    Posts

    • RE: Comcast never showed up

      @Jason said:

      Oh, they have competitors but they suck too. Not in customer service like Comcast does. Verizon has great customer service but the DSL speeds here only go up to 2mbits.

      ???

      VADI has 7Mbps profiles on their legacy DSLAMs, with their standard at 3Mbps. I know of no rate that will give you 2Mbps, even the 1.5 profile locks in at 1768-ish. Getting only 2Mbps means that line really sucks ass and per their policy would reject the line or you have shitty wiring inside and they have no idea about it.

      As for Comcast, check your tap and see if they actually fired it up. Comcast is one of the few cable providers that does soft disconnects from the node versus physical chokes on the pedestal. The only thing you have to do is make sure your inside wiring is fired up correctly.

      posted in Water Closet
      PSX_Defector
    • RE: Webfiltering - what do you use - assuming you do.

      If you are going to do it, do it right.

      https://www.forcepoint.com/product/content-security/websense-web-filter-security

      AD integration, transparent, and damn near impossible to avoid. Nothing says "Get back to work drone!" like a block with their name, the reason why they are blocked, and no way around it. And now they are part of Raytheon, you can threaten them with Patriot missiles.

      posted in IT Discussion
      PSX_Defector
    • RE: Internal domain name same as external domain - DNS issues!!

      @scottalanmiller said:

      @PSX_Defector said:

      Samba is NOT AD. AD is a complete architecture including LDAP, DNS, and various other items. Samba functions in the old "Domain Controller" method, a single list of usernames and passwords in which to authenticate against. In AD, there is no DC, there are Global Catalogs. Domain controller emulation, a part of the FSMO roles, is not necessary to run and is only there for backwards compatibility. In an AD environment, Samba can function as a PDC emulator, but it cannot hold other GC roles, so it becomes kind of useless.

      To the end user, they are functionally the same. To the admin, they are very different.

      Are you thinking of Samba from long ago before AD was implemented? Samba used to be that way, but Windows used to be that way too. Samba is full AD and has been for quite a long time now. LDAP, Kerberos, DNS, all there. (DNS is handled externally, of course, just like on Windows.)

      Yes, I know what 4 introduced, but it's still not functionally AD. It can be put in as a member controller, but god help you if you try to move FSMO roles to it. At best, it can be considered pseudo-Active Directory. If you only have Samba controllers, hell it might work. Never tried it by itself with multiple controllers functioning like AD. Although I can't imagine it is that different than standard LDAP. I just know better than to mix the types together.

      posted in IT Discussion
      PSX_Defector
    • RE: Roger Grimes on Why You Do Not Need to Worry About RFID Blocking Wallets

      @JaredBusch said:

      @Dashrender said:

      @scottalanmiller said:

      @JaredBusch said:

      @DustinB3403 said:

      @JaredBusch there is a battery in the units that the customer takes with them in the car?

      I've never seen where those units come apart to provide a new battery.

      They don't. You have to replace them.

      How long do they last? I feel like ours is over a decade.

      Yeah - years .. I have no idea how many. I have one for my yearly trips to Chicago. It's at least 5 years old now. I expect to have to replace it at any random time in the future now.

      Illinois uses I-Pass and is a separate network than EZPass but the units are compatible.

      I-Pass units have an expiration date clearly printed on the units themselves for this reason.

      I have the same tag from NTTA for the past 19 years, usually goes into the car that I have first. If I buy a second car or third, I get a new one which is a passive device and essentially just a sticker.

      Our tags have always been passive. My original tag is kind of beefy, but it doesn't have a battery. They also used to have a license plate frame for some cars with some window coating, mostly GM 90's models like their minivans and full size cars, so they are very much passive. So a tag shouldn't need any battery, just that someone picked a loser of a technology. When I used to go back and forth to Chicago a while ago, I forgot how bad the Illinois Tollway was behind compared to the NTTA. Wasn't it around 2004 they even offered any kind of electronic toll collection?

      A nice article about how our system works:

      http://tollroadsnews.com/news/texas-turnpike-now-ntta-recognized-as-pioneer-in-transponder-tolling-history

      posted in News
      PSX_Defector
    • RE: Internal domain name same as external domain - DNS issues!!

      @scottalanmiller said:

      @Our-Tech-Team said:

      I've never used or worked with Samba so don't know anything about it. The AD I thought was great for them as they want to have more 'control' over users, add more security to the network and manage permissions on folders much better. I'm familiar with AD so thought it would suit them well.

      Samba is just as much AD as Microsoft's DC is. Both are AD, just one is done from an open source project and one from Microsoft. It's not that Samba is not AD as well.

      Samba is NOT AD. AD is a complete architecture including LDAP, DNS, and various other items. Samba functions in the old "Domain Controller" method, a single list of usernames and passwords in which to authenticate against. In AD, there is no DC, there are Global Catalogs. Domain controller emulation, a part of the FSMO roles, is not necessary to run and is only there for backwards compatibility. In an AD environment, Samba can function as a PDC emulator, but it cannot hold other GC roles, so it becomes kind of useless.

      To the end user, they are functionally the same. To the admin, they are very different.

      posted in IT Discussion
      PSX_Defector
    • RE: Internal domain name same as external domain - DNS issues!!

      @JaredBusch said:

      @brianlittlejohn said:

      With only 15 users, personally, I would spend a weekend and reset up my AD environment just to avoid issues in the future.

      I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

      Just remove all the machines from the domain. Nuke your DC and start over.

      As someone who does this a lot, even with more users than that, it's pretty simple.

      I keep a few templates ready to go to deploy a base AD environment. Takes me ~3 minutes per endpoint to unjoin from the domain, about 2 hours to rebuild AD from template to completed environment, then ~3 minutes per endpoint to rejoin. With that in mind, a 15-user environment, I could have it done in an afternoon while drinking beer.

      Shit like this is easy as hell. Although I would be investigating the cost/benefit of having an AD environment for that few users. Unless you have a case for it, Samba will do the job of authentication just fine. And a Samba domain is just as quick to deploy. Save quite a few bucks in the process. AD is great, I made my career around it, but it's not a need.

      posted in IT Discussion
      PSX_Defector
    • RE: Hypervisor, hypervisor - who's got the best hypervisor?

      Quite frankly I would just stick with VMware. It's mature, well designed, and you are fairly up to date on the license if you are using 5.5. EOL for it is ~2018.

      P2V all those other boxes immediately. Hell, you don't even have to worry about losing stuff. Just do it during a downtime window, spin down old and fire up the new, hope it doesn't break. If it does, then failback to the physical.

      posted in IT Discussion
      PSX_Defector
    • RE: Potential New SIP Providers - Thoughts?

      @JaredBusch said:

      @NetworkNerd said:

      They did provide specifics. They said open UDP 1024 - 65535 for RTP traffic specifically but UDP 5060 for SIP.

      No, stating 1024-65535 is NOT specifics. It is a cop out.

      At that point, why not just completely make it unsecured and put in an any/any rule?

      I would silo that shit pronto, so when the inevitable pwnage happens it doesn't infect the rest of the network.

      posted in IT Discussion
      PSX_Defector
    • RE: Need help finding a website connectivity problem

      @JaredBusch said:

      @Jason said:

      @PSX_Defector said:

      @art_of_shred said:

      @PSX_Defector said:

      @Jason said:

      @PSX_Defector said:

      Drop the MTU from 1492 to 1484 then 1476. See if it works then.

      That's what I was thinking.

      The question is, do you know why? 🙂

      I don't, but I'd like to. Why the "8" drops?

      Time for class folks. 🙂

      We know the site is up and running, as we can access it via other places. We know it's on Azure because of the trace. The trace tells us another interesting tidbit though. I'm wondering if anyone can see it.

      My thought was it was odd that a hop inside the ISP network did not reply. Microsoft not replying is expected.

      I was concerned about the 10.X.X.X showing in a trace. The site is on 10.204.10.0/24 and I have routes across VPN tunnels to 10.1.1.0/24, a few 10.204.X.0/24 and 10.254.103.0/24 as well.

      But the site on the other end of that VPN tunnel also has all that and works fine.

      Ahh, the plot thickens!

      I thought it was strange that I couldn't get the same trace, but since you mention that, it makes more sense. The reason I say something about MTU is that I know there is sometimes fun when attempting to access certain sites if they are behind carrier NAT. Remember when SBC flipped over some PoPs to NAT for various stuff between BRAS and edge? I saw wacky routes, slow sites, all kinds of things. Most of it was because idiots were double NAT'ed. But on occasion, I would find a site that would not work without the MTU being 1500.

      Now with the VPN tunnel tidbit, we need to make sure we are good. I thought it might have been a problem, but I didn't see it in your screenshots. The scope should be sufficiently small enough to not encompass any of the hops you are hitting. But I would double check that.

      This is why I use 172.16.0.0/24 on my network at home. I never see funny shit like this.

      posted in IT Discussion
      PSX_Defector
    • RE: Need help finding a website connectivity problem

      @art_of_shred said:

      @PSX_Defector said:

      @Jason said:

      @PSX_Defector said:

      Drop the MTU from 1492 to 1484 then 1476. See if it works then.

      That's what I was thinking.

      The question is, do you know why? 🙂

      I don't, but I'd like to. Why the "8" drops?

      And the drop in 8's is because it's a base8 world. The MTU is the size of the packet in bytes. Odd byte numbers make for a bad time.

      Which brings another item. Does anyone know why I went straight for MTU?

      posted in IT Discussion
      PSX_Defector
    • RE: Need help finding a website connectivity problem

      @art_of_shred said:

      @PSX_Defector said:

      @Jason said:

      @PSX_Defector said:

      Drop the MTU from 1492 to 1484 then 1476. See if it works then.

      That's what I was thinking.

      The question is, do you know why? 🙂

      I don't, but I'd like to. Why the "8" drops?

      Time for class folks. 🙂

      We know the site is up and running, as we can access it via other places. We know it's on Azure because of the trace. The trace tells us another interesting tidbit though. I'm wondering if anyone can see it.

      posted in IT Discussion
      PSX_Defector
    • RE: Need help finding a website connectivity problem

      @Jason said:

      @PSX_Defector said:

      Drop the MTU from 1492 to 1484 then 1476. See if it works then.

      That's what I was thinking.

      The question is, do you know why? 🙂

      posted in IT Discussion
      PSX_Defector
    • RE: Need help finding a website connectivity problem

      Drop the MTU from 1492 to 1484 then 1476. See if it works then.

      posted in IT Discussion
      PSX_Defector
    • RE: Need Vista Home OEM image

      @gjacobse said:

      @Dashrender said:

      Alright, the ISO from gjacobse worked.

      Currently downloading and installing SP1 and SP2 - this is an RTM disk. Many hours of waiting ahead of me.

      Glad it worked. It's been a while since I installed Vista... could you not skip SP1 and go to SP2?

      Yes, you can. No need to install a previous service pack. The most recent is sufficient. You could do that on NT4.

      posted in IT Discussion
      PSX_Defector
    • RE: Leaving Dell

      Gateway was bought up by eMachines which in turn was bought up by Acer.

      posted in IT Discussion
      PSX_Defector
    • RE: Mail SMTP Relay - Reverse DNS Question

      @scottalanmiller said:

      @JaredBusch said:

      @scottalanmiller said:

      @Dashrender tons of people can send from home on port 25. It's very common.

      Actually, no it is not. Many providers have blocked outbound port 25 for years on their residential services. AT&T implemented the block in like 2004 or 2005.

      Many providers have blocked, but many have not. While it is not surprising to be blocked, it is not surprising at all to not be blocked.

      Only provider I can think of off the top of my head would be Frontier, on their original network. Not the ones they bought up recently, because their networks are still integrated into the rest of the original ones. And I'm not even sure on that, as I don't touch Frontier home circuits often.

      Every cable provider from Comcast down to Mediacom blocks 25. AT&T and Verizon did it years ago. Hell, CenturyLink and Windstream do it. If you got an ISP that opens 25 outbound to the world, it's a very, very, very small minority.

      posted in IT Discussion
      PSX_Defector
    • RE: Need Vista Home OEM image

      @gjacobse said:

      @Dashrender said:

      @gjacobse said:

      Found it.

      0_1450213495730_Scan0001.jpg

      You sir, are the man!

      Up until a few short months ago... I still had Windows 95... and I'm sure 3.11...

      Let me see about piping an ISO and let you know.

      I've got all of those in some dark corner of my repo.

      But of all things, I actually didn't have a Microsoft Vista ISO. Need a Win7/8/8.1 disk? How about XP/2000, even god forbid ME? Got ya covered.

      posted in IT Discussion
      PSX_Defector
    • RE: Why Do People Still Text

      @scottalanmiller said:

      That's weird. I've had a lot of Verizon phones and the SIM card was always optional. I've had them and only added SIM cards later, remove them when not needed. Never affected how it worked in the US.

      It was part of the change with moving over to LTE.

      "Technically" you can use an AT&T SIM on a Verizon phone to access AT&T's LTE service, depending on the device and if it can hit the right channels. The base services are still CDMA for voice and other data services, but get info from the SIM for registration versus the old school IMEI info. There are registration issues and various other things that make it not work, but LTE follows GSM encoding so in theory it will work.

      Devices designed around GSM usually can't talk CDMA, but since CDMA is a limited market most of their devices also speak GSM. All under one SIM.

      posted in IT Discussion
      PSX_Defector
    • RE: Mail SMTP Relay - Reverse DNS Question

      @scottalanmiller said:

      I might not have followed this correctly but... PTR (Reverse DNS) records have to be done at the IP Address point, not with your DNS provider. Whoever does your A and MX records can't be the company with the PTR record. Your ISP has to do the PTR record. The ISP at which your MX record points.

      Incorrect. It can be the same one, but someone has to have delegation to perform it.

      https://www.arin.net/resources/request/reversedns.html
      https://www.apnic.net/services/services-apnic-provides/registration-services/reverse-dns
      https://www.ripe.net/manage-ips-and-asns/db/support/configuring-reverse-dns
      http://www.lacnic.net/en/web/lacnic/guia-de-sistema-04
      https://www.afrinic.net/library/corporate-documents/216-how-to-request-reverse-delegation-in-afrinic-region

      And for the most part, most ISPs, especially home ISPs, do not delegate out permissions.

      posted in IT Discussion
      PSX_Defector
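
      An added example, not part of the original post or thread: it shows which `in-addr.arpa` zones an address holder would need delegated for a prefix, and the forward-confirmed reverse DNS comparison commonly applied to a relay's IP, which goes slightly beyond the post. All names, addresses and records are constructed (documentation ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample records (RFC 5737 addresses, example domains).
PTR_RECORDS = {
    "25.2.0.192.in-addr.arpa": ["mail.example.com"],
    "27.2.0.192.in-addr.arpa": ["mail2.example.com"],
}
A_RECORDS = {
    "mail.example.com": ["192.0.2.25"],
    "mail2.example.com": ["192.0.2.99"],  # forward record points elsewhere
}


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def delegated_zones(prefix):
    """Reverse zones that must be delegated for an IPv4 prefix (/8 to /24).

    Delegation happens on octet boundaries, so a /23 needs two /24 zones.
    Prefixes longer than /24 need classless delegation (RFC 2317), where
    the parent zone holds CNAMEs; that case is rejected here.
    """
    net = ipaddress.ip_network(prefix)
    if net.version != 4 or not 8 <= net.prefixlen <= 24:
        raise ValueError("only IPv4 prefixes from /8 to /24 are handled")
    boundary = -(-net.prefixlen // 8) * 8  # round up to 8, 16 or 24
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def fcrdns(ip, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """Forward-confirmed reverse DNS: PTR name must resolve back to ip."""
    addr = ipaddress.ip_address(ip)
    names = ptr.get(reverse_name(ip), [])
    if not names:
        return ("no-ptr", None)
    for name in names:
        forward = fwd.get(name.rstrip(".").lower(), [])
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return ("pass", name)
    return ("mismatch", names[0])


if __name__ == "__main__":
    print(delegated_zones("198.51.100.0/23"))
    for ip in ("192.0.2.25", "192.0.2.27", "192.0.2.30"):
        print(ip, fcrdns(ip))
```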
    • RE: SharePoint capacity planning

      @Ambarishrh said:

      Is it a good practice to have a firewall first between internet and WFE servers and then between WFE and Application Servers? I am looking for a design diagram for such a setup

      Depends on your needs. For a small setup, probably unnecessary. For compliance, potentially required.

      We use firewalls against every single device on our network at the VM level. Communication in and out is always monitored and we have procedures on allowing traffic through. This provides compliance and proper lockdown between machines.

      Don't think of the firewall as another device. If you have a single device, additional subnets with it inspecting the traffic is sufficient.

      posted in IT Discussion
      PSX_Defector