Shared office - How to allow users to access the internet but not our network

We have an office of about 40 staff but also have clients that come in and out, and we want to be able to give them access to the internet and a printer.
We have a Windows 2003 Active Directory network. The Windows 2003 Server is the DHCP, file and print server.
We don’t want to have to create a user each time so would like to have it so they can just plug in the network cable and go.
What is the best way to configure the network so that they can get access to the internet and a printer without compromising the security of our network, file servers etc.?



galtee25 Asked:

virtuoso1 Commented:
You could set the printer up as a network printer in Active Directory.  Create the printer, and put it inside of an OU.  Right-click on the OU, select New, and Printer.  Now type the path where it's shared, e.g. \\Server1\Printer1.  Maybe the printer OU.  You can then have users go to Start > Settings > Printer > Add Printer.  Next > Network Printer > Find in directory.  Find the printer, double-click, and it is now installed on the end user's machine.
0
pseudocyber Commented:
I would create 2 VLANs.  One could be your internal "trusted" people, the other one could be "untrusted".  You could have an ACL control access from the untrusted to the trusted allowing printing service only.  The untrusted vlan could be allowed access out to the Internet.  Pretty easy.

If you have the infrastructure - port based authentication would be better.
0
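
The untrusted-to-trusted filtering suggested in the comment above, modelled as a first-match ACL. This is an added example, not part of the original thread; the subnets, printer address, port list and sample flows are constructed assumptions. It also shows why the printer permit has to sit above the deny for the trusted network.

```python
import ipaddress

# Constructed addressing plan (assumptions, not values from the thread).
TRUSTED_NET = ipaddress.ip_network("10.0.10.0/24")    # staff VLAN, servers
UNTRUSTED_NET = ipaddress.ip_network("10.0.20.0/24")  # visitor VLAN
PRINTER = ipaddress.ip_network("10.0.10.50/32")       # printer with static IP
PRINT_PORTS = {9100, 515, 631}                        # raw/JetDirect, LPD, IPP
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules for traffic leaving the untrusted VLAN, checked top to bottom.
# Each rule: (action, destination network, protocol, destination ports);
# None means "any". DHCP and DNS for visitors are assumed to be served
# from outside the trusted VLAN (for example by the router).
GUEST_ACL = [
    ("permit", PRINTER, "tcp", PRINT_PORTS),  # printing service only
    ("deny", TRUSTED_NET, None, None),        # everything else internal
    ("permit", ANY, None, None),              # out to the Internet
]

def evaluate(acl, src, dst, proto, dport):
    """Return the action of the first matching rule; implicit deny otherwise."""
    if ipaddress.ip_address(src) not in UNTRUSTED_NET:
        return "deny"  # source is not a visitor-VLAN address
    dst_ip = ipaddress.ip_address(dst)
    for action, net, rule_proto, ports in acl:
        if dst_ip not in net:
            continue
        if rule_proto is not None and rule_proto != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"

def sample_results(acl=GUEST_ACL):
    """Evaluate constructed visitor flows against the given ACL."""
    flows = {
        "print job": ("10.0.20.15", "10.0.10.50", "tcp", 9100),
        "file share": ("10.0.20.15", "10.0.10.5", "tcp", 445),
        "printer web admin": ("10.0.20.15", "10.0.10.50", "tcp", 80),
        "internet": ("10.0.20.15", "203.0.113.10", "tcp", 443),
    }
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    print(sample_results())
    # Misordered ACL: the broad deny shadows the printer permit.
    print(sample_results([GUEST_ACL[1], GUEST_ACL[0], GUEST_ACL[2]]))
```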
galtee25 Author Commented:
Hi pseudocyber, sorry I’m a bit new to this so need a lot more details. How do I go about setting up 2 VLANs, and where and how do I go about setting the ACL control access for the printers?
What infrastructure would I need for port based authentication if that’s better (if very expensive or too complex forget this option)?
The trusted and untrusted users need to be able to share the same network points (i.e. if someone isn’t using their desk then the client needs to be able to just plug their laptop into the network cable, browse for a printer and go).
I’ve upped the points to 400 if anyone can step me through it.
0

pseudocyber Commented:
Setting up VLANs would be done on your network switches.  If you're going to allow untrusted people to sit at a trusted location and access the network, then the way to do it is to use the port based authentication - which is expensive (assuming you don't already have the gear to do it) and complicated.
0
rindi Commented:
If your DHCP Server is set up correctly and you don't need a proxy to connect to the internet, the external clients should have internet connectivity once they are on the network. The easiest way to connect to a printer would be if that printer is connected directly to the lan (either via internal lan interface or via an external lan print-server). You should then assign that printer a static IP Address. You should then also be able to connect to that printer with any PC on the network without it having to have an account to the lan.
0
galtee25 Author Commented:
Thanks rindi,
When you say DHCP Server is set up correctly, how should it be set up?
The Windows 2003 Server is the DHCP so if the user doesn't have an account in the Active Directory for our LAN will they still be able to see the internet but not able to see everything else in the domain even if people have shared folders?
With the printer, if I buy say a HP JetDirect box and give it a fixed IP will both sets of users be able to browse to the printer to install it and print?
0
rindi Commented:
With DHCP set up correctly I mean that it has everything necessary to pass on to clients, like the IP of DNS Servers, IP of the internet gateway, etc. It must also be able to supply IPs to enough clients (the scope must be large enough).

If those users aren't members of the domain, they shouldn't be able to connect to any of its resources (they will probably be able to see the server, but not connect to any resources on it) if you secured it enough (disable guest and anonymous accounts, but that should be default in win2k3 servers, etc).

With a jetdirect box the IP Address of the printer should be visible to any attached device (You can probably change the values of a lot of settings through the Jetdirect administration software).
0

galtee25 Author Commented:
Thanks rindi, this solution sounds the easiest by far to implement. Are there any drawbacks I should know about, or why would one use port based authentication, as pseudocyber suggested, when it’s this easy?
0
trymelatr Commented:
I agree with rindi.  I think the port based authentication infrastructure and setup is more than you need.  Just DHCP the IP, netmask, gateway, and DNS server out and set up the printer directly on the network with a JetDirect card and you'll have everything you need.

Make sure your virus protection is up to date if you are letting strange PCs onto your network.
0
galtee25 Author Commented:
Thanks for all your help.
0
pseudocyber Commented:
Part of your original question was, "What is the best way to configure the network so that they can get access to the internet and a printer without compromising the security of our network, file servers etc.?" and you asked, "why would one use port based authentication, as pseudocyber suggested, when it’s this easy?"

Because it's not the BEST way to do it since you are compromising the security of the network - you're in the same situation we are in - anyone visiting can plug into a jack and BINGO, they're on the network - on the inside.  Granted, they don't have a network account, but there's plenty of mischief someone could cause without even getting into the servers - like throwing on rogue access points with DHCP enabled, duplicating IP addresses of key routers taking networks down, etc.

With port based authentication - you can dump your authenticated users into a full access VLAN, and those that aren't can be put in a restricted VLAN.

As long as your needs are met and the level of risk is acceptable to you.  Glad we could help.

:)
0
trymelatr Commented:
Pseudocyber pointed out some very important things to think about.  You always need to weigh the risk with the cost.  If you have the money and time to implement the infrastructure then more secure is always better.
0
galtee25 Author Commented:
Point taken on the security, most of the people coming in are high level clients that we bring over on business so while there is always a risk it isn't as great.

Still don't know how port based authentication works, is this done with certain type of switches? If you have a link with info please send it on.

Thanks again
0