
I (our tiny group) have been using the naked domain for Active Directory for quite a while now; at the beginning we knew it wouldn't be available for other uses without heavy setup. At the time it seemed like no big deal, as you can use the www. subdomain anyway, but now, seeing it in the browsers and on the sketching, it doesn't look so hot.

From the outside it's no problem getting to it (web content on the naked domain); the proxy handles it. But from the inside, requests naturally go to the domain controllers. The network is subnetted, so again the proxy solves half of the problem by redirecting ports, but there's still the group of clients on the domain controllers' subnet that can't reach the web servers.

IIS has this ARR thingy that forward-proxies traffic, but it doesn't work with secure traffic. Can you think of another way we could proxy or reroute web traffic (and keep using standard ports) to the web servers?

The only thing I can come up with is isolating the DCs completely, but that means changing IP addresses on tons of devices, a lot of which we don't even remember are in the network; then it's haunting for them, because if they aren't bugging the DHCP servers they basically go into stealth mode. It'll take forever.

I do have one other idea, but I don't know how damaging it could be. The server net goes from, let's say, 10.0.0.1 to 10.0.3.254, a /22 network, but devices are only allocated in the first /24 segment of it, and the DCs are actually at the beginning of the second /24, at 10.0.1.1, 10.0.1.2, and so on.

So I thought, maybe if I reduce the subnet mask from /22 to /24 then communication isn't lost as I create VLANs and move stuff around, even if I have to go IP address after IP address from 0.1 all the way up to 3.254 all the time. DHCP for that subnet is allocated in the third /24 segment, in the 10.0.2.0 block. I don't know if there's potential for storms or what kind of mess I'll get into. I thought of going to Quora, but just as I was about to post I remembered this place that has gotten me out of trouble countless times.

Million thanks!

Vita
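The mask-shrink idea in the question can be checked before touching a single host. The following is an added example (not code from the poster or from the thread); the host names and addresses are constructed to match the layout described (servers in the first /24, DCs at the start of the second, DHCP pool in the third) and are assumptions. It lists the /24s the router must carry as VLAN interfaces, every host pair that stops being directly reachable once the mask is narrowed, and the pairs that end up with asymmetric paths while only some hosts have been renumbered.

```python
import ipaddress
from itertools import combinations

# Constructed inventory modelled on the question: a 10.0.0.0/22 server net
# with general servers in the first /24, the DCs at the start of the second
# and the DHCP pool in the third. Host names and addresses are assumptions.
OLD_MASK = 22
NEW_MASK = 24
HOSTS = {
    "web1": "10.0.0.10",
    "proxy": "10.0.0.20",
    "dc1": "10.0.1.1",
    "dc2": "10.0.1.2",
    "dhcp-client": "10.0.2.50",
}


def on_link(src: str, dst: str, mask: int) -> bool:
    """True if a host at `src`, configured with prefix length `mask`, treats
    `dst` as a directly connected neighbour (it will ARP for dst rather than
    hand the packet to its default gateway)."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(f"{src}/{mask}").network


def new_subnets(hosts: dict, new_mask: int = NEW_MASK) -> dict:
    """Group hosts by the subnet they land in under the narrower mask. Every
    key is a VLAN / router interface that must exist before those hosts move."""
    grouped: dict = {}
    for name, ip in sorted(hosts.items()):
        net = str(ipaddress.ip_interface(f"{ip}/{new_mask}").network)
        grouped.setdefault(net, []).append(name)
    return grouped


def pairs_going_off_link(hosts: dict, old_mask: int = OLD_MASK, new_mask: int = NEW_MASK) -> list:
    """Pairs that exchange frames directly today but will depend on a router
    hop once everything is renumbered to the narrower mask."""
    out = []
    for a, b in combinations(sorted(hosts), 2):
        if on_link(hosts[a], hosts[b], old_mask) and not on_link(hosts[a], hosts[b], new_mask):
            out.append((a, b))
    return out


def asymmetric_pairs(hosts: dict, migrated: set, old_mask: int = OLD_MASK, new_mask: int = NEW_MASK) -> list:
    """Mid-migration state: `migrated` hosts already carry the /24, the rest
    still the /22. A /22 host ARPs straight for a /24 host in another /24,
    while that host answers via its gateway, so the two directions take
    different paths. The pair keeps working only while the gateway still has
    a route (its own /22 interface) back to the unmigrated host."""
    mask = {h: (new_mask if h in migrated else old_mask) for h in hosts}
    out = []
    for a, b in combinations(sorted(hosts), 2):
        if on_link(hosts[a], hosts[b], mask[a]) != on_link(hosts[b], hosts[a], mask[b]):
            out.append((a, b))
    return out


if __name__ == "__main__":
    print("subnets under /24:", new_subnets(HOSTS))
    print("off-link after full migration:", pairs_going_off_link(HOSTS))
    print("asymmetric with only the DCs moved:", asymmetric_pairs(HOSTS, {"dc1", "dc2"}))
```

With this inventory every client-to-DC pair shows up in the off-link list, so "communication isn't lost" holds only if the layer-3 device already has an interface in each new /24 and routes between them, and the DHCP scope's router option is changed to match. The asymmetric list is the thing to watch during the hours when the mask differs between hosts; it is not a broadcast-storm risk, but it is where authentication to the DCs quietly breaks if the gateway's /22 interface is renumbered first.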
  • Maybe, instead of trying to implement some janky solution, you could just tell your users to always use "www" when on the corporate network. The domain-joined clients need to be able to communicate with the Domain Controllers. If you're trying to prevent that with your VLAN/subnet idea then you're just going to make AD unusable. – joeqwerty Mar 27 '18 at 21:00
  • Oh no, nothing like that; I wasn't clear enough, sorry. Yes, they're different subnets, but for organizational purposes, not security. They still pass traffic freely, except for two or three that are used for guests and for malware testing. My AP system has this thing that can show you a passwordless splash screen (captive portal), and maybe that could accomplish what you say, but only for wireless clients, and I don't know if devices without a browser to show the splash would be compatible. Thanks for the idea, I'll keep it as a backup. :) – Vita Mar 27 '18 at 22:26
  • IIS can certainly serve a 301 redirect on https, just like on http, at least with the URL Rewrite module. – Michael Hampton Mar 27 '18 at 23:09
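The redirect mentioned in the last comment, written out as an added example (it is not from the question or the comments) as an IIS URL Rewrite rule in the site's web.config; the names example.com and www.example.com are assumptions standing in for the naked AD domain and the public host:

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Any request whose Host header is the naked domain gets a 301
             to the same path on www, over HTTPS. {R:0} is the full
             matched path from <match url=".*" />. -->
        <rule name="Redirect naked domain to www" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^example\.com$" />
          </conditions>
          <action type="Redirect" url="https://www.example.com/{R:0}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

This needs the URL Rewrite module installed and, for the HTTPS case, a binding on 443 with a certificate that is valid for the naked name, on whichever machine internal DNS resolves that name to. Inside the forest that is a domain controller, so the rule only helps if IIS runs on the DCs; that widens their attack surface, so if you go that way keep the site to this single rule, serve no content from it, and scope the 443 binding to the naked host name only.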
