    MPLS alternative

    IT Discussion
    Tags: mplsvpnmutli site
    172 Posts 13 Posters 30.8k Views
      Dashrender @JaredBusch

      @JaredBusch said in MPLS alternative:

      @Dashrender said in MPLS alternative:

      you meant that they somehow exposed those AD servers directly to the Internet

      No, he clearly meant they used the existing local AD and made that the login for the Citrix farm.

      Thus exposing it to the internet via the Citrix logon process. No different than RDS.

      Of course the fucking DC was not directly on the internet.. WTF, this was clear as a bell when he stated it.

      My Fucking bad - the idea of standing up a completely separate AD just for Citrix completely escaped me until his more recent post. That just seems CRAZY complex... UNTIL you get rid of AD for users as well. Users already complain about having to log into 37 different things every day; splitting AD from local logon vs Citrix logon means just one more set of creds to remember. Users will definitely complain.

      yeah yeah - JB says F the user.

        scottalanmiller @Dashrender

        @Dashrender said in MPLS alternative:

        @scottalanmiller said in MPLS alternative:

        @Dashrender said in MPLS alternative:

        @scottalanmiller said in MPLS alternative:

        We use essentially no files any longer.

        I love this -

        So you have email
        and what Rocket Chat for texting....

        Maybe your company has zero need for an individual to make a personal spreadsheet, etc... but if they did, how would you handle that?

        So we have email and no one should be sending files on it internally. We have Cliq for internal chat. Again, no one should send files (not counting memes, of course, gotta send those.)

        We have spreadsheets, but we don't use legacy file based ones. Ours are all database managed with no files behind them as it should be. If we had to send a file to an outside entity, you for example, we would generate a file to send just for you. It's not a file we use internally, we don't have that file on our network. We generate it at the time that we are sending it to you.

        Nice - yeah, I'd love to get us there with several things we do here... we pull data out of our EHR and then use Excel to bend it to the reports we want (the EHR can't), I assume you're OK with that. The problem is - our users don't want to give up the Excel file they've created after they massaged the data.

        It's not that using files is "wrong", but it is a "thing" to be considered. Files like that are big attack vectors and make you have to worry about a lot of things that we don't have to worry about.

        For example, if Valentina does something and gets infected, at no time does a file transfer from her to someone else in the company. That doesn't mean that the malware couldn't leverage her email somehow, or her IM somehow or grab her keyboard or whatever. Malware can certainly do damage. But the fear of the "open window" infection where infected files just flow from her to someone else doesn't happen in our workflows and there is no mechanism connecting us together that we just are avoiding using. There's no file sharing system under normal circumstances.

          Dashrender @scottalanmiller

          @scottalanmiller said in MPLS alternative:

          @Dashrender said in MPLS alternative:

          you meant that they somehow exposed those AD servers directly to the Internet - which is just crazy. But leaving them in the background behind the RDS/ICA servers should be pretty secure?

          So sadly, no. That's the problem with RDS. It exposes AD directly! That's why it sucks so much. It requires AD and then exposes it! WTF MS?!?!?

          That's why we either have to isolate AD away from the LAN to being used only for RDS, or we need to replace AD, or we need to harden it significantly.

          In NTG's RDP farm case, we do it by running without AD. But everyone has different needs.

          Yeah, this points back to the multiple credentials needed I just pointed out, driving users crazy - and to the use of awful passwords. Of course we can mitigate the passwords to a point, but that leads to other issues.

          Basically if Hobbit is going to do this - he needs to get management to buy into a completely new paradigm of the design. Which would be great, but a hard sell.

            scottalanmiller @Dashrender

            @Dashrender said in MPLS alternative:

            @JaredBusch said in MPLS alternative:

            @Dashrender said in MPLS alternative:

            you meant that they somehow exposed those AD servers directly to the Internet

            No, he clearly meant they used the existing local AD and made that the login for the Citrix farm.

            Thus exposing it to the internet via the Citrix logon process. No different than RDS.

            Of course the fucking DC was not directly on the internet.. WTF, this was clear as a bell when he stated it.

            My Fucking bad - the idea of standing up a completely separate AD just for Citrix completely escaped me until his more recent post. That just seems CRAZY complex... UNTIL you get rid of AD for users as well. Users already complain about having to log into 37 different things every day; splitting AD from local logon vs Citrix logon means just one more set of creds to remember. Users will definitely complain.

            yeah yeah - JB says F the user.

            So that's the logic most companies use. They say...

            We have AD already. All users are in AD. RDS needs AD. Let's just use the AD that we already have.

            Makes sense, this isn't stupid or anything. It's so common and so obvious, this is why people assume RDS/XA have certain risks inherently when they actually don't.

            But often you either need lots of users on RDS and not on the LAN or vice versa, and separating the two can be done. Or in a lot of our cases, AD exists nowhere and we have to stand it up just for RDS. So it becomes just another form of "local" users for RDS. It's just that RDS requires you to store the local users that exist only for it in AD. And they recommend it be on a separate VM, which is dumb. But for a cluster / farm it makes sense. Local "to the farm".

              hobbit666

              So in a way thinking about just Citrix, we would drop AD and move the devices to local users.

              Then either create a "New Local AD" with the users credentials just for Citrix use?
              Or use one of those 3rd party VPN things (AppGate)
              We have 600+ devices out there, but only 300 odd need Citrix Access.

              This would make Citrix LANless/Zero Trust as the user will need to authorize themselves via the "Local AD" credentials or that AppGate thing?

                hobbit666

                Printing LANless / Zero Trust
                I'll tackle that another day 🙂

                  scottalanmiller @hobbit666

                  @hobbit666 said in MPLS alternative:

                  So in a way thinking about just Citrix, we would drop AD and move the devices to local users.

                  Then either create a "New Local AD" with the users credentials just for Citrix use?
                  Or use one of those 3rd party VPN things (AppGate)
                  We have 600+ devices out there, but only 300 odd need Citrix Access.

                  This would make Citrix LANless/Zero Trust as the user will need to authorize themselves via the "Local AD" credentials or that AppGate thing?

                  Exactly. And once LANless, there is no need for XenApp to sit on your LAN at all. You can move it to colo or cloud whenever you want. Ours is in colo and uses zero LAN resources.

                    hobbit666 @scottalanmiller

                    @scottalanmiller said in MPLS alternative:

                    Exactly. And once LANless, there is no need for XenApp to sit on your LAN at all. You can move it to colo or cloud whenever you want. Ours is in colo and uses zero LAN resources.

                    When you say move XenApp, is that our servers with the 15 VMs into Co-Lo hosts, or spin up 15 VMs in AWS/Azure etc?

                      scottalanmiller @hobbit666

                      @hobbit666 said in MPLS alternative:

                      @scottalanmiller said in MPLS alternative:

                      Exactly. And once LANless, there is no need for XenApp to sit on your LAN at all. You can move it to colo or cloud whenever you want. Ours is in colo and uses zero LAN resources.

                      When you say move XenApp, is that our servers with the 15 VMs into Co-Lo hosts, or spin up 15 VMs in AWS/Azure etc?

                      Right, those would be the options. Obviously the colo approach is cheap and easy and going to AWS/Azure would require the gift of a firstborn child, but technically both work.

                        hobbit666 @scottalanmiller

                        @scottalanmiller said in MPLS alternative:

                        going to AWS/Azure would require the gift of a firstborn child, but technically both work.

                        Yeah, whenever I've looked at "Cloud" for VMs we run, I've always just closed the browser tab.

                          scottalanmiller

                          But then this will beg the obvious question... what's the function of the XenApp farm? Most companies only do this to deal with LAN-based assets. So that becomes more of the onion - one LAN-based requirement on top of another.

                          We do it to provide a standard working environment with a standard IP address for all staff when needed, but it's a specialty thing, not where they work all the time. Ours remains LANless and there are good reasons to do that. But if you are LANless, you'd likely not want to use XenApp to do it.

                            scottalanmiller @hobbit666

                            @hobbit666 said in MPLS alternative:

                            @scottalanmiller said in MPLS alternative:

                            going to AWS/Azure would require the gift of a firstborn child, but technically both work.

                            Yeah, whenever I've looked at "Cloud" for VMs we run, I've always just closed the browser tab.

                            Well, I'd assume that that is for two reasons. One because you don't have elastic workloads, which is the sole intended purpose of cloud computing. And the second is because you seem to have a very legacy environment that would feel natural around 2001 (literally, all this stuff feels about twenty years old). Lift and shift to cloud is a really bad idea; cloud isn't meant for that and those workloads aren't meant for cloud.

                            Going to cloud in any sensible way requires "starting over" and rethinking your infrastructure from the ground up. Every decision. Every app.

                            And even then, most smaller companies have no reason to be looking at cloud because even if they design absolutely everything around it, it still doesn't make sense for their workload patterns.

                              Dashrender @scottalanmiller

                              @scottalanmiller said in MPLS alternative:

                              But then this will beg the obvious question... what's the function of the XenApp farm? Most companies only do this to deal with LAN-based assets. So that becomes more of the onion - one LAN-based requirement on top of another.

                              @hobbit666 said in MPLS alternative:

                              We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix Xen Desktop servers that these computers access to get onto the GP stuff.

                                Dashrender @scottalanmiller

                                @scottalanmiller said in MPLS alternative:

                                @hobbit666 said in MPLS alternative:

                                @scottalanmiller said in MPLS alternative:

                                going to AWS/Azure would require the gift of a firstborn child, but technically both work.

                                Yeah, whenever I've looked at "Cloud" for VMs we run, I've always just closed the browser tab.

                                Well, I'd assume that that is for two reasons. One because you don't have elastic workloads, which is the sole intended purpose of cloud computing. And the second is because you seem to have a very legacy environment that would feel natural around 2001 (literally, all this stuff feels about twenty years old). Lift and shift to cloud is a really bad idea; cloud isn't meant for that and those workloads aren't meant for cloud.

                                Going to cloud in any sensible way requires "starting over" and rethinking your infrastructure from the ground up. Every decision. Every app.

                                And even then, most smaller companies have no reason to be looking at cloud because even if they design absolutely everything around it, it still doesn't make sense for their workload patterns.

                                I.e. this isn't for Azure or AWS, but more for something like Vultr, or, as already mentioned, colo.

                                  hobbit666 @scottalanmiller

                                  @scottalanmiller said in MPLS alternative:

                                  ... what's the function of the XenApp farm? Most companies only do this to deal with LAN-based assets. So that becomes more of the onion - one LAN-based requirement on top of another.

                                  It hosts Dynamics GP.
                                  We run it over Citrix rather than installing the "Fat" client on all the machines and then updating them when module updates/license updates come in. It's simpler to do this on 15 servers, not 300 devices. It also means only 15 machines are accessing SQL.

                                    travisdh1 @Dashrender

                                    @Dashrender said in MPLS alternative:

                                    @scottalanmiller said in MPLS alternative:

                                    But then this will beg the obvious question... what's the function of the XenApp farm? Most companies only do this to deal with LAN-based assets. So that becomes more of the onion - one LAN-based requirement on top of another.

                                    @hobbit666 said in MPLS alternative:

                                    We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix Xen Desktop servers that these computers access to get onto the GP stuff.

                                    MS Dynamics GP is such utter garbage. I'd rather support Quickbooks, and you all know how much I love Quickbooks.

                                      Dashrender @travisdh1

                                      @travisdh1 said in MPLS alternative:

                                      @Dashrender said in MPLS alternative:

                                      @scottalanmiller said in MPLS alternative:

                                      But then this will beg the obvious question... what's the function of the XenApp farm? Most companies only do this to deal with LAN-based assets. So that becomes more of the onion - one LAN-based requirement on top of another.

                                      @hobbit666 said in MPLS alternative:

                                      We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix Xen Desktop servers that these computers access to get onto the GP stuff.

                                      MS Dynamics GP is such utter garbage. I'd rather support Quickbooks, and you all know how much I love Quickbooks.

                                      wow

                                        scottalanmiller @Dashrender

                                        @Dashrender said in MPLS alternative:

                                        @scottalanmiller said in MPLS alternative:

                                        But then this will beg the obvious question... what's the function of the XenApp farm? Most companies only do this to deal with LAN-based assets. So that becomes more of the onion - one LAN-based requirement on top of another.

                                        @hobbit666 said in MPLS alternative:

                                        We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix Xen Desktop servers that these computers access to get onto the GP stuff.

                                        Ah, legacy client/server crap.

                                          scottalanmiller @Dashrender

                                          @Dashrender said in MPLS alternative:

                                          @scottalanmiller said in MPLS alternative:

                                          @hobbit666 said in MPLS alternative:

                                          @scottalanmiller said in MPLS alternative:

                                          going to AWS/Azure would require the gift of a firstborn child, but technically both work.

                                          Yeah, whenever I've looked at "Cloud" for VMs we run, I've always just closed the browser tab.

                                          Well, I'd assume that that is for two reasons. One because you don't have elastic workloads, which is the sole intended purpose of cloud computing. And the second is because you seem to have a very legacy environment that would feel natural around 2001 (literally, all this stuff feels about twenty years old). Lift and shift to cloud is a really bad idea; cloud isn't meant for that and those workloads aren't meant for cloud.

                                          Going to cloud in any sensible way requires "starting over" and rethinking your infrastructure from the ground up. Every decision. Every app.

                                          And even then, most smaller companies have no reason to be looking at cloud because even if they design absolutely everything around it, it still doesn't make sense for their workload patterns.

                                          I.e. this isn't for Azure or AWS, but more for something like Vultr, or, as already mentioned, colo.

                                          I like Vultr a lot, but it does nothing to improve the situation in this kind of case. It's still cloud.

                                            scottalanmiller @hobbit666

                                            @hobbit666 said in MPLS alternative:

                                            @scottalanmiller said in MPLS alternative:

                                            ... what's the function of the XenApp farm? Most companies only do this to deal with LAN-based assets. So that becomes more of the onion - one LAN-based requirement on top of another.

                                            It hosts Dynamics GP.
                                            We run it over Citrix rather than installing the "Fat" client on all the machines and then updating them when module updates/license updates come in. It's simpler to do this on 15 servers, not 300 devices. It also means only 15 machines are accessing SQL.

                                            Yeah, that's the standard use case. To work around a non-business class legacy application that's not being maintained.

                                            There is a Dynamics 365 current product that is cloud based, though. Should not need any of this if the app was updated. So this should be a temporary situation till it gets updated.
