
    Configuring a Windows Active Directory environment with pfSense firewall and VPN

    A network of Windows servers is very flexible and suitable for working remotely with a large number of people via Remote Desktop, for example, or for giving people in different locations access to a shared network folder. You can use multiple servers for this purpose and manage user accounts centrally via a Domain Controller.

    In this tutorial, we describe how to build a network of Windows servers that consists of an Active Directory Domain Controller, Remote Desktop servers, SMB File Server, and a pfSense firewall (also acting as a VPN server). We also describe how to add hardware that is not added in the same private network (e.g., a laptop) to the same Windows domain. Depending on your use case, you can omit components such as the SMB File Server.

    Several components of a Remote Desktop deployment are mentioned in this article (for example, a Remote Desktop Connection Broker). You will find more information about the components that make up a Remote Desktop environment and what they are used for here.

    In the final setup that we describe in this article, the following 'roles' are filled:

    • Domain Controller: the server that provides an Active Directory within a Windows network
    • SMB File Server: for sharing and storing files on a network location
    • Remote Desktop Session Hosts: one or more servers on which you work via Remote Desktop
    • Remote Desktop Connection Broker: manages incoming Remote Desktop connections
    • Remote Desktop Gateway: encrypts connections to Remote Desktop Session Hosts
    • Remote Desktop Licensing Server: manages Remote Desktop licenses
    • Remote Desktop Web Access Server: allows users to access Remote Desktops or applications through a web portal
    • Remote Desktop Session Collection: bundles one or more Remote Desktop Session Hosts and centralizes user profiles
    • pfSense firewall: secures incoming and outgoing network traffic
    • OpenVPN server: with a VPN server you can make the above servers accessible only through a VPN connection, and you can also add remote computers/laptops to your Windows Domain
    • Private network: traffic between the servers runs through a private network

    The steps in this tutorial (and referenced articles) have been tested on Windows Server 2019 and 2022 and pfSense 2.5.2.


     

    Required hardware

    The previous section shows a nice list of roles, but you can combine several of these roles on one VPS, for example, the Domain Controller and Remote Desktop Connection Broker. For the above setup including optional parts, you need at least the following hardware when you combine certain components:

    Please note that this is the absolute minimum. An RD Session Host in particular can use a lot of resources and require a much larger VPS (or several VPSs). Therefore, consult Microsoft's guidelines in advance to estimate what size server you need as RD Session Host(s).

    Do you want the best possible performance for your RD Session Host? Then consider a VPS with dedicated CPU cores. Please note that the price of Windows Server licenses with PerformanceVPSs is higher than with a VPS with shared CPU cores.


     

    RD Gateway vs VPN

    In this tutorial, we will discuss the configuration of an RD Gateway and a VPN server. It depends on your use case whether you need one or both. We therefore first consider this choice:

    The main difference between the two is that an RD Gateway encrypts connections to Remote Desktop Servers and only allows the Remote Desktop protocol. A VPN connection allows all traffic from the VPN client to your Windows network.

    If, for example, a user needs to work via Remote Desktop from a home computer, the RD Gateway is the safest option. This does not mean that securing Remote Desktop servers with a VPN connection is unsafe; an RD Gateway is simply developed specifically for this purpose and therefore has a small edge. In addition, there is a (very) small performance gain when you connect to a Remote Desktop Session Host via a Remote Desktop Gateway, compared to connecting to it via an OpenVPN server on a pfSense firewall.

    If, on the other hand, a user has a company laptop on which they do not work via Remote Desktop, but they do need access to network resources (for example an SMB share), or they log in to that laptop with an Active Directory user account, then a VPN connection is the most convenient.

    In practice it is not inconceivable that you use a combination of these techniques for the scenarios described above. It is especially important that you are aware of the options available to you to customize your setup.


     

    Building the Windows Domain

     

    Step 1

    First, based on the introduction, determine what kind of VPS you need. Purchase this in advance together with a private network. Then add all the VPSs in the TransIP control panel to the private network.


     

    Step 2

    Enable Remote Desktop on the Windows VPSs so that it is easier to work on them than via the VPS console in the control panel.

    Later in this article, we'll set up a VPN server and firewall, but until then, bots will try to attack your Remote Desktop port. For that reason, we recommend that you also change the Remote Desktop port when you enable Remote Desktop (you are free to change it again after going through this manual).


     

    Step 3

    Set an internal IP on every Windows VPS according to the following manual:


     

    Step 4

    Choose one of the X4 Windows Servers and configure it as an Active Directory Domain Controller:


     

    Step 5

    Add the other Windows Servers to the Windows domain. Note that in step 7 of the article linked below you do not yet set a Default Gateway (but you do set the DNS server). You do that at the end of the pfSense installation (step 13 of this article).

    Do not yet add any servers, computers and laptops that are not included in your private network to the Windows Domain. A VPN server is needed for this, and we will come back to this in step 16 of this article.


     

    Step 6

    Now add all Windows VPSs to a server pool on the Domain Controller. With a server pool you can manage (add and remove) roles and services for all Windows VPSs in the server pool from your Domain Controller.

    From this point on, when a manual talks about installing a role or feature, you go through those steps on the Domain Controller. Please note that as the server on which that role or feature is installed (in the 'Server selection' step) you choose the desired VPS and not the Domain Controller (unless stated otherwise).


     

    Step 7 - Optional

    Optionally, you can now configure an SMB File Server. This is useful for sharing files on a company network, but also for storing Remote Desktop User Profiles (very useful for larger environments with multiple Remote Desktop Session Hosts). Don't want to use a File Server? Then proceed to step 8.

    Choose one of the X4 Windows Servers (not the Domain Controller) and attach the Big Storage to this VPS. A good choice is the server on which the RD Gateway, RD Web Access and RD Licensing roles will also be installed.

    Now set up this VPS as an SMB File Server. This allows users to save files to a network location. This makes it easier, for example, to collaborate in the same file with different people.


     

    Step 8

    Install Remote Desktop Services where you:

    • use an unused X4 or larger VPS as a Remote Desktop Session Host.
    • install the Remote Desktop Connection Broker role on the Domain Controller, or an unused X4 Windows Server.
    • install the Remote Desktop Web Access role on the SMB file server, or an unused X4 Windows Server.

     


     

    Step 9

    Configure the Remote Desktop Licensing on the server on which the RD Web Access role and (optionally) the SMB file server roles are also installed.


     

    Step 10

    Optionally, configure an RD Gateway (see the previous section 'RD Gateway vs VPN') using the same server as in the previous step.


     

    Step 11

    In the Active Directory Users and Computers tool, create a Domain User for each user whose remote computer/laptop you want to add to your Windows Domain later in this manual, and one account for yourself. Also add your own account to the 'Domain Admins' group.

    For security reasons, it is recommended, regardless of the role within your organization, to create a separate account for each user and to manage the rights of those users via groups. During a security audit, for example, it is much easier to see who has performed which action on your network.
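The same step done with the ActiveDirectory PowerShell module on the Domain Controller, as an added example that is not part of the original tutorial. The domain name transip.local, the OU path, the user list and the 'Remote Desktop Staff' group are constructed for illustration; adjust them to your environment.

```powershell
# Added example: one account per person, rights granted via groups rather than per user.
Import-Module ActiveDirectory

$Domain  = 'transip.local'                          # assumed domain (matches dc.transip.local below)
$UsersOU = 'CN=Users,DC=transip,DC=local'           # default container; replace with your own OU

# Constructed list: regular users plus one personal admin account for yourself.
$Accounts = @(
    @{ Sam = 'alice';      Given = 'Alice'; Surname = 'Example'; Admin = $false },
    @{ Sam = 'bob';        Given = 'Bob';   Surname = 'Example'; Admin = $false },
    @{ Sam = 'you-admin';  Given = 'Your';  Surname = 'Name';    Admin = $true  }
)

foreach ($a in $Accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") {
        Write-Host "Skipping $($a.Sam): account already exists"
        continue
    }
    # Initial password is typed interactively so it never lands in a script or shell history.
    $pw = Read-Host -AsSecureString -Prompt "Initial password for $($a.Sam)"
    New-ADUser -Name "$($a.Given) $($a.Surname)" -SamAccountName $a.Sam `
        -UserPrincipalName "$($a.Sam)@$Domain" -GivenName $a.Given -Surname $a.Surname `
        -Path $UsersOU -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true

    # Only your own personal admin account goes into Domain Admins.
    if ($a.Admin) { Add-ADGroupMember -Identity 'Domain Admins' -Members $a.Sam }
}

# Manage rights via a group: later steps (RDP access, VPN access) can reference this group
# instead of individual accounts, which also keeps audit trails per person.
if (-not (Get-ADGroup -Filter "Name -eq 'Remote Desktop Staff'")) {
    New-ADGroup -Name 'Remote Desktop Staff' -GroupScope Global -Path $UsersOU `
        -Description 'Users allowed to work via Remote Desktop'
}
Add-ADGroupMember -Identity 'Remote Desktop Staff' -Members 'alice', 'bob'

# Verify who ended up where.
Get-ADGroupMember -Identity 'Domain Admins'        | Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember -Identity 'Remote Desktop Staff' | Select-Object -ExpandProperty SamAccountName
```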


     

    Step 12 - Optional

    A 'Remote Desktop Session Collection' is a collection of apps and desktops (i.e., RDP servers). You use this, for example, to make multiple Remote Desktop Session Hosts available to Remote Desktop users. This is an especially handy feature when you work with many users on multiple remote desktop servers.

    Suppose you have 20 users that you each want to give their own remote desktop user profile of 20GB (your own user folder e.g., c:\users\transip) and you use two Remote Desktop Session Hosts. You then have two challenges that a Remote Desktop Session Collection answers:

    • The disk of your VPS is filling up quickly
    • The profile on server A is not automatically available on server B.

    A Remote Desktop Session collection solves this because you can store user profiles on a much larger network location, for example a Big Storage. The user profile on your network storage will then be loaded automatically, regardless of which Remote Desktop Session Host you connect to, as long as it is part of the same Remote Desktop Session Collection.


     

    Step 13

    For now, we are done with the Windows Servers. Now grab the pfSense-VPS and go through the installation.


     

    Step 14

    For our setup we would like to manage all users via LDAP (via your Active Directory). Adjust your pfSense configuration so that the pfSense admins are also managed via LDAP.


     

    Step 15

    Now configure your pfSense firewall as an OpenVPN server (this step through step 17 is optional, see the section RD Gateway vs VPN):


     

    Step 16

    Next, create OpenVPN users: one for an administrator and one for each user. For example, you can start by creating users for the accounts you created in step 11. You can always create more AD user accounts after going through this manual.


     

    Step 17

    Now add any servers, computers and laptops that are not part of your private network to your Windows Domain (requires a VPN connection).


     

    Step 18

    The end is in sight. The foundation has now been laid and it is time to nail down all access where necessary and get the most out of your VPN server. We'll start with the latter: if you're going to use an OpenVPN server, adjust the firewall on all your Windows Servers so that your Remote Desktop port only accepts connections from your VPN network. In the example in our pfSense OpenVPN tutorial, this is the IP range 10.10.0.0/24.

    Optional: you can close the Remote Desktop port of your SMB File Server, RD Gateway, RD Licensing and RD Web Access server. You mainly manage these roles via your domain controller and will rarely connect to these server(s) in practice. If you leave the Remote Desktop port accessible (via your VPN), then limit who has access to it, for example only Domain Admins. An example of how to do that can be found in this tutorial.
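The firewall change described above, as an added PowerShell example (not from the original tutorial or the linked manual): it disables the built-in 'Remote Desktop' rule group, which accepts RDP from any address, and replaces it with a rule scoped to the VPN range 10.10.0.0/24. The rule name and the assumption that RDP still listens on port 3389 (change $RdpPort if you moved it in step 2) are this example's own.

```powershell
# Added example: allow inbound RDP only from the OpenVPN client network.
# Run this in an elevated PowerShell session on each Windows Server.
$VpnRange = '10.10.0.0/24'     # VPN client range from the pfSense OpenVPN tutorial
$RdpPort  = 3389               # assumed; set to your custom port if you changed it in step 2
$RuleName = 'RDP from VPN only'

# 1. The default rule group allows RDP from anywhere; switch it off instead of deleting it,
#    so it can be re-enabled from the console if you ever lock yourself out.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False -ErrorAction SilentlyContinue

# 2. Remove an earlier copy of our rules so the script can be re-run safely.
Get-NetFirewallRule -DisplayName "$RuleName*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Allow TCP (classic RDP) and UDP (RDP 8+ transport) on the RDP port from the VPN range only.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "$RuleName ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort $RdpPort -RemoteAddress $VpnRange `
        -Profile Any -Action Allow | Out-Null
}

# 4. Verify: every enabled inbound allow rule for the RDP port should be scoped to the VPN range.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$RdpPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0,-32} remote: {1}' -f $_.DisplayName, $remote
    }
```

Apply it while connected through the VPN (or from the VPS console in the control panel) and confirm a fresh RDP session from a VPN client works before closing your current session; any remaining rule whose remote address shows 'Any' still exposes the port.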


     

    Step 19 - Optional

    Remote Desktop works a lot better if you don't have to remember the IP addresses of each server but can use a hostname/DNS name like dc.transip.local. Therefore, add a DNS record on your DC for every Windows Server on your private network that refers to its local IP (e.g., 192.168.0.1).
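The DNS records from this step created with the DnsServer module on the Domain Controller, as an added example rather than the tutorial's own instructions. The zone name transip.local, the hostnames and the 192.168.0.x addresses are constructed to match the example above; replace them with your servers' private IPs.

```powershell
# Added example: create (or correct) an A record per Windows Server in the AD DNS zone.
# Run on the Domain Controller in an elevated PowerShell session.
Import-Module DnsServer

$Zone = 'transip.local'                  # assumed AD DNS zone
$Servers = [ordered]@{                   # constructed hostname -> private IP map
    'dc'    = '192.168.0.1'
    'fs'    = '192.168.0.2'              # SMB File Server / RD Gateway / RD Web Access / RD Licensing
    'rdsh1' = '192.168.0.3'              # Remote Desktop Session Host
}

foreach ($entry in $Servers.GetEnumerator()) {
    $name = $entry.Key; $ip = $entry.Value
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue

    if ($existing) {
        $current = $existing.RecordData.IPv4Address.ToString()
        if ($current -eq $ip) { Write-Host "$name.$Zone already points to $ip"; continue }
        # A stale record would send RDP sessions to the wrong (or a reused) address: replace it.
        $updated = $existing.Clone()
        $updated.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($ip)
        Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $existing -NewInputObject $updated
        Write-Host "$name.$Zone updated from $current to $ip"
    } else {
        # -CreatePtr also adds the reverse record if a matching reverse zone exists.
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $ip -CreatePtr
        Write-Host "$name.$Zone created -> $ip"
    }
}

# Verify against the DC's own DNS service, which is what the domain members use.
foreach ($name in $Servers.Keys) {
    Resolve-DnsName -Name "$name.$Zone" -Type A -Server localhost |
        Select-Object Name, IPAddress
}
```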


     

    Step 20 - Optional

    If you are using an OpenVPN server (and not an RD Gateway), now optionally disable the public network interface on the Domain Controller/RD Connection Broker and VPS which serves as SMB File Server, RD Gateway, RD Licensing and RD Web Access server.


    Additional documentation
     

    The manuals referenced in this article regularly refer to additional documentation. For your convenience, we've listed some additional guides below to help you manage your setup. Are you looking for additional software such as Office? Then take a look at our Microsoft Essentials page.


     
