Port forward for RDP
Hello pfSense Experts,
Sometimes we need to provide quick RDP access for external technicians to our server. Usually we use a VPN to protect our RDP connections, and that is not convenient for external technicians.
One of the commercial firewalls has quite an interesting method for this scenario. External technicians enter a specific address in a web browser and log in there. This enables a port forward to the RDP service of a server or jump-in PC. This port forward is enabled for a limited period (e.g. 1 hour).
It is interesting because guests do not need to install anything on their computers; they only need the logon address and credentials.
Is there something like this for pfSense?
As far as I know, there is no clientless VPN solution for pfSense. OpenVPN provides an SSL-based connection but it uses an installable client. The only 'free' (as in beer) clientless VPN solution I know of is OpenVPN ALS/SSL Explorer, though as far as I know it hasn't been in live development for some time.
If you just want easy remote access to a desktop, there are plenty of 3rd party paid services for that, or you can use the open source UltraVNC 1 click solution.
The catch with the 1 click is that you'll need to create and configure the client, and the techs will need to do that for you, since they are the ones trying to connect to you.
If that is too much work then use services like Go To My PC or Log Me In. Adobe also has something similar; actually many, many services including Citrix and Cisco have something similar.
For example, Checkpoint firewalls have a VPN built into their switches/routers that lets you pick which machine to remote into, but it's also a paid service.
The alternative method if you use pfSense is to set up a PPPoE server on your end, so they can PPPoE into your network.
You can create a vlan and tag the PPPoE to only access a separate vlan, which would be the same vlan as where your remote desktop machine is located.
This will securely isolate them from your normal network.
Thanks for your tips. I have already tried some of them, and mostly those methods are not as easy as just a port forward to RDP.
I do not expect a clientless VPN. I think it would be possible to set up a simple web page which enables an RDP port forward to one of my LAN PCs. With additional precautions (port forward allowed for a specific source address only and expiring after a certain period of time) this should be safe enough. Or not?
I just thought that this simple way is probably already implemented by other people.
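The bookkeeping behind the precautions named in the last post (one source address per login, automatic expiry) can be sketched as follows. This is an added example, not code from the thread or from pfSense: the class `GrantTable`, its method names and the sample addresses are hypothetical, and loading the resulting address list into the firewall is deliberately left out.

```python
import ipaddress
import time

GRANT_SECONDS = 3600  # the one-hour window mentioned in the thread


class GrantTable:
    """Tracks which source addresses may currently reach the RDP forward."""

    def __init__(self, ttl=GRANT_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._grants = {}  # user -> (source address, expiry time)

    def open(self, user, source_ip):
        """Call only after the web login succeeded; pins the grant to one address."""
        addr = ipaddress.ip_address(source_ip)  # ValueError on malformed input
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            raise ValueError(f"refusing non-unicast source {addr}")
        # A new login replaces the old grant, so a user never holds two openings.
        self._grants[user] = (addr, self._clock() + self._ttl)
        return addr

    def revoke(self, user):
        """Close a user's opening early, e.g. when the technician is done."""
        self._grants.pop(user, None)

    def active_sources(self):
        """Drop expired grants and return the addresses the firewall should allow."""
        now = self._clock()
        self._grants = {u: g for u, g in self._grants.items() if g[1] > now}
        return sorted({str(addr) for addr, _ in self._grants.values()})

    def allows(self, source_ip):
        return str(ipaddress.ip_address(source_ip)) in self.active_sources()


if __name__ == "__main__":
    table = GrantTable()
    table.open("tech1", "203.0.113.5")  # constructed sample address
    print(table.active_sources())
```

The port forward rule should match only the addresses returned by `active_sources()`, and that list has to be refreshed on a timer so that an expired grant actually closes the port.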