Saturday, March 23, 2013

How to set up public DNS record overrides on an Astaro/Sophos firewall.

There has been some debate, both inside and outside of Microsoft, over whether it is better for your internal Active Directory domain to match, or at least be valid as, your external (public) domain (e.g. microsoft.com serving as the AD domain as well as the public presence).

Now, I have customers that are set up both ways, for different reasons. In many ways I prefer a ".local" domain internally, because then public websites, etc. are managed in public DNS only. This is especially true if you host your own public DNS (which I strongly suggest companies not do), but even then it can be managed. Overall, my point is that it is cleaner and simpler to keep private.local and public.com separate.

Unfortunately, with a disjoint namespace you will sometimes want clients to be redirected back internally when they use an external URL, most commonly for Exchange services (Outlook Anywhere, OWA, ActiveSync), though there are other cases, such as using SSO on your firewall.

Now, there are many ways to accomplish this re-routing: NAT rules on a router/firewall, hosting a stub zone on private DNS, etc. The simplest way I've devised is to use the firewall as my DNS forwarder and set up the static entries there.

Here's how it works (we'll use Exchange as an example):
  1. Clients need to resolve email.publicdomain.com which is hosted internally.
  2. Clients obviously point to internal DNS servers (usually AD servers, but not necessarily) looking for email.publicdomain.com, but they don't host that domain; only email.private.local.
  3. Those private DNS servers use the Sophtaro firewall as their "forwarder" (could also read as: next DNS hop) and pass the request on to the firewall.
  4. The Sophtaro has static entries set up for email.publicdomain.com that point to the internal IP address of the Exchange server (or whatever application is needed), and it passes that back to the AD server, which passes it back to the client (that's not EXACTLY how it works, but close enough).
  5. The client can now use the public URL of https://email.publicdomain.com in their Outlook and iPhones to access the Exchange server whether they're at home or on wireless in or outside of the office (i.e. everywhere) and the URL will always work.
These static entries are created on the Astaro firewall under Network Services -> DNS -> Static Entries. Most people might not think to use the function this way, as usually you have to manage a full domain in DNS. Fortunately, the Astaro allows you to treat it almost like a local hosts file for the network.
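To make the lookup order in steps 1-5 concrete, here is an added example that models the chain (client -> internal AD DNS -> firewall forwarder with static entries -> public DNS) and includes a small audit of the override table. This is not the author's code and not anything shipped by Astaro/Sophos; the zone contents, hostnames and addresses are constructed (203.0.113.0/24 is a documentation range), nothing talks to a real resolver, and the private-zone suffix `.private.local.` is assumed from the post's own example names.

```python
"""Model of the split-DNS resolution chain described in the post.

Added example, not the author's or Sophos's code. Names, addresses and zone
contents are constructed; nothing here queries a real resolver or the
firewall. It models lookup order only:
    client -> internal (AD) DNS -> firewall forwarder (static entries) -> public DNS
"""
import ipaddress

# Constructed sample zones (203.0.113.0/24 is a documentation range).
PUBLIC_ZONE = {                                  # what public DNS answers
    "email.publicdomain.com.": "203.0.113.10",   # public/NAT address of Exchange
    "www.publicdomain.com.": "203.0.113.20",
}
PRIVATE_ZONE = {                                 # AD DNS is authoritative here
    "email.private.local.": "10.0.0.25",
    "dc1.private.local.": "10.0.0.2",
}
PRIVATE_SUFFIX = ".private.local."               # assumed internal zone suffix
# Static entries configured on the firewall (Network Services -> DNS -> Static Entries).
FIREWALL_STATIC = {
    "email.publicdomain.com.": "10.0.0.25",      # public name -> internal Exchange IP
}
# RFC 1918 ranges; an override that does not land in one of these is not steering
# clients to an internal host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _fqdn(name):
    """Normalise to a lower-case, dot-terminated name so lookups are exact."""
    return name.lower().rstrip(".") + "."


def public_dns(name):
    """Resolution as seen from outside the office (step 5, 'at home')."""
    return PUBLIC_ZONE.get(_fqdn(name))


def firewall_forwarder(name):
    """The Sophtaro (step 4): a static entry wins; anything else is forwarded on."""
    n = _fqdn(name)
    if n in FIREWALL_STATIC:
        return FIREWALL_STATIC[n]
    return public_dns(n)


def internal_dns(name):
    """AD DNS (steps 2-3): authoritative for private.local, forwards the rest."""
    n = _fqdn(name)
    if n.endswith(PRIVATE_SUFFIX):
        return PRIVATE_ZONE.get(n)   # authoritative zone: answer or NXDOMAIN, never forwarded
    return firewall_forwarder(n)


def resolve(name, inside):
    """What a client gets for `name` from inside (internal DNS) or outside (public DNS)."""
    return internal_dns(name) if inside else public_dns(name)


def audit_static_entries(static, private_suffix=PRIVATE_SUFFIX):
    """Defender check on the override table: flag entries that cannot be doing
    what the post intends (steering a public name to an internal host)."""
    findings = []
    for n, ip in static.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in RFC1918):
            findings.append(f"{n}: target {ip} is not an RFC 1918 address; "
                            "the override would not redirect clients internally")
        if n.endswith(private_suffix):
            findings.append(f"{n}: is in the private zone, which internal DNS "
                            "answers authoritatively; this entry is never consulted")
    return findings


if __name__ == "__main__":
    for host in ("email.publicdomain.com", "www.publicdomain.com", "dc1.private.local"):
        print(f"{host:26} inside={resolve(host, True)!s:14} outside={resolve(host, False)}")
    print("audit:", audit_static_entries(FIREWALL_STATIC) or "no findings")
```

Running it shows the behaviour the post relies on: `email.publicdomain.com` resolves to 10.0.0.25 from inside and to the public address from outside, `www.publicdomain.com` is untouched because it has no static entry, and a private.local name is answered by AD DNS without ever reaching the firewall. The audit is the check worth running after editing the table: an override that points outside RFC 1918 space, or that names a host in the zone AD DNS already owns, does nothing useful and is usually a typo.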

Good Luck.
