Re: ISA 2004 - How to allow Guest and Client access from wireless



Hi Mike:

Too bad you can't get to use some of that T1 line that runs the web cam.
They would not miss part of it, and you would benefit greatly.

Care to share that ip with us?

Larry Struckmeyer

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:u97GVLhqHHA.4268@xxxxxxxxxxxxxxxxxxxxxxx
Not bad, really. I live 35 miles away in a nice, small college town. The
peace and quiet here are great for working; it's just the darn internet
access and now wireless that are a pain in the rear.

"Cris Hanna [SBS-MVP]" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:u7Hi%23EhqHHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
Way too far out in the boonies for me ;-)

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:uz2XB6gqHHA.4104@xxxxxxxxxxxxxxxxxxxxxxx
Naw, we use a satellite dish for TV.

"Cris Hanna [SBS-MVP]"
<crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23UUtorgqHHA.4280@xxxxxxxxxxxxxxxxxxxxxxx
Mike
You don't get cable TV into the bunk house?

Satellite would be about as expensive to do hardware-wise as a second set
of antennas/APs for the "guest" wireless

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:efoaXbgqHHA.192@xxxxxxxxxxxxxxxxxxxxxxx
No I wasn't suggesting that it would handle 2 separate signals and
doubt that is possible either. I was assuming it would be dedicated at
the bunkhouse only for external internet connectivity with no need for
the internal. If that's not what you want to do then yes you probably
need a 2nd AP & antenna at the bunkhouse. I don't really have
experience with complicated wireless configurations so just trying to
suggest something that might work.

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OFxBBJgqHHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Interesting idea....I didn't know an AP could handle signals from 2
other APs simultaneously. (I'm a relative newbie to wireless, too).
How'd that work?

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:eCzl8DgqHHA.532@xxxxxxxxxxxxxxxxxxxxxxx
Hire some gophers/moles to help with the trench?

Couldn't you use the existing AP/antenna at the bunkhouse and only
need 1 more set at the main building?

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:uNN8o4fqHHA.3484@xxxxxxxxxxxxxxxxxxxxxxx
I'd thought about the trench idea, but not real practical for us -
lotta asphalt and it's just me to do the digging (I'd probably dig
into some buried cable).

Not a bad idea on buying another set of APs and antennas, but
that's another $500 or so. Bad enough that it seems I bought a new
switch for VLANs (about $900) that now won't solve my problem. I
know it's relatively just pocket-change, but I fight for every
dollar for the IT stuff we need. I really don't know if I can
squeeze any more out of our general funds.

And you're right, I mis-spoke -- it is a WAN port, so I have 3
empty ports available.

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:uWOqyufqHHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
Ah-dig a trench to the bunkhouse and drop in a CAT 5 cable (max
length is ~ 300 ft.). Oops probably not too practical but would
sure solve your problem!

How about another dedicated AP with directional antenna to the
bunkhouse AP? That could plug into another port on the router.
With SBS and external NIC you can actually have a DHCP service
turned on a router that causes no interference with the SBS DHCP
server.

One clarification-I'd think the satellite cable connection to the
router would be to some "WAN" port rather than internal?

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:usKKQSfqHHA.4548@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for coming aboard.

The bunkhouse has a directional antenna pointed at the main
building, so it's at the far end -- about 250-ft to the
omni-directional antenna on our roof.

The router has 4 "internal" ports; one is taken up by the cable
to/from the satellite modem and one to the external NIC.

I use SBS's DHCP, not the router - although it is capable.

Cell phones work fine, but not for data at our location. There
are towers in the area, but clear LOS is blocked by lines of
trees along the creeks and fencelines.

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:OviyJFfqHHA.4324@xxxxxxxxxxxxxxxxxxxxxxx
How far is the bunkhouse from the location of the satellite
connection to the router? How many "internal" ports does the
router have? Does it provide DHCP service for its "internal
side"? I'm trying to see if there is some alternative config
that will work for you and abide by Cris' well justified keep
the guests on the "outside" of the network. Do you have cellular
service with data capability from any provider out there in your
"boonies?"

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23zG4MveqHHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
Landline won't work. We're 1.5 miles from the main road and
another mile or so to a place we can tap into. We've got
someone who ran a T1 out here for a wildlife webcam - costs
them $2100/mo (ouch!). Our only solution is satellite as we're
not in the range or line-of-sight for wireless ISP.

"Cris Hanna [SBS-MVP]"
<crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:ucLZYqeqHHA.3372@xxxxxxxxxxxxxxxxxxxxxxx
Mike
If you move it to the router then you will lose connectivity
to the lan for the true workers

Just curious...what about a separate residential DSL or Cable
going to the bunk house with a DLink wireless router there for
the "guest" access.

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:urF$yneqHHA.500@xxxxxxxxxxxxxxxxxxxxxxx
I'm getting the strong impression that the "only" way to
achieve my goal is to have 2 wireless networks - one
connected to the router and one as-is connected to the
switch. However, money's a problem (always is with a
nonprofit).

If I move the wireless from the switch to the router (which
would mean VLAN's are out - router isn't 802.1Q capable),
could I then accomplish what I want to do? Or is there
another way that, while not the best security-wise, would go
most of the way to solving my problem? If it helps, we're
'way out in the boonies, so those who come here are by
invitation. The big caveat to that is that a bunch of them
are grad students who have down time at night with their
laptops in our "bunk house".

Mike

"Cris Hanna [SBS-MVP]"
<crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:O7s42feqHHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Guest access should not be from "inside" the LAN and on the
same network as your "workers".
Are these "guests" connecting from anywhere other than the
main building?

In my main enterprise job...we have a secure wireless
network for employees, etc. with one SSID; we have a second
network/SSID for Guests

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OvsNBXeqHHA.4100@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium SP2, SQL, Exchange, ISA 2004, WSUS
3.0, 2 NICs and a router, dynamic IP, DDNS service through
dyndns.org, Symantec Backup Exec 11d, managed switch D-Link
DES 3828 (802.1Q capable), 5 Access Points - D-Link
DWL-2200AP's (802.1Q capable), and the internal NIC is also
802.1Q capable.
========================
I'm in over my head so thought it best to ask for advice
than "experiment".

Goal: Using my wireless access points (AP's), provide
guests and visitors internet ONLY access, and employees,
temp. workers LAN access.

Background: Purchased and installed 5 AP's - one hard-wired
to switch and it "talks" with the other 4 in our outer
buildings. Purchased and installed a managed switch as it
can do VLAN's. Created 4 VLAN's - (1) has all ports and
used for management, (2) has only Port 2 (internal NIC),
for internet access, (3), has all ports except Port 5
(which is checked "Forbidden") for my LAN, and (4) has
ports 2 and 5 for the wireless side.
The AP's are capable of using VLAN's and Multiple SSID's
(up to 3 of them for Guests). The AP's can be configured
for all the usual security modes.

I have exchanged many emails and phone calls with D-Link's
tech support to learn and set up the switch and VLAN's. I
was told this morning (by their tech support) that, because
I have only a single VLAN for wireless, I need to set a
rule in ISA 2004 to finalize what my goal is.

I admit to being "scared" to set or change rules in ISA
without a good grasp of SPECIFICALLY what I need to do.
That's why I thought I'd ask. I don't know, through my
inexperience, how to mentally frame the problem and then
the solution, in terms I can translate into an ISA rule.

Has someone out there been through this before, and would be
willing to lend some advice and lessons-learned?

Many thanks in advance!!
--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization
































