Mark Minasi's Tech Forum
#1 Protech
New Friend (or an Old Friend who Built a New Account)
Posts: 51

Hi guys,

Wondering how you address this issue, which is a variant of the "can't access external website from local domain" issue.

Our internal AD domain is called company.com
Our external website is called company.com
We are not going to rename our internal domain name to company.com.local etc
Internal users can't access the external company.com website (as it resolves in DNS to the local Domain name/AD etc)
For various reasons, we can't setup http://www.company.com and add an A record to the internal DNS that points to the external website in the normal way
We could add an entry to the local hosts file to override where company.com points to, but this is a messy solution

Is there any solution to this issue or is there no way around it?

Cheers

PT

#2 cj_berlin
Senior Member
Posts: 337
Hi,

The hosts solution wouldn’t work either because this would disrupt AD communication.

The only way around it that I am aware of is implementing a web proxy that doesn’t use AD DNS for name resolution. This way, browsers will go out to the external website and the rest of the comms to company.com stays on the LAN.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
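As an added illustration of the proxy-only split cj_berlin describes (this is not code from the thread or from any product), a proxy auto-config (PAC) file can send just the two colliding public names to a proxy that does its own name resolution against external resolvers, while every other host under company.com keeps going DIRECT so AD traffic is untouched. The proxy name proxy.internal.example:3128 and the DIRECT default for general internet traffic are assumptions.

```javascript
// Constructed PAC file: browsers hand the hostname to the proxy (CONNECT for
// HTTPS), so the client never resolves company.com through AD DNS itself.
// Assumed: proxy.internal.example:3128 is a proxy that does NOT use AD DNS.
var EXTERNAL_PROXY = "PROXY proxy.internal.example:3128";

// Public web names that the internal AD zone cannot answer correctly.
var COLLIDING_HOSTS = ["company.com", "www.company.com"];

// Written with plain ES3-era string operations so older PAC engines
// (e.g. WinHTTP) can evaluate it; no String.prototype.endsWith needed.
function endsWithSuffix(host, suffix) {
  return host.length >= suffix.length &&
    host.indexOf(suffix, host.length - suffix.length) !== -1;
}

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.indexOf(":") !== -1;
}

function FindProxyForURL(url, host) {
  // Normalise case and strip a trailing dot (company.com. is the same name).
  host = host.toLowerCase().replace(/\.$/, "");

  // Single-label names (http://intranet/) are always LAN resources.
  if (host.indexOf(".") === -1) {
    return "DIRECT";
  }

  // Only the apex and www leave via the proxy, which returns the public site.
  for (var i = 0; i < COLLIDING_HOSTS.length; i++) {
    if (host === COLLIDING_HOSTS[i]) {
      return EXTERNAL_PROXY;
    }
  }

  // Every other host in the AD domain (dc01.company.com, fs.company.com)
  // and raw IP literals stay on the LAN and use AD DNS as usual.
  if (endsWithSuffix(host, ".company.com") || isIpLiteral(host)) {
    return "DIRECT";
  }

  // Generic internet traffic: assumed DIRECT here; adjust to local policy.
  return "DIRECT";
}
```

Because the proxy carries the original hostname, the public site's certificate for company.com still validates; the PAC only decides who resolves the name.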
#3 Protech
New Friend (or an Old Friend who Built a New Account)
Posts: 51
Hi,

Yes, I am not a fan of the hosts option.

If I understand you correctly, by using a web proxy you mean using a proxy for web browsers to bypass the local AD/DNS?

Thanks
#4 Pieter
Senior Member
Posts: 269
Hi Dave,

My two cents:
- If you can't use www.company.com, maybe external.company.com is an option?
- install IIS (or other?) on the DCs and set up a redirect for company.com (on port 80) to the external IP address.


__________________
Pieter Demeulemeester
#5 cj_berlin
Senior Member
Posts: 337
Quote:
Originally Posted by Protech

If I understand you correctly, by using a web proxy you mean using a proxy for web browsers to bypass the local AD/DNS?


Yes, that's what I mean

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#6 Howard2nd
New Friend (or an Old Friend who Built a New Account)
Posts: 11
I am an old computer tech. I still believe that simple solutions are best.

Hosts and lmhosts exist for a reason: you don’t control your DNS.

1st is there a firewall between you and the internet? (There damn well should be!)

Yes means you need a clear path for ports 80 AND 443 on the specific IP address.

Can you connect when you use the numerical address?

If yes, then DNS is the problem; no means there is a block. Remove it!

If not blocked, and the DNS operator doesn’t return your call, then

Write a batch file or PowerShell script, or edit Active Directory.

Stop looking for lazy solutions.
__________________
If I buy it, I own it! Right?
#7 cj_berlin
Senior Member
Posts: 337
Quote:
Originally Posted by Pieter

- install IIS (or other?) on the DCs and set up a redirect for company.com (on port 80) to the external IP address.

Ah well...

First, in a larger infrastructure you would end up installing a web service on *all* DCs in the domain. If I were in charge of security there, you would have quite some explaining to do ;-)

Second, depending on how well the website can handle multiple addresses, a redirect from company.com to http://www.company.com may or may not work correctly. There could be hard coded absolute paths to resources like scripts which do not play well with redirection.

Third, depending on what SSL cert is being used, this approach may not work with HTTPS.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#8 wkasdo
Administrator
Posts: 241
> For various reasons, we can't setup http://www.company.com and add an A record to the internal DNS that points to the external website in the normal way

"various reasons"... care to elaborate? This is definitely unusual. You should be able to control your AD zones.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
#9 Michael Pietrzak
New Friend (or an Old Friend who Built a New Account)
Posts: 71
I remember years ago I used to block internet access on secured workstations by using IPSec IP filter rules and group policy.

I wonder if the same technique (albeit with some massaging) could be used for this situation?

https://www.petri.com/block_internet_but_allow_intranet_with_ipsec