• Is xByte still recommended for server purchases around here?

    Unsolved
    29
    0 Votes
    29 Posts
    2k Views
    DashrenderD

    SAM-SD anyone?

  • 0 Votes
    29 Posts
    3k Views
    dave247D

    @pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

    @dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

    @voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

    @dave247 I use certificates to only allow company owned and managed devices to connect.

    Interesting, can you elaborate more on how you achieve that?

    It's common to have certificates with VPN.

    An OpenVPN client, for example, without any MFA is usually set up so that it needs a client certificate and a username and a password as well as the connection info. The same goes for Cisco AnyConnect and others.

    The VPN connection uses mutual authentication, so the client authenticates that the server is who he is supposed to be and the server authenticates that the client is who he says he is.

    If you install the certificate on your company devices you can't connect to the VPN just by downloading and installing the client on another computer and entering the credentials, because you don't have the certificate.

    So that's how you can control what device is allowed to connect. For more security the certificates can also be stored on smart cards, hardware devices or even the TPM module inside the computer.

    You should have something similar on NetExtender. Look for client certificate or client authentication.

    Another thing with certificates is that you can prevent VPN access by revoking the client's certificate. And also certificates expire so you can give someone a short term access if you like.

    Nice, I will check it out. I have opened a few tickets and asked around other places regarding NetExtender and nobody has said anything about this, so I don't know if it's possible with the Sonicwall NSA / NetExtender setup, but I will find out.

  • Launching Windows settings, screen shot etc from URI

    3
    4 Votes
    3 Posts
    195 Views
    1

    @gjacobse said in Launching Windows settings, screen shot etc from URI:

    Interesting - I created a batch file that launches all of my daily applications in the office. It'll be interesting to see what I can move to this method...

    You can look at what URIs are registered to what applications by searching for protocol and you'll find "Choose default application by protocol".

    That's how Windows knows what program to launch when it finds something like mailto:

    You can also add your own URI to launch whatever app you want. That's done in the registry.

    BTW, Ubuntu and others have the same capability to handle URIs.

  • What do you think about .app domain names?

    10
    0 Votes
    10 Posts
    499 Views
    ObsolesceO

    @pete-s said in What do you think about .app domain names?:

    @scottalanmiller said in What do you think about .app domain names?:

    If it is under the hood, why bother. If it isn't under the hood, I think customers get confused.

    So you mean if it's customer facing it's better to stick to .com and there will be no confusion?

    That is the only aspect that matters tbh, what people / customers think of it. All other aspects have zero impact.

  • 2 Votes
    4 Posts
    2k Views
    JaredBuschJ

    If you upgrade to FreePBX 16, the script handler needs updated to reflect PHP7.

    The git repository is updated, but if you have an existing install, this will fix it for you

    sudo sed -i "s/php5/php7/" /etc/httpd/conf.d/yealink.conf
    sudo systemctl restart httpd
  • 4 Votes
    2 Posts
    1k Views
    JaredBuschJ

    If you upgrade to FreePBX 16, the script handler needs updated to reflect PHP7.

    The git repository is updated, but if you have an existing install, this will fix it for you

    sudo sed -i "s/php5/php7/" /etc/httpd/conf.d/yealink.conf
    sudo systemctl restart httpd
  • GKE Auto Scaling down to shut down resource usage and save costs.

    Solved
    8
    1 Votes
    8 Posts
    638 Views
    IRJI

    Scale Down

    ######################################
    ## Save Deployment State (excludes kube,mongo,k8 pods)
    ######################################
    kubectl get deploy -A --no-headers | grep -v -E 'kube|mongo|k8s-api-proxy' > deploy_state_before_scale.txt

    ######################################
    ## Copy Deployment State to GCS Bucket
    ######################################
    gsutil cp deploy_state_before_scale.txt gs://app1

    #######################################
    ## Scale Deployments to zero
    #######################################
    kubectl get deploy -A --no-headers | grep -v -E 'kube|mongo|k8s-api-proxy' | awk '{print $1,$2}' | while read NS DEPLOY; do kubectl scale --replicas=0 deployment/$DEPLOY -n $NS; done

    #######################################
    ## Scale Daemons to zero
    #######################################
    kubectl -n <namespace> patch daemonset <name-of-daemon-set> -p '{"spec": {"template": {"spec": {"nodeSelector": {"non-existing": "true"}}}}}'

    #######################################
    ## Turn off Autoscaler on GKE nodepools
    #######################################
    gcloud container clusters update <app1-cluster> --no-enable-autoscaling --region <region> --node-pool <app1nodepool1>
    gcloud container clusters update <app1-cluster> --no-enable-autoscaling --region <region> --node-pool <app1nodepool2>

    #######################################
    ## Resize Node Pools to zero
    #######################################
    gcloud container clusters update <app1-cluster> --num-nodes 0 --region <region> --node-pool <app1nodepool1>
    gcloud container clusters update <app1-cluster> --num-nodes 0 --region <region> --node-pool <app1nodepool2>

    Scale Up

    #######################################
    ## Resize Node size to 1 for each node pool
    #######################################
    gcloud container clusters update <app1-cluster> --num-nodes 1 --region <region> --node-pool <app1nodepool1>
    gcloud container clusters update <app1-cluster> --num-nodes 1 --region <region> --node-pool <app1nodepool2>

    #######################################
    ## Turn Autoscaling Back on
    #######################################
    gcloud container clusters update <app1-cluster> --enable-autoscaling --region <region> --node-pool <app1nodepool1>
    gcloud container clusters update <app1-cluster> --enable-autoscaling --region <region> --node-pool <app1nodepool2>

    #####################################################
    ## Copy Saved Deployment State from GCS bucket
    #####################################################
    gsutil cp gs://<app1>/deploy_state_before_scale.txt .

    #####################################################
    ## Scale deployments using the previously saved state file
    #####################################################
    awk '{print $1,$2,$4}' deploy_state_before_scale.txt | while read NS DEPLOY SCALE; do kubectl scale --replicas=$SCALE deployment/$DEPLOY -n $NS; done

    #####################################################
    ## Scale Daemons back up
    #####################################################
    kubectl -n <namespace> patch daemonset <name-of-daemon-set> --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/non-existing"}]'
  • 2 Votes
    3 Posts
    949 Views
    scottalanmillerS

    @jaredbusch said in Restoring a Windows MS SQL Server Database to Linux With Move SQLCMD:

    @scottalanmiller I have not had to do that before with a normal backup to a .bak and then restore. Not some an place move like it seems you are doing.

    Happens if going to a space with a different storage layout. If you are coming from Linux you are probably fine. But Windows injects the drive letter into the path (obviously) and so going from one machine to another that doesn't keep identical storage path names causes the issue.

  • Cloudflare Spectrum alternative

    9
    0 Votes
    9 Posts
    729 Views
    J

    Was wondering if anything like NGINX or HAProxy have a suitable solution we could use. Maybe we could point the public DNS entry to HAProxy hosted somewhere in a datacenter and if the traffic is 80/443 protect with WAF, and if any other suitable port allow through.

    The paid HAProxy seems to have a WAF. Not sure on the cost though. As long as we keep Citrix/back end patched, and keep it behind our MDR platform, and only allow traffic from the proxy, maybe that will be ok.

  • Small switch for small branch office recs?

    11
    0 Votes
    11 Posts
    757 Views
    notverypunnyN

    2530-8G-PoE+ Switch (J9774A)

  • Mobile Range Extender

    14
    0 Votes
    14 Posts
    760 Views
    F

    @krzykat around here everyone's using the same bands, so not really an issue, just hook it up, point in the general direction of a tower and it's good to go. Your experience may vary.

  • beyond bash shell scripting, what language should I use

    Unsolved
    20
    1 Votes
    20 Posts
    3k Views
    scottalanmillerS

    @jaredbusch said in beyond bash shell scripting, what language should I use:

    @scottalanmiller said in beyond bash shell scripting, what language should I use:

    @jaredbusch said in beyond bash shell scripting, what language should I use:

    @stacksofplates said in beyond bash shell scripting, what language should I use:

    @jaredbusch said in beyond bash shell scripting, what language should I use:

    @scottalanmiller said in beyond bash shell scripting, what language should I use:

    Go is great as a language. But like Ruby, not installed generally. And fewer resources. If it was a greenfield new OS, yeah, Go for sure. But for practical reasons, Python I think.

    As these are systems that I control, there is no reason Go cannot be installed.

    Between your comments and prior ones from @stacksofplates I think I might try Go in order to learn it.

    You normally wouldn't install it anyway as it's not a scripting language. You'd just compile your binary and ship that to your systems.

    I completely misunderstood that about Go. Okay, I will do a bit of checking and decide what I want to do.

    Oh sorry, I figured you knew. That's why I never look at it, I don't want to deal with binaries in that way. But nothing wrong with that. Write it on your machine at home, compile, ship binary. Works just fine.

    As fixed tasks, this is not a bad solution. So I will keep it in mind.

    Right, no big deal in this case.

  • Import a QCOW2 Into Proxmox

    24
    5 Votes
    24 Posts
    65k Views
    DashrenderD

    @jaredbusch said in Import a QCOW2 Into Proxmox:

    @dashrender said in Import a QCOW2 Into Proxmox:

    @scottalanmiller said in Import a QCOW2 Into Proxmox:

    @jaredbusch good point, Linux doesn't "detect non-local" like Windows does.

    ug.. what a pain that is!

    ummm wut?

    That Windows detects SMB shares as remote.

  • Win 11 Home - install with local account

    3
    3 Votes
    3 Posts
    420 Views
    DashrenderD

    @dustinb3403 said in Win 11 Home - install with local account:

    @dashrender or just don't install Windows 11 Home if you don't plan to give Microsoft more insight into your personal habits.

    This in my opinion makes little sense to work around from an end user or implementer standpoint.

    With the online account you get better integration to backup systems (OneDrive), which for a home user is a pretty important feature. Among other features.

    If you simply don't want these features for a home device, why bother with Windows 11 at all?

    If not already, not a practical thing for a typical home buyer buying a new computer today, because Win 11 comes on the computer.

    But you're right - those people likely are better off using those services than not. God knows if they buy a Mac they are buying into that ecosystem - if they buy a Chromebook, they are buying into that ecosystem.... so it's not really any different.

    Nonetheless - not many home users are surfing ML - and those that are should be able to find answers like this.

  • decrap Windows 11

    1
    5 Votes
    1 Posts
    340 Views
    No one has replied
  • Zoho analyzes DMARC reports now

    1
    3 Votes
    1 Posts
    621 Views
    No one has replied
  • any zimbra specialists

    10
    0 Votes
    10 Posts
    1k Views
    scottalanmillerS

    @dbeato said in any zimbra specialists:

    Also Ubuntu 16.04 and Zimbra 8.8.12 are old and need to be updated.

    General system admin rule of thumb.... always update before troubleshooting. There is a high chance that patching alone will resolve issues.

  • Windows 11 auto upgrade?

    33
    0 Votes
    33 Posts
    2k Views
    M

    @irj said in Windows 11 auto upgrade?:

    Yeah. I have windows 10 on my home pc with auto updates and it only asks me if I want to upgrade. It never forces me or does it without my consent.

    But if you do not give consent, it will update without your consent anyway (after some time) 🙂
    You just can't stop updates on Windows 10, only delay it for some time.

  • SPF records - for all A records?

    7
    0 Votes
    7 Posts
    328 Views
    1

    @dashrender said in SPF records - for all A records?:

    This site is pretty good also for checking the whole mailing stack
    https://www.checktls.com/TestReceiver

    That one was new to me. I'm going to check it out.

    Another awesome resource, one that can test your own email from the receiving end, is https://www.learndmarc.com/
    It's just great and will explain what happens.

    It's made by uriports. We just started to evaluate their DMARC report monitoring service. Looking good so far.

  • Recommendation: Non-Profit Site hosting

    5
    0 Votes
    5 Posts
    392 Views
    gjacobseG

    @dashrender said in Recommendation: Non-Profit Site hosting:

    Why do you need WordPress?

    Do you need that level of functionality?

    We're going to be looking at redoing my company's website this year (I think). It's on WP now, but really, it's completely just static pages, there is no need for on the fly changes - unless they wanted to change the whole theme.

    It's more of the feature set... being able to use a WYSIWYG editor for events, announcements and such. In some regard - yes, WP is overpowered, but it also allows for the tie-ins like Calendar, Mailing list, and more.