• RE: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange

    @DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:

    At a prior position they went full tilt "O365/SSO everything" and while it all worked, with a LOT of effort, the monthly cost was insane per user, something like $42/U/Month for just our 1 location of 160 people.
    Globally they had over 9000; that's a huge burden.

    Except it's not.

    1. It's opex not capex, so it's not dragging down ROIC ratios for Wall Street (big in Mfg and some industries).
    2. It's just dumped into the fully burdened cost of an employee. If your average employee is paid 50K they probably cost another 20K a year in benefits, training, taxes, office space, utilities and other overhead. Paying $42 a user per month at that scale gets you out of:
    3. "Owning" versions of the Office Suite is great until you end up with 4 different versions of Office in the office. Then it becomes a nightmare.
    4. Managing Exchange and SharePoint etc. at scale is a full-time job. Paying someone else to manage it wins vs. hiring people to do that.
    5. Again, it's $42 per user per month. We were spending more than that per employee on drinks and snacks before COVID hit. Stocking 14 flavors of La Croix, and the thousands of pounds of M&M's and "the good nuts", adds up. For a company with 9000 users, for something that people are spending hours a day in, that's just cheap.
    posted in News
  • RE: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange

    @DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:

    I generally agree with that statement @IRJ, except that the long-term cost of hosting isn't cost effective, as the vendor can price jack the rates any time that they want.

    They can't for us. We signed an EA and have fixed price terms for the length of the contract.

    posted in News
  • RE: Obtaining hardware from terminated remote employee

    @JaredBusch said in Obtaining hardware from terminated remote employee:

    Hardware is not worth the fucking time to get back.

    If the company thinks wasting man hours on that is a good idea, the company is insane.

    While I largely agree, our R&D laptops are ~2-3K a pop (fully max spec'd MBP or XPS with onsite repair agreements).

    I did hear we have started on the Macs using DEP, so the device will auto-enroll in MDM even if the device is wiped.
    https://support.apple.com/en-us/HT204142

    posted in IT Discussion
  • RE: Obtaining hardware from terminated remote employee

    @scottalanmiller said in Obtaining hardware from terminated remote employee:

    Can't do that legally for US employees though, in most cases.

    I worked at a place that kept your first week's wages as a deposit against hardware (yes, this is weirdly legal, at least in Texas).
    Eventually, it got silly as more and more of the office switched to BYOD (the rule dated back to when they issued $600 smartphones and laptops that cost 2K).
    This was technically in the signed work contract, but many people angrily found out about it after their first paycheck was kinda "light".

    posted in IT Discussion
  • RE: MPLS alternative

    @Dashrender said in MPLS alternative:

    Nice - sadly not the case with Cox; their gig product has the typical 1 TB cap, which really, if you think about it - if you need the 1 gig, that cap is ridiculous!

    When we move to 5G and we just put a 5G modem in EVERYTHING, eventually it will just be "buy a bucket of xxx TB" and stop paying per device, or per peering connection.

    posted in IT Discussion
  • RE: MPLS alternative

    @Dashrender said in MPLS alternative:

    In that case, the home user upgrades to no cap or to a business connection, at least with Cox that solves the cap problem. On Cox it's about $50/m to go no cap.

    He moved to AT&T Fiber. No caps on their gigabit product.

    posted in IT Discussion
  • RE: MPLS alternative

    @Dashrender said in MPLS alternative:

    you meant that they somehow exposed those AD servers directly to the Internet - which is just crazy. But leaving them in the background behind the RDS/ICA servers should be pretty secure?

    Normally the RDS/ICA don't sit on the internet at all either; they hide behind reverse proxies (Netscaler/F5/AVI etc. for Citrix, as they deprecated CSG). At that scale you'll want something that can do the load balancing and has some awareness of server load (more than just session count).

    posted in IT Discussion
  • RE: MPLS alternative

    @scottalanmiller said in MPLS alternative:

    Right, those would be the options. Obviously the colo approach is cheap and easy and going to AWS/Azure would require the gift of a firstborn child, but technically both work.

    You put VDI in public cloud for a few reasons:

    1. You have some shitty DB2-based app that requires 1ms of latency from the app to the DB and the dataset is in that cloud (and for political/gravity reasons you can't move it).

    2. At a certain scale, being able to spin up a desktop pool for 8 hours then shut it down (and not pay for it) for 16 a day (and roll through regions and follow employees) lets you do some wacky things to cut costs.

    3. Microsoft licensing being punitive as hell for some things that are not in Azure, or Oracle kinda forcing people to put things in Oracle Cloud, and you want desktops that are "close" to other applications.

    posted in IT Discussion
  • RE: MPLS alternative

    @scottalanmiller said in MPLS alternative:

    Exactly. And once LANless, there is no need for XenApp to sit on your LAN at all. You can move it to colo or cloud whenever you want. Ours is in colo and uses zero LAN resources.

    XenApp can be thirsty on bandwidth to the home site with certain apps. I've seen someone hit their data transfer allowance with Comcast entirely using XenApp (a geologist looking at 3D models all day, though).

    posted in IT Discussion
  • RE: MPLS alternative

    @scottalanmiller said in MPLS alternative:

    MPLS is the alternative here. MPLS acts identically to a VPN aggregator in a mesh edge VPN gateway design. So in the very, very rare case that you want to replicate MPLS, you simply use the VPN design that MPLS is modeled on.

    So there is one "difference". MPLS as a private line WILL honor your DSCP (QoS tagging at layer 3) tags over the WAN. Historically, for latency-sensitive apps (voice) you could do stuff like tag SIP control traffic to EF (Expedited Forwarding) and tag AF31 (priority) on RTP (the voice payload), and the CoS-to-DSCP mappings at your MPLS router would make sure that if anything was going to drop or have issues with buffering, the voice traffic would "ride through" with priority. When your alternative was a T1 for 500, paying 800 for an MPLS T1 was "worth it" because to get the equivalent experience you'd probably need a 10Mbps fiber handoff that back in 200x was going to cost you 8K a month or something insane.

    Now a TON of people who buy MPLS don't realize:

    1. You gotta tag your traffic.
    2. You need to CALL YOUR PROVIDER and find out what the priority queues and tags they support look like, and what their profile is (or apply one). By default they often just ignore tags.
    3. In most of the world these days it's cheaper to just buy more bandwidth, aggregate links from multiple providers, and do dynamic traffic shaping with VPN meshes across them. You can also do stuff like inject parity into streams that have packet loss on bulk traffic, and for skinny flows that you need 100% delivery on (voice) do things like double deliver the packets (if I've got a 64Kbps voice call, sending that down both the cable modem and the 5G connection isn't really a big deal).

    What does all of these magical things? SD-WAN. SD-WAN is a marketing term for next-generation magic bandwidth massaging router/mesh systems that generally have a really nice central control. Could you do similar things with ISRs and performance-based routing and DMVPN meshes? (Ehhhh, maybe 1/2 of it, but it would cost a fortune and require a damn CCIE to manage.)

    My employer is a player in this space (NSX SD-WAN, formerly VeloCloud). There's also Cisco Viptela and a ton of other players (RiverBed, F5 networks, HPE bought someone I'm forgetting).

    A thing to note on SD-WAN is you can "buy it" yourself, but also a lot of telcos and bandwidth aggregators will sell it to you (then you just get a CPE box, and they handle the billing and sourcing of backup providers). There are pros and cons to how much ownership you want of this (PacketPushers has had some strong opinions on why you want to own, but given the savings vs. MPLS, if you need to get out of a contract now even an MSP-managed one is going to be 1000x better than renewing an MPLS line).

    The general trend I'm seeing is people get fiber if they can, coax if they can't, and then they bolt 2-3 different wireless dongles onto the box and prioritize the circuits they don't pay per packet on, but have options if things go sideways. 5G having 4 major network operators is going to make wireless an even player against fiber and coax soon enough (AT&T/T-Mobile/Verizon/Dish/cable company in a 5-way bidding war will get fun).

    posted in IT Discussion
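The post above makes two points a network engineer usually has to verify by hand: DSCP lives in the top six bits of the IPv4 ToS byte, and a carrier will often strip or remark those bits unless the contract says otherwise. The following is an added example, not code from the post or from any vendor named in it. It encodes and decodes DSCP in a minimal IPv4 header and then compares "as sent" against "as received" copies of the same packets to report whether each marking was preserved, cleared, or remarked. The DSCP code point values are the standard ones (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF); the packet bytes, addresses and the SIP-to-EF / RTP-to-AF31 policy are constructed to mirror the post's description, not a recommendation.

```python
"""Added example: DSCP encode/decode for IPv4 and a WAN marking audit.
Packet bytes, addresses and the marking policy below are constructed
for illustration; only the DSCP code point table is standard."""
import struct

# Standard DSCP code points (RFC 2474 CSx, RFC 2597 AFxy, RFC 3246 EF).
DSCP_NAMES = {
    0: "BE", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
    16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23",
    24: "CS3", 26: "AF31", 28: "AF32", 30: "AF33",
    32: "CS4", 34: "AF41", 36: "AF42", 38: "AF43",
    40: "CS5", 46: "EF", 48: "CS6", 56: "CS7",
}
NAME_TO_DSCP = {name: code for code, name in DSCP_NAMES.items()}


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the top 6 bits of the ToS byte, ECN the bottom 2."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def tos_to_dscp(tos: int) -> int:
    """Recover the 6-bit DSCP from a ToS byte, ignoring the ECN bits."""
    return (tos >> 2) & 0x3F


def dscp_name(dscp: int) -> str:
    return DSCP_NAMES.get(dscp, f"DSCP{dscp}")


def build_ipv4_header(dscp: int, proto: int, src: str, dst: str,
                      payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; checksum is left zero (parsing demo only)."""
    version_ihl = (4 << 4) | 5                      # IPv4, 5 x 32-bit words
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       version_ihl, dscp_to_tos(dscp), 20 + payload_len,
                       0, 0, 64, proto, 0, src_b, dst_b)


def ipv4_dscp(packet: bytes) -> int:
    """Read the DSCP from byte 1 of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return tos_to_dscp(packet[1])


def audit_dscp(samples):
    """samples: iterable of (label, packet_as_sent, packet_as_received).

    Returns {label: verdict} where verdict is 'preserved', 'cleared'
    (carrier zeroed the field, i.e. best effort) or 'remarked:<name>'.
    """
    verdicts = {}
    for label, sent, received in samples:
        s, r = ipv4_dscp(sent), ipv4_dscp(received)
        if s == r:
            verdicts[label] = "preserved"
        elif r == 0:
            verdicts[label] = "cleared"
        else:
            verdicts[label] = f"remarked:{dscp_name(r)}"
    return verdicts


# Constructed sample. The site marks as the post describes (SIP signalling EF,
# RTP AF31); the "received" copies stand in for captures at the far WAN edge.
SITE_A, SITE_B, UDP = "10.1.0.10", "10.2.0.10", 17
SAMPLES = [
    ("sip",  build_ipv4_header(NAME_TO_DSCP["EF"], UDP, SITE_A, SITE_B),
             build_ipv4_header(NAME_TO_DSCP["EF"], UDP, SITE_A, SITE_B)),   # honoured
    ("rtp",  build_ipv4_header(NAME_TO_DSCP["AF31"], UDP, SITE_A, SITE_B),
             build_ipv4_header(0, UDP, SITE_A, SITE_B)),                    # zeroed by carrier
    ("bulk", build_ipv4_header(NAME_TO_DSCP["AF11"], UDP, SITE_A, SITE_B),
             build_ipv4_header(NAME_TO_DSCP["CS1"], UDP, SITE_A, SITE_B)),  # remarked to scavenger
]

if __name__ == "__main__":
    for label, verdict in audit_dscp(SAMPLES).items():
        print(f"{label:5s} {verdict}")
```

In practice the "received" side comes from a packet capture at the remote site; feeding those headers through `audit_dscp` is the quickest way to find out whether the provider profile the post tells you to ask about is actually being applied, before you build a QoS policy that depends on it.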