Warp -> domain access issues

What is the name of the domain?

example.com

What is the issue you’re encountering

We are busy setting up WARP/ZT to replace our current Proxy + VPN, but we are encountering routing issues to our domain controllers. We can resolve routing on prem (in one of our offices) by breaking out our DCs, but this in turn breaks remote users (not on any SD-WAN), as they cannot reach the DCs at all.

What steps have you taken to resolve the issue?

Broken out traffic,
Local domain breakout,
Wireshark traces,
Firewall logs,
YouTube videos,
Vendor support (slow)

What are the steps to reproduce the issue?

WARP set up using 7x cloudflared machines across our DCs and Azure environments, with routing set up for the subnets via the daemons.

We’re currently migrating to Cloudflare Warp and encountering a few issues related to name resolution, domain authentication, and network connectivity. Any guidance would be appreciated.

1. Name Resolution Issue (Shortnames not working)

  • What works: We can access servers using their Fully Qualified Domain Name (FQDN), such as server1.ourdomain.local (e.g., 172.23.6.1).
  • What doesn’t work: Short names (e.g., server1) do not resolve.
  • Question: Is it possible for short names to work with Cloudflare Warp, or is this a limitation?

2. Domain Authentication and UAC Issues

  • Symptoms:
    • Domain authentication fails when connected via Cloudflare Warp.
    • User Account Control (UAC) is slow.
    • We notice a round-robin approach to Domain Controllers (DCs) during the auth process, but it fails to pass the authentication back correctly.
    • What works: File server access and RDP.
    • What doesn’t work: IIS authentication and domain authentication (e.g., \\our-dc-p01\netlogon).
  • Question: How can we resolve domain authentication and UAC slowness when using Warp? Does anyone have experience with this?

3. Excluding Domain Controller IPs (Policy Issues)

  • Symptoms:
    • Excluding the DC IPs from the policy causes remote clients to lose connection to the DC’s RFC1918 subnets, depending on the exclusion method used.
  • Question: Has anyone successfully excluded DC IPs from Warp without causing network issues? Any advice on the best way to configure this?

4. Connectivity Issues with External Resources (Ping and Traceroute)

  • Symptoms:
    • Unable to ping external resources or complete a traceroute when connected through the Warp client.
  • Question: Is there a way to resolve issues with external connectivity when using Warp? Can the client be configured to allow ping and traceroute to external destinations?

5. Considering Cloudflare Magic WAN

  • Question: We’re considering moving to Magic WAN (pending budget approval) to potentially resolve some of these issues. Does anyone know if Magic WAN would help with domain authentication, network routing, or other connectivity problems?
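One way to collect evidence for questions 1 to 4 from an affected Windows client, as an added diagnostic script that is not part of the original post and is not Cloudflare's own tooling. It only uses built-in Windows cmdlets and tools; the names it uses (ourdomain.local, server1, our-dc-p01, 172.23.6.1) are taken from the post and the external test host is an arbitrary choice. Run it once with WARP connected and once disconnected and compare the output.

```powershell
# Added diagnostic script (not from the original post or from Cloudflare).
# Assumed values, taken from the post; adjust to your environment.
$Domain    = 'ourdomain.local'
$ShortName = 'server1'
$Dc        = 'our-dc-p01'
$DcIp      = '172.23.6.1'     # example DC address from the post
$External  = '1.1.1.1'        # any external host you are allowed to probe

# 1. Short name vs FQDN. A short name can only resolve if the client resolver
#    appends a suffix from the global search list or a connection-specific suffix,
#    so record what the resolver is actually configured with while WARP is up.
Write-Host '--- DNS suffix configuration ---'
(Get-DnsClientGlobalSetting).SuffixSearchList
Get-DnsClient | Select-Object InterfaceAlias, ConnectionSpecificSuffix, UseSuffixWhenRegistering

foreach ($name in @($ShortName, "$ShortName.$Domain")) {
    try {
        $r = Resolve-DnsName -Name $name -ErrorAction Stop | Where-Object { $_.IPAddress }
        Write-Host ("{0} -> {1}" -f $name, ($r.IPAddress -join ', '))
    } catch {
        Write-Host ("{0} -> FAILED: {1}" -f $name, $_.Exception.Message)
    }
}

# 2. Which interface and next hop carry traffic to the DC. If a split-tunnel
#    exclusion of the DC prefix has removed the only path a remote client had,
#    the selected route will point at the physical adapter instead of the tunnel.
Write-Host '--- Route to DC ---'
Find-NetRoute -RemoteIPAddress $DcIp |
    Where-Object { $_.DestinationPrefix } |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop

# 3. DC locator plus the TCP ports domain authentication depends on
#    (Kerberos 88, LDAP 389, SMB 445 for netlogon/sysvol).
Write-Host '--- DC locator and ports ---'
nltest /dsgetdc:$Domain /force
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object Name, NameTarget, Port
foreach ($port in 88, 389, 445) {
    $t = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    Write-Host ("{0}:{1} TCP reachable = {2}" -f $Dc, $port, $t.TcpTestSucceeded)
}

# 4. Kerberos tickets held by the current logon session. No krbtgt ticket after
#    a fresh logon usually means the DC was unreachable at logon time.
Write-Host '--- Kerberos tickets ---'
klist

# 5. External connectivity: separate "ICMP is not passing" from "no route at all"
#    by testing ping and a TCP connect to the same host.
Write-Host '--- External reachability ---'
$icmp = Test-NetConnection -ComputerName $External -WarningAction SilentlyContinue
$tcp  = Test-NetConnection -ComputerName $External -Port 443 -WarningAction SilentlyContinue
Write-Host ("{0} ICMP = {1}, TCP/443 = {2}" -f $External, $icmp.PingSucceeded, $tcp.TcpTestSucceeded)
```

Reading the two runs side by side answers each question with evidence rather than guesswork: if the FQDN resolves but the short name does not and the suffix search list is empty while connected, the short-name failure is a suffix configuration gap; if the DC ports time out while the route points at the tunnel, the problem is on the tunnel or daemon side; if TCP/443 to the external host succeeds while ping fails, only ICMP is being dropped.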