VPN Installation

Standards-

Wireless standards have stabilized substantially in recent years. The older 802.11a, 802.11b, 802.11g, and 802.11N standards are well accepted. While you still need to make sure that the hardware in your network will support whichever standard you decide to use, the odds are good that if you're OK with the speeds the standard provides, you're not going to have to worry about what will and won't work on your network.

802.11a – Up to 54Mb/s 75’-100’ Indoor range 5Ghz

Least used technology due to the cost when it was initially adopted. Now it’s cost is not much more than b or g. Since the 2.4 GHz band is heavily used to the point of being crowded, using the relatively unused 5 GHz band gives 802.11a a significant advantage. However, this high carrier frequency also brings a disadvantage: the effective overall range of 802.11a is less than that of 802.11b/g.

802.11b – Up to 11Mb/s 125’-150’Indoor Range 2.4Ghz

The dramatic increase in throughput of 802.11b (compared to the original standard) along with simultaneous substantial price reductions led to the rapid acceptance of 802.11b as the definitive wireless LAN technology.

802.11b devices suffer interference from other products operating in the 2.4 GHz band. Devices operating in the 2.4 GHz range include: microwave ovens, Bluetooth devices, and cordless telephones.

802.11g – Up to 54Mb/s 125’-150’ Indoor Range 2.4Ghz

This works in the 2.4 GHz band (like 802.11b), and was rapidly adopted by consumers when it was released in 2003. It shares the same bandwidth as the 802.11b standard, and also most standard wireless adapters support b/g. 80211.g still suffers like 802.11b in that even devices like wireless keyboards can affect its signal.

802.11n – Up to 300Mb/s 200’-230’ Indoor Range 2.4/5Ghz

802.11n is a recent amendment which improves upon the previous 802.11 standards by adding multiple-input multiple-output antennas (MIMO). 802.11n operates on both the 2.4GHz and the lesser used 5 GHz bands. It has the longest range and also the least interference of all of the standards.

 Note that in some cases, using different standards at the same time can hurt your network's performance. If blazing-fast performance is your number one priority for your wireless network, only allow 802.11n connections.

Security-

A wireless network creates security problems that wired networks don't have to face. Potential attackers can sit outside of your building, point an antenna, and potentially access everything you've got. It's well known in security circles that some attempts at wireless security are virtually pointless—it's said that the Wired Equivalent Privacy (WEP) standard has been completely cracked and a determined attacker can get through WEP protection in under a minute.

An enterprise environment should definitely support the Wi-Fi Protected Access 2 (WPA2) encryption standard. You might have older wireless equipment that isn't compatible with WPA2, but the risk of leaving your network exposed isn't worth taking for old equipment. Keep the older, pre-WPA2 equipment in mind, however—if you have older laptops or expect on-site guests with them, you'll need to provide an alternative, like a wired network.

Encryption isn't the only defense for your wireless network. Most enterprise-class wireless routers support VPN tunnels, and other features such as integration with a security suite are common. Remember that you have to protect your network, but also remember that advanced security features often carry a performance cost, so carefully balance your networks.

Performance-

Modern wireless routers can handle many simultaneous connections and lots of bandwidth, a major difference from less expensive SOHO routers. Plan ahead and know how much bandwidth and how many connections you'll need, though, because high-bandwidth applications and reliable connections are more vital as laptops and netbooks become more popular than desktops, even in enterprise settings.

An important consideration for wireless performance is range, but unfortunately your building, not your router, is probably going to be the biggest factor in range. It's probably not feasible to change your building's layout and construction materials for the sake of a wireless network, so plan to install repeaters for your wireless signal.

What Are Your Needs-

Wireless technology has advanced quickly in the last few years, so if you need a wireless network to perform certain task, chances are the equipment you need is available. The prices for wireless equipment vary by huge amounts, however, so take a thorough inventory of what you want to connect to your wireless network now and what you'll want to connect in the future.

What is your companies Network Security Policy? If you don't have one I suggest your perform Network Security Assessments and make sure that your putting the best effort you can into maintaing your data's safety.

Remember that you'll probably be connecting much more than laptops to your wireless network. Wi-Fi enabled smart phones are the norm now, and even devices such as media players and video game consoles have wireless access. There's no telling how people will want to use your wireless network in the next few years. SkyByte Consulting can assist with any of your companies network security projects from Cisco ASA firewalls, to Checkpoint support, VPN installations, and even performing network security assessments. 

Recently I had the chance to migrate a Forefront Threat Management Gateway 2010 RC environment over to the TMG 2010 RTM SP1. The RC had been developing some issues and it was time to install with the full produciton release. The server was only needed for reverse proxy for a SharePoint implementation.

Our users access SharePoint sites and our InfoPath form in 1 of 3 different ways:

Via the Intranet: http://sharepoint.mycompany.com
Via the Extranet: http://sharepoint.mycompany.com
Via the TMG 2010 Server: https://sharepoint.mycompany.com

The form is set to domain trust, published from InfoPath as a site content type and associated with a SharePoint document library (browser compatible) at https://sharepoint.mycompany.com

After setting up TMG and verifying that people could access the sites externally and internally I turned to testing the functionality of the site and the forms located within.

When accessing externally I noticed that approving published documents tied to the workflow would generate an InfoPath error stating "The form cannot be submitted to the Web server either because your computer is offline or because the host server is currently unavailable. If this problem persists, contact your network administrator." Internally the forms would work flawlessly, but that was due to TMG only handling the external traffic.

This was perplexing because it worked in the previous RC version of TMG. Now it was time for troubleshooting SharePoint and how the TMG communicated the host headers when accessing the forms.

After some looking and testing I noticed on closing the form users were then redirected to https://sharepoint.intranet (the URL that the form is published to in InfoPath) which of course they could not access. I looked around on the Internet and found some articles on this exact problem but they were relating to ISA Server 2004 and 2006.

I tracked it down via View Source on the InfoPath web form. There's a javascript array variable in there called "g_objCurrentFormData", which contains some URL strings. I guess InfoPath is using these as part of the submit process.

If these domain strings in "g_objCurrentFormData" don't exactly match the domain in which the form is being viewed, **including the https!** then the submit will be blocked (....browser-level prevention of cross-domain shennanigans, I suppose.)

Oddly enough the forward slashes are encoded by InfoPath as u002f.... in case you didn't guess.

In our case, the form was hosted at our SharePoint site https://sharepoint.mydomain.com, but the javascript strings showed "http:u002fu002fmydomain.com", i.e. missing the "s". The Link Translation Rule converted these into "https:u002fu002fmydomain.com", which did the trick.

Running Fiddler before and after the Link Translation Rule was defined showed....
Before:
No Fiddler traffic on submit.
After
A POST to the SharePoint domain on submit!

The Solution:

Create a link translation in your Rule for your published SharePoint site with the InfoPath form.

From: http:u002fu002fsharepoint.mydomain.com
To: https:u002fu002fsharepoint.mydomain.com

Also leaving the

From: http://sharepoint.mydomain.com
To: https://sharepoint.mydomain.com

So you should show both entries in your link translation.

Skybyte Consulting is Chicago's premiere IT consulting firm. We provide local area network design, disaster recovery solutions, Cisco IP Phone Support, Cisco ASA Firewall support, Checkpoint support, VPN installation, (SAN) storage area network support and much more!

DirectAccess is a new technology in Windows 7 that eventually may replace traditional VPN installation solutions such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol/Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP). DirectAccess is an automatic connectivity solution that allows clients running Windows 7 to connect seamlessly to the corporate intranet the moment they establish any Internet connection. The adoption of DirectAccess will not occur overnight. Organizations have to make major changes to their network infrastructure, adopt new server and client technologies, and fully change over form IPv4 to IPv6.

DirectAccess is an always connected, IPv6, IPsec VPN connection. If Configured properly a computer or laptop is able to connect to the Internet, and direct access automatically connects the machine to their corporate network. DirectAccess differs from other VPN solutions in the following ways:

• The connection process is automatic and does not require user to do anything. The DirectAccess connection process starts from the minute the computer connects to an active Internet connection. To the user it appears that they are always connected to the company's intranet, whether they are sitting in the office or they are in their hotel room on a business trip. Traditionally, users must initiate VPN connections to the corporate intranet manually.

• DirectAccess is bidirectional, with servers on the intranet being able to interact with the client running Windows 7 in the same way that they would if the client was connected to the local area network. In many traditional VPN solutions, the client can access the intranet but servers on the intranet cannot communicate with the client. DirectAccess provides administrators with a more granular way of controlling what intranet resources are available to remote users and computers. Administrators can integrate DirectAccess with NAP to ensure that remote clients remain up to date with virus definitions and software updates. Administrators can also apply network security policies to isolate servers and hosts.

As you can see DirectAccess is a very useful technology for the corporate user. Although it will require most companies to upgrade their network infrastructure, the simplification of the users involvement compared to a typical VPN installation might outweigh the work involved to implement DirectAccess.

SkyByte is a security based service and solution provider dedicated to the delivery of secure data communications, risk management, data integrity and corporate privacy. SkyByte offers a wide array of IT consulting services such as the design and maintenance of firewalls, VPNs, LANs, WANs, VMware server virtualization, messaging systems and secure wireless networks.