Hi all,

Has anybody gotten this to work? I want to try; would love to get my group off of the free version of PulseSecure VPN since it's obvious that it's broken, and we don't have the networking skills to fix it, nor the money to buy a license. Plus I want to succeed in getting a native Windows complex technology working. Everyone has tried but me, and none can get it going.

We have a setup where the DA server would be behind a NAT, not on the edge (except for the one in the datacenter, but all of the local internal networks would have theirs behind a NAT). We would also have to avoid use of the Teredo protocol, considering we don't have multiple public IP addresses to play with.

Any suggestions on a good configuration to connect a few sites? Thanks.
Hi Katherine,

Having spent the last 6 months battling with our Windows Server 2016 Domain Controller here, you have my deepest sympathy and understanding. I feel that we almost have a hotline between ourselves and Microsoft's support in Delhi or Bombay.

First, do you have access to, or indeed have anyone who can handle the 2016 server itself? I mean in terms of running Server Manager and Best Practices Analyzer (BPA) plus reviewing Event Viewer errors and warnings.

There are many issues coming to light, and it is vital that these are resolved first or Direct Access and VPN will fail.

Happy to chat off list if you'd like to compare notes.

George W F Bell (MD) Techno-Vision Systems Ltd. 76 Bunting Road Ind. Est. NORTHAMPTON, NN2 6EE United Kingdom.
Tel: +44 (0)160 479 2777 Fax: +44 (0)160 479 2726
e-mail: George@techno-vision.co.uk Web: http://www.techno-vision.co.uk

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: 24 August 2017 15:50 To: blind-sysadmins@lists.hodgsonfamily.org Subject: [Blind-sysadmins] Direct access Windows server 2016, anyone?
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
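As an added example (not part of George's message or anything the list posted), the following PowerShell script performs the two checks George recommends doing before touching Direct Access: run the Best Practices Analyzer for every installed role and pull the recent errors and warnings out of the event logs. It assumes Windows Server 2016, an elevated PowerShell session, and the BestPractices module that ships with the OS; the set of event log names to scan is an assumption and should be adjusted to the roles actually installed.

```powershell
# Added example, not from the thread. Assumes Windows Server 2016, an elevated
# session, and the built-in BestPractices module.
Import-Module BestPractices

# 1. Best Practices Analyzer: scan every model present on this server and keep
#    only findings that are errors or warnings and have not been excluded.
$bpaFindings = foreach ($model in Get-BpaModel) {
    try {
        Invoke-BpaModel -ModelId $model.Id -ErrorAction Stop | Out-Null
        Get-BpaResult -ModelId $model.Id -ErrorAction Stop |
            Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded }
    }
    catch {
        Write-Warning "BPA model $($model.Id) could not be scanned: $($_.Exception.Message)"
    }
}

$bpaFindings |
    Select-Object ModelId, Severity, Category, Title, Problem, Resolution |
    Export-Csv -Path (Join-Path $env:TEMP 'bpa-findings.csv') -NoTypeInformation
Write-Host ("BPA: {0} error/warning findings written to {1}" -f @($bpaFindings).Count,
    (Join-Path $env:TEMP 'bpa-findings.csv'))

# 2. Event Viewer: errors (Level 2) and warnings (Level 3) from the last 24 hours.
#    The log names are an assumption; logs that do not exist on this box
#    (e.g. 'Directory Service' on a non-DC) are dropped before querying.
$candidateLogs = 'System', 'Application', 'Directory Service', 'DNS Server'
$logs = $candidateLogs | Where-Object { Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logs
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Summarise by provider and event ID so the noisiest problems surface first,
# showing the first line of the most recent message for each.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{
        Name       = 'LatestMessage'
        Expression = {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            ($latest.Message -split "`r?`n")[0]
        }
    } |
    Format-Table -AutoSize
```

Run it once before changing anything and again after each fix; the CSV gives a record of which BPA findings were cleared, and a repeating error/warning pair in the event summary is usually the dependency (DNS, AD replication, certificates) that will stop the Direct Access wizard from completing.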
I have an entire fleet of servers that me and several of my friends manage. Well, four between us, but that's a different story. To answer your question, yes, I do have access to my own Windows Server 2016 servers. I would love to discuss this; it's something that my friend's tried like five or so times, and he's never gotten it to work, though he'll give up after several tries and run back to his Linux comfort zone. LOL

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of George Bell Sent: Friday, August 25, 2017 4:39 AM To: 'Blind sysadmins list' <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I'm a Unix man myself and we use Linux across our enterprise. ;)

In my last gig we managed about 5000 servers with Chef scripts and OpenLDAP and it was the bees' knees, especially making bulk changes. Add Puppet to this mix and you could also automatically provision the network hardware. I've tried to work in some of these Windows environments and just can't make it work for me, so you both have my respect for putting up with an MS environment.
On Aug 25, 2017, at 4:39 AM, George Bell <george@techno-vision.co.uk> wrote:
I thank you for your opinion, but my infrastructure is already set up with Active Directory and other things that we specifically want to use. Do you have anything specific networking-wise to add to this thread?

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:09 PM To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than I would never put Microsoft Windows in a network-facing role, especially public facing. It's too easy to own a Windows box. I think the last time I checked, on average a Windows box will be compromised within 12 hours of being attached to the network. I have a copy of a defense department manual that states the only acceptable security option for Microsoft-based systems is to have them disconnected from the network, locked in a room and powered off. ;)

Oh, and Linux interfaces with Active Directory just fine. You can emulate all Windows services and be or join domains etc. Of course, use what works for you; I wasn't meaning you should change. Just commenting that your thread made me count my lucky stars that I don't live and/or work in that MS hell.

And in full disclosure, I am biased because I have seen first-hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that.) The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I am also thinking maybe you could use a different VPN solution. I don't think I have ever heard of a company that uses the Microsoft VPN. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.

It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).

Best, Mika @pyyhkala

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:30 PM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
________________________________ This message contains information from Neighborhood Health Plan that may be confidential or privileged. This message is directed only to the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution, or use of the contents of this email is prohibited. If you have received this email in error, please notify the sender immediately and delete the message and any attachments.
I agree with what you're saying. When I said public facing I meant putting a Windows box on the network exposed directly to the public Internet. You could use a regular firewall of course (I would never trust the Microsoft firewall), but the issue there is a firewall can be a choke point for denial-of-service attacks. I would, however, and do daily, put Linux-based boxes on the public Internet: no hardware firewall, a well-configured ipchains or ipfilter, hardening of the services and so forth.

If you are looking for a great VPN solution though that's free to install and just requires a server, definitely check out OpenVPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K-bit keys, encrypted firewall and strong SHA512 hashing. If my demands are greater I'd go with a Pulse VPN or Cisco ASA, maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transits the security appliance, so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
Hi Guys,

Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ two-way radio site system to connect each site uses their stuff for VPN.

Thanks, Billy

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:45 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different VPN solution. I don't think I have ever heard of a company that uses the Microsoft VPN. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:30 PM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than that, I would never put Microsoft Windows in a network-facing role, especially public-facing. It's too easy to own a Windows box. I think the last time I checked, on average a Windows box will be compromised within 12 hours of being attached to the network. I have a copy of a Defense Department manual that states the only acceptable security option for Microsoft-based systems is to have them disconnected from the network, locked in a room and powered off. ;) Oh, and Linux interfaces with Active Directory just fine. You can emulate all Windows services and be or join domains, etc. Of course, use what works for you; I wasn't meaning you should change. Just commenting that your thread made me count my lucky stars that I don't live and/or work in that MS hell. And in full disclosure, I am biased because I have seen first-hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that.) The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with Active Directory and other things that we specifically want to use. Do you have anything specific, networking-wise, to add to this thread?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:09 PM To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I'm a Unix man myself and we use Linux across our enterprise. ;)
In my last gig we managed about 5000 servers with Chef scripts and OpenLDAP, and it was the bee's knees, especially for making bulk changes. Add Puppet to this mix and you could also automatically provision the network hardware. I've tried to work in some of these Windows environments and just can't make it work for me, so you both have my respect for putting up with an MS environment.
On Aug 25, 2017, at 4:39 AM, George Bell <george@techno-vision.co.uk> wrote:
Hi Katherine,
Having spent the last 6 months battling with our Windows Server 2016 Domain Controller here, you have my deepest sympathy and understanding. I feel that we almost have a hotline between ourselves and Microsoft's support in Delhi or Bombay.
First, do you have access to, or indeed have anyone who can handle the 2016 server itself? I mean in terms of running Server Manager and Best Practices Analyzer (BPA) plus reviewing Event Viewer errors and warnings.
There are many issues coming to light, and it is vital that these are resolved first or Direct Access and VPN will fail.
Happy to chat off list if you'd like to compare notes.
George W F Bell (MD) Techno-Vision Systems Ltd. 76 Bunting Road Ind. Est. NORTHAMPTON, NN2 6EE United Kingdom.
Tel: +44 (0)160 479 2777 Fax: +44 (0)160 479 2726
e-mail: George@techno-vision.co.uk Web: http://www.techno-vision.co.uk
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: 24 August 2017 15:50 To: blind-sysadmins@lists.hodgsonfamily.org Subject: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Hi all,
Has anybody gotten this to work? I want to try; would love to get my group off of the free version of PulseSecure VPN since it's obvious that it's broken, and we don't have the networking skills to fix it, nor the money to buy a license. Plus I want to succeed in getting a native Windows complex technology working. Everyone has tried but me, and none can get it going. We have a setup where the DA server would be behind a NAT, not on the edge (except for the one in the datacenter, but all of the local internal networks would have theirs behind a NAT). We would also have to avoid use of the Teredo protocol, considering we don't have multiple public IP addresses to play with. Any suggestions on a good configuration to connect a few sites? Thanks.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
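Katherine's opening question, quoted in full at the end of the message above, asks for a DirectAccess layout with the DA server behind a NAT and no Teredo, and the replies so far do not get into that topology. What follows is an added example written for this page, not code posted by anyone in the thread. It rests on two facts about the DirectAccess transition technologies: Teredo requires two consecutive public IPv4 addresses on the server's Internet-facing interface, and 6to4 requires a public IPv4 address, so a DA server behind a NAT can only serve Internet clients over IP-HTTPS (TCP 443), and the NAT needs to forward only that port. The script checks a Windows Server 2016 DA server for that IP-HTTPS-only shape with the RemoteAccess and NetworkTransition cmdlets that ship with the role. The public name da.example.org is an assumption, and the Get-DAServer property names (ConnectToAddress, TeredoState) are taken from the module's documentation and should be confirmed against the cmdlet's output on your build.

```powershell
# Added example for this page, not code from anyone in the thread.
# Checks a Windows Server 2016 DirectAccess server that sits behind a NAT.
# Behind NAT only IP-HTTPS (TCP 443) can work: Teredo needs two consecutive
# public IPv4 addresses on the Internet-facing NIC and 6to4 needs a public
# IPv4 address, so both must be off and the NAT needs to forward TCP 443 only.
# Cmdlets: RemoteAccess and NetworkTransition modules (ship with the role).
# Assumptions: the public name 'da.example.org'; Get-DAServer exposes
# ConnectToAddress and TeredoState as documented for the module.
# Run in an elevated PowerShell session on the DA server.

Import-Module RemoteAccess
Import-Module NetworkTransition

# RFC 1918 test. If the connect-to name resolves to one of these ranges for
# Internet clients, they are being pointed at the server's private address
# instead of the NAT's public address.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-DirectAccessBehindNat {
    param(
        [Parameter(Mandatory)][string]$PublicName,
        [string]$DnsServer   # optional external resolver, to see what Internet clients get
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # DA-level settings: clients must be told the public name, Teredo off.
    $da = Get-DAServer
    if ($da.ConnectToAddress -ne $PublicName) {
        $findings.Add("ConnectToAddress is '$($da.ConnectToAddress)', expected '$PublicName'")
    }
    if ($da.TeredoState -ne 'Disabled') {
        $findings.Add("DA Teredo state is '$($da.TeredoState)'; fix: Set-DAServer -TeredoState Disabled")
    }

    # Host-level transition interfaces: Teredo and 6to4 stay off, IP-HTTPS on.
    $teredo = Get-NetTeredoConfiguration
    if ($teredo.Type -ne 'Disabled') {
        $findings.Add("Teredo interface type is '$($teredo.Type)'; fix: Set-NetTeredoConfiguration -Type Disabled")
    }
    $sixToFour = Get-Net6to4Configuration
    if ($sixToFour.State -ne 'Disabled') {
        $findings.Add("6to4 state is '$($sixToFour.State)'; fix: Set-Net6to4Configuration -State Disabled")
    }
    $expectedUrl = "https://$($PublicName):443/IPHTTPS"
    $iphttps = Get-NetIPHttpsConfiguration | Where-Object Type -eq 'Server'
    if (-not $iphttps) {
        $findings.Add('No IP-HTTPS server profile found')
    } elseif ($iphttps.ServerURL -ne $expectedUrl) {
        $findings.Add("IP-HTTPS ServerURL is '$($iphttps.ServerURL)', expected '$expectedUrl'")
    }

    # The public name must resolve, for Internet clients, to the NAT's public
    # address. An internal resolver may legitimately return the private one,
    # so pass -DnsServer with an external resolver for the answer that matters.
    $dnsArgs = @{ Name = $PublicName; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $dnsArgs.Server = $DnsServer }
    $answers = Resolve-DnsName @dnsArgs | Where-Object IPAddress
    if (-not $answers) {
        $findings.Add("'$PublicName' has no A record")
    } else {
        $via = if ($DnsServer) { $DnsServer } else { 'the local resolver' }
        foreach ($a in $answers) {
            if (Test-PrivateIPv4 $a.IPAddress) {
                $findings.Add("'$PublicName' resolves to private address $($a.IPAddress) via $via")
            }
        }
    }
    return $findings
}

$result = Test-DirectAccessBehindNat -PublicName 'da.example.org'
if ($result.Count -eq 0) { 'No findings: IP-HTTPS-only DirectAccess behind NAT looks consistent.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

The script only reads configuration; the Set-* commands it prints are the remediation for each finding and are left for you to run. The DNS check is the one most worth repeating with -DnsServer pointed at a resolver outside your NAT, because a split-brain zone that hands internal hosts the private address is normal, while Internet clients getting that same answer means IP-HTTPS will never connect. On the NAT itself, the only inbound rule needed for this design is TCP 443 to the DA server; UDP 3544 (Teredo) and IP protocol 41 (6to4) are not used.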
My friend's roommate has a MikroTik router; it's actually on the edge. We were so concerned with consistency of hardware (everyone else, including me, uses Ubiquiti routers, which we love) that he never thought of that. I mentioned OpenVPN, but the problem for clients is that it would kick the network down to 10 Mbps. We have about four residential sites (in four different states, if that matters) connected to a datacenter infrastructure, not to mention different network speeds at each site, so nothing's consistent there.

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin Sent: Friday, August 25, 2017 2:17 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?

Hi Guys, Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN, but it looks to support all that you would ever want. A friend of mine who runs a 100+ two-way radio site system to connect each site uses their stuff for VPN. Thanks, Billy

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
Can you elaborate on the 10 Mbps issue? Mine are gigabit. It has no limit on the speed or connections.

-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: Friday, August 25, 2017 2:37 PM To: 'Blind sysadmins list' <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?

My friend's roommate has a MikroTik router; it's actually on the edge. We were so concerned with consistency of hardware (everyone else, including me, uses Ubiquiti routers, which we love) that he never thought of that. I mentioned OpenVPN, but the problem for clients is that it would kick the network down to 10 Mbps. We have about four residential sites (in four different states, if that matters) connected to a datacenter infrastructure, not to mention different network speeds at each site, so nothing's consistent there.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
I'm using a MikroTik hAP AC as a home network router with good results.

Chris

On Fri, Aug 25, 2017 at 08:54:18PM +0000, Billy Irwin wrote:

Can you elaborate on the 10 Mbps issue? Mine are gigabit. It has no limit on the speed or connections.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
________________________________
This message contains information from Neighborhood Health Plan that may be confidential or privileged. This message is directed only to the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution, or use of the contents of this email is prohibited. If you have received this email in error, please notify the sender immediately and delete the message and any attachments.
I'm just going to explain it the way my friend explained it to me, then. He states that when he tested the client-side OpenVPN on the EdgeRouter, all he was able to get was 10 MBPS. Hence everything was running very slowly; says it's a limitation of OpenVPN, not Ubiquiti. If you are able to get client-side OpenVPN going faster than that, then please explain how? Thanks. PulseSecure doesn't work for us in some things, so if we could find another solution that doesn't have people breathing down our necks because they want us to purchase a license ...
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin Sent: Friday, August 25, 2017 4:54 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Can you elaborate on the 10MBPS issue? Mine are gigabit. It has no limit on the speed or connections.
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: Friday, August 25, 2017 2:37 PM To: 'Blind sysadmins list' <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
My friend's roommate has a Microtech router; it's actually on the edge; we were so concerned with consistency of hardware (everyone else including me use Ubiquiti routers, which we love), that he never thought of that. I mentioned OpenVPN. But the problem for clients is that it would kick the network down to 10 MBPS. We have about four residential sites (in four different states if that matters) connected to a datacenter infrastructure. Not to mention with different network speeds at each site, so nothing's consistent there.
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin Sent: Friday, August 25, 2017 2:17 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ 2-way radio site system to connect each site uses their stuff for VPN.
Thanks,
Billy
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:45 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I agree with what you're saying.
When I said public facing I meant put a Windows box on the network exposed directly to the public internet. You could use a regular firewall of course (would never trust the Microsoft firewall), but the issue there is a firewall can be a choke point for denial of service attacks. I would however, and do daily, put Linux based boxes on the public internet: no hardware firewall, a well configured ipchains or ip filter, hardening of the services and so forth. If you are looking for a great VPN solution though that's free to install and just requires a server, definitely check out OpenVPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K bit keys, encrypted firewall and strong SHA512 hashing. If my demands are greater I'd go with a Pulse VPN or Cisco ASA, maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transits the security appliance, so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different vpn solution. I don't think I have ever heard of a company that uses the Microsoft vpn. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
This discussion forum thread may be useful: https://superuser.com/questions/472962/increasing-link-speed-on-openvpn-band... where it is claimed that the 10MBPS does not reflect or impose a limit on the actual speed of the VPN connection.
Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I'm just going to explain it the way my friend explained it to me, then. He states that when he tested the client-side OpenVPN on the EdgeRouter, all he was able to get was 10 MBPS. Hence everything was running very slowly; says it's a limitation of OpenVPN, not Ubiquiti. If you are able to get client-side OpenVPN going faster than that, then please explain how? Thanks. pulseSecure doesn't work for us in some things, so if we could find another solution that doesn't have people breathing down our necks because they want us to purchase a license ...
According to that thread, the actual link speed tops out at 160mbps. So what are we gigabit interface users to do? Is this why all my users, me included, complain that our VPN connections are far, far slower than FTP'ing?
On Mon, 28 Aug 2017 13:37:14 +0000, Jason White via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> wrote:
This discussion forum thread may be useful: https://superuser.com/questions/472962/increasing-link-speed-on-openvpn-band...
Then your friend is setting it up incorrectly; there's not a bandwidth limit on OpenVPN. Sometimes junk hardware won't forward well, but there's no hard limit. I can push a full GB encrypted via OpenVPN over my cheap NetGear. I'm suspecting the 10M limit is a forwarding limit imposed by a low end processor, but that's a guess without seeing the problem first hand.
On Aug 28, 2017, at 8:24 AM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I'm just going to explain it the way my friend explained it to me, then. He states that when he tested the client-side OpenVPN on the EdgeRouter, all he was able to get was 10 MBPS. Hence everything was running very slowly; says it's a limitation of OpenVPN, not Ubiquiti. If you are able to get client-side OpenVPN going faster than that, then please explain how? Thanks. pulseSecure doesn't work for us in some things, so if we could find another solution that doesn't have people breathing down our necks because they want us to purchase a license ...
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin Sent: Friday, August 25, 2017 4:54 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Can you elaborate on the 10MBPS issue? Mine are gigabit. It has no limit on the speed or connections.
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: Friday, August 25, 2017 2:37 PM To: 'Blind sysadmins list' <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
My friend's roommate has a Microtech router; it's actually on the edge; we were so concerned with consistency of hardware (everyone else including me use Ubiquiti routers, which we love), that he never thought of that. I mentioned OpenVPN. But the problem for clients is that it would kick the network down to 10 MBPS. We have about four residential sites (in four different states if that matters) connected to a datacenter infrastructure. Not to mention with different network speeds at each site, so nothing's consistent there.
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin Sent: Friday, August 25, 2017 2:17 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ 2way radio site system to connect each site uses their stuff for VPN.
Thanks,
Billy
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:45 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I agree with what you’re saying.
When I said public facing I meant put a windows box on the network exposed directly to the Public internet. You could use a regular firewall of course (would never trust the Microsoft firewall) but the issue there is a firewall can be a choke point for denial of service attacks. I would however and do daily put Linux based boxes on the public internet, no hardware firewall, a well configured I-chains or ip filter, hardening of the services and so forth. If you are looking for a great VPN solution though that’s free to install and just requires a server definitely check out open VPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K bit keys, encrypted firewall and strong SHA512 hashing. If my demands are greater I’d go with a Pulse VPN or Cisco ASA maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transit the security alliance so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different vpn solution. I don't think I have ever heard of a company that uses the Microsoft vpn. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:30 PM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than I would never put Microsoft Windows in a network facing role, especially public facing. It’s too easy to own a Windows box. I think the last time I checked, on average a Windows box will be compromised within 12 hours of being attached to the network. I have a copy of a Defense Department manual that states the only acceptable security option for Microsoft based systems is to have them disconnected from the network, locked in a room and powered off. ;) Oh, and Linux interfaces with Active Directory just fine. You can emulate all Windows services and be or join domains etc. Of course, use what works for you; I wasn’t meaning you should change. Just commenting that your thread made me count my lucky stars that I don’t live and/or work in that MS hell. And in full disclosure, I am biased because I have seen first-hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that.) The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with Active Directory and other things that we specifically want to use. Do you have anything specific, networking-wise, to add to this thread?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:09 PM To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I’m a Unix man myself and we use Linux across our enterprise. ;)
In my last gig we managed about 5000 servers with Chef scripts and OpenLDAP and it was the bee’s knees, especially when making bulk changes. Add Puppet to this mix and you could also automatically provision the network hardware. I’ve tried to work in some of these Windows environments and just can’t make it work for me, so you both have my respect for putting up with an MS environment.
On Aug 25, 2017, at 4:39 AM, George Bell <george@techno-vision.co.uk> wrote:
Hi Katherine,
Having spent the last 6 months battling with our Windows Server 2016 Domain Controller here, you have my deepest sympathy and understanding. I feel that we almost have a hotline between ourselves and Microsoft's support in Delhi or Bombay.
First, do you have access to, or indeed have anyone who can handle the 2016 server itself? I mean in terms of running Server Manager and Best Practices Analyzer (BPA) plus reviewing Event Viewer errors and warnings.
There are many issues coming to light, and it is vital that these are resolved first or Direct Access and VPN will fail.
Happy to chat off list if you'd like to compare notes.
George W F Bell (MD) Techno-Vision Systems Ltd. 76 Bunting Road Ind. Est. NORTHAMPTON, NN2 6EE United Kingdom.
Tel: +44 (0)160 479 2777 Fax: +44 (0)160 479 2726
e-mail: George@techno-vision.co.uk Web: http://www.techno-vision.co.uk
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: 24 August 2017 15:50 To: blind-sysadmins@lists.hodgsonfamily.org Subject: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Hi all,
Has anybody gotten this to work? I want to try; would love to get my group off of the free version of PulseSecure VPN since it's obvious that it's broken, and we don't have the networking skills to fix it, nor the money to buy a license. Plus I want to succeed in getting a native Windows complex technology working. Everyone has tried but me, and none can get it going. We have a setup where the DA server would be behind a NAT, not on the edge (except for the one in the datacenter, but all of the local internal networks would have theirs behind a NAT). We would also have to avoid use of the Teredo protocol, considering we don't have multiple public IP addresses to play with. Any suggestions on a good configuration to connect a few sites? Thanks.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
________________________________
This message contains information from Neighborhood Health Plan that may be confidential or privileged. This message is directed only to the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution, or use of the contents of this email is prohibited. If you have received this email in error, please notify the sender immediately and delete the message and any attachments. _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
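The pre-flight George describes (BPA findings and Event Viewer errors first) together with the behind-NAT, no-Teredo DirectAccess settings Katherine's question calls for, as an added PowerShell example that is not from anyone on the list. The FQDN, interface names and the 7-day event window are placeholders; the cmdlets are those of the BestPractices and RemoteAccess modules on Server 2016.

```powershell
# Added example, not from the list thread. Run elevated on the DA server.
# Assumed placeholders: da.example.org, the interface names, the 7-day window.
#Requires -RunAsAdministrator
Import-Module BestPractices
Import-Module RemoteAccess

function Get-DaPreflightReport {
    # Step 1 (George's advice): run every installed BPA model and keep only the
    # Error/Warning findings; unresolved BPA issues are what breaks DA later.
    # Invoke-BpaModel can take a few minutes per role.
    $bpa = foreach ($model in Get-BpaModel) {
        Invoke-BpaModel -ModelId $model.Id | Out-Null
        Get-BpaResult -ModelId $model.Id |
            Where-Object { $_.Severity -in @('Error', 'Warning') } |
            Select-Object ModelId, Severity, Title, Problem, Resolution
    }

    # Step 2: Critical (level 1) and Error (level 2) events from the last 7 days
    # in the System and Application logs, the same set Event Viewer shows.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = @('System', 'Application')
        Level     = @(1, 2)
        StartTime = (Get-Date).AddDays(-7)
    } | Select-Object TimeCreated, ProviderName, Id, Message

    [pscustomobject]@{ BpaFindings = $bpa; RecentErrors = $events }
}

function Test-DaNatSettings {
    # Only meaningful once the Remote Access role is installed. A DA server
    # behind a NAT with a single public IP can only terminate IP-HTTPS (TCP 443):
    # Teredo needs two consecutive public IPv4 addresses on the server itself,
    # so it should be Disabled in this deployment.
    $da = Get-DAServer
    [pscustomobject]@{
        ConnectToAddress  = $da.ConnectToAddress
        TeredoState       = $da.TeredoState
        TeredoShouldBeOff = ($da.TeredoState -ne 'Disabled')
    }
}

# --- Deployment, run once after the pre-flight report is clean --------------
# -DeployNat tells the wizard the server sits behind a NAT device; the public
# name must resolve externally to the NAT's public IP, with TCP 443 forwarded
# to the DA server. Single-NIC layout: both interfaces are the same adapter.
# Install-RemoteAccess -DAInstallType Full -DeployNat `
#     -ConnectToAddress 'da.example.org' `
#     -InternalInterface 'Ethernet' -InternetInterface 'Ethernet'
# Set-DAServer -TeredoState Disabled
# Get-RemoteAccessHealth | Where-Object HealthState -ne 'OK'

Get-DaPreflightReport
```

Run the report on each server in the chain (DC, DNS, DA server) and clear the BPA errors before the deployment lines are uncommented; Test-DaNatSettings is for re-checking after Install-RemoteAccess has completed.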
Can you elaborate on the 10 Mbps issue? Mine are gigabit. It has no limit on the speed or connections.
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: Friday, August 25, 2017 2:37 PM To: 'Blind sysadmins list' <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
My friend's roommate has a MikroTik router; it's actually on the edge; we were so concerned with consistency of hardware (everyone else including me uses Ubiquiti routers, which we love) that he never thought of that. I mentioned OpenVPN. But the problem for clients is that it would kick the network down to 10 Mbps. We have about four residential sites (in four different states, if that matters) connected to a datacenter infrastructure, not to mention different network speeds at each site, so nothing's consistent there.
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin Sent: Friday, August 25, 2017 2:17 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ 2-way radio site system to connect each site uses their stuff for VPN.
Thanks,
Billy
I have tried these devices; I am not a fan. They have a clumsy operating system and clumsy CLI. They do have a lot of features and things that are surprising in gear at their price point, but they just seemed cheap to me. They are very popular with wireless providers who need routing out on their wireless segments. They used them heavily in the area of Florida where I lived and did so successfully. So, your mileage may vary.
On Aug 25, 2017, at 2:16 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ 2-way radio site system to connect each site uses their stuff for VPN.
Thanks,
Billy
What would your recommendation be, then?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 10:38 AM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I have tried these devices; I am not a fan. They have a clumsy operating system and clumsy CLI. They do have a lot of features and things that are surprising in gear at their price point, but they just seemed cheap to me. They are very popular with wireless providers who need routing out on their wireless segments. They used them heavily in the area of Florida where I lived and did so successfully. So, your mileage may vary.
On Aug 25, 2017, at 2:16 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ 2way radio site system to connect each site uses their stuff for VPN.
Thanks,
Billy
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:45 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I agree with what you’re saying.
When I said public facing I meant put a windows box on the network exposed directly to the Public internet. You could use a regular firewall of course (would never trust the Microsoft firewall) but the issue there is a firewall can be a choke point for denial of service attacks. I would however and do daily put Linux based boxes on the public internet, no hardware firewall, a well configured I-chains or ip filter, hardening of the services and so forth. If you are looking for a great VPN solution though that’s free to install and just requires a server definitely check out open VPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K bit keys, encrypted firewall and strong SHA512 hashing. If my demands are greater I’d go with a Pulse VPN or Cisco ASA maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transit the security alliance so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different vpn solution. I don't think I have ever heard of a company that uses the Microsoft vpn. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:30 PM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than I would never put Microsoft Windows in a network facing roll, especially public facing. It’s to easy to own a windows box. I think the last time I checked on average a windows box will be compromised with in 12 hours of being attached to the network. I have a copy of a defense department manual that states the only acceptable security option for Microsoft based systems is to have them disconnected from the network, locked in a room and powered off.;) Oh and linux interfaces with active directory just fine. You can emulate all windows services and be or join domains etc. Of course, use what works for you I wasn’t meaning you should change. Just commenting that your thread made me count my lucky stars that I don’t live and or work in that MS hell. And in full disclosure, I am biased because I have seen first hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that). The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with active Directory and other things that we specifically want to use. Do you have anything specific networking wise to add to this thread?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:09 PM To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I’m a unix man myself and we use Linux across our enterprise.;)
In my last gig we managed about 5000 servers with chef scripts and Open LDAP and it was the bees knees. Especially m making bulk changes. Add puppet to this mix and you could also automatically provision the network hardware. I’ve tried to work in some of these windows environments and just can’t make it work for me so you both have my respect for putting up with an MS environment.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
Hi guys, I had to use Firefox in order to make the interface work. Internet Explorer started giving me problems a while back and I transitioned to Firefox. So logging into those routers and switches with Firefox works just fine. Sad to say, there is no truly 100% accessible product.
Sent from my iPhone
On Aug 28, 2017, at 10:48, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
What would your recommendation be, then?
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados
Sent: Monday, August 28, 2017 10:38 AM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I have tried these devices; I am not a fan. They have a clumsy operating system and a clumsy CLI. They do have a lot of features and things that are surprising in gear at their price point, but they just seemed cheap to me. They are very popular with wireless providers who need routing out on their wireless segments. They used them heavily in the area of Florida where I lived and did so successfully. So, your mileage may vary.
On Aug 25, 2017, at 2:16 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN, but it looks to support all that you would ever want. A friend of mine who runs a 100+ two-way radio site system uses their stuff for VPN to connect each site.
Thanks,
Billy
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados
Sent: Friday, August 25, 2017 1:45 PM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I agree with what you’re saying.
When I said public facing I meant putting a Windows box on the network exposed directly to the public internet. You could use a regular firewall of course (I would never trust the Microsoft firewall), but the issue there is that a firewall can be a choke point for denial of service attacks. I would, however, and do daily, put Linux-based boxes on the public internet: no hardware firewall, a well-configured ipchains or IPFilter, hardening of the services and so forth. If you are looking for a great VPN solution that’s free to install and just requires a server, definitely check out OpenVPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K-bit keys, encrypted firewall and strong SHA512 hashing. If my demands were greater I’d go with a Pulse VPN or Cisco ASA, maybe even a Juniper SRX. All three of these options also let you identify attacks and malware on the wire before it transits the security appliance, so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different VPN solution. I don't think I have ever heard of a company that uses the Microsoft VPN. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados
Sent: Friday, August 25, 2017 1:30 PM
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than that, I would never put Microsoft Windows in a network-facing role, especially public facing. It’s too easy to own a Windows box. I think the last time I checked, on average a Windows box will be compromised within 12 hours of being attached to the network. I have a copy of a Defense Department manual that states the only acceptable security option for Microsoft-based systems is to have them disconnected from the network, locked in a room and powered off. ;) Oh, and Linux interfaces with Active Directory just fine. You can emulate all Windows services and be or join domains, etc. Of course, use what works for you; I wasn’t meaning you should change. Just commenting that your thread made me count my lucky stars that I don’t live and/or work in that MS hell. And in full disclosure, I am biased because I have seen firsthand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that.) The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with Active Directory and other things that we specifically want to use. Do you have anything specific, networking-wise, to add to this thread?
I have no problem at all with accessibility on it.
I can think of a lot of truly 100% accessible products. :) Having to use a different web browser is as much a sighted issue as a blind one, as I understand things. (Happy to be corrected.) My feeling is, though, that you have adjustments to make regardless of your sensory abilities. Cisco has been very accessible, as has Juniper, and both companies tend to back this up by their actions and by the resources they make available.
On Aug 28, 2017, at 10:52 AM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi guys, I had to use Firefox in order to make the interface work. Internet explore started giving me problems a while back and I transition to Firefox. So logging into those routers and switches with Firefox works just fine. Sadly to say there is no truly 100% accessible product.
Sent from my iPhone
On Aug 28, 2017, at 10:48, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
What would your recommendation be, then?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 10:38 AM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I have tried these devices, I am not a fan. They have a clumsy operating system and clumsy CLI. They do have a lot of features and things that are surprising in gear of their price point but they just seemed cheap to me. They are very popular with wireless providers who need routing out on their wireless segments. They used them heavily in the area of Florida where I lived and did so successfully. So, your milage may vary.
On Aug 25, 2017, at 2:16 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ 2way radio site system to connect each site uses their stuff for VPN.
Thanks,
Billy
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:45 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I agree with what you’re saying.
When I said public facing I meant put a windows box on the network exposed directly to the Public internet. You could use a regular firewall of course (would never trust the Microsoft firewall) but the issue there is a firewall can be a choke point for denial of service attacks. I would however and do daily put Linux based boxes on the public internet, no hardware firewall, a well configured I-chains or ip filter, hardening of the services and so forth. If you are looking for a great VPN solution though that’s free to install and just requires a server definitely check out open VPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K bit keys, encrypted firewall and strong SHA512 hashing. If my demands are greater I’d go with a Pulse VPN or Cisco ASA maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transit the security alliance so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different vpn solution. I don't think I have ever heard of a company that uses the Microsoft vpn. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:30 PM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than I would never put Microsoft Windows in a network facing roll, especially public facing. It’s to easy to own a windows box. I think the last time I checked on average a windows box will be compromised with in 12 hours of being attached to the network. I have a copy of a defense department manual that states the only acceptable security option for Microsoft based systems is to have them disconnected from the network, locked in a room and powered off.;) Oh and linux interfaces with active directory just fine. You can emulate all windows services and be or join domains etc. Of course, use what works for you I wasn’t meaning you should change. Just commenting that your thread made me count my lucky stars that I don’t live and or work in that MS hell. And in full disclosure, I am biased because I have seen first hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that). The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with active Directory and other things that we specifically want to use. Do you have anything specific networking wise to add to this thread?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:09 PM To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I’m a unix man myself and we use Linux across our enterprise.;)
In my last gig we managed about 5000 servers with chef scripts and Open LDAP and it was the bees knees. Especially m making bulk changes. Add puppet to this mix and you could also automatically provision the network hardware. I’ve tried to work in some of these windows environments and just can’t make it work for me so you both have my respect for putting up with an MS environment.
On Aug 25, 2017, at 4:39 AM, George Bell <george@techno-vision.co.uk> wrote:
Hi Katherine,
Having spent the last 6 months battling with our Windows Server 2016 Domain Controller here, you have my deepest sympathy and understanding. I feel that we almost have a hotline between ourselves and Microsoft's support in Delhi or Bombay.
First, do you have access to, or indeed have anyone who can handle the 2016 server itself? I mean in terms of running Server Manager and Best Practices Analyzer (BPA) plus reviewing Event Viewer errors and warnings.
There are many issues coming to light, and it is vital that these are resolved first or Direct Access and VPN will fail.
Happy to chat off list if you'd like to compare notes.
George W F Bell (MD) Techno-Vision Systems Ltd. 76 Bunting Road Ind. Est. NORTHAMPTON, NN2 6EE United Kingdom.
Tel: +44 (0)160 479 2777 Fax: +44 (0)160 479 2726
e-mail: George@techno-vision.co.uk Web: http://www.techno-vision.co.uk
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: 24 August 2017 15:50 To: blind-sysadmins@lists.hodgsonfamily.org Subject: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Hi all,
Has anybody gotten this to work? I want to try; would love to get my group off of the free version of PulseSecure VPN since it's obvious that it's broken, and we don't have the networking skills to fix it, nor the money to buy a license. Plus I want to succeed in getting a native Windows complex technology working. Everyone has tried but me, and none can get it going. We have a setup where the DA server would be behind a NAT, not on the EDGE (except for the one in the datacenter, but all of the local internal networks would have their behind a NAT.) We would also have to avoid use of the Teredo protocol, considering we don't have multiple public IP addresses to play with. Any suggestions on a good configuration to connect a few sites? Thanks.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
All of that is interesting ... maybe my friend's roommate's opinion has merit, after all ...
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 12:07 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I can think of a lot of truly 100% accessible products. :)
Having to use a different web browser is as much a sighted issue as a blind one, as I understand things. (Happy to be corrected.) My feeling is, though, that you have adjustments to make regardless of your sensory abilities. Cisco has been very accessible, as has Juniper, and both companies tend to back this up by their actions and by the resources they make available.
On Aug 28, 2017, at 10:52 AM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi guys, I had to use Firefox in order to make the interface work. Internet Explorer started giving me problems a while back and I transitioned to Firefox. So logging into those routers and switches with Firefox works just fine. Sad to say, there is no truly 100% accessible product.
Sent from my iPhone
On Aug 28, 2017, at 10:48, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
What would your recommendation be, then?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 10:38 AM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I have tried these devices; I am not a fan. They have a clumsy operating system and a clumsy CLI. They do have a lot of features and things that are surprising in gear at their price point, but they just seemed cheap to me. They are very popular with wireless providers who need routing out on their wireless segments. They used them heavily in the area of Florida where I lived and did so successfully. So, your mileage may vary.
On Aug 25, 2017, at 2:16 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN, but it looks to support all that you would ever want. A friend of mine who runs a 100+ site 2-way radio system uses their stuff for VPN to connect each site.
Thanks,
Billy
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:45 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I agree with what you’re saying.
When I said public facing I meant putting a Windows box on the network exposed directly to the public internet. You could use a regular firewall of course (I would never trust the Microsoft firewall), but the issue there is that a firewall can be a choke point for denial of service attacks. I would, however, and do daily, put Linux-based boxes on the public internet: no hardware firewall, a well configured ipchains or IP Filter, hardening of the services and so forth. If you are looking for a great VPN solution that's free to install and just requires a server, definitely check out OpenVPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K-bit keys, encrypted firewall and strong SHA512 hashing. If my demands were greater I'd go with a Pulse VPN or Cisco ASA, maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transits the security appliance, so something like that might be good out in front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different vpn solution. I don't think I have ever heard of a company that uses the Microsoft vpn. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:30 PM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than that, I would never put Microsoft Windows in a network-facing role, especially public facing. It's too easy to own a Windows box. I think the last time I checked, on average a Windows box will be compromised within 12 hours of being attached to the network. I have a copy of a defense department manual that states the only acceptable security option for Microsoft-based systems is to have them disconnected from the network, locked in a room and powered off. ;) Oh, and Linux interfaces with Active Directory just fine. You can emulate all Windows services and be or join domains, etc. Of course, use what works for you; I wasn't meaning you should change. Just commenting that your thread made me count my lucky stars that I don't live and/or work in that MS hell. And in full disclosure, I am biased because I have seen first hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that.) The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with Active Directory and other things that we specifically want to use. Do you have anything specific, networking-wise, to add to this thread?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:09 PM To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I’m a unix man myself and we use Linux across our enterprise.;)
In my last gig we managed about 5000 servers with Chef scripts and OpenLDAP, and it was the bee's knees, especially for making bulk changes. Add Puppet to this mix and you could also automatically provision the network hardware. I've tried to work in some of these Windows environments and just can't make it work for me, so you both have my respect for putting up with an MS environment.
You are correct in that Cisco makes accessible products for the most part. However, the stuff on the market is mostly at end of life, and I would not want to depend on the security of that hardware as it is no longer supported. I would rather have something that is updated security-wise. That is just my personal preference. I've been trained by Cisco all the way up to the BGP protocol level. At the time that I did that, there was no easy way to get through the certification. It could be that the folks down here in South Carolina did not want to work with us, though. Please forgive any errors as I am using dictation right now.
Sent from my iPhone
I always had good luck, but I worked with the folks in San Jose a lot more than out in the east. Juniper was who I worked with in the east, and that went very well. Got very good help out of the Bridgewater, NJ office. You can get a lot of good Cisco gear second hand that's not EOL. This is why I mentioned network hardware resale; another is Recurrent Technology. They can get you all the SmartNet contracts and support on second hand gear so you're not left holding the bag on useless gear or running unlicensed code. It also adds nicely to your Cisco account so you can track it in your contract manager. This was a great way for me to gear up some startups without having to pay Cisco's inflated pricing. Security is a very valid concern, though, and very good for bringing that up. I wouldn't necessarily order anything through eBay direct, but through a reputable reseller you ought to be good and have access to the updates so you stay appropriately patched.
On Aug 28, 2017, at 12:47 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
You are correct in that Cisco makes accessible products for the most part. However do you stuff on the market is mostly at end of life and I would not want to depend on the security of that hardware as it is no longer supported. I would Heather have something that is updated security wise. That is just my personal preference. I've been trained by Cisco all the way up to the BGP protocol level. At the time that I did that, there was no easy way to get through the certification. It could be that the folks down here in South Carolina did not want to work with us though. Please forgive any errors as I am using dictation right now.
Sent from my iPhone
On Aug 28, 2017, at 12:16, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
All of that is interesting ... maybe my friend's roommate's opinion has merit, after all ...
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 12:07 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I can think of a lot of truly 100% accessible products.:)
Having to use a different web b browser is as much a sited issue as blind as I understand things. (Happy to be corrected). My feeling is though you have adjustments to make regardless of your sensory abilities. Cisco has been very accessible as has Juniper and both companies tend to back this up by their actions and by their resources they make available.
On Aug 28, 2017, at 10:52 AM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi guys, I had to use Firefox in order to make the interface work. Internet explore started giving me problems a while back and I transition to Firefox. So logging into those routers and switches with Firefox works just fine. Sadly to say there is no truly 100% accessible product.
Sent from my iPhone
On Aug 28, 2017, at 10:48, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
What would your recommendation be, then?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 10:38 AM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I have tried these devices, I am not a fan. They have a clumsy operating system and clumsy CLI. They do have a lot of features and things that are surprising in gear of their price point but they just seemed cheap to me. They are very popular with wireless providers who need routing out on their wireless segments. They used them heavily in the area of Florida where I lived and did so successfully. So, your milage may vary.
On Aug 25, 2017, at 2:16 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ 2way radio site system to connect each site uses their stuff for VPN.
Thanks,
Billy
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:45 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I agree with what you’re saying.
When I said public facing I meant put a windows box on the network exposed directly to the Public internet. You could use a regular firewall of course (would never trust the Microsoft firewall) but the issue there is a firewall can be a choke point for denial of service attacks. I would however and do daily put Linux based boxes on the public internet, no hardware firewall, a well configured I-chains or ip filter, hardening of the services and so forth. If you are looking for a great VPN solution though that’s free to install and just requires a server definitely check out open VPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K bit keys, encrypted firewall and strong SHA512 hashing. If my demands are greater I’d go with a Pulse VPN or Cisco ASA maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transit the security alliance so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different vpn solution. I don't think I have ever heard of a company that uses the Microsoft vpn. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:30 PM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than I would never put Microsoft Windows in a network-facing role, especially public facing. It’s too easy to own a Windows box. I think the last time I checked, on average a Windows box will be compromised within 12 hours of being attached to the network. I have a copy of a defense department manual that states the only acceptable security option for Microsoft-based systems is to have them disconnected from the network, locked in a room and powered off.;) Oh, and Linux interfaces with Active Directory just fine. You can emulate all Windows services and be or join domains etc. Of course, use what works for you; I wasn’t meaning you should change. Just commenting that your thread made me count my lucky stars that I don’t live and/or work in that MS hell. And in full disclosure, I am biased because I have seen first-hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that.) The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with Active Directory and other things that we specifically want to use. Do you have anything specific networking-wise to add to this thread?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:09 PM To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I’m a Unix man myself and we use Linux across our enterprise.;)
In my last gig we managed about 5000 servers with Chef scripts and OpenLDAP and it was the bee’s knees, especially making bulk changes. Add Puppet to this mix and you could also automatically provision the network hardware. I’ve tried to work in some of these Windows environments and just can’t make it work for me, so you both have my respect for putting up with an MS environment.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
________________________________
This message contains information from Neighborhood Health Plan that may be confidential or privileged. This message is directed only to the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution, or use of the contents of this email is prohibited. If you have received this email in error, please notify the sender immediately and delete the message and any attachments.
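Scott’s OpenVPN recommendation above (certificate support, SHA512 HMAC) is the part of this thread a small shop without a VPN budget can act on, and the directives that make certificate auth actually bind a client to the right server are the ones most often left out of a client profile. What follows is an added example, not code from anyone on the list and not part of OpenVPN itself: a small Python auditor that parses an .ovpn profile and flags the weak or missing settings. Both embedded profiles are constructed for illustration; the hostname vpn.example.org, the file names and the pinned name are assumptions.

```python
"""Audit an OpenVPN client profile for weak or missing security settings.

Added example for this thread, not code posted on the list and not part of
OpenVPN itself. Both profiles are constructed; vpn.example.org, the file
names and the pinned server name are assumptions.
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}

# Constructed "it connects, ship it" profile: password-only auth, no check
# that the peer holds a *server* certificate, legacy cipher, default HMAC.
WEAK_CLIENT = """\
client
dev tun
proto udp
remote vpn.example.org 1194
auth-user-pass
ca ca.crt
cipher BF-CBC
"""

# Constructed hardened profile: client certificate, SHA-512 HMAC, an
# authenticated and encrypted control channel, and the server identity pinned.
HARDENED_CLIENT = """\
client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert alice.crt
key alice.key
tls-crypt ta.key
remote-cert-tls server
verify-x509-name vpn.example.org name
tls-version-min 1.2
cipher AES-256-GCM
auth SHA512
"""


def parse_profile(text):
    """Return [(directive, [args])]; comments skipped, an inline <ca>/<cert>/
    <key>/<tls-crypt> PEM block collapsed to one (name, ["<inline>"]) entry."""
    directives, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</") and line.endswith(">"):
            in_block = None
        elif line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            directives.append((in_block, ["<inline>"]))
        elif in_block is None:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def audit_profile(text, role="client"):
    """Return a list of findings; an empty list means nothing was flagged."""
    seen = {}
    for name, args in parse_profile(text):
        seen.setdefault(name, []).append(args)

    def first(name, default=None):
        args = seen.get(name, [[]])[0]
        return args[0] if args else default

    findings = []
    # Data-channel HMAC: OpenVPN falls back to SHA1 when 'auth' is absent.
    auth = first("auth", "SHA1").upper()
    if auth in WEAK_AUTH:
        findings.append(f"auth is {auth}; set 'auth SHA512'")
    # Data-channel cipher: releases up to 2.4 default to BF-CBC when unset;
    # a 'data-ciphers' list (2.5+) takes precedence over 'cipher'.
    cipher = first("cipher", "BF-CBC").upper()
    if cipher in WEAK_CIPHERS and "data-ciphers" not in seen:
        findings.append(f"cipher is {cipher}; set 'cipher AES-256-GCM'")
    # Without tls-crypt/tls-auth anyone who can reach the port talks straight
    # to the TLS stack; with them, packets lacking a valid HMAC are dropped.
    if "tls-crypt" not in seen and "tls-auth" not in seen:
        findings.append("no tls-crypt/tls-auth key: control channel is unauthenticated")
    tls_min = first("tls-version-min", "1.0")
    if float(tls_min) < 1.2:
        findings.append(f"tls-version-min is {tls_min}; set 'tls-version-min 1.2'")

    if role == "client":
        if "cert" not in seen:
            findings.append("no client certificate: authentication is password-only")
        # Otherwise any certificate the CA ever signed, including another
        # client's, is accepted as the server (the classic OpenVPN MITM).
        if first("remote-cert-tls") != "server":
            findings.append("missing 'remote-cert-tls server': a client cert could pose as the server")
        if "verify-x509-name" not in seen:
            findings.append("missing 'verify-x509-name': server name is not pinned")
    else:
        if first("verify-client-cert", "require") != "require":
            findings.append("verify-client-cert is not 'require'")
        if first("remote-cert-tls") != "client":
            findings.append("missing 'remote-cert-tls client'")
    return findings


if __name__ == "__main__":
    print(audit_profile(WEAK_CLIENT), audit_profile(HARDENED_CLIENT), sep="\n")
```

Run it against a real profile with `audit_profile(open("client.ovpn").read())`, or with `role="server"` against server.conf. The two checks worth remembering are `remote-cert-tls server` and `tls-crypt`: the first stops any certificate issued by the same CA (a laptop that was stolen, a former employee’s) from being presented as the server, and the second means an unauthenticated packet never reaches the TLS code at all, which is the property you want on a box that is, in Scott’s words, exposed directly to the public internet.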
You are correct in that Cisco makes accessible products for the most part. However, used stuff on the market is mostly at end of life, and I would not want to depend on the security of that hardware as it is no longer supported. I would rather have something that is updated security-wise. That is just my personal preference. I've been trained by Cisco all the way up to the BGP protocol level. At the time that I did that, there was no easy way to get through the certification. It could be that the folks down here in South Carolina did not want to work with us, though. Please forgive any errors as I am using dictation right now. Sent from my iPhone
On Aug 28, 2017, at 12:16, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
All of that is interesting ... maybe my friend's roommate's opinion has merit, after all ...
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 12:07 PM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I can think of a lot of truly 100% accessible products.:)
Having to use a different web browser is as much a sighted issue as a blind one, as I understand things. (Happy to be corrected.) My feeling is, though, you have adjustments to make regardless of your sensory abilities. Cisco has been very accessible, as has Juniper, and both companies tend to back this up by their actions and by the resources they make available.
On Aug 28, 2017, at 10:52 AM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi guys, I had to use Firefox in order to make the interface work. Internet Explorer started giving me problems a while back and I transitioned to Firefox. So logging into those routers and switches with Firefox works just fine. Sad to say, there is no truly 100% accessible product.
Sent from my iPhone
On Aug 28, 2017, at 10:48, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
What would your recommendation be, then?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 10:38 AM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I have tried these devices; I am not a fan. They have a clumsy operating system and clumsy CLI. They do have a lot of features and things that are surprising in gear at their price point, but they just seemed cheap to me. They are very popular with wireless providers who need routing out on their wireless segments. They used them heavily in the area of Florida where I lived and did so successfully. So, your mileage may vary.
On Aug 25, 2017, at 2:16 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN, but it looks to support all that you would ever want. A friend of mine who runs a 100+ site two-way radio system uses their stuff for VPN to connect each site.
Thanks,
Billy
Depends on your price point. They (MikroTik) aren’t unacceptable, especially for the price point. Just remember you’re going to spend $40 and you’re going to fight with the interface some. It’s not that it is inaccessible; it’s more that it’s just an odd layout. Compared to other routers it’s just different. Here’s a mild example. On all routers I’ve worked with, if you want to see the value of something you would probably use the show command. Something like show ip bgp neighbor a.b.c.d or similar. On MikroTik you type print and the item, so you might do print routes etc. It’s not bad, it’s just not intuitive. So it’s hard to beat for the money. DrayTek is another, or for the money SonicWall can do some good things but not quite as cheap. There’s also used gear. Used Cisco can be had from eBay, or fully certifiable and supportable through companies like Network Hardware Resale for pennies on the dollar. Just depends on your spend. If you’re willing to struggle through learning a non-intuitive interface, go with MikroTik; they do a lot for the money.
On Aug 28, 2017, at 10:48 AM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
What would your recommendation be, then?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Monday, August 28, 2017 10:38 AM To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I have tried these devices, I am not a fan. They have a clumsy operating system and clumsy CLI. They do have a lot of features and things that are surprising in gear of their price point but they just seemed cheap to me. They are very popular with wireless providers who need routing out on their wireless segments. They used them heavily in the area of Florida where I lived and did so successfully. So, your milage may vary.
On Aug 25, 2017, at 2:16 PM, Billy Irwin <billy.irwin@outlook.com> wrote:
Hi Guys,
Have any of you tried MikroTik devices? I have their Core Router and Switch. I love their stuff so far. Haven't had time to get into their VPN but it looks to support all that you would ever want. A friend of mine who runs a 100+ 2way radio site system to connect each site uses their stuff for VPN.
Thanks,
Billy
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados
Sent: Friday, August 25, 2017 1:45 PM
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
I agree with what you’re saying.
When I said public facing I meant put a Windows box on the network exposed directly to the public internet. You could use a regular firewall of course (would never trust the Microsoft firewall), but the issue there is a firewall can be a choke point for denial of service attacks. I would however, and do daily, put Linux based boxes on the public internet, no hardware firewall, a well configured ipchains or ip filter, hardening of the services and so forth. If you are looking for a great VPN solution though that’s free to install and just requires a server, definitely check out OpenVPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K bit keys, encrypted firewall and strong SHA512 hashing. If my demands are greater I’d go with a Pulse VPN or Cisco ASA, maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transits the security alliance, so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different VPN solution. I don't think I have ever heard of a company that uses the Microsoft VPN. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados
Sent: Friday, August 25, 2017 1:30 PM
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than I would never put Microsoft Windows in a network facing role, especially public facing. It’s too easy to own a Windows box. I think the last time I checked, on average a Windows box will be compromised within 12 hours of being attached to the network. I have a copy of a defense department manual that states the only acceptable security option for Microsoft based systems is to have them disconnected from the network, locked in a room and powered off. ;) Oh, and Linux interfaces with Active Directory just fine. You can emulate all Windows services and be or join domains etc. Of course, use what works for you; I wasn’t meaning you should change. Just commenting that your thread made me count my lucky stars that I don’t live and/or work in that MS hell. And in full disclosure, I am biased because I have seen first-hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that). The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with Active Directory and other things that we specifically want to use. Do you have anything specific networking-wise to add to this thread?
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados
Sent: Friday, August 25, 2017 1:09 PM
To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I’m a Unix man myself and we use Linux across our enterprise. ;)
In my last gig we managed about 5000 servers with Chef scripts and OpenLDAP and it was the bee's knees, especially making bulk changes. Add Puppet to this mix and you could also automatically provision the network hardware. I’ve tried to work in some of these Windows environments and just can’t make it work for me, so you both have my respect for putting up with an MS environment.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
I was going to suggest/recommend that, but I didn't think it would be something a corporate structure would feel comfortable with using. I manage a server in France with four OpenVPN users in London, midwestern Canada, Peterborough (the one in England, not the one in Canada), and the States, and we've not had any problems with it (knock on wood).
On Fri, 25 Aug 2017 17:44:59 +0000, you wrote:
Linux VPN and iptables all the way. This is my VPN setup. Logwatch delivers reports. SSH passwords disabled, key access only. Fail2ban if you must use SSH passwords. And I would also restrict the IP ranges you can log in from too. I've written step-by-step notes on setting up an OpenVPN server if anyone needs them, but it's not difficult if you know your way round Linux. Oh, and I used SFTP to copy the keys off the server to my phone / PC. Cheers.
Chris Turner
On 14/10/17 15:57, Steve Matzura wrote:
I was going to suggest/recommend that, but I didn't think it would be something a corporate structure would feel comfortable with using. I manage a server in France with four OpenVPN users in London, midwestern Canada, Peterborough (the one in England, not the one in Canada),and the States, and we've not had any problems with it (knock on wood).
On Fri, 25 Aug 2017 17:44:59 +0000, you wrote:
I agree with what you’re saying.
When I said public facing I meant put a windows box on the network exposed directly to the Public internet. You could use a regular firewall of course (would never trust the Microsoft firewall) but the issue there is a firewall can be a choke point for denial of service attacks. I would however and do daily put Linux based boxes on the public internet, no hardware firewall, a well configured I-chains or ip filter, hardening of the services and so forth. If you are looking for a great VPN solution though that’s free to install and just requires a server definitely check out open VPN. I use this extensively in my home projects and love it. Good certificate support, nice big 16K bit keys, encrypted firewall and strong SHA512 hashing. If my demands are greater I’d go with a Pulse VPN or Cisco ASA maybe even a Juniper SRX. All 3 of these options also let you identify attacks and malware on the wire before it transit the security alliance so something like that might be good out front of a Microsoft cluster.
On Aug 25, 2017, at 1:34 PM, Mika Pyyhkala <Mika_Pyyhkala@nhp.org> wrote:
I am also thinking maybe you could use a different vpn solution. I don't think I have ever heard of a company that uses the Microsoft vpn. I know Cisco has a cloud solution. Maybe they even have some sort of trial or nonprofit discount.
It does seem like Windows builds in a lot of services that are there, but nobody really uses them in real life; they are just there for the books and the tests :).
Best, Mika @pyyhkala
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:30 PM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Other than I would never put Microsoft Windows in a network facing roll, especially public facing. It’s to easy to own a windows box. I think the last time I checked on average a windows box will be compromised with in 12 hours of being attached to the network. I have a copy of a defense department manual that states the only acceptable security option for Microsoft based systems is to have them disconnected from the network, locked in a room and powered off.;) Oh and linux interfaces with active directory just fine. You can emulate all windows services and be or join domains etc. Of course, use what works for you I wasn’t meaning you should change. Just commenting that your thread made me count my lucky stars that I don’t live and or work in that MS hell. And in full disclosure, I am biased because I have seen first hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that). The company I worked for at the time started a migration to Solaris the very next day. So be careful.
On Aug 25, 2017, at 1:14 PM, Katherine M. Moss <kmoss@winterhillsolutions.com> wrote:
I thank you for your opinion, but my infrastructure is already set up with active Directory and other things that we specifically want to use. Do you have anything specific networking wise to add to this thread?
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott Granados Sent: Friday, August 25, 2017 1:09 PM To: george@techno-vision.co.uk; Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org> Subject: Re: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Wow, this thread makes me happy that I’m a unix man myself and we use Linux across our enterprise.;)
In my last gig we managed about 5000 servers with chef scripts and Open LDAP and it was the bees knees. Especially m making bulk changes. Add puppet to this mix and you could also automatically provision the network hardware. I’ve tried to work in some of these windows environments and just can’t make it work for me so you both have my respect for putting up with an MS environment.
On Aug 25, 2017, at 4:39 AM, George Bell <george@techno-vision.co.uk> wrote:
Hi Katherine,
Having spent the last 6 months battling with our Windows Server 2016 Domain Controller here, you have my deepest sympathy and understanding. I feel that we almost have a hotline between ourselves and Microsoft's support in Delhi or Bombay.
First, do you have access to, or indeed have anyone who can handle the 2016 server itself? I mean in terms of running Server Manager and Best Practices Analyzer (BPA) plus reviewing Event Viewer errors and warnings.
There are many issues coming to light, and it is vital that these are resolved first or Direct Access and VPN will fail.
Happy to chat off list if you'd like to compare notes.
George W F Bell (MD) Techno-Vision Systems Ltd. 76 Bunting Road Ind. Est. NORTHAMPTON, NN2 6EE United Kingdom.
Tel: +44 (0)160 479 2777 Fax: +44 (0)160 479 2726
e-mail: George@techno-vision.co.uk Web: http://www.techno-vision.co.uk
-----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Katherine M. Moss Sent: 24 August 2017 15:50 To: blind-sysadmins@lists.hodgsonfamily.org Subject: [Blind-sysadmins] Direct access Windows server 2016, anyone?
Hi all,
Has anybody gotten this to work? I want to try; would love to get my group off of the free version of PulseSecure VPN since it's obvious that it's broken, and we don't have the networking skills to fix it, nor the money to buy a license. Plus I want to succeed in getting a native Windows complex technology working. Everyone has tried but me, and none can get it going. We have a setup where the DA server would be behind a NAT, not on the EDGE (except for the one in the datacenter, but all of the local internal networks would have their behind a NAT.) We would also have to avoid use of the Teredo protocol, considering we don't have multiple public IP addresses to play with. Any suggestions on a good configuration to connect a few sites? Thanks.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
Good grief! On Fri, 25 Aug 2017 17:29:56 +0000, Scott Granados <scott@granados-llc.net> wrote:
> I am biased because I have seen first hand (I was in the room) Microsoft Windows kill someone. (As in dead, assumed room temperature, bag him and slab him and all that).
I'll bet the details of that episode could have made headline news.
