    Posts
    • RE: Reboot on ping loss

      @adamf said in Reboot on ping loss:

      @pete-s thanks, I was just looking at that one before you sent it.

      Yes, it's good to know that Tripp Lite is a real brand and commercial grade, not a no-name consumer gadget.
      Eaton owns them now.

      And Schneider owns APC. Both Schneider and Eaton are big manufacturers of electrical equipment for all kinds of industries and applications. Both are among the 500 largest companies in the world (Fortune Global 500).

      posted in IT Discussion
      1
      1337
    • RE: Help Sorting out a Firewall Issue

      @mr-jones

      Make sure you're not confusing the port on the sender and the port on the receiver.

      For instance, a web browser connecting to a webserver will use a random port on the client to connect to port 80 or 443 on the server.

      The primary reason to allocate a random port in this case is so it can support multiple client connections at the same time.

      posted in IT Discussion
      1
      1337
    • RE: VPN Slowdowns - Anything I Can Do?

      @scottalanmiller said in VPN Slowdowns - Anything I Can Do?:

      So chances are the VPN isn't the slowdown itself, so moving to a "better" VPN might help, but likely only marginally. The fundamental issue is generally "WAN speed" vs. "LAN speed." There are generally three ways to tackle this depending on exactly what apps you use and how they work.

      1. Switch apps to something that doesn't care about WAN speed as much. Sounds trite, but it's what a lot of us have done. It's the best answer at a technical level, the hardest politically. But long term, it's the investment in the future because almost always what you are seeing is exposing legacy components and antiquated systems that could be addressed directly, or just bandaided through a solution below...
      2. Encapsulate the apps so that you "view" them remotely instead of doing transfers. Basically you literally stop being "remote" and start "remote controlling." This is most typically done through Windows RDS or VDI solutions (RDS when you can, VDI as a fallback.) This is the most common approach because it is simple, cheap-ish, and well understood. MS makes a killing making this outrageously expensive because they know that these kinds of apps trap customers and customers will pay a lot to not have to update the apps that they use. It is what it is, it's the common answer.
      3. WAN acceleration. Sometimes this works magic, sometimes it is useless. Things like Riverbed systems that do tons and tons of high speed network reduction, latency faking, and compression. They use less actual bandwidth while making things seem to move faster. It's a lot of horsepower (and typically cost) but for certain workloads can literally make a night and day difference. For other workloads it can theoretically actually make it worse. So you have to test.
      1. Local caching. Working on a local copy of a file that is being synced automatically and often transparently to central storage. Many things fall into this category, such as cloud-based storage like OneDrive but also pure file sync applications.

      2. Split tunneling. Don't route internet traffic over your VPN link. It's easy to have this enabled by default without realizing it. You want to make sure only traffic destined for your LAN is routed through the VPN link and the rest goes directly to wherever it has to go.

      posted in IT Discussion
      1
      1337
    • RE: VPN Slowdowns - Anything I Can Do?

      @garak0410 said in VPN Slowdowns - Anything I Can Do?:

      We now have 6 people who work out of state. 4 in Texas, 1 in California and 1 in Maryland. They all have domain connected laptops that I pre-configure with our applications before they get them and they connect to our VPN via the build in VPN connector in Windows 10/11. Our VPN is provided by our Windows Server with port forwarding on our ISP provided Vigor firewall.

      I understand issues like internet pipes and the "hops" it takes to get back to our office on VPN but we see some significant drops in speed. Some apps that require a lot of file transfers, are almost unusable.

      Is there anything I can do on our end to aid in some speed increases? I'm also willing to spend money if we have to on software or a network appliance.

      Thanks!

      You should do some basic investigation so you know what you should expect.

      For instance:

      • What is the speed in/out of your internet link to your VPN server?
      • What traffic comes in/goes out over this link besides VPN traffic?
      • Do you have any traffic shaping in the firewall?

      It's very possible that low priority internet traffic, from clients in the office, is starving your VPN link of bandwidth.

      posted in IT Discussion
      1
      1337
    • RE: Why Hyperconverged For Small Business

      @woodbutcher said in Why Hyperconverged For Small Business:

      Is there truly a case for a hyperconverged infrastructure for a small business?

      Not if you're looking for high availability.

      Most small businesses lack a lot of things needed to get a fault-tolerant high availability system. You need to look beyond the servers themselves because there are a lot of dependencies that also need to be highly available, like network, power, cooling etc.

      Look at a commercial datacenter. It's usually redundant all the way through, from one end to the other.

      posted in IT Discussion
      1
      1337
    • RE: Why Hyperconverged For Small Business

      @scottalanmiller said in Why Hyperconverged For Small Business:

      @woodbutcher said in Why Hyperconverged For Small Business:

      The concern with that approach would be minimizing data loss. Primarily transactions in the ERP, though the volume of these transactions is low relative to other companies. But I would guess with proper backups at the DB level, this could be minimized as well if they had to recover via a backup.

      Unless you have DB level HA, nothing in your current set up (or in the HA setup!!!) will protect against transactional losses. Only proper database protection does that and nothing being discussed here touches on that.

      I know you know Scott, but it bears repeating how HA usually works in pool/cluster of virtualized hosts.

      The hosts in a HA cluster have storage in common but not much else.

      When a host dies all data in each VM that has not been saved to disk (and replicated) is lost.

      When the other hosts detect that one host is dead, all VMs that were running will now start and boot up again on other hosts. Since the storage is shared the VMs will have the same files as the ones that died.

      The effect for the VM, and the availability of the service the VM provided, will be about the same as killing the power to a server mid-operation and then powering it up again.

      That's why it won't work reliably without transaction loss on a database.

      posted in IT Discussion
      1
      1337
    • RE: Why Hyperconverged For Small Business

      @carnival-boy said in Why Hyperconverged For Small Business:

      I'm not talking about HA. Just plain old non-HA environments.

      However, with the ability to run some, or all, environments on a single host if another host fails. But you don't need to double the resources, as it is generally acceptable to run a slower environment for a few days.

      That's manual HA with caveats.

      Sure, it might be the best thing in some cases. Overconsolidating and putting all your eggs in one basket is not always the best.

      But even if you get away with less than double the hardware you still need more than with just one host. So the hardware is going to be more expensive, the licensing of hosts and guest VMs is going to be more and energy is going to cost more.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      To find out how to configure a proxy server just search for forward proxy:
      https://duckduckgo.com/?q=forward+proxy+nginx
      https://duckduckgo.com/?q=forward+proxy+apache

      You'll find more info on how to set up reverse proxies because that is what everybody does all the time. But a forward proxy is just a matter of a slightly different configuration with the same software.

      Thanks. I hope I can avoid all this horse pucky... but I appreciate the info.

      No problem. I wanted to share some info on proxies since it sounds more complicated than it is and it's a staple in the enterprise space. And proxies are available as services too.

      posted in IT Discussion
      1
      1337
    • RE: Issue with NGINX passthough TLS

      @killmasta93 said in Issue with NGINX passthough TLS:

      @pete-s
      correct, what's odd is that it works perfectly fine on HA proxy on pfSense; it's just that I want to move to a virtual machine and not depend on pfSense
      I'm not sure how come it works on HA proxy and not on NGINX

      I don't know but why not install HAproxy instead of nginx in your VM?
      You could access pfsense over ssh and look at the HAproxy config files directly for inspiration.

      BTW, it's quite possible that haproxy uses the tcp session just as a router would. Not looking at it as a series of http requests but as a series of packets. That means the backend will get the IP.

      Since haproxy is a load balancer it makes sense that it can work on the router layer (L4) while nginx works at the application layer (L7).

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      Either way, for mobile users FQDNs are also a little problematic because you need a DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

      I know I need DDNS - I've already got it in place.
      Why do you think wildcard support would be needed?

      Don't know how many clients you have but if you want to enter an FQDN for each client it could be a lot. With a wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

      OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

      Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

      I've only ever setup a proxy for the same network that I'm on.

      In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.

      I know VPNs can be setup to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also setup some type of rule that only this particular website's traffic is what goes through the VPN)

      Though I assume there are other ways to do this as well.
      Thoughts - recommendations?

      You don't need a VPN because https is a VPN.

      A proxy on a LAN works exactly like a proxy on another server outside the LAN.

      So classic LAN based forward proxy would be:
      LAN user -> LAN proxy -> internet -> websites

      In your case:
      Mobile user -> internet -> your proxy -> saas
      and
      Mobile user -> internet -> other websites

      It's the proxy settings on the client that determines what traffic goes over the proxy and what goes direct.

      The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.

      posted in IT Discussion
      1
      1337
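      The client-side part of the forward-proxy setup described in this post and in the earlier "appear to come from an IP" reply (only the SaaS hosts go through the fixed-IP proxy, everything else goes direct) is normally expressed as a PAC (proxy auto-config) file. The following is an added example, not code from the original thread; the domain names and the proxy address are placeholders. Browsers supply dnsDomainIs and isPlainHostName themselves; the shims at the top exist only so the file also runs stand-alone under Node. The proxy itself must still enforce the authentication the post mentions; a PAC file only decides routing.

```javascript
// Added example: PAC file that sends only the SaaS hostnames through your
// fixed-IP forward proxy and lets all other web traffic go direct.
// All hostnames and the proxy address below are constructed placeholders.

// Browsers provide dnsDomainIs() and isPlainHostName(); these shims only make
// the file runnable under Node (assumption: same semantics as the PAC spec).
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = (host, domain) =>
    host === domain.replace(/^\./, "") || host.endsWith(domain);
}
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => !host.includes(".");
}

// Hosts the SaaS provider has whitelisted by the proxy's public IP.
// A leading dot means "this domain and all its subdomains".
const SAAS_DOMAINS = [".saas-vendor.example", "portal.rx-vendor.example"];

// Deliberately no "; DIRECT" fallback: if the proxy is down, failing open to a
// direct connection would silently bypass the IP whitelist at the vendor.
const PROXY = "PROXY proxy.example.com:3128";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and your own internal domain never leave via the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }

  for (const d of SAAS_DOMAINS) {
    const match = d.startsWith(".") ? dnsDomainIs(host, d) : host === d;
    if (match) {
      return PROXY; // the SaaS sees the proxy's fixed public IP
    }
  }

  return "DIRECT"; // everything else uses the user's own internet link
}
```

      Note that dnsDomainIs matches on the dot boundary, so a lookalike host such as evil-saas-vendor.example does not match .saas-vendor.example and stays on the direct path.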
    • RE: "Site not secure" | Self-signed Certificate?

      @mr-jones said in "Site not secure" | Self-signed Certificate?:

      Can you prevent the aforementioned error when visiting a domain server from a domain computer with a self-signed certificate? i.e. https://server:8080

      Yes, but it's a little difficult.

      1. Either you add the self-signed certificate for every server to all your computers. That's impractical though.

      2. Or you set up your own CA and add that to all your computers. Then you issue your own server certificates with your own CA and they will be trusted automatically.

      You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs.

      Option 2 is what you are supposed to do. We've been planning to do it at work (linux infrastructure) but we haven't started on it yet.

      I'm not sure how you set up CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.

      posted in IT Discussion
      1
      1337
    • RE: Internal SMTP Relay

      I don't have a guide but have researched it and the basic building blocks are your linux OS of choice and postfix.

      So if you search for smtp relay and postfix you will find a lot of info.

      posted in IT Discussion
      1
      1337
    • RE: Locking down vendors

      Yes, on a VLAN for each network.

      If it's highly sensitive or for compliance, separate switches are needed for these networks to avoid VLAN hopping or misconfigured switches that allow access to restricted network assets. Normally it's not needed though.

      A separate firewall also sounds like it's not needed unless you have some serious security concerns.

      ZeroTier doesn't sound like the best tool for the job though.

      Something like OpenVPN with certificates and perhaps with added OTP is much better suited.

      You want to give access to people on a time-limited basis. Certificates have expiration so that is great. OTP ensures that knowing passwords and having a certificate is not enough.

      When clients log in they are put on a specific IP and you control their network access to their VLANs through your firewall's rules.

      That way you have something that can grow. VPN provides access and security is handled in your firewall.

      If you want something hosted (like ZeroTier is), I'd look into Cloudflare Access. They use wireguard for the VPN access and their network controls access.

      posted in IT Discussion
      1
      1337
    • What do you use as an identity provider?

      What do you use as an identity provider for all the different logins the users have?

      I mean if the users have 20 different web apps, they don't really want to login with different usernames, passwords, OTP etc for every one of them. But perhaps that is what most people do?

      If you use an identity provider, are users using that to log on to their workstation as well? Also VPNs perhaps, if that is in use?

      I'm trying to figure out what options are commonly deployed, if any.

      posted in IT Discussion
      1
      1337
    • RE: What do you use as an identity provider?

      @Dashrender said in What do you use as an identity provider?:

      Have no type of SSO.
      All systems are separate.

      I think that is pretty common too.

      A lot of SaaS apps also require that you have signed up for the enterprise tier to be able to do SSO. From what I've seen, legacy on-prem software usually needs AD and then from there you can sync to an identity provider.

      posted in IT Discussion
      1
      1337
    • RE: What do you use as an identity provider?

      @scottalanmiller said in What do you use as an identity provider?:

      @Pete-S said in What do you use as an identity provider?:

      You mean if you paid for M365 then you're already using Azure AD as your identity provider in which case JumpCloud serves no purpose?

      For one thing, Azure AD is lacking connectors for normal things like Linux desktops. Doesn't even WORK in our environment or most of our customers, almost none. At most it works for SOME workloads.

      There is another factor as well, which favors an independent identity provider and authentication. When you have everything in one place, you give too much power over your business to a single company. If you have a problem with Microsoft (or Google) all other services will be useless if you tied everything to Azure AD (or Google Identity Services).

      Also changing "Office" apps from Microsoft to Google or to Zoho or whatever you might fancy will have far reaching implications. So less freedom to pick whatever is best for your company.

      posted in IT Discussion
      1
      1337
    • RE: vLANs random question.

      @dafyre said in vLANs random question.:

      The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

      That's a good answer.

      When devices are in the same subnet, traffic doesn't pass any external router/firewall. So any device can access any port on any other device in the subnet.

      When two devices are in different subnets the traffic must pass the router/firewall and you can set up rules there to allow or block certain traffic.

      Being picky here but VLANs are just a way to split switches into virtual switches. It's having different subnets that makes the traffic pass the router.

      posted in IT Discussion
      1
      1337
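      The reply above turns on one rule: a host delivers directly (switch only, no firewall rule can apply) when the destination falls inside its own subnet, and hands the packet to its gateway otherwise. The following is an added example, not code from the thread, that implements that decision for IPv4 and also checks both directions between two hosts, which exposes the misconfiguration case the reply hints at: a host configured with a too-wide mask treats a neighbour in another subnet as local and never sends that traffic through the router. All addresses are constructed sample values.

```javascript
// Added example: decide whether IPv4 traffic stays on the local segment or
// must cross the router/firewall. All addresses are constructed samples.

// Parse dotted-quad IPv4 into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Convert a prefix length (0..32) to a netmask as an unsigned 32-bit integer.
function prefixToMask(prefix) {
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length: ${prefix}`);
  }
  // JS shift counts are taken mod 32, so /0 must be special-cased.
  return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}

// From the point of view of the host configured as srcCidr (e.g. "10.0.1.5/24"),
// is dstIp delivered directly on the segment or via the default gateway?
function pathBetween(srcCidr, dstIp) {
  const [srcIp, prefixStr] = srcCidr.split("/");
  const mask = prefixToMask(Number(prefixStr));
  const sameSubnet = ((ipToInt(srcIp) & mask) >>> 0) === ((ipToInt(dstIp) & mask) >>> 0);
  return sameSubnet ? "local" : "via-router";
}

// Check both directions between two configured hosts. If the answers differ,
// one host has a mask that does not match the network design and will bypass
// the router (and its rules) whenever it shares a VLAN with the other host.
function directions(aCidr, bCidr) {
  const aIp = aCidr.split("/")[0];
  const bIp = bCidr.split("/")[0];
  const aToB = pathBetween(aCidr, bIp);
  const bToA = pathBetween(bCidr, aIp);
  return { aToB, bToA, consistent: aToB === bToA };
}
```

      A result of `{ aToB: "local", bToA: "via-router" }` means host A will ARP for host B directly; whether that succeeds then depends entirely on whether the two are on the same VLAN, which is exactly why subnet separation alone is not an access control.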
    • RE: Migrating to Sharepoint

      SharePoint is such a mess and it's user hostile. If your users had problems before with a single mapped drive, it's going to be chaos when they have files in OneDrive, Teams and SharePoint at the same time. The confusion is going to be never-ending.

      So yeah, good luck with your project, you're going to need it!

      posted in IT Discussion
      1
      1337
    • RE: SQL Server 2019

      @WrCombs said in SQL Server 2019:

      Thanks - I'm looking to move a private client to this. anything I need to keep in mind?

      SQL Server can run a database in compatibility mode and does so by default when you migrate from something older. 2012 however supports older versions than 2019 does, so it's possible to run into problems.

      There are also some breaking changes between versions as well as functionality that has been discontinued. Only advanced SQL applications are likely to run into any of these though. But it's really the job of the application developers to make sure the app is compatible with newer SQL versions.

      I suggest a test run before upgrading production workloads. Or just have the ability to roll back until full functionality has been verified. In most cases there will not be any problems whatsoever.

      posted in IT Discussion
      1
      1337
    • RE: Restrict access to parent folder but allow child folder access

      @fs483

      The only problem you really have is inherited permissions. As you found out, you can't effectively use inherited permissions when you don't want everything to inherit the permission. So you need to use explicit permissions in those cases at the top levels.

      In a larger company you have many groups and employees belong to the groups they need, and then they might have individual permissions added as needed as well.

      I think you just need to give the groups and permissions needed some more thought.

      posted in IT Discussion
      1
      1337