Limit wireless adapter to a single (WEP or WPA secured) network ? - Wireless
-
Limit wireless adapter to a single (WEP or WPA secured) network ?
This may sound a bit backwards, but I would like to find out how to limit XP
to a single wireless network. We do not wish the adapter to connect to, or
even "find" any other wireless nets, ssid's, or hotspots, when it is not
connected to ours.
Thanks !
Dean
-
Re: Limit wireless adapter to a single (WEP or WPA secured) network ?
I'm going to make an assumption here in my next question: why are you then
issuing laptops with wireless NICs? In most cases, organizations give
employees laptops with wireless so that the employees will work for free in
airports, hotels, at home, wherever. But since I don't know the specifics of
your case, I could be wrong. Tell us more?
You can configure policies in Windows Vista to do what you want. However,
Windows XP doesn't have any built-in way to do this.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dean" wrote in message
news:387B4F52-25CC-4F78-BF3D-DABDFFDCDC98@microsoft.com...
> This may sound a bit backwards, but I would like to find out how to limit
> XP
> to a single wireless network. We do not wish the adapter to connect to,
> or
> even "find" any other wireless nets, ssid's, or hotspots, when it is not
> connected to ours.
> Thanks !
> Dean
>
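One way to get this behaviour on Windows Vista or later from an elevated prompt is the `netsh wlan` filter list. This is an added example, not part of the original posts and not necessarily the policy mechanism the reply above has in mind; the SSID `CountyMobile` is a placeholder assumption.

```powershell
# Added example: restrict a Windows Vista (or later) client to one SSID.
# Run elevated. 'CountyMobile' is a placeholder SSID (assumption, not from the thread).
$AllowedSsid = 'CountyMobile'

# 1. Explicitly allow the one approved infrastructure network.
#    An allow entry takes precedence over the denyall entries added below.
netsh wlan add filter permission=allow ssid="$AllowedSsid" networktype=infrastructure

# 2. Block every other infrastructure network and all ad hoc networks.
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc

# 3. Keep blocked networks out of the "available networks" list so users
#    do not even see them.
netsh wlan set blockednetworks display=hide

# 4. Review the resulting allow/deny lists and the saved profiles.
#    Any leftover profile for another SSID can be removed with:
#    netsh wlan delete profile name="<profile name>"
netsh wlan show filters
netsh wlan show profiles

# Rollback, if the restriction needs to be lifted:
#   netsh wlan delete filter permission=denyall networktype=infrastructure
#   netsh wlan delete filter permission=denyall networktype=adhoc
#   netsh wlan delete filter permission=allow ssid="CountyMobile" networktype=infrastructure
```

An SSID filter matches on the network name only, so the allowed network's own WPA settings still have to authenticate the access point.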
-
Re: Limit wireless adapter to a single (WEP or WPA secured) networ
Steve,
Oh yes, there is more... These laptops are in County Sheriff's cars.
About 75 of them. We use Cingular (EDGE) for wide area mobile data services,
throughout about 1800 sq. miles of the county, as well as outside the county.
We use Netmotion Mobility for VPN & encryption. We have placed our AP's
(about 30) to cover the parking lots at the various Police Dept's in the
county, and many other places that the police cars are regularly parked.
These include the jail parking lots & sally ports, the city hall parking
lots, fire stations, etc. These places are already connected countywide, by
fiber network. The wireless "DMZ" vlan is carried on that fiber network.
Until lately, ONLY Cingular has been used for the County Sheriff cars, and
the wireless net was used for other purposes, mostly indoors.
The Netmotion Mobility VPN client has the ability (by design) to roam from
network to network. It will choose the fastest available interface, by
itself, without disrupting the AES VPN connection. While police cars are at
common locations, we would have (considerably) faster service to/from the
cars, yet when they leave the wireless net, they will roam back to Cingular
seamlessly.
Management has decreed that these mobiles are to NEVER connect to any other
802.11a,b,g wireless net as they travel. So, that is why they need the
"opposite" sort of approach to wireless connectivity.
A rather lengthy response, but I hope this clears up the question of "Why ?".
Dean
"Steve Riley [MSFT]" wrote:
> I'm going to make an assumption here in my next question: why are you then
> issuing laptops with wireless NICs? In most cases, organizations give
> employees laptops with wireless so that the employees will work for free in
> airports, hotels, at home, wherever. But since I don't know the specifics of
> your case, I could be wrong. Tell us more?
>
> You can configure policies in Windows Vista to do what you want. However,
> Windows XP doesn't have any built-in way to do this.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
> "Dean" wrote in message
> news:387B4F52-25CC-4F78-BF3D-DABDFFDCDC98@microsoft.com...
> > This may sound a bit backwards, but I would like to find out how to limit
> > XP
> > to a single wireless network. We do not wish the adapter to connect to,
> > or
> > even "find" any other wireless nets, ssid's, or hotspots, when it is not
> > connected to ours.
> > Thanks !
> > Dean
> >
>
-
Re: Limit wireless adapter to a single (WEP or WPA secured) networ
Thanks for the details, now I understand.
Next question: why has management issued this decree? What risk do they feel
requires this kind of mitigation? Since it seems like all your
communications are encrypted (VPN), and you've already been using another
public network anyway (Cingular), this decree seems quite arbitrary. The VPN
is sufficient for protecting the data traveling any public network. So as
long as you're enabling the built-in firewall on all the laptops (to protect
them from attack from the Internet), I'd say it's perfectly fine to allow
these machines to use any wireless network they want. Millions of people
operate in this same mode every day (public network connection, VPN to
protect corporate data).
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dean" wrote in message
news:B0B505B7-F4BE-4597-8FB4-308F84210034@microsoft.com...
> Steve,
>
> Oh yes, there is more... These laptops are in County Sheriff's cars.
> About 75 of them. We use Cingular (EDGE) for wide area mobile data
> services,
> throughout about 1800 sq. miles of the county, as well as outside the
> county.
> We use Netmotion Mobility for VPN & encryption. We have placed our
> AP's
> (about 30) to cover the parking lots at the various Police Dept's in the
> county, and many other places that the police cars are regularly parked.
> These include the jail parking lots & sally ports, the city hall parking
> lots, fire stations, etc. These places are already connected countywide,
> by
> fiber network. The wireless "DMZ" vlan is carried on that fiber network.
> Until lately, ONLY Cingular has been used for the County Sheriff cars, and
> the wireless net was used for other purposes, mostly indoors.
>
> The Netmotion Mobility VPN client has the ability (by design) to roam from
> network to network. It will choose the fastest available interface, by
> itself, without disrupting the AES VPN connection. While police cars are
> at
> common locations, we would have (considerably) faster service to/from the
> cars, yet when they leave the wireless net, they will roam back to
> Cingular
> seamlessly.
>
> Management has decreed that these mobiles are to NEVER connect to any
> other
> 802.11a,b,g wireless net as they travel. So, that is why they need the
> "opposite" sort of approach to wireless connectivity.
>
> A rather lengthy response, but I hope this clears up the question of "Why
> ?".
>
> Dean
>
>
> "Steve Riley [MSFT]" wrote:
>
>> I'm going to make an assumption here in my next question: why are you
>> then
>> issuing laptops with wireless NICs? In most cases, organizations give
>> employees laptops with wireless so that the employees will work for free
>> in
>> airports, hotels, at home, wherever. But since I don't know the specifics
>> of
>> your case, I could be wrong. Tell us more?
>>
>> You can configure policies in Windows Vista to do what you want. However,
>> Windows XP doesn't have any built-in way to do this.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>> "Dean" wrote in message
>> news:387B4F52-25CC-4F78-BF3D-DABDFFDCDC98@microsoft.com...
>> > This may sound a bit backwards, but I would like to find out how to
>> > limit
>> > XP
>> > to a single wireless network. We do not wish the adapter to connect
>> > to,
>> > or
>> > even "find" any other wireless nets, ssid's, or hotspots, when it is
>> > not
>> > connected to ours.
>> > Thanks !
>> > Dean
>> >
>>
-
Re: Limit wireless adapter to a single (WEP or WPA secured) networ
Steve,
For the most part, you have hit the nail on the head. The key word is
"arbitrary". I was seeking a technical solution to a (perceived) political
problem. If it was reasonably possible to meet the wishes of management,
without placing a heavy burden on the workstation support crew, it was worth
asking. If not, then I'll have to schedule a meeting with the director, and
draw some pictures on his white board.
The only actual technical issue, in our particular case, are open access
points that have a captive portal for web based authentication (such as most
hotels, coffee shops, etc.). These will actually cause a temporary outage
for the client, as the car passes by or is parked near. The mobility VPN
client will find the alternate network, pause, try to send crafted udp
packets to the VPN server, only to discover that the network has no path.
Then it will revert to Cingular. This process takes about 10-15 seconds.
Not a major issue, but a noticeable delay to the user. We may just have to
deal with it.
Thanks !
Dean
"Steve Riley [MSFT]" wrote:
> Thanks for the details, now I understand.
>
> Next question: why has management issued this decree? What risk do they feel
> requires this kind of mitigation? Since it seems like all your
> communications are encrypted (VPN), and you've already been using another
> public network anyway (Cingular), this decree seems quite arbitrary. The VPN
> is sufficient for protecting the data traveling any public network. So as
> long as you're enabling the built-in firewall on all the laptops (to protect
> them from attack from the Internet), I'd say it's perfectly fine to allow
> these machines to use any wireless network they want. Millions of people
> operate in this same mode every day (public network connection, VPN to
> protect corporate data).
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
> "Dean" wrote in message
> news:B0B505B7-F4BE-4597-8FB4-308F84210034@microsoft.com...
> > Steve,
> >
> > Oh yes, there is more... These laptops are in County Sheriff's cars.
> > About 75 of them. We use Cingular (EDGE) for wide area mobile data
> > services,
> > throughout about 1800 sq. miles of the county, as well as outside the
> > county.
> > We use Netmotion Mobility for VPN & encryption. We have placed our
> > AP's
> > (about 30) to cover the parking lots at the various Police Dept's in the
> > county, and many other places that the police cars are regularly parked.
> > These include the jail parking lots & sally ports, the city hall parking
> > lots, fire stations, etc. These places are already connected countywide,
> > by
> > fiber network. The wireless "DMZ" vlan is carried on that fiber network.
> > Until lately, ONLY Cingular has been used for the County Sheriff cars, and
> > the wireless net was used for other purposes, mostly indoors.
> >
> > The Netmotion Mobility VPN client has the ability (by design) to roam from
> > network to network. It will choose the fastest available interface, by
> > itself, without disrupting the AES VPN connection. While police cars are
> > at
> > common locations, we would have (considerably) faster service to/from the
> > cars, yet when they leave the wireless net, they will roam back to
> > Cingular
> > seamlessly.
> >
> > Management has decreed that these mobiles are to NEVER connect to any
> > other
> > 802.11a,b,g wireless net as they travel. So, that is why they need the
> > "opposite" sort of approach to wireless connectivity.
> >
> > A rather lengthy response, but I hope this clears up the question of "Why
> > ?".
> >
> > Dean
> >
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> I'm going to make an assumption here in my next question: why are you
> >> then
> >> issuing laptops with wireless NICs? In most cases, organizations give
> >> employees laptops with wireless so that the employees will work for free
> >> in
> >> airports, hotels, at home, wherever. But since I don't know the specifics
> >> of
> >> your case, I could be wrong. Tell us more?
> >>
> >> You can configure policies in Windows Vista to do what you want. However,
> >> Windows XP doesn't have any built-in way to do this.
> >>
> >> --
> >> Steve Riley
> >> steve.riley@microsoft.com
> >> http://blogs.technet.com/steriley
> >> http://www.protectyourwindowsnetwork.com
> >>
> >>
> >> "Dean" wrote in message
> >> news:387B4F52-25CC-4F78-BF3D-DABDFFDCDC98@microsoft.com...
> >> > This may sound a bit backwards, but I would like to find out how to
> >> > limit
> >> > XP
> >> > to a single wireless network. We do not wish the adapter to connect
> >> > to,
> >> > or
> >> > even "find" any other wireless nets, ssid's, or hotspots, when it is
> >> > not
> >> > connected to ours.
> >> > Thanks !
> >> > Dean
> >> >
> >>
>
-
Re: Limit wireless adapter to a single (WEP or WPA secured) networ
That's a really odd behavior for a VPN client. Usually, VPN clients don't go
about redirecting the underlying Internet connection!
Let me know how you get on with your whiteboarding session. Email me if you
need any more help. Oftentimes, all it takes is a bit of education on the
part of those setting such "arbitrary" policies.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Dean" wrote in message
news:A76210EC-4B43-448B-B0B0-C17ACD86BD5A@microsoft.com...
> Steve,
>
> For the most part, you have hit the nail on the head. The key word is
> "arbitrary". I was seeking a technical solution to a (perceived)
> political
> problem. If it was reasonably possible to meet the wishes of management,
> without placing a heavy burden on the workstation support crew, it was
> worth
> asking. If not, then I'll have to schedule a meeting with the director,
> and
> draw some pictures on his white board.
>
> The only actual technical issue, in our particular case, are open access
> points that have a captive portal for web based authentication (such as
> most
> hotels, coffee shops, etc.). These will actually cause a temporary outage
> for the client, as the car passes by or is parked near. The mobility VPN
> client will find the alternate network, pause, try to send crafted udp
> packets to the VPN server, only to discover that the network has no path.
> Then it will revert to Cingular. This process takes about 10-15 seconds.
> Not a major issue, but a noticeable delay to the user. We may just have
> to
> deal with it.
>
> Thanks !
>
> Dean
>
>
>
> "Steve Riley [MSFT]" wrote:
>
>> Thanks for the details, now I understand.
>>
>> Next question: why has management issued this decree? What risk do they
>> feel
>> requires this kind of mitigation? Since it seems like all your
>> communications are encrypted (VPN), and you've already been using another
>> public network anyway (Cingular), this decree seems quite arbitrary. The
>> VPN
>> is sufficient for protecting the data traveling any public network. So as
>> long as you're enabling the built-in firewall on all the laptops (to
>> protect
>> them from attack from the Internet), I'd say it's perfectly fine to allow
>> these machines to use any wireless network they want. Millions of people
>> operate in this same mode every day (public network connection, VPN to
>> protect corporate data).
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>> "Dean" wrote in message
>> news:B0B505B7-F4BE-4597-8FB4-308F84210034@microsoft.com...
>> > Steve,
>> >
>> > Oh yes, there is more... These laptops are in County Sheriff's cars.
>> > About 75 of them. We use Cingular (EDGE) for wide area mobile data
>> > services,
>> > throughout about 1800 sq. miles of the county, as well as outside the
>> > county.
>> > We use Netmotion Mobility for VPN & encryption. We have placed our
>> > AP's
>> > (about 30) to cover the parking lots at the various Police Dept's in
>> > the
>> > county, and many other places that the police cars are regularly
>> > parked.
>> > These include the jail parking lots & sally ports, the city hall
>> > parking
>> > lots, fire stations, etc. These places are already connected
>> > countywide,
>> > by
>> > fiber network. The wireless "DMZ" vlan is carried on that fiber
>> > network.
>> > Until lately, ONLY Cingular has been used for the County Sheriff cars,
>> > and
>> > the wireless net was used for other purposes, mostly indoors.
>> >
>> > The Netmotion Mobility VPN client has the ability (by design) to roam
>> > from
>> > network to network. It will choose the fastest available interface, by
>> > itself, without disrupting the AES VPN connection. While police cars
>> > are
>> > at
>> > common locations, we would have (considerably) faster service to/from
>> > the
>> > cars, yet when they leave the wireless net, they will roam back to
>> > Cingular
>> > seamlessly.
>> >
>> > Management has decreed that these mobiles are to NEVER connect to any
>> > other
>> > 802.11a,b,g wireless net as they travel. So, that is why they need
>> > the
>> > "opposite" sort of approach to wireless connectivity.
>> >
>> > A rather lengthy response, but I hope this clears up the question of
>> > "Why
>> > ?".
>> >
>> > Dean
>> >
>> >
>> > "Steve Riley [MSFT]" wrote:
>> >
>> >> I'm going to make an assumption here in my next question: why are you
>> >> then
>> >> issuing laptops with wireless NICs? In most cases, organizations give
>> >> employees laptops with wireless so that the employees will work for
>> >> free
>> >> in
>> >> airports, hotels, at home, wherever. But since I don't know the
>> >> specifics
>> >> of
>> >> your case, I could be wrong. Tell us more?
>> >>
>> >> You can configure policies in Windows Vista to do what you want.
>> >> However,
>> >> Windows XP doesn't have any built-in way to do this.
>> >>
>> >> --
>> >> Steve Riley
>> >> steve.riley@microsoft.com
>> >> http://blogs.technet.com/steriley
>> >> http://www.protectyourwindowsnetwork.com
>> >>
>> >>
>> >> "Dean" wrote in message
>> >> news:387B4F52-25CC-4F78-BF3D-DABDFFDCDC98@microsoft.com...
>> >> > This may sound a bit backwards, but I would like to find out how to
>> >> > limit
>> >> > XP
>> >> > to a single wireless network. We do not wish the adapter to connect
>> >> > to,
>> >> > or
>> >> > even "find" any other wireless nets, ssid's, or hotspots, when it is
>> >> > not
>> >> > connected to ours.
>> >> > Thanks !
>> >> > Dean
>> >> >
>> >>
>>
-
RE: Limit wireless adapter to a single (WEP or WPA secured) network ?
"Dean" wrote:
> This may sound a bit backwards, but I would like to find out how to limit XP
> to a single wireless network. We do not wish the adapter to connect to, or
> even "find" any other wireless nets, ssid's, or hotspots, when it is not
> connected to ours.
> Thanks !
> Dean
>
-
RE: Limit wireless adapter to a single (WEP or WPA secured) network ?
I have a similar issue. I am in New York City and there are dozens of WAPs
around. Some secure, some not.
We have a secure wireless network connection to our LAN. I do not want
our machines connecting to any other wireless networks.
Is it possible to limit my machines to only my network?
Thanks
"Dean" wrote:
> This may sound a bit backwards, but I would like to find out how to limit XP
> to a single wireless network. We do not wish the adapter to connect to, or
> even "find" any other wireless nets, ssid's, or hotspots, when it is not
> connected to ours.
> Thanks !
> Dean
>
-
Re: Limit wireless adapter to a single (WEP or WPA secured) network ?
This how-to may help.
How to limit the machine only connect to one secure wireless network
http://www.wifimvp.com/howto/limitoneconnection.htm
--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"NYRadio" wrote in message
news:A5B56FB6-7942-4E63-80AF-1F98C52E7185@microsoft.com...
>
>
> "Dean" wrote:
>
>> This may sound a bit backwards, but I would like to find out how to limit
>> XP
>> to a single wireless network. We do not wish the adapter to connect to,
>> or
>> even "find" any other wireless nets, ssid's, or hotspots, when it is not
>> connected to ours.
>> Thanks !
>> Dean
>>