    Posts

    • RE: MPLS alternative

      So if we were looking at a green field.

      We've got 300 end points in 60 locations that need access to the Citrix Server at a single location. They also have documents that everyone needs access to (Some Read some Read/Write).

      E-mails/Word/Excel etc are already handled by Office365.

      So would you say, don't even look at AD. Move all the documents to SharePoint for the shared documents & OneDrive for "personal" files.
      Then for Citrix just publish the ICA part so people just connect via the internet.

      How do you handle Username/Passwords for accessing the Citrix without AD? Then are we going to have different credentials for SharePoint and Office365?
      (Think this is where my LAN thinking is failing me)

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @scottalanmiller said in MPLS alternative:

      Remember "4 hr replacement" doesn't say that they WILL replace in 4hrs,

      Yes it does, we've used it several times when we were with BT for the MPLS. We log a call and WITHIN 4hrs the hardware is replaced.

      Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.

      Wrong!!! We are in the UK and bound by Openreach infrastructure, where some sites only have ADSL products and long line lengths. If we need more bandwidth we have to pay for better lines. Thankfully 4G coverage is getting better and that's a good alternative.

      All that traffic from the sites can be handled by normal VPNs. But that begs the question, why are you doing things like printing over the WAN in the first place? Or SMB shares over the WAN? These are LAN-focused, 1990s technologies. I get that things linger, but this feels more and more like one basic mistake that no one evaluated and then piling mistakes on top of that layer after layer. None of it matches anything remotely modern, secure, or affordable but each mistake relies on another mistake as the excuse for itself.

      Agreed, but unfortunately I'm not management, I can only recommend better ways of doing it. If the Management have the mindset of "if it works don't break it" I have to work with what we have.

      Another fundamental flaw of the business in general: "management have never liked." Management's job here is to make sure that "what is good for the business"

      Their mindset is to keep the business running, i.e. if it's working why change? (I'm not disagreeing with you but we live in the real world)

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @Dashrender said in MPLS alternative:

      You serve Citrix directly on the internet, Citrix's protocol ICA includes encryption. Sending ICA over VPN is double encryption.

      This is one thing management have never liked. Opening the server to the outside world 😁.
      But times are changing so going a mix of VPN for some serves and direct serve (i.e. on the internet) might be an option.

      posted in IT Discussion
      hobbit666
    • RE: What Are You Doing Right Now

      Just testing an Xbox One X that I've just installed an SSD in.

      posted in Water Closet
      hobbit666
    • RE: MPLS alternative

      Any link to good reading on zero-trust stuff?

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @scottalanmiller said in MPLS alternative:

      1990's LAN-based thinking. Modern networks with security are zero-trust (aka LANless) in design and VPN/MPLS would not serve any purpose.

      I'll put my hand up and agree this is me, but will be looking at LANless/zero-trust on Monday and learn what it means fully.

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      So what about SDWAN? Would this be an alternative too?

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @scottalanmiller said in MPLS alternative:

      Neither of these would have any benefits from MPLS or a VPN set to work like MPLS.

      Agreed with o365 but I mainly mentioned as it's one of our main traffic usage now

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @Obsolesce said in MPLS alternative:

      Why no intent towards a Zero Trust architecture

      Because I've never heard of it 😁. Now I have, I've got 3yrs to look into it.

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @scottalanmiller said in MPLS alternative:

      @hobbit666 said in MPLS alternative:

      3 sites have 20+ users these are served by 100mb leased lines, would like to keep these.

      Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.

      Because we "couldn't" get a line above 5mb so Replication to the DR site would be impossible. Also handling the traffic from all the sites, like print servers, smb shares etc
      (most of these are getting replaced slowly with things like o365)

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @scottalanmiller said in MPLS alternative:

      These are things you never want. "Managed"

      This I kind of disagree with, if we have an issue with a connection we phone it in and they sort within the SLA. Down time means £££ loss.
      Currently with the MPLS we have 4hr replacement on hardware and high SLA with BT on the pstn lines.

      But looking at replacing that with possible 4g backups so we can wait 48hr for BT to fix

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      I only said VPN because Scott mentioned it several times in the other thread.

      If we didn't have VPN/MPLS how would we serve our Citrix farm at the main site?

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @notverypunny how is Internet access handled? Also firewall policies?

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      @notverypunny said in MPLS alternative:

      We're doing hub and spoke as far as vpn topology and it works for us, what's best for you will depend on what the rest of your infrastructure topology looks like.

      Basics are the Citrix/SQL/DC are all at main site then a DR site at another site.

      posted in IT Discussion
      hobbit666
    • RE: MPLS alternative

      Should add.
      3 sites have 20+ users these are served by 100mb leased lines, would like to keep these. Handy as two sites house our infrastructure. The rest have under 10.
      Main traffic that goes over is Citrix Xen Desktop. Also access to 365.
      Web usage is light.

      posted in IT Discussion
      hobbit666
    • MPLS alternative

      So following on from another thread.

      In today's modern day how would you handle:-

      *Multiple site connections around 60 sites.
      *Internet access via a firewall for "security" either at a single point or something per connection? Nice to have Intrusion detection blah blah blah 😁 and content filtering. Will need to allow certain ports in and out (I know this is normally standard on Firewalls/UTMs but worth mentioning)
      *semi managed with high SLA.

      How would multiple vpns be handled? Would it be a case each site's router would have multiple vpns to each site? Or a single VPN to a single "master" site/device.

      posted in IT Discussion mpls vpn mutli site
      hobbit666
    • RE: Hosted VoIP???

      And that explains it 😁 thanks Scott. I've always thought in those terms hopefully that will help me sell a semi vpn/managed solution

      posted in IT Discussion
      hobbit666
    • RE: Hosted VoIP???

      @scottalanmiller said in Hosted VoIP???:

      It's normally slower, less secure (way less - it has zero security)

      Care to expand on the less/zero secure part?
      As I thought it was a closed private network, with only one breakout to the Internet if you wanted one.

      posted in IT Discussion
      hobbit666
    • RE: What Are You Doing Right Now

      Converting a VirtualBox machine onto an ESXi host (My home Lab)

      posted in Water Closet
      hobbit666
    • RE: Security Information Event Management (SIEM)

      @Obsolesce said in Security Information Event Management (SIEM):

      How much data per day do you imagine?

      For me no idea.

      posted in IT Discussion
      hobbit666