MPLS alternative
-
@hobbit666 said in MPLS alternative:
@Dashrender said in MPLS alternative:
You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.
This is one thing management have never liked. Opening the server to the outside world .
But times are changing so going a mix of VPN for some serves and direct serve (i.e. on the internet) might be an option.Another fundamental flaw of the business in general: "management have never liked." Management's job here is to make sure that "what is good for the business" is what is chosen, not what someone "likes" emotionally. An emotional manager is a saboteur. They have no place in IT or business. Their job is to protect against this, not do it themselves. This is like the security card stealing from the till. It's doing exactly the thing that they are paid to protect against. In one case it is stealing, in the other it is illogical and reckless decision making.
It's nothing to do with the times changing. It's about common myths being finally exposed often enough. ICA has always, or at least for a really long time been secure. But people constantly misconfiguring it is the issue, not the protocol. You know what else is a huge risk from misconfiguration? VPNs and MPLS!!
-
@dafyre said in MPLS alternative:
@hobbit666 said in MPLS alternative:
How would multiple vpns be handled. Would it be a case each sites router would have multiple vpns to each site? Or a single VPN to a singe "master" site/device.
To make it simple, I'd do Each site's router would have a single VPN to HQ (the master site).
AKA hub and spoke.
-
@Pete-S said in MPLS alternative:
I don't know much about MPLS except that even with redundant links the entire connection goes down if the company that runs it has a problem. So it's some kind of half-redundancy.
For real redundancy you need to have multiple links using different operators.
Exactly. MPLS is for companies who don't care about reliability. It's the polar opposite of reliable. Everything about it is unnecessarily fragile and risky.
I know Fortune 100s that have it and it's 99% the cause of their downtime. It fails way more often than any other link, and it takes way longer to fix than any other link. Bigger outages, more often. Plus high cost. The worst of all worlds.
-
@gjacobse said in MPLS alternative:
Just happened to think back,
The emergency system (911) used MPLS between the county sites and the main server.
How would a VPN have replaced this? Down time is one thing, but down time and no ability to get emergency calls passed,... that’s serious
Well, since a VPN beats an MPLS is every way... any risk you have with the MPLS is reduced with a VPN. So there's nothing for VPN to do. If MPLS is acceptable, literally anything is acceptable. There's nothing worse.
-
@hobbit666 said in MPLS alternative:
@Dashrender said in MPLS alternative:
You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.
This is one thing management have never liked. Opening the server to the outside world .
But times are changing so going a mix of VPN for some serves and direct serve (i.e. on the internet) might be an option.They are missing the point then... the VPN is exposed directly to the web...why is it better than the Citrix server?
-
@Dashrender said in MPLS alternative:
@hobbit666 said in MPLS alternative:
@Dashrender said in MPLS alternative:
You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.
This is one thing management have never liked. Opening the server to the outside world .
But times are changing so going a mix of VPN for some serves and direct serve (i.e. on the internet) might be an option.They are missing the point then... the VPN is exposed directly to the web...why is it better than the Citrix server?
Well, so here is what happens....
Someone accidentally ties the Citrix ICA authentication to AD. They then expose AD to the Internet. They then realize that AD depends on LAN security and the mechanisms that work on a LAN are useless on the WAN and they disable them. Then they are exposed not because ICA is risky, not because the Internet is scary, but because AD is fragile and a bad overall security mechanism and totally unable to be used without the addition of a trusted LAN space (e.g. simply not very secure.)
Instead of learning from their mistakes (of using the wrong technology, AD in this case, and configuring Citrix wrong) they double down on their mistakes by trying to use a VPN, which is exactly the same security technology as Citrix ICA, but typically don't tie this to AD and voila, they think that the VPN fixed their previous mistake that they never took time to figure out.
It's a standard pattern of incompetence that happens so often (much like the Inverted Pyramid design) that one clueless shop repeats this story to another clueless shop and they get agreement that the same thing happened to them and you start to get people corroborating each other's incorrect theories and soon it becomes Internet myth.
-
@scottalanmiller said in MPLS alternative:
Remember "4 hr replacement" doesn't say that they WILL replace in 4hrs,
Yes it does, we've used it several times when we were with BT foe the MPLS. We log a call and WITHIN 4hrs the hardware is replaced.
Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.
Wrong!!! We are in the UK and bound by Openreach infrastructure, where some site only have ADSL products and long line lengths. If we need more bandwidth we have to pay for better lines. Thankfully 4G coverage is getting better and that's a good alternative.
All that traffic from the sites can be handled by normal VPNs. But that begs the question, why are you doing things like printing over the WAN in the first place? Or SMB shares over the WAN? These are LAN-focused, 1990s technologies. I get that things linger, but this feels more and more like one basic mistake that no one evaluated and then piling mistakes on top of that layer after layer. None of it matches anything remotely modern, secure, or affordable but each mistake relies on another mistake as the excuse for itself.
Agreed but unfortunately i'm not management, i can only recommend better ways of doing it. If the Management have the mind set of "if it works don't break it" i have to work with what we have.
Another fundamental flaw of the business in general: "management have never liked." Management's job here is to make sure that "what is good for the business"
Their mind set is to keep the business running, i.e. if it's working why change? (I'm not disagreeing with you but we live in the real world)
-
@hobbit666 said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
Remember "4 hr replacement" doesn't say that they WILL replace in 4hrs,
Yes it does, we've used it several times when we were with BT foe the MPLS. We log a call and WITHIN 4hrs the hardware is replaced.
Just because they managed to get it done in 4 hours those times doesn’t mean they are 100% assures to every time.
As Scott mentioned, if they are in a situation where they have to choose between fixing your thing on time and some other issue that’s costing them more than the contract say they have to pay you for missing the SLA, you can bet they will miss your deadline, because it makes financial sense to do so.Now that said, let’s not forget that they are very likely charging you an arm and a leg just to have that SLA, so if they miss it, they still likely come out ahead because they’ve capped their losses through the SLA (most I’ve seen say your max paying is the cost of the service for the outage timeframe, or all affected billing periods, whichever is greater. Clearly the cost of the service comes no where near to the losses you most likely suffer do to said outages.
-
So if we were looking at a green field.
We've got 300 end points in 60 locations that need access to the Citrix Server at a single location. They also have documents that everyone needs access to (Some Read some Read/Write).
E-mails/Word/Excel etc are already handled by Office365.
So would you say, don't even look at AD. Move all the documents to SharePoint for the shared documents & OneDrive for "personal" files.
Then for Citrix just publish the ICA part so people just connect via the internet.How do you handle Username/Passwords for accessing the Citrix with out AD? Then are we going to have different credentials for SharePoint and Office365
(Think this is where my LAN thinking is failing me) -
@hobbit666 said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.
Wrong!!! We are in the UK and bound by Openreach infrastructure, where some site only have ADSL products and long line lengths. If we need more bandwidth we have to pay for better lines. Thankfully 4G coverage is getting better and that's a good alternative.
Is your internet charge a different charge on top of the MPLS?
If so you should be able to get leased lines with internet for the same or less cost, because they are dropping the MPLS component.
-
@hobbit666 said in MPLS alternative:
@scottalanmiller said in MPLS alternative:
All that traffic from the sites can be handled by normal VPNs. But that begs the question, why are you doing things like printing over the WAN in the first place? Or SMB shares over the WAN? These are LAN-focused, 1990s technologies. I get that things linger, but this feels more and more like one basic mistake that no one evaluated and then piling mistakes on top of that layer after layer. None of it matches anything remotely modern, secure, or affordable but each mistake relies on another mistake as the excuse for itself.
Agreed but unfortunately i'm not management, i can only recommend better ways of doing it. If the Management have the mind set of "if it works don't break it" i have to work with what we have.
Another fundamental flaw of the business in general: "management have never liked." Management's job here is to make sure that "what is good for the business"
Their mind set is to keep the business running, i.e. if it's working why change? (I'm not disagreeing with you but we live in the real world)
Because save money, and as reliable or more.
-
@hobbit666 said in MPLS alternative:
So if we were looking at a green field.
We've got 300 end points in 60 locations that need access to the Citrix Server at a single location. They also have documents that everyone needs access to (Some Read some Read/Write).
E-mails/Word/Excel etc are already handled by Office365.
So would you say, don't even look at AD. Move all the documents to SharePoint for the shared documents & OneDrive for "personal" files.
Then for Citrix just publish the ICA part so people just connect via the internet.How do you handle Username/Passwords for accessing the Citrix with out AD? Then are we going to have different credentials for SharePoint and Office365
(Think this is where my LAN thinking is failing me)Yeah, What you mention is doable.share point/OD4B.
I’m not sure if RDS/Citrix can use AAD, but that could be an option for your central Authentication. -
What is your Citrix environment providing you? What are you deploying using it?
-
@Dashrender said in MPLS alternative:
Is your internet charge a different charge on top of the MPLS?
No, we get charged for the line and service as one.
If so you should be able to get leased lines with internet for the same or less cost, because they are dropping the MPLS component.
Yes if we dropped the MPLS side and just had them as "Internet" it would be cheaper. But still x10 the cost of ADSL/FTTC.
My point was to Scott's comment
Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.
We can't in the UK it's either copper line or Fibre, copper has speed limits the further from the BT exchanges you get. If that's not good enough then your only option (well it was until 4G came along, but coverage not great) is install fibre. We had a quote for one site was £12K+.
I think we may be getting terminology mixed from US and UK. To us a leased line is a direct Fibre connection to the BT Exchange this then gives you internet access and what ever speed you pay for. -
@Dashrender said in MPLS alternative:
What is your Citrix environment providing you? What are you deploying using it?
We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix Xen Desktop servers that these computers access to get onto the GP stuff. They've always used Citrix instead of RDS as "apparently" ICA protocol uses less bandwidth.
-
@Dashrender said in MPLS alternative:
Yeah, What you mention is doable sharepoint/OD4B.
Yeah we moving more to this everyday, especially when replacing machines/deploying new ones.
I’m not sure if RDS/Citrix can use AAD, but that could be an option for your central Authentication.
Why AAD instead of on site AD? As i thought you didn't want AD doing the central point for security/authentication?
Or is AAD a better choice as it's protected in the cloud? -
I'd guess we still would want a Firewall of some sorts at each site?
-
@hobbit666 said in MPLS alternative:
@Dashrender said in MPLS alternative:
Is your internet charge a different charge on top of the MPLS?
No, we get charged for the line and service as one.
If so you should be able to get leased lines with internet for the same or less cost, because they are dropping the MPLS component.
Yes if we dropped the MPLS side and just had them as "Internet" it would be cheaper. But still x10 the cost of ADSL/FTTC.
My point was to Scott's comment
Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.
We can't in the UK it's either copper line or Fibre, copper has speed limits the further from the BT exchanges you get. If that's not good enough then your only option (well it was until 4G came along, but coverage not great) is install fibre. We had a quote for one site was £12K+.
I think we may be getting terminology mixed from US and UK. To us a leased line is a direct Fibre connection to the BT Exchange this then gives you internet access and what ever speed you pay for.They may be expensive - but that doesn't make him wrong - he said same cost or less - you just said they would be cheaper.. so where was he wrong?
Sure it's not super cheap, but he never said it would be, only that it would be the "same or less", which you've already said it is.
One thing we need to make sure not to inject is personal expectations - like something getting cheap.
Scott's primary point was to point out that a leased line (even the UK definition) is still just a connection back to the Exchange, from there, the vendor either connects it to their internet equipment or they connect it to some other routing solution, but the line is the same. -
@hobbit666 said in MPLS alternative:
@Dashrender said in MPLS alternative:
What is your Citrix environment providing you? What are you deploying using it?
We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix Xen Desktop servers that these computers access to get onto the GP stuff. They've always used Citrix instead of RDS as "apparently" ICA protocol uses less bandwidth.
Yep, that's been generally true ICA has used less bandwidth than RDP (*pssst - the server side still has RDS installed on it as far as I know - they just add the Citrix stuff on top of RDS to gain access to ICA and other Citrix stuff)
-
@hobbit666 said in MPLS alternative:
@Dashrender said in MPLS alternative:
Yeah, What you mention is doable sharepoint/OD4B.
Yeah we moving more to this everyday, especially when replacing machines/deploying new ones.
I’m not sure if RDS/Citrix can use AAD, but that could be an option for your central Authentication.
Why AAD instead of on site AD? As i thought you didn't want AD doing the central point for security/authentication?
Or is AAD a better choice as it's protected in the cloud?AAD =/= AD
Azure AD is a completely different beast than AD.
That said, I know of many larger networks 1000+ users (could easily be 5000+, I just don't know) that do exactly what you're looking at. They have on prem AD, which syncs with AAD, and that same credential is what they use to access all of their systems as they have SSO'ed them all together.
@scottalanmiller said in MPLS alternative:
Someone accidentally ties the Citrix ICA authentication to AD. They then expose AD to the Internet.
I'm not sure what he means by the expose AD to the internet? I would hope that he doesn't simply mean that Citrix's exposure is exposing AD to the internet?
Frankly, at this level I don't know where good practices sit.
You have 300+ users, and since Citrix runs on Windows (the Citrix product we are talking about anyway) I can't imagine not using AD to manage those users on the 15 Citrix servers. You could use SAMBA instead, it might be a bit more secure, but by it's nature of being compatible with AD, I "feel" that seems unlikely.
@scottalanmiller what would your system look like that does this? 15 Citrix server farm, 300+ users. Assuming everyone has a laptop provided and managed by the company - what are you doing for those devices?