In a standard scenario for a Dial-up IPSEC/SSL VPN-RA we have:
A DHCP IP-Pool is set up on the VPN Gateway to assign IP addresses to clients. The DNS resolver is also configured, usually using the Active Directory (AD) DNS for these assignments. The internal/remote networks that will be advertised in the VPN clients' routing table for split-tunnel access are defined.
By default, a Windows interface has NetBIOS over TCP (ports 137/138) enabled.
So, when connecting to the VPN, a typical SMB access like \\AD-Domain\C$
(using ports 445 and 139) for file sharing works successfully. In other words, with the old VPN model, resources can be accessed without much firewall configuration or concerns about application ports or DNS resolution.
In a ZTNA/NPA environment, I’d like to better understand the precautions I should take in the same scenario. Here, we have a remote machine properly joined to the AD Domain. When it connects to the VPN, it receives its internal-use IP and internal DNS. With this setup, it can resolve internal DNS, translating the hostname AD-Domain to the local server IP and establishing an SMB connection to the server’s FileShare, which may or may not require application authentication.
I understand the architecture of Netskope ZTNA, but I don’t have a clear, fully mapped-out view of certain points. For example, as in the scenario above, where a DNS is provided for local domain resolution via a VPN tunnel (using AD DNS), how is this resolution handled in NPA? Is it necessary to map all FQDNs/IPs when creating a "Private App," or can the server's Hostname be used when creating the rule?