Wireless posturing at branch sites

Similar Messages

• Moving wireless controllers to another site

  I am planning to move our WLC's (5508) from a branch site to HQ so that all branch site APs will just report centrally in the HQ.
  There are two WLCs working as Active/Standby. Plan is to move one then the other. Any plans, tips or advise on how I could accomplish this?
  I am not really inclined with wireless.

  Its pretty simple... You move one and make changes to that WLC (IP address, etc) and then configure the mobility group to reflect the new ip address of the WLC.  Then you would change the ap's primary wlc to be that of the one that will stay (just in case) and set the secondary to the one that will move.  Verify that the mobility is up between the two WLC's after you move the on to HQ.  When you have connectivity between the two WLC's and the mobility is up, go ahead an set the primary to one of the AP's to the WLC at HQ's and the secondary to the WLC that didn't move.  If the AP's joins the WLC at the HQ, you are good to go to make the changes to all the other AP's (of course if you have enough license).  Then do the same procedure with the other WLC.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008064a294.shtml

• Static PAT entry blocking Branch site from accessing resource on same port. How to get around this?

  Hello, I have a UC560 and UC540 connected using an IPSec Site to Site tunnel.
  There is a server on the main site they are trying to access (lets say IP is 192.168.1.252) and they need to access this server on ports 13000, 14000, and 15000.
  Unfortunately, since there are users from the internet and other places that need to access this server on these ports, these static pat entries are in the server (Lets say 99.99.99.99 is the WAN IP):
  ip nat inside source static tcp 192.168.1.252 13000 99.99.99.99 13000 extendable
  ip nat inside source static tcp 192.168.1.252 14000 99.99.99.99 14000 extendable
  ip nat inside source static tcp 192.168.1.252 15000 99.99.99.99 15000 extendable
  The users in the branch site that is connected via VPN can reach this server on all TCP ports(RDP, http, etc) so that's not the issue. When I remove these nat statements, the VPN users can access the resource via that port (I.e telnet 192.168.1.252 13000 ) whereas they are shut down and connection fails if the static pat entries are in there.
  I need to have outside users and VPN users be able to access this server whether they are coming in across the VPN goin to 192.168.1.252:13000 or coming in from the internet on 99.99.99.99:13000
  Is there a way around this other than forcing the VPN users to access this server via the WAN IP for these ports? And does anyone know the logic behind this? I'm curious. From what I've seen in other cases, this is expected behavior, I'd just like a better understanding of it.
  Any help on this would be GREATLY appreciated! Thank you

  I hope I explained this properly. If not, please let me know!
  Thanks

• I bought a new MacBook Pro several months ago.  I keep losing my wireless connection (my wife, sitting several feet from me has no problem with her iPad2).  I find the quickest fix ix to turn Airport off and back on.  Very annoying.   Suggestions please?

  I bought a new MacBook Pro several months ago.  I keep losing my wireless connection (my wife, sitting several feet from me has no problem with her iPad2).  I find the quickest fix ix to turn Airport off and back on.  Very annoying.   Suggestions please?

  What kind of wireless router are you using? more importantly which protocol are you connecting with? Are you and wife connecting using the 2.4Ghz band? or do you have a dual band router that offers the 5GHZ band?  Are you both connecting vie 802.11 a/b/g or n?
  The best thing to do is to go into SYSTEM PREFERENCES and select NETWORK, then select AIRPORT and click on the ADVANCED button.
  Under the AirPort tab you should delete all the preferred networks and only add back in your network with the proper security settings and passwords.
  If you hold down the option key on your keyboard while clicking on the airport icon at the top on your macbook pro. you'll seesome data that will tell you what band and mode you're connecting at, as well as in an indication of signal strength (RSSI) if you write down and post back that information it'll tell us what's going on.

• How many Domain Controllers required to support Branch sites?

  We are planning to place 1 Domain Controller at HQ
  with one RODC at each branch location.
  There would be no more than 10 users at each branch location, none of which would be physically located at the branch site.  They would all be transient.
  My question is with only 5 possible Branch locations will 1 DC be able to support this environment?  I realize
  normally there would be two DCs at HQ for redundancy
  but that is not an issue for this scenario.
  Thank you,
  Barb
  bc

  Hi,
  About placing a domain controller in the branch office or not. This is decided mostly by the quality of the wide area network (WAN) link between your branch office and the hub site. If the WAN is highly reliable and available and if the performance of directory-enabled
  applications and logons in the branch office is acceptable, you do not have to place a domain controller at that branch office location.
  Deciding Which Type of Domain Controller Meets the Needs of a Branch Office Location
  http://technet.microsoft.com/en-us/library/dd736142(v=ws.10).aspx
  Regards.
  Vivian Wang

• Branch office Exchange 2010 Role base administration control for branch site administrator

  Dear sir,
       Customer has a Exchange 2010 Main and Branch office environment:
  - Main office Exchange 2010 CAS x2 +HTS & Mailbox x2  (Server1,2 & Server 3,4)
    (Main office administrator:domain1\administrator) - DAG1
  - Branch office Exchange 2010 CAS+HTS x2 & Mailbox with DAG x2 (Server5,6 & Server7,8
     (Branch Administrator: domain1\badmin) - DAG2
       Customer would like to know what is the role which permission should grant / delegate for ID: badmin in order to manage Exchange server 5,6,7,8 ?  (with manage user account and performance in DAG2 failover & branch exchange server)
  Regards,
  Joe Tam

  Dear Brian,
     I have try in my lab to scale down into 2 x Server in 1 AD Single Domain And Single Forest.  It still have many unexpected behaviour, can you please suggest whether it is a design or bug of Exchagne 2010 SP1?
  Procedure:
  ============================================================================
  Exchange 2010 Role Delegation Problem: (Single AD, Single Site)
  Environment:
  Server: Windows 2008 R2 AD x1 + (CAS+HTS+Mailbox) Server x1
  AD Server: AD1
  Exchange2010 Server : EX2010 (with SP1) – Member Server Joined to testdomain1.net
  Domain Name: testdomain1.net (NETBIOS: TESTDOMAIN1)
  In AD,
  Login as domain administrator: Testdomain1\administrator
  1. Create an Organization Unit OU1.
  2. Create User User1 under OU1
  3. Delegate User1 to allow create user in OU1
  Select all item in “Delegate the following common tasks:
  In Exchange 2010 Server,
  Login as domain administrator: Testdomain1\administrator
  1. Rename existing database name to HKDB1
  2. Create a new database AUDB1 in EX2010 Server:
  AUDB1 Create Done.
  Assign testdomain1\User1 as Exchange 2010 local administrators group.
  Logoff Testdomain1\administrator and Login Testdomain1\User1
  Open Exchange EMC: (Failed, because no user management roles is grant).
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  Open Exchange 2010 PowerShell:
  Delegate User1 to allow perform recipient management in HKDB1 only:
  ====================================================================
  New-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Eq 'HKDB*' }
  $RoleGroup = Get-RoleGroup "Recipient Management"
  New-RoleGroup "HKDBRecipientManagement" -Roles $RoleGroup.Roles -CustomConfigWriteScope "HKDBSCOPE"
  Add-RoleGroupMember “HKDBRecipientMANAGEMENT” -Member User1
  ====================================================================
  Result:
  In Exchange 2010 Server, logon as domain user: Testdomain1\User1
  Open Exchange Management Console: (User1 able to open EMC now)
  Perform Create User User2 in OU1 with Mailbox located in HKDB1
  Mailbox Creation Failed because it cannot match the Database name = HKDB*
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  In Exchange Management Shell, enter:
  Set-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Like 'HKDB*' }
  Logoff Testdomain1\administrator, Login Testdomain1\User1
  Open Exchange Mangement Shell and Create User2 again.
  Create user successfully.
  Perform create User User3 in OU1 with Mailbox located in AUDB1
  User3 Creation Failed because it is not meet the Database restriction of User1 – Like HKDB*
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  Open Exchange Management Console, create User3 in AUDB1
  Create User3 in Users Container, by administrator ID.
  Logoff Testdomain1\administrator, Login Testdomain1\User1
  Perform mailbox remove of User2
  User2 mailbox remove successfully.
  Perform deletion of User3
  Mailbox User3 Remove Successfully.
  Why User3 is allowed to deleted mailbox which is located in by using delegated of User1?
  Moreover, it found that User3 properties can also be changed by using User1. Why?
  Does it mean delegation cannot handle delete operation?
  In Active Directory User and Computer: User2 is deleted successfully by using User1 ID.
  In Active Directory User and Computer: User3 is also deleted successfully by using User1 ID.

• Best wireless deployment at Remote Sites - designe

  Dears,
  I have many remote sites with Hub and Spoke topology, and I have Cisco wireless controller 5508 on our HQ serve the wireless network at HQ (approximate 25 Aps)
  The business need to deploy the wireless on RSs for public customer (not for employees).
  I have concerns about security if we going to terminate the SSID - for public- at Remote sites toward HQ over WAN connections (viruses, malware, sniffing … etc.) to control it using our Cisco wlc even if I terminate the vlan represented this SSID toward our firewall (on dedicated DMZ), and congestion will happen since this SSID will be used by the public (Non-employees persons).
  Please your kind suggestion.
  Thanks in advance

  Hi,
  For you scenario.
  Below deployment will work
  http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html

• Wireless guest and HTTPS sites issue

  Dear all,
  I'm experiencing an issue with wireless guest, when accessing a site with https, the traffic is not intercepted by my controller, http sites are intercepted without any issue, I've found a document where this issue is mentioned as bug ID CSCar04580
  http://cisco.biz/application/pdf/paws/108501/webauth-tshoot.pdf
  could you please let me know what the fix is?
  Thanks,

  Thanks for the feedback, however I've added the 443 port and the traffic
  is still not redirected.
  AP Fallback ................................ Enable
  Web Auth Redirect Ports .................... 80,443
  Fast SSID Change ........................... Disabled
  802.3 Bridging ............................. Disable
  Any other suggestion?
  Thanks,
  Aziz

• Wireless deployment on remote site

  Hi all,
  I will deploy a 4400 series WLC and APs in HQ and about 10 remote sites soon. I have some requirments, the HQ and remote sites are running VPN, the WLC will be placed in HQ, the AP will run H-REAP mode and each site will have 2 SSID, one for public, one for internal. My question is, should each site use same SSID and subnet or create different SSID and subnet for the remote sites? Please help. Thank you.

  Kam,
       I'd go with all sites using the same SSID.  This will make the management easier, 2 SSID instead of 22( 20 remote, 2 local).  It will also make it easier if you have people that visit to a different site, they will already have a profile created to connect to the wireless.
  HTH,
  Steve
  *Please remember to rate helpful posts*

• Wireless Data Account Linked to FIOS Account -Can't Access Wireless Data on Web Site

  First: I am absolutely furious at your voice jail system. It keeps sending me down completely inappropriate rabbit holes. If I'm lucky, I eventually stagger back to where I started.
  Your tech support reps should be extremely concerned about this, as it practically guarantees that their customers will be furious by the time they finally get a human being.
  Google "Picadores". That's what your voice jail system is.
  Next, I have had a wireless data account connected to my FIOS account for quite some time. I need to make some changes to it (read: Give Verizon more money).
  However, your system absolutely refuses to let me access the Wireless account. Instead, it keeps dumping me back to the FIOS panel.
  It's a real mess.
  Please consider fixing it.
  I like Verizon for this (even though you are expensive). However, T-Mobile is looking better every day...

  I had previously complained about the Web site delinking my Wireless account from my FIOS account, effectively "cloaking" my Wireless account.
  I wanted to add a note about how I think that it may have been connected to the passwords (but not the user ID) being different, but then I ran into an "authentication error" that would not let me post a reply to my own post.
  This was a stubborn error. As far as I know, it will still happen if I try to reply to my own post.
  As a Web developer, I fully appreciate the difficulty and scope of the enterprise portal you guys are running, but I also appreciate the requirement for good user experience.
  Also, the plethora of obvious bugs makes me nervous, as we all know that site bugs are usually vectors for hacks. I wonder how many hackers you have roaming around in your admin area?

• One Wireless Profile for Multiple Sites

  Hello,
  I was wondering if someone can help me get my head around what I am trying to do and whether or not it is even possible.  The goal is to give our users the ability to go to any of our locations (which are connected via circuits) with a Cisco 7925 phone and have it function.  So in essence we want to have a single Network Profile so the user doesn't need to do anything to the phone for it to function if the move between locations.  We are using a 5508 Controller w/ 3502 APs.
  So at our main location I have an SSID created, which is bound to an interface I created on the controller in our Voice VLAN.  This works great, the phones pickup an IP in the block and everything functions as it should.  My confusion is how do I create the same SSID / security parameters for each of our other locations, so if they leave our main site with the phone and goto the other location it sees the SSID, associates and then picks up an IP address in the Voice VLAN at the other location?  What confuses me is the AP / controller seem to handle all the DHCP requests, so even if I have a ip helper-address on say the routers interface it isn't actually being forwarded from the router, it is coming from whatever interface is bound to the WLAN on the controller.  I'm sure I didn't explain this well, I'm not looking for a step by step guide maybe just some pointers as to examples or what I need to study up on to accomplish this.  Thank you very much for all your time.

  If this other location is not deemed remote (with a slower WAN link), then you may want to look into utilizing AP groups vs H-REAP.
  AP groups would allow you to specify which SSIDs and associated VLANs are enabled per AP group. Then just add the necessary APs (e.g. APs in BLDG-2) to that group (e.g. BLDG-2).
  But also depends on where you want the client subnet terminated.
  With AP groups or H-REAP central switching the client subnet would terminate at the central location where the WLC is located.
  With H-REAP local switching, the client subnet would terminate locally where the AP resides.
  Central switching just means all data will be sent back to the WLC, where local switching means that the data will be routed out locally.
  To me, AP groups are easier to configure as the config is done at the AP group and then just a matter of putting the AP in that group.
  With H-REAP, you have to configure the AP, H-REAP group including adding the AP to the group as well as SSID config if wanting local switching.
  See the following for more info.
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper.html
  Sent from Cisco Technical Support iPhone App

• Can't get Wireless up from Core, sitting here like wtf mate?

  Hey all
  I'm not a newcomer to Linux in general, having been tinkering with it pretty consistently for about four years now, but this is my first attempt at Arch. Basically everybody on every forum who repped Arch was so Raving Fan about it that I had to give it a try. Read it does well on older hardware, which this qualifies as:
  IBM Thinkpad 380XD
  300mhz PII Processor
  96mb SDRAM
  3 gig HD
  I'm using a Lucent Technologies Orinoco PCMCIA card, which I know works with WEP because I used it under Puppy (maybe there was some kind of special transient firmware fix? Can't recall...)
  I've got Core installed and I've followed all the instructions on the Wireless Setup - Arch Wiki page.
  http://wiki.archlinux.org/index.php/Wireless_Setup
  I'm actually already familiar with the commands and the process since at the basic level they're the same as with Puppy Linux, which I was running on this system before the last HD wrecked.
  I'm manually typing responses of the system since it's not online and I seem to be having difficulty in copying data to the USB stick I'm using, so I can't paste the output directly.
  lspci kicks back:
  Socket 0 Bridge: [yenta_cardbus] (bus ID: ....)
  Socket 0 Device 0: [orinoco_cs] (bus ID: ...)
  when I plug in the device, dmesg | tail shows:
  Firmware determiend as Lucent/Agere 7.28
  Ad0hoc demo mode suported
  IIEEE standard IBSS ad-hoc mode supported
  WEP supported, 104-bit key
  MAC address ....
  Station name "HERMES I"
  etho: ready
  orinoco_cs at 0.0, irq 3, io 0x0100-0x013f
  eth0 shows up on ifconfig, and iwconfig. I can even pass the correct essid and key to iwconfig, which subsequently shows up in iwconfig | eth0. Plus, one of the two lights on the card comes on when I give it the right essid and key (without the right key/code the light doesn't come on).
  But running dhcpcd results in a time-out, and running iwlist scan says
  Failed to read scan data ; Resource temporarily unavailable.
  I've restarted, I've switched PCMCIA ports, I even tried my other Orinoco card but it didn't have the firmware so no linux will even touch it.
  I've tried modprobe -r orinoco_cs then modprobe orinoco_cs to reinstall it, ifconfig eth0 down and up, and every combination of the above I've been able to think about.
  Please give a recommendation. Arch seems really promising and I need this system up for my main note-taking computer at school! (My eeepc was stolen...bastards...)
  ~Ender

  I was chatting on #aircrack-ng and psycho_oreos pointed me to this
  Maybe it will help..
  09:12:41 < Daenyth> the orinoco one is assy, I can't even iwlist scan
  09:12:55 < psycho_oreos> Daenyth, that and the ability to do 802.11g modes.. I'm presuming you have ar5212abg.. which also means 802.11a as well
  09:13:09 < Daenyth> psycho_oreos: lspci tells me I have AR5001x+
  09:13:12 < psycho_oreos> orinoco can scan, you just have to choose the right firmware
  09:13:36 < Daenyth> psycho_oreos: oh really? If you could point me to any info on that, I would _much_ appreciate it.. right now when I roam I use airodump and filter for OPN
  09:13:54 < Daenyth> it works, but it's not fun
  09:14:07 < psycho_oreos> Daenyth, I've documented a bit on backtrack's wiki, however I too myself never bothered to flash it personally, you need windows to do it
  09:14:16 < Daenyth> ugh
  09:14:21 < Daenyth> that's not polite
  09:14:26 < Daenyth> hrmm... would vmware work?
  09:14:30 < Daenyth> I don't own any windows machines
  09:15:03 < psycho_oreos> Daenyth, http://backtrack.offensive-security.com … _High_Rate
  09:15:17 < psycho_oreos> only with usb should one use vmware
  09:15:26 < Daenyth> hmm, no go then
  09:15:36 < Daenyth> well thanks a lot, that gives me something to look into.
  09:15:39 < psycho_oreos> I've got all the firmwares and stuff for it but never got around testing it
  09:16:28 < Daenyth> where do you get the firmware?
  09:16:43 < psycho_oreos> I've listed the links on that link I just posted
  09:16:58 < psycho_oreos> but the firmware, you can't flash it via linux I believe, they are all .exe binary blobs
  09:17:12 < Daenyth> ahh thanks
  09:17:20 < Daenyth> wonder if wine could do it...
  09:17:52 < psycho_oreos> wine might be able to do it but I wouldn't risk bricking it
  09:18:10 < Daenyth> well my dad has a partly windows laptop.. I'll try that
  09:18:44 < psycho_oreos> Daenyth, if you have any success, I'd like to hear about it I need to do something similar with a pair of hermes I cards I got
  09:19:02 < Daenyth> will do
  09:19:08 < psycho_oreos> and I'm not sure about using win2k, you might need win98
  09:19:15 < Daenyth> uh... hrm
  09:19:22 < Daenyth> well it's winXP MCE
  09:19:33 < psycho_oreos> *shrug* might work
  Last edited by Daenyth (2009-03-22 13:19:48)

• Wireless printing - from shipping sites - not working after update to iOS7

  I am no longer able to print shipping labels from PayPal or USPS after updating to iOS7. I am able to print emails, etc. from other sites online - just not shipping labels. Is anyone else having the same problem? Is there a fix?

  Tap Settings > General > Reset > Reset All Settings
  Then restart the device.
  Press and hold the Sleep/Wake button for a few seconds until the red "slide to power off" slider appears, then swipe the slider to power off.
  Then press and hold the Sleep/Wake button until the Apple logo appears.
  Then try printing.

• Lync Mobility at Branch site

  Hi,
  I have a Lync 2013 Standard Edition FE and Lync 2013 Edge server at location A, and a Lync 2013 Standard Edition FE with Enterprise Voice at location B. I have deployed mobility, and users are location A are able to sign in with their mobiles,
  but users at location B are not able to. Do I need to enable any features on the server at location B as well?
  Appreciate any advice.
  Thank you. Regards.
  Mathew

  You'll need to publish the Lync External web services FQDN externally for each Lync Pool. This will require an external IP, public certificate and Reverse Proxy rule pointing to the location B FE pool.
  See: http://blogs.technet.com/b/nexthop/archive/2012/04/25/lync-server-2010-mobility-deep-dive-autodiscover-service.aspx
  "The Lync Autodiscover Service is a component that the Lync Mobile client queries to find a user's home pool URLs"
  Please mark posts as answers/helpful if it answers your question.
  Blog
  Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

• Inline Posture deployment for non Cisco Wireless Controler

  Hi all of you
  I have to deploy an Inline Posture to manage non Cisco Wireless Controler ( ZoneDirecteur 1000 Ruckus), It seem easy but I don't know from where to start. All documentation I rode it's about Inline Posture for VPN. I want just to use this Inline Posture to manage Wireless user through ZoneDirector wirelss controler. Thank you.
  Regards
  Kouassi

  So what is the solution for this scenario?
  remote site has non-cisco autonomous wireless AP. NAC is centralized. I can not use OOB since there is no support for non-cisco AP in OOB mode. As a result I use InBand mode. This means that local wireless trffic in remote site must travel to central site, go through NAC Server and go back to remote site. Is this correct?