Search Amazon.com:
Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«33 »
  • Post
  • Reply
sneakyfrog
Mar 16, 2011



Fan of Britches

Thanks Ants posted:

I honestly prefer VPN applications vs. trying to explain to people how to configure the built-in VPN diallers. Especially if you are looking at using 2-factor auth since using that with OS native tools tends to mean "type your password and then put the 2FA code after it".

I presume you don't have an AD on-prem that you can utilise as the user directory?

active directory would be the way to go there. I assume you cant spring for even a basic (shudder..perish my vile thought) SBS Server or VM?

Adbot
ADBOT LOVES YOU

Maneki Neko
Oct 27, 2000



Sheep posted:

Maybe the new Meraki MX stuff would work for you? Site-to-site VPN is as close to "press a button and it works" as you can get. Only real downside is the Meraki licensing scheme.

Never heard of anything working with Google Apps for authentication but I've not looked very hard either.

Meraki would do the trick. I've seen this before, it provides RADIUS with a google apps backend, which would work with pretty much any vpn device:

http://cloudessa.com/products/cloudessa-radius-service/

SamDabbers
May 26, 2003

Oh my god...

Lipstick Apathy

SneakyFrog posted:

active directory would be the way to go there. I assume you cant spring for even a basic (shudder..perish my vile thought) SBS Server or VM?

Server 2012 Essentials is actually pretty nice, and nowhere as hobbled and lovely as SBS 2003 was. It also doesn't come with Exchange or SQL server, which might be a big part of why it doesn't suck.

Comedy option: Samba DC

Kwyjibo
Apr 1, 2003


stevewm posted:

Ubiquiti Unifi... https://www.ubnt.com/unifi/unifi-ap-ac/

The AC capable models are about $260 USD. Management software is free and does not require a subscription/support contract/yearly extortion fee. Runs on Linux, Mac, Windows.

For even cheaper, the 2.4Ghz only models (UniFi UAP) are only around $80USD each..

I know this is from a while ago, but we just finished our deployment of UAP-LR's a few weeks ago (11 total for a >500k sqft warehouse) and they've been strong and solid. The controller (management) software was easy to spin up and works decently. The AP's themselves run busybox, so you can ssh in if you want, and I ended up doing to do some basic troubleshooting while we were deploying. There are a couple of weird things:

- Out of 13 units, we had 2 defective.
- 24V PoE. Who does that? And for >85m runs, they get kind of flaky, you may end up needing to get inline 48V->24V voltage regulators from them and just use your powered switch. That fixed the long runs for us.
- DNS suffix doesn't stick when you set a static IP address (which is important if you want to keep the default announcement url). This could be a derp on my side, but I couldn't figure it out and had to hard-code the suffix in the static IP settings.
- "The community" seems to provide an unnerving amount of support that I would rather see come from the company. Which leads to...

NevergirlsOFFICIAL posted:

I was looking at ubiquiti but I'm really concerned about the apparent lack of support. I understand that they ~just work~ but if/when there's a problem it's basically email support only, or use their forums lol. I need to pick up a phone when wifi isn't working.
We've opened a few tickets with them, and they respond pretty quickly, although with people who very clearly do not speak English as their first language and sometimes do not understand your question. One thing we learned through their support is that their zero-handoff feature is caveat emptor -- our old MC9090G's don't play nice with ZH with WPA for whatever reason and so we had to turn it off. Which is too bad, it's a neat idea.

Kwyjibo fucked around with this message at Jul 18, 2015 around 22:04

Thanks Ants
May 21, 2004

Bless you, ants. Blants.




Fun Shoe

The passive PoE is a hangover from when Ubiquiti only did WISP-type radios. Nothing in the point-to-point wireless space seems to use 802.3af/at. It's probably cheaper as well which helps when you are doing APs for $60.

The zero-handoff thing basically sets all the APs to the same channel which makes it awful if you are in a built up environment with other businesses around you since you will definitely hit interference. I've had the most luck with roaming on Aerohive APs with 802.11r enabled - Wi-Fi VoIP handsets can be booted off one AP and associate to another one quick enough for no drop in the audio stream at all.

Kwyjibo
Apr 1, 2003


I guess the passive PoE thing makes sense that way then.

My understanding of zero-handoff is that it sets AP's to the same channel and sets the broadcast mac address to be the same for all AP's, so that they effectively look the same to client devices. In our case we don't have to worry about interference since it's a warehouse and we don't have office neighbors. I can see why having many devices on the same channel would be a problem for a place with a lot of other businesses nearby though. Anyway, we didn't have a business requirement for seamless roaming, but figured if we can turn it on, then why not do so and save the time it takes to reassociate?

NevergirlsOFFICIAL
Apr 24, 2004



Guy Axlerod posted:

I'm looking for a new Security Gateway that will handle Site-to-Site and Client VPN. I'm no expert in this area, and neither is my coworker.

We have about 15 people at my site, and about 5 at the other, and we'd be connecting to AWS as well.

I'd really like it if the client VPN would work with the OS native VPN clients on both OSX and Windows. Failing that, the client needs to be readily available and not be garbage.

I'm asking for a thing that probably doesn't exist here, but it would also be really nice if they somehow used Google Apps to authenticate, because that's the closest thing we have to single sign-on at the moment.

sonicwall + netextender is honestly fine. for that number of people you could run it on a sonicwall firewall itself or do it off a vm.

Guy Axlerod
Dec 29, 2008


Thanks for the advice all.

Last time I looked at the Meraki MX, it sounded like they wouldn't handle the AWS VPN which was a dealbreaker for us. I'll have to look at them again, maybe ask for a trial.

Also, we're 90% OSX, am I wrong in thinking that AD doesn't make sense for us?

sneakyfrog
Mar 16, 2011



Fan of Britches

Guy Axlerod posted:

Thanks for the advice all.

Last time I looked at the Meraki MX, it sounded like they wouldn't handle the AWS VPN which was a dealbreaker for us. I'll have to look at them again, maybe ask for a trial.

Also, we're 90% OSX, am I wrong in thinking that AD doesn't make sense for us?

Ah in that case... yeah no to AD

Thanks Ants
May 21, 2004

Bless you, ants. Blants.




Fun Shoe

Active Directory makes more sense than Open Directory since more stuff integrates with it, though I appreciate the cost to get going is quite steep once you buy CALs etc. How do you currently authenticate to file shares etc?

Meraki MX does work fine with Azure, it just isn't on Microsoft's list. It's just an IPSec VPN tunnel so you really shouldn't have issues with getting anything connected to it, at least nothing that reading the logs from your UTM appliance and Googling around won't be able to fix.

ThinkFear
Sep 14, 2007

igni ferroque


Kwyjibo posted:

One thing we learned through their support is that their zero-handoff feature is caveat emptor -- our old MC9090G's don't play nice with ZH with WPA for whatever reason and so we had to turn it off. Which is too bad, it's a neat idea.
I had the same problem with zh and mc9090's. Zh worked fine with everything else. Motorola had a few patches targeting ZH issues, but they didn't help.

Rhymenoserous
May 23, 2008


Thanks Ants posted:

Active Directory makes more sense than Open Directory since more stuff integrates with it, though I appreciate the cost to get going is quite steep once you buy CALs etc. How do you currently authenticate to file shares etc?

Meraki MX does work fine with Azure, it just isn't on Microsoft's list. It's just an IPSec VPN tunnel so you really shouldn't have issues with getting anything connected to it, at least nothing that reading the logs from your UTM appliance and Googling around won't be able to fix.

Don't forget that pretty much everyone runs AD. This means any goofy hosed up AD error you are getting has already been fixed a million times. I love oddball solutions as much as the next guy until I'm trying to find an answer to an error message w/o shelling out $1000 of support phone calls.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.


Kwyjibo posted:

I guess the passive PoE thing makes sense that way then.

My understanding of zero-handoff is that it sets AP's to the same channel and sets the broadcast mac address to be the same for all AP's, so that they effectively look the same to client devices. In our case we don't have to worry about interference since it's a warehouse and we don't have office neighbors. I can see why having many devices on the same channel would be a problem for a place with a lot of other businesses nearby though. Anyway, we didn't have a business requirement for seamless roaming, but figured if we can turn it on, then why not do so and save the time it takes to reassociate?

We ran into problems when we got above 20-30 clients with ZH enabled. Clients would drop connections, internet was slow as poo poo. Turned off ZH and havent heard a complaint since. Granted, we are located in the middle of a major metropolitan area, so YMMV.

adorai
Nov 2, 2002

10/27/04 Never forget

Grimey Drawer

i messed around with it, and had better luck with minimum rssi. We aren't doing voip over wifi, so a few ms of drop time was not a dealbreaker.

McDeth
Jan 12, 2005


Guy Axlerod posted:

Also, we're 90% OSX, am I wrong in thinking that AD doesn't make sense for us?

We're 100% Mac OS X desktops and an entire Windows backend with Active Directory. In my opinion, Mac OS X Server stopped being viable the day that Apple decided to drop an honest to god server to host it on. That, coupled with their joke of a support infrastructure for businesses, means that any day of the week I'd much rather rely on Dells running Windows server than even go near a Mac running OS X Server if I can help it.

The latest Macs play perfectly well with Active Directory and there are 3rd party apps out there that unlock a lot of the extended functionality of Managed OS X computers hosted on OD.

wwb
Aug 17, 2004



^^^ any specific products to bridge the gap? We've tried a few things and nothing has quite got the job done.

While I'm at it, does anyone have a preferred method of making sure macs get patches -- ours are still on the honor system.

Sheep
Jul 24, 2003


Just got done upgrading our HQ network to an all-Meraki setup. I don't even care that it's midnight and I just got home. It feels so good to finally have some control over the madness that doesn't require some poo poo Java application or screwing with an ASA via the command line, and it's so nice having VLAN tagging and switchport security properly setup. And a separate VLAN for voice. And subnets that make sense. And guest traffic properly isolated. And a wireless setup that doesn't involve BestBuy-bought "network extenders". And and and...



Can't wait to roll this stuff out to all our branch offices and get all of our networks running on the butt.

McDeth
Jan 12, 2005


wwb posted:

^^^ any specific products to bridge the gap? We've tried a few things and nothing has quite got the job done.

While I'm at it, does anyone have a preferred method of making sure macs get patches -- ours are still on the honor system.

Currently using Centrify to allow macs to bind to AD and then use GP's to manage computer and user-specific settings. Other than a pretty cryptic product descriptions, it works pretty well. Since it requires AD to function correctly you might want to invest in a correctly configuring AD forest first though.

If you have all the time in the world, you could try Puppet

Sheep posted:

Just got done upgrading our HQ network to an all-Meraki setup.

Can't wait to roll this stuff out to all our branch offices and get all of our networks running on the butt.

A word of warning about Meraki. I was testing a couple of their AP's and had everything set up all hunky dory. One day I wonder into a satellite office with my laptop to take some notes using Asana and noticed an unsucured, open wi-fi network with our SSID. Turns out that Merakis will occasionally reset themselves to factory default but not retain any of the security settings that you set up, therefore turning themselves into unsecured wireless AP's plugged directly into your LAN.

Fun times. This was a couple of months ago so not sure if that's been fixed yet...

evol262
Nov 30, 2010
#!/usr/bin/perl

McDeth posted:

If you have all the time in the world, you could try Puppet

Puppet doesn't solve this unless you want puppet to configure centrify or to configure ldap.conf and krb5.conf, but then you already need to know how to do it without puppet in order to make a manifest

Sheep
Jul 24, 2003


McDeth posted:

A word of warning about Meraki. I was testing a couple of their AP's and had everything set up all hunky dory. One day I wonder into a satellite office with my laptop to take some notes using Asana and noticed an unsucured, open wi-fi network with our SSID. Turns out that Merakis will occasionally reset themselves to factory default but not retain any of the security settings that you set up, therefore turning themselves into unsecured wireless AP's plugged directly into your LAN.

Fun times. This was a couple of months ago so not sure if that's been fixed yet...

We already started deploying Meraki APs last year in some of our other locations and haven't had any issues whatsoever with them yet. Dunno what happened in your case - did you contact support about that?

McDeth
Jan 12, 2005


Sheep posted:

We already started deploying Meraki APs last year in some of our other locations and haven't had any issues whatsoever with them yet. Dunno what happened in your case - did you contact support about that?

Yup, to be fair it was a defective unit that was for whatever reason unable to pull the proper config without rebooting, but it still was a pretty big wtf moment to somebody in charge of securing a network with sensitive medical data on it.

McDeth
Jan 12, 2005


wwb posted:

While I'm at it, does anyone have a preferred method of making sure macs get patches -- ours are still on the honor system.

AFAIK you're pretty much limited to using OS X server in some capacity to manage patches/releases for Mac OS X.

Sheep
Jul 24, 2003


McDeth posted:

Yup, to be fair it was a defective unit that was for whatever reason unable to pull the proper config without rebooting, but it still was a pretty big wtf moment to somebody in charge of securing a network with sensitive medical data on it.

Someone else posted at some point about a semi-acknowledged issue with some model (I want to say MR26?) of AP that had a run of faulty wireless chipsets. I'm sure I bookmarked the post somewhere but the Meraki hardware guys were basically like "yup it's just jacked, nothing we can do". No idea if they ever got around to fixing it in future production runs or whatever.

Meraki stuff is great when it works but there are occasionally really weird issues with it, it seems. The ease of management and configuration is totally worth dealing with it for us assuming large swathes of our equipment doesn't just up and die one day.

Thanks Ants
May 21, 2004

Bless you, ants. Blants.




Fun Shoe

McDeth posted:

AFAIK you're pretty much limited to using OS X server in some capacity to manage patches/releases for Mac OS X.

http://www.jamfsoftware.com/product...oot-sus-server/

McDeth
Jan 12, 2005


Yes, unfortunately jamfs pricing puts it way out of range for a lot of smbs.

For 50 machine deployment they wanted something like 15k for the license and configuration.

Os x server is what, 100 bucks?

Thanks Ants
May 21, 2004

Bless you, ants. Blants.




Fun Shoe

McDeth posted:

Yes, unfortunately jamfs pricing puts it way out of range for a lot of smbs.

For 50 machine deployment they wanted something like 15k for the license and configuration.

Os x server is what, 100 bucks?

That's a free virtual appliance.

NevergirlsOFFICIAL
Apr 24, 2004



Speaking of Macs when I join macs to the domain (just vanilla no centrify or admitmac) boots go heeeeellllla slow. When I was troubleshooting this it was talking about the workstations looking for domain controllers that no longer exist but even when I tried to specify a one specific very-physically-close domain controller, no help. I ended up having the Macs not on domain and making the users authenticate when they want to connect to network share.

This is obviously the wrong way to do this so what do I do to fix? Will Centrify solve my problem? Is my problem totally weird?

Second question, "we" now want to back up all the workstations in addition to the servers. For Windows we do folder redirs so that takes care of that, but I know Mac home folders are just trash when it comes to Windows. I don't want to get into using something like mozy/crashplan/carbonite but maybe that's the best for desktop...

McDeth
Jan 12, 2005


Thanks Ants posted:

That's a free virtual appliance.

Intteerrrrrrresting

McDeth
Jan 12, 2005


NevergirlsOFFICIAL posted:

Speaking of Macs when I join macs to the domain (just vanilla no centrify or admitmac) boots go heeeeellllla slow. When I was troubleshooting this it was talking about the workstations looking for domain controllers that no longer exist but even when I tried to specify a one specific very-physically-close domain controller, no help. I ended up having the Macs not on domain and making the users authenticate when they want to connect to network share.

This is obviously the wrong way to do this so what do I do to fix? Will Centrify solve my problem? Is my problem totally weird?

What version of Mac OS? We've run into a ton of problems with the loading bar taking forreeeevvveerrrrr (if at all, most of the time the computer freezes) to get to the password screen. Apparently that was a known bug in 10.10.1-3 that's sense been fixed. Although it wasn't a bug that reared its head a ton, the only solution was to reboot the machine, reset PRAM until it decided to get to the loading screen.

Although to be honest a problem with slow loading only when bound to AD is likely a DNS issue...

NevergirlsOFFICIAL posted:

Second question, "we" now want to back up all the workstations in addition to the servers. For Windows we do folder redirs so that takes care of that, but I know Mac home folders are just trash when it comes to Windows. I don't want to get into using something like mozy/crashplan/carbonite but maybe that's the best for desktop...

We use CrashPlan ProE for all of our servers & desktops. It's honestly probably not the best solution for servers because of the lack of bare metals recovery, but for desktops it is bad rear end.

wwb
Aug 17, 2004



Thanks for the hints, I'll check those out.

For macs (and iOS) -- the DNS issue was because they replaced the open source DNS responder with their own homebrewed version had a bunch of problems. This change was rolled back in 10.4 which fixed a lot of DNS related headaches.

NevergirlsOFFICIAL
Apr 24, 2004



McDeth posted:

What version of Mac OS? We've run into a ton of problems with the loading bar taking forreeeevvveerrrrr (if at all, most of the time the computer freezes) to get to the password screen. Apparently that was a known bug in 10.10.1-3 that's sense been fixed. Although it wasn't a bug that reared its head a ton, the only solution was to reboot the machine, reset PRAM until it decided to get to the loading screen.

Although to be honest a problem with slow loading only when bound to AD is likely a DNS issue...
This is exactly what we were seeing... but again only on domain. Why is OSX looking for DNS before even getting to the login screen though?

quote:

We use CrashPlan ProE for all of our servers & desktops. It's honestly probably not the best solution for servers because of the lack of bare metals recovery, but for desktops it is bad rear end.

do you find crashplan causes some undesired behavior with users (as in they just save everything on the desktop because "it's backed up")?

Thanks Ants
May 21, 2004

Bless you, ants. Blants.




Fun Shoe

What happens if you nslookup / dig your AD domain? E.g. nslookup corporation.local ?

Are all the addresses returned valid?

McDeth
Jan 12, 2005


NevergirlsOFFICIAL posted:

Do you find crashplan causes some undesired behavior with users (as in they just save everything on the desktop because "it's backed up")?

I'm not sure why that would be considered undesired behavior, what the hell do I care where people store files on their personal computer?

My users barely even know what the internet is, let alone what Crashplan ProE is. Crashplan is HIGHLY customizable in what kind of files you can tell it to back up, avoid backing up, file paths to back up, file paths to omit, backup frequency, REGEX patterns, etc. It doesn't matter where the users store their files, I can back it up if I want to or I can omit it backing up. The only thing that I avoid is the Microsoft User Data folder since all of our emails are stored on a central server anyway.

evol262
Nov 30, 2010
#!/usr/bin/perl

NevergirlsOFFICIAL posted:

This is exactly what we were seeing... but again only on domain. Why is OSX looking for DNS before even getting to the login screen though?
You can root through the plists to find this out. Hostname resolution early is common, but discoveryd sucks, which is probably the issue

NevergirlsOFFICIAL
Apr 24, 2004



Thanks Ants posted:

What happens if you nslookup / dig your AD domain? E.g. nslookup corporation.local ?

Are all the addresses returned valid?

Will check tomorrow

McDeth
Jan 12, 2005


evol262 posted:

You can root through the plists to find this out. Hostname resolution early is common, but discoveryd sucks, which is probably the issue

FYI upgrading to 10.10.4 removes discoveryd entirely.

Swink
Apr 18, 2006
Left Side <--- Many Whelps

Cross posting from the poo poo thread - is dirsync still the in-thing for O365? What don't I get that I would get if I rolled out ADFS?

Also could someone describe when a user would need to talk to the O365 server? Is it every time they launch Word or is it a once a month licence check like Adobe?

I really need a good primer on this whole 365 business.

Thanks Ants
May 21, 2004

Bless you, ants. Blants.




Fun Shoe

It changed again - https://azure.microsoft.com/en-gb/d...ory-aadconnect/

NevergirlsOFFICIAL
Apr 24, 2004



Swink posted:

Cross posting from the poo poo thread - is dirsync still the in-thing for O365? What don't I get that I would get if I rolled out ADFS?

Also could someone describe when a user would need to talk to the O365 server? Is it every time they launch Word or is it a once a month licence check like Adobe?

I really need a good primer on this whole 365 business.

I'm using ad connect it's fine

the desktops apps will phone home to o365 constantly and I don't know how many days it can go without throwing a warning.

If you're posting in this thread I'm going to go on a limb and say you absolutely do not need ADFS.

Adbot
ADBOT LOVES YOU

NevergirlsOFFICIAL
Apr 24, 2004



Thanks Ants posted:

What happens if you nslookup / dig your AD domain? E.g. nslookup corporation.local ?

Are all the addresses returned valid?

yes it returns 3 domain controller IP addresses that all exist irl

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«33 »