• Multiple Tombstoned DC's

    28
    0 Votes
    28 Posts
    3k Views
    scottalanmiller

    @Fredtx said in Multiple Tombstoned DC's:

    @JaredBusch said in Multiple Tombstoned DC's:

    Mesh of multiple locations like you have is simply asking for crypto to hit all the things.

    Exactly what I've been telling them.

    VPNs and AD the same. The mesh "should" not pose any threat because there should be nothing exposed over the mesh. But given the rest of the design, we can safely assume there are security holes everywhere and they are just trying to open more.

    These are the flags that hackers look for to find easy targets.

  • Database Decision Chart

    1
    3 Votes
    1 Posts
    446 Views
    No one has replied
  • Wix Form "Harry Potter" Issue

    11
    0 Votes
    11 Posts
    880 Views
    scottalanmiller

    @Dashrender said in Wix Form "Harry Potter" Issue:

    @scottalanmiller said in Wix Form "Harry Potter" Issue:

    @garak0410 said in Wix Form "Harry Potter" Issue:

    @scottalanmiller said in Wix Form "Harry Potter" Issue:

    @garak0410 said in Wix Form "Harry Potter" Issue:

    @scottalanmiller said in Wix Form "Harry Potter" Issue:

    Not familiar with Wix at all, I'm afraid. They don't have a good reputation. The new GeoCities.

    Well it does help me as I am still in a SOLO IT shop after 11 years...don't have time to code a website...

    Is Wix saving you time? LOL

    You don't code websites, you use tools like Hugo or Gatsby if you need something simple, or WordPress if you need a CMS.

    One of the reasons those tools are recommended for businesses is the time savings.

    It might actually help now, there's every possibility that it might actually be faster to move to something else than to troubleshoot Wix where you are dependent on their support.

    Well, it also helps that the owner's daughter wants control of the website too, so this is another reason I did Wix about 5-6 years ago.

    That makes sense. WordPress is typically used specifically for that too, but doesn't tie you in to a vendor-only supported product where the host owns the site that you make. WP keeps you from being able to be extorted for support or whatever. That's its purpose (to allow easy editing by a staff of people.) Since WP is the best known tool, it's the one that best allows random third party people to be involved.

    Definitely seems odd to pick Wix over WP.

    Maybe they already knew it (the daughter). Wix is definitely my #1 platform to avoid. It's been the bane of the web since its inception. Just a totally shit product and lots of people avoid companies that host with it as being similar to using hotmail email instead of your domain.

  • Task Schedule Failed

    17
    0 Votes
    17 Posts
    1k Views
    siringo

    Try putting the switches in the 'arguments' field of the Action tab.


  • Migrating to xxxxx

    21
    1 Votes
    21 Posts
    2k Views
    Dashrender

    @scottalanmiller said in Migrating to xxxxx:

    I have a similar situation. There's no more panic. Just "let me do my job and get on with it." People sometimes see that as not taking it seriously when really, I'm just that much more on top of things.

    I've definitely walked into a few crises that way with my old boss. Actually those were the best work conditions - the confidence to just roll up the sleeves and get shit done. If only more of my life was like that.

  • rclone??

    5
    0 Votes
    5 Posts
    526 Views
    siringo

    Thanks everyone for the input.

    I had another play with rclone and got it to work; it looks quite useful.

  • Migrating to Sharepoint

    13
    1 Votes
    13 Posts
    881 Views
    jt1001001

    @Dashrender That's what I have to play with, as I'm not sure how permission inheritance works at the channel level.

  • ZeroTier Flow Rules

    Solved
    15
    0 Votes
    15 Posts
    5k Views
    I

    Sorry about dragging this old topic back, but it is probably the most relevant to what I'm looking for.

    I have been trying to get the ZeroTier Flow Rules to work but must be doing something wrong. My ruleset is very close to what @JaredBusch has, but the ZeroTier nodes don't work as expected.

    When I leave the final accept statement in, ZeroTier passes all traffic. When I comment out that last accept, all traffic stops.

    # Allow only IPv4, IPv4 ARP
    #
    drop
        not ethertype ipv4
        and not ethertype arp
    # Drop IPv6 Ethernet frames.
    #   and not ethertype ipv6
    ;
    #
    #
    # Uncomment to drop non-ZeroTier issued and managed IP addresses.
    #
    # This prevents IP spoofing but also blocks manual IP management at the OS level and
    # bridging unless special rules to exempt certain hosts or traffic are added before
    # this rule.
    #
    #drop
    #   not chr ipauth
    #;
    accept
        ipprotocol tcp
        and dport 80
    ;
    # Accept anything else. This is required since default is 'drop'.
    accept;

    Any help on what I'm doing wrong will be greatly appreciated.

  • vLANs random question.

    19
    0 Votes
    19 Posts
    2k Views
    scottalanmiller

    @WrCombs said in vLANs random question.:

    @dashrender said in vLANs random question.:

    @scottalanmiller said in vLANs random question.:

    @WrCombs said in vLANs random question.:

    @scottalanmiller said in vLANs random question.:

    @WrCombs said in vLANs random question.:

    @scottalanmiller said in vLANs random question.:

    @WrCombs said in vLANs random question.:

    @dafyre said in vLANs random question.:

    The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

    If this was an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

    Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

    So how would you make that work? Just using firewall rules, to let the 2 talk to pull transaction information?

    If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

    If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

    In a "normal" IT system, that would be the case, as I'm sure you know.
    POS however, the pin pads talk directly to the register to pull that transaction data to the pin pad - otherwise the pin pad won't know how much to charge the credit card -

    Then you need to connect the two VLANs, effectively defeating the purpose. It's not entirely defeated, it is still a secondary firewall but only replicating the vastly more important local firewall.

    ROFMAO - like the terminals have firewalls - HAHAHAHAHAHA

    On this particular system (which I am the admin for) Windows firewalls are required to stay on - for all 3 options, no matter what.

    See!! Firewalls!

  • What do you use as an identity provider?

    26
    1 Votes
    26 Posts
    2k Views
    scottalanmiller

    @Pete-S said in What do you use as an identity provider?:

    @scottalanmiller said in What do you use as an identity provider?:

    @Pete-S said in What do you use as an identity provider?:

    You mean if you paid for M365 then you're already using Azure AD as your identity provider in which case JumpCloud serves no purpose?

    For one thing, Azure AD is lacking connectors for normal things like Linux desktops. It doesn't even WORK in our environment or for most of our customers, almost none. At most it works for SOME workloads.

    There is another factor as well, which favors an independent identity provider and authentication. When you have everything in one place, you give too much power over your business to a single company. If you have a problem with Microsoft (or Google) all other services will be useless if you tied everything to Azure AD (or Google Identity Services).

    Also changing "Office" apps from Microsoft to Google or to Zoho or whatever you might fancy will have far reaching implications. So less freedom to pick whatever is best for your company.

    Excellent points.

  • Ubiquiti Edge Router stock

    4
    0 Votes
    4 Posts
    484 Views
    AdamF

    @WrCombs Thanks!

  • InfoPath Support

    6
    0 Votes
    6 Posts
    443 Views
    Dashrender

    @gjacobse said in InfoPath Support:

    I don't know all of what is needed - as I'm not included in that circle. But I have been told that one of the littlest things needed is changing an email address. That simple. Change from this person to another person (should be a distro / security group to ....never mind).

    We need -the quick fix- so that we can address the point that it's EOL and only going to worsen with support falling off.

    Make a rule in the email system that checks for something from that machine and forwards it to the desired location... might be a doable workaround for now.

  • 0 Votes
    1 Posts
    401 Views
    No one has replied
  • Cordless VoIP phone preference?

    7
    0 Votes
    7 Posts
    301 Views
    Dashrender

    I've been using the Grandstream WiFi phones
    http://www.grandstream.com/products/ip-voice-telephony/wifi-cordless

    for a year and a half - they have been working well for us. No roaming issues have been reported either.

  • Question about Headers IIS reverse proxy with NGINX

    1
    0 Votes
    1 Posts
    281 Views
    No one has replied
  • Wsus for remote vpn and on-premise users

    42
    0 Votes
    42 Posts
    3k Views
    scottalanmiller

    @obsolesce said in Wsus for remote vpn and on-premise users:

    @scottalanmiller said in Wsus for remote vpn and on-premise users:

    There is little difference between an MSP and internal IT.

    They are basically the same thing. In many cases the internal IT is a separate entity that basically bills the company and/or child companies, but is on the payroll of the company.

    Yup, the key difference isn't their relationship to the rest of the org; effectively MSP, ITSP, internal IT, etc. are all external in how they are approached. Only how they are paid really differs, and the staff don't always see that.

    What makes the two different is that an Internal IT department (even one treated as a consulting group) has only a single top level customer and MSPs have multiple. That's really it.

    And that doesn't always make a real difference. If the top level internal IT customer doesn't force all underlying groups to unify under a single IT strategy you get an effective situation of multiple customers, sometimes as you said, even with separate billing.

  • jira + nginx - can't login via https

    5
    0 Votes
    5 Posts
    223 Views
    1

    @jaredbusch said in jira + nginx - can't login via https:

    @pete-s said in jira + nginx - can't login via https:

    You're using https but you don't have any information for proxying tcp 443 assigned in the nginx config.

    It is, you even quoted it

    My bad. I thought his internal server running Jira was set up to use https (self-signed certificate) on port 8443 (with redirect on 8080).

  • Dymo vs. other print servers

    41
    0 Votes
    41 Posts
    3k Views
    Dashrender

    @jasgot said in Dymo vs. other print servers:

    @ccwtech said in Dymo vs. other print servers:

    Is there any particular advantage or reason to use their print server over just another vendor's print server?

    What did you end up doing? I need to make a Dymo a networked printer and I have learned the Dymo print server does not handle multiple subnets. I don't know why, it's just a common complaint.

    I would like to toss any old usb printer server at it and have it work.

    I've been using Dymo print servers across subnets for 3+ years, no issues that I'm aware of.

  • This topic is deleted!

    1
    0 Votes
    1 Posts
    3 Views
    No one has replied
  • Locking down vendors

    22
    0 Votes
    22 Posts
    2k Views
    Dashrender

    @jaredbusch said in Locking down vendors:

    @scottalanmiller said in Locking down vendors:

    @dashrender said in Locking down vendors:

    They MIGHT have an internal team for this, but since we have our own IT department, my management has decided to take the costs internal versus paying the new vendor to set up remote access for themselves.

    That doesn't really make sense as this is all questions about THEIR IT. All your team can do is get in the way 😉

    Right, I have no idea WTF you think you are doing here @Dashrender.

    The most you should do is set up a VLAN or actual separate LAN with no access to your network. The other company can deal with putting something on this shit old device that reaches to their support infrastructure.

    No one on their side has even breathed a word about something like that.

    As I previously mentioned - the old HVAC vendor did all of their own management - I only provided them an internet connection, they managed everything else.
    I can see the advantages of that - time to toss this at the new vendor similarly.