I have a scenario where I have an App Segment created for RDP access for system admins. I am using a wildcard discovery for hostnames and a CIDR of 10.10.10.0/24 for IP access. This app segment is referenced by an access policy where I use user group for criteria to limit RDP access to system admins only.
A small subset of these servers are also SQL servers so I created an app segment to allow SQL access to these servers via an access policy restricted to a user group for SQL users. I used specific hostnames and IPs in this app segment.
Once I created the SQL app segment, I was unable to RDP to these servers. I discovered that for each server where I used a specific FQDN or IP, I then had to add that specific FQDN and IP to the RDP app segment because wildcards and CIDR blocks no longer work.
Anyone else running into this issue? I cannot imagine that this is a viable solution for an organization that has thousands of servers.
Support has initially told me that this is “just how it works.” But in an environment where we want to adopt a true ZTNA, this becomes exponentially unmanageable as the number of servers grows (with RDP being just ONE example).
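An added check, not from the original post or from Zscaler, that models the behaviour the post describes: the most specific domain or IP entry across all app segments decides which segment applies to a host, and only then are ports considered. It flags the host/port pairs the RDP admins lose once a specific entry exists in another segment, and reproduces the workaround of copying those specific entries into the RDP segment. Segment names, hosts, CIDRs and ports are constructed; the precedence model is an assumption drawn from the post, not documented product behaviour.

```python
import copy
import fnmatch
import ipaddress

# Constructed app segments modelled on the post (names, hosts and ports are
# hypothetical): a wildcard/CIDR RDP segment and a specific-host SQL segment.
SEGMENTS = {
    "RDP-Admins": {"domains": ["*.corp.example"], "cidrs": ["10.10.10.0/24"], "ports": [3389]},
    "SQL-Users": {"domains": ["db01.corp.example"], "cidrs": ["10.10.10.50/32"], "ports": [1433]},
}
# Host/port pairs the RDP admins need to keep working (constructed).
REQUIRED = [("web01.corp.example", 3389), ("db01.corp.example", 3389), ("10.10.10.50", 3389)]


def _specificity(entry, host):
    """Rank how specifically `entry` matches `host`; None if it does not match.
    Exact FQDN beats any wildcard; a longer CIDR prefix beats a shorter one."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
        return net.prefixlen if ipaddress.ip_address(host) in net else None
    except ValueError:
        pass  # entry or host is not in IP form; fall through to name matching
    entry, host = entry.lower(), host.lower()
    if entry == host:
        return 1000
    if entry.startswith("*") and fnmatch.fnmatch(host, entry):
        return len(entry)
    return None


def candidate_segments(segments, host):
    """Segments tied at the most specific domain/IP match for `host` (assumed model:
    specificity is decided across all segments before ports are checked)."""
    ranked = {}
    for name, seg in segments.items():
        ranks = [r for r in (_specificity(e, host) for e in seg["domains"] + seg["cidrs"]) if r is not None]
        if ranks:
            ranked[name] = max(ranks)
    top = max(ranked.values(), default=None)
    return {n for n, r in ranked.items() if r == top}


def shadowed(segments, required):
    """(host, port) pairs that no most-specific segment carries, i.e. access is lost."""
    return [(h, p) for h, p in required
            if not any(p in segments[n]["ports"] for n in candidate_segments(segments, h))]


def with_workaround(segments, rdp_segment="RDP-Admins"):
    """The poster's fix: copy every specific FQDN and host (/32) entry used elsewhere into the RDP segment."""
    fixed = copy.deepcopy(segments)
    for name, seg in segments.items():
        if name != rdp_segment:
            fixed[rdp_segment]["domains"] += [d for d in seg["domains"] if not d.startswith("*")]
            fixed[rdp_segment]["cidrs"] += [c for c in seg["cidrs"] if c.endswith("/32")]
    return fixed


if __name__ == "__main__":
    print("shadowed before:", shadowed(SEGMENTS, REQUIRED))
    print("shadowed after: ", shadowed(with_workaround(SEGMENTS), REQUIRED))
```

Run against a real export of your segments to list, before any change, which hosts a new specific-entry segment will pull out of the wildcard/CIDR ones.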