Re: ISA 2004 - How to allow Guest and Client access from wireless



Thanks, it's a good idea and might be the one I will go with. Had an idea
during these posts and sent the following to D-Link's tech support:

"On the DWL-2200AP's I know I can set up to 3 Guest SSID's. The PDF manual
didn't explain specifically what this means, but I think you can help. Are
these Guest SSID's "programmed/preconfigured" to allow internet only access,
while leaving known users (those I've given LAN access to) able to use the
primary SSID to access the LAN? If so, THAT solves my problem!"

Their response usually comes in 12-24 hours, so it'll be Monday before I
know. Certainly an idea.

Another is to use ISA and/or Group Policy to severely restrict a generic
user account that I can hand out for Guest use. Comments?

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:efoaXbgqHHA.192@xxxxxxxxxxxxxxxxxxxxxxx
No I wasn't suggesting that it would handle 2 separate signals and doubt
that is possible either. I was assuming it would be dedicated at the
bunkhouse only for external internet connectivity with no need for the
internal. If that's not what you want to do then yes you probably need a
2nd AP & antenna at the bunkhouse. I don't really have experience with
complicated wireless configurations so just trying to suggest something
that might work.

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OFxBBJgqHHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Interesting idea....I didn't know an AP could handle signals from 2 other
APs simultaneously. (I'm a relative newbie to wireless, too). How'd that
work?

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:eCzl8DgqHHA.532@xxxxxxxxxxxxxxxxxxxxxxx
Hire some gophers/moles to help with the trench?

Couldn't you use the existing AP/antenna at the bunkhouse and only need
1 more set at the main building?

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:uNN8o4fqHHA.3484@xxxxxxxxxxxxxxxxxxxxxxx
I'd thought about the trench idea, but not real practical for us -
lotta asphalt and it's just me to do the digging (I'd probably dig into
some buried cable).

Not a bad idea on buying another set of APs and antennas, but that's
another $500 or so. Bad enough that it seems I bought a new switch for
VLANs (about $900) that now won't solve my problem. I know it's
relatively just pocket-change, but I fight for every dollar for the IT
stuff we need. I really don't know if I can squeeze any more out of
our general funds.

And you're right, I mis-spoke -- it is a WAN port, so I have 3 empty
ports available.

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:uWOqyufqHHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
Ah-dig a trench to the bunkhouse and drop in a CAT 5 cable (max length
is ~ 300 ft.). Oops probably not too practical but would sure solve
your problem!

How about another dedicated AP with directional antenna to the
bunkhouse AP? That could plug into another port on the router. With
SBS and external NIC you can actually have a DHCP service turned on a
router that causes no interference with the SBS DHCP server.

One clarification-I'd think the satellite cable connection to the
router would be to some "WAN" port rather than internal?

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:usKKQSfqHHA.4548@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for coming aboard.

The bunkhouse has a directional antenna pointed at the main building,
so it's at the far end -- about 250-ft to the omni-directional
antenna on our roof.

The router has 4 "internal" ports; one is taken up by the cable
to/from the satellite modem and one to the external NIC.

I use SBS's DHCP, not the router - although it is capable.

Cell phones work fine, but not for data at our location. There are
towers in the area, but clear LOS is blocked by lines of trees along
the creeks and fencelines.

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:OviyJFfqHHA.4324@xxxxxxxxxxxxxxxxxxxxxxx
How far is the bunkhouse from the location of the satellite
connection to the router? How many "internal" ports does the router
have? Does it provide DHCP service for its "internal side." I'm
trying to see if there is some alternative config that will work for
you and abide by Cris' well justified keep the guests on the
"outside" of the network. Do you have cellular service with data
capability from any provider out there in your "boonies?"

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23zG4MveqHHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
Landline won't work. We're 1.5 miles from the main road and
another mile or so to a place we can tap into. We've got someone
who ran a T1 out here for a wildlife webcam - costs them $2100/mo
(ouch!). Our only solution is satellite as we're not in the range
or line-of-sight for wireless ISP.

"Cris Hanna [SBS-MVP]"
<crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ucLZYqeqHHA.3372@xxxxxxxxxxxxxxxxxxxxxxx
Mike
If you move it to the router then you will lose connectivity to
the lan for the true workers

Just curious...what about a separate residential DSL or Cable
going to the bunk house with a DLink wireless router there for the
"guest access."

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:urF$yneqHHA.500@xxxxxxxxxxxxxxxxxxxxxxx
I'm getting the strong impression that the "only" way to achieve
my goal is to have 2 wireless networks - one connected to the
router and one as-is connected to the switch. However, money's a
problem (always is with a nonprofit).

If I move the wireless from the switch to the router (which would
mean VLAN's are out - router isn't 802.1Q capable), could I then
accomplish what I want to do? Or is there another way that,
while not the best security-wise, would go most of the way to
solving my problem? If it helps, we're 'way out in the boonies,
so those who come here are by invitation. The big caveat to that
is that a bunch of them are grad students who have down time at
night with their laptops in our "bunk house".

Mike

"Cris Hanna [SBS-MVP]"
<crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:O7s42feqHHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Guest access should not be from "inside" the LAN and on the same
network as your "workers".
Are these "guests" connecting from anywhere other than the main
building?

In my main enterprise job...we have a secure wireless network
for employees, etc. with one SSID; we have a second network/SSID
for Guests.

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OvsNBXeqHHA.4100@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium SP2, SQL, Exchange, ISA 2004, WSUS
3.0, 2 NICs and a router, dynamic IP, DDNS service through
dyndns.org, Symantec Backup Exec 11d, managed switch D-Link DES
3828 (802.1Q capable), 5 Access Points - D-Link DWL-2200AP's
(802.1Q capable), and the internal NIC is also 802.1Q capable.
========================
I'm in over my head so thought it best to ask for advice than
"experiment".

Goal: Using my wireless access points (AP's), provide guests
and visitors internet ONLY access, and employees, temp. workers
LAN access.

Background: Purchased and installed 5 AP's - one hard-wired to
switch and it "talks" with the other 4 in our outer buildings.
Purchased and installed a managed switch as it can do VLAN's.
Created 4 VLAN's - (1) has all ports and used for management,
(2) has only Port 2 (internal NIC), for internet access, (3),
has all ports except Port 5 (which is checked "Forbidden") for
my LAN, and (4) has ports 2 and 5 for the wireless side.
The AP's are capable of using VLAN's and Multiple SSID's (up to
3 of them for Guests). The AP's can be configured for all the
usual security modes.

I have exchanged many emails and phone calls with D-Link's tech
support to learn and set up the switch and VLAN's. I was told
this morning (by their tech support) that, because I have only
a single VLAN for wireless, I need to set a rule in ISA 2004 to
finalize what my goal is.

I admit to being "scared" to set or change rules in ISA without
a good grasp of SPECIFICALLY what I need to do. That's why I
thought I'd ask. I don't know, through my inexperience, how to
mentally frame the problem and then the solution, in terms I
can translate into an ISA rule.

Has someone out there been through this before, and be willing
to lend some advice and lessons-learned?

Many thanks in advance!!
--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization
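
Added example (not part of the thread, and not D-Link or Microsoft code): a small audit of the VLAN port membership listed in the original post, showing which switch ports share a VLAN with the wireless uplink. The 28-port count and the reading of port 2 as the ISA internal NIC and port 5 as the wired AP are assumptions; the post gives no tagging or PVID settings.

```python
# Added example: audit of the VLAN port membership described in the post.
# Assumptions: a 28-port switch, port 2 = ISA internal NIC, port 5 = wired AP.
ALL_PORTS = frozenset(range(1, 29))

VLANS = {
    1: {"name": "management", "ports": set(ALL_PORTS)},   # all ports
    2: {"name": "internet", "ports": {2}},                # internal NIC only
    3: {"name": "lan", "ports": set(ALL_PORTS) - {5}},    # port 5 forbidden
    4: {"name": "wireless", "ports": {2, 5}},             # NIC + AP uplink
}

def exposure(vlans, source_port, gateway_port):
    """Ports other than the gateway that share a VLAN with source_port.

    Membership is treated as worst-case layer-2 reachability; tagging and
    PVID settings, which the post does not give, can only narrow it.
    """
    found = {}
    for vid, vlan in sorted(vlans.items()):
        if source_port in vlan["ports"]:
            others = vlan["ports"] - {source_port, gateway_port}
            if others:
                found[vid] = sorted(others)
    return found

def without_port(vlans, vid, port):
    """Copy of the table with one port removed from one VLAN (a what-if)."""
    copy = {v: {"name": d["name"], "ports": set(d["ports"])}
            for v, d in vlans.items()}
    copy[vid]["ports"].discard(port)
    return copy

def gateway_only_vlans(vlans, source_port, gateway_port):
    """VLANs where the source port's only neighbour is the gateway."""
    return [vid for vid, vlan in sorted(vlans.items())
            if vlan["ports"] == {source_port, gateway_port}]

if __name__ == "__main__":
    as_posted = exposure(VLANS, 5, 2)
    print("as posted:", {v: len(p) for v, p in as_posted.items()})
    what_if = without_port(VLANS, 1, 5)
    print("port 5 out of VLAN 1:", exposure(what_if, 5, 2))
    print("VLANs forcing traffic via port 2:", gateway_only_vlans(what_if, 5, 2))
```

With a single wireless VLAN, guests and employees both arrive at port 2 on the same VLAN, so the switch cannot tell them apart and the separation falls to the ISA rule the post asks about.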