Thanks Ants posted:
> I honestly prefer VPN applications vs. trying to explain to people how to configure the built-in VPN diallers. Especially if you are looking at using 2-factor auth since using that with OS native tools tends to mean "type your password and then put the 2FA code after it".

Active Directory would be the way to go there. I assume you can't spring for even a basic (shudder..perish my vile thought) SBS Server or VM?

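The "type your password and then put the 2FA code after it" convention the quoted post mentions is exactly what the RADIUS side has to untangle when a native VPN client offers only one password field. The example below is added here and is not code from the thread or from any product discussed in it: it splits the combined credential, checks the static part in constant time, and verifies the tail as a TOTP (RFC 6238 over HOTP, RFC 4226) using only the standard library. The user record, the seed (the RFC 6238 test seed) and the timestamps are constructed.

```python
"""Added example, not from the thread: what a RADIUS/VPN back end has to do
when a native VPN client gives users only one password field and the 2FA
code is typed after the password. The OTP side is TOTP (RFC 6238) built on
HOTP (RFC 4226) with the standard library only. The user record, secret and
timestamps below are constructed (the secret is the RFC 6238 test seed)."""
import hashlib
import hmac
import struct

OTP_DIGITS = 6
TOTP_STEP = 30   # seconds per TOTP window
TOTP_SKEW = 1    # windows accepted either side of the server clock

# Constructed user record: static password plus the shared TOTP seed.
USER_PASSWORD = "hunter2"
USER_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def split_credential(combined: str, digits: int = OTP_DIGITS):
    """The 'password then code' convention: the OTP is the last `digits`
    characters of what was typed. Returns (password, otp) or None."""
    if len(combined) <= digits:
        return None
    password, otp = combined[:-digits], combined[-digits:]
    if not otp.isdigit():
        return None
    return password, otp


def verify(combined: str, expected_password: str, secret: bytes,
           now: int, last_counter: int):
    """Check password and OTP. Returns (accepted, new_last_counter); the
    window of the last accepted code is stored so a captured code cannot
    be replayed inside the skew."""
    parts = split_credential(combined)
    if parts is None:
        return False, last_counter
    password, otp = parts
    # Constant-time compares so neither half leaks a timing side channel.
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False, last_counter
    base = now // TOTP_STEP
    for counter in range(base - TOTP_SKEW, base + TOTP_SKEW + 1):
        if counter <= last_counter:
            continue  # window already consumed (replay) or older than last success
        if hmac.compare_digest(hotp(secret, counter), otp):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: window 1, code 287082 for this seed
    ok, last = verify(USER_PASSWORD + totp(USER_SECRET, now), USER_PASSWORD, USER_SECRET, now, -1)
    replay, _ = verify(USER_PASSWORD + "287082", USER_PASSWORD, USER_SECRET, now, last)
    print("first use accepted:", ok, "/ replay accepted:", replay)
```

The convention only works because the OTP has a fixed length; a password that itself ends in six digits is still split correctly, but a client that trims or pads the field will break it, which is one reason the quoted post prefers a dedicated VPN client with its own OTP prompt. Storing the last accepted window per user is what stops the same code being accepted twice within the skew.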
# ? Sep 23, 2023 15:39 |
Sheep posted:
> Maybe the new Meraki MX stuff would work for you? Site-to-site VPN is as close to "press a button and it works" as you can get. Only real downside is the Meraki licensing scheme.

Meraki would do the trick. I've seen this before; it provides RADIUS with a Google Apps backend, which would work with pretty much any VPN device: http://cloudessa.com/products/cloudessa-radius-service/

SneakyFrog posted:
> Active Directory would be the way to go there. I assume you can't spring for even a basic (shudder..perish my vile thought) SBS Server or VM?

Server 2012 Essentials is actually pretty nice, and nowhere near as hobbled and lovely as SBS 2003 was. It also doesn't come with Exchange or SQL Server, which might be a big part of why it doesn't suck. Comedy option: Samba DC

stevewm posted:
> Ubiquiti Unifi... https://www.ubnt.com/unifi/unifi-ap-ac/

I know this is from a while ago, but we just finished our deployment of UAP-LRs a few weeks ago (11 total for a >500k sqft warehouse) and they've been strong and solid. The controller (management) software was easy to spin up and works decently. The APs themselves run BusyBox, so you can SSH in if you want, and I ended up doing so to do some basic troubleshooting while we were deploying. There are a couple of weird things:

- Out of 13 units, we had 2 defective.
- 24V PoE. Who does that? And for >85m runs, they get kind of flaky; you may end up needing to get inline 48V->24V voltage regulators from them and just use your powered switch. That fixed the long runs for us.
- DNS suffix doesn't stick when you set a static IP address (which is important if you want to keep the default announcement URL). This could be a derp on my side, but I couldn't figure it out and had to hard-code the suffix in the static IP settings.
- "The community" seems to provide an unnerving amount of support that I would rather see come from the company. Which leads to...

NevergirlsOFFICIAL posted:
> I was looking at ubiquiti but I'm really concerned about the apparent lack of support. I understand that they ~just work~ but if/when there's a problem it's basically email support only, or use their forums lol. I need to pick up a phone when wifi isn't working.

Kwyjibo fucked around with this message at 23:04 on Jul 18, 2015

The passive PoE is a hangover from when Ubiquiti only did WISP-type radios. Nothing in the point-to-point wireless space seems to use 802.3af/at. It's probably cheaper as well which helps when you are doing APs for $60. The zero-handoff thing basically sets all the APs to the same channel which makes it awful if you are in a built up environment with other businesses around you since you will definitely hit interference. I've had the most luck with roaming on Aerohive APs with 802.11r enabled - Wi-Fi VoIP handsets can be booted off one AP and associate to another one quick enough for no drop in the audio stream at all.

I guess the passive PoE thing makes sense that way then. My understanding of zero-handoff is that it sets APs to the same channel and sets the broadcast MAC address to be the same for all APs, so that they effectively look the same to client devices. In our case we don't have to worry about interference since it's a warehouse and we don't have office neighbors. I can see why having many devices on the same channel would be a problem for a place with a lot of other businesses nearby though. Anyway, we didn't have a business requirement for seamless roaming, but figured if we can turn it on, then why not do so and save the time it takes to reassociate?

Guy Axlerod posted:
> I'm looking for a new Security Gateway that will handle Site-to-Site and Client VPN. I'm no expert in this area, and neither is my coworker.

SonicWall + NetExtender is honestly fine. For that number of people you could run it on a SonicWall firewall itself or do it off a VM.

Thanks for the advice all. Last time I looked at the Meraki MX, it sounded like they wouldn't handle the AWS VPN which was a dealbreaker for us. I'll have to look at them again, maybe ask for a trial. Also, we're 90% OSX, am I wrong in thinking that AD doesn't make sense for us?

Guy Axlerod posted:
> Thanks for the advice all.

Ah in that case... yeah no to AD

Active Directory makes more sense than Open Directory since more stuff integrates with it, though I appreciate the cost to get going is quite steep once you buy CALs etc. How do you currently authenticate to file shares etc? Meraki MX does work fine with Azure, it just isn't on Microsoft's list. It's just an IPSec VPN tunnel so you really shouldn't have issues with getting anything connected to it, at least nothing that reading the logs from your UTM appliance and Googling around won't be able to fix.

Kwyjibo posted:
> One thing we learned through their support is that their zero-handoff feature is caveat emptor -- our old MC9090Gs don't play nice with ZH with WPA for whatever reason and so we had to turn it off. Which is too bad, it's a neat idea.

Thanks Ants posted:
> Active Directory makes more sense than Open Directory since more stuff integrates with it, though I appreciate the cost to get going is quite steep once you buy CALs etc. How do you currently authenticate to file shares etc?

Don't forget that pretty much everyone runs AD. This means any goofy hosed up AD error you are getting has already been fixed a million times. I love oddball solutions as much as the next guy until I'm trying to find an answer to an error message w/o shelling out $1000 of support phone calls.

Kwyjibo posted:
> I guess the passive PoE thing makes sense that way then.

We ran into problems when we got above 20-30 clients with ZH enabled. Clients would drop connections, internet was slow as poo poo. Turned off ZH and haven't heard a complaint since. Granted, we are located in the middle of a major metropolitan area, so YMMV.

I messed around with it, and had better luck with minimum RSSI. We aren't doing VoIP over wifi, so a few ms of drop time was not a dealbreaker.

Guy Axlerod posted:
> Also, we're 90% OSX, am I wrong in thinking that AD doesn't make sense for us?

We're 100% Mac OS X desktops and an entire Windows backend with Active Directory. In my opinion, Mac OS X Server stopped being viable the day that Apple decided to drop an honest to god server to host it on. That, coupled with their joke of a support infrastructure for businesses, means that any day of the week I'd much rather rely on Dells running Windows Server than even go near a Mac running OS X Server if I can help it. The latest Macs play perfectly well with Active Directory and there are 3rd party apps out there that unlock a lot of the extended functionality of managed OS X computers hosted on OD.

^^^ any specific products to bridge the gap? We've tried a few things and nothing has quite got the job done. While I'm at it, does anyone have a preferred method of making sure macs get patches -- ours are still on the honor system.

Just got done upgrading our HQ network to an all-Meraki setup. I don't even care that it's midnight and I just got home. It feels so good to finally have some control over the madness that doesn't require some poo poo Java application or screwing with an ASA via the command line, and it's so nice having VLAN tagging and switchport security properly setup. And a separate VLAN for voice. And subnets that make sense. And guest traffic properly isolated. And a wireless setup that doesn't involve BestBuy-bought "network extenders". And and and... Can't wait to roll this stuff out to all our branch offices and get all of our networks running on the butt.

wwb posted:
> ^^^ any specific products to bridge the gap? We've tried a few things and nothing has quite got the job done.

Currently using Centrify to allow Macs to bind to AD and then use GPs to manage computer and user-specific settings. Other than pretty cryptic product descriptions, it works pretty well. Since it requires AD to function correctly you might want to invest in correctly configuring an AD forest first though. If you have all the time in the world, you could try Puppet

Sheep posted:
> Just got done upgrading our HQ network to an all-Meraki setup.

A word of warning about Meraki. I was testing a couple of their APs and had everything set up all hunky dory. One day I wander into a satellite office with my laptop to take some notes using Asana and noticed an unsecured, open wi-fi network with our SSID. Turns out that Merakis will occasionally reset themselves to factory default but not retain any of the security settings that you set up, therefore turning themselves into unsecured wireless APs plugged directly into your LAN. Fun times. This was a couple of months ago so not sure if that's been fixed yet...

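The failure McDeth describes above, a managed AP that comes back up advertising the corporate SSID with no security, is something a periodic scan from any client in range can catch, along with the related case of a BSSID nobody manages broadcasting that SSID. The check below is an added example and not code from the thread or from Meraki: the AP inventory, the SSID, the security policy and the scan results are all constructed, and in a real run the inventory would come from the controller and the scan from a nearby machine (for instance `airport -s` on a Mac or `iw dev wlan0 scan` on Linux) parsed into the same records.

```python
"""Added example, not from the thread: flag APs advertising the corporate
SSID that are either unmanaged, open, or weaker than policy. Inventory,
SSID, policy and scan results are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bss:
    ssid: str
    bssid: str
    channel: int
    security: str  # e.g. "WPA2-EAP", "WPA2-PSK", "NONE"


CORP_SSID = "CorpWiFi"             # constructed
POLICY_SECURITY = {"WPA2-EAP"}     # what the corporate SSID must advertise

# Constructed inventory: BSSIDs of the APs the controller knows about.
INVENTORY = {
    "00:18:0a:11:11:11": "ap-warehouse-1",
    "00:18:0a:22:22:22": "ap-office-2",
    "00:18:0a:33:33:33": "ap-office-3",
}

# Constructed scan results, as a client in range would see them.
SAMPLE_SCAN = [
    Bss("CorpWiFi", "00:18:0A:11:11:11", 6, "WPA2-EAP"),   # healthy
    Bss("CorpWiFi", "00:18:0a:22:22:22", 11, "NONE"),      # back at factory defaults
    Bss("CorpWiFi", "de:ad:be:ef:00:01", 1, "WPA2-PSK"),   # nobody manages this one
    Bss("CorpWiFi", "00:18:0a:33:33:33", 36, "WPA2-PSK"),  # managed but off-policy
    Bss("Guest", "00:18:0a:11:11:12", 6, "NONE"),          # not our SSID, ignored
]


def normalise(bssid: str) -> str:
    """Scan tools and controllers disagree on case and separators."""
    return bssid.strip().lower().replace("-", ":")


def audit_scan(scan, inventory=INVENTORY, ssid=CORP_SSID, policy=POLICY_SECURITY):
    """Return findings as (severity, bssid, message) for three cases:
    an unmanaged BSSID advertising our SSID, a managed AP that is open
    (the factory-reset case), and a managed AP advertising security
    weaker than policy."""
    known = {normalise(k): v for k, v in inventory.items()}
    findings = []
    for bss in scan:
        if bss.ssid != ssid:
            continue
        bssid = normalise(bss.bssid)
        name = known.get(bssid)
        if name is None:
            findings.append(("high", bssid,
                             f"unmanaged AP on ch {bss.channel} advertising {ssid} ({bss.security})"))
        elif bss.security.upper() == "NONE":
            findings.append(("critical", bssid,
                             f"{name} is OPEN on {ssid}: likely reset to factory defaults"))
        elif bss.security not in policy:
            findings.append(("medium", bssid,
                             f"{name} advertises {bss.security}, policy is {sorted(policy)}"))
    return findings


if __name__ == "__main__":
    for severity, bssid, message in audit_scan(SAMPLE_SCAN):
        print(f"[{severity}] {bssid}: {message}")
```

The managed-but-open case is the one from the post: the BSSID is in the inventory, so an "is this one of ours" check alone passes, and only the advertised security gives it away. Running the same check from a couple of fixed points (a spare laptop or a Pi near each office) turns a lucky walk-by into a scheduled control.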
McDeth posted:
> If you have all the time in the world, you could try Puppet

Puppet doesn't solve this unless you want Puppet to configure Centrify or to configure ldap.conf and krb5.conf, but then you already need to know how to do it without Puppet in order to make a manifest.

McDeth posted:
> A word of warning about Meraki. I was testing a couple of their APs and had everything set up all hunky dory. One day I wander into a satellite office with my laptop to take some notes using Asana and noticed an unsecured, open wi-fi network with our SSID. Turns out that Merakis will occasionally reset themselves to factory default but not retain any of the security settings that you set up, therefore turning themselves into unsecured wireless APs plugged directly into your LAN.

We already started deploying Meraki APs last year in some of our other locations and haven't had any issues whatsoever with them yet. Dunno what happened in your case - did you contact support about that?

Sheep posted:
> We already started deploying Meraki APs last year in some of our other locations and haven't had any issues whatsoever with them yet. Dunno what happened in your case - did you contact support about that?

Yup, to be fair it was a defective unit that was for whatever reason unable to pull the proper config without rebooting, but it still was a pretty big wtf moment to somebody in charge of securing a network with sensitive medical data on it.

wwb posted:
> While I'm at it, does anyone have a preferred method of making sure macs get patches -- ours are still on the honor system.

AFAIK you're pretty much limited to using OS X Server in some capacity to manage patches/releases for Mac OS X.

McDeth posted:
> Yup, to be fair it was a defective unit that was for whatever reason unable to pull the proper config without rebooting, but it still was a pretty big wtf moment to somebody in charge of securing a network with sensitive medical data on it.

Someone else posted at some point about a semi-acknowledged issue with some model (I want to say MR26?) of AP that had a run of faulty wireless chipsets. I'm sure I bookmarked the post somewhere but the Meraki hardware guys were basically like "yup it's just jacked, nothing we can do". No idea if they ever got around to fixing it in future production runs or whatever. Meraki stuff is great when it works but there are occasionally really weird issues with it, it seems. The ease of management and configuration is totally worth dealing with it for us assuming large swathes of our equipment doesn't just up and die one day.

McDeth posted:
> AFAIK you're pretty much limited to using OS X Server in some capacity to manage patches/releases for Mac OS X.

http://www.jamfsoftware.com/products/integrations/netboot-sus-server/

Yes, unfortunately JAMF's pricing puts it way out of range for a lot of SMBs. For a 50 machine deployment they wanted something like 15k for the license and configuration. OS X Server is what, 100 bucks?

McDeth posted:
> Yes, unfortunately JAMF's pricing puts it way out of range for a lot of SMBs.

That's a free virtual appliance.

Speaking of Macs, when I join Macs to the domain (just vanilla, no Centrify or ADmitMac) boots go heeeeellllla slow. When I was troubleshooting this it was talking about the workstations looking for domain controllers that no longer exist, but even when I tried to specify one specific very-physically-close domain controller, no help. I ended up having the Macs not on the domain and making the users authenticate when they want to connect to a network share. This is obviously the wrong way to do this so what do I do to fix? Will Centrify solve my problem? Is my problem totally weird?

Second question, "we" now want to back up all the workstations in addition to the servers. For Windows we do folder redirs so that takes care of that, but I know Mac home folders are just trash when it comes to Windows. I don't want to get into using something like Mozy/CrashPlan/Carbonite but maybe that's the best for desktop...

Thanks Ants posted:
> That's a free virtual appliance.

Intteerrrrrrresting

NevergirlsOFFICIAL posted:
> Speaking of Macs when I join macs to the domain (just vanilla no centrify or admitmac) boots go heeeeellllla slow. When I was troubleshooting this it was talking about the workstations looking for domain controllers that no longer exist but even when I tried to specify one specific very-physically-close domain controller, no help. I ended up having the Macs not on domain and making the users authenticate when they want to connect to network share.

What version of Mac OS? We've run into a ton of problems with the loading bar taking forreeeevvveerrrrr (if at all, most of the time the computer freezes) to get to the password screen. Apparently that was a known bug in 10.10.1-3 that's since been fixed. Although it wasn't a bug that reared its head a ton, the only solution was to reboot the machine and reset PRAM until it decided to get to the loading screen. Although to be honest a problem with slow loading only when bound to AD is likely a DNS issue...

NevergirlsOFFICIAL posted:
> Second question, "we" now want to back up all the workstations in addition to the servers. For Windows we do folder redirs so that takes care of that, but I know Mac home folders are just trash when it comes to Windows. I don't want to get into using something like mozy/crashplan/carbonite but maybe that's the best for desktop...

We use CrashPlan ProE for all of our servers & desktops. It's honestly probably not the best solution for servers because of the lack of bare metal recovery, but for desktops it is bad rear end.

Thanks for the hints, I'll check those out. For Macs (and iOS) the DNS issue was because they replaced the open source DNS responder with their own homebrewed version, which had a bunch of problems. This change was rolled back in 10.4, which fixed a lot of DNS related headaches.

McDeth posted:
> What version of Mac OS? We've run into a ton of problems with the loading bar taking forreeeevvveerrrrr (if at all, most of the time the computer freezes) to get to the password screen. Apparently that was a known bug in 10.10.1-3 that's since been fixed. Although it wasn't a bug that reared its head a ton, the only solution was to reboot the machine and reset PRAM until it decided to get to the loading screen.

quote:
> We use CrashPlan ProE for all of our servers & desktops. It's honestly probably not the best solution for servers because of the lack of bare metal recovery, but for desktops it is bad rear end.

Do you find CrashPlan causes some undesired behavior with users (as in they just save everything on the desktop because "it's backed up")?

What happens if you nslookup / dig your AD domain? E.g. nslookup corporation.local ? Are all the addresses returned valid?

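The check suggested above can be taken one step further. A Mac bound to AD does not just resolve the domain name; it locates domain controllers through the SRV records AD publishes (`_ldap._tcp.dc._msdcs.<domain>`, `_kerberos._tcp.<domain>` and so on), so a leftover SRV record for a DC that no longer exists, the symptom NevergirlsOFFICIAL describes a few posts up, is exactly what leaves a client waiting at boot. The script below is an added example, not code from the thread: the domain, host names and answers are constructed in the shape of `dig +short` output, and the list of live DCs would in practice come from the domain admins (on Windows, `Get-ADDomainController -Filter *`).

```python
"""Added example, not part of the thread: cross-check the SRV records an AD
domain publishes against the DCs that really exist and against what each
target resolves to. Domain, host names and DNS answers are constructed."""
import re

DOMAIN = "corporation.local"  # constructed, same placeholder as the thread

# SRV names every AD domain publishes (site-specific ones follow the same pattern).
SRV_NAMES = [
    f"_ldap._tcp.dc._msdcs.{DOMAIN}",
    f"_kerberos._tcp.{DOMAIN}",
]

# Constructed `dig +short SRV <name>` answers: "priority weight port target."
SRV_ANSWERS = {
    SRV_NAMES[0]: [
        "0 100 389 dc1.corporation.local.",
        "0 100 389 dc2.corporation.local.",
        "0 100 389 dc-old.corporation.local.",   # decommissioned, never cleaned up
    ],
    SRV_NAMES[1]: [
        "0 100 88 dc1.corporation.local.",
        "0 100 88 dc2.corporation.local.",
        "0 100 88 dc3.corporation.local.",       # demoted but still has an A record
    ],
}

# Constructed `dig +short A <target>` answers; dc-old no longer resolves at all.
A_ANSWERS = {
    "dc1.corporation.local": ["10.0.0.10"],
    "dc2.corporation.local": ["10.0.0.11"],
    "dc3.corporation.local": ["10.0.0.12"],
    "dc-old.corporation.local": [],
}

# Constructed: the DCs that actually exist right now.
LIVE_DCS = ["dc1.corporation.local", "dc2.corporation.local"]

SRV_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv(lines):
    """Parse `dig +short SRV` lines into (priority, weight, port, target)."""
    out = []
    for line in lines:
        m = SRV_RE.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), int(m[3]), m[4].lower()))
    return out


def audit_dc_records(srv_answers, a_answers, live_dcs):
    """Return (stale, unresolvable): SRV targets that are not current DCs,
    and SRV targets with no A record. Either one makes clients try a DC
    that will never answer, which is what shows up as a slow boot."""
    live = {h.lower().rstrip(".") for h in live_dcs}
    stale, unresolvable = set(), set()
    for lines in srv_answers.values():
        for _, _, _, target in parse_srv(lines):
            if target not in live:
                stale.add(target)
            if not a_answers.get(target):
                unresolvable.add(target)
    return sorted(stale), sorted(unresolvable)


if __name__ == "__main__":
    stale, unresolvable = audit_dc_records(SRV_ANSWERS, A_ANSWERS, LIVE_DCS)
    print("SRV targets that are not live DCs:", stale)
    print("SRV targets with no A record:", unresolvable)
```

On a live network the inputs are `dig +short SRV _ldap._tcp.dc._msdcs.corporation.local` (and the other SRV names) plus `dig +short A <target>` for each target; `nslookup -type=SRV` gives the same answers on a box without dig. A target that is stale but still resolves (dc3 above) is the nastier case, since plain name resolution looks fine and only the SRV cross-check catches it.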
NevergirlsOFFICIAL posted:
> Do you find crashplan causes some undesired behavior with users (as in they just save everything on the desktop because "it's backed up")?

I'm not sure why that would be considered undesired behavior, what the hell do I care where people store files on their personal computer? My users barely even know what the internet is, let alone what CrashPlan ProE is. CrashPlan is HIGHLY customizable in what kind of files you can tell it to back up, avoid backing up, file paths to back up, file paths to omit, backup frequency, regex patterns, etc. It doesn't matter where the users store their files, I can back it up if I want to or I can omit it backing up. The only thing that I avoid is the Microsoft User Data folder since all of our emails are stored on a central server anyway.

NevergirlsOFFICIAL posted:
> This is exactly what we were seeing... but again only on domain.

Why is OSX looking for DNS before even getting to the login screen though?

Thanks Ants posted:
> What happens if you nslookup / dig your AD domain? E.g. nslookup corporation.local ?

Will check tomorrow

evol262 posted:
> You can root through the plists to find this out. Hostname resolution early is common, but discoveryd sucks, which is probably the issue

FYI upgrading to 10.10.4 removes discoveryd entirely.

Cross posting from the poo poo thread - is dirsync still the in-thing for O365? What don't I get that I would get if I rolled out ADFS? Also could someone describe when a user would need to talk to the O365 server? Is it every time they launch Word or is it a once a month licence check like Adobe? I really need a good primer on this whole 365 business.

It changed again - https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect/

Swink posted:
> Cross posting from the poo poo thread - is dirsync still the in-thing for O365? What don't I get that I would get if I rolled out ADFS?

I'm using AD Connect, it's fine. The desktop apps will phone home to O365 constantly and I don't know how many days it can go without throwing a warning. If you're posting in this thread I'm going to go out on a limb and say you absolutely do not need ADFS.

Thanks Ants posted:
> What happens if you nslookup / dig your AD domain? E.g. nslookup corporation.local ?

Yes, it returns 3 domain controller IP addresses that all exist IRL.