How to setup external & internal dns that have an external & internal destination using IIS / Windows Server / Application Proxy

Question

Short question:

How to setup a local and external dns that have an external destination and a internal destination.

Technologie used:

• Websites are hosted in IIS
• Local DNS is in Windows server
• External DNS via CPanel
• using Azure Application proxy for the bridge external to internal

Explanation:

I've made a schema, see image.

1. entrepriseName.com: website hosted externally somewhere by somebody.
2. site1.entrepriseName.com : Contains some basic webpages. Which are referenced by https://entrepriseName.com. With html . url site1.entrepriseName.com is not existing yet, and its hosted under https://site1-entrepriseName.msappproxy.net
3. site2.entrepriseName.com : Availaible ONLY locally / vpn. With https. url site2.entrepriseName.com is not existing yet. currently hosted on https://site2.entrepriseName.local, but https is complaining. And its not clean, should be under site2.entrepriseName.com

https://site1-entrepriseName.msappproxy.net should in reality be https://site1.entrepriseName.com. Assuming I added a custom domain name in azure and configure the app proxy correctly. The next step would be to add some sort of dns... When I tried to add a foward lookup zone "entrepriseName.com" in the LOCAL dns. Our external website "entrepriseName.com" didn't work locally, as everything with entrepriseName.com (which is normal, after tought haha...)

Actual Question

So how respect make sure that these 3 conditons are met:

1. Internal request route to site1.entrepriseName.com but is also accesible externally (with AAD app proxy connector)

2. Internal request an also route to site2.entrepriseName.com (only avalaible locally).

3. Lets say that site1 load a script like <script src="js/potato.js"></script>

   Since https://entrepriseName.com have reference to site1 with iframe. Will entrepriseName.com attempt to load the realtive script js/potato.js? Obviously we want to prevent this from happening.

Answer 1

Internal request route to site1.entrepriseName.com but is also accesible externally (with AAD app proxy connector)

• Since, the domain ‘enterprise.com’ is owned by your organization and thus has an internal AD DNS server setup for it, for the ‘site1.enterprisename.com’, you will have to create an ‘A’ host record in the internal DNS server for the requests to the application ‘site1.enterprisename.com’ to be redirected to internally as well as similarly, ‘A’ DNS host record also need to be created in the public DNS server where ‘enterprisename.com’ domain is registered so that any external (over the internet) requests are routed correctly to the externally facing application homepage. Also, you need to configure conditional forwarding to the public IP address of the domain hosted on the public DNS server in the internal DNS server of your domain environment for any internal requests to redirect to the publicly hosted DNS records and through it, to the application.

• Also, since the AAD application proxy connector is a syncing and request forwarding software to be installed on the member server that syncs the database of the application in Azure as well as that running on-premises and forwards the requests directed to Azure through it, a wildcard certificate with the CN ‘.enterprisename.com’ or a SSL HTTPS certificate with the CN ‘site1.enterprisename.com’ where ‘site1’ is the name of the application hosted with this subdomain should be installed on the server* running the application in on-premises environment and on the member server where the app proxy connector is installed in the personal certificate store of the server. In this way, you can configure the application ‘site1.enterprisename.com’ to be accessed internally as well as externally.

Note: - The member server where the app proxy connector is installed should be dedicatedly a part of the application farm itself so that the certificate installed on it authorizes and identifies the application server as valid.

Internal request an also route to site2.entrepriseName.com (only avalaible locally).

• To configure the internal request route to ‘site2.enterprisename.com’ available only locally, you will need to create an ‘A’ host DNS record in the internal DNS server for it and remove the conditional forwarding configured in the internal DNS server for the externally (over the internet) available website of the application. Also, remove the ‘A’ host record for the ‘site2.enterprisename.com’ if created in the public DNS server for the ‘over the internet’ routing and redirection to disable completely. This will ensure that the application ‘site2’ is available only in the intranet locally. Also, note that, if you want to manage multiple types of DNS records for a subdomain in the internal server, then you can create a DNS zone with the FQDN of the subdomain (application) in the internal DNS server.

Note: - You may want to edit and configure the ‘hosts’ file on the server hosting the ‘site2’ application as well as the ‘site1’ application to include the application (subdomain) FQDN so that the server responds to network requests for the application hosted on it along with individual hostname records.

Will entrepriseName.com attempt to load the realtive script js/potato.js? Obviously we want to prevent this from happening.

• If the ‘potato.js’ script is configured to load when the ‘https://enterprisename.com’ website is requested, then that script will surely load up but if the reference ‘site1’ is with ‘iFrame’, when referencing to the site address, then the ‘site1’ referencing to the FQDN of the ‘site1’ have to be removed from the website code during initializing and startup and replaced with that of the website itself, i.e., ‘https://enterprisename.com’.