possible to add a dsl line to our lan for browsing?

Discussion in 'Server Networking' started by Guest, Jan 4, 2006.

  1. Guest

    Guest Guest

    I am in a corporate environment with buildings all over the city. We have
    lousy internet speed. The IT dept says that the entire city shares the same
    switch and T1 line at a single location. They have also said that they are
    not going to do anything about the speed issue.

    My boss says that if I can find a way to use a DSL (or even a T1) line
    for our plant's internet access, he will buy whatever I need to make it
    happen and will also take the complaints from IT. We would still have
    to have access to the city's LAN but for web browsing we would use the DSL
    line.

    I can envision this being possible but at this point I'm not smart
    enough to figure it out. We will have no IT support (and they will be ticked
    off if I screw it up) but I have the boss's full support (in writing no
    less) to try.

    I imagine that I would need another router between our lan and the
    corporate router. Configuration from that point would be interesting. How do
    I direct intranet and shared folder requests to the city's Lan while all
    other browser requests to the DSL line?

    Can anyone get me started on requirements for this ? Caveats?
    Thank you in advance
     
    Guest, Jan 4, 2006
    #1

  2. Guest

    Neteng Guest

    I doubt you have control over the DHCP server(s), so I would say no. If
    enough of you complain, especially management types, the IT dept will do
    something about it. It's probably low on their list and the management team
    needs to move it up (if it really is a business issue and not just people
    complaining that surf speeds are slow).
     
    Neteng, Jan 4, 2006
    #2

  3. The two basic options are:

    1. A proxy server such as ISA running on a Windows server or a hardware
    proxy device with a DSL line. Note that if you also need to access internal
    web servers on the city LAN, you will need to be able to configure
    rules/exceptions to reach them.

    2. You could use simple routing: Connect a DSL router to a LAN port on
    your existing network; give it a compatible non-conflicting IP; and
    configure your local machines to use this IP as a default gateway. However,
    if the city LAN comprises multiple subnets which you need to reach, you must
    configure static routes to all of them on the DSL router - routes would
    point to your old LAN gateway. If your DSL router did not support multiple
    static routes, you could configure the routes on individual machines.
    Whether or not the static route issue is significant requires more
    information about the city LAN and your specific needs.

    Doug Sherman
    MCSE, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Jan 4, 2006
    #3
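
An added example, not part of the original posts: the routing decision behind option 2, modelled as a longest-prefix match over the route table the DSL router would hold. All addresses and subnets are constructed placeholders; the last function shows where city-LAN traffic goes if the static routes are left out.

```javascript
// Added illustration. Every address below is a constructed placeholder.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function parseCidr(cidr) {
  const [network, lenText] = cidr.split("/");
  const len = Number(lenText);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { network: (ipToInt(network) & mask) >>> 0, mask, len };
}

// Route table on the DSL router: the plant LAN is directly attached, the
// city subnets are static routes back to the old LAN gateway, and the
// default route leaves through the DSL line.
const DSL_ROUTER_ROUTES = [
  { dest: "192.168.10.0/24", via: "on-link" },
  { dest: "10.20.0.0/16", via: "192.168.10.1" },
  { dest: "10.30.5.0/24", via: "192.168.10.1" },
  { dest: "0.0.0.0/0", via: "dsl-wan" },
];

// The most specific (longest) matching prefix wins.
function nextHop(destIp, routes = DSL_ROUTER_ROUTES) {
  const ip = ipToInt(destIp);
  let best = null;
  for (const route of routes) {
    const { network, mask, len } = parseCidr(route.dest);
    if (((ip & mask) >>> 0) === network && (best === null || len > best.len)) {
      best = { via: route.via, len };
    }
  }
  return best ? best.via : null;
}

// Same router with the static routes missing: traffic meant for the city
// LAN matches only the default route and is sent out to the Internet.
function nextHopWithoutStatics(destIp) {
  const routes = DSL_ROUTER_ROUTES.filter((r) => r.via !== "192.168.10.1");
  return nextHop(destIp, routes);
}
```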
  4. Hi, guys...

    That is what I would suggest too,..except I would leave the existing LAN
    router as the Default Gateway (requires no changes to Hosts, DHCP Scopes,
    etc), then change the Default Gateway of the LAN Router to be the DSL
    Device. If routing protocols are in use it will already know about the
    other LAN segments and have routes to them,...if not then give it the
    required static routes.

    This way only one device is ever touched (the existing LAN Router) and it
    prevents the LAN's Routing System from becoming dependent on a DSL Device
    of which most are "home user" quality. Besides that, with multi-segment
    LANS, I am always against making the "Internet Sharing Device" (whatever
    that may be) from being the lynch-pin of the LAN's Routing ability. I like
    to keep the LAN's routing ability independent of anything associated with the
    Internet.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
    http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Deployment Guidelines for ISA Server 2004 Enterprise Edition
    http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
    -----------------------------------------------------
     
    Phillip Windell, Jan 4, 2006
    #4
  5. Phill's idea is indeed better - I was kind of assuming that you didn't have
    access to the corporate router.

    Doug Sherman
    MCSE, MCSA, MCP+I, MVP

     
    Doug Sherman [MVP], Jan 4, 2006
    #5
  6. Configuring it may not be for the timid either. It will have to be up to
    them to decide which way to go,...I just thought I'd toss in the idea.
     
    Phillip Windell, Jan 4, 2006
    #6
  7. Guest

    Vanguard Guest


    Did you or your boss actually read the terms of service for the contract
    between you and them? The "city's LAN" may not permit you to subvert
    security of their network by installing "backdoors" that allow viruses and
    other malware to get into the network at points within the network that are
    after any protections they have implemented in their LAN. It is *their* LAN
    to which you *subscribe*. I'm sure there would be no problem if you
    disconnect from their LAN and use your own.
     
    Vanguard, Jan 4, 2006
    #7
  8. Guest

    Guest Guest

    Thanks folks,
    You are correct in that I wouldn't have access to the lan router. It
    would probably be possible to get IT to make a config change but we would
    rather just do it ourselves. I imagine that they will have a fit once they
    find out anyway but something has to change. This might be the catalyst.
    I didn't consider the DHCP aspect, but we could static all the machines
    we have easily enough. I prefer that anyway so I can sniff out problems
    without chasing mac addresses.
    I'm not familiar with static routes. I have seen the entry for them but
    never had a need, can you give me a cliff notes version of how to use them?
    We also use Exchange server and domain logons that would have to be
    validated through the central server. How much does that complicate things?
    Perhaps a proxy (ISA) is the answer for browsing?



     
    Guest, Jan 4, 2006
    #8
  9. The way you configure static routes on a router, as distinguished from a
    Windows computer, is product specific. As an example, a low end router such
    as Linksys BEFSR11 claims to support 20 static routes and the manual
    explains how to configure them;

    http://www.linksys.com/servlet/Satellite?childpagename=US/Layout&packedargs=c%3DL_Product_C2%26cid%3D1115416832017&pagename=Linksys%2FCommon%2FVisitorWrapper

    The first thing you need to do is determine whether this is a significant
    issue - how many subnets are on this network and how many do you really need
    to access. Possibly you could use dynamic routing, but this is probably not
    a good idea in this scenario.

    Doug Sherman
    MCSE, MCSA, MCP+I, MVP

     
    Doug Sherman [MVP], Jan 4, 2006
    #9
  10. Guest

    Asher_N Guest

    Talk to your IT folks. In most orgs, and yours sounds like a large one,
    somebody installing a rogue device, ESPECIALLY a router to the internet,
    you could find yourself unemployed so fast you'll have no idea what hit
    you. Think about it, would you install a new door in your company's
    building?

     
    Asher_N, Jan 5, 2006
    #10
  11. Guest

    Guest Guest

    I really do understand that issue and will deal with it once I have a
    solution to the real problem. Which in this case is a crippling lack of
    available bandwidth. IT is aware of it and has even switched their own pipe
    to another T1 so they can function but they won't do that for anyone else.
    It's so bad that for our plant, windows update doesn't work properly because
    it times out, email calls go out occasionally asking everyone to conserve
    usage whenever anyone is doing a presentation that requires bandwidth. It's
    just silly and my boss wants me to fix it.
    Using DSL will be a cost effective solution and once I demonstrate a
    viable solution (short of running fiber 20 miles to the noc) IT will come
    around. I have the support of my Boss and his. I know this can be secured
    better than they currently provide so I'm not too worried about that end.
    I'm just looking for the best way to do it. Something that IT will appreciate
    and understand, even if they didn't think of it themselves.

     
    Guest, Jan 5, 2006
    #11
  12. Guest

    Asher_N Guest

    Have your boss take it up with management. From the perspective of IT,
    NO, they will not appreciate. At best, work with them. Introducing a new
    connection to the internet behind their back will only piss them off and
    put your job in jeopardy. There are other issues that you are not aware
    of with regards to bandwidth. One of which is cost. DSL may be cheap, but
    it's not reliable. You can be assured that if given the budget, your IT
    folks would be more than happy to increase bandwidth.

    Deal with the issue BEFORE you implement a solution. I run a network, I
    can assure you that if I ever found a rogue router, regardless of the
    intentions, I'd have the person responsible fired.

     
    Asher_N, Jan 5, 2006
    #12
  13. Maybe.

    Since clients do not "find" the ISA via the LAN's Routing Scheme, you can
    add an ISA to your new Internet Link and have the users use it for the
    Internet access and it will not affect the LAN's Routing Scheme at all as
    long as you *never* try to use SecureNAT Clients with the ISA. Use only Web
    Proxy Clients or Firewall Clients (aka Winsock Clients).

    Since Web Proxy Clients use the browser's "proxy settings" to find the ISA
    and Firewall Clients use the locally installed "Firewall Client Software" to
    find the ISA,...you can therefore use the ISA and never affect or alter the
    existing Routing Scheme of the LAN.

    This is how I run my system here and have about 3+ ways out to the Internet
    with ISA being only one of them. I of course cannot use SecureNAT Clients
    with my ISA,...because NAT depends on, and runs on top of, Layer3 Routing,
    therefore any clients configured this way would be taken out via a different
    Firewall Box because that is the box (not the ISA) that sits within the
    "Layer3 Path" of the LAN.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Jan 5, 2006
    #13
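
An added example, not part of the original post: a proxy auto-config (PAC) script of the kind a Web Proxy Client's browser can be pointed at, so that intranet hosts are reached directly over the existing LAN and every other request goes to the proxy on the new link. The proxy address, the `.city.example` suffix and the address prefixes are constructed placeholders.

```javascript
// Added illustration. The proxy address, DNS suffix and address prefixes
// are constructed placeholders, not values from the thread.
// No "; DIRECT" fallback is listed: if the proxy is down, web requests fail
// instead of silently leaving by whatever path the LAN's default route gives.
var PROXY = "PROXY 192.168.10.250:8080";
var INTERNAL_SUFFIXES = [".city.example"];
var INTERNAL_PREFIXES = ["10.", "192.168.", "127."];
var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Pure string checks only, so no DNS lookup is made per request.
function isInternalHost(host) {
  var h = host.toLowerCase();
  // Plain names such as "intranet" or "localhost" resolve on the LAN.
  if (h.indexOf(".") === -1) return true;
  // Literal IPv4 addresses: internal only if they start with a listed prefix.
  if (IPV4_LITERAL.test(h)) {
    return INTERNAL_PREFIXES.some(function (p) { return h.indexOf(p) === 0; });
  }
  // DNS names: match the suffix on a label boundary, so "mail.city.example"
  // is internal but "evilcity.example" is not.
  return INTERNAL_SUFFIXES.some(function (s) {
    return h === s.slice(1) || h.slice(-s.length) === s;
  });
}

// Entry point the browser calls for each request.
function FindProxyForURL(url, host) {
  return isInternalHost(host) ? "DIRECT" : PROXY;
}
```

File shares, Exchange and domain logons are not browser traffic, so they never consult this script and keep following the LAN's existing routes.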
  14. Guest

    Guest Guest

    When I come up with a solution that works, I will do exactly that.


     
    Guest, Jan 5, 2006
    #14
