    Posts

    • RE: New customer - greenfield setup

      @gjacobse said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      @gjacobse said in New customer - greenfield setup:

      Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes - is the Wi-Fi and VLANs.

      We have iPads for certain tasks... we have a few RING cameras as well. In some cases - they only need to go to the internet - so they are routed as such.

      The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camera only needs access to RING.

      These are my thoughts as well, it's one of the drawbacks to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
      Production
      IOT - internet only
      Guest
      medical equipment - future potential

      lol - well as much as I don't like them - we use Cisco and Meraki... I think we have almost 30 vlans and a dozen SSIDs.. but some are getting added to retire others.

      knock wood beyond the price I can't say anything too bad about Meraki for wireless.... firewalls is another topic, but we've got their wireless deployed at 10 or so sites and it just works. The only thing I've had to do that's a bit outside the norm is script a nightly reboot of the antennas and it was set up strictly as a peace of mind thing as the gear is getting on in age.

      posted in IT Discussion
      notverypunny
    • RE: New customer - greenfield setup

      @dashrender said in New customer - greenfield setup:

      @notverypunny said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      @notverypunny said in New customer - greenfield setup:

      For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

      Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.

      Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.

      I personally do refuse to use any guest WiFi that requires the installation of a third party cert to use. That said - I can only recall this happening one time.

      I'm not against DNS filtering - all the things Pete.S mentioned, but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sued for breach of privacy.

      Absolutely this too. A FW shouldn't have to do anything like MiTM for basic webfiltering, just block traffic out to undesirable sites. Your subscription service is keeping that list of sites up to date and accessible to you..... The SO's place of work wants to do DPI / MiTM on their guest wifi, so guess whose data plan got upgraded recently.

      posted in IT Discussion
      notverypunny
    • RE: New customer - greenfield setup

      @dashrender said in New customer - greenfield setup:

      @notverypunny said in New customer - greenfield setup:

      For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

      Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.

      Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.

      posted in IT Discussion
      notverypunny
    • RE: New customer - greenfield setup

      For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

      posted in IT Discussion
      notverypunny
    • RE: ER-X firmware Upgrade

      There's mention of a tftp recovery option in the link below:

      https://community.ui.com/questions/EdgeRouter-X-bricked-after-factory-reset/12c82f1b-8fd1-47ec-9a92-88ec81ea208b

      Don't know if it still applies but might be worth trying.

      Also:
      https://help.ui.com/hc/en-us/articles/360018189493-EdgeRouter-Manual-TFTP-Recovery#4

      and
      https://help.ui.com/hc/en-us/articles/360019289113

      posted in IT Discussion
      notverypunny
    • RE: TacticalRMM issue today, anyone else?

      @dustinb3403 said in TacticalRMM issue today, anyone else?:

      Sounds like you're using this in production, correct?

      Truth. It's not the only remote tool that we're using, but it's a nice backup / complement to our other options.

      posted in IT Discussion
      notverypunny
    • RE: ER-X firmware Upgrade

      @pmoncho I don't think it's bricked, but I seem to recall problems when going from the 1 series to 2... IIRC part of the problem might be that the button inside that pinhole for the paperclip reset is a bugger to actually hit and hold... I can't say with 100% certainty whether it was the ER-X or one of my dd-wrt projects that I ended up having to hold the paperclip / pinhole reset for something crazy like 5 minutes for things to play nice.

      posted in IT Discussion
      notverypunny
    • RE: TacticalRMM issue today, anyone else?

      @stuartjordan
      Yeah, the fix was pushed yesterday evening from what I can see and is working great this morning.

      So far I love it, the only thing that I would change is have a SN check or some other validation to avoid duplicating objects if the agent is uninstalled and re-installed.

      Few techs using it in our setup (less than 5 concurrent at any given time) but should be something north of 500 devices. Actually trying to clean things up this morning as I messed things up with some scripting from our main inventory and deployment system.

      posted in IT Discussion
      notverypunny
    • RE: Patch your Windows DCs - else they will break in July 2022 from a patch

      @dashrender said in Patch your Windows DCs - else they will break in July 2022 from a patch:

      @notverypunny said in Patch your Windows DCs - else they will break in July 2022 from a patch:

      How about this month's updates that sent 2 of our DCs into a wonderful boot loop first thing this morning...

      it could be related.

      Here's the article that saved us
      https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/

      Had to boot the VMs without networking and remove KB5009624 and KB5009595 as they were both 2012R2.

      posted in IT Discussion
      notverypunny
    • TacticalRMM issue today, anyone else?

      Wondering if it's something just for me or if anyone else is having this issue. Took a snapshot of the server before updating but discarded it when the upgrade and other functions appeared to all work correctly.

      https://github.com/wh1te909/tacticalrmm/issues/933

      Basically the reboot function doesn't work any more from the web GUI.

      posted in IT Discussion
      notverypunny
    • RE: Patch your Windows DCs - else they will break in July 2022 from a patch

      How about this month's updates that sent 2 of our DCs into a wonderful boot loop first thing this morning...

      posted in IT Discussion
      notverypunny
    • RE: NTFS Permissions Tools

      Depending on what you're looking for, AccessEnum from sysinternals might be suitable.

      You indicate that you want to know "Who has access to what", this is more of a "what's accessible to who" report, so it may or may not do what you're looking for.

      It generates a report in txt but the formatting is compatible with csv ( just change the file extension to csv and you're good)

      posted in IT Discussion
      notverypunny
    • RE: Nextcloud 23

      @stuartjordan said in Nextcloud 23:

      You just go to configuration > Nextcloud Office > and select use this server.

      Nice 🙂

      posted in IT Discussion
      notverypunny
    • RE: Nextcloud 23

      @stuartjordan Are they truly built-in or does it still require a linked onlyoffice or collabora install?

      posted in IT Discussion
      notverypunny
    • RE: Miscellaneous Tech News

      @dustinb3403 said in Miscellaneous Tech News:

      University loses 77TB of research data due to backup error

      Just saw it on slashdot.... talk about a bad way to end the year.

      posted in News
      notverypunny
    • RE: Why was the BSOD Blue?

      @gjacobse said in Why was the BSOD Blue?:

      @dashrender said in Why was the BSOD Blue?:

      @gjacobse said in Why was the BSOD Blue?:

      The (BSOD) thing is - that for some reason I can't play any YT video some parts of the day. Open anything and all you get is the swirly loading icon. But, you can click the timeline and see that content is there, regardless of browser... And no one can tell me why - as we don't block it or throttle it. People are playing Spotify at the same time - so it's bandwidth issue either.....

      I've had issues like that before too - never found a solution.

      I would test cross platform, but since I get 'yelled at' for Powershell, I'm not putting Linux on the network.

      Not to give your network / sec guys any problems, but run it in VirtualBox with the network set to NAT... then from the perspective of the ones doing the yelling it should only be seen as just another app.

      posted in IT Discussion
      notverypunny
    • RE: windows based FREE imaging app

      @obsolesce said in windows based FREE imaging app:

      @dashrender said in windows based FREE imaging app:

      @obsolesce said in windows based FREE imaging app:

      @dashrender said in windows based FREE imaging app:

      they generally come with AV and other crap you don't want at purchase

      Oh I see, that sucks. Are the company devices being bought from Walmart or something?

      Seriously?

      I order these from DCW. I haven't had a laptop not come with at least some third party AV in ages...

      I suppose one of the reasons to not order Dell/HP, or at least not the default stuff.

      Can't speak to HP, but with Dell, unless you get set up with their imaging program (you provide them with your desired stock image and it's $$$ from what I recall) they're sending you their stock OEM image with a significant amount of bloat-ware. In a corporate / enterprise setup consistency is king so it's normal that you want to reimage with something that's tested and known to play nice in your environment.

      posted in IT Discussion
      notverypunny
    • RE: windows based FREE imaging app

      @siringo said in windows based FREE imaging app:

      @notverypunny said in windows based FREE imaging app:

      @siringo said in windows based FREE imaging app:

      @dashrender said in windows based FREE imaging app:

      It's not windows based - but Clonezilla does what you want, and you can figure out the script/command line for it too.

      Does clonezilla run off a usb stick?? I need something that doesn't require a network.

      Yes, I can't recall if you can have the image repo on the bootable media since it's been a while, but it's definitely an off-line option. When I was using it the USB sticks I could afford weren't big enough to hold an image so it was a USB to boot and an external HDD for the images.

      Yep, sounds like what I'll do.

      They've released a Lite version so you don't need a server anymore, runs off a USB. I'm checking it out now.

      I think you're looking for the live version: https://clonezilla.org/clonezilla-live.php

      From what I'm seeing, the Lite version looks like it still wants to use a network source as the image repo.

      posted in IT Discussion
      notverypunny
    • RE: windows based FREE imaging app

      @siringo said in windows based FREE imaging app:

      @dashrender said in windows based FREE imaging app:

      It's not windows based - but Clonezilla does what you want, and you can figure out the script/command line for it too.

      Does clonezilla run off a usb stick?? I need something that doesn't require a network.

      Yes, I can't recall if you can have the image repo on the bootable media since it's been a while, but it's definitely an off-line option. When I was using it the USB sticks I could afford weren't big enough to hold an image so it was a USB to boot and an external HDD for the images.

      posted in IT Discussion
      notverypunny
    • RE: Your choice for 24 port PoE switch?

      Used HP procurve from ebay... if it dies they have a lifetime warranty

      You can usually pick up something like a 2530 24G for not too much.

      https://www.ebay.com/itm/193536665656?hash=item2d0faf2838:g:8GoAAOSwAnZgdhzU

      Depends on your use-case and budget though.

      posted in IT Discussion
      notverypunny