ML

Posts by dave247 (Topics 89, Posts 974)
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dbeato The version I have is 10.2.319 and it doesn't have that option.

      There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)

      For the record, the latest version is 10.2.315 and the functionality is there regardless of if you install or upgrade.

      posted in IT Discussion
      dave247
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dbeato The version I have is 10.2.319 and it doesn't have that option.

      Looks like I'm on 10.2.300. First time connecting it said NetExtender was required to update versions (I had a slightly earlier version on the file share) and it auto-updated with this. I can try updating it and see if the option goes away but I don't understand why they would remove it...

      posted in IT Discussion
      dave247
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dave247 That won't work on the latest Sonicwall NetExtender client. It doesn't allow for that.

      Can you elaborate on what won't work? I literally downloaded the most recent NetExtender client and it's working fine.

      posted in IT Discussion
      dave247
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @jasgot said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.

      I use this exact same setup for all of our clients. It works perfectly.

      Tell me. When you start up the Laptop, and once you press <CTRL>-<ALT>-<DEL> to login, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?
      0f415143-bdc6-4061-a610-adece13d3a40-image.png

      And do you see this NetExtender logon when you click it?
      ec06ab38-28e8-4459-bcc2-808f505dc97a-image.png

      It will bring you here next. Building the VPN BEFORE authenticating to the domain.
      4828832b-c979-42d0-8f66-8bcf0472e782-image.png

      This should all work for you without any issues.

      Woah! I'm glad I posted here.. I completely missed that for some reason!!!! It's working now as intended... DUDE THANK YOU. You just saved me so much trouble. I owe ya

      posted in IT Discussion
      dave247
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @jasgot said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.

      I use this exact same setup for all of our clients. It works perfectly.

      Tell me. When you start up the Laptop, and once you press <CTRL>-<ALT>-<DEL> to login, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?
      0f415143-bdc6-4061-a610-adece13d3a40-image.png

      And do you see this NetExtender logon when you click it?
      ec06ab38-28e8-4459-bcc2-808f505dc97a-image.png

      It will bring you here next. Building the VPN BEFORE authenticating to the domain.
      4828832b-c979-42d0-8f66-8bcf0472e782-image.png

      This should all work for you without any issues.

      Woah! I'm glad I posted here.. no I didn't see that icon and I was actually looking for it, but I will check asap... What settings do you have for NetExtender?

      posted in IT Discussion
      dave247
    • RE: Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      @pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dave247

      On every Windows PC I've seen set up with VPN, you log in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.

      So maybe you're overcomplicating things.

      Yeah I think that's my issue. I was at home when I joined my test system to the domain so it couldn't finish the task and cache my credentials. I will have to play around with stuff a bit more not on the weekend. I think I can get this working the way I want...

      posted in IT Discussion
      dave247
    • Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      Hi all, I'm just looking to get some insight and direction with this as I'm a little stuck here...

      I currently have several domain joined laptops that I’m looking to set up so that users can take them home to work remote when needed, then bring them back to use as their main PC when on site. My company currently uses a Sonicwall NSA UTM which has SSLVPN, which, along with the NetExtender client, allows remote users to connect into the network as if they were on-prem.

      As a POC phase, I have successfully set up the SSLVPN settings with TOTP for MFA on the connection. I have a domain joined laptop with NetExtender installed and I can connect into the corporate network (full tunnel mode) and be on the domain and access everything just as if I was sitting in my office. That all works fine, except one thing.

      The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.

      I think there is an option to set it up so the VPN client connects automatically (before Windows login) but the issues with that are:

      1. During the times the laptop is on-prem, I don’t want it to connect to the VPN
      2. When the user’s password changes, it would stop being able to automatically connect
      3. I have TOTP enabled for MFA so I would potentially have to remove that for it to auto-connect

      A solution for all those problems would be that I could create local users on the Sonicwall and have NetExtender connect using a super long password that doesn’t expire and without TOTP, but at that point I’m worried I’d be getting a little over-complex and less secure with the solution.

      I have also considered VMware Horizon and Citrix Cloud to simply deliver users to their on-prem computers but that would mean an even more complex setup and having two computers for each remote user, their main PC and a laptop acting as a “thin client”.

      I think there are other options like Remote Desktop Services / Terminal Services, Always on VPN or per-App VPN but looking on the surface seems like it might be a ton more infrastructure to add. That would be fine if it ended up being necessary, but at the end of the day, I’m just trying to make it so remote users can seamlessly run about only 6 locally installed AD integrated applications along with several Windows file server shares on their computers as if they were on-prem.

      posted in IT Discussion
      dave247
    • RE: Any good recommendations for web content filtering and reporting?

      @obsolesce said in Any good recommendations for web content filtering and reporting?:

      I set up Squid Proxy in the past for a company and it worked really well.

      Cool. I've always wanted to try that out. I will have to set up in my lab and check it out.

      posted in IT Discussion
      dave247
    • Any good recommendations for web content filtering and reporting?

      I'm not happy with our current products. I just need something that is stable and does a good job of reporting on users' web activities. Looking for some suggestions/direction.

      posted in IT Discussion
      dave247
    • RE: HTML Editing

      @gjacobse you could use Notepad++ with the search and replace function. You might have to do a couple of passes but that is how I've stripped things off of multiple lines of text in the past. You'd just replace whatever text you want to remove with whitespace.

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @dbeato said in I've been asked to set up MFA on internal computers and servers:

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      @dbeato said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

      It's also per-user perpetual licensing 🙂

      oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

      Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

      Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.

      Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
      https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/

      Duo seems to be the easiest and I've been playing with it with the trial. It's super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.

      OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.

      I guess "knowing to unplug the cable" is the second factor? 😉

      Also you can disable that setting and it won't let you login at all in Duo.

      My main problem with this is that we lose internet connectivity a few times per year and people won't be happy if they can't get into their computers. We have limited providers in our small and rural area. I would do offline codes but apparently that is per/pc and we have quite a bit of computer sharing, which would essentially mean people would have to deal with the offline registration pop-up on every pc and/or have an offline MFA added to the app for multiple computers. If I find a good way around this in time, I will disable MFA bypass when offline.

      posted in IT Discussion
      dave247
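      Added example, not Duo's, AuthLite's or any poster's code: a small Python model of the three ways the discussion above handles a logon when the MFA service is unreachable: fail-open (MFA bypassed), fail-closed, and per-machine offline codes. The offline codes are RFC 4226 HOTP with a look-ahead window and a counter that advances past each accepted code so a code cannot be replayed; the `OfflineEnrollment` class, the `mfa_decision` policy, the cloud verifier stub and the secret are constructed assumptions for illustration, not how any vendor's client works internally.

```python
import hmac
import hashlib
import struct
from typing import Callable, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OfflineEnrollment:
    """Assumed shape of a per-machine offline enrollment: one HOTP secret and
    a moving counter held on that PC (which is why offline codes are per PC)."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Accept any of the next `look_ahead` codes (the user may have skipped
        # some), then move the counter past the match so a reused code fails.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def mfa_decision(
    password_ok: bool,
    cloud_reachable: bool,
    cloud_verify: Callable[[str], bool],
    enrollment: Optional[OfflineEnrollment],
    code: str,
    fail_open: bool,
) -> str:
    """Returns 'allow', 'deny' or 'allow-unverified' (second factor skipped)."""
    if not password_ok:
        return "deny"
    if cloud_reachable:
        # Normal path: the MFA service checks the push / code.
        return "allow" if cloud_verify(code) else "deny"
    if enrollment is not None:
        # Service unreachable but this PC has offline codes enrolled.
        return "allow" if enrollment.verify(code) else "deny"
    # Service unreachable and no offline enrollment: this is the setting the
    # thread argues about. Fail-open means a pulled cable skips the factor.
    return "allow-unverified" if fail_open else "deny"


def stub_cloud_verify(code: str) -> bool:
    """Stand-in for the online service; constructed for the example."""
    return code == "online-ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test secret
    enrol = OfflineEnrollment(secret)
    print(mfa_decision(True, True, stub_cloud_verify, None, "online-ok", False))
    print(mfa_decision(True, False, stub_cloud_verify, None, "123456", True))
    print(mfa_decision(True, False, stub_cloud_verify, None, "123456", False))
    offline_code = hotp(secret, 0)
    print(mfa_decision(True, False, stub_cloud_verify, enrol, offline_code, False))
    print(mfa_decision(True, False, stub_cloud_verify, enrol, offline_code, False))
```

      The last two calls show the offline path: the first use of a code is accepted, the replay of the same code is denied because the enrollment counter has moved on. Flipping `fail_open` is the one-line difference between "users can still log in during an outage" and "unplugging the cable is the second factor".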
    • RE: I've been asked to set up MFA on internal computers and servers

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      @dbeato said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

      It's also per-user perpetual licensing 🙂

      oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

      Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

      Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.

      Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
      https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/

      Duo seems to be the easiest and I've been playing with it with the trial. It's super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.

      OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.

      Pretty much lol.

      Currently it's more of an audit/exam item check box for us. That said, this is just phase 1 of rollout. I'll gradually tweak and tighten things after deployment. Also, the back of our computers are locked so employees can't really get at the network cable.

      Additionally, this is just one of many security layers. I have stuff locked down in other places that I feel matter quite a bit more. This is just going to help prevent unauthorized local and RDP logins for internal computers and servers only (users can't even get at servers currently).

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      @dbeato said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

      It's also per-user perpetual licensing 🙂

      oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

      Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

      Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.

      Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
      https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/

      Duo seems to be the easiest and I've been playing with it with the trial. It's super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

      It's also per-user perpetual licensing 🙂

      oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @pete-s said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      even internally for fully on-prem / non-remote access to user computers and servers?

      Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.

      Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.

      Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin

      If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.

      Good to know for business continuity and disaster recovery.

      Yes, that goes without saying, especially since many other things rely on our internet connection.

      Also I'm learning that some of these MFA applications don't support auth events with things like psexec and powershell, etc.

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      even internally for fully on-prem / non-remote access to user computers and servers?

      Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.

      Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.

      Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @dave247 Honestly, MFA for that use case is great. No complaints there. It's a pain for end users, but a good idea for financial services especially.

      even internally for fully on-prem / non-remote access to user computers and servers? And is there a fully Microsoft solution that wouldn't require using a 3rd party app like Duo? (I'm just trying to avoid unnecessary complexity and cost)

      posted in IT Discussion
      dave247
    • I've been asked to set up MFA on internal computers and servers

      I just wanted to get some input before I start diving into research and planning....

      My company is in financial services and we've been told from various sources that we should look at MFA across the board, which includes internal user computers and internal servers.

      We currently have a Hybrid on-prem AD/Azure/Exchange 365 (E3) deployment and we already have MFA enabled with Microsoft Azure for all external-related auth/access (remote use employees sign in with their Microsoft identity and use MFA if their access request is coming from a non-company WAN IP address).

      I am wondering if any of you can give some input/advice on enabling MFA internally with AD, preferably using Microsoft tools and settings (I'd like to avoid Duo). My thought currently is to utilize the Microsoft Authenticator app and the hybrid joined user workstations along with whatever settings need to be changed to request the MFA codes on the workstations and computers.

      Additionally, I welcome any and all questions, criticisms and insults regarding the why and how of this question. I don't personally think we need internal MFA but I still want to gather as much information as possible.

      posted in IT Discussion
      dave247
    • RE: WSUS Location

      @scottalanmiller said in WSUS Location:

      @dashrender said in WSUS Location:

      @scottalanmiller said in WSUS Location:

      @dafyre said in WSUS Location:

      Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.

      Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.

      That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.

      Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.

      So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)

      By merging the services you can dramatically reduce your overall risk with literally zero downsides.

      I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.

      Assuming the DNS is either with the AD or with the DHCP. As DNS is an AD dependency, you have to keep them together for safety. However DHCP is also an AD dependency that you have to keep together for safety. So who knows.

      Youtube Video

      Scott Alan Miller - excellent video and thanks for your awesome input as always. I made it about 5 minutes before I got lost in your beard though xD

      posted in IT Discussion
      dave247
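      Added example, not from the video or any poster: a Python enumeration of the two-server argument quoted above. Each host fails independently with a constructed probability p, and AD is treated as dependent on DHCP as the posts state, so a DHCP failure is a full outage and an AD-only failure is a partial one. Running it for the combined and split layouts shows the full-outage probability is the same either way, while splitting adds a partial-outage term of p(1-p), so the chance of some outage roughly doubles. The `outage_profile` and `split_vs_combined` functions and the host names are assumptions made for this example.

```python
from itertools import product
from typing import Dict, Tuple

# Constructed model: every host fails independently with probability p, a
# service is down when its host is down, and AD depends on DHCP as the
# thread states (no DHCP -> clients get no address -> AD is unusable too).


def outage_profile(layout: Dict[str, str], p: float) -> Tuple[float, float, float]:
    """layout maps service name ('AD', 'DHCP') to the host it runs on.
    Returns (P(full outage), P(partial outage), P(any outage))."""
    hosts = sorted(set(layout.values()))
    p_full = 0.0
    p_partial = 0.0
    # Enumerate every up/down combination of the hosts and weight it.
    for state in product((True, False), repeat=len(hosts)):  # True = host up
        up = dict(zip(hosts, state))
        prob = 1.0
        for h in hosts:
            prob *= (1.0 - p) if up[h] else p
        dhcp_ok = up[layout["DHCP"]]
        ad_ok = up[layout["AD"]] and dhcp_ok  # AD is unusable without DHCP
        if not dhcp_ok:
            p_full += prob        # dead in the water
        elif not ad_ok:
            p_partial += prob     # DHCP works, AD does not
    return p_full, p_partial, p_full + p_partial


def split_vs_combined(p: float) -> float:
    """How many times more likely *some* outage is when the roles are split
    across two hosts instead of sharing one."""
    combined = outage_profile({"AD": "srv1", "DHCP": "srv1"}, p)[2]
    split = outage_profile({"AD": "srv1", "DHCP": "srv2"}, p)[2]
    return split / combined


if __name__ == "__main__":
    for p in (0.001, 0.01, 0.05):
        c = outage_profile({"AD": "srv1", "DHCP": "srv1"}, p)
        s = outage_profile({"AD": "srv1", "DHCP": "srv2"}, p)
        print(f"p={p}: combined full/partial/any = {c}")
        print(f"        split    full/partial/any = {s}")
        print(f"        any-outage ratio split/combined = {split_vs_combined(p):.3f}")
```

      For p = 0.01 the combined layout yields (0.01, 0, 0.01) and the split layout (0.01, 0.0099, 0.0199): the same time fully down, plus an extra partial-outage term that exists only because the roles were separated, which is the "unnecessary risk" the quoted post describes.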
    • RE: Backup Solution for XenServer

      @jon-chris said in Backup Solution for XenServer:

      Hello everyone😊

      Now, I am using some VMs on XenServer and looking for the most suitable backup software.
      The wide spectrum of these products dazzles me. Could you do me a favour and recommend some?

      Thanks a lot in advance.

      Veeam Backup and Replication is hands down insanely great, and free up to 10 backed up systems.

      posted in IT Discussion
      dave247