Replace ISA server with OPNSense

[astudillojr]

Greetings and happy new year to you all.

I just entered to a company in which there's a domain host and an active directory set of users working, the rules for acceding the internet are controlled by an ISA server which depending on the user, gives permissions to web browse or not...( this ISA is microsoft 2006). as you all know, now-a-days ISA server is not a good tool for this functions(reason of me entering the company)... so I wanted to try the OPNSense to do this function.

They have windows server 2012.

So before getting in troubles for damaging something, I made a small testing lab in my office and I installed the latest version of OPNSense on a computer that I assembled with two network cards, I have enabled the internet access already. I used one card for wan, and another for lan.

Now I think the next step will be to enable the LDAP. all I've done is by following your docs, and here's the problem, after setting the firewall rule for letting the ldap pass, I went to the access, and Add server option, but after writing the DC=domainname,DC=com I click select but it always shows...

Could not connect to the LDAP server. Please check your LDAP configuration.

so i checked if the opnsense could see the windows server on the network, and yes they ping each other, no problem with that.

therefore I'm here to ask you if is there something I have to install on windows server, or something I'm missing... thank you guys, if you need more information, please ask and I will provide it.

[weust]

Would this help you in any way?
I've set it up a long time ago, btw. Not even sure how exactly I did it :-)

[astudillojr]

thanks for your reply, Mr Weust.

I've tried that configuration, but still the error of Could not connect to the LDAP server. Please check your LDAP configuration.

I've checkd the firewll, and it allows the ldap port, I'm using as bind credentials, an admin of the domain, I use in Base DN both DC=local and DC=com, after the DC=nameofdomain but same error...

I don't know if i'm missing something in the active directory, or windows server, or opnsense...

[astudillojr]

i just did it!

I tried using the ip of the domain instead of the domain name and it connected.

now i want to set the permissions for the users group. I have 3 on my AD, one group will have full access to internet, one will have access to a list of websites and the last one would not have access to any website.

any tips for doing it? thank you!

[weust]

Not really, tbh. I hate proxies, and the last one I worked with was TMG in combination with UAG.

Regarding the lookup of the domain name, which DNS server are you using?
I've set my OPNsense box to use the AD integrated DNS server.
If yours is set to an outside DNS server, it won't resolve your internal domain.

[astudillojr]

I set the dns to the domain, I can import all users, now I need to set the restrictions of the internet...

I had the same proxie before, but It only worked with internet explorer, other web browsers just didn't pay attention to the rules...

I'll see what configurations can I do with proxy in OPNsense, any suggestions will be appreciate...