Access Active Directory behind pfSense



  • Good morning everyone, I have a scenario :

    Workstation01(10.10.10.100) – external network(10.10.10.0/24) -- pfsense -- internal network(192.168.1.0/24) -- AD Server (192.168.1.10)

    The internal network usually ping on the external network, the external network already has a few releases and Nats to access some services on the servers on the internal network, everything working properly. My question is how to create rules that my station outside network can access the AD within the internal network. Need to update security policies, add and remove machines from the domain and etc..

    I apologize if I posted in the wrong forum, or if you already have some post about this, but I do not know how to look.

    I appreciate if someone can help me.


  • Banned

    Read the M$ documentation. (Note: the list in there and the steps in there are in no way even remotely complete.) I strongly recommend against attempting any such futile things. Use some sort of VPN instead.



  • @doktornotor:

    Read the M$ documentation. (Note: the list in there and the steps in there are in no way even remotely complete.) I strongly recommend against attempting any such futile things. Use some sort of VPN instead.

    I do not like to use vpn for this purpose because there are many sites with different seasons each and every reach external network link 4MB in my current scenario I am with AD out of pfSense, I would bring it into to become more secure.

    I thank the idea.


  • Banned

    Afraid I do not really understand you English above. What you trying to do is a reliability and maintenance nightmare. You should clarify what goal are you trying to achieve with AD in the first place.



  • @doktornotor:

    Afraid I do not really understand you English above. What you trying to do is a reliability and maintenance nightmare. You should clarify what goal are you trying to achieve with AD in the first place.

    friend

    Sorry my English, what I need is trust relationship between the workstation and the AD,  through the pfSense.


  • Banned

    Afraid this won't go anywhere…

    A trust is a relationship, which you establish between domains, that makes it possible for users in one domain to be authenticated by a domain controller in the other domain.

    Cf. Active Directory Domains and Trusts



  • @doktornotor:

    Afraid this won't go anywhere…

    A trust is a relationship, which you establish between domains, that makes it possible for users in one domain to be authenticated by a domain controller in the other domain.

    Cf. Active Directory Domains and Trusts

    Ok, come on I'll try to be more clear and objective.

    I need a workstation (is in the pfSense WAN network) authenticate their users in the domain that is on the LAN of pfsense.

    And also need to enter and remove stations this domain  where the external network (10.10.10.0/24)


  • Banned

    Well, then use VPN. End of story.



  • @doktornotor:

    Well, then use VPN. End of story.

    Is infeasible, but okay thanks for the help … I will continue to search ..


  • Banned

    VPN is perfectly feasible and used daily by thousands on huge enterprises. Unlike digging huge holes into the AD security by making it wide open on internet. Then there's ADFS and others. All of this being totally out of scope of this forum.



  • In no time I said it is not 100% feasible, I said it is not feasible for me! because I do not have 35 PCs to interconnect everything. And one more detail, at no time spoke of internet! The network where the computer is a great peer network. Within this network I have my private network.

    As for the scope, ask some moderator EDUCATED that move the topic to correct location.

    Unfortunately started in the world of pfSense with the left foot and a bad person educated to give me tips!



  • Moderator please close the thread or delete.



  • Yes, it will be possible. Most people (like me) have an internal network that has multiple subnets, sometimes in the same office, and the internal subnets are connected with pfSense firewall/routers. But I my case, all the internal subnets are treated as being at the same "security level", so there are rules allowing traffic to/from the known internal private IP subnets. And of course, my AD Windows Domain works fine in this environment.
    Personally, I don't know all the ports that will need to be allowed through the firewall, but in theory it should (might) be possible. In a Windows Domain the clients do the initiating of most things - they try to join the domain, authenticate a login, check for new/changed group policy and pull it down… The Windows Server is listening on various known ports for clients to ask for stuff. But then it seems the client and server talk on the known port connection and use it to agree an ephemeral port pair to use for the client to do a particular task. That means opening up a big block of ephemeral port numbers.
    Here are a couple of articles:
    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/WhatAllPortsAreRrequiredByDomainControllersAndClientComputers.html
    http://support.microsoft.com/kb/832017#method39
    I do not think it is as simple as the 1st article looks!
    For example, the 2nd (Microsoft) article has:

    RPC does not use only the hard-coded ports that are listed in the table. Ephemeral range ports that are used by Active Directory and other components occur over RPC in the ephemeral port range. The ephemeral port range depends on the server operating system that the client operating system is connected to.

    In the end, you have to open so many ports, that the client system in "external" network has as good as full access to the server in "internal" network. If there really is a big security requirement/difference between "external" and "internal", then doing this defeats the requirement.
    The most practical way would be to allocate these clients IPs in a known range on the external network, then allow all traffic from those IPs in to the internal network server. I think that any other slightly tighter solution would not really be significantly more secure in any case. And, of course, if someone/something on the external network sets itself to one of those IPs, then it will get access in to the server.
    It all depends on your real security requirements between external and internal and your effective physical control of what people can connect and configure themselves on external.



  • Does this change anything?

    http://support.microsoft.com/kb/224196

    P.S.  What is your first language?