Best posts made by Dashrender

@gjacobse said in Will faxes ever die - cheapest way to forward a DID:

@dashrender said in Will faxes ever die - cheapest way to forward a DID:

What is etherFax?

Founded in 2009,  etherFAX offers a secure document delivery platform and suite of applications widely used across a broad range of industries to digitize workflows and optimize business processes. As a leading provider of hybrid-cloud fax solutions supporting healthcare enterprises, etherFAX securely transmits protected health information and high-resolution, color documents  directly to  applications and devices  with end-to-end encryption and ultra-fast transmission speeds.

We have set FORCE TLS on all of our outgoing email. This ensures that we only send email over encrypted connections.

if your management would accept that - then you too could do the same.

The issue is getting the other side to have a process for dealing with receiving emails instead of faxes.

We have M365 - I use power automate to watch a shared mailbox - and when an attachment comes in - it pulls it out and saves it to a folder in sharepoint. that folder is mapped into OneDrive for Business for those who need it. Works pretty slick.

@eleceng said in Will faxes ever die - cheapest way to forward a DID:

Move to a Virtual Inbound and Outbound fax service. Much cheaper than real fax and much more flexible

I have been looking at that for years, and it's Never been true.

We accept more than 700 faxes a month - this normally amounts to something like $600+/m for most services I've looked at.

it's significantly cheaper to have a local fax machine, local provided dial tone (from Cox is $35/m) saving to a network share.

Now days we have a SIP trunk delivering to a FreePBX server which emails to our O365 account where a power automate script grabs the file and saves it to Sharepoint for anyone to access.

funny - I was thinking about the second and third options, I hadn't thought about the first.. nice add.

@pete-s said in appear to come from an IP:

@dashrender Where does the IP whitelisting happen and how do the users connect?

Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?

Are we talking about one IP or a subnet or just that it has to one or several static IP ranges?

This is a SaaS solution. They are the ones who manage the whitelist.
The level one techs are claiming that their system will only accept IP addresses, not hosts in the whitelist. Of course we've all seen systems like that - 20 years ago. And as I just got done telling Scott - RX vendors rarely update their solutions - and unrelated vendor is actively deploying a version of xming from 2006, even though there is active development in 2022.

I now believe that they lock down to IP because the rest of their security is so bad.

I agree with everyone else here - That's a setup that's overkill in hardware already (most likely) and potentially underkill in hypervisor (assuming ESXi Essentials).

Today you'd likely be fine with a single host running ProxMox, Xen or KVM and good backups.

The question is - how much down time can the company really handle?
When I first started here, I was told we could handle 7+ days of down time (we do everything on paper). At this point we're shooting for well under 1 business day. Of course since we using SaaS as our primary app is web based - if our ISP goes out - we are just hostage until that gets fixed... we're currently investigating cellular data backup.

One thing I haven't seen asked/talked about in this entire thread is - does the client still actually need their own servers? Can they put this in VPS? Like Vultr, etc?

@pete-s said in Why Hyperconverged For Small Business:

@dashrender said in Why Hyperconverged For Small Business:

@pete-s said in Why Hyperconverged For Small Business:

@carnival-boy said in Why Hyperconverged For Small Business:

I'm not talking about HA. Just plain old non-HA environments.

However, with the ability to run some, or all, environments on a single host if another host fails. But you don't need to double the resources, as it is generally acceptable to run a slower environment for a few days.

That's manual HA with caveats.

Sure, it might be the best thing is some cases. Overconsolidating and putting all your eggs in one basket is not always the best.

But even if you get away with less than double the hardware you still need more than with just one host. So the hardware is going to be more expensive, the licensing of hosts and guest VMs is going to be more and energy is going to cost more.

I recall previous discussions around the eggs one basket thing. It doesn't really apply to most Small Businesses - why? because all of these services are generally needed. If one is down, the business is down, or at least crippled so much that those remaining don't matter. So putting everything on a single server isn't this huge risk that some think it is, because if the main app is dead, who cares about the rest.

Maybe, maybe not. The idea would be that you can run the main app on the other host and stop some of those less critical apps if needed to make space for the important stuff.

So you have two servers.
1- main app
2 - other less important stuff

1 dies - now what? restore from backup on 2 and launch it? or have the main app always replicated to 1?

These are definitely options, but you need to look at the total costs of those to make sure it's business worthy.

If you're already going to the point of having two hosts - chances are that the extra RAM/storage isn't really that much to just make a sudo-HA setup (i.e. replicate VMs between hosts, manually power on in case of host failure)

@pete-s said in appear to come from an IP:

To find out how to configure a proxy server just search for forward proxy:
https://duckduckgo.com/?q=forward+proxy+nginx
https://duckduckgo.com/?q=forward+proxy+apache

You'll find more info on how to set up reverse proxies because that is what everybody does all the time. But a forward proxy is just a matter of a slightly different configuration with the same software.

Thanks. I hope I can avoid all this horse pucky... but I appreciate the info.

@pete-s said in Wsus for remote vpn and on-premise users:

@fredtx said in Wsus for remote vpn and on-premise users:

@dashrender said in Wsus for remote vpn and on-premise users:

What is the goal here? to keep the servers up to date? Do you really want WSUS to update your servers 'whenever'? Most people don't, could lead to an unexpected reboot in the middle of the day.

Of course I would not want the servers to reboot in the middle of the day. I would have to discuss with management on maintenance windows of downtime, since this is a manufacture business where some sites run 24/7.

The goal is to improve and simplify how patching is handled for both servers and workstations. Currently there is no kind of process in place.

We do some of that and the most mission critical servers are handled manually. Patched, rebooted and verified that everything works.

Basically there are different categories of servers and workstation and each category is handled differently depending on how mission critical it is.

Exactly my point - I'm guessing at least some if not all of your servers will still be manual - and are you really looking at having WSUS push to workstations? If you are because you want to know their patch status because of reports from WSUS - great (hope there is budget for someone to manage this) if not, then just turn on automatic updates and be done with it.

depending on your needs - you might not need a relay.

I have all of my AIO devices sending email directly to O365 without an issue. I had to create a rule in O365 allowing this, but it was pretty easy.

@fredtx said in Wsus for remote vpn and on-premise users:

@scottalanmiller said in Wsus for remote vpn and on-premise users:

If you have any hesitation to that policy, it means you are running a platform you don't trust in production. That's valid as a concern. But your IT has committed its trust to Windows, so either you need to embrace that decision or you need to convince them to change.

With me being in this new role for 2 weeks (first system admin role), and the majority of the computers/servers on Windows, I will have to stick with this solution for now.

Currently there is no central management for patching, and currently they are logging on each server and running updates that way and hope that workstations are getting patched through the GPO they have in place.

What is the goal here? to keep the servers up to date? Do you really want WSUS to update your servers 'whenever'? Most people don't, could lead to an unexpected reboot in the middle of the day.

@fredtx said in Wsus for remote vpn and on-premise users:

@dashrender said in Wsus for remote vpn and on-premise users:

I'm guessing at least some if not all of your servers will still be manual - and are you really looking at having WSUS push to workstations? If you are because you want to know their patch status because of reports from WSUS - great (hope there is budget for someone to manage this) if not, then just turn on automatic updates and be done with it.

Is logging in the console of windows servers the best way to install patches? What if there was 100 servers? That seems like a lot of overhead.

And yes, I'm looking at getting the report features for patch status for workstations, and was hoping for servers too.

This is a great question to which I have zero answers.

I'm sure you can run update via PowerShell - so for 100's of servers, I'm guessing that's how they would do them. Additionally, if uptime is that big of deal - then it's likely they have multiple servers running the same loads allowing them to take some of those servers offline while not affecting the service in general.

@jaredbusch said in Locking down vendors:

@scottalanmiller said in Locking down vendors:

@dashrender said in Locking down vendors:

They MIGHT have an internal team for this, but since we have our own IT department, my management has decide to take the costs internal versus paying the new vendor to set up remote access for themselves.

That doesn't really make sense as this is all questions about THEIR IT. All your team can do is get in the way

Right, I have no idea WTF you think you are doing here @Dashrender.

The most you should do is setup a VLAN or actual separate LAN with no access to your network. The other company can deal with putting something on this shit old device that reaches to their support infrastructure.

No one on there side has even breathed a word about something like that.

As I previously mentioned - the old HVAC vendor did all of their own management - I only provided them an internet connection, they managed everything else.
I can see the advantages of that - time to toss this at the new vendor similarly.

@jasgot said in Dymo vs. other print servers:

@ccwtech said in Dymo vs. other print servers:

Is there any particular advantage or reason to use their print server over just another vendors print server?

What did you end up doing? I need to make a Dymo a networked printer and I have learned the Dymo printer server does not handle multiple subnets. I don't know why, just a common complaint.

I would like to toss any old usb printer server at it and have it work.

I've been using Dymo print servers across subnets for 3+ years, no issues that I'm aware of.

@Pete-S said in What do you use as an identity provider?:

@Dashrender said in What do you use as an identity provider?:

@Pete-S said in What do you use as an identity provider?:

I don't know if Azure AD would make sense as a standalone service, without users being on M365 or having Windows infrastructure in general.

I'll agree with you there - which is why I said - IF you have M365 or Google Workspace already....

If you don't, yeah, I likely wouldn't look to them as a basis for an identity provider, but if you already have them.... As I've done zero research - I have no clue what OKTA or DUO, etc bring to the table.

What do you guys do at your place?

Have no type of SSO.

All systems are separate.

That said, I'm trying to work us toward being rid of AD (on-premise or otherwise) and primarily use AAD as part of our M365 subscription for ID management.

I know our EMR can tie into AAD for SSO, but I have no idea what they will charge us for doing that.

After that there's 3-4 hospital systems that we could investigate setting up federation with - though I hold little hope for that to actually go anywhere.

@Pete-S said in What do you use as an identity provider?:

@Dashrender said in What do you use as an identity provider?:

Have no type of SSO.
All systems are separate.

I think that is pretty common too.

A lot of SaaS apps also requires that you have signed up for the enterprise tier to be able to do SSO. From what I've seen legacy on-prem software usually needs AD and then from there you can sync to an identity provider.

We don't have any on-premise software that ties to AD. We have only one on-premise software, the accounting software. So they tell me - next year is the year to replace it - hopefully something cloud based. Considering only 3 maybe 5 people in the whole company would ever log into it - if there is a cost involved in setting up SSO for that, I doubt we would do it.

I definitely don't see what anyone's saving by splitting those two groups of devices.

Hopefully they have guest wifi split.

We currently have a single network share for users.  There is a small amount of permissions setup (no where near enough) limiting some people's access to specific folders.
Additionally, access based enumeration prevents some users from even seeing folders they don't have access to.This second part, access based enumeration, has lead to people creating new locations for things to be saved because they were unaware a place for such files even existed.  Yes, I know - well, you might ask - why wasn't that user given access to that location, it appears it's part of their job.  To which I reply - IT wasn't notified of this person's new role, therefore it was never added.

All of this leads me to my real question: We are looking to migrate away from Windows shares to SharePoint Online (M365).  Assuming we create separate SharePoint Sites for each group - how do you enable user discovery of different sites, they may or may not have access to?
I'm enumerating our current share, and it looks like I'll have at least 16 SharePoint sites.  This is a huge swing from just going to one location for everything.

I figured I'd start a slightly more generic business migration thread that will likely still primarily focus on Windows based devices.

@jt1001001 and I are both looking to migrate away from Microsoft Active Directory.

Here are my current known needs:
any user can log into any business owned PC
file storage available to nearly any device from anywhere on the internet
deployment of apps to PC
deployment of settings to PC
print from company PC to company printers
remote troubleshooting of PC

@d-cunnings said in User Profile migration Problem AAD -> AD:

Customer pulling in smaller firm running Windows clean Azure.

I am to get those users off their Azure and onto the On-prem domain and have been given the task to move not only their data but also their current user account experience.

What specifically about the experience are you trying to ensure?

Can you not use user state migration to backup the profile, backup all data, rebuild the PC - join your domain, log into the newly created AD account - restore the profile, etc..

Of course, the user won't have their O365 account associated, If you have O365 as part of your setup, you can do whatever you're doing to bring that to bare.