Allow external domain join through pfsense

alxbob · Oct 15, 2015, 8:45 AM

Hi i am trying to connect external user to active directory and domain controller through pfsense.

I found the one way domain override and to allow ports and restrict rpc range.

Is there another option like cisco DCERPC helper for pfsense to dynamically allow rpc ports?

doktornotor · Oct 15, 2015, 11:29 AM

Perhaps try a VPN instead of digging gapping security holes into your network?! :o

alxbob · Oct 15, 2015, 11:35 AM

@doktornotor:

Perhaps try a VPN instead of digging gapping security holes into your network?! :o

Yes i know that answer was coming … i know the risks but i wanna do that this way

doktornotor · Oct 15, 2015, 11:35 AM

Yeah. Good luck. There's no "helper" for this. Thanks god.

alxbob · Oct 15, 2015, 3:16 PM

@doktornotor:

Yeah. Good luck. There's no "helper" for this. Thanks god.

So pity…

KOM · Oct 15, 2015, 3:28 PM

i know the risks but i wanna do that this way

But why?? OpenVPN is easy to configure for the admin, easy to install & run for the user and very secure.

alxbob · Oct 15, 2015, 3:34 PM

@KOM:

i know the risks but i wanna do that this way

But why?? OpenVPN is easy to configure for the admin, easy to install & run for the user and very secure.

Yes but the pcs that will join the domain externally are in 90 different locations!

doktornotor · Oct 15, 2015, 3:37 PM

Well, seriously - exposing RPC and similar crap on internet is totally insane. And setting up ~100 locations in some alias will take more time than distributing preconfigured OpenVPN package to click-click-install-connect-join-uninstall.

johnpoz · Oct 15, 2015, 4:25 PM

"i know the risks but i wanna do that this way"

That is just plain stupid!! It would be one thing if you just didn't understand the risks and thought you could do it this way - but understanding the risks and still wanting to do it is just plain MORONIC!!

If you have remote users that need to interact with your AD, then have them vpn in..

alxbob · Oct 15, 2015, 4:37 PM

Thanks all for you time i was just asking if it was something similar to this http://clintboessen.blogspot.gr/2011/06/allowing-domain-membership-through.html as an option

johnpoz · Oct 15, 2015, 4:42 PM

There is a HUGE difference between creating pinholes that allow access from a firewalledsegment into your AD from your own network vs doing such a thing from the public internet..

Normally if you have boxes in your dmz that need access to your AD you put a read only DC in your dmz vs opening up your dmz into your normal network.

KOM · Oct 15, 2015, 5:18 PM

A good analogy might be that the locks you have on your bathroom door in your house are not suitable for your front door. The protections you have between internal LAN segments is potentially not strong enough to protect you from the public Internet.