Allowing Visitor Internet access

I also agree with Merv. The configuration he recommends is exactly what
I do to support this functionality. It is an excellent balance of
simplicity and functionality.

-- Owen Williams

In article ,
mwport.RemoveThis@no_spam_hotmail.com says...
> Don't let the Salepeople connect to the LAN side of the network. You don't
> know where these laptops have been and you have absolutely no control over
> them. Assuming the SBS network setup is (2 NICs + router), connect a WAP
> (Wireless Access Point) to a port on the router and let the laptops have
> wireless Internet access through it.
>
> Just my $0.02.
 >> Stay informed about: Allowing Visitor Internet access 

Bibbob:

Following up on my earlier post (to Merv's response), I am using a
configuration like this at one client's site so that an SBS2003 network
and a Guest PC can share a DSL Internet connection:

+-------+
|DSL Mdm| 192.168.1.1
+-------+
|
+-------+ 192.168.2.1
| Router| DHCP Server Enabled -
+-------+ Exclude 1st 10 IPs
| |
| +-------------+
| |
|192.168.2.2 |
| [Ext. NIC] |DHCP IP
+-------+ +-------+
|SBS2003| |GuestPC|
+-------+ +-------+
| [Int. NIC]
|192.168.16.1
|
+--------+
| Switch |
+--------+
| | | |
| | | |
[Domain PCs]

SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
(192.168.2.2) is protected.

"GuestPC" could be a Wireless Access Point with a STATIC address of, for
example, 192.168.2.3 (which is used primarily for WAP administration).
Then, guest PCs with wireless capabilities associate with the WAP and
get an IP address from the (wired) Router.

Since Wireless Routers are easier to find (and often less expensive)
than WAPs, you can use one as a WAP provided you:

- disable the DHCP server on the Wireless Router
- connect an Ethernet cable from the (wired) Router to one of the switch
jacks (there are most often 4) on the Wireless Router. Do NOT connect
anything to the Wireless Router's "WAN" or "Internet" jack.

-- Owen Williams
 >> Stay informed about: Allowing Visitor Internet access 

Owen: lets assume the laptop belongs to a trusted business partner or client
and that he does not want access to the local domain but only wants access
from inside the local lan to the internet. My client does not want to
"insult" his partner/client by implying that he has not kept up the security
of his laptop. So given this scenario I have to provide the safe connection
"within these parameters" for the clients client. So I guess what I need to
Know is what firewall settings in ISA 2004 would configure such a "safe"
connection.

"Owen Williams" wrote:

> Bibbob:
>
> Following up on my earlier post (to Merv's response), I am using a
> configuration like this at one client's site so that an SBS2003 network
> and a Guest PC can share a DSL Internet connection:
>
> +-------+
> |DSL Mdm| 192.168.1.1
> +-------+
> |
> +-------+ 192.168.2.1
> | Router| DHCP Server Enabled -
> +-------+ Exclude 1st 10 IPs
> | |
> | +-------------+
> | |
> |192.168.2.2 |
> | [Ext. NIC] |DHCP IP
> +-------+ +-------+
> |SBS2003| |GuestPC|
> +-------+ +-------+
> | [Int. NIC]
> |192.168.16.1
> |
> +--------+
> | Switch |
> +--------+
> | | | |
> | | | |
> [Domain PCs]
>
> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
> (192.168.2.2) is protected.
>
> "GuestPC" could be a Wireless Access Point with a STATIC address of, for
> example, 192.168.2.3 (which is used primarily for WAP administration).
> Then, guest PCs with wireless capabilities associate with the WAP and
> get an IP address from the (wired) Router.
>
> Since Wireless Routers are easier to find (and often less expensive)
> than WAPs, you can use one as a WAP provided you:
>
> - disable the DHCP server on the Wireless Router
> - connect an Ethernet cable from the (wired) Router to one of the switch
> jacks (there are most often 4) on the Wireless Router. Do NOT connect
> anything to the Wireless Router's "WAN" or "Internet" jack.
>
> -- Owen Williams
>
 >> Stay informed about: Allowing Visitor Internet access 

If the partner uses a wireless connection to a WAP outside of your client's
network, the partner won't know (or care) that they aren't connecting to the
Internet from the LAN. They'll just fire up their laptop and connect to the
web. No discussion needs to take place between your client and their
partner other than: you can get access to the Internet by configuring your
laptop to automatically get an IP address via your wireless NIC. The
partner is happy... your client is happy... you're happy.

--
Merv Porter [SBS MVP]
===================================
"Bitbob" wrote in message

> Owen: lets assume the laptop belongs to a trusted business partner or
> client
> and that he does not want access to the local domain but only wants access
> from inside the local lan to the internet. My client does not want to
> "insult" his partner/client by implying that he has not kept up the
> security
> of his laptop. So given this scenario I have to provide the safe
> connection
> "within these parameters" for the clients client. So I guess what I need
> to
> Know is what firewall settings in ISA 2004 would configure such a "safe"
> connection.
>
> "Owen Williams" wrote:
>
>> Bibbob:
>>
>> Following up on my earlier post (to Merv's response), I am using a
>> configuration like this at one client's site so that an SBS2003 network
>> and a Guest PC can share a DSL Internet connection:
>>
>> +-------+
>> |DSL Mdm| 192.168.1.1
>> +-------+
>> |
>> +-------+ 192.168.2.1
>> | Router| DHCP Server Enabled -
>> +-------+ Exclude 1st 10 IPs
>> | |
>> | +-------------+
>> | |
>> |192.168.2.2 |
>> | [Ext. NIC] |DHCP IP
>> +-------+ +-------+
>> |SBS2003| |GuestPC|
>> +-------+ +-------+
>> | [Int. NIC]
>> |192.168.16.1
>> |
>> +--------+
>> | Switch |
>> +--------+
>> | | | |
>> | | | |
>> [Domain PCs]
>>
>> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
>> (192.168.2.2) is protected.
>>
>> "GuestPC" could be a Wireless Access Point with a STATIC address of, for
>> example, 192.168.2.3 (which is used primarily for WAP administration).
>> Then, guest PCs with wireless capabilities associate with the WAP and
>> get an IP address from the (wired) Router.
>>
>> Since Wireless Routers are easier to find (and often less expensive)
>> than WAPs, you can use one as a WAP provided you:
>>
>> - disable the DHCP server on the Wireless Router
>> - connect an Ethernet cable from the (wired) Router to one of the switch
>> jacks (there are most often 4) on the Wireless Router. Do NOT connect
>> anything to the Wireless Router's "WAN" or "Internet" jack.
>>
>> -- Owen Williams
>>
 >> Stay informed about: Allowing Visitor Internet access 

BitBob:

Leythos, Gavin, and Merv have all taken the words out of my mouth! But
just to summarize / concur: IMO, the key words of the "parameters" are:

"he does not want access to the local domain but only wants access from
inside the local lan to the internet"

There is a constraint here that does not make sense to me: "from inside
the local LAN." The actual requirement I am seeing is: "he only wants
access to the internet." The configuration shown provides the
requirement without compromising the business network.

In answer to your other question: "I need to Know is what firewall
settings in ISA 2004 would configure such a 'safe' connection." - There
are NOT any. If you implement according to your client's constraint
("from inside the local LAN"), by definition you are WITHIN the firewall
perimeter. ISA2004 won't protect access to resources WITHIN the local
network - your LAN is subject to compromise from the unmanaged PC.

-- Owen Williams

In article ,
Bitbob.RemoveThis@discussions.microsoft.com says...
> Owen: lets assume the laptop belongs to a trusted business partner or client
> and that he does not want access to the local domain but only wants access
> from inside the local lan to the internet. My client does not want to
> "insult" his partner/client by implying that he has not kept up the security
> of his laptop. So given this scenario I have to provide the safe connection
> "within these parameters" for the clients client. So I guess what I need to
> Know is what firewall settings in ISA 2004 would configure such a "safe"
> connection.
 >> Stay informed about: Allowing Visitor Internet access 

This message is not archived
 >> Stay informed about: Allowing Visitor Internet access 

Leythos wrote:
> In article ,
> Bitbob DeleteThis @discussions.microsoft.com says...
>> Owen: lets assume the laptop belongs to a trusted business partner or client
>> and that he does not want access to the local domain but only wants access
>> from inside the local lan to the internet. My client does not want to
>> "insult" his partner/client by implying that he has not kept up the security
>> of his laptop. So given this scenario I have to provide the safe connection
>> "within these parameters" for the clients client. So I guess what I need to
>> Know is what firewall settings in ISA 2004 would configure such a "safe"
>> connection.
>
> It's not INSULTING when you provide them a connection and don't suggest
> that it's not on the LAN. It's good business to not allow unmanaged
> machines on your LAN, or to put them in your DMZ for access to the
> Internet.
>
> If they need access to your LAN then they should have a machine in your
> company, not some unmanaged laptop.
>
> I've seen more servers/network compromised because of what you want to
> do.....
>
> To suggest that anyone, even a trusted business partner, be able to
> connect anything to your LAN is unreasonable. Give them a connection in
> the DMZ via wireless (or wired if you have guest jacks) and they will be
> happy.
>

I concur completely.

Give them a PC that is already on your lan, patched to use if he needs
internal resources.

I would NEVER hook up a laptop that I knew nothing about to a corp
network. Thats why our switches are locked down to an allowed MAC
address ACL.

Gavin.
 >> Stay informed about: Allowing Visitor Internet access 

Is there a way to provide wifi access to visiting clients just using a
wireless router? For example cablemodem - wireless router - sbs2003 (2 nic
standard) - switch - internal lan. Thanks

"Owen Williams" wrote:

> Bibbob:
>
> Following up on my earlier post (to Merv's response), I am using a
> configuration like this at one client's site so that an SBS2003 network
> and a Guest PC can share a DSL Internet connection:
>
> +-------+
> |DSL Mdm| 192.168.1.1
> +-------+
> |
> +-------+ 192.168.2.1
> | Router| DHCP Server Enabled -
> +-------+ Exclude 1st 10 IPs
> | |
> | +-------------+
> | |
> |192.168.2.2 |
> | [Ext. NIC] |DHCP IP
> +-------+ +-------+
> |SBS2003| |GuestPC|
> +-------+ +-------+
> | [Int. NIC]
> |192.168.16.1
> |
> +--------+
> | Switch |
> +--------+
> | | | |
> | | | |
> [Domain PCs]
>
> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
> (192.168.2.2) is protected.
>
> "GuestPC" could be a Wireless Access Point with a STATIC address of, for
> example, 192.168.2.3 (which is used primarily for WAP administration).
> Then, guest PCs with wireless capabilities associate with the WAP and
> get an IP address from the (wired) Router.
>
> Since Wireless Routers are easier to find (and often less expensive)
> than WAPs, you can use one as a WAP provided you:
>
> - disable the DHCP server on the Wireless Router
> - connect an Ethernet cable from the (wired) Router to one of the switch
> jacks (there are most often 4) on the Wireless Router. Do NOT connect
> anything to the Wireless Router's "WAN" or "Internet" jack.
>
> -- Owen Williams
>
 >> Stay informed about: Allowing Visitor Internet access 

Hi Chad,

Yes. With two NICS in the SBS server, the SBS LAN is isolated from the
router LAN. You could then turn on the DHCP service on the router and it
should not interfere with the SBS DHCP service. That would give your your
wireless guests Internet access (only) by providing them an IP address in
the same subnet as the LAN side of the router.

Owen Williams wrote a great article on setting up an even more secure
wireless network:

Configuring Secure Wireless Network Access with Microsoft® Windows® Small
Business Server 2003
http://home.comcast.net/~clearviewtc/

--
Merv Porter [SBS-MVP]
============================

"Chad" wrote in message

> Is there a way to provide wifi access to visiting clients just using a
> wireless router? For example cablemodem - wireless router - sbs2003 (2
> nic
> standard) - switch - internal lan. Thanks
>
> "Owen Williams" wrote:
>
>> Bibbob:
>>
>> Following up on my earlier post (to Merv's response), I am using a
>> configuration like this at one client's site so that an SBS2003 network
>> and a Guest PC can share a DSL Internet connection:
>>
>> +-------+
>> |DSL Mdm| 192.168.1.1
>> +-------+
>> |
>> +-------+ 192.168.2.1
>> | Router| DHCP Server Enabled -
>> +-------+ Exclude 1st 10 IPs
>> | |
>> | +-------------+
>> | |
>> |192.168.2.2 |
>> | [Ext. NIC] |DHCP IP
>> +-------+ +-------+
>> |SBS2003| |GuestPC|
>> +-------+ +-------+
>> | [Int. NIC]
>> |192.168.16.1
>> |
>> +--------+
>> | Switch |
>> +--------+
>> | | | |
>> | | | |
>> [Domain PCs]
>>
>> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
>> (192.168.2.2) is protected.
>>
>> "GuestPC" could be a Wireless Access Point with a STATIC address of, for
>> example, 192.168.2.3 (which is used primarily for WAP administration).
>> Then, guest PCs with wireless capabilities associate with the WAP and
>> get an IP address from the (wired) Router.
>>
>> Since Wireless Routers are easier to find (and often less expensive)
>> than WAPs, you can use one as a WAP provided you:
>>
>> - disable the DHCP server on the Wireless Router
>> - connect an Ethernet cable from the (wired) Router to one of the switch
>> jacks (there are most often 4) on the Wireless Router. Do NOT connect
>> anything to the Wireless Router's "WAN" or "Internet" jack.
>>
>> -- Owen Williams
>>
 >> Stay informed about: Allowing Visitor Internet access 

Merv thanks for the super quick response!

I will have a static IP address provided from comcast so how will these IP
addresses be assigned?

For example:
cable (static) 75.144.223.1 - Wireless router w/ dhcp
192.168.1.1...2...3....etc - SBS external NIC 75.144.223.2 - SBS internal NIC
(w/dhcp) 192.168.16.1

All internal LAN computers 192.168.2....3....4 etc

Thanks

"Merv Porter [SBS-MVP]" wrote:

> Hi Chad,
>
> Yes. With two NICS in the SBS server, the SBS LAN is isolated from the
> router LAN. You could then turn on the DHCP service on the router and it
> should not interfere with the SBS DHCP service. That would give your your
> wireless guests Internet access (only) by providing them an IP address in
> the same subnet as the LAN side of the router.
>
> Owen Williams wrote a great article on setting up an even more secure
> wireless network:
>
> Configuring Secure Wireless Network Access with Microsoft® Windows® Small
> Business Server 2003
> http://home.comcast.net/~clearviewtc/
>
> --
> Merv Porter [SBS-MVP]
> ============================
>
> "Chad" wrote in message
>
> > Is there a way to provide wifi access to visiting clients just using a
> > wireless router? For example cablemodem - wireless router - sbs2003 (2
> > nic
> > standard) - switch - internal lan. Thanks
> >
> > "Owen Williams" wrote:
> >
> >> Bibbob:
> >>
> >> Following up on my earlier post (to Merv's response), I am using a
> >> configuration like this at one client's site so that an SBS2003 network
> >> and a Guest PC can share a DSL Internet connection:
> >>
> >> +-------+
> >> |DSL Mdm| 192.168.1.1
> >> +-------+
> >> |
> >> +-------+ 192.168.2.1
> >> | Router| DHCP Server Enabled -
> >> +-------+ Exclude 1st 10 IPs
> >> | |
> >> | +-------------+
> >> | |
> >> |192.168.2.2 |
> >> | [Ext. NIC] |DHCP IP
> >> +-------+ +-------+
> >> |SBS2003| |GuestPC|
> >> +-------+ +-------+
> >> | [Int. NIC]
> >> |192.168.16.1
> >> |
> >> +--------+
> >> | Switch |
> >> +--------+
> >> | | | |
> >> | | | |
> >> [Domain PCs]
> >>
> >> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
> >> (192.168.2.2) is protected.
> >>
> >> "GuestPC" could be a Wireless Access Point with a STATIC address of, for
> >> example, 192.168.2.3 (which is used primarily for WAP administration).
> >> Then, guest PCs with wireless capabilities associate with the WAP and
> >> get an IP address from the (wired) Router.
> >>
> >> Since Wireless Routers are easier to find (and often less expensive)
> >> than WAPs, you can use one as a WAP provided you:
> >>
> >> - disable the DHCP server on the Wireless Router
> >> - connect an Ethernet cable from the (wired) Router to one of the switch
> >> jacks (there are most often 4) on the Wireless Router. Do NOT connect
> >> anything to the Wireless Router's "WAN" or "Internet" jack.
> >>
> >> -- Owen Williams
> >>
>
>
>
 >> Stay informed about: Allowing Visitor Internet access 

Based on the info provided, I don't think you can implement Merv's
suggestion "as-is." It is common practice to deploy a firewall device in
front of SBS, but in your case it appears that your SBS box has your public
IP address directly. This would imply that your internet connection device
(cable/DSL modem) is acting strictly as an ethernet bridge. That really
prevents you from segmenting your network as Merv suggested.

From a security perspective, BTW, I'd recommend adding a firewall to your
configuration. Then you can move forward. Otherwise you will have to look
at doing a more complex deployment. One thing to keep in mind when making
this decision, which you may not have realized, is that by deploying the
access point outside of the LAN, you won't be able to have it serve dual
duty as a guest AP and provide authenticated access to your SBS server.

Again, IMO, from security perspective, this is a *good* thing. Wireless
access points are inexpensive and I'd rather buy two than try to go through
the effort and risk of having one perform two tasks and attempt to keep
guests isolated. I just wanted to point it out as I've seen people go
through the setup and then not get the results they expected.

-Cliff


"Chad" wrote in message

> Merv thanks for the super quick response!
>
> I will have a static IP address provided from comcast so how will these IP
> addresses be assigned?
>
> For example:
> cable (static) 75.144.223.1 - Wireless router w/ dhcp
> 192.168.1.1...2...3....etc - SBS external NIC 75.144.223.2 - SBS internal
> NIC
> (w/dhcp) 192.168.16.1
>
> All internal LAN computers 192.168.2....3....4 etc
>
> Thanks
>
> "Merv Porter [SBS-MVP]" wrote:
>
>> Hi Chad,
>>
>> Yes. With two NICS in the SBS server, the SBS LAN is isolated from the
>> router LAN. You could then turn on the DHCP service on the router and it
>> should not interfere with the SBS DHCP service. That would give your
>> your
>> wireless guests Internet access (only) by providing them an IP address in
>> the same subnet as the LAN side of the router.
>>
>> Owen Williams wrote a great article on setting up an even more secure
>> wireless network:
>>
>> Configuring Secure Wireless Network Access with Microsoft® Windows® Small
>> Business Server 2003
>> http://home.comcast.net/~clearviewtc/
>>
>> --
>> Merv Porter [SBS-MVP]
>> ============================
>>
>> "Chad" wrote in message
>>
>> > Is there a way to provide wifi access to visiting clients just using a
>> > wireless router? For example cablemodem - wireless router - sbs2003
>> > (2
>> > nic
>> > standard) - switch - internal lan. Thanks
>> >
>> > "Owen Williams" wrote:
>> >
>> >> Bibbob:
>> >>
>> >> Following up on my earlier post (to Merv's response), I am using a
>> >> configuration like this at one client's site so that an SBS2003
>> >> network
>> >> and a Guest PC can share a DSL Internet connection:
>> >>
>> >> +-------+
>> >> |DSL Mdm| 192.168.1.1
>> >> +-------+
>> >> |
>> >> +-------+ 192.168.2.1
>> >> | Router| DHCP Server Enabled -
>> >> +-------+ Exclude 1st 10 IPs
>> >> | |
>> >> | +-------------+
>> >> | |
>> >> |192.168.2.2 |
>> >> | [Ext. NIC] |DHCP IP
>> >> +-------+ +-------+
>> >> |SBS2003| |GuestPC|
>> >> +-------+ +-------+
>> >> | [Int. NIC]
>> >> |192.168.16.1
>> >> |
>> >> +--------+
>> >> | Switch |
>> >> +--------+
>> >> | | | |
>> >> | | | |
>> >> [Domain PCs]
>> >>
>> >> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
>> >> (192.168.2.2) is protected.
>> >>
>> >> "GuestPC" could be a Wireless Access Point with a STATIC address of,
>> >> for
>> >> example, 192.168.2.3 (which is used primarily for WAP administration).
>> >> Then, guest PCs with wireless capabilities associate with the WAP and
>> >> get an IP address from the (wired) Router.
>> >>
>> >> Since Wireless Routers are easier to find (and often less expensive)
>> >> than WAPs, you can use one as a WAP provided you:
>> >>
>> >> - disable the DHCP server on the Wireless Router
>> >> - connect an Ethernet cable from the (wired) Router to one of the
>> >> switch
>> >> jacks (there are most often 4) on the Wireless Router. Do NOT connect
>> >> anything to the Wireless Router's "WAN" or "Internet" jack.
>> >>
>> >> -- Owen Williams
>> >>
>>
>>
>>
 >> Stay informed about: Allowing Visitor Internet access 

Hi Chad,

See the diagram at:

Two Nics, a static IP address, ISA, router
(the diagram works with or without ISA)
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleVi...article

The WAN side of your router will use the static IP address supplied by your
ISP. The workstations will be 192.168.16.x.

--------------------------------------------------------------
Internet
|
Router (WAN, static IP 75.144.223.1)
|
Router (LAN, static IP 192.168.1.1)
|
SBS (External NIC, static IP 192.168.1.2)
||
SBS (Internal NIC, static IP 192.168.16.2)
|
Switch
| | | | | |
Workstations (dynamic IPs 192.168.16.x)
--------------------------------------------------------------

In the router, forward the ports for the services you need to the external
NIC IP address:

SSL... 443
RWW... 4125
VPN... 1723 and GRE Protocol 47 (for PPTP VPN)
Mail Server... 25 (if you'll be hosting your own Exchange mail server)
RDP... 3389 (straight RDP session to SBS server)

Once you get it physically set up, run CEICW to configure the SBS server for
DHCP and other services:

CEICW Walkthrough
http://www.sbs-rocks.com/sbs2k3/sbs2k3-n2.htm


--
Merv Porter [SBS-MVP]
============================

"Chad" wrote in message

> Merv thanks for the super quick response!
>
> I will have a static IP address provided from comcast so how will these IP
> addresses be assigned?
>
> For example:
> cable (static) 75.144.223.1 - Wireless router w/ dhcp
> 192.168.1.1...2...3....etc - SBS external NIC 75.144.223.2 - SBS internal
> NIC
> (w/dhcp) 192.168.16.1
>
> All internal LAN computers 192.168.2....3....4 etc
>
> Thanks
>
> "Merv Porter [SBS-MVP]" wrote:
>
>> Hi Chad,
>>
>> Yes. With two NICS in the SBS server, the SBS LAN is isolated from the
>> router LAN. You could then turn on the DHCP service on the router and it
>> should not interfere with the SBS DHCP service. That would give your
>> your
>> wireless guests Internet access (only) by providing them an IP address in
>> the same subnet as the LAN side of the router.
>>
>> Owen Williams wrote a great article on setting up an even more secure
>> wireless network:
>>
>> Configuring Secure Wireless Network Access with Microsoft® Windows® Small
>> Business Server 2003
>> http://home.comcast.net/~clearviewtc/
>>
>> --
>> Merv Porter [SBS-MVP]
>> ============================
>>
>> "Chad" wrote in message
>>
>> > Is there a way to provide wifi access to visiting clients just using a
>> > wireless router? For example cablemodem - wireless router - sbs2003
>> > (2
>> > nic
>> > standard) - switch - internal lan. Thanks
>> >
>> > "Owen Williams" wrote:
>> >
>> >> Bibbob:
>> >>
>> >> Following up on my earlier post (to Merv's response), I am using a
>> >> configuration like this at one client's site so that an SBS2003
>> >> network
>> >> and a Guest PC can share a DSL Internet connection:
>> >>
>> >> +-------+
>> >> |DSL Mdm| 192.168.1.1
>> >> +-------+
>> >> |
>> >> +-------+ 192.168.2.1
>> >> | Router| DHCP Server Enabled -
>> >> +-------+ Exclude 1st 10 IPs
>> >> | |
>> >> | +-------------+
>> >> | |
>> >> |192.168.2.2 |
>> >> | [Ext. NIC] |DHCP IP
>> >> +-------+ +-------+
>> >> |SBS2003| |GuestPC|
>> >> +-------+ +-------+
>> >> | [Int. NIC]
>> >> |192.168.16.1
>> >> |
>> >> +--------+
>> >> | Switch |
>> >> +--------+
>> >> | | | |
>> >> | | | |
>> >> [Domain PCs]
>> >>
>> >> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
>> >> (192.168.2.2) is protected.
>> >>
>> >> "GuestPC" could be a Wireless Access Point with a STATIC address of,
>> >> for
>> >> example, 192.168.2.3 (which is used primarily for WAP administration).
>> >> Then, guest PCs with wireless capabilities associate with the WAP and
>> >> get an IP address from the (wired) Router.
>> >>
>> >> Since Wireless Routers are easier to find (and often less expensive)
>> >> than WAPs, you can use one as a WAP provided you:
>> >>
>> >> - disable the DHCP server on the Wireless Router
>> >> - connect an Ethernet cable from the (wired) Router to one of the
>> >> switch
>> >> jacks (there are most often 4) on the Wireless Router. Do NOT connect
>> >> anything to the Wireless Router's "WAN" or "Internet" jack.
>> >>
>> >> -- Owen Williams
>> >>
>>
>>
>>
 >> Stay informed about: Allowing Visitor Internet access 

Merv, in this example do I forward the ports from the 1st router or the
second router or both? Do I turn on DHCP for the 1st wireless router to
provide IP addresses for the wireless clients to access the internet and
disable DHCP for the second wireless router?

What about setting DMZ for the first router so all the ports are accessible?
Can a wireless router support wireless clients without DHCP being enabled?

Thanks for your input.

Chad



"Merv Porter [SBS-MVP]" wrote:

> Hi Chad,
>
> See the diagram at:
>
> Two Nics, a static IP address, ISA, router
> (the diagram works with or without ISA)
> http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleVi...article
>
> The WAN side of your router will use the static IP address supplied by your
> ISP. The workstations will be 192.168.16.x.
>
> --------------------------------------------------------------
> Internet
> |
> Router (WAN, static IP 75.144.223.1)
> |
> Router (LAN, static IP 192.168.1.1)
> |
> SBS (External NIC, static IP 192.168.1.2)
> ||
> SBS (Internal NIC, static IP 192.168.16.2)
> |
> Switch
> | | | | | |
> Workstations (dynamic IPs 192.168.16.x)
> --------------------------------------------------------------
>
> In the router, forward the ports for the services you need to the external
> NIC IP address:
>
> SSL... 443
> RWW... 4125
> VPN... 1723 and GRE Protocol 47 (for PPTP VPN)
> Mail Server... 25 (if you'll be hosting your own Exchange mail server)
> RDP... 3389 (straight RDP session to SBS server)
>
> Once you get it physically set up, run CEICW to configure the SBS server for
> DHCP and other services:
>
> CEICW Walkthrough
> http://www.sbs-rocks.com/sbs2k3/sbs2k3-n2.htm
>
>
> --
> Merv Porter [SBS-MVP]
> ============================
>
> "Chad" wrote in message
>
> > Merv thanks for the super quick response!
> >
> > I will have a static IP address provided from comcast so how will these IP
> > addresses be assigned?
> >
> > For example:
> > cable (static) 75.144.223.1 - Wireless router w/ dhcp
> > 192.168.1.1...2...3....etc - SBS external NIC 75.144.223.2 - SBS internal
> > NIC
> > (w/dhcp) 192.168.16.1
> >
> > All internal LAN computers 192.168.2....3....4 etc
> >
> > Thanks
> >
> > "Merv Porter [SBS-MVP]" wrote:
> >
> >> Hi Chad,
> >>
> >> Yes. With two NICS in the SBS server, the SBS LAN is isolated from the
> >> router LAN. You could then turn on the DHCP service on the router and it
> >> should not interfere with the SBS DHCP service. That would give your
> >> your
> >> wireless guests Internet access (only) by providing them an IP address in
> >> the same subnet as the LAN side of the router.
> >>
> >> Owen Williams wrote a great article on setting up an even more secure
> >> wireless network:
> >>
> >> Configuring Secure Wireless Network Access with Microsoft® Windows® Small
> >> Business Server 2003
> >> http://home.comcast.net/~clearviewtc/
> >>
> >> --
> >> Merv Porter [SBS-MVP]
> >> ============================
> >>
> >> "Chad" wrote in message
> >>
> >> > Is there a way to provide wifi access to visiting clients just using a
> >> > wireless router? For example cablemodem - wireless router - sbs2003
> >> > (2
> >> > nic
> >> > standard) - switch - internal lan. Thanks
> >> >
> >> > "Owen Williams" wrote:
> >> >
> >> >> Bibbob:
> >> >>
> >> >> Following up on my earlier post (to Merv's response), I am using a
> >> >> configuration like this at one client's site so that an SBS2003
> >> >> network
> >> >> and a Guest PC can share a DSL Internet connection:
> >> >>
> >> >> +-------+
> >> >> |DSL Mdm| 192.168.1.1
> >> >> +-------+
> >> >> |
> >> >> +-------+ 192.168.2.1
> >> >> | Router| DHCP Server Enabled -
> >> >> +-------+ Exclude 1st 10 IPs
> >> >> | |
> >> >> | +-------------+
> >> >> | |
> >> >> |192.168.2.2 |
> >> >> | [Ext. NIC] |DHCP IP
> >> >> +-------+ +-------+
> >> >> |SBS2003| |GuestPC|
> >> >> +-------+ +-------+
> >> >> | [Int. NIC]
> >> >> |192.168.16.1
> >> >> |
> >> >> +--------+
> >> >> | Switch |
> >> >> +--------+
> >> >> | | | |
> >> >> | | | |
> >> >> [Domain PCs]
> >> >>
> >> >> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
> >> >> (192.168.2.2) is protected.
> >> >>
> >> >> "GuestPC" could be a Wireless Access Point with a STATIC address of,
> >> >> for
> >> >> example, 192.168.2.3 (which is used primarily for WAP administration).
> >> >> Then, guest PCs with wireless capabilities associate with the WAP and
> >> >> get an IP address from the (wired) Router.
> >> >>
> >> >> Since Wireless Routers are easier to find (and often less expensive)
> >> >> than WAPs, you can use one as a WAP provided you:
> >> >>
> >> >> - disable the DHCP server on the Wireless Router
> >> >> - connect an Ethernet cable from the (wired) Router to one of the
> >> >> switch
> >> >> jacks (there are most often 4) on the Wireless Router. Do NOT connect
> >> >> anything to the Wireless Router's "WAN" or "Internet" jack.
> >> >>
> >> >> -- Owen Williams
> >> >>
> >>
> >>
> >>
>
>
>
 >> Stay informed about: Allowing Visitor Internet access