ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.

Lingo - The Talk of Broadband

Friday, December 01, 2006

Protecting Wireless Networks - 3 Ways

Recently there's been a rash of clients needing to setup open wireless access for visitors. For the record, I hate open wireless. But some clients won't be convinced. Since this is the real world we do what we can do to protect them. Depending on the circumstances there are 3 options:

1. Install a 3rd NIC into your server. Create a network for this NIC corresponding to your wireless network and assign rules accordingly. Keep in mind, that if this is an SBS server, this is an unsupported option. The reason it is unsupported is that the Connect to the Internet Wizard will choke on the extra NIC. It was written to expect only 2 NICs. To work around this problem you should disable your 3rd NIC and the rules associated with it before running that wizard.

2. Use a different public IP for your wireless router and create an entirely seperate network for wireless. Most of the time an ISP will provide 5 IP addresses to business accounts. Most businesses are only using one of those. Plug the wireless router directly into the router provided by your ISP and assign the wireless router one of your unused IP address. Configure the wireless router as needed.

3. Connect the wireless router to your internal network and give it a static IP address. Set it up to assign DHCP addresses to the wireless guests that are on a seperate network. For example, if your internal network is 192.168.16 then setup the wireless router's built-in DHCP server to pass out 192.168.17 addresses. Assign rules to keep the wireless router away from everything but the Internet.

Here's what option 3 looks like in practice:

1. Create a DHCP reservation for your wireless router.
2. In ISA, create an Address Range Object for the wireless router.
3. In ISA, create a new Access Rule. From Wireless Router, To External, Specified Protocols: HTTP, HTTPS. Other protocols your guests might need include FTP, ICA and SMTP but keep the list as short as possible. Place this rule above the SBS Protected Networks Access Rule.
4. In ISA, create a new Acces Rule. From Wireless Router, to LocalHost, Specified Protocols: DNS. This will allow the wireless router to resolve addresses. Place this rule above the one you just created.


At 11:48 AM, Anonymous Ben said...

what about option 4?

A. Setup a wired firewall router or security appliance in front of
your SBS box (that is routing internet traffic with or without ISA).
B. Install el-cheapo wireless router or access point in the newly-created perimeter network.
C. This also helps set the groundwork for inexpensive but secure wireless company network access, as laptops can PPTP VPN back in to/through the SBS box over that encrypted path.


At 4:29 PM, Anonymous Anonymous said...

I was referred to this post by Owen Williams (SBS-MVP). Had a question about ISA rules with regard to your Option 3 and his paper, "Configuring Secure Wireless Network Access with Microsoft Windows Small Business Server 2003".
I'm the techie for a small nonprofit org. The requirement given me was to find a way to provide wireless LAN access, and Guest access to the internet. Based on advice, I purchased equipment that will allow me to setup 2 SSID's per Access Point, and point each to a VLAN created on a switch.
Hasn't worked so far, despite working with vendor's 2nd level tech support on and off for a month. I now think it's because I didn't think about ISA in this mix.
Using Owen's article on 1-NIC setup and this blog entry, I now think I can make this work using his instructions for GPO on the secure LAN side, but need advice on a GPO for the Guest side. Would your Option 3 work on the Guest side with Owen's GPO and ISA rule on the LAN side?

Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
501(c)(3) nonprofit org.


Post a Comment

<< Home