Re: ISA 2004 - How to allow Guest and Client access from wireless

I'd thought about the trench idea, but not real practical for us - lotta
asphalt and it's just me to do the digging (I'd probably dig into some
buried cable).

Not a bad idea on buying another set of APs and antennas, but that's another
$500 or so. Bad enough that it seems I bought a new switch for VLANs (about
$900) that now won't solve my problem. I know it's relatively just
pocket-change, but I fight for every dollar for the IT stuff we need. I
really don't know if I can squeeze any more out of our general funds.

And you're right, I mis-spoke -- it is a WAN port, so I have 3 empty ports
available.

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:uWOqyufqHHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
Ah-dig a trench to the bunkhouse and drop in a CAT 5 cable (max length is
~ 300 ft.). Oops probably not too practical but would sure solve your
problem!

How about another dedicated AP with directional antenna to the bunkhouse
AP? That could plug into another port on the router. With SBS and
external NIC you can actually have a DHCP service turned on a router that
causes no interference with the SBS DHCP server.

One clarification-I'd think the satellite cable connection to the router
would be to some "WAN" port rather than internal?

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:usKKQSfqHHA.4548@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for coming aboard.

The bunkhouse has a directional antenna pointed at the main building, so
it's at the far end -- about 250-ft to the omni-directional antenna on
our roof.

The router has 4 "internal" ports; one is taken up by the cable to/from
the satellite modem and one to the external NIC.

I use SBS's DHCP, not the router - although it is capable.

Cell phones work fine, but not for data at our location. There are
towers in the area, but clear LOS is blocked by lines of trees along the
creeks and fencelines.

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:OviyJFfqHHA.4324@xxxxxxxxxxxxxxxxxxxxxxx
How far is the bunkhouse from the location of the satellite connection
to the router? How many "internal" ports does the router have? Does it
provide DHCP service for its "internal side." I'm trying to see if there
is some alternative config that will work for you and abide by Cris'
well justified keep the guests on the "outside" of the network. Do you
have cellular service with data capability from any provider out there
in your "boonies?"

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23zG4MveqHHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
Landline won't work. We're 1.5 miles from the main road and another
mile or so to a place we can tap into. We've got someone who ran a T1
our here for a wildlife webcam - costs them $2100/mo (ouch!). Our only
solution is satellite as we're not in the range or line-of-sight for
wireless ISP.

"Cris Hanna [SBS-MVP]"
<crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ucLZYqeqHHA.3372@xxxxxxxxxxxxxxxxxxxxxxx
Mike
If you move it to the router then you will lose connectivity to the
lan for the true workers

Just curious...what about a separate residential DSL or Cable going to
the bunk house with a DLink wireless router there for the "guest
access.

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:urF$yneqHHA.500@xxxxxxxxxxxxxxxxxxxxxxx
I'm getting the strong impression that the "only" way to achieve my
goal is to have 2 wireless networks - one connected to the router and
one as-is connected to the switch. However, money's a problem
(always is with a nonprofit).

If I move the wireless from the switch to the router (which would
mean VLAN's are out - router isn't 802.1Q capable), could I then
accomplish what I want to do? Or is there another way that, while
not the best security-wise, would go most of the way to solving my
problem? If it helps, we're 'way out in the boonies, so those who
come here are by invitation. The big caveat to that is that a bunch
of them are grad students who have down time at night with their
laptops in our "bunk house".

Mike

"Cris Hanna [SBS-MVP]"
<crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:O7s42feqHHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Guest access should not be from "inside" the LAN and on the same
network as your "workers".
Are these "guests" connecting from anywhere other than the main
building?

In my main enterprise job...we have a secure wireless network for
employees, etc with one SSID we have a second network/SSID for
Guests

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OvsNBXeqHHA.4100@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium SP2, SQL, Exchange, ISA 2004, WSUS 3.0, 2
NICs and a router, dynamic IP, DDNS service through dyndns.org,
Symantec Backup Exec 11d, managed switch D-Link DES 3828 (802.1Q
capable), 5 Access Points - D-Link DWL-2200AP's (802.1Q capable),
and the internal NIC is also 802.1Q capable.
========================
I'm in over my head so thought it best to ask for advice than
"experiment".

Goal: Using my wireless access points (AP's), provide guests and
visitors internet ONLY access, and employees, temp. workers LAN
access.

Background: Purchased and installed 5 AP's - one hard-wired to
switch and it "talks" with the other 4 in our outer buildings.
Purchased and installed a managed switch as it can do VLAN's.
Created 4 VLAN's - (1) has all ports and used for management, (2)
has only Port 2 (internal NIC), for internet access, (3), has all
ports except Port 5 (which is checked "Forbidden") for my LAN, and
(4) has ports 2 and 5 for the wireless side.
The AP's are capable of using VLAN's and Multiple SSID's (up to 3
of them for Guests). The AP's can be configured for all the usual
security modes.

I have exchanged many emails and phone calls with D-Link's tech
support to learn and set up the switch and VLAN's. I was told this
morning (by their tech support) that, because I have only a single
VLAN for wireless, I need to set a rule in ISA 2004 to finalize
what my goal is.

I admit to being "scared" to set or change rules in ISA without a
good grasp of SPECIFICALLY what I need to do. That's why I thought
I'd ask. I don't know, through my inexperience, how to mentally
frame the problem and then the solution, in terms I can tanslate
into an ISA rule.

Has someone out there been through this before, and be willing to
lend some advice and lessons-learned?

Many thanks in advance!!
--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization

















.

Relevant Pages

  • Re: ISA 2004 - How to allow Guest and Client access from wireless
    ... complicated wireless configurations so just trying to suggest something ... That could plug into another port on the router. ... Are these "guests" connecting from anywhere other than the main ... and visitors internet ONLY access, and employees, temp. ...
    (microsoft.public.windows.server.sbs)
  • Re: Adding Linux machine to existing wireless WinXP network - Heeeelllllp!
    ... 1 notebook) connected in peer to peer via wireless NIC's ... > router providing DHCP services and gateway to cable Internet. ... I connected it via hard-wire network cable to my LAN port on the ... > that the router is limited to four connections and that if I ...
    (alt.linux)
  • Re: ISA 2004 - How to allow Guest and Client access from wireless
    ... not the router - although it is capable. ... the bunk house with a DLink wireless router there for the "guest access. ... If I move the wireless from the switch to the router (which would mean ... Are these "guests" connecting from anywhere other than the main ...
    (microsoft.public.windows.server.sbs)
  • RE: cant access others computer anymore
    ... Lots of Access Point has Router function and may have build-in NAT support. ... only HTTP package from port 80) ... | When implementing a wireless solution you usually buy an ADSL ...
    (microsoft.public.windowsxp.general)
  • Re: ISA 2004 - How to allow Guest and Client access from wireless
    ... these Guest SSID's "programmed/preconfigured" to allow internet only access, ... (I'm a relative newbie to wireless, ... That could plug into another port on the router. ... Are these "guests" connecting from anywhere other than the main ...
    (microsoft.public.windows.server.sbs)