Solved
Shared office - How to allow users to access the internet but not our network

Posted on 2004-11-08
Last Modified: 2010-04-10
We have an office of about 40 staff but also have clients that come in and out, and we want to be able to give them access to the internet and a printer.
We have a Windows 2003 Active Directory network. The Windows 2003 Server is the DHCP, file and print server.
We don't want to have to create a user each time, so would like to have it so they can just plug in the network cable and go.
What is the best way to configure the network so that they can get access to the internet and a printer without compromising the security of our network, file servers etc.?
Question by:galtee25
13 Comments
 
LVL 2

Expert Comment

by:virtuoso1
ID: 12522896
You could set the printer up as a network printer in Active Directory.  Create the printer, and put it inside of an OU.  Right click on the OU, select New, and Printer.  Now type the path where it's shared, e.g. \\Server1\Printer1.  Maybe the printer OU.  You can then have users go to Start > Settings > Printers > Add Printer.  Next > Network Printer > Find in directory.  Find the printer, double click, and it is now installed on the end user's machine.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 12522958
I would create 2 VLANs.  One could be your internal "trusted" people, the other one could be "untrusted".  You could have an ACL control access from the untrusted to the trusted allowing printing service only.  The untrusted vlan could be allowed access out to the Internet.  Pretty easy.

If you have the infrastructure - port based authentication would be better.
0
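pseudocyber's two-VLAN design, with an ACL that lets the untrusted VLAN reach only the print service and the Internet, modelled as an added Python example (not code from anyone in this thread). The addresses, VLAN ranges, the print ports 9100/515 and the explicit DNS permit are my assumptions; the last one matters because guests who get DNS from the Windows 2003 server would otherwise be cut off by the "deny everything else into the staff network" rule.

```python
"""Ordered first-match ACL applied to traffic leaving the untrusted (guest) VLAN:
permit the print service and DNS on the staff network, deny the rest of the staff
network, permit everything else (the Internet). All values are constructed."""
import ipaddress
from dataclasses import dataclass

TRUSTED_NET = ipaddress.ip_network("10.0.10.0/24")    # constructed: staff VLAN
UNTRUSTED_NET = ipaddress.ip_network("10.0.20.0/24")  # constructed: guest VLAN
PRINTER = ipaddress.ip_address("10.0.10.50")          # constructed: JetDirect, static IP
DNS_SERVER = ipaddress.ip_address("10.0.10.1")        # constructed: the Win2k3 DHCP/DNS box
PRINT_PORTS = {9100, 515}  # raw JetDirect and LPD; assumption for "printing service"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def evaluate(flow: Flow) -> str:
    """Return 'permit' or 'deny' for one flow sourced in the untrusted VLAN."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in UNTRUSTED_NET:
        raise ValueError("this policy is applied on the untrusted VLAN only")
    rules = [  # ordered: the first predicate that matches decides
        (lambda: dst == PRINTER and flow.proto == "tcp" and flow.dport in PRINT_PORTS, "permit"),
        (lambda: dst == DNS_SERVER and flow.proto == "udp" and flow.dport == 53, "permit"),
        (lambda: dst in TRUSTED_NET, "deny"),   # nothing else into the staff network
        (lambda: dst.is_private, "deny"),       # no other internal ranges either
        (lambda: True, "permit"),               # whatever is left is the Internet
    ]
    for matches, action in rules:
        if matches():
            return action
    return "deny"

def demo() -> dict:
    """Constructed sample flows from one guest laptop; returns name -> decision."""
    flows = {
        "print": Flow("10.0.20.77", "10.0.10.50", "tcp", 9100),
        "dns": Flow("10.0.20.77", "10.0.10.1", "udp", 53),
        "smb_to_fileserver": Flow("10.0.20.77", "10.0.10.1", "tcp", 445),
        "printer_web_ui": Flow("10.0.20.77", "10.0.10.50", "tcp", 80),
        "web": Flow("10.0.20.77", "93.184.216.34", "tcp", 443),
    }
    return {name: evaluate(f) for name, f in flows.items()}
```

Note that the printer's own web admin page (TCP 80) is denied: "printing service only" means the print ports, not every service the printer host exposes.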
 

Author Comment

by:galtee25
ID: 12523471
Hi pseudocyber, sorry, I'm a bit new to this so need a lot more details. How do I go about setting up 2 VLANs, and where and how do I go about setting the ACL control access for the printers?
What infrastructure would I need for port based authentication if that's better (if very expensive or too complex, forget this option)?
The trusted and untrusted users need to be able to share the same network points (i.e. if someone isn't using their desk then the client needs to be able to just plug their laptop into the network cable, browse for a printer and go).
I've upped the points to 400 if anyone can step me through it.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 12523512
Setting up VLANs would be done on your network switches.  If you're going to allow untrusted people to sit at a trusted location and access the network, then the way to do it is to use the port based authentication - which is expensive (assuming you don't already have the gear to do it) and complicated.
0
 
LVL 88

Expert Comment

by:rindi
ID: 12524521
If your DHCP Server is set up correctly and you don't need a proxy to connect to the internet, the external clients should have internet connectivity once they are on the network. The easiest way to connect to a printer would be if that printer is connected directly to the lan (either via internal lan interface or via an external lan print-server). You should then assign that printer a static IP Address. You should then also be able to connect to that printer with any PC on the network without it having to have an account to the lan.
0
 

Author Comment

by:galtee25
ID: 12524672
Thanks rindi,
When you say the DHCP Server is set up correctly, how should it be set up?
The Windows 2003 Server is the DHCP, so if the user doesn't have an account in the Active Directory for our lan, will they still be able to see the internet but not able to see everything else in the domain, even if people have shared folders?
With the printer, if I buy say a HP JetDirect box and give it a fixed IP will both sets of users be able to browse to the printer to install it and print?
0
 
LVL 88

Accepted Solution

by:
rindi earned 1200 total points
ID: 12525063
With DHCP set up correctly I mean that it has everything necessary to pass on to clients, like the IP of DNS Servers, IP of the internet gateway, etc. It must also be able to supply IPs to enough clients (the scope must be large enough).

If those users aren't members of the domain, they shouldn't be able to connect to any of its resources (they will probably be able to see the server, but not connect to any resources on it) if you secured it enough (disable guest and anonymous accounts, but that should be default in win2k3 servers, etc).

With a jetdirect box the IP Address of the printer should be visible to any attached device (You can probably change the values of a lot of settings through the Jetdirect administration software).
0
 

Author Comment

by:galtee25
ID: 12532667
Thanks rindi, this solution sounds the easiest by far to implement. Are there any drawbacks I should know about, or why would one use port based authentication, as pseudocyber suggested, when it's this easy?
0
 
LVL 2

Assisted Solution

by:trymelatr
trymelatr earned 400 total points
ID: 12536131
I agree with rindi.  I think the port based authentication infrastructure and setup is more than you need.  Just DHCP the ip, netmask, gateway, and dns server out and set up the printer directly on the network with a Jet direct card and you'll have everything you need.

Make sure your virus protection is up to date if you are letting strange PCs onto your network.
0
 

Author Comment

by:galtee25
ID: 12553626
Thanks for all your help.
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 12554074
Part of your original question was, "What is the best way to configure the network so that they can get access to the internet and a printer without compromising the security of our network, file servers etc.?" and you asked, "why would one use port based authentication, as pseudocyber suggested, when it's this easy?"

Because it's not the BEST way to do it since you are compromising the security of the network - you're in the same situation we are in - anyone visiting can plug into a jack and BINGO, they're on the network - on the inside.  Granted, they don't have a network account, but there's plenty of mischief someone could cause without even getting into the servers - like throwing on rogue access points with DHCP enabled, duplicating IP addresses of key routers taking networks down, etc.

With port based authentication - you can dump your authenticated users into a full access vlan, and those that aren't can be put in a restricted vlan.

As long as your needs are met and the level of risk is acceptable to you.  Glad we could help.

:)
0
 
LVL 2

Expert Comment

by:trymelatr
ID: 12554439
Pseudocyber pointed out some very important things to think about.  You always need to weigh the risk with the cost.  If you have the money and time to implement the infrastructure then more secure is always better.
0
 

Author Comment

by:galtee25
ID: 12556742
Point taken on the security, most of the people coming in are high level clients that we bring over on business so while there is always a risk it isn't as great.

Still don't know how port based authentication works; is this done with a certain type of switches? If you have a link with info, please send it on.

Thanks again
0