Using with Active Directory
Overview
When enabling Active Directory (AD) services over the DefensX ZTNA network, certain configuration parameters must be set carefully to ensure proper functionality.
This document provides step-by-step guidance on how to create a Secure Access Service that makes Active Directory resources accessible through the ZTNA network.
Ports Used by Active Directory
To enable Active Directory services over ZTNA, it’s essential to understand which ports and port ranges are required for specific AD functions. The table below lists the commonly used ports and their corresponding purposes within Active Directory operations:
Port | Protocol | Service | Description |
---|---|---|---|
53 | UDP | DNS | Domain Name System, used for locating the Domain Controller and resources. |
88 | TCP/UDP | Kerberos | Used for authentication between the client and the DC. |
135 | TCP | RPC Endpoint Mapper | Used to locate the port of a specific RPC service. The client queries this port to find out which dynamic port a service (like Task Scheduler for remote GP update) is listening on. |
389 | TCP/UDP | LDAP | Lightweight Directory Access Protocol, used for reading policy information from the DC. |
636 | TCP | LDAPS | Secure LDAP (LDAP over SSL). |
445 | TCP | SMB | Used to access shared files; crucial for reaching the SYSVOL share, where the actual Group Policy templates and files are stored. |
49152–65535 | TCP/UDP | RPC | Dynamic ports (high ports) used by various RPC services after the client contacts the RPC Endpoint Mapper (port 135). Services like NetLogon, LSA, and SAM use these dynamic ports for communication. |
Creating the Secure Access Service for Active Directory
To enable Group Policy updates, domain join, and domain leave operations over the DefensX ZTNA network, you must create a Secure Access Service as described below.
In the example configuration:
- DNS Server IP: 10.20.1.1
- AD Domain Name: defensx.us
Note: Replace these values with those corresponding to your own environment.
Configuration Steps
- Navigate to the Configuration page under the Secure Access section in the DefensX Backend.
- Click New Secure Access Service.
- In the Name field, enter a descriptive name such as Active Directory.
- In the Agent field, select the Connector that can reach your Active Directory services on the local network. If you don’t have a connector yet, go to Policies & Deployments, open the desired deployment, locate the agent, and mark it as a Connector.
- In Application Restrictions, select No Restriction.
- In Status, select Active.
- In DNS Hostname or IP Address, enter the local IP of your Microsoft DNS Server (e.g., 10.20.1.1).
- In Protocol, select TCP_UDP.
- In Target Service IP or Hostname, enter your Microsoft DNS Server IP again (e.g., 10.20.1.1).
- In Port(s), enter 53, 88, 135, 389, 445, 636, 49152-65535.
- Under the ports field, click Add DNS Overrides.
- In DNS Suffix, enter your domain name prefixed with a dot (e.g., .defensx.us).
- In Nameserver, enter the Microsoft DNS Server IP (e.g., 10.20.1.1).
- Click Create Secure Access Service to save the configuration.
After creating the service:
- You must enable it under a Secure Access Policy.
- If no policy exists, click New Secure Access Policy, give it a name, and then add this service to that policy.
Microsoft DNS Server Configuration
By default, the Microsoft DNS Server listens on all available IP addresses.
When the DefensX Agent is installed, Windows may detect the DefensX tunnel interface (100.80.0.1) and automatically start advertising it as one of the DNS listening IPs.
As a result, when an Active Directory client performs a DNS query, it may receive a response pointing to 100.80.0.1, a virtual IP that cannot be reached directly.
This behavior is a side effect of the default “listen on all interfaces” configuration in Microsoft DNS and is not a DefensX-specific issue. It is also not considered best practice.
Solution
To prevent this issue:
- Open the DNS Manager on your Windows Server.
- Right-click the server name and choose Properties.
- Go to the Interfaces tab.
- Change Listen on from All IP Addresses to Only the following IP addresses.
- Select the specific local IP addresses that should handle DNS queries (exclude 100.80.0.1).
- Restart the DNS Server service.
- (Optional) On client machines, run the ipconfig /flushdns command to clear cached DNS entries for quicker testing.

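The same interface restriction can be applied and verified from PowerShell with the DnsServer module, which is convenient when several domain controllers need the fix. This is an added example, not part of the DefensX documentation; it assumes the DNS server's LAN address is 10.20.1.1 and the domain is defensx.us, as in the example configuration above, and is run elevated on the DNS server.

```powershell
# Added example (not DefensX's own code): restrict the Microsoft DNS Server
# listening addresses via the DnsServer module, then verify that the DefensX
# tunnel IP (100.80.0.1) is no longer handed out for the DC locator records.
# Assumed values: LAN address 10.20.1.1, domain defensx.us.
$TunnelIp  = '100.80.0.1'
$ListenIps = @('10.20.1.1')   # local addresses that should answer DNS queries
$Domain    = 'defensx.us'

# With the default "listen on all interfaces" setting, ListeningIPAddress
# contains every address on the host, including the tunnel interface.
$settings = Get-DnsServerSetting -All
Write-Host "Currently listening on: $($settings.ListeningIPAddress -join ', ')"

if ($settings.ListeningIPAddress -contains $TunnelIp) {
    Write-Host "Tunnel IP $TunnelIp is being advertised; restricting listeners."
}

# Equivalent of Properties > Interfaces > "Only the following IP addresses".
$settings.ListeningIPAddress = $ListenIps
Set-DnsServerSetting -InputObject $settings

# The change takes effect once the DNS Server service is restarted.
Restart-Service -Name DNS

# Verification: resolve the DC locator SRV record and each target's A records.
# A client must receive a reachable LAN address, never the tunnel IP.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $ListenIps[0]
foreach ($rec in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
    $a = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $ListenIps[0]
    foreach ($addr in ($a | Where-Object { $_.Type -eq 'A' }).IPAddress) {
        if ($addr -eq $TunnelIp) {
            Write-Warning "$($rec.NameTarget) still resolves to $TunnelIp"
        } else {
            Write-Host "$($rec.NameTarget) -> $addr"
        }
    }
}
```

Run ipconfig /flushdns on a test client afterwards so the verification is not satisfied by a cached answer.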