[CROSS_POST] Setting up a Wireless DMZ

Discussion in 'Windows Small Business Server' started by Mike Webb, Mar 27, 2007.

  1. Mike Webb


    [CROSS-POST from microsoft.public.isaserver]
    Running SBS 2003 Premium, Exchange, ISA, SQL, WSUS, 2 NICs and a router,
    dynamic IP, DDNS service from dyndns.org.
    ======================
    I need to set up a DMZ so that short- and long-term visitors living in our
    "bunk house" can access the internet in their free time. I found a 2-part
    article by Tom Shinder on www.isaserver.org on how to do this. However, I've
    read a couple threads on their message boards that the steps he outlines
    need tweaking. Any comments on that?

    Now for my question. First, background: I have 4 WAPs (D-Link DWL-2200APs);
    the primary WAP is cabled into my unmanaged D-Link switch. All IPs come
    from my server's DHCP server. After discussion with my local IT and IT
    services provider, I am buying a 3rd NIC, another WAP, an omni-directional
    ceiling wireless antenna, and a managed switch (D-Link DES-3828). I plan to
    use the old unmanaged switch to connect to the WAP which I'll place in the
    "attic" of the "bunk house" and install the ceiling antenna for optimum
    signal throughout the building (the attic is mostly metal instead of wood,
    as is the roof). My questions: (1) I have a WAP already in the attic;
    should I connect the old switch to it, or get a longer cable and hook
    directly up to the external directional antenna? (2) I'm assuming the
    original WAP - if kept - should be in the DMZ, too - right? (3) We have two
    houses for long-term graduate students who need access to the LAN; "bunk
    house" does not. Based on all the above, will the steps in Tom Shinder's
    articles work? If not, what must I change? (Here's the link to those
    articles: http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html and
    http://isaserver.org/articles/2004wirelessdmzpart2.html)
     
    Mike Webb, Mar 27, 2007
    #1

  2. I'd normally do it

    internet
    |
    |
    NAT router + WAP
    |
    |
    SBS (ISA optional)
    |
    |
    Internal network

    with the visitors connecting outside the SBS network. They get full
    unfettered internet, security controlled by the WAP.
     
    SuperGumby [SBS MVP], Mar 27, 2007
    #2

  3. BTW, it appears you have not crossposted but multiposted your item.
    Crossposted items go to several groups in one post; this allows tracking the
    item between all posted groups, good thing. Multiposting means no threading
    between groups, bad thing.
     
    SuperGumby [SBS MVP], Mar 27, 2007
    #3
  4. Mike Webb


    Good to know, thanks.
     
    Mike Webb, Mar 27, 2007
    #4
  5. Mike Webb


    Looks good, but I have an additional 'fly in the ointment.' I have a single
    omni antenna with the primary WAP to connect wireless users to the LAN; and
    I want to have those in the 'bunk house' only have internet access - none to
    the LAN.

     
    Mike Webb, Mar 27, 2007
    #5
  6. I have not used the DWL-2200AP, but based on a (very quick) review of it
    at the D-Link web site, it looks like a fairly vanilla WAP. I say this
    because there are wireless routers (and perhaps WAPs) which provide
    built-in "guest access" capabilities.

    Since the DWL-2200AP does not appear to support that, you should follow
    the plan provided by SuperGumby.

    [1] You assign one or more WAPs an SSID which will be used for the LAN
    and connect it/them to the LAN switch. This SSID should be secured -
    either WPA Personal or (preferably) WPA Enterprise - which restricts
    access to computers / users with the proper credentials.

    [2] You assign your "public" or "guest" WAP(s) a different SSID and
    connect it/them to a LAN jack on the router between your Internet
    connection device and the SBS - *not* to the SBS LAN. (In other words,
    this WAP is "outside" the SBS network.) This SSID is either unsecured
    or uses WPA Personal. If the latter, you should change the WPA password
    from time to time.

    Whether the two SSIDs can share an antenna, I'm not sure. I've always
    used separate antennas.

    Some sample network diagrams - and details for setting up the secure
    access for #1, above - are available here:

    http://home.comcast.net/~clearviewtc

    -- Owen Williams (SBS MVP)
     
    Owen Williams [SBS MVP], Mar 28, 2007
    #6
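
The placement rules from the replies above, written as a small audit of an access point plan. This is an added example, not part of the original thread or any poster's configuration; the subnets, AP names, SSIDs and segment labels are constructed, and the address and subnet-overlap checks are added assumptions that go beyond what the replies state.

```python
import ipaddress

# Constructed address plan (assumed values, not from the thread).
SEGMENTS = {
    "router_lan": ipaddress.ip_network("192.168.1.0/24"),  # NAT router <-> SBS external NIC
    "sbs_lan": ipaddress.ip_network("192.168.16.0/24"),    # internal network behind SBS/ISA
}
ALLOWED_SECURITY = {
    "lan": {"WPA Personal", "WPA Enterprise"},  # LAN SSID must require credentials
    "guest": {"open", "WPA Personal"},          # guest SSID may be unsecured
}
REQUIRED_SEGMENT = {"lan": "sbs_lan", "guest": "router_lan"}


def audit(aps, segments=SEGMENTS):
    """Return findings for AP dicts with keys:
    name, role ('lan' or 'guest'), ssid, security, segment, ip."""
    findings = []
    # Added check: SBS can only separate the two sides if the subnets differ.
    if segments["router_lan"].overlaps(segments["sbs_lan"]):
        findings.append("router_lan and sbs_lan subnets overlap")
    for ap in aps:
        role, name = ap["role"], ap["name"]
        if ap["segment"] != REQUIRED_SEGMENT[role]:
            findings.append(f"{name}: {role} AP cabled to {ap['segment']}")
        if ap["security"] not in ALLOWED_SECURITY[role]:
            findings.append(f"{name}: {ap['security']} not allowed for {role} SSID")
        # Added check: an AP moved to a new jack but still holding an old address.
        if ipaddress.ip_address(ap["ip"]) not in segments[ap["segment"]]:
            findings.append(f"{name}: address {ap['ip']} is outside {ap['segment']}")
    lan_ssids = {ap["ssid"] for ap in aps if ap["role"] == "lan"}
    for ap in aps:
        if ap["role"] == "guest" and ap["ssid"] in lan_ssids:
            findings.append(f"{ap['name']}: guest SSID {ap['ssid']} reuses a LAN SSID")
    return findings


# Constructed sample: the bunk-house AP is still cabled to the LAN switch.
BEFORE = [
    {"name": "primary", "role": "lan", "ssid": "office", "security": "WPA Enterprise",
     "segment": "sbs_lan", "ip": "192.168.16.10"},
    {"name": "bunkhouse", "role": "guest", "ssid": "office", "security": "open",
     "segment": "sbs_lan", "ip": "192.168.16.11"},
]
# Same AP moved to a LAN jack on the router, with its own SSID and address.
AFTER = [BEFORE[0], dict(BEFORE[1], ssid="guest", segment="router_lan", ip="192.168.1.20")]

if __name__ == "__main__":
    for label, plan in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(plan) or "no findings")
```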