Group Policy: Mapped Drives failing to load, Windows Server 2012 Active Directory and Windows Pro 10

Since I have almost no rep, I can’t ask questions yet, so I’ll attempt to ask a question whilst posting an answer and hope I don’t get canned. 😉

I’m going to assume that you’ve ensured that the GPO portion of this case is a non-issue, by testing this GPO against a “traditional” UNC share on another Windows system. The important missing information though in my opinion is whether or not the Synology devices are joined to the domain. A lot of Linux-based NAS units like Synology, QNAP, et al, have software components embedded that allow them to participate in Active Directory domains. Whether or not this device is participating in the domain affects the solution.

That being said, I have remote facilities in my network interconnected with T1 circuits. We require the use of Acronis imaging backups on all systems due to system requirements. Thus, remotely backing up multi-GB images of Windows workstations over T1s is a non-starter. So we placed Drobo NAS units on each local segment to overcome this and give us a bit of fault tolerance. These particular Drobos do not have the ability to participate in the AD domain.

To enable the UNC shares as configured, we had to set up two main things. First, we created static DNS entries on the DNS servers to allow for proper name resolution. And second, we had to “loosen” two policies that DISA normally recommends for most domain members. We only loosened these policies on the backup server, and the workstations being backed up at “slow link” sites, as these were the only systems needing to access the respective shares:

  • Computer Config\Windows Settings\Security Settings\Security Options:
    • Microsoft Network Client: Digitally Sign Communications (Always) = Disabled
    • Microsoft Network Client: Send Unencrypted Password to Third Party SMB servers = Enabled
    • Microsoft Network Server: Digitally Sign Communications (Always) = Disabled

The GPOs to “Digitally Sign Communications if Negotiated” are still set to Enabled, mitigating a bit of the security risk involved. Once we enabled these changes, the shares could immediately be accessed via UNC path, whereas previously it was impossible.

This is why I said earlier that whether your NASes can participate in the domain or not determines the path of the solution. If they can participate, then DNS and the “SMB” group policies should be a non-issue for you, and thus the solution would lie elsewhere. If they CAN’T participate (like my NASes), then this may be your solution.
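An added audit script, not part of the answer above, for checking where the three loosened policies have actually taken effect and which live SMB connections they expose. It uses the built-in SmbShare cmdlets (Windows 8 / Server 2012 and later) plus the LanmanWorkstation registry value behind the “send unencrypted password” policy; the `Signed` and `Encrypted` columns of `Get-SmbConnection` are assumed to be present, which may not hold on older builds. Run it elevated on the backup server and on a “slow link” workstation to confirm the loosening is confined to those hosts.

```powershell
# Added audit script (not from the original answer). Assumes Windows 8 / Server 2012 or
# later with the SmbShare module; run in an elevated PowerShell session on the machine
# being checked. It reports the SMB signing / plaintext-password policies discussed above
# against the hardened (DISA-style) values and lists any live sessions that are unsigned.

$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration

# "Send unencrypted password to third-party SMB servers" has no SmbShare cmdlet;
# it is backed by this registry value (1 = Enabled, absent/0 = Disabled).
$wsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$plainText = (Get-ItemProperty -Path $wsParams -Name EnablePlainTextPassword `
              -ErrorAction SilentlyContinue).EnablePlainTextPassword
if ($null -eq $plainText) { $plainText = 0 }   # value absent means the default (Disabled)

$checks = @(
  [pscustomobject]@{ Policy = 'Client: Digitally sign communications (always)'
                     Current = $client.RequireSecuritySignature; Hardened = $true }
  [pscustomobject]@{ Policy = 'Client: Digitally sign communications (if server agrees)'
                     Current = $client.EnableSecuritySignature;  Hardened = $true }
  [pscustomobject]@{ Policy = 'Client: Send unencrypted password to third-party SMB servers'
                     Current = [bool]$plainText;                 Hardened = $false }
  [pscustomobject]@{ Policy = 'Server: Digitally sign communications (always)'
                     Current = $server.RequireSecuritySignature; Hardened = $true }
  [pscustomobject]@{ Policy = 'Server: Digitally sign communications (if client agrees)'
                     Current = $server.EnableSecuritySignature;  Hardened = $true }
)

# Anything marked LOOSENED is a deliberate deviation on the backup hosts only;
# seeing it on any other domain member means the GPO scope is wrong.
$checks |
  Select-Object Policy, Current, Hardened,
    @{ n = 'Status'; e = { if ($_.Current -eq $_.Hardened) { 'OK' } else { 'LOOSENED' } } } |
  Format-Table -AutoSize

# Live connections negotiated without signing are exactly what the loosened policy
# permits; the only expected entries are the non-domain NAS shares.
# (Signed/Encrypted properties assumed available on this OS build.)
Get-SmbConnection |
  Where-Object { -not $_.Signed } |
  Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
  Format-Table -AutoSize
```

The first table answers “did the loosened GPO land here at all?” (useful when the mapped drive still fails after the change), and the second shows the blast radius of the relaxation: if anything other than the non-domain NAS appears unsigned, the policy has been applied more widely than the answer above intends.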
