allowing domain and guest user through a single wireless AP
allowing domain and guest user through a single wireles... - 27.Aug.2008 8:17:58 AM
cjoyce1980
Posts: 35
Joined: 25.Apr.2008

I have a Wireless Access Point that is used by the employees to access domain network resources while in the conference room (the wireless access point is located in the conference room). This access point is connected to the network like any other device/desktop PC. What I would like to know is: is it possible to configure my network/ISA server/wireless access point to allow guest users as well as my domain users, but not compromise my network security?

Many Thanks

RE: allowing domain and guest user through a single wir... - 28.Aug.2008 2:51:01 AM
cjoyce1980
Posts: 35
Joined: 25.Apr.2008

I'm not sure if that's going to work for me, as my setup is like so:

Internet
|
Firewall
|
Switch
|
Desktops/Servers/Wireless AP/Other Devices

Would I physically need to place the Wireless access point in front of my firewall?

RE: allowing domain and guest user through a single wir... - 28.Aug.2008 11:13:14 AM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL

No. You would have to replace the WAP with a wireless "router". The router's external interface would be on the LAN while its internal side would have to use a different IP subnet. Then treat the "router" as a SecureNAT Client and give it what access you desire. Keep the router unplugged and in a locked cabinet when not using it so that employees don't try to use it to get around any internet restriction you have placed on them. Your LAN would still have limited exposure to the Guests,...but the Guest would be protected from your LAN,..so that is kind of backwards.

The best approach would be to have more than one Public IP# and have the wall jack and cable from that room go out to the Public side,...then assign the Public IP# to the wireless "router" and let the guest use it that way. Now they would be totally separated from the LAN. But this may require a commercial internet connection with commercial equipment rather than a "home user" line (DSL, CableTV). You would still keep the device powered off and locked in a cabinet when not in use for the same reasons as above.
_____________________________
Phillip Windell www.wandtv.com

RE: allowing domain and guest user through a single wir... - 28.Aug.2008 6:42:08 PM
elmajdal
Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait

quote:
is it possible to configure my network/isa server/wireless access point to allow guest users as well as my domain users, but not compromise my network security

quote:
Would I physically need to place the Wireless access point in front of my firewall?

Who said anything about installing it in front of your firewall? This is the diagram suggested by the article:

Internet ----------------------ISA-------------LAN
                                |
                           Wireless AP

It's all about installing a 3rd NIC on your ISA Server so that your guest

quote:
not compromise my network security

Do you want guest users to ping your Domain Controllers, or infect your LAN with viruses and worms? The best thing is to keep them on a separated network.

You can put the Wireless AP inside your LAN, but you are worried about security issues, right? Then it's best recommended to follow the article.
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: allowing domain and guest user through a single wir... - 28.Aug.2008 6:50:31 PM
Jason Jones
Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom

quote:
ORIGINAL: elmajdal

quote:
is it possible to configure my network/isa server/wireless access point to allow guest users as well as my domain users, but not compromise my network security

quote:
Would I physically need to place the Wireless access point in front of my firewall?

Who said anything about installing it in front of your firewall? This is the diagram suggested by the article:

Internet ----------------------ISA-------------LAN
                                |
                           Wireless AP

It's all about installing a 3rd NIC on your ISA Server so that your guest

quote:
not compromise my network security

Do you want guest users to ping your Domain Controllers, or infect your LAN with viruses and worms? The best thing is to keep them on a separated network.

You can put the Wireless AP inside your LAN, but you are worried about security issues, right? Then it's best recommended to follow the article.

Yep, put a guest wireless AP in an ISA protected (perimeter) network.
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: allowing domain and guest user through a single wir... - 29.Aug.2008 6:44:48 AM
cjoyce1980
Posts: 35
Joined: 25.Apr.2008

Cheers guys, thanks for your responses.... they were all very helpful.

My DMZ is working fine, non-domain users can access the internet and do their thing, which is great :)

My domain users can use the internet and get their emails, but my users would also require file server (SAN) access. Without me making them plug into a wall socket, how may I go about achieving this?

Many Thanks

RE: allowing domain and guest user through a single wir... - 30.Aug.2008 4:52:28 AM
justmee
Posts: 505
Joined: 14.May2007

Hi Chris,

A solution to that is to enable the VPN server on ISA, so that domain users first create a VPN connection, and then securely access internal resources. In this way you keep things separated; the downside is that you have to deal with the hassle of the VPN connections to secure the wireless DMZ.

Another solution, more elegant, is to put that WAP back on the Internal Network and secure/encrypt the wireless connections, so that only domain authenticated users can use that WAP without the worry that someone may "read" their wireless traffic. Then buy a cheap WAP and put it in that wireless DMZ. In this way you have a proper wireless infrastructure for your domain users, so they can do their work, while the guest users can access their favourite viruses from the wireless DMZ.

Regards!

RE: allowing domain and guest user through a single wir... - 1.Sep.2008 5:05:56 AM
cjoyce1980
Posts: 35
Joined: 25.Apr.2008

Many Thanks justmee,

I've had a play over the weekend, and trying to create an Access Rule to allow my users VPN access through the DMZ into the Network (a second WAP is not an option after I shelled out on a Cisco WAP).

What traffic (Protocols) should I be allowing to connect to the VPN Server?

Thanks again

RE: allowing domain and guest user through a single wir... - 1.Sep.2008 5:11:26 AM
cjoyce1980
Posts: 35
Joined: 25.Apr.2008

Sorry, I found them. I couldn't see them at first (wasn't looking properly!).

So now I'm letting my Domain users connect through the DMZ (over L2TP Client) via VPN in order to access their network resources.

All sorted.... Many Thanks to all that helped.
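
The two layouts discussed in this thread, as an added example that is not part of any post and is not ISA Server configuration syntax: a small Python model that checks which flows a guest or a domain laptop can make when the AP sits on the LAN versus on a third firewall NIC with VPN access. All addresses, zone names and the rule list are constructed assumptions; UDP 500, UDP 4500 and ESP are the standard protocols an L2TP/IPsec client needs to reach its VPN server.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; none of these values come from the thread.
NETS = {
    "Internal": ip_network("10.0.0.0/24"),
    "WirelessDMZ": ip_network("192.168.50.0/24"),
    "VPNClients": ip_network("10.0.99.0/24"),
}
ISA_DMZ_IP = ip_address("192.168.50.1")  # firewall's own address on its third NIC

def zone(addr):
    """Map an address to the network the firewall would consider it part of."""
    a = ip_address(addr)
    if a == ISA_DMZ_IP:
        return "LocalHost"
    for name, net in NETS.items():
        if a in net:
            return name
    return "External"

# (source zone, destination zone, allowed services). Unmatched traffic is denied.
THREE_LEG_RULES = [
    ("WirelessDMZ", "External", {"tcp/80", "tcp/443", "udp/53"}),  # guest web access
    ("WirelessDMZ", "LocalHost", {"udp/500", "udp/4500", "esp"}),  # L2TP/IPsec to VPN server
    ("VPNClients", "Internal", {"tcp/445", "tcp/88", "udp/53"}),   # file shares, Kerberos, DNS
]

def allowed(src, dst, service, rules=THREE_LEG_RULES):
    """True if src can reach dst on service."""
    s, d = zone(src), zone(dst)
    if s == d:
        # Same segment: the switch delivers it and no firewall rule is consulted.
        return True
    return any(s == rs and d == rd and service in svcs for rs, rd, svcs in rules)

if __name__ == "__main__":
    checks = [
        ("guest on AP plugged into LAN -> DC", "10.0.0.150", "10.0.0.10", "tcp/445"),
        ("guest on DMZ AP -> DC", "192.168.50.20", "10.0.0.10", "tcp/445"),
        ("guest on DMZ AP -> ping DC", "192.168.50.20", "10.0.0.10", "icmp"),
        ("guest on DMZ AP -> internet", "192.168.50.20", "203.0.113.5", "tcp/443"),
        ("domain laptop on DMZ -> VPN server", "192.168.50.21", "192.168.50.1", "udp/500"),
        ("domain laptop via VPN -> file server", "10.0.99.7", "10.0.0.20", "tcp/445"),
    ]
    for label, src, dst, svc in checks:
        print(f"{label:40} {'ALLOW' if allowed(src, dst, svc) else 'DENY'}")
```

The first check is the reason an AP plugged into the LAN switch cannot be fixed with firewall rules alone: guest and domain controller share a segment, so the traffic never reaches the firewall.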