(update 10/13/2010 - Hard to believe we've been using pretty much the same wifi solution at GCC since March of 2004! Below you'll find some of the details about our initial implementation. The biggest changes since 2004 have been the introduction of VLANs into the mix and additional access points over the years. We just replaced this Proxim/Nomadix solution on 10/11/10 with a new centrally managed Ruckus Wireless solution which brings new capabilities along with greater signal range, speed, and client density. We've also already found a new home for the prior gear at another church, so it will continue providing service to the Kingdom after its stint at GCC :-)
(update 8/8/2006 - almost a year and a half later this info is somewhat out of date, but still serves as a great reference point for anyone interested in our wifi setup. We'll try to get it updated in the next month or so.)
My boss, Tony Morgan (Administrative Pastor at GCC), was interviewed by Indiana Business Magazine recently about our Saturday night services and in particular our implementation of wireless access. Somehow the Saturday Evening Post picked up the article and published it in their March/April issue! I'm now getting many phone calls and emails about our setup so I thought I'd direct folks here for the low down :-)
I'll start this off by giving monster props to Tom Templin or "WiFi Tom" as I like to call him. I met Tom shortly after I started at GCC when I began advertising for a volunteer IT team. It was easy to see that Tom had a passion for technology and GCC along with a great tech background (he's an Advanced Technologies Director for CIBER Enterprise Solutions). After our Senior Management Team tasked me with figuring out how to make their ideas for a wireless service work, I knew I would need some help (at this time our IT dept was just me). I knew Tom had a lot of WiFi experience so I asked if he'd be interested in helping do research...he jumped on it! He put in about 100hrs research...on the net...calling vendors...keeping me up to date on what he'd found...it was awesome! So we put together a WiFi solution which, at that time, was one of a kind according to our research and discussions with vendors. Tom continues to improve our WiFi setup...currently doing research on moving from WEP to WPA for the private access and setting up wireless VLANs. Tom, you totally rock dude! :-)
Following is a blurb Tom wrote up about our wireless solution as we were implementing it. I'll post it mainly unedited for now...and will update it as time permits.
Typically when anyone opens their browser, the first thing they see is their preferred home page (like my.yahoo.com, www.msn.com, www.comcast.net, AOL, etc.).
But at GCC, when someone first connects a laptop, we can intercept their browser settings and direct them to an initial GCC "portal page".
Since Pocket PC browsers have local home pages, they can see a GCC "portal page" as soon as they request ANY Internet web site.
The "portal page" is crucial to the user's experience at GCC. It needs to be different than www.gccwired.com because the audience is already here! Right away the first page people see can have links for "today's service", or information about GCC events. This will be great for people attending a wireless service, visitors to a GCC church conference, and for people browsing at the Connection Café anytime during the week. GCC gets the right information immediately to every user without any technical complexity, and without having to publish what web site to go to first from church. That's awesome!
When they take their computer away from church, their original home page remains the same...it never changed any settings on their computer.
For starters, we support all three of today's wireless radio standards: 802.11a, 802.11b, and 802.11g. Even if the user has no idea which type of wireless radio they have, we already have them covered...we'll talk the language they talk.
But how the computer is configured, normally, is a big issue for connecting to a new network.
Lots of people have no idea how their computer is configured, and really are not interested...they just want their computer to connect! They want to get online and get closer to God right away; not speak computer-ese.
We really have no control over the computers that get brought into GCC. We expect and invite people to bring whatever they have. Some folks will be technical experts, ready to dive in and configure themselves. Others will simply carry in the wireless laptop or wireless PDA they were issued by their employer and have no idea how it is set up. They're just excited to try this thing out at our church!
The varieties of configurations would be a huge problem for trying to get everyone online within seconds of entering the building and turning their computers on. People would hate it because it would not work for some folks unless we printed lengthy, precise instructions to change stuff. Even if we did that, corporate I.T. departments could get angry at our churchgoers because they changed settings on their computers and did not know how to change them back. Jason Powell's phone would ring endlessly with calls from irate I.T. managers all around the community. Darkness would fall.
But we have a secret weapon... One that will delight and confound even the most technically savvy computer geek who walks into GCC... Our solution doesn't care! That's right. We can handle computers that are configured CORRECTLY (Automatic IP addresses) as well as INCORRECTLY (Static IP addresses, proxy servers)!
Our solution talks to everyone.
The secret is "Dynamic Address Translation" (DAT)...a patented technology that ensures everyone gets easy access to the network.
Bottom line...NO CHANGES are needed (except to connect to the Wireless Network called "GCC"). It just works. Very cool, very professional, and very important in helping GCC to make that connection to people who are looking for GCC to communicate with them in this way.
Most wireless routers can only handle 16 or 32 simultaneous users. Most wireless hotspot portal appliances and gateways can only handle 50 simultaneous users. One medium-sized platform can grow above 50, but tops out at 150 simultaneous users. We were not comfortable with a ceiling of 150 users...our growth rate is just too high to stop there.
Our solution at GCC has two pieces...multiple Wi-Fi Wireless Access Points positioned throughout the building, and a single Nomadix USG II "Universal Subscriber Gateway" appliance in the server room.
The Proxim AP-4000 Access Points are new generation, enterprise-class access points that deliver unprecedented capacity, rigorous security and scalability, and high reliability.
Each Proxim ORiNOCO AP-4000 wireless access point can handle up to 64 connected users per radio, and each access point contains one 802.11b/g radio and one 802.11a radio. We will begin with two access points in the Auditorium, and one access point in the Atrium which has the range to reach part of the Auditorium. As attendance increases and the building expands, additional access points can be deployed as needed.
Note: Most wireless cards sold for computers today are 802.11b or 802.11g, but several corporate and hospital wireless networks are built with 802.11a radios. If new technologies are needed, we can update or change the wireless access points, or add whatever future connection appliance is invented.
The single back-end Nomadix USG II gateway can initially support up to 250 simultaneous users, and by purchasing 250-user license increments, it can grow to up to 2,000 users!
The Nomadix USG II gateway is a high performance platform designed for large, public-access HotSpots. Its target market includes Hotels, Convention Centers, Universities, and Airports. We are probably the first church to implement such a highly-scalable gateway.
This gateway is the machine that performs the first two cool things mentioned already: Home Page Redirection and Dynamic Address Translation.
Where else might you find a Nomadix gateway? Here is a short, partial list:
- Minneapolis Airport, Minnesota
- Oslo Airport, Norway
- Schiphol Airport, The Netherlands
- Georgia World Congress Convention Center, Atlanta
- Shutters On The Beach Hotel, Santa Monica, California
Since our church building will host multiple types of gatherings besides services (such as church conferences and meetings), as well as future "un"-common spaces (like a food court), we can accommodate nearly any group or gathering that would demand large-scale Internet connectivity.
When any organization adds wireless network capability, a whole range of security concerns can crop up.
For example, most wireless networks are designed so that each computer can communicate not only with the wired servers and the Internet, but also with other wireless computers in the room. An attack could be launched or files could be compromised within the building by one wicked user onto the rest of the unsuspecting wireless users. This could spell disaster for anyone without a personal firewall installed on their own computer.
So we have configured a special block at each wireless access point that prohibits any direct communication between wireless computers. All communications must be directed at the GCC servers or the Internet.
Additional security steps have also been taken to protect the church network and the wireless users.
We hope that our precautions will be unnecessary, especially in a church setting. But our weekend services are designed to reach pre-Christians, and temptations exist...so we must be diligent and responsible by taking these steps to prevent any of these problems.
In summary, the wireless solution at GCC provides hassle-free simultaneous Internet access to a large number of temporary users. It is also the most future-proof and flexible solution in the marketplace. At the same time, it is robust and scalable.
Some computers are set to "Obtain an IP address automatically"...ready to adopt whatever address is handed out by the network they visit (this is called DHCP). Others have "Static IP addresses", often configured by a corporate I.T. department for use in one location. To make matters worse, some computers are configured to connect to corporate "proxy servers" to get out of their local networks and onto the Internet from their office.
If a computer has a "static IP address" and the user does not change their configuration to "Obtain an IP address automatically"...then a typical solution would refuse to talk to that computer. If they have a "proxy server" and the user does not take that out of their configuration...then again, no success. The browser would just spin and spin and eventually give an error message.
"Dynamic Address Translation" (DAT) results in NO CHANGES to the computer IP address, subnet mask, gateway, or proxy server. When DHCP is not selected on a computer, a mapping is generated to handle each bad setting to a valid setting for each MAC address. Very cool!
Unencrypted "open" transmissions can be intercepted by other computers, so multiple current and future wireless security standards can be simultaneously allowed on the same access points as open connections. For example, we can create VLANs for both a private, church staff network that utilizes 128-bit WEP encryption and also have a VLAN for the public that remains open (SSID "GCC"). To accomplish this, we will need to add a VLAN-aware (802.1Q compliant) switch between the access points and the gateway. This switch will be able to send the public traffic to the gateway and the private traffic to the secure church network.
Additional security considerations have also been enabled, such as "rogue" access point detection (to alert us if someone using special software pretends to be "GCC" right at their computer in order to gain access to others).
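
The rogue access point check described above can be sketched as follows. This is an added example, not part of the original post and not the configuration of the GCC equipment: it compares beacons seen in a wireless scan against an inventory of authorized radios. The staff SSID name "GCC-Staff", the MAC addresses and the scan records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the radio sending the beacon
    channel: int
    security: str   # "open", "wep", "wpa", ...

# Assumed inventory of radios the church operates (constructed MACs).
# "GCC" is the open public SSID from the post; "GCC-Staff" is hypothetical.
AUTHORIZED = {
    "02:00:00:aa:00:01": ("GCC", "open"),
    "02:00:00:aa:00:02": ("GCC-Staff", "wep"),
}
PROTECTED_SSIDS = {ssid.lower() for ssid, _ in AUTHORIZED.values()}

def classify(beacon: Beacon) -> str:
    """Label one beacon relative to the authorized inventory."""
    known = AUTHORIZED.get(beacon.bssid.lower())
    if known is None:
        # Unknown radio: only a concern if it advertises one of our names.
        if beacon.ssid.strip().lower() in PROTECTED_SSIDS:
            return "rogue-ssid-impersonation"
        return "unknown-neighbor"
    # Known radio advertising something other than what we configured:
    # either a misconfiguration or a spoofed BSSID.
    if (beacon.ssid, beacon.security) != known:
        return "authorized-radio-config-drift"
    return "ok"

def rogue_alerts(scan):
    """Return (bssid, ssid, verdict) for every beacon that needs attention."""
    alerts = []
    for beacon in scan:
        verdict = classify(beacon)
        if verdict not in ("ok", "unknown-neighbor"):
            alerts.append((beacon.bssid.lower(), beacon.ssid, verdict))
    return alerts

# Constructed scan results for illustration.
SAMPLE_SCAN = [
    Beacon("GCC", "02:00:00:aa:00:01", 1, "open"),
    Beacon("GCC-Staff", "02:00:00:aa:00:02", 1, "wep"),
    Beacon("GCC", "02:00:00:bb:00:09", 6, "open"),        # not in inventory
    Beacon("CoffeeShop", "02:00:00:cc:00:07", 11, "wpa"),  # unrelated neighbor
    Beacon("GCC-Staff", "02:00:00:AA:00:02", 1, "open"),   # security downgraded
]

if __name__ == "__main__":
    for alert in rogue_alerts(SAMPLE_SCAN):
        print(alert)
```

Because the public SSID is open, a matching name alone proves nothing about who runs the radio, which is why the check keys on the BSSID inventory and treats a changed security setting on a known BSSID as an alert as well.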
Excellent post, Jason! I have read of other churches setting up wireless portals similar to what you are doing but obviously it is not common yet. This is truly cutting edge stuff. It's exciting to see you all doing this.
I have been wondering what you have been up to, bloglines has repeatedly told me you are posting nothing.....until this morning!
Posted by: Jim | March 14, 2005 at 09:45 AM
Thanks Jim,
Yeah...I've been having mongo problems with Bloglines showing my updates. "Seems" to be fixed now.
Jason
Posted by: Jason | March 14, 2005 at 02:32 PM
Very Cool...but I think I'm coveting!
Posted by: David Garretson | June 21, 2005 at 06:25 PM
This solution is a little pricey. Any thoughts on the ZoneCD? www.publicip.net
Posted by: Matt Wilson | October 27, 2005 at 12:19 AM
Hi Matt,
We couldn't find anything like ZoneCD back when we were researching. Nomadix had the only product that would scale to 250 simultaneous users...actually it can do 2000. If you're certain you'll stay under 50 simultaneous users there are many products out there.
Sonicwall has an all-in-one product that's very similar to our Nomadix setup.
Jason
Posted by: Jason Powell | October 27, 2005 at 12:33 AM
With more than a year of experience now, would you post an update on what you've learned with wifi in the church? I recently posted a few ideas for potential uses in a church. I'm curious to know if you agree since you've been using it: http://microexplosion.blogspot.com/2006/08/3-uses-for-wi-fi-in-church.html
Posted by: Bill Seaver | August 08, 2006 at 11:19 PM
Hi Jason - this is awesome, great to see it for a church deployed like this... two things I've learned with my free hotspots opendns.org is your friend, keeps the sites friendly..
The other is untangle firewall has some built in capacities for people on a smaller budget.
Posted by: adam hill | October 15, 2010 at 08:29 AM