Solved

Wireless network design for work (exercise)

Posted on 2004-08-26
248 Views
Last Modified: 2013-11-12
Problem:
Ok, we need to deploy a wireless network for an exercise at work. This is going to be set up in a van. So obviously we will have to be able to connect to the WAN wirelessly.  We are going to be using satellite or possibly CDMA cell phone technology to do this. But I am open to suggestions. We need to be able to hit the WAN, then log into our company's VPN from there (pptp).

Goal:
 For all clients to be able to access the company's VPN wirelessly in the event of an emergency. (Will be using the laptop with CDMA card as their gateway to WAN, or anything else you can suggest that doesn't require a network drop.) It is a PPTP VPN they need to hit.

Last time we did this, we had a Verizon CDMA card in a laptop. The CDMA card was shared (ICS enabled). A wireless access point was then attached to the ethernet interface on the laptop. This allowed all clients to connect to the WAP and use the laptop's internal interface (ethernet interface) as their gateway. Diagram here http://mvpbaseball.cc/wireless.jpg

That worked great, but now my boss wants to incorporate some type of "site VPN"? into the mix. I don't know what that is, but apparently it allows all clients to log into one (local) central router, that automatically connects them to the company's VPN?


Any insight appreciated
Thanks
Question by:dissolved
15 Comments
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902599
If your PPTP server is Internet facing, your old solution would work. Clients connect to the WAP and are ICS'ed to the internet via the CDMA modem and authenticate on the VPN server.

It would be slow but would work in a crunch.

Kent
 

Author Comment

by:dissolved
ID: 11902663
Ok thanks. Any idea on what a site vpn is and how it would be incorporated in this lan?
Thanks

ps: Open to any design suggestions
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902712
A site to site VPN is one to which the users would not need to authenticate. It would seem just like a WAN link to them. Your Windows box would then be acting as a router.

That would work but your wireless network should be encrypted then as that would open your network to the public effectively.
 

Author Comment

by:dissolved
ID: 11902753
So for site to site VPN, the users would authenticate to a local router. Which in turn, would authenticate to the VPN server (over the WAN). That way, when the users go to hit the WAN, they are not prompted for credentials and are automatically logged into our VPN?
 
LVL 7

Expert Comment

by:EmpKent
ID: 11902784
Not quite. Users would connect to your WAP in the van which would already be part of your domain. Just like a branch office would. They would not need to authenticate to anything near the van, just the domain controller back at the office.
 

Author Comment

by:dissolved
ID: 11902980
Hmm, kind of confused.
Ok, from my understanding there are two ways for users to hit the company VPN

1. Having the wireless card hit the WAN. Have each individual user use their client VPN software to connect over the CDMA link

2. Having the laptop(acting as router) authenticate to the VPN for us. Therefore, clients are automatically authenticated when they hit the wap?
 
LVL 7

Expert Comment

by:EmpKent
ID: 11903020
Almost. In the site to site setup, there is no automatic authentication. Users would need to authenticate on the domain (if that is the way they do it in the office); they would never see a VPN...

You would want to make sure that your WLAN is secure as if it were wide open, anyone walking by could get an IP on your network.
 

Author Comment

by:dissolved
ID: 11903195
So site to site VPN is a direct connection to your company's VPN? So you wouldn't need client VPN software on the clients to get in? I'm confused as to how they would be able to log in without using software?
 
LVL 7

Accepted Solution

by:
EmpKent earned 500 total points
ID: 11903248
Think of the laptop being just like a router with a leased line running to head office. Users would be unable to tell the difference aside from speed.

This is probably what your manager is talking about although I am not certain it is a better solution. Well, maybe... Once it is setup, you could just leave it in the van until there is an emergency.
 

Author Comment

by:dissolved
ID: 11903320
OK, I read ya, I read ya. Just one question. The laptop acting as router is going to be connecting via wireless CDMA. It won't be a direct connection to our company. Rather, we are using the internet to access the VPN.

My brain hurts
 
LVL 7

Expert Comment

by:EmpKent
ID: 11903337
You got it.

Brain pain is good. Limbers you up...
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11904414
In a "client" VPN, each client authenticates back to the server on the far end of the WAN link.

In a "site" VPN, *one* box on this side of the WAN link authenticates back to a server/router at the far end, and all traffic from local clients travels over that single encrypted link (which is why the far end needs to act as a router). Authentication of clients could be handled at either end.

Ideally, clients should still be doing a client VPN, or something equivalently secure, but that only needs to go to the local box and not all the way to the far end of the WAN link.  The exercise may be motivated by trying to get client VPN complexity off of the individual client machines, but WEP is probably not sufficient, and anything less is just not acceptable.
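The two designs PennGwyn contrasts, as an added example that is not part of the original thread: a small model of the van laptop's forwarding decision, written in Python rather than Windows ICS. Every address, interface name and prefix is a hypothetical assumption: the WLAN behind the WAP is 192.168.0.0/24, the CDMA card is `cdma0`, the laptop's single PPTP tunnel to head office is `ppp0`, head office uses 10.0.0.0/8, and the PPTP server's public address is 203.0.113.5. In the client-VPN design the laptop only NATs Internet traffic and each client runs its own PPTP session; in the site-VPN design the laptop routes the corporate prefix into its own tunnel, so whether a client is checked locally decides who gets into head office.

```python
"""Model of the van laptop as a gateway under the client-VPN and site-VPN designs.

Added example, not code from the original thread. All addresses, interface
names and prefixes below are hypothetical assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

WLAN = Net("192.168.0.0/24")        # clients behind the WAP (assumed)
CORP = Net("10.0.0.0/8")            # head office address space (assumed)
VPN_SERVER = "203.0.113.5"          # public PPTP server address (assumed)


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str


class Gateway:
    def __init__(self, routes: Iterable[Route], wlan: Net,
                 allowed: Optional[Iterable[str]] = None):
        # Longest prefix first, so 10.0.0.0/8 via the tunnel wins over 0.0.0.0/0 via CDMA.
        self.routes: List[Route] = sorted(
            routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.wlan = wlan
        # Clients the gateway itself has authenticated; None means no local check,
        # which is the "anyone walking by gets in" situation the thread warns about.
        self.allowed = None if allowed is None else {IPv4(a) for a in allowed}

    def route(self, dst: str) -> str:
        """Longest-prefix-match lookup: returns the egress interface."""
        addr = IPv4(dst)
        for r in self.routes:
            if addr in r.prefix:
                return r.iface
        raise LookupError(f"no route to {addr}")

    def forward(self, src: str, dst: str) -> str:
        """Decide what happens to a packet arriving from the WAP side."""
        s = IPv4(src)
        if s not in self.wlan:
            return "drop: source not on the WLAN"
        if self.allowed is not None and s not in self.allowed:
            return "drop: client not authenticated to the gateway"
        iface = self.route(dst)
        if iface == "ppp0":
            # Site VPN: into head office over the laptop's tunnel, no per-client
            # credentials asked at this hop. It looks like a leased line.
            return "tunnel via ppp0"
        # Ordinary Internet traffic: NAT it out the CDMA card, like ICS does.
        return f"masquerade via {iface}"


def client_vpn_gateway() -> Gateway:
    """Design 1: laptop only shares the CDMA link; clients run their own PPTP."""
    return Gateway([Route(Net("0.0.0.0/0"), "cdma0")], WLAN)


def site_vpn_gateway(allowed: Optional[Iterable[str]] = None) -> Gateway:
    """Design 2: laptop holds one PPTP tunnel and routes the corporate prefix into it."""
    return Gateway([Route(Net("0.0.0.0/0"), "cdma0"), Route(CORP, "ppp0")],
                   WLAN, allowed)


if __name__ == "__main__":
    open_site = site_vpn_gateway()
    print("walk-by client, open site VPN:", open_site.forward("192.168.0.99", "10.1.2.3"))
    checked = site_vpn_gateway(allowed=["192.168.0.10"])
    print("walk-by client, checked site VPN:", checked.forward("192.168.0.99", "10.1.2.3"))
    print("client VPN design:", client_vpn_gateway().forward("192.168.0.10", VPN_SERVER))
```

In the client-VPN design the gateway never sees a packet addressed to 10.x.x.x; it sees the client's PPTP session to the server's public address and NATs it like any other Internet traffic. PPTP carries its data in GRE (IP protocol 47) alongside TCP port 1723, so whatever does that NAT has to pass GRE as well, not just TCP. In the site-VPN design the `allowed` set stands in for whatever local control (WPA/RADIUS, a client tunnel to the laptop) decides who may use the shared link.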
 

Author Comment

by:dissolved
ID: 11906229
So we need to have a local network device that authenticates for the VPN. What would a device like this be called? And where could it be placed in my above diagram?
Thanks
 
LVL 7

Expert Comment

by:EmpKent
ID: 11906317
That will be your laptop which is multi-homed with the WAP and the CDMA modem. PennGwyn was clarifying the differences between client and site to site VPNs.

He is also reiterating that this solution is not the most secure. You would be safer to simply create the laptop as a router to provide the wireless clients with Internet access through the CDMA and then have them establish client tunnels.

If this is for an emergency situation, WEP might be enough. It is a judgement call, really.
 

Author Comment

by:dissolved
ID: 11906830
Using WPA w/ RADIUS server for authentication, not broadcasting SSID, the usual stuff, etc.
Thanks guys.
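The WPA-with-RADIUS choice the author settles on, as an added example that is not part of the original thread: the shared-secret mechanics between the access point (the RADIUS client, or NAS) and the RADIUS server, per RFC 2865. It uses the basic User-Password exchange rather than the EAP-Message attributes an 802.1X/WPA-Enterprise access point actually carries, so it shows how the NAS secret hides the password and how the Response Authenticator lets the NAS reject a reply from anyone who does not know that secret; the EAP case uses the same authenticator check. The usernames, passwords and secrets are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept with a shared NAS secret (RFC 2865).

Added example, not code from the original thread. Users, passwords and the
shared secrets are constructed test data.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_request(ident: int, username: bytes, password: bytes,
                  secret: bytes, authenticator: bytes) -> bytes:
    """What the access point sends when a client presents credentials."""
    attrs = attr(ATTR_USER_NAME, username) + \
        attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side check: a reply from someone without the secret fails here."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def server_handle(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """RADIUS server side: recover the password, check it, answer."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = parse_attrs(request[20:length])
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    ok = hmac.compare_digest(users.get(attrs[ATTR_USER_NAME], b"\xff"), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def authenticate(username: bytes, password: bytes, nas_secret: bytes,
                 users: Dict[bytes, bytes], authenticator: Optional[bytes] = None,
                 server_secret: Optional[bytes] = None) -> bool:
    """One round trip as seen from the access point. Raises if the reply does
    not verify, which is what happens when the two sides' secrets differ."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    request = build_request(0x2A, username, password, nas_secret, authenticator)
    response = server_handle(request, server_secret or nas_secret, users)
    if not verify_response(response, request, nas_secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    users = {b"van-client": b"correct horse battery staple"}   # constructed
    print(authenticate(b"van-client", b"correct horse battery staple", b"nas-shared-secret", users))
```

The weak point in this exchange is the NAS secret: anyone who captures the Access-Request on the wire between the access point and the server can run a dictionary attack on the hidden password offline if the secret is guessable, and anyone who knows it can forge an Access-Accept. Keep it long and random, and keep the AP-to-server path off the wireless segment.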
