I'm in the process of transitioning away from using a WSUS server, which currently has IIS running for redirects on our domain. We've moved our ClickOnce apps to MSI installations, and we'll be replacing WSUS with InTune for clients and Azure Update Manager for servers soon. Now, I'm left with configuring the redirect for our website.
Right now, our www A record points directly to the 3rd party web host, while the root domain goes to our HQ's external IP. The firewall takes any HTTP or HTTPS requests and redirects them to the IIS server, which in turn sends users to www.domain.com. However, with the upcoming changes, that server's only role will be to handle this redirect, making it seem like a waste of resources.
I've looked into having the firewall handle the redirect directly, but it's not a currently enabled feature, although it's on their roadmap. I don't believe we have services requiring direct access to the hostname anymore since our VPN and RDP sessions use specific subdomains.
I want to know if it's standard practice to point the root domain at a 3rd party host for handling, or if it's better to keep it redirected like I'm doing now. Originally, I was advised to point it to the 3rd party, but since we've eliminated the services relying on the root domain, I wonder if I'm better off simplifying things.
5 Answers
We manage our domain names both externally and internally. Internal DNS takes care of app accessibility, while the external DNS serves the public website. It keeps everything well-organized.
I've set up forwarding rules in the past where the www subdomain would point to a different DNS server for lookups, while also having a redirect from domain.com to www. This allows you to change web host IPs without needing to update everything at once. Sounds like a feature your firewall could use!
It's generally safer to avoid pointing the domain at your own infrastructure if you don't need to. If there's no strong business case for handling that traffic internally, keep it pointed elsewhere. Just be sure your 3rd party host is secure.
Totally agree! Just make sure your RDP access is locked down to specific IPs and not open to the public.
If you're using AWS, you might want to look into pointing your Apex record at a CNAME, and handling redirections with a load balancer. It's quite efficient for those types of setups.
I prefer to keep web traffic separate from internal services. It minimizes the risk of failures affecting internal tools. If your organization has many subdomains, consider using something like Plesk or IIS to manage it all in-house. At my last job, we had a dedicated server for managing hundreds of domains—it made things a lot easier!
That makes sense! We have a smaller setup, so we've been managing most redirects through our registrar, just to keep it simple.
I wish my firewall had that feature too! Having a direct redirect would simplify things. Maybe you should consider just pointing the root domain to the web host to streamline your setup.