
    Posts

    • RE: Locking down vendors

      Yes, on a VLAN for each network.

      If it's highly sensitive or for compliance, separate switches are needed for these networks to avoid VLAN hopping or misconfigured switches that allow access to restricted network assets. Normally it's not needed though.

      A separate firewall also sounds like it's not needed unless you have some serious security concerns.

      ZeroTier doesn't sound like the best tool for the job though.

      Something like OpenVPN with certificates and perhaps with added OTP is much better suited.

      You want to give access to people on a time-limited basis. Certificates have expiration so that is great. OTP ensures that knowing passwords and having a certificate is not enough.

      When clients log in they are put in a specific IP and you control their network access to their VLANs through your firewall's rules.

      That way you have something that can grow. VPN provides access and security is handled in your firewall.

      If you want something hosted (like ZeroTier is), I'd look into Cloudflare Access. They use WireGuard for the VPN access and their network controls access.

      posted in IT Discussion
      1
      1337
    • RE: "Site not secure" | Self-signed Certificate?

      @mr-jones said in "Site not secure" | Self-signed Certificate?:

      @pete-s said in "Site not secure" | Self-signed Certificate?:

      I'm not sure how you set up a CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.

      I ended up using this approach. As usual, it took a bit of reading and research along with poking at the server, but I was able to use this approach.

      Awesome! Yeah, I bet it took a bit of research to get it up and running.

      posted in IT Discussion
      1
      1337
    • RE: Wsus for remote vpn and on-premise users

      @fredtx

      If you are considering having clients download updates from Microsoft directly then that means that you are going to apply all updates, doesn't it?

      If that is the case, what functionality does WSUS bring to the table?

      posted in IT Discussion
      1
      1337
    • RE: How Can I Upgrade Ubuntu 20.10 to 21.10?

      @scottalanmiller said in How Can I Upgrade Ubuntu 20.10 to 21.10?:

      @pete-s said in How Can I Upgrade Ubuntu 20.10 to 21.10?:

      @scottalanmiller said in How Can I Upgrade Ubuntu 20.10 to 21.10?:

      I have a user that kept their laptop offline until the upgrade window was past. They are remote only and non-technical. The upgrade path is not supported and the in-between release is gone. So there is no Ubuntu provided upgrade option.

      I tried this tool: https://askubuntu.com/questions/1361262/how-upgrade-ubuntu-20-10-after-its-eol

      But it is graphical only and doesn't work. It just throws GTK errors.

      As a service provider you really should have your own repository mirror. Mirror the official repository as well as any 3rd party you use.

      We mirror Debian and I think it's only about 70GB or something like that for all 50000 (?) packages in the amd64 architecture. Ubuntu is likely less.

      Point is that it doesn't take up much space and your mirror could have copies of all the LTS releases and in between.

      It's not really a point as a service provider. No customer has an issue. This is a home user that only reached out for help because they kept their personal machine from updating for a long time. Service provider customers we don't need this kind of thing. For home users, yeah this one is Ubuntu, but it could have been just anything.

      OK, I thought it was a business customer.

      Anyway, there are a couple of special cases where distros that go EOL without old repositories could be troublesome. For example when things are only powered up intermittently, such as laptops or VMs, or when you have servers or workstations on isolated LANs, or when you have embedded systems that don't always have a network connection.

      posted in IT Discussion
      1
      1337
    • RE: How Can I Upgrade Ubuntu 20.10 to 21.10?

      @scottalanmiller said in How Can I Upgrade Ubuntu 20.10 to 21.10?:

      I have a user that kept their laptop offline until the upgrade window was past. They are remote only and non-technical. The upgrade path is not supported and the in-between release is gone. So there is no Ubuntu provided upgrade option.

      I tried this tool: https://askubuntu.com/questions/1361262/how-upgrade-ubuntu-20-10-after-its-eol

      But it is graphical only and doesn't work. It just throws GTK errors.

      As a service provider you really should have your own repository mirror. Mirror the official repository as well as any 3rd party you use.

      We mirror Debian and I think it's only about 70GB or something like that for all 50000 (?) packages in the amd64 architecture. Ubuntu is likely less.

      Point is that it doesn't take up much space and your mirror could have copies of all the LTS releases and in between.

      posted in IT Discussion
      1
      1337
    • RE: "Site not secure" | Self-signed Certificate?

      @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

      @pete-s said in "Site not secure" | Self-signed Certificate?:

      You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs

      We get them. It's just more effort.

      Please elaborate Scott!

      posted in IT Discussion
      1
      1337
    • RE: "Site not secure" | Self-signed Certificate?

      @mr-jones said in "Site not secure" | Self-signed Certificate?:

      Can you prevent the aforementioned error when visiting a domain server from a domain computer with a self-signed certificate? i.e. https://server:8080

      Yes, but it's a little difficult.

      1. Either you add the self-signed certificate for every server to all your computers. That's impractical though.

      2. Or you set up your own CA and add that to all your computers. Then you issue your own server certificates with your own CA and they will be trusted automatically.

      You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs.

      Option 2 is what you are supposed to do. We've been planning to do it at work (linux infrastructure) but we haven't started on it yet.

      I'm not sure how you set up a CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.

      posted in IT Discussion
      1
      1337
    • RE: Issue with NGINX passthrough TLS

      @killmasta93 said in Issue with NGINX passthrough TLS:

      @pete-s
      Correct, what's odd is that it works perfectly fine on HAProxy on pfSense, it's just that I would rather move to a virtual machine and not depend on pfSense.
      I'm not sure how come it works on HAProxy and not on NGINX.

      I don't know, but why not install HAProxy instead of nginx in your VM?
      You could access pfSense over ssh and look at the HAProxy config files directly for inspiration.

      BTW, it's quite possible that haproxy uses the tcp session just as a router would. Not looking at it as a series of http requests but as a series of packets. That means the backend will get the IP.

      Since haproxy is a load balancer it makes sense that it can work on the router layer (L4) while nginx works at the application layer (L7).

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      To find out how to configure a proxy server just search for forward proxy:
      https://duckduckgo.com/?q=forward+proxy+nginx
      https://duckduckgo.com/?q=forward+proxy+apache

      You'll find more info on how to set up reverse proxies because that is what everybody does all the time. But a forward proxy is just a matter of a slightly different configuration with the same software.

      Thanks. I hope I can avoid all this horse pucky... but I appreciate the info.

      No problem. I wanted to share some info on proxies since it sounds more complicated than it is and it's a staple in the enterprise space. And proxies are available as services too.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      To find out how to configure a proxy server just search for forward proxy:
      https://duckduckgo.com/?q=forward+proxy+nginx
      https://duckduckgo.com/?q=forward+proxy+apache

      You'll find more info on how to set up reverse proxies because that is what everybody does all the time. But a forward proxy is just a matter of a slightly different configuration with the same software.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      The proxy file will look something like this:

      function FindProxyForURL(url, host)
      {
         if (dnsDomainIs(host, ".saas.com"))
            return "PROXY yourproxy:443";
         else
            return "DIRECT";
      }

      You can host it on your proxy server if you use apache or nginx. Or github or where ever.
      If you want to change something in the client's proxy settings, you only need to change this file.

      posted in IT Discussion
      1
      1337
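      A fuller PAC script for the setup discussed in this thread (only the SaaS traffic leaves via the fixed-IP proxy, everything else goes direct), added here as an example and not taken from the post above. It assumes the placeholder names saas.example.com and proxy.example.net, uses the HTTPS proxy scheme that Chrome and Firefox accept so the client talks TLS to the proxy and does not send proxy credentials in the clear, and includes small copies of the PAC helper functions so the file can be checked offline with Node.js before it is pushed to clients.

```javascript
// Added example (not from the original post). Placeholders: the SaaS
// vendor's zone and our proxy host are assumed names, not real ones.
var SAAS_DOMAIN = "saas.example.com";
var PROXY_HOST = "proxy.example.net";
// "HTTPS host:port" = TLS to the proxy; "PROXY host:port" would be plain HTTP CONNECT.
var PROXY = "HTTPS " + PROXY_HOST + ":443";

// --- PAC helper functions ---------------------------------------------
// Browsers provide these natively; the copies below match their behaviour
// and let the script run under Node.js for offline testing.
function dnsDomainIs(host, domain) {
  // True when host ends with domain. With a leading dot in domain this
  // matches subdomains only: the bare apex "saas.example.com" is NOT
  // matched by ".saas.example.com", and neither is "evilsaas.example.com".
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function isPlainHostName(host) {
  // Short intranet names such as "intranet" contain no dot.
  return host.indexOf(".") === -1;
}

// --- The PAC entry point the browser calls for every request -----------
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet short names and the proxy itself never go via the proxy.
  if (isPlainHostName(host) || host === PROXY_HOST) {
    return "DIRECT";
  }

  // Proxy the SaaS apex and any of its subdomains, and nothing else.
  if (host === SAAS_DOMAIN || dnsDomainIs(host, "." + SAAS_DOMAIN)) {
    // Deliberately no "; DIRECT" fallback: if the proxy is down, falling
    // back to a direct connection would present the user's own IP, which
    // the vendor does not whitelist, and would hide the proxy outage.
    return PROXY;
  }

  // Everything else is normal internet traffic and stays off the proxy.
  return "DIRECT";
}
```

Save the block as proxy.pac, host it over HTTPS, and point the client's "automatic proxy setup" at that URL; whether a given host goes via the proxy can be checked locally by calling FindProxyForURL with the URL and host name.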
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      Either way, for mobile users FQDNs are also a little problematic because you need a DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

      I know I need DDNS - I've already got it in place.
      Why do you think wildcard support would be needed?

      Don't know how many clients you have but if you want to enter an FQDN for each client it could be a lot. With a wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

      OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

      Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

      I've only ever set up a proxy for the same network that I'm on.

      In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.

      I know VPNs can be setup to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also setup some type of rule that only this particular website's traffic is what goes through the VPN)

      Though I assume there are other ways to do this as well.
      Thoughts - recommendations?

      You don't need a VPN because https is a VPN.

      A proxy on a LAN works exactly like a proxy on another server outside the LAN.

      So classic LAN based forward proxy would be:
      LAN user -> LAN proxy -> internet -> websites

      In your case:
      Mobile user -> internet -> your proxy -> saas
      and
      Mobile user -> internet -> other websites

      It's the proxy settings on the client that determines what traffic goes over the proxy and what goes direct.

      The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.

      I'm looking for the name of a proxy in this case - what product to use?

      Oh, you could use anything that can proxy if you want to host it yourself. Apache, nginx, haproxy to name a few.

      I haven't set up exactly what you need so can't say what would work best. Use what's most familiar to you.

      yeah - I have no real idea how to make your suggestion work.

      I know browsers can be set up to use a proxy - so I could set up Chrome (or Windows 10 itself) to use a proxy only for a given site, but there's a lot of heavy lifting for me on that.

      Since proxies are in heavy use in enterprise environments, all browsers and OSes have good support for setting up proxies.

      If we're talking Windows I think the normal way is to use GPO to push out settings. Usually there is a proxy auto configuration (PAC) URL/file that contains the settings and the client is told to look for that.

      You could do it manually as well of course.

      No GPO in this company. No onsite Windows Servers.
      They do have O365, but only the lowest level - so no Intune either. All manual work at this point.

      Well, doing it manually you search for proxy settings in Windows 10. And add a URL. That URL contains a script that tells your client when to use a proxy and when not.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      Either way, for mobile users FQDNs are also a little problematic because you need a DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

      I know I need DDNS - I've already got it in place.
      Why do you think wildcard support would be needed?

      Don't know how many clients you have but if you want to enter an FQDN for each client it could be a lot. With a wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

      OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

      Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

      I've only ever set up a proxy for the same network that I'm on.

      In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.

      I know VPNs can be setup to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also setup some type of rule that only this particular website's traffic is what goes through the VPN)

      Though I assume there are other ways to do this as well.
      Thoughts - recommendations?

      You don't need a VPN because https is a VPN.

      A proxy on a LAN works exactly like a proxy on another server outside the LAN.

      So classic LAN based forward proxy would be:
      LAN user -> LAN proxy -> internet -> websites

      In your case:
      Mobile user -> internet -> your proxy -> saas
      and
      Mobile user -> internet -> other websites

      It's the proxy settings on the client that determines what traffic goes over the proxy and what goes direct.

      The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.

      I'm looking for the name of a proxy in this case - what product to use?

      Oh, you could use anything that can proxy if you want to host it yourself. Apache, nginx, haproxy to name a few.

      I haven't set up exactly what you need so can't say what would work best. Use what's most familiar to you.

      yeah - I have no real idea how to make your suggestion work.

      I know browsers can be set up to use a proxy - so I could set up Chrome (or Windows 10 itself) to use a proxy only for a given site, but there's a lot of heavy lifting for me on that.

      Since proxies are in heavy use in enterprise environments, all browsers and OSes have good support for setting up proxies.

      If we're talking Windows I think the normal way is to use GPO to push out settings. Usually there is a proxy auto configuration (PAC) URL/file that contains the settings and the client is told to look for that.

      You could do it manually as well of course.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      Either way, for mobile users FQDNs are also a little problematic because you need a DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

      I know I need DDNS - I've already got it in place.
      Why do you think wildcard support would be needed?

      Don't know how many clients you have but if you want to enter an FQDN for each client it could be a lot. With a wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

      OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

      Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

      I've only ever set up a proxy for the same network that I'm on.

      In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.

      I know VPNs can be setup to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also setup some type of rule that only this particular website's traffic is what goes through the VPN)

      Though I assume there are other ways to do this as well.
      Thoughts - recommendations?

      You don't need a VPN because https is a VPN.

      A proxy on a LAN works exactly like a proxy on another server outside the LAN.

      So classic LAN based forward proxy would be:
      LAN user -> LAN proxy -> internet -> websites

      In your case:
      Mobile user -> internet -> your proxy -> saas
      and
      Mobile user -> internet -> other websites

      It's the proxy settings on the client that determines what traffic goes over the proxy and what goes direct.

      The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.

      I'm looking for the name of a proxy in this case - what product to use?

      Oh, you could use anything that can proxy if you want to host it yourself. Apache, nginx, haproxy to name a few.

      I haven't set up exactly what you need so can't say what would work best. Use what's most familiar to you.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      Either way, for mobile users FQDNs are also a little problematic because you need a DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

      I know I need DDNS - I've already got it in place.
      Why do you think wildcard support would be needed?

      Don't know how many clients you have but if you want to enter an FQDN for each client it could be a lot. With a wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

      OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

      Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

      I've only ever set up a proxy for the same network that I'm on.

      In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.

      I know VPNs can be setup to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also setup some type of rule that only this particular website's traffic is what goes through the VPN)

      Though I assume there are other ways to do this as well.
      Thoughts - recommendations?

      You don't need a VPN because https is a VPN.

      A proxy on a LAN works exactly like a proxy on another server outside the LAN.

      So classic LAN based forward proxy would be:
      LAN user -> LAN proxy -> internet -> websites

      In your case:
      Mobile user -> internet -> your proxy -> saas
      and
      Mobile user -> internet -> other websites

      It's the proxy settings on the client that determines what traffic goes over the proxy and what goes direct.

      The only thing is that your proxy shouldn't be open to everyone so you need some auth here, IP/FQDN or username/password etc. Can be transparent for the user.

      posted in IT Discussion
      1
      1337
    • RE: Why Hyperconverged For Small Business

      @dashrender said in Why Hyperconverged For Small Business:

      @pete-s said in Why Hyperconverged For Small Business:

      @carnival-boy said in Why Hyperconverged For Small Business:

      I'm not talking about HA. Just plain old non-HA environments.

      However, with the ability to run some, or all, environments on a single host if another host fails. But you don't need to double the resources, as it is generally acceptable to run a slower environment for a few days.

      That's manual HA with caveats.

      Sure, it might be the best thing in some cases. Overconsolidating and putting all your eggs in one basket is not always the best.

      But even if you get away with less than double the hardware you still need more than with just one host. So the hardware is going to be more expensive, the licensing of hosts and guest VMs is going to be more and energy is going to cost more.

      I recall previous discussions around the eggs one basket thing. It doesn't really apply to most Small Businesses - why? because all of these services are generally needed. If one is down, the business is down, or at least crippled so much that those remaining don't matter. So putting everything on a single server isn't this huge risk that some think it is, because if the main app is dead, who cares about the rest.

      Maybe, maybe not. The idea would be that you can run the main app on the other host and stop some of those less critical apps if needed to make space for the important stuff.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      Either way, for mobile users FQDNs are also a little problematic because you need a DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

      I know I need DDNS - I've already got it in place.
      Why do you think wildcard support would be needed?

      Don't know how many clients you have but if you want to enter an FQDN for each client it could be a lot. With a wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

      OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.

      Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.

      posted in IT Discussion
      1
      1337
    • RE: Why Hyperconverged For Small Business

      @carnival-boy said in Why Hyperconverged For Small Business:

      I'm not talking about HA. Just plain old non-HA environments.

      However, with the ability to run some, or all, environments on a single host if another host fails. But you don't need to double the resources, as it is generally acceptable to run a slower environment for a few days.

      That's manual HA with caveats.

      Sure, it might be the best thing in some cases. Overconsolidating and putting all your eggs in one basket is not always the best.

      But even if you get away with less than double the hardware you still need more than with just one host. So the hardware is going to be more expensive, the licensing of hosts and guest VMs is going to be more and energy is going to cost more.

      posted in IT Discussion
      1
      1337
    • RE: Why Hyperconverged For Small Business

      @carnival-boy said in Why Hyperconverged For Small Business:

      And I'm not sure the costs of two hosts are significantly higher - you're still looking at the same amount of processing power, memory and storage, which are the main costs. Plus licensing, but that is variable depending on what you're running.

      It's twice the cost actually.

      If you set up HA then you must have a total of 100% more RAM and storage compared to one host.

      It's because with two hosts, each host needs to have the capacity to run all workloads if the other host fails.

      With three hosts you need the same amount of spare capacity but you can spread it out on three hosts. If one host fails you have two hosts that can share the workloads. The math is basically the same as RAID-5.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      Either way, for mobile users FQDNs are also a little problematic because you need a DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

      I know I need DDNS - I've already got it in place.
      Why do you think wildcard support would be needed?

      Don't know how many clients you have but if you want to enter an FQDN for each client it could be a lot. With a wildcard you would just do *.example.com which covers client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.

      posted in IT Discussion
      1
      1337