hun
New Member
September 30, 2024
Question

NAT/Proxy 443 on domain controllers to outside web server

How can I redirect Port 443 only to a different IP with the FortiGate?

Domain Controllers are in separate subnet, and all requests except port 443 should go to the real IP.

Port 443 should be redirected to an external webserver.

(For context: AD is set up with split DNS, domain.com is the internal AD domain and the same domain.com is used externally. We can't change our AD name, and using www is not an option.)

4 replies

AEK
SuperUser
September 30, 2024

If I understand your request well, I think you need policy routes.

https://docs.fortinet.com/document/fortigate/7.4.5/administration-guide/144044

AEK
ebilcari
Staff
September 30, 2024

Are the DCs already reached through a VIP? If the VIP is in use, then the IP of the real servers behind it can easily be added/changed. When dealing with AD/DC I would prefer to go with a DNS approach (new sub/domain) as a cleaner solution and not create VIPs.

Emirjon
hun (Author)
New Member
October 2, 2024

@ebilcari The DCs are currently reached through a regular firewall policy: Allow interface/subnet1 -> interface/subnet2, all source / DC IP destination / all services.

I have read through and I agree that a new sub/domain would be cleaner, but this is currently not possible.

Would you mind pointing me in the right direction with VIP? Can I create one that has the same IP as the DC? I would have assumed it would be a conflict.

Also @AEK regarding policy routes, that looks interesting, but what would be the outgoing interface and gateway?

Essentially we use SD-WAN, but I cannot select that here, so I assume I would have to select the WAN interface directly. But what is meant by gateway? Is that my ISP's gateway?

Thank you.

ebilcari
Staff
October 2, 2024

The idea was to create a VIP and point all the DNS A records to that IP, then, based on the port (TCP/UDP), forward the traffic to different real server IPs. This approach may work for other services, but it's too risky when dealing with AD/DC services, as it could potentially cause disruptions (multiple service ports and complex DNS records like SRV).

Emirjon
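The VIP approach described in the reply above, as an added FortiOS CLI illustration that is not part of the thread: a new VIP address that the internal A records for domain.com would point to, a port-forwarding VIP that sends only TCP/443 on to the external web server, and a static-NAT VIP that passes every other port to the real DC. All addresses and interface names are constructed placeholders, the layout relies on FortiGate matching the port-forwarding VIP before the static-NAT VIP on the same external address, and it carries the same caveat the reply gives for AD/DC services (SRV records and many service ports).

```text
# Constructed values for the illustration only:
#   10.0.2.50     new VIP address the internal domain.com A records would point to
#   10.0.2.10     real domain controller
#   203.0.113.20  external web server that should receive TCP/443
#   internal / dc-subnet / wan1  assumed interface names
config firewall vip
    edit "vip-domain-https"
        # Only TCP/443 is rewritten to the external web server
        set extip 10.0.2.50
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "203.0.113.20"
        set mappedport 443
    next
    edit "vip-domain-other"
        # Static NAT: every other port keeps going to the real DC
        set extip 10.0.2.50
        set extintf "any"
        set mappedip "10.0.2.10"
    next
end
config firewall policy
    edit 0
        # Evaluated first: HTTPS destined to the VIP address leaves via the WAN
        set name "subnet1-vip-443-to-external-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "vip-domain-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
    edit 0
        # Everything else to the VIP address reaches the DC unchanged
        set name "subnet1-vip-other-to-dc"
        set srcintf "internal"
        set dstintf "dc-subnet"
        set srcaddr "all"
        set dstaddr "vip-domain-other"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Policy order matters: the HTTPS policy must sit above the catch-all so that TCP/443 is matched by the port-forwarding VIP and never reaches the DC.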
AEK
SuperUser
October 2, 2024

It seems I misunderstood your initial post. So forget about the policy route.

I don't think using a VIP with the same address as your DC is a good idea. I have never tested it and I don't know whether it actually works, since I find such a solution/workaround not so clean.

I don't have a solution in mind to implement at the FortiGate level, but in your case another possible solution is to implement HTTP redirection on your local DC web server. It is easy to implement and I find it much cleaner.

AEK