r/CloudFlare: Zero Trust- can it replace MS DirectAccess / always on VPN?

💡
This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/y24nh9/zero_trust_can_it_replace_ms_directaccess_always/

Question

We're currently using DirectAccess and I've been tasked with replacing it (initial thoughts were always on VPN) but thought i'd have a look around and stumbled upon this in my CloudFlare dashboard.

DirectAccess is great for clients getting group policy updates which i don't want to lose. There are a small number of staff who need access to RDS servers and then the admin team who need access to various devices.

I suppose the question(s) is(are) - can i use ZTNA so that clients 'check in' with domain controllers automatically (does the warp client need enabled manually?) and also restrict access for other users so they can only access what they really have to?

Answer

ZTNA can solve the second topic of restricting access for you. The first, the check-in with the domain controller, will be more tricky.

Strictly speaking, clients can reach their domain controllers through WARP, but not the other way round, DCs will not be able to initiate a connection to reach the client. And from my multi-year understanding of MS AD, this isn't feasible.

Generally, you have to understand that ZTNA is best paired with other modern technologies like AAD and Intune, so On-Prem independent device management. You will also see that when you look at the device attestation connectors within ZTNA.

Comment 1 on Answer

I agree. I'll also mention endpoint to endpoint connectivity is on the warp ZTNA roadmap which could possibly solve this issue but who knows as there's no info on it yet.

I would utilize always-on-VPN + warp ZTNA for OPs needs for now. My workplace utilizes ZTNA for all devices and it's perfect for our needs. AAD joined w/ intune/autopilot. Cloudflared tunnels for access to various azure/AWS infrastructure.

My response to comment 1

Yes, very good. The AA-VPN allowing only access to a cluster of RODCs to minimize the impact of an attack propagating through the VPN. And WARP ZTNA for everything else. Then later on, set up a hybrid cloud infrastructure to get the full benefit of device attestation capabilities.