r/CloudFlare: SMB to Synology over WARP

This article archives, in a Q&A format, a conversation that took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle).

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/y4eqvs/smb_to_synology_over_warp/

Question

Hi, hoping someone on this subreddit can help out with SMB over WARP.

Background:

  • I have successfully set up a cloudflared tunnel from Synology to Cloudflare Zero Trust
  • I have linked the web domain to my Synology - e.g. https:\\files,company,com
  • I have set up access for my company's Google Workspace domain and staff can successfully access https:\\files,company,com
  • I have also set up an SMB domain, e.g. smb:\\smb,company,com
  • I have successfully set up the WARP app on iPhone and installed the root certificate
  • Authentication via Google OAuth for Google Workspace is working
  • WARP can successfully connect to Cloudflare Zero Trust (CFZT)


WARP settings under CFZT --> settings --> WARP Client --> Device enrollment

  • 'Include' and 'Require' rules are set to Login Method -> Google Workspace OAuth
  • Re-authentication of WARP shows "successful"
  • 'Identity providers' only includes Google Workspace OAuth


What is not working:

  • I am unable to find the correct setting for WARP to allow access to https:\\files,company,com without being prompted for Google OAuth -> interpretation: CFZT is not accepting WARP as an alternative login to Google OAuth
  • I am unable to connect to smb:\\smb,company,com via Finder on Mac, with the probable cause that WARP is not accepted as a valid login to CFZT

So my question:

  1. How do I successfully set up WARP to authenticate to CFZT and get access to https:\\files,company,com and smb:\\smb,company,com?

Thank you for your help!

Answer

We have multiple problems.

  1. First up, the WARP client is not able to do the auth for you. If you want SSO, i.e. a transparent login without a prompt, that is Google's job. A few settings on CF's side make that easier, e.g. disabling the IdP prompt if only one is present, but the SSO has to come from Google itself.
  2. You set up files.company.com as a Public Hostname in the CF Tunnel and created an Access Application for it to require auth. This is correct if you want to let your users access it WITHOUT needing the WARP client, since that deployment method is used for clientless access. A note here: this only works for web-based traffic & applications. I would assume, since you want to use WARP, it is not relevant that users access it without a WARP client from everywhere, so delete it from the Access Applications and the Tunnel and jump to my next point.
  3. SMB over Access Applications only works if you have cloudflared on both the server and the client, as described here (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/use_cases/smb/#connect-to-smb-server-with-cloudflared-access). You essentially open a 1:1 tunnel between the server and the client via cloudflared, but your client needing to access the SMB share connects to a local port since, as said before, Access Apps only work for web-based traffic, and SMB isn't.
  4. Your best bet, if you want files.company.com and smb.company.com only accessible via WARP, is to configure the Private Network settings in the Tunnel and then go through the Network settings under https://dash.teams.cloudflare.com/settings/network to set up split tunnels correctly and also have Local Domain Fallback working, so your users are able to use DNS names to reach their destinations.
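As an added illustration of point 4 (and of how it differs from the cloudflared-on-both-ends approach in point 3), here is what a locally managed tunnel config with private network routing looks like on the NAS, with the matching dashboard steps in the comments. This is example material added to the archive, not something from the original thread or from Cloudflare's docs: the LAN range 192.168.1.0/24, the NAS address 192.168.1.10, the resolver 192.168.1.1 and the tunnel name "synology-tunnel" are constructed, and the tunnel UUID is a placeholder.

```yaml
# /etc/cloudflared/config.yml on the Synology (locally managed tunnel).
# Constructed example values: LAN 192.168.1.0/24, NAS 192.168.1.10,
# tunnel name "synology-tunnel"; replace <TUNNEL-UUID> with your own.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

# Route private-IP traffic arriving from WARP clients into this LAN.
warp-routing:
  enabled: true

# No Public Hostnames: nothing is reachable without the WARP client,
# so the Access Application for files/smb from point 2 is not needed.
ingress:
  - service: http_status:404

# Steps outside this file:
# 1. Advertise the LAN through the tunnel (run once on the NAS):
#      cloudflared tunnel route ip add 192.168.1.0/24 synology-tunnel
# 2. Split Tunnels (Settings -> WARP Client -> Device settings):
#      Exclude mode: remove the default 192.168.0.0/16 entry (it covers
#      the NAS and would keep its traffic off the tunnel), or
#      Include mode: add 192.168.1.0/24.
# 3. Local Domain Fallback (same Device settings page):
#      domain company.com -> DNS server 192.168.1.1 (your LAN resolver),
#      so smb.company.com resolves to 192.168.1.10 for WARP users only.
# 4. Leave SMB bound to the LAN; WARP clients reach 192.168.1.10:445
#      through the tunnel, and the Device enrollment rules (Login
#      Method -> Google Workspace) decide who may enroll a device, so the
#      Google login happens once at enrollment, not per file share.
# macOS Finder: Go -> Connect to Server -> smb://smb.company.com
```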