LDSAccess, Odyssey Client and Desktop 5.5

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
jdlessley
Community Moderators
Posts: 9858
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#31

Post by jdlessley »

Don’t get me wrong – I don’t have a problem with the configuration setup on the administrative computer I’ve been discussing. I was just wondering where the configuration changes came from. While I do not know where the changes are specifically from, I have found how the changes were made and how to modify them so that I can manage the system. Originally I thought that the configuration changes were the source of my wireless network connection difficulties using the LDS Access profile on the CCN. What I am getting from my communications with the GSD tech team and others wrestling with the same problem is that the Cisco Aironet 1200 series WAPs and many desktop wireless network cards do not play well together. I did, however, get connectivity using Odyssey Client. I had just hoped to be able to use the LDSAccess profile without Odyssey Client.

The software CD titled Local Unit Internet Security Application, version 1.6.1, is evidently a locally developed FM group compilation of software provided as a convenience in setting up administrative computers to use the internet over the CCN. The package contains the following: Windows XP Service Pack 2, Windows XP Hot Fixes for Service Pack 2 (89 of them), Symantec Client Security for Type 3 Sites, Cisco VPN Client 4.8.1.0003 with new Local LAN access profile, LANDesk Management Suite for Type 3 Sites, Microsoft Office 2003 file format converters, and Desktop Troubleshooter 1.7. I still had to get the latest Local Unit Security Suite and Symantec Antivirus Definition Update from the mls.lds.org site.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#32

Post by russellhltn »

I'd like to know how the whitelist is done. That's so a) I can implement it where needed and b) manage it if I run across it.

Of course being a public site, I'd probably have to figure out how to lock it down too.
jdlessley
Community Moderators
Posts: 9858
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#33

Post by jdlessley »

I'm working on the instructions now. I want to make sure I don't pass some bad information before I post it. I will include it as a post to the White list internet browsing thread in the next day or two.
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#34

Post by aebrown »

Alan_Brown wrote: Well, I just tried to connect our stake administrative computer to our CCN using the LDSAccess profile, and I failed. I spent about an hour working with the GSD, and we never got it working

In our stake's second CCN building, I was eventually able to connect an administrative computer to the CCN using LDSAccess. Perhaps my experience will be helpful for others.

This building has a CCN for a FHC that is not heavily used. It was installed about the same time as the stake center (2-3 years ago), and has a Cisco PIX 501 firewall, and two Cisco Aironet Wireless Access Points. On the client side, I had the same Linksys WUSB54G wireless adapter we are using in our stake center.

I called the GSD for advice. I knew that if I installed the Odyssey client, I would need the GSD to give me an activation key anyway, but I wanted to give LDSAccess one more try. Once I explained what I was trying to do, I was transferred pretty quickly to second level support (OTSS). The OTSS technician said they recommended that we try the LDSAccess approach. So that's the path we embarked on.

The tech found he couldn't see my PIX, even though the DSL connection was up and running. The "VPN Tunnel" light was not on for the PIX. He eventually had me connect my laptop to the PIX to gather some information. He determined that the firmware version was 6.3(1), but needed to be at least 6.3(4) or the current version 6.3(5).

So we had to upgrade the PIX firmware. Unfortunately that required the use of a console cable to connect a PC to the PIX, and that console cable requires a 9-pin serial port. Those aren't so common anymore. Fortunately, my old computer at home that my children now use has a 9-pin port. So I took the router home, and we worked through a rather lengthy process that involved some remote control software where the tech took over control of my machine and ran some utilities to upgrade the firmware and run some scripts on the PIX. Finally the PIX was on 6.3(5) and I headed back to the church building.

I plugged in the PIX and the VPN Tunnel light came on. The technician was able to see the PIX and the associated WAPs. So we were in good shape, or so I thought. But we still didn't have the administrative computer connected. So I headed to the clerk's office to take care of that step. I installed the Linksys software provided with the adapter. That worked fine, but I couldn't yet see any wireless network to connect to.

The tech pushed the LDSAccess profile out to the WAPs. Once that was done, my laptop could see LDSAccess in the list of Available Wireless Networks, and I connected easily. The administrative computer could see LDSAccess as available, but was unable to connect. Upon instructions from the tech, I uninstalled the Linksys software (by default Linksys installs not only a driver, but also configuration software that replaces the Windows wireless configuration system) and installed just the Linksys driver (which I fortunately had on my flash drive from my experience in the stake center). I enabled the Wireless Zero Configuration service in Control Panel, and then I could use Windows to configure settings for the adapter. But it still didn't work -- when I would click the Connect button from the list of Available Wireless Networks, I would just get the "Connecting to LDSAccess" dialog which would try for a few minutes and then the dialog would eventually just go away. No connection.

So then the tech said he was going to try something else on his end of things, and asked me to be patient as it would take a while. It took him about ten minutes, but when he was done, he asked me to try to connect the administrative computer to LDSAccess again. It worked right away!

I asked the tech what he had done. He said that the "Moroni" profile is the wireless profile which was already at the WAPs. This is the profile that requires the Odyssey client in order to establish a connection. Originally, he had simply run a script that pushed the LDSAccess profile to the WAPs in addition to the Moroni profile. That was the point at which my laptop could connect, but not the administrative computer. But then his last step was to remove both the Moroni and LDSAccess profiles from the WAPs, and then push just the LDSAccess profile back. That's what finally worked.

So I'm grateful that the OTSS tech was persistent and creative enough to solve the problem. Sometime when I have some extra time I may go back to the stake center and try again to configure the connection without the Odyssey client. I now have a ticket number and the GSD techs take meticulous notes as to what they do, so hopefully another tech could look at the notes for that ticket and do the same thing in the stake center that worked in this other building.
mkmurray
Senior Member
Posts: 3266
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah

#35

Post by mkmurray »

Alan_Brown wrote: Upon instructions from the tech, I uninstalled the Linksys software (by default Linksys installs not only a driver, but also configuration software that replaces the Windows wireless configuration system) and installed just the Linksys driver...

I have a wireless PCI card from Linksys and I installed the driver plus software. The icon in the system tray has a right-click menu option that says something like "Use Windows Wireless Configuration". If you select that, and then remove the Linksys software shortcut from your Startup items, Windows will control it from then on.

However, if you aren't going to use the software at all (like I'm doing), then I guess it is a good idea to uninstall it to free up resources. I guess I'd have to find the driver somewhere on the CD.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#36

Post by russellhltn »

So this "LDSAccess profile" is actually a package of settings for the WAP that includes an "LDSAccess" SSID? Now some earlier posts make sense.

Does it have anything to do with what web sites you can and can't access (filtered or LDS only)?
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#37

Post by aebrown »

RussellHltn wrote: So this "LDSAccess profile" is actually a package of settings for the WAP that includes an "LDSAccess" SSID? Now some earlier posts make sense.

Does it have anything to do with what web sites you can and can't access (filtered or LDS only)?

The method used for connecting wirelessly has nothing to do with the filtering (what web sites you can see). The filtering occurs at the firewall, and so would affect every computer connected to the firewall, whether it is directly wired (as would be common in a FHC, and may be also true for an administrative computer) or goes through a wireless access point (which may well be the case with an administrative computer, or a clerk's personal laptop).
jdlessley
Community Moderators
Posts: 9858
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#38

Post by jdlessley »

In this thread on the Meetinghouse Internet forum, russellja says that meetinghouses with collocated CCNs can have their own SSID and WPA key installed as an answer to the incompatibility issue between LDSAccess and Odyssey Client.

From all the threads that discuss the problem associated with wireless connectivity, I am getting that because LDSAccess uses the newer WPA security protocol and Odyssey Client the older WEP protocol, the two together on the same WAP create a conflict for the administrative computers.

So what I understand is the administrative computers with Desktop 5.5 connecting wirelessly need to have one, and only one, security protocol installed on the WAP(s) to function. It appears that the two best choices are either LDSAccess or your own local SSID with WPA key (assuming that russellja is correct).

I like the idea of a local SSID and WPA key. This has several advantages over one Church-wide SSID and key. With headquarters still controlling administration of the network most of the negative aspects are not issues.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#39

Post by russellhltn »

OK, I was confused by the "LDSAccess" name.

What I'd like to see is a way to control access so that the FHC has normal filtered access but other computers, including members' machines connecting wirelessly, can only connect to LDS sites.
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#40

Post by Mikerowaved »

RussellHltn wrote: OK, I was confused by the "LDSAccess" name.

What I'd like to see is a way to control access so that the FHC has normal filtered access but other computers, including members' machines connecting wirelessly, can only connect to LDS sites.

I don't think CHQ is set up to do that. You either get one or the other for each building. However, it seems to me you could use a router to create a new subnet for everything except the FHC computers and use the router's internal security settings to create an LDS whitelist. The effectiveness of the whitelist will depend solely on the router, so as Indiana Jones was once told, "Choose wisely", ;) as some are definitely better than others.

We also have THIS rather long thread regarding the "best" way to create a whitelist too.
So we can better help you, please edit your Profile to include your general location.