Tuesday, September 3, 2013

Port forward FQDN website requests on Active Directory domain controllers

I don't like to use (.local etc) for Active Directory domains. There are numerous problems with this and Microsoft stopped recommending it years ago. The problem for those of us who have moved to using sites without the oldschool www hostname is that AD requires the A records of the FQDN domain point to the domain controllers.

There are a number of ways to solve this IT headache that boil down to leveraging the servers or the network.

Thanks like:
  • Install IIS on the DCs - A heavy handed approach and not recommended.
  • Perform some network trickery to intercept and forward port 80/443 
  • Use multiple DNS servers (inside, outside, etc)
The least complicated way I have found is to use the port forwarding capabilities of Windows 2008 R2.  This way you don't have to twist standard network services with an additional layer of complexity.

On Linux, I'd use iptables to redirect the HTTP and HTTPS ports like this:

iptables -I FORWARD -p tcp -d 192.168.1.31 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.1.31 --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.31:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.31:443 

From the command line on Windows 2008 R2, you can do the same using the netsh cli.

netsh interface portproxy add v4tov4 listenport=80 listenaddress=192.168.1.11 connectport=80 connectaddress=192.168.1.31
netsh interface portproxy add v4tov4 listenport=443 listenaddress=192.168.1.11 connectport=443 connectaddress=192.168.1.31

Now any browser requests using the FQDN root will be automatically forwarded through an AD controller. No extra software need be installed.


My thanks to Rick Wargo for sharing his example of port forwarding on Windows 2008 R2.