who need access to RDS servers, and then the admin team who need access to various devices.

I suppose the question(s) is (are): can I use ZTNA so that clients ‘check in’ with domain controllers automatically (does the WARP client need to be enabled manually?), and also restrict access for other users so they can only access what they really have to?

ZTNA can solve the second topic of restricting access for you. The first, the check-in with the domain controller, will be more tricky.

Strictly speaking, clients can reach their domain controllers through WARP, but not the other way round: DCs will not be able to initiate a connection to reach the client. And from my multi-year understanding of MS AD, this isn’t feasible.

Generally, you have to understand that ZTNA is best paired with other modern technologies like AAD and Intune, i.e. on-prem-independent device management. You will also see that when you look at the device attestation connectors within ZTNA.

I tested ZT at the start of 2022 when looking to replace our legacy VPN. We are all on-prem but have a handful of remote workers, and I simply needed a like-for-like replacement for VPN. It could handle SMB, RDS, web and AD traffic. I still have the proof of concept running, and if you have any questions I may be able to answer them. I seem to remember there was an option with the ZT client where you could force it to be always on.

However as others have stated, outbound connections (from your domain to an endpoint) cannot be established, but that should not impact an endpoint getting a GPO update.

I agree. I’ll also mention endpoint-to-endpoint connectivity is on the WARP ZTNA roadmap, which could possibly solve this issue, but who knows, as there’s no info on it yet.

I would utilize Always On VPN + WARP ZTNA for OP’s needs for now. My workplace utilizes ZTNA for all devices and it’s perfect for our needs. AAD joined with Intune/Autopilot. cloudflared tunnels for access to various Azure/AWS infrastructure.

By ZT client, do you mean the 1.1.1.1 WARP VPN? I have successfully set up the cloudflared tunnel from our drive and implemented the Zero Trust login for online access. I would be very interested in getting WARP running, as it could replace our own VPN, but so far I haven’t been able to get the 1.1.1.1 WARP VPN to get access to my drive.

It seems that, besides the SSO / Google OAuth on the WARP app, a Cloudflare origin certificate needs to be installed on the device as well. Is this correct?

Also, what are the correct authentication settings on the Zero Trust dashboard when using the WARP 1.1.1.1 VPN as an access group?

Thanks

Yes, very good: the Always On VPN allowing access only to a cluster of RODCs, to minimize the impact of an attack propagating through the VPN, and WARP ZTNA for everything else. Then later on, set up a hybrid cloud infrastructure to get the full benefit of the device attestation capabilities.

Are you interested in doing a webmeeting troubleshooting session with me to finish your setup? Send me a DM.

Hey. I was referring to this functionality… https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/

Essentially, in the ZT dashboard, you create ‘tunnels’, then advertise routes that are available for those tunnels. The tunnel, in our case, is effectively the cloudflared service running on a Linux VM. Other things to configure on the portal are ‘Local Domain Fallback’ (found in Settings > Network) and Split Tunnels (found in the same place). Note that these settings were necessary for our specific requirements, but yours may not be the same.

You might find a previous post of mine about VPN replacement of some use: https://www.reddit.com/r/CloudFlare/comments/tk2x8o/cloudflare_ztnateams_as_vpn_replacement/

Thanks. Yes, we’re talking about the same thing, i.e. the WARP client. I’ve tried to configure it, but I seem to still have some blind spots that I need to work through, mostly re: the Cloudflare SSL cert that seems to have an issue with WARP.

Hi, I am in exactly your spot and, from what I can tell, have got to where you got with your labs and other post. I however hit a snag with IP overlap, and the risk of this whole solution not working with private resources over the WARP client because of that. Cloudflare, in the community posts, says I’d need to run a normal VPN client in addition to the Zero Trust client in those scenarios. I am in Azure, but the whole group-to-IP-subnet mapping on their P2S stuff is an epic failure and doesn’t work. But hey, it’s in preview. I am potentially going to go with my on-premises stuff still, or maybe keep rules on an on-premises client updated for scenarios where IP overlap exists.

Did you ever go full in with the CF ZT product? If not, what stopped you?

I loved and hated the product. Cloudflare’s marketing and the feature set of its ZTNA offering were really compelling. The documentation was sorely lacking, however, so the process took me way longer than it should have, as I was piecing together information from various other sources (Reddit, forums, blogs). Eventually I got it working. It’s been almost a year, so hopefully the documentation has improved :crossed_fingers:

What stopped me? We have a small but important remote site in mainland China with a dozen users. I didn’t have a lot of time to test whether, or how well, CF ZT would work in China. Maybe it would work well, maybe not at all, or, as I have discovered dealing with IT in China, it might work some of the time and not others. :man_shrugging:
Also, as I understand it, the ZT client will use a CF PoP to broker or negotiate a connection to the on-prem network. I just ran out of time to test.

Instead, I went with Twingate, which is excellent. Really robust, reliable and super easy to set up. Documentation is complete and helpful. The support team are responsive. It’s a paid solution, so I will probably re-evaluate CF ZT again before our renewal with Twingate, as we would fall under the <50 user free tier.

Hope this helps.

Thanks for the quick response!

Oh yes, I can see and know that China complexity for sure. I’ve peered at Twingate as well. Price-wise it’s a similar cost to Azure P2S for me, which I was totally willing to accept the cost of for sure. I’ll maybe give them a trial.

As for CF ZT, I followed the docs and didn’t have too much issue getting it working with my on-premises things. I got things flowing to external resources that require a static IP as well, by injecting the IP of the destination into the routes for my tunnels. So I think the docs have been much improved for sure since you last visited them as well. I noticed the tunnel daemon setup wasn’t so straightforward in the past.

The only thing that failed for me was the overlapping IP scenario, which I think is more WireGuard-driven, and maybe Twingate has the same issue, since I know they use WireGuard. I am almost to the point of just bagging it all and using my branch office VPN to give things time to grow. Thanks for the Twingate tip.
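Added example, not from this thread or from Cloudflare: a small check that ties together the tunnel routes and Split Tunnels settings described earlier in the thread and the IP-overlap snag discussed here. Given the routes advertised on a cloudflared tunnel, the WARP Split Tunnels exclude list and the subnet the roaming client is physically on, it reports which routes a broad exclude entry would swallow (so they never reach the tunnel), what the exclude list looks like with those routes carved out, and which routes collide with the client's own LAN. The exclude entries are a subset of the RFC 1918 / link-local ranges WARP excludes by default, and the office routes and home LAN are constructed inputs for illustration.

```python
"""Check cloudflared private-network routes against WARP Split Tunnels
settings and a roaming client's local LAN (added example, constructed inputs).

Two things can silently break private-network access over WARP:
  1. A route is covered by a Split Tunnels *exclude* entry, so WARP hands that
     traffic to the local network instead of sending it to Cloudflare.
  2. A route overlaps the subnet the client is sitting on (the classic
     home-router 192.168.1.0/24 clash), so the destination is ambiguous.
"""
import ipaddress

# Constructed inputs. The excludes are a subset of the RFC 1918 / link-local
# ranges WARP excludes by default; the routes are an assumed office network.
DEFAULT_EXCLUDES = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "100.64.0.0/10",
    "169.254.0.0/16",
]
TUNNEL_ROUTES = ["10.10.0.0/16", "192.168.1.0/24"]  # assumed: servers + an old lab VLAN
CLIENT_LAN = "192.168.1.0/24"                       # assumed: typical home router subnet


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _cidrs(networks):
    # Deterministic output: IPv4 before IPv6, then by address.
    return [str(n) for n in sorted(networks, key=lambda n: (n.version, n))]


def shadowed_routes(routes, excludes):
    """Tunnel routes that a Split Tunnels exclude entry fully covers.

    Two CIDR blocks are either disjoint or nested, so a subnet check is enough
    to say the route is handed to the local network and never reaches the tunnel.
    """
    excl = _nets(excludes)
    return _cidrs(
        r for r in _nets(routes)
        if any(e.version == r.version and r.subnet_of(e) for e in excl)
    )


def trimmed_excludes(excludes, routes):
    """Carve each tunnel route out of the exclude list.

    This mirrors the manual dashboard step of replacing a broad RFC 1918
    exclude with the pieces that do not contain your private routes.
    """
    result = _nets(excludes)
    for r in _nets(routes):
        kept = []
        for e in result:
            if e.version != r.version or not e.overlaps(r):
                kept.append(e)                      # unrelated, keep as-is
            elif r.subnet_of(e):
                kept.extend(e.address_exclude(r))   # punch a hole for the route
            # else: the exclude sits inside the route, so drop it entirely
        result = kept
    return _cidrs(result)


def lan_conflicts(routes, lan_cidr):
    """Tunnel routes that overlap the client's local subnet (the IP-overlap case)."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return _cidrs(
        r for r in _nets(routes) if r.version == lan.version and r.overlaps(lan)
    )


def report(routes=TUNNEL_ROUTES, excludes=DEFAULT_EXCLUDES, lan_cidr=CLIENT_LAN):
    """Bundle the checks for one client/tunnel combination."""
    fixed = trimmed_excludes(excludes, routes)
    return {
        "shadowed_before": shadowed_routes(routes, excludes),
        "shadowed_after": shadowed_routes(routes, fixed),
        "trimmed_excludes": fixed,
        "lan_conflicts": lan_conflicts(routes, lan_cidr),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The trimmed list is what you would paste into Settings > Network > Split Tunnels in place of the broad default entries; the LAN-conflict list is the case the tooling cannot fix for you, since a route that matches the client's own subnet is exactly the overlap scenario where a separate VPN client or a renumbered office range is needed.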

Tailscale is based on WireGuard, maybe that’s what you’re thinking of? Twingate uses QUIC, so worth a look at Twingate! Good luck.