@Dashrender said in MPLS alternative:
Basically if Hobbit is going to do this - he needs to get management to buy into a completely new paradigm of the design, which would be great, but a hard sell.
^^This 100%
When you say you're file-less, is using OD4B and the desktop apps of Word/Excel still classed as this? As I'm still using OneDrive.
Or am I only truly getting to "file"-less if everything is online? Like Zoho or Google Docs.
@scottalanmiller said in MPLS alternative:
... what's the function of the XenApp farm? Most companies only do this to deal with LANbased assets. So that becomes more of the onion - one LANbased requirement on top of another.
It hosts dynamics GP
We run it over Citrix as installing the "Fat" client on all the machines and then updating them when module updates/license updates come in is a pain. It's simpler to do this on 15 servers, not 300 devices. It also means only 15 machines are accessing SQL.
@scottalanmiller said in MPLS alternative:
going to AWS/Azure would require the gift of a firstborn child, but technically both work.
Yeah, whenever I've looked at "Cloud" for the VMs we run I've always just closed the browser tab.
@scottalanmiller said in MPLS alternative:
Exactly. And once LANless, there is no need for XenApp to sit on your LAN at all. You can move it to colo or cloud whenever you want. Ours is in colo and uses zero LAN resources.
When you say move XenApp, is that our servers with the 15 VMs into a Co-Lo host, or spin up 15 VMs in AWS/Azure etc.?
Printing LANless / Zero Trust
I'll tackle that another day
So in a way thinking about just Citrix, we would drop AD and move the devices to local users.
Then either create a "New Local AD" with the users credentials just for Citrix use?
Or use one of those 3rd party VPN things (AppGate)
We have 600+ devices out there, but only 300 odd need Citrix Access.
This would make Citrix LANless/Zero Trust as the user will need to authorize themselves via the "Local AD" credentials or that AppGate thing?
@scottalanmiller said in MPLS alternative:
What's doing it today? Not the MPLS, because that has zero security. So what's doing it now for you?
We log into Citrix Workspace with our AD credentials.
@scottalanmiller said in MPLS alternative:
So this is already LANless, and requires no MPLS or VPN already. This only seems complex because it's already been made complex. But if you just deploy Citrix XenApp, it "just works". It's already functional with nothing more needed.
I know, because we do this here. This is another "it works by default", you have to break its default to have the issue.
How are they logging in? What's authenticating the users?
@scottalanmiller said in MPLS alternative:
Another example of LANbased vs LANless thinking or approach...
Old Days: Log into your desktop and the desktop gives you immediate access to files, applications, etc.
Modern Way: Log into desktop, then log into applications so that the applications are not trusting the device but authenticate the user.
So how do you handle the "log into desktop"? AzureAD or local user?
Then if we are using Office 365 desktop apps like Word/Excel, can we use Single Sign On from AzureAD, or would it be best to get the users to log in every time? Same with OneDrive.
@scottalanmiller said in MPLS alternative:
@hobbit666 said in MPLS alternative:
Think more reading and seeing some examples might help my little head compute it all.
Two simple examples...
LANbased Legacy User Management: Active Directory
LANless Alternative: JumpCloud, AzureAD
LANbased Legacy File Management: SMB or NFS Mapped Drives / Shares
LANless Alternatives: OneDrive, NextCloud, Google Drive, DropBox
Those I get, but what about printing to office printers, or accessing the Citrix farm?
As I said, e-mails and files are getting slowly moved to O365 and OD4B.
BTW, watched that MangoLassi video on LANless design. Also been looking at some Zero Trust stuff... I'm still confused.
Think more reading and seeing some examples might help my little head compute it all.
@scottalanmiller said in MPLS alternative:
No, not a leased line. Leased line means that the connection goes from site to site rather than site to the Internet. It's a cheaper Internet line rather than a leased line.
Still the same physical fiber, but when you go to the Internet it stops being leased.
Why is the word "leased" used to be "private site to private site", heaven only knows. But that's what the term means. A private fiber line that you install between you and the Internet is not called leased, even though there is no more or less logic to this name.
Think this is where the terminology comes in. For me (for the last 20+ years) "Leased Line" has always meant a dedicated "internet" fibre line that connects your building to the internet or MPLS or switching product.
So when I say we have 3 sites with leased lines, they are fibre to the exchange.
@scottalanmiller said in MPLS alternative:
Sure, but it doesn't have to be a private line, it can be an Internet line. I didn't say you didn't have to pay more than ADSL, just saying you don't need private lines that don't go to the Internet because any line that can be private, can be Internet.
OK, misread that one.
@Dashrender said in MPLS alternative:
Now we move forward and look at the MPLS component of the lease line contract, can you ditch it?
Yes, if we ditch the MPLS, but what will we replace it with? That's the big question.
@Dashrender said in MPLS alternative:
Look at the full conversation.
I said we had some sites with 100Mb leased lines.
He then asked
Why would you ever want a leased line? Leased lines essentially only exist today to make MPLS possible. They are costly and risky.
Which I explained:
Because we "couldn't" get a line above 5mb, so replication to the DR site would be impossible. Also handling the traffic from all the sites, like print servers, SMB shares etc.
He then said:
Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.
Which led me to explain we can only get ADSL with no bandwidth, or a leased line for MPLS or Internet access.
I'd guess we would still want a firewall of some sort at each site?
@Dashrender said in MPLS alternative:
Yeah, What you mention is doable sharepoint/OD4B.
Yeah, we're moving more to this every day, especially when replacing machines/deploying new ones.
I'm not sure if RDS/Citrix can use AAD, but that could be an option for your central authentication.
Why AAD instead of on-site AD? As I thought you didn't want AD being the central point for security/authentication?
Or is AAD a better choice as it's protected in the cloud?
@Dashrender said in MPLS alternative:
What is your Citrix environment providing you? What are you deploying using it?
We use MS Dynamics GP. So instead of installing this on 300+ computers (then having to update 300+ computers when updated keys and modules come out) we have 15 Citrix XenDesktop servers that these computers access to get onto the GP stuff. They've always used Citrix instead of RDS as "apparently" the ICA protocol uses less bandwidth.
@Dashrender said in MPLS alternative:
Is your internet charge a different charge on top of the MPLS?
No, we get charged for the line and service as one.
If so you should be able to get leased lines with internet for the same or less cost, because they are dropping the MPLS component.
Yes, if we dropped the MPLS side and just had them as "Internet" it would be cheaper. But still 10x the cost of ADSL/FTTC.
My point was to Scott's comment
Anything you can get in a leased line you can get in an Internet line for the same or cheaper. Leased lines aren't magic, they are just the same lines without Internet access.
We can't in the UK. It's either copper line or fibre; copper has speed limits the further from the BT exchanges you get. If that's not good enough then your only option (well, it was until 4G came along, but coverage is not great) is to install fibre. We had a quote for one site that was £12K+.
I think we may be getting terminology mixed between US and UK. To us a leased line is a direct fibre connection to the BT exchange; this then gives you internet access at whatever speed you pay for.