TehRedWheelbarrow
Mar 16, 2011



Fan of Britches
have more cals than people

dont virtualize more than license allowance

have backup copies of everything, and receipts help

-guy who gets audited by MS almost like clockwork every two years


Ham Equity
Apr 16, 2013

i hosted a great goon meet and all i got was this lousy avatar
Grimey Drawer

Internet Explorer posted:

Network+ is a good start. If you feel you are interested in more after that work on your CCNA.
Echoing this.

The A+/Network+ get poo poo on a lot, but as someone whose educational background is in Political Science, studying for them filled in a lot of holes in my knowledge.

Internet Explorer
Jun 1, 2005





sneakyfrog posted:

have more cals than people

dont virtualize more than license allowance

have backup copies of everything, and receipts help

-guy who gets audited by MS almost like clockwork every two years

Microsoft started a new program a few years ago, specifically targeted at SMBs where they do "soft audits." Some random contractor from Microsoft will reach out every year or so to have you do a self-audit so they can sell you things.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We got those people calling for audits and we get all licensing from Softchoice. So we tell the auditors to call them and our sales rep tells em to gently caress off. Works well.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

sneakyfrog posted:

-guy who gets audited by MS almost like clockwork every two years

I don't know how I have never had to deal with an audit.

I'm sure I have one coming now.

Beefstorm
Jul 20, 2010

"It's not the size of the tower. It's the motion of the airwaves."
Lipstick Apathy

Internet Explorer posted:

Microsoft started a new program a few years ago, specifically targeted at SMBs where they do "soft audits." Some random contractor from Microsoft will reach out every year or so to have you do a self-audit so they can sell you things.

That must be the type of audit I have dealt with in the past. It was a third party in Australia, auditing a company on the east coast in the US. What?

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


I had a phone message where I couldn't understand the person at all for the name code or anything. I called support and they told me to just wait for them to call again, I left a year later and never called back while I was there. Basically they could only verify that someone had the company on an audit list, but they wouldn't give me their contract info without a case number (which was unintelligible).

Not like it would have been a problem, all our licences were in the Microsoft portal and to the correct count. The only thing that fucks most people up is CALs, grab user CALs and have 1 for every user account that isn't a service account. You can set up checks fairly easily, especially if you have service accounts in their own OU. Run a PS command to get all active accounts in your user OU and make sure you have at least that many CALs. Everything else will yell at you and not let you use more than you are licenced for. Bonus points if you keep the script updated with your CAL count so you can set it up to email you if you go over and have it run weekly.

I'd really like a "user" CAL that wouldn't let you make new users in AD without a CAL unless you check "service account" which removes the ability to log into the GUI. It'd make it drat near impossible to gently caress up. Keep the regular CAL stuff in play for people who want to deal with that, but it's 2018 and this should be automated.
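One way to script the check pixaal describes above, as an added example that is not from the thread: it counts enabled accounts under the user OU, drops anything in the service-account OU, and mails when the count approaches or passes the purchased user-CAL figure. The OU paths, mail addresses and the CAL number are hypothetical placeholders you would replace with your own.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
# All OU paths, addresses and the CAL figure below are hypothetical placeholders.
Import-Module ActiveDirectory

$PurchasedUserCals = 150                                       # keep in sync with your receipts
$UserOu            = 'OU=Users,OU=Corp,DC=example,DC=com'      # where people accounts live
$ServiceOu         = 'OU=Service Accounts,DC=example,DC=com'   # excluded: no user CAL needed
$MailFrom          = 'cal-check@example.com'
$MailTo            = 'it-alerts@example.com'
$SmtpServer        = 'smtp.example.com'

# Only enabled accounts count. The Where-Object guard also drops service accounts
# in case their OU is nested somewhere under $UserOu.
$people = Get-ADUser -SearchBase $UserOu -SearchScope Subtree -Filter 'Enabled -eq $true' |
    Where-Object { $_.DistinguishedName -notlike "*,$ServiceOu" }

$inUse    = @($people).Count
$headroom = $PurchasedUserCals - $inUse

$report = @"
User CALs purchased   : $PurchasedUserCals
Enabled user accounts : $inUse
Headroom              : $headroom
"@

# Alert when over, and warn before you get there so the purchase can be planned.
if ($headroom -lt 0) {
    $subject = "User CAL count exceeded by $(-$headroom)"
} elseif ($headroom -le 5) {
    $subject = "User CAL headroom down to $headroom"
} else {
    $subject = $null
}

if ($subject) {
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer -UseSsl `
        -Subject $subject -Body $report
}

$report
```

Run it from a weekly scheduled task (`New-ScheduledTaskTrigger -Weekly` plus `Register-ScheduledTask`) under an account that can read the user OU. The exclusion is purely by OU, which is why the service accounts need to live in their own OU for the number to mean anything; and because only enabled accounts are counted, disabling leavers promptly is what keeps the figure honest.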

Thanks Ants
May 21, 2004

#essereFerrari


There's no justification for CALs when the server license is priced at what it is

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


Thanks Ants posted:

There's no justification for CALs when the server license is priced at what it is

I assume the original fear behind why CALs exist is if technology keeps progressing people will only need one server for tens of thousands of people. You would need to buy desktop licenses for all of them, but let's step back and say a new rival desktop OS comes out that replaces windows desktop, but doesn't replace windows server.

You now get paid for each of the people using Linux or whatever else too. With per-core licensing this is no longer an issue and I'm not sure I'd opt to run Windows Servers in a shop that used a different Desktop OS. It's still around because of inertia at this point, at least they are cheap. They could also just make it each Windows Client counts as a device CAL, hell that might help push Windows phones into business since you'd need a CAL for an iPhone.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Microsoft 365 basically rolls all your CALs into a single subscription, if I recall correctly. So that's the "easy" licensing path forward, just pay X dollars per month per head and be done with it.

CampingCarl
Apr 28, 2008




On this topic I have been asked to P to V some old server 2k3 era stuff and this may make windows prompt for activation again. Is all I need to do is extract the key from the current machine and enter it again or am I going to have to go through a whole bunch of hoops?


I also need to find a tape drive and backup software as we have some VMs that are not allowed to back up to the cloud. Maybe I am missing something but it seems harder than it should be to get quotes on this stuff.

Spring Heeled Jack
Feb 25, 2007

If you can read this you can read

CampingCarl posted:

On this topic I have been asked to P to V some old server 2k3 era stuff and this may make windows prompt for activation again. Is all I need to do is extract the key from the current machine and enter it again or am I going to have to go through a whole bunch of hoops?


I also need to find a tape drive and backup software as we have some VMs that are not allowed to back up to the cloud. Maybe I am missing something but it seems harder than it should be to get quotes on this stuff.

I’ve had to do this exactly one time, but I remember having to run a repair install to get the Windows OS version from OEM to VL or whatever before I could reactivate. It was a pain in the rear end but we have datacenter licensing for all of our hosts so I could give less of a poo poo what key a server has so long as it’s activated and functioning.

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$

CampingCarl posted:

I also need to find a tape drive and backup software as we have some VMs that are not allowed to back up to the cloud. Maybe I am missing something but it seems harder than it should be to get quotes on this stuff.

I vaguely recall the AWS storage gateway lets you set a local backup target (or maybe it was just giving it a large amount of local cache?) and presents itself to the OS as a virtual iSCSI tape drive that works with Veeam. It's been a while since I played with it, though. Look into it if you haven't.

Edit: actually just get a local storage target and point Veeam at it, no need to use the storage gateway.

Thanks Ants
May 21, 2004

#essereFerrari


Point Veeam at a Synology NAS or similar, have one SMB share for things that can go to the cloud and one share for things that can't.

Digital_Jesus
Feb 10, 2011

Veeam + *insert remote storage option here* is always the answer.

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


Thanks Ants posted:

Point Veeam at a Synology NAS or similar, have one SMB share for things that can go to the cloud and one share for things that can't.

You can even thin provision with a Synology so you don't have to declare 20% of it is for non cloud and 80% of it is for cloud. Each partition will just keep growing until the entire array is out of space (you still want to keep an eye on it, but both Synology and Veeam should yell at you if you set up email notifications when you start running low).

Potato Salad
Oct 23, 2014

nobody cares


Just check that full recovery of your environment by Veeam Data Mover Agent would run in an acceptable amount of time, as you won't benefit from storage appliance integration features like instant rollback on prod tier snapshots

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

The Fool posted:

Split tunnel VPN doesn't solve the DNS issue.

One solution is to have a local device do DNS and DHCP.

I like having an AD server at the remote site doing the DNS and DHCP. But for a site that small, the licensing will cost more than the hardware and it may be a hard sell.

e: You could also have your remote site edge device serve DHCP and set the primary DNS to HQ and secondary DNS to your ISP/Google

This is the solution.

Set up split tunnel on your VPN links and set up dhcp to use the following order:

1. home office DNS server
2. Local satellite dns server [if exists]
3. ISP / Google DNS

You’ll have DNS forwarding set up on your dns servers to forward non-local requests out to your isp, and the local DNS is purely in case the link goes down.

And a small Atom-based mini desktop plus a license will run you less than a thousand dollars and might be a good sell, though it does increase management time. YMMV.
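The branch DHCP and DNS set-up Agrikk lays out above, as an added example that is not from the thread: it assumes the small box at the satellite site is a Windows server carrying the DHCP Server and DNS Server roles, and every address, scope and domain name is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Assumes a Windows server at the branch
# running the DHCP Server and DNS Server roles (their cmdlets ship with the roles,
# Windows Server 2012 or later). Addresses and names are hypothetical placeholders.
$HqDns     = '10.0.0.10'        # 1. head-office DNS, reachable across the VPN
$BranchDns = '10.1.0.10'        # 2. this server's own DNS service
$PublicDns = '8.8.8.8'          # 3. last resort when the tunnel is down
$ScopeId   = '10.1.0.0'
$Router    = '10.1.0.1'
$DnsDomain = 'corp.example.com'

# Branch DHCP scope; DHCP option 6 hands clients the resolver list in this order.
Add-DhcpServerv4Scope -Name 'Branch LAN' -StartRange 10.1.0.100 -EndRange 10.1.0.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 1)
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router -DnsDomain $DnsDomain `
    -DnsServer $HqDns, $BranchDns, $PublicDns

# The branch DNS server holds the internal zones (AD-integrated) and forwards
# everything it is not authoritative for out to the ISP instead of walking root hints.
Set-DnsServerForwarder -IPAddress $PublicDns -UseRootHint $false

# Verify what a client will actually be handed (router, DNS servers, DNS suffix)
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Where-Object OptionId -in 3, 6, 15
Get-DnsServerForwarder
```

One behaviour worth knowing when you rely on that ordering: the Windows DNS client treats option 6 as a preference list, only moving to the next entry on timeout, and once it has failed over it may keep using the later server for a while. So during a tunnel outage clients can land on the public resolver and then fail to resolve internal names until they fall back, which is the case for keeping the public entry last.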

Albinator
Mar 31, 2010

Had a nice moment last night as we migrated some machines from an on-premises VMware setup to Azure. As we completed a file server move (that happened to also be a domain controller, because it was set up by idiots), vCenter suddenly completely poo poo the bed. Sure enough, resolv.conf turned out to have a single line entry for the file server we'd just moved. Proving once again that it's loving morons all the way down.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Happiness Commando posted:

I vaguely recall the AWS storage gateway lets you set a local backup target (or maybe it was just giving it a large amount of local cache?) and presents itself to the OS as a virtual iSCSI tape drive that works with Veeam. It's been a while since I played with it, though. Look into it if you haven't.

Edit: actually just get a local storage target and point Veeam at it, no need to use the storage gateway.

I opted for copy-jobs of backups to storage gateway iSCSI target, and daily snapshotting those. There is nobody here who would get recovering from VTL so it's best to present them the easiest methods to restore.

Dans Macabre
Apr 24, 2004


I have a small client that is all Macs and getting rid of their physical office. They will not need Active Directory anymore. Any gotchas about simply disabling AD Sync on their O365 environment?

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

NevergirlsOFFICIAL posted:

I have a small client that is all Macs and getting rid of their physical office. They will not need Active Directory anymore. Any gotchas about simply disabling AD Sync on their O365 environment?
Just pay attention to the password policy in O365. Last thing you want is a single day every 60 days where every single password expires and everyone's calling you to help them log back in.
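A way to check for the expiry cliff nexxai warns about before turning sync off, as an added example that is not from the thread. It uses the MSOnline module, which was the current tooling when this was posted in 2018 (Microsoft has since retired it in favour of Microsoft Graph), and the domain name is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Uses the MSOnline module (current in 2018,
# since retired in favour of Microsoft Graph). Domain name is a hypothetical placeholder.
Import-Module MSOnline
Connect-MsolService

$Domain = 'contoso.com'   # the tenant's verified domain, hypothetical

# 1. What does the cloud password policy look like today? ValidityPeriod is in days.
$policy = Get-MsolPasswordPolicy -DomainName $Domain
$policy

# 2. Synced users carry their on-prem last-changed timestamp. Anyone whose password
#    is older than ValidityPeriod is treated as expired as soon as the cloud policy
#    starts applying to them, which is what happens once they stop being synced.
$cutoff = (Get-Date).AddDays(-[int]$policy.ValidityPeriod)
$atRisk = Get-MsolUser -All | Where-Object {
    $_.LastDirSyncTime -and
    -not $_.PasswordNeverExpires -and
    $_.LastPasswordChangeTimestamp -and
    $_.LastPasswordChangeTimestamp -lt $cutoff
}
$atRisk | Select-Object UserPrincipalName, LastPasswordChangeTimestamp

# 3. Decide before flipping the switch: either widen the tenant policy (730 days is the max)...
Set-MsolPasswordPolicy -DomainName $Domain -ValidityPeriod 730 -NotificationDays 14
# ...or exempt the affected accounts individually:
# $atRisk | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -PasswordNeverExpires $true }

# 4. Only then turn off directory sync. Microsoft documents the cut-over as taking up
#    to 72 hours; the flag below reports whether it has completed.
Set-MsolDirSyncEnabled -EnableDirSync $false
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
```

The list from step 2 is also the list of people to warn in advance, and running it against a tenant where everyone shows up is the sign that the on-prem domain never enforced expiry at all, in which case the policy decision in step 3 needs making consciously rather than by default.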

spiny
May 20, 2004

round and round and round
Anyone got any tips for making rules using Trend Micro Hosted Email Security ?

we have it for our hosted 365 and I would like to create a rule that adds a subject tag to messages sent to an alias of an account, but I can't seem to figure out how to make it trigger.

we have support@company that has an alias of info@company.

I'd like to tag messages to info@company with [sales crap] as thats the email we give out to cold callers to get them off the phone.

Not giving out an email address is beyond my powers currently, so I can't change that.

I've tried setting the info@company as the recipient in the rule, but it never matches.

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


spiny posted:

Anyone got any tips for making rules using Trend Micro Hosted Email Security ?

we have it for our hosted 365 and I would like to create a rule that adds a subject tag to messages sent to an alias of an account, but I can't seem to figure out how to make it trigger.

we have support@company that has an alias of info@company.

I'd like to tag messages to info@company with [sales crap] as thats the email we give out to cold callers to get them off the phone.

Not giving out an email address is beyond my powers currently, so I can't change that.

I've tried setting the info@company as the recipient in the rule, but it never matches.

Set up a separate shared mailbox. Shared mailboxes are free on Office 365.

spiny
May 20, 2004

round and round and round

pixaal posted:

Set up a separate shared mailbox. Shared mailboxes are free on Office 365.

good plan :)

spiny
May 20, 2004

round and round and round

pixaal posted:

Set up a separate shared mailbox. Shared mailboxes are free on Office 365.



thanks again, got it working :)

CampingCarl
Apr 28, 2008




We have a bunch of terminals that are only used to remote desktop into a server for data entry and I have been asked to look into using NUCs instead of normal PCs. The idea seems fine but I am not sure what needs to be on the NUC to make that happen. I find lots of info on the hardware but not as much on the thin clients.

Spring Heeled Jack
Feb 25, 2007

If you can read this you can read

CampingCarl posted:

We have a bunch of terminals that are only used to remote desktop into a server for data entry and I have been asked to look into using NUCs instead of normal PCs. The idea seems fine but I am not sure what needs to be on the NUC to make that happen. I find lots of info on the hardware but not as much on the thin clients.

They make pre built thin clients for this exact purpose that won’t require you to buy and build NUCs. You’ll also get the benefit of some central management of the devices.

CampingCarl
Apr 28, 2008




Spring Heeled Jack posted:

They make pre built thin clients for this exact purpose that won’t require you to buy and build NUCs. You’ll also get the benefit of some central management of the devices.
Just to be clear I am talking about finding info on the software/OS itself, like OpenThinClient.

dogstile
May 1, 2012

fucking clocks
how do they work?
I've been asked to look into CCTV for a shop that my boss owns the property of. It needs to be sharp enough to recognise faces and I need to be able to store/auto cycle the data without actually being there.

I've never done anything like this before, anyone got a good idea of where to start? UK suppliers would be handy if you can help, if not general advice is appreciated.

Jack the Lad
Jan 20, 2009

Feed the Pubs

dogstile posted:

I've been asked to look into CCTV for a shop that my boss owns the property of. It needs to be sharp enough to recognise faces and I need to be able to store/auto cycle the data without actually being there.

I've never done anything like this before, anyone got a good idea of where to start? UK suppliers would be handy if you can help, if not general advice is appreciated.

I'm also in the UK and looked into this recently.

Depending on your budget and use case the Meraki kit is actually pretty good. It stores video on the camera (so theoretically someone can take the camera and you don't have the recording, but you also don't need anything else to make it work, just PoE/internet) and you can do analytics and motion heatmaps and whatever from the cloud interface. It was something like £530/camera and £88/year licensing. Easy to remote manage.

If you are on a complete shoestring there are various consumer options which talk to smartphone apps for £cheap but which are more about the realtime feed with maybe motion sensor alerting on the app than storing footage.

Otherwise there's the traditional talk to an alarm/camera/lock company approach, where they come out and install cameras which pass the footage back to some weird old software on an old PC (or whatever you like). Varies but in my case (4 cameras) would have been about ~£3k all in with no ongoing (pay per use for maintenance/replacement/whatever).

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


Synology has a line of NAS for storing camera footage. You might want to look at that if you want all your video centrally located and not on cam. Both methods are valid and it's going to be a personal choice there. I haven't used Synology's camera software but every camera system I've seen that was already setup had lovely software so I can't say I recommend anything.

You really want to throw this onto a vendor if possible; Cameras seem IT related and you can get them to work just fine, but laying out proper coverage is not a normal IT skill set. Sure you should know how to do wireless (ideally you have a professional place map this properly for you too). You are putting cameras in for a reason, you want them to be optimal. If that adds a few grand to the total so be it. If that's more than what you are attempting to protect is worth, you probably just want a fake camera as a deterrent. It's an option to keep in mind, since I've seen a vendor bill in the $20,000 range to attempt to prevent under $200 in losses a year. It is not your job to do the math, but you should provide the options and the numbers from your end, tell them to fill in the other numbers and see if it's worth doing in the first place.

pixaal fucked around with this message at 15:19 on Oct 24, 2018

dogstile
May 1, 2012

fucking clocks
how do they work?
Fantastic. I've had a brief look and given them options, but as I won't physically be on site i've suggested they go with a vendor. I don't want anything to do with it and I don't want to start getting loaned out to all the various businesses my boss lets out his properties too.

Well, I mean, he can, but i'd be asking for a significant pay bump.

I'll let you know if we go ahead with it. The property tenant might move out of the shop because she's being harassed by local kids anyway. I suggested hiring a dude with a big stick, as a sidenote.

Ham Equity
Apr 16, 2013

i hosted a great goon meet and all i got was this lousy avatar
Grimey Drawer

dogstile posted:

Fantastic. I've had a brief look and given them options, but as I won't physically be on site i've suggested they go with a vendor. I don't want anything to do with it and I don't want to start getting loaned out to all the various businesses my boss lets out his properties too.

Well, I mean, he can, but i'd be asking for a significant pay bump.

I'll let you know if we go ahead with it. The property tenant might move out of the shop because she's being harassed by local kids anyway. I suggested hiring a dude with a big stick, as a sidenote.

They should most definitely use a loving vendor. Security cameras are their own pretty specialized field, and managing to get images you can pull faces from involves experience and expertise, not just your IT person Googling some poo poo.

eames
May 9, 2009

Is it a common/accepted practice to run a public guest WiFi off the same firewall as the internal one(s) or should I push our contractor to keep it on a separate box? The ISP provides us multiple public IPs/ethernet ports on the router so it wouldn't be hard to just set up an extra device.
Our venue has ~250 devices (peak), 40 Unifi APs, 500 Mbit WAN and the firewall is pfsense on a quadcore machine. This of course all assumes the setup is done by certified professionals. My worry isn't so much about security but about something on the guest lan causing resource problems on the firewall that potentially takes all other internal networks down. The contractor thinks it'll be fine with one box. Any thoughts would be welcome.

Rick
Feb 23, 2004
When I was 17, my father was so stupid, I didn't want to be seen with him in public. When I was 24, I was amazed at how much the old man had learned in just 7 years.

dogstile posted:

I've been asked to look into CCTV for a shop that my boss owns the property of. It needs to be sharp enough to recognise faces and I need to be able to store/auto cycle the data without actually being there.

I've never done anything like this before, anyone got a good idea of where to start? UK suppliers would be handy if you can help, if not general advice is appreciated.

For what it's worth we've talked about this quite a bit in the Inspect your Gadgets Home Automation thread. If you can search it, smart people give me (dumb person) good feedback on the subject.

But everyone is right that outsourcing it is the best bet, but unfortunately at my job it's not going to happen.

The Fool
Oct 16, 2003


eames posted:

Is it a common/accepted practice to run a public guest WiFi off the same firewall as the internal one(s) or should I push our contractor to keep it on a separate box? The ISP provides us multiple public IPs/ethernet ports on the router so it wouldn't be hard to just set up an extra device.
Our venue has ~250 devices (peak), 40 Unifi APs, 500 Mbit WAN and the firewall is pfsense on a quadcore machine. This of course all assumes the setup is done by certified professionals. My worry isn't so much about security but about something on the guest lan causing resource problems on the firewall that potentially takes all other internal networks down. The contractor thinks it'll be fine with one box. Any thoughts would be welcome.

I always recommend having public wifi on a separate internet connection from the business. It's not just about security, but also for service quality and liability.

wolrah
May 8, 2006
what?

eames posted:

Is it a common/accepted practice to run a public guest WiFi off the same firewall as the internal one(s) or should I push our contractor to keep it on a separate box? The ISP provides us multiple public IPs/ethernet ports on the router so it wouldn't be hard to just set up an extra device.
Our venue has ~250 devices (peak), 40 Unifi APs, 500 Mbit WAN and the firewall is pfsense on a quadcore machine. This of course all assumes the setup is done by certified professionals. My worry isn't so much about security but about something on the guest lan causing resource problems on the firewall that potentially takes all other internal networks down. The contractor thinks it'll be fine with one box. Any thoughts would be welcome.

I'm with The Fool, it's best to separate guest networks from production in any way possible. If available I recommend getting a separate connection from the local broadband company specifically for that purpose. Since it's guest only it doesn't have to be symmetric or have a SLA.

At minimum have guest traffic going out its own IP, and preferably through its own firewall.

The former means that if your guests start loving around it will be less likely to result in problems for your business IPs, the latter makes it so that even configuration errors shouldn't allow guests on to the company LAN.

redeyes
Sep 14, 2002

by Fluffdaddy

eames posted:

Is it a common/accepted practice to run a public guest WiFi off the same firewall as the internal one(s) or should I push our contractor to keep it on a separate box? The ISP provides us multiple public IPs/ethernet ports on the router so it wouldn't be hard to just set up an extra device.
Our venue has ~250 devices (peak), 40 Unifi APs, 500 Mbit WAN and the firewall is pfsense on a quadcore machine. This of course all assumes the setup is done by certified professionals. My worry isn't so much about security but about something on the guest lan causing resource problems on the firewall that potentially takes all other internal networks down. The contractor thinks it'll be fine with one box. Any thoughts would be welcome.

Just get a separate router. Costs what, $100 bux at most?!

quote:

At minimum have guest traffic going out its own IP, and preferably through its own firewall.

Yeah and what if a guest downloads the latest blockbuster movie torrent on your business IP address. Not good things anyhow.

This can easily be done with VLANs as well.


eames
May 9, 2009

redeyes posted:

Just get a seperate router. Costs what, $100 bux at most?!

Their main argument is maintenance overhead and the fact the same WiFi will eventually provide access to the internal LANs via a separate WPA2 encrypted SSID anyway (which I'm hesitant about due to security concerns :tinfoil:).

redeyes posted:

Yeah and what if a guest downloads the latest blockbuster movie torrent on your business IP address. Not good things anyhow.

This can easily be done with VLANs as well.

It's pretty easy to get pfsense to NAT one interface out through its own external IP (using multiple virtual IPs on one physical WAN interface) but I think you all are right despite the argument of the contractor, for now I'll sleep better knowing that the guest network is on its own box.
