Tuesday, September 3, 2013

Port forward FQDN website requests on Active Directory domain controllers

I don't like to use made-up suffixes (.local etc.) for Active Directory domains. There are numerous problems with this and Microsoft stopped recommending it years ago. The problem for those of us who serve websites at the bare domain, without the old-school www hostname, is that AD requires the A records of the domain's FQDN to point to the domain controllers.

There are a number of ways to solve this IT headache, and they boil down to leveraging either the servers or the network.

Things like:
  • Install IIS on the DCs - a heavy-handed approach and not recommended.
  • Perform some network trickery to intercept and forward ports 80/443
  • Use multiple DNS servers (inside, outside, etc.)
The least complicated way I have found is to use the port forwarding capabilities of Windows 2008 R2.  This way you don't have to twist standard network services with an additional layer of complexity.

On Linux, I'd use iptables to redirect the HTTP and HTTPS ports like this:

# Replace <WEB_SERVER_IP> with the address of the real web server.
# The box must be allowed to forward packets for the FORWARD rules to matter.
sysctl -w net.ipv4.ip_forward=1
# Accept the forwarded HTTP/HTTPS traffic once it has been rewritten to the web server
iptables -I FORWARD -p tcp -d <WEB_SERVER_IP> --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -d <WEB_SERVER_IP> --dport 443 -j ACCEPT
# Rewrite the destination of incoming port 80/443 connections to the web server
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <WEB_SERVER_IP>
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <WEB_SERVER_IP>

From the command line on Windows 2008 R2, you can do the same using the netsh CLI (replace <DC_IP> with the domain controller's address and <WEB_SERVER_IP> with the web server's):

netsh interface portproxy add v4tov4 listenport=80 listenaddress=<DC_IP> connectport=80 connectaddress=<WEB_SERVER_IP>
netsh interface portproxy add v4tov4 listenport=443 listenaddress=<DC_IP> connectport=443 connectaddress=<WEB_SERVER_IP>

Now any browser request for the FQDN root is automatically forwarded through a domain controller to the web server. No extra software needs to be installed.
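As an added example of the Windows procedure above (written for this page, not code from the original post or from Rick Wargo), here is a PowerShell script that applies both netsh rules on a domain controller and checks that they took effect. $DcIp and $WebIp are assumed placeholder parameters for the domain controller and web server addresses; run it elevated on the DC.

```powershell
# Added example, not from the original post: apply the two portproxy rules on a
# 2008 R2 domain controller and confirm they took effect. Run elevated on the DC.
# $DcIp and $WebIp are placeholders for your own domain controller and web server.
param(
    [Parameter(Mandatory = $true)][ipaddress]$DcIp,   # address the DC will listen on
    [Parameter(Mandatory = $true)][ipaddress]$WebIp   # real web server the traffic goes to
)

# portproxy listeners are serviced by the IP Helper service (iphlpsvc); make sure
# it starts with the box and is running now, or the rules exist but nothing listens.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

foreach ($port in 80, 443) {
    # Delete any stale entry for this listener first so the script can be re-run safely.
    netsh interface portproxy delete v4tov4 "listenport=$port" "listenaddress=$DcIp" | Out-Null

    netsh interface portproxy add v4tov4 "listenport=$port" "listenaddress=$DcIp" `
        "connectport=$port" "connectaddress=$WebIp"
    if ($LASTEXITCODE -ne 0) { throw "portproxy add failed for TCP port $port" }

    # The DC's host firewall must also allow the inbound connection; scope the rule
    # to this one listener address and port rather than opening the port broadly.
    netsh advfirewall firewall add rule "name=WebForward$port" dir=in action=allow `
        protocol=TCP "localip=$DcIp" "localport=$port" | Out-Null
}

# Check 1: the rules are recorded. This is also the table to review periodically on
# DCs, since portproxy entries are easy to forget about.
netsh interface portproxy show v4tov4

# Check 2: the listener actually accepts a TCP connection on 443.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DcIp, 443)
    Write-Output "OK: $DcIp accepts TCP 443 and will forward it to $WebIp"
}
catch {
    Write-Output "FAIL: $DcIp did not accept TCP 443: $($_.Exception.Message)"
}
finally {
    $client.Close()
}
```

Remove a forward later with netsh interface portproxy delete v4tov4 listenport=<port> listenaddress=<DC_IP>, and delete the matching WebForward firewall rule.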

My thanks to Rick Wargo for sharing his example of port forwarding on Windows 2008 R2.

1 comment:

  1. Wow! I can't believe I found this post, but I hope this is exactly what I'm looking for (somewhat), but I have a question that I hope you have the answer to. Your port forwarding example hopefully will help me get rid of a software that I'm using called PassPort, which works OK, but I would rather have Windows deal with it completely. Now to my question: I have a DNS server on my network which forwards www.mike.com to an IP (for example) but would like to be able to forward certain requests to If I type this into my explorer it works GREAT but cannot configure this on my Windows server, how could this be possible? Now just to clarify, my DNS CAN redirect to subdomains like son.mike.com but cannot redirect to anything AFTER the .com, for example www.mike.com/something. Windows won't let me. :( I would really appreciate the help; I have been stuck for a month now...