Thread: DHCP/VLAN/BYOD/SMOOTHWALL Problem (Windows Server 2008 R2, in Technical)
  1. #16

    twin--turbo
    Do you have a second network interface on the server?

    Rob

  2. #17
    denon101
    What they want it for is teachers, outside people to come along and present ideas to a group of teachers. But what they really want is for people to be able to turn up with their own smartphone, tablet etc. and be able to access the wireless to use Twitter and Facebook to comment on the event whilst it is happening... It's something they have seen done elsewhere. So they want to do it here. More trouble than it's worth potentially!

    Hope that helps

  3. #18

    RTFM
    Quote, originally posted by denon101:
        What they want it for is teachers, outside people to come along and present ideas to a group of teachers. But what they really want is for people to be able to turn up with their own smartphone, tablet etc. and be able to access the wireless to use Twitter and Facebook to comment on the event whilst it is happening... It's something they have seen done elsewhere. So they want to do it here. More trouble than it's worth potentially!

        Hope that helps

    It's all well and good people wanting these things, but you need the infrastructure to provide it and do it correctly / safely / reliably.

  4. #19
    denon101
    Quote, originally posted by twin--turbo:
        Do you have a second network interface on the server?

        Rob

    Not as yet, but I have a VMware setup so that would not be difficult at all...

  5. #20
    denon101
    Quote, originally posted by RTFM:
        It's all well and good people wanting these things, but you need the infrastructure to provide it and do it correctly / safely / reliably.

    I know, but it was all decided without consulting me... JOY!

  6. #21

    RTFM
    Quote, originally posted by denon101:
        I know, but it was all decided without consulting me... JOY!

    Then they might have to put their hands in their pockets for some additional work to be done to provide it. The most advisable way to achieve what you are after is to VLAN your network off and then you can securely run guest wireless, or at least, from what everyone has said that is the conclusion I would come to.

    It's how we do it, though that doesn't mean it's the only way.

    I'm sure if it can be done another way someone here will know how, unfortunately I don't though.

  7. Thanks to RTFM from:

    denon101 (21st January 2013)

  8. #22

    twin--turbo
    Without either a separate LAN or a VLAN you have the potential for any of the BYOD devices to have unrestricted access to your entire network (servers, printers, clients, etc.).

    Does your Ruckus have 2 interfaces? One could go directly to your Smoothwall and be firewalled purely for the BYOD internet.

    Rob

  9. #23

    RTFM
    Quote, originally posted by twin--turbo:
        Without either a separate LAN or a VLAN you have the potential for any of the BYOD devices to have unrestricted access to your entire network (servers, printers, clients, etc.).

        Does your Ruckus have 2 interfaces? One could go directly to your Smoothwall and be firewalled purely for the BYOD internet.

        Rob

    Just thinking out loud, if all your network clients are Windows machines and pick up their proxy from group policy and you forward to a specific port to do some sort of NTLM authentication, couldn't you transparently filter the whole range on port 80 as a location? If a client doesn't have proxy settings, it's going to be hit by that filtering not the NTLM auth (theoretically all your 'BYOD' clients wouldn't have proxy settings in).

    If all your clients though pick up from group policy and you lock down changing of proxy settings from GP then theoretically you could run both at the same time???

    Does that make sense? I know it isn't in any way ideal but it would work... I think?

    EDIT: I wouldn't want to put my name to the above in terms of security of either what people can or can't access on the web or the security of the network, but just saying the above should work.
    Last edited by RTFM; 21st January 2013 at 02:10 PM.

  10. #24

    Roberto
    Quote, originally posted by denon101:
        I know, but it was all decided without consulting me... JOY!

    Well this is where you return and tell them it's no problem to give them what they want but you require the following resources:
    {whatever you decide, enough to provide a separate 'guest' wireless VLAN at the very least, though if they want the event twittered and facebooked and you don't normally allow access to those on site then you'll need to provide alternative filtering policies, etc. and you'll need a 'guest' device to test all this with}.

    If they don't want to go for that then they can't have their magical "BYOD" guest wireless network. Simple as.

    When you posted about a 'teachmeet' I wasn't sure if that was this week's term for a baker day or whatever, but yeah if this is external people coming on site then you need to maintain a gap between the guest wireless network and your main network (we do this) and I'd say this was an absolute requirement both for safeguarding and the security and integrity of the business functions of the school.
    Last edited by Roberto; 21st January 2013 at 02:22 PM.

  11. #25

    RTFM
    Quote, originally posted by Roberto:
        Well this is where you return and tell them it's no problem to give them what they want but you require the following resources:
        {whatever you decide, enough to provide a separate 'guest' wireless VLAN at the very least, though if they want the event twittered and facebooked and you don't normally allow access to those on site then you'll need to provide alternative filtering policies, etc. and you'll need a 'guest' device to test all this with}.

    The strange thing is on site they have Smoothwall, Ruckus, HP ProCurve switches yet no VLANs.

    Thankfully with Smoothwall you can quickly set up a location and filter this accordingly against a new set of filtering policies, literally that's 20 minutes' work. That definitely isn't where the issue is. Similarly with Ruckus you can do a guest portal quickly and easily and hand on the responsibility for key generation to someone else without too much time or effort.

    The only downfall you have is your network infrastructure in that it isn't VLAN'd... so unless someone comes up with something that might be what you have to tell them. That opens up a whole set of other issues though as typically you'd have someone come in, spec your network and hardware, make recommendations, then find the time and money to have the work done. Potentially not cheap.

    Won't people have 3G??

  12. #26

    Roberto
    Quote, originally posted by RTFM:
        The strange thing is on site they have Smoothwall, Ruckus, HP ProCurve switches yet no VLANs.

        Thankfully with Smoothwall you can quickly set up a location and filter this accordingly against a new set of filtering policies, literally that's 20 minutes' work. That definitely isn't where the issue is. Similarly with Ruckus you can do a guest portal quickly and easily and hand on the responsibility for key generation to someone else without too much time or effort.

        The only downfall you have is your network infrastructure in that it isn't VLAN'd... so unless someone comes up with something that might be what you have to tell them. That opens up a whole set of other issues though as typically you'd have someone come in, spec your network and hardware, make recommendations, then find the time and money to have the work done. Potentially not cheap.

        Won't people have 3G??

    I can see a network that's just grown to meet its needs being configured like this.

    This can all be configured out of current hardware, with maybe a bit of fun and games and a few upgrades, but doing so without disrupting the continuing use of that stuff for curriculum won't be quite so easy.

  13. #27

    twin--turbo
    Quote, originally posted by RTFM:
        so unless someone comes up with something that might be what you have to tell them

    It's why I mentioned the second port (if it has one) on the Ruckus and connect it straight to the Smoothwall.

    Rob

  14. #28

    Ephelyon
    We're not using a separate VLAN on our setup. Our SmoothWall has both non-transparent and transparent (redirect to SSL login page with session cookie) authentication policies on the main network. Our UniFi wireless network has an open Guest SSID with subnet restrictions so the only device that can be accessed is the SmoothWall box (which also works well for effective client isolation). On their first web request it directs them to log into the filter so we still know who's who and it ticks all the boxes for filtering and logging, just like on the main network.

  15. #29

    RTFM
    Quote, originally posted by Ephelyon:
        We're not using a separate VLAN on our setup. Our SmoothWall has both non-transparent and transparent (redirect to SSL login page with session cookie) authentication policies on the main network. Our UniFi wireless network has an open Guest SSID with subnet restrictions so the only device that can be accessed is the SmoothWall box (which also works well for effective client isolation). On their first web request it directs them to log into the filter so we still know who's who and it ticks all the boxes for filtering and logging, just like on the main network.

    So if you changed the auth method from SSL login to location you could do similar. You couldn't use SSL login as Guest users wouldn't have AD credentials to authenticate with.

  16. #30

    RTFM
    Quote, originally posted by twin--turbo:
        It's why I mentioned the second port (if it has one) on the Ruckus and connect it straight to the Smoothwall.

        Rob

    We have a ZD3000 and it has a spare interface from the looks of it.
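
The contrast between posts #22 and #28, as an added example that is not part of any poster's message: a first-match rule check in Python comparing a flat network with a guest SSID restricted to the filter box. The addresses, ports, probe list and rule format are constructed assumptions, not the configuration of any product named in the thread.

```python
import ipaddress

# Constructed addressing plan for illustration (not from the thread).
GUEST_NET = ipaddress.ip_network("10.20.0.0/24")   # guest SSID clients
FILTER_BOX = ipaddress.ip_network("10.0.0.2/32")   # web filter / firewall
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
GUEST_CLIENT = "10.20.0.15"

# Ordered rules, first match wins: (action, source, destination, ports).
# ports=None means any port. The port set is an assumption: DNS, HTTP, HTTPS.
ISOLATED = [
    ("allow", GUEST_NET, FILTER_BOX, {53, 80, 443}),
    ("deny", GUEST_NET, ANYWHERE, None),
]
FLAT = []  # no VLAN, no restrictions: every flow falls through to the default

# Constructed probes: (description, destination, port).
PROBES = [
    ("filter login page", "10.0.0.2", 443),
    ("filter admin SSH", "10.0.0.2", 22),
    ("file server SMB", "10.0.0.10", 445),
    ("printer", "10.0.1.50", 9100),
    ("another guest device", "10.20.0.77", 80),
]


def decide(rules, src, dst, port, default="allow"):
    """Return the action of the first rule matching the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if src in src_net and dst in dst_net and (ports is None or port in ports):
            return action
    return default


def exposed(rules, allowed=("filter login page",)):
    """Names of probes a guest can reach that are not on the allowed list."""
    return [name for name, dst, port in PROBES
            if name not in allowed
            and decide(rules, GUEST_CLIENT, dst, port) == "allow"]


if __name__ == "__main__":
    print("flat network exposes:", exposed(FLAT))
    print("restricted guest SSID exposes:", exposed(ISOLATED))
```

The same probe list can be repeated by hand from a test device on the guest SSID to confirm the real rules behave as the model does.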
