Guest Networks


When you configure a guest network in your organization, you limit what it can access. Most likely you’ll allow only certain popular services (such as HTTP and HTTPS) to the outside world and block all incoming traffic into your network.

That is, the guest network cannot access the private internal network.

One thing to keep in mind when assigning the network details (IP, gateway, DNS, etc.) is to assign an external DNS to guest network clients.

They won’t have a problem as long as they are accessing sites and services outside your network but once they try to access anything within your network, there might be a problem.

If they are using your internal DNS to resolve names, they’ll have a problem when accessing, for example, your homepage or email page, since the internal DNS will resolve it to the internal IP and your firewall settings don’t allow guest users access to the internal network.

Whereas if you assign an external DNS, it’ll resolve to the public IP, so they’ll access your published sites and services like all other outside users, and you won’t have a problem. That will also save you the headache of configuring the firewall to allow guest users access to published sites and services via internal IP.

Each network has its own setup and configuration, but the outcome is the same.
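
The behaviour described above can be checked with a small model. This is an added example, not part of the original post; the hostnames, the addresses, the 10.0.0.0/8 internal range and the port list are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from the original post).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # private corporate ranges
GUEST_ALLOWED_PORTS = {80, 443}                        # guest egress policy

# Split-horizon DNS: the same name answers differently per resolver.
DNS_VIEWS = {
    "internal": {"www.example.com": "10.1.20.5", "mail.example.com": "10.1.20.6"},
    "external": {"www.example.com": "203.0.113.10", "mail.example.com": "203.0.113.11"},
}


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def guest_firewall_allows(dst_ip, dst_port):
    """Guest policy from the post: no access to internal ranges,
    only selected services (HTTP/HTTPS) towards everything else."""
    if is_internal(dst_ip):
        return False
    return dst_port in GUEST_ALLOWED_PORTS


def guest_can_reach(name, port, resolver):
    """Resolve `name` with the resolver handed to guests, then apply the firewall."""
    ip = DNS_VIEWS[resolver].get(name)
    if ip is None:
        return None, False          # name does not resolve at all
    return ip, guest_firewall_allows(ip, port)


def audit(resolver, port=443):
    """Return published names a guest cannot reach when using `resolver`."""
    names = DNS_VIEWS["external"]   # everything published to the outside
    return sorted(n for n in names if not guest_can_reach(n, port, resolver)[1])


if __name__ == "__main__":
    for resolver in DNS_VIEWS:
        print(resolver, "-> blocked for guests:", audit(resolver))
```

With the internal resolver every published name is blocked for guests; with the external resolver none is.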

  1. #1 by MBH on April 7, 2009 - 12:36 AM

    We have Cisco’s Network Admission Control (NAC). As soon as you hook up an Ethernet cable, you get to a page to download an application that inspects your machine to see if it contains the patches and applications (antivirus & its updates) required to access the network.
    If you meet the requirements, then you are authenticated, and when you are, only at that point you’re given an IP on the internal VLAN.

    But you brought up an interesting point, with using the internal DNS. I don’t think we have tested that scenario.

  2. #2 by Bloggylife on April 7, 2009 - 7:13 PM

    So did you test the scenario or not?

  3. #3 by MBH on April 7, 2009 - 9:10 PM

    Not yet. Haven’t been to the head office in a week. Probably next week.

  4. #4 by MBH on April 12, 2009 - 2:46 PM

    I asked the network admin and he said the person who logs in to the guest network will obtain an IP within our network, in an isolated VLAN that has access to the Internet only, and some permitted servers in the DMZ.

    The DNS server is the same as our internal one and it will report the permitted servers’ internal IP server.
