Allow external domain join through pfsense
-
Hi i am trying to connect external user to active directory and domain controller through pfsense.
I found the one way domain override and to allow ports and restrict rpc range.
Is there another option like cisco DCERPC helper for pfsense to dynamically allow rpc ports?
-
Perhaps try a VPN instead of digging gapping security holes into your network?! :o
-
Perhaps try a VPN instead of digging gapping security holes into your network?! :o
Yes i know that answer was coming … i know the risks but i wanna do that this way
-
Yeah. Good luck. There's no "helper" for this. Thanks god.
-
-
i know the risks but i wanna do that this way
But why?? OpenVPN is easy to configure for the admin, easy to install & run for the user and very secure.
-
@KOM:
i know the risks but i wanna do that this way
But why?? OpenVPN is easy to configure for the admin, easy to install & run for the user and very secure.
Yes but the pcs that will join the domain externally are in 90 different locations!
-
Well, seriously - exposing RPC and similar crap on internet is totally insane. And setting up ~100 locations in some alias will take more time than distributing preconfigured OpenVPN package to click-click-install-connect-join-uninstall.
-
"i know the risks but i wanna do that this way"
That is just plain stupid!! It would be one thing if you just didn't understand the risks and thought you could do it this way - but understanding the risks and still wanting to do it is just plain MORONIC!!
If you have remote users that need to interact with your AD, then have them vpn in..
-
Thanks all for you time i was just asking if it was something similar to this http://clintboessen.blogspot.gr/2011/06/allowing-domain-membership-through.html as an option
-
There is a HUGE difference between creating pinholes that allow access from a firewalledsegment into your AD from your own network vs doing such a thing from the public internet..
Normally if you have boxes in your dmz that need access to your AD you put a read only DC in your dmz vs opening up your dmz into your normal network.
-
A good analogy might be that the locks you have on your bathroom door in your house are not suitable for your front door. The protections you have between internal LAN segments is potentially not strong enough to protect you from the public Internet.
