University department network configuration help.

Posted on 2005-04-20
Last Modified: 2010-03-18
Hi everyone. Once again I am requesting help here to get a project done that was assigned to me. I hope I can get some good feedback, as in the past, to start working on the assignment. I will explain the current setup in the simplest possible way and the requirements at the end of the message:

Brief intro:

I work for a department in a college where the campus is an entire building (in NY).  

My department has offices in the 3rd and 9th floor.  

The main college IT department has control over the wires, routers, DNS, DHCP and SMTP in the entire building.

Our main department has offices on the 9th floor, where we set up a sub domain using Microsoft Active Directory. We run MS Exchange 2003 and Windows Server 2003 and have a whole bunch of web servers.

Our department has just under 300 workstations.

We have 2 DNS servers to help in name resolution in our department. These DNS servers forward requests to the main college DNS as well, but serve our purpose of internal name resolution within our sub domain fine.

We have set up 2 VPN servers on 2 separate Windows Server 2003 machines to access our internal subnet from outside and use MS Exchange; we are also testing RPC over HTTP.

Our subnet, and thus our entire network, is outside the DMZ zone. The college IT department has allowed our servers to be in the open because we manage our own security.

The 3rd floor offices connect to our servers on the 9th floor by using VPN as well, because the 3rd floor is within the College Firewall and inter-floor communication is blocked due to the Nimda virus and all the other worms that came out last year. Port 135 is definitely blocked and will not be opened by the college IT department by any means.


1) The 3rd floor computers keep disconnecting all the time, and access to files, databases, the Exchange server, etc. is interrupted throughout the day. This causes major conflicts and loss of data very frequently.

2) Because we do not manage our own DHCP, we cannot control the use of laptops in the department. People come to the laboratories with their home laptops and download all kinds of junk (porn, mp3, videos, games, etc.).

3) Since it is very easy to install a wireless router, most lab people have purchased these and plug them into an RJ45 jack to begin IP distribution to all wireless users who pick up the signal.


1) We need to implement a more stable solution for the 3rd floor offices to connect to our network. What do you suggest?

2) We need to find a way to control the use of the network by users who come in and plug in their laptops.

3) We need to implement an authentication scheme to control the use of wireless clients who are not authorized by us. I am thinking about using smart cards or 802.1x type authentication. We can go to all the labs and set up passwords and WEP on all devices, but it would be nice to have a centralized authentication setup in the domain using some type of GPO.

4) We need to implement an authentication scheme to control the use of laptops that users bring from home. I am thinking the same as in No. 3 above, but I just need some help in determining if this is the best solution and how we could implement it.

You have to take the following into consideration before you post your suggestions:

The college IT department WILL NOT help us in any way. They will not allow us control of DHCP, which would be useful to control IP addresses by MAC address.

The college IT department WILL NOT configure routers in any way to accommodate any request from us. We are on our own and these are the only tools we have.

I have not read much about these topics because I would like to get some ideas from any one of you who is willing to help me with this before I begin my search. I can then read your reference guides or get more information on any lead you can provide.

Thank you for your help.

Question by:carotech
    LVL 1

    Accepted Solution

    Your college IT department sounds pretty rubbish. You don't say whether you are the designated IT person for your department, but I think that you need to communicate better with them. If they're willing to let you maintain the security of your own servers, they should also negotiate further fixes. Remember that they are there to serve you, and technology shouldn't get in the way of doing your department's work/research. The arbitrary blocking of ports across floors is pretty inexplicable. If you're one department then you should be treated as one network wherever possible.

    I think I'd think about installing your own firewall and blocking DHCP, then setting up your own DHCP server restricted to known MAC addresses. This should help control unknown/uncontrolled laptops. I would suggest checking each laptop for Windows patches and an up-to-date virus checker before you allow it to get a DHCP lease. We do it here (a college in the UK).

    You need good policy documents in place which explain why people shouldn't be installing their own wireless kit (channel management, security, poor default settings etc) and then get the funding to install your own centrally managed wireless network. There are a number of products which will let you control access. I've just set up NoCat ( at my workplace.

    Sounds like a nightmare scenario - good luck!
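The "DHCP server restricted to known MAC addresses" suggested above, worked through as an added example (not the answerer's setup): a small Python helper that turns a departmental inventory into an ISC dhcpd configuration where only declared hosts are known clients and `deny unknown-clients` keeps the pool closed to everything else. It assumes the department's own DHCP server runs ISC dhcpd on the new firewall box; the subnet, addresses and inventory are constructed sample values.

```python
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or mixed case; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_dhcpd_conf(subnet: str, router: str, dns: List[str], pool: Tuple[str, str],
                     inventory: Dict[str, Tuple[str, Optional[str]]]) -> str:
    """inventory maps hostname -> (mac, fixed_ip or None). Every entry becomes a
    'known client'; 'deny unknown-clients' in the pool makes dhcpd ignore any other
    MAC, so an unregistered laptop gets no lease from this server at all."""
    net = IPv4Network(subnet)
    pool_lo, pool_hi = IPv4Address(pool[0]), IPv4Address(pool[1])
    seen_macs: Dict[str, str] = {}
    hosts = []
    for name, (mac, ip) in sorted(inventory.items()):
        mac = normalize_mac(mac)
        if mac in seen_macs:  # one MAC registered twice is a typo or a cloned address
            raise ValueError(f"{name}: MAC {mac} already registered to {seen_macs[mac]}")
        seen_macs[mac] = name
        block = [f"host {name} {{", f"  hardware ethernet {mac};"]
        if ip is not None:
            addr = IPv4Address(ip)
            if addr not in net or pool_lo <= addr <= pool_hi:
                # fixed addresses must be inside the subnet but outside the dynamic range
                raise ValueError(f"{name}: fixed address {ip} is not valid for {subnet}")
            block.append(f"  fixed-address {ip};")
        block.append("}")
        hosts.append("\n".join(block))
    conf = [
        "authoritative;",  # send DHCPNAK to clients arriving with a lease from another server
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"  option routers {router};",
        f"  option domain-name-servers {', '.join(dns)};",
        "  pool {",
        "    deny unknown-clients;",        # only the hosts declared below get an address
        f"    range {pool[0]} {pool[1]};",  # dynamic leases for known clients without fixed-address
        "  }",
        "}",
    ]
    return "\n".join(conf + hosts) + "\n"

# Constructed sample inventory; MACs and addresses are placeholders, not real data.
INVENTORY = {"ws-901": ("00-11-22-33-44-55", "10.9.0.21"), "lab-laptop-03": ("0011.2233.4466", None)}

if __name__ == "__main__":
    print(build_dhcpd_conf("10.9.0.0/24", "10.9.0.1", ["10.9.0.10", "10.9.0.11"],
                           ("10.9.0.100", "10.9.0.200"), INVENTORY))
```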

    Author Comment

    Thank you, NoCat is a very good resource page.    I'll wait for more ideas before distributing points.

    Yes, you are right when you say this is a nightmare, because it truly is.

