How to deploy ADSelfService Plus over the internet for remote user access

Objective   

This article explains how to deploy ADSelfService Plus over the internet to enable remote users to securely access the self-service portal from any location. This configuration is useful for organizations supporting hybrid or remote workforces that require password reset, account unlock, and multi-factor authentication (MFA) services outside the corporate network.

Prerequisites   

Before initiating the configuration, ensure you have:
  • Permissions:
    • Administrator access to the ADSelfService Plus server.
    • Administrative access to the organization's perimeter firewall or router to configure port forwarding or NAT rules.
    • Access to DNS Manager if DNS records are managed internally.
  • A dedicated public static IP address (e.g., 64.12.13.11).
  • A registered public hostname (e.g., selfservice.yourdomain.com) mapped to the public IP.
  • A valid third-party SSL certificate (recommended) installed on ADSelfService Plus to ensure encrypted communication. Refer to the documentation to learn how to install SSL certificates.
  • The internal IP address and listening port of the ADSelfService Plus server (the default port is 8888 for HTTP or 9251 for HTTPS).

Steps to deploy ADSelfService Plus over the internet   

Step 1: Configure firewall port forwarding  

  1. Log in to your organization's firewall or router administrative interface.
  2. Create a new port forwarding rule with the following parameters:
    • External IP: Your public IP address
    • External Port: 443 (HTTPS) or 80 (HTTP)
    • Internal IP: The ADSelfService Plus server IP address
    • Internal Port: The port on which ADSelfService Plus is listening (the default 8888 for HTTP, 9251 for HTTPS, or a custom configured port)
    • Protocol: TCP
  3. If ADSelfService Plus listens on internal ports that differ from the external ports (as the defaults 9251 and 8888 do), configure port translation. For example:
    • External port 443 → internal port 9251
    • External port 80 → internal port 8888
  4. Save and apply the firewall rule.

Step 2 (optional): Enable public access via DNS (CNAME setup)   

To allow users to access the portal using a friendly DNS alias:
  1. Navigate to Start > Administrative Tools > DNS to open DNS Manager.
  2. Navigate to your Forward Lookup Zone.
  3. Right-click the zone and click New Alias (CNAME).
  4. In the Alias name field, enter your alias.
  5. In the Fully qualified domain name (FQDN) for target host field, enter the public hostname registered earlier (for example, selfservice.yourdomain.com).
  6. Click OK to save and apply the record.
Once this is configured, users can access ADSelfService Plus from outside the corporate network using the public hostname or alias.

Best practices 

  • Enforce HTTPS: Always use HTTPS with a trusted SSL/TLS certificate to encrypt user credentials and prevent browser security warnings.
  • Enable MFA: Configure MFA for user logins in ADSelfService Plus to prevent unauthorized access.
  • Restrict access using firewall rules: Implement IP allowlists or geo-based access controls.
  • Use a DMZ or reverse proxy: For enhanced security, avoid exposing the ADSelfService Plus server directly to the internet. Instead, deploy a reverse proxy (such as ADSelfService Plus' built-in reverse proxy component, NGINX, or IIS) in a DMZ to handle external traffic.
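
The following NGINX server blocks sketch the reverse proxy option combined with the HTTPS and allowlist practices above. This is an added example, not ManageEngine's own configuration; the internal address 10.0.0.10, the certificate and CA bundle paths, and the allowlist range are placeholders assumed for illustration.

```nginx
# Added example: NGINX reverse proxy in the DMZ in front of ADSelfService Plus.
# Placeholders (assumptions): 10.0.0.10, all file paths, the allowlist range.
# These blocks belong inside the http { } context.

# Port 80: never forward plain HTTP to the internal 8888 listener;
# redirect every request to HTTPS instead.
server {
    listen 80;
    server_name selfservice.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name selfservice.yourdomain.com;

    # Third-party certificate presented to remote users (placeholder paths).
    ssl_certificate     /etc/nginx/tls/selfservice.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/selfservice.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this hostname.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Optional IP allowlist (constructed documentation range); uncomment to use.
    # allow 203.0.113.0/24;
    # deny  all;

    location / {
        # Forward to the internal HTTPS listener (default port 9251).
        proxy_pass https://10.0.0.10:9251;

        # Verify the backend certificate rather than trusting any TLS endpoint.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                selfservice.yourdomain.com;

        # Preserve the original host and client details for the application.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout, the perimeter rule from Step 1 forwards external ports 443 and 80 to the proxy host rather than to the ADSelfService Plus server, and the DMZ-to-internal firewall only needs to permit the proxy to reach the server on port 9251.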

How to reach support                                          

If you face any issues, contact our support team here.
