Skyhigh Security

Configure Private Access for Microsoft Active Directory Domain Services

This topic explains how to configure Private Access applications for Microsoft Active Directory Domain Services (AD DS), including DNS, Kerberos, GPUpdate, and file server access. Private Access enables administrators to extend the Domain Services experience to remote users in a secure and seamless manner.

Internal domain resources, such as domain controllers and file servers, require resolution through internal network paths. With the appropriate configuration in place, endpoints can resolve and access these resources without disruption, ensuring that domain-dependent operations function consistently across all networks.

Configuration

Configure Private Access (PA) application and Skyhigh Client Proxy (SCP) policies to enable seamless access to internal resources.

Secure App Connector Requirements

  1. Deploy both TCP and UDP connectors.
  2. Ensure that both connectors can reach the DNS server and domain controller (DC) directly, without going through a proxy.
  3. Ensure that the connectors can reach the DNS/DC ports used by the Private Access applications defined below (at a minimum 53, 88, 135–139, 389, and 445).

Private Access Configuration

To enable a Windows client running Skyhigh Client 5.x.x to join the <domain.internal> domain, configure the required Private Access (PA) applications for DNS and Active Directory traffic.

Perform the following steps in the Skyhigh console:

  1. Go to Settings > Infrastructure > Private Access Configuration.
  2. Click the Applications tab.
  3. From the Action menu, select Add Application.
  4. In the Add Application window, define the four applications described below.

    1. Configure On-Prem DNS Server (UDP 53)
       Define the on-prem DNS server IP address as a PA application. This private DNS application lets remote users resolve internal names, join Active Directory domains, and query Active Directory group policy.
       • Example: 10.213.139.69
       • Protocol: UDP
       • Port: 53

    2. Configure Domain Controller IP for AD Join Traffic
       Define the domain controller IP address (the same address as the DNS server in this example) as a PA application with the TCP and UDP ports required for Active Directory communication.
       • Example: 10.213.139.69
       • Protocol: TCP and UDP
       • Ports: 88, 123, 135, 136, 137, 138, 139, 389, 443, 445, 464, 636, 1512, 3268, 3269, 5357, 49152-65535

    3. Configure Domain Controller Access (FQDN)
       Define the domain controller hostname as a PA application so that clients can reach the domain controller by name.
       • Example: pa-dc.domain.internal
       • Protocol: TCP
       • Ports: 88, 123, 135, 136, 137, 138, 139, 389, 443, 445, 464, 636, 1512, 3268, 3269, 5357, 49152-65535

    4. Configure SmartMatch for Domain
       Define a SmartMatch rule for the domain so that other hosts in the domain are resolved dynamically.
       • Example: *domain.internal
       • Protocol: UDP
       • Ports: 88, 123, 135, 136, 137, 138, 139, 389, 443, 445, 464, 636, 1512, 3268, 3269, 5357, 49152-65535

    Note that, as defined above, the FQDN application covers TCP only for the domain controller and the SmartMatch rule is UDP only. If remote users must reach a file server that is a different host in the domain (SMB over TCP 445 by hostname), check that its traffic is also covered by a PA application before expecting file share access to work.

Active Directory Port Definitions

Port        | Protocol | Service                  | Description
53          | TCP/UDP  | DNS                      | Name resolution for AD resources (SRV records are used to locate domain controllers)
88          | TCP/UDP  | Kerberos                 | Authentication protocol used by AD
123         | UDP      | NTP / W32Time            | Time synchronization (Kerberos rejects tickets outside the allowed clock skew, 5 minutes by default)
135         | TCP      | RPC Endpoint Mapper      | Maps RPC services to dynamic ports
137–139     | TCP/UDP  | NetBIOS                  | Legacy name service (137/UDP), datagram (138/UDP) and session (139/TCP) services
389         | TCP/UDP  | LDAP / CLDAP             | Directory queries (TCP) and domain controller location pings (CLDAP over UDP)
443         | TCP      | HTTPS                    | Listed in the application port lists above
445         | TCP      | SMB / CIFS               | File sharing, Group Policy, SYSVOL and NETLOGON access
464         | TCP/UDP  | Kerberos Password Change | Password updates using Kerberos (kpasswd)
636         | TCP      | LDAPS                    | LDAP over SSL/TLS
1512        | TCP/UDP  | WINS                     | IANA-registered WINS port; listed in the application port lists above
3268        | TCP      | Global Catalog LDAP      | Forest-wide directory searches
3269        | TCP      | Global Catalog LDAPS     | Global Catalog over SSL/TLS
5357        | TCP      | WSDAPI                   | Web Services on Devices; listed in the application port lists above
9389        | TCP      | ADWS                     | Active Directory Web Services (used by the Active Directory PowerShell module and ADAC)
49152–65535 | TCP      | Dynamic RPC Ports        | Used by RPC services (for example Netlogon) after endpoint mapping

Port 9389 (ADWS) appears in this table but not in the application port lists above; add it to the domain controller applications if remote users run the Active Directory PowerShell module or ADAC.

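To confirm that the ports in this table are actually reachable from a remote endpoint, the following PowerShell script (an added example, not from the Skyhigh article and not part of the Skyhigh Client) probes the domain controller through the Private Access tunnel and reports which services answer. It assumes the article's example values 10.213.139.69, pa-dc.domain.internal and domain.internal; substitute your own.

```powershell
# Added example (not from the Skyhigh article or the Skyhigh Client): probe the
# Active Directory ports from a Windows endpoint running Skyhigh Client so you can
# see which ones actually reach the domain controller through Private Access.
# The values below are the article's example addresses and are assumptions.
param(
    [string]$DnsServer        = '10.213.139.69',          # PA application 1 (UDP 53)
    [string]$DomainController = 'pa-dc.domain.internal',   # PA application 3 (TCP)
    [string]$Domain           = 'domain.internal'
)

# TCP services from the port table. UDP-only services (123, 137, 138) cannot be
# probed with a TCP connect; UDP 53 is exercised by the SRV lookup below, and
# UDP 88/389 are only exercised by real Kerberos and DC-locator traffic.
# 9389 is in the table but not in the PA application port lists, so it is
# expected to fail until it is added there.
$TcpServices = @(
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC Endpoint Mapper' },
    @{ Port = 139;  Service = 'NetBIOS Session' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, NETLOGON, file shares)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog LDAP' },
    @{ Port = 3269; Service = 'Global Catalog LDAPS' },
    @{ Port = 9389; Service = 'ADWS (not in the PA port lists)' }
)

function Test-AdDnsViaPrivateAccess {
    # Query the DC-locator SRV record directly against the on-prem DNS server.
    # A response proves UDP 53 reaches that server through the tunnel,
    # independent of the client's resolver order.
    $name = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{ Port = 53; Service = 'DNS (UDP SRV lookup)'; Open = $true;  Detail = ($srv.NameTarget -join ', ') }
    } catch {
        [pscustomobject]@{ Port = 53; Service = 'DNS (UDP SRV lookup)'; Open = $false; Detail = $_.Exception.Message }
    }
}

function Test-AdTcpPorts {
    foreach ($svc in $TcpServices) {
        # Test-NetConnection does a TCP connect; a filtered port reports
        # TcpTestSucceeded = $false only after the connect timeout (about 20 s).
        $t = Test-NetConnection -ComputerName $DomainController -Port $svc.Port `
                                -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
        $detail = 'name resolution or connect error'
        if ($t) { $detail = "$($t.RemoteAddress)" }
        [pscustomobject]@{
            Port    = $svc.Port
            Service = $svc.Service
            Open    = [bool]($t -and $t.TcpTestSucceeded)
            Detail  = $detail
        }
    }
}

$results = @(Test-AdDnsViaPrivateAccess) + @(Test-AdTcpPorts)
$results | Format-Table -AutoSize

# Non-zero exit when anything is closed, so the script can gate a rollout check.
if ($results | Where-Object { -not $_.Open }) { exit 1 }
```

Run it from a machine that is off the corporate network with Skyhigh Client connected; a port that is open on the LAN but closed here points at a missing entry in the PA application port lists or at a connector that cannot reach the DC. The dynamic RPC range (49152–65535) is not probed port by port; it is exercised by Netlogon and Group Policy traffic once the endpoint mapper on 135 is reachable.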
Skyhigh Client Configuration

To control how internet-bound and local traffic is routed, configure the Network rules in the Skyhigh Client policy.

  1. Go to Policy > Skyhigh Client > Policy.
  2. Select the relevant policy.
  3. Go to the Network ruleset section.
  4. In the Preset Rules section, disable the Forward Internet Bound Web Traffic to Cloud Firewall checkbox (if enabled) so that DNS traffic is not sent to the Cloud Firewall. If internet-bound traffic must still go to the Cloud Firewall, keep the preset rule enabled and add a custom rule that bypasses DNS traffic instead.
  5. In the Preset Rules section, disable the Bypass All Local Traffic checkbox (if enabled) so that PA traffic is not bypassed. If specific local traffic must still be bypassed, define a narrower rule with the Add Custom Rule Via Rule Builder option.

NOTE:

  • Ensure local traffic is not bypassed.
  • Ensure local DNS traffic is not fully routed through the Cloud Firewall.

Result

Endpoints use their existing DNS configuration while securely resolving and accessing internal domain resources through Private Access. With the configured Private Access applications and Skyhigh Client policies, domain join, GPUpdate, and file server access function seamlessly across all networks without requiring manual DNS changes.
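The following PowerShell script (an added example, not from the Skyhigh article and not part of the Skyhigh Client) checks each of those workflows end to end from a domain-joined Windows endpoint connected through Private Access: DC location, a Kerberos ticket, the machine secure channel, GPUpdate, and SYSVOL access over SMB. It assumes the article's placeholders domain.internal and pa-dc.domain.internal and should be run in an elevated session off the corporate network.

```powershell
# Added example (not from the Skyhigh article or the Skyhigh Client): end-to-end
# checks for the domain workflows the article targets, run in an elevated
# PowerShell session on a domain-joined endpoint that reaches the domain only
# through Private Access. The names below are the article's placeholders and
# are assumptions; replace them with your own.
param(
    [string]$Domain           = 'domain.internal',
    [string]$DomainController = 'pa-dc.domain.internal'
)

function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-DcLocator {
    # DC locator: DNS SRV lookup (UDP 53) followed by a CLDAP ping (UDP 389)
    # to choose a live DC. /force bypasses the cached DC so the tunnel is used.
    $out = & nltest /dsgetdc:$Domain /force 2>&1
    New-CheckResult 'DC locator (DNS SRV + CLDAP 389/UDP)' ($LASTEXITCODE -eq 0) `
        (($out | Select-String '^\s*DC:').Line -join '')
}

function Test-Kerberos {
    # Request a service ticket for the DC's HOST SPN; needs the KDC on port 88.
    $out = & klist get "host/$DomainController" 2>&1
    New-CheckResult 'Kerberos ticket (88)' ([bool]($out -match 'retrieved successfully')) `
        (($out | Select-String 'Server:').Line -join '')
}

function Test-SecureChannel {
    # Machine-account secure channel to the DC: Netlogon RPC via 135 plus a
    # dynamic 49152-65535 port, so this fails if that range is not allowed.
    $ok = Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue
    New-CheckResult 'Secure channel (135 + dynamic RPC)' ([bool]$ok) $DomainController
}

function Test-GroupPolicy {
    # gpupdate reads policy objects over LDAP (389) and SYSVOL over SMB (445).
    $out = & gpupdate /target:computer /force 2>&1
    New-CheckResult 'GPUpdate (389 + 445)' ($LASTEXITCODE -eq 0) `
        (($out | Select-String 'completed').Line -join '')
}

function Test-SysvolAccess {
    # Direct SMB access to SYSVOL by DC name, authenticated with Kerberos.
    $path = "\\$DomainController\SYSVOL\$Domain\Policies"
    New-CheckResult 'SYSVOL over SMB (445)' (Test-Path -Path $path) $path
}

$results = @(Test-DcLocator; Test-Kerberos; Test-SecureChannel; Test-GroupPolicy; Test-SysvolAccess)
$results | Format-Table -AutoSize

# Non-zero exit if any workflow failed, for use in a scripted rollout check.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

The checks are ordered from the lowest layer upward: if the DC locator fails, look at the UDP 53 application and the client DNS rules first; if only the secure channel or GPUpdate fails, the dynamic RPC range or port 445 in the domain controller applications is the usual cause.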