Welcome to ISAserver.org

allowing domain and guest user through a single wireless AP

allowing domain and guest user through a single wireles... - 27.Aug.2008 8:17:58 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
I have a Wireless Access Point that is used by the employees to access domain network resources while in the conference room, (the wireless access point is located in the conference room).
 
This access point is connected to the network like any other device/desktop pc.
 
What I would like to know is: is it possible to configure my network/ISA server/wireless access point to allow guest users as well as my domain users, but not compromise my network security?
 
Many Thanks
 
 
 
Post #: 1
RE: allowing domain and guest user through a single wir... - 27.Aug.2008 5:00:15 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Sure.

Check this great Article by Tom Shinder :

http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html

http://isaserver.org/articles/2004wirelessdmzpart2.html

HTH,
Tarek

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to cjoyce1980)
Post #: 2
RE: allowing domain and guest user through a single wir... - 28.Aug.2008 2:51:01 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
I'm not sure if that's going to work for me as my setup is like so:
 
Internet
    |
Firewall
    |
Switch
    |
Desktops/Servers/Wireless AP/Other Devices
 
Would I physically need to place the Wireless access point in front of my firewall?

(in reply to elmajdal)
Post #: 3
RE: allowing domain and guest user through a single wir... - 28.Aug.2008 11:13:14 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
No.

You would have to replace the WAP with a wireless "router".  The router's external interface would be on the LAN while its internal side would have to use a different IP subnet.  Then treat the "router" as a SecureNAT Client and give it what access you desire.  Keep the router unplugged and in a locked cabinet when not using it so that employees to try to use it to get around any internet restriction you have placed on them.   Your LAN would still have limited exposure to the Guests,...but the Guest would be protected from your LAN,..so that is kind of backwards.

The best approach would be to have more than one Public IP# and have the wall jack and cable from that room go out to the Public side,...then assign the Public IP# to the wireless "router" and let the guest use it that way.  Now they would be totally separated from the LAN. But this may require a commercial internet connection with commercial equipment rather than a "home user" line (DSL, CableTV).   You would still keep the device powered off and locked in a cabinet when not in use for the same reasons as above.

_____________________________

Phillip Windell

(in reply to cjoyce1980)
Post #: 4
RE: allowing domain and guest user through a single wir... - 28.Aug.2008 6:42:08 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

is it possible to configure my network/isa server/wireless access point to allow guest users as well as my domain user, but not compromise my network security


quote:

Would I physically need to place the Wireless access point in front of my firewall?


Who said anything about installing in front of your Firewall?

This is the suggested diagram by the article:


Internet ----------------------ISA-------------LAN
                                                |
                                          Wireless AP

It's all about installing a 3rd NIC on your ISA Server so that your guest  
quote:

not compromise my network security


Do you want guest users to ping your Domain Controllers? Or infect your LAN with viruses and worms?

The best thing is to keep them on a separated Network.

You can put the Wireless AP inside your LAN, but you are worried about security issues, right? Then it's best recommended to follow the article.



_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to cjoyce1980)
Post #: 5
RE: allowing domain and guest user through a single wir... - 28.Aug.2008 6:50:31 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: elmajdal

quote:

is it possible to configure my network/isa server/wireless access point to allow guest users as well as my domain user, but not compromise my network security


quote:

Would I physically need to place the Wireless access point in front of my firewall?


Who said anything about installing in front of your Firewall?

This is the suggested diagram by the article:


Internet ----------------------ISA-------------LAN
                                               |
                                         Wireless AP

It's all about installing a 3rd NIC on your ISA Server so that your guest  
quote:

not compromise my network security


Do you want guest users to ping your Domain Controllers? Or infect your LAN with viruses and worms?

The best thing is to keep them on a separated Network.

You can put the Wireless AP inside your LAN, but you are worried about security issues, right? Then it's best recommended to follow the article.




Yep, put a guest wireless AP in an ISA protected (perimeter) network.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to elmajdal)
Post #: 6
RE: allowing domain and guest user through a single wir... - 29.Aug.2008 6:44:48 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Cheers guys, thanks for your responses.... they were all very helpful.
 
My DMZ is working fine, non-domain users can access the internet and do their thing, which is great :)
 
My domain users can use the internet and get their emails, but my users would also require file server (SAN) access.  Without me making them plug into a wall socket, how may I go about achieving this?
 
Many Thanks

(in reply to cjoyce1980)
Post #: 7
RE: allowing domain and guest user through a single wir... - 30.Aug.2008 4:52:28 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Chris,
A solution to that is to enable the VPN server on ISA, so that domain users first create a VPN connection, and then securely access internal resources.
In this way you keep things separated, the downside is that you have to deal with the hassle of the VPN connections to secure the wireless DMZ.

Another solution, more elegant, is to put back on the Internal Network that WAP, secure/encrypt the wireless connections, so that only domain authenticated users can use that WAP without the worry that someone may "read" their wireless traffic.
Then buy a cheap WAP and put it in that wireless DMZ.
In this way you have a proper wireless infrastructure for your domain users, so they can do their work, while the guest users can access their favourite viruses from the wireless DMZ.
Regards!

(in reply to cjoyce1980)
Post #: 8
RE: allowing domain and guest user through a single wir... - 1.Sep.2008 5:05:56 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Many Thanks justmee,
 
I've had a play over the weekend, and trying to create an Access Rule to allow my users VPN access through the DMZ into the Network (a second WAP is not an option after I shelled out on a Cisco WAP).
 
What traffic (Protocols) should I be allowing to connect to the VPN Server?
 
Thanks again

(in reply to justmee)
Post #: 9
RE: allowing domain and guest user through a single wir... - 1.Sep.2008 5:11:26 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Sorry, I found them.  I couldn't see them at first, (wasn't looking properly!)
 
So now I'm letting my Domain users connect through the DMZ (over L2TP Client) via VPN in order to access their network resources.
 
All sorted....
 
Many Thanks to all that helped.

(in reply to cjoyce1980)
Post #: 10
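
Added example, not part of any post in this thread and not ISA Server configuration: a simplified first-match model of the design the thread ends on (wireless AP on its own firewall-protected network, guests to the Internet only, domain users into the LAN over VPN), with a check that no rule lets the wireless network reach the LAN directly. The network names, rule names and port sets are assumptions constructed for illustration.

```python
# Added example: simplified first-match policy model of the wireless DMZ design.
# Network names, rule names and ports are constructed assumptions, not ISA config.
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # source network
    dst: str           # destination network
    ports: frozenset   # e.g. {"udp/500"} or {ANY}

# Constructed rule base, evaluated top-down; the first matching rule wins.
RULES = [
    # IKE and IPsec NAT-T so domain users can bring up L2TP/IPsec to the firewall
    Rule("Wireless to VPN server", "allow", "WirelessDMZ", "LocalHost",
         frozenset({"udp/500", "udp/4500"})),
    Rule("Block wireless to LAN", "deny", "WirelessDMZ", "Internal", frozenset({ANY})),
    Rule("Wireless web access", "allow", "WirelessDMZ", "External",
         frozenset({"tcp/80", "tcp/443", "udp/53"})),
    Rule("VPN clients to LAN", "allow", "VPNClients", "Internal", frozenset({ANY})),
]

def decide(rules, src, dst, port):
    """Return (action, rule name) for one flow; unmatched traffic is denied."""
    for r in rules:
        if (r.src in (src, ANY) and r.dst in (dst, ANY)
                and (ANY in r.ports or port in r.ports)):
            return r.action, r.name
    return "deny", "default deny"

def isolation_violations(rules, guest_net, protected_net, ports):
    """List (port, rule name) for each probed port the guest net can reach."""
    hits = []
    for p in ports:
        action, name = decide(rules, guest_net, protected_net, p)
        if action == "allow":
            hits.append((p, name))
    return hits

# Constructed probe set: file sharing, RDP, LDAP, DNS, HTTP
PROBE = ["tcp/445", "tcp/3389", "tcp/389", "udp/53", "tcp/80"]

if __name__ == "__main__":
    print(isolation_violations(RULES, "WirelessDMZ", "Internal", PROBE))
    # A broad "temporary" allow placed above the deny silently breaks isolation.
    bad = [Rule("Temp allow all", "allow", "WirelessDMZ", ANY, frozenset({ANY}))] + RULES
    print(isolation_violations(bad, "WirelessDMZ", "Internal", PROBE))
```

Running the same check after every rule change catches a broad allow that has been placed above the deny.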
