For basic site filter, would you consider OpenDNS? Then, like Jared said, discipline the employees.

@irj said in Staying at your shitty employer is your fault:

@gjacobse said in Staying at your shitty employer is your fault:

@irj said in Staying at your shitty employer is your fault:

He's referring to total comp in which you get a base of $150-200k

Lol - Guess I'm in the wrong LinkedIn circle as I don't get anything in that base range... And I'm okay with that (twitch).

It's generally based on skillset and experience. 2-3 years cloud experience is super valuable right now. I posted about this in 2019 here.

https://mangolassi.it/topic/19837/you-need-to-get-cloud-certified

I'm 6 years into IT (network admin, sysadmin, security (generalist)) and have my Security+ and am making $70,000 in Wisconsin right now. Is that low/normal/high?

@obsolesce said in Staying at your shitty employer is your fault:

@dave247 said in Staying at your shitty employer is your fault:

@jaredbusch said in Staying at your shitty employer is your fault:

@dave247 said in Staying at your shitty employer is your fault:

Where is everyone searching for quality IT job postings these days?

Word of mouth. I've never gotten a good job from a random posting.

I suppose the correct answer to myself is a wide net of every combination, including word of mouth, job posting sites like Indeed, Monster, etc, direct job postings on the website of the company, LinkedIn, etc.

I managed to get my first IT job using my state's job network website. I got a call-back from HR and had some awesome back and forth and landed a great gig. My friend and past co-worker got an amazing job from a head-hunter on LinkedIn. Another friend got a job from a company website post...

The last several good jobs I was either offered or have started were directly from LinkedIn, and some of them are $300K to $500K jobs.

Can I ask what kind of IT jobs those were and the general requirements? That seems a little hard to believe unless you're talking about jobs in the major US technology hubs... but I have limited knowledge and experience in this area.

@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.

Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?

Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.

Yes, the Sonicwall supports TOPT codes on the connection, thankfully. The VPN connection wouldn't be forced, though users would obviously need a continuous VPN connection to use apps on the local network. We do also have O365 so they aren't dead in the water if the VPN went down for some reason. Yes, I have redundant firewalls, Internet and power, etc. I have as much redundancy and failover as possible/makes sense to. Internet goes down maybe twice a year since I've been there (5+ years) so it's not really a concern at all. Honestly, this is probably the best setup currently for us in our current state.

@JasGot pretty much helped me the most here to solve my problem, which was just something simple I had overlooked.

/thread

@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.

Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?

Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.

No, you cannot use 2FA from within Windows Login screen with Sonicwall NetExtender.

Actually you can. You just click the icon to pull up NetExtender and punch your creds in, then it asks you for the TOTP.

@jaredbusch said in Staying at your shitty employer is your fault:

@dave247 said in Staying at your shitty employer is your fault:

Where is everyone searching for quality IT job postings these days?

Word of mouth. I've never gotten a good job from a random posting.

I suppose the correct answer to myself is a wide net of every combination, including word of mouth, job posting sites like Indeed, Monster, etc, direct job postings on the website of the company, LinkedIn, etc.

I managed to get my first IT job using my state's job network website. I got a call-back from HR and had some awesome back and forth and landed a great gig. My friend and past co-worker got an amazing job from a head-hunter on LinkedIn. Another friend got a job from a company website post...

Where is everyone searching for quality IT job postings these days?

@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dbeato The version I have is 10.2.319 and it doesn't have that option.

There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)

For the record, the latest version is 10.2.315 and the functionality is there regardless of if you install or upgrade.

If I wanted to troll you, I would have failed very badly. You must know me for a while now that I don't troll. Here it is

This is also provided on the SMA Appliances which also has been posted here
https://www.reddit.com/r/sonicwall/comments/rbrlsv/netextender_102319/

http://www.wehrenberg.ch/remote.html (Downloads are there)

If you try that version it does go away. However in your case using a different version works for you and that's all that matter.

ah, well they must have removed it due to the bug since it's not available for download from Sonicwall's official download sources. I wouldn't get it anywhere else.

@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dbeato The version I have is 10.2.319 and it doesn't have that option.

There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)

For the record, the latest version is 10.2.315 and the functionality is there regardless of if you install or upgrade.

@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dbeato The version I have is 10.2.319 and it doesn't have that option.

Looks like I'm on 10.2.300. First time connecting it said NetExtender was required to update versions (I had a slightly earlier version on the file share) and it auto-updated with this. I can try updating it and see if the option goes away but I don't understand why they would remove it...

@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 That won't work on the latest Sonicwall NetExtender client. It doesn't allow for that.

Can you elaborate on what won't work? I literally downloaded the most recent NetExtender client and its working fine.

@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@jasgot said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.

I use this exact same setup for all of our clients. It works perfectly.

Tell me. When you start up the Laptop, and once you press <CTRL>-<ALT>-<DEL> to login, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?

And do you see this NetExtender logon when you click it?

It will bring you here next. Building the VPN BEFORE authenticating to the domain.

This should all work for you without any issues.

Woah! I'm glad I posted here.. I completely missed that for some reason!!!! Its working now as intended... DUDE THANK YOU. You just saved me so much trouble. I owe ya

@jasgot said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.

I use this exact same setup for all of our clients. It works perfectly.

Tell me. When you start up the Laptop, and once you press <CTRL>-<ALT>-<DEL> to login, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?

And do you see this NetExtender logon when you click it?

It will bring you here next. Building the VPN BEFORE authenticating to the domain.

This should all work for you without any issues.

Woah! I'm glad I posted here.. no I didn't see that icon and I was actually looking for it, but I will check asap... What settings do you have for NetExtender?

@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247

On every Windows PC I've seen setup with VPN, you login in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.

So maybe you're overcomplicating things.

Yeah I think that's my issue. I was at home when I joined my test system to the domain so it couldn't finish the task and cache my credentials. I will have to play around with stuff a bit more not on the weekend. I think I can get this working the way I want...

Hi all, I'm just looking to get some insight and direction with this as I'm a little stuck here...

I currently have several domain joined laptops that I’m looking set up so that users can take then home to work remote when needed, then bring them back to use as their main PC when on site. My company currently uses a Sonicwall NSA UTM which has SSLVPN, which, along with the NetExtender client, allows remote users to connect into to the network as if they were on-prem.

As a POC phase, I have successfully set up the SSLVPN settings with TOTP for MFA on the connection. I have a domain joined laptop with NetExtender installed and I can connect into the corporate network (full tunnel mode) and be on the domain and access everything just as if I was sitting in my office. That all works fine, except one thing.

The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.

I think there is an option to set it up so the VPN client connects automatically (before Windows login) but the issues with that are:

1. During the times the laptop is on-prem, I don’t want it to connect to the VPN
2. When the user’s password changes, it would stop being able to automatically connect
3. I have TOPT enabled for MFA so I would potentially have to remove that for it to auto-connect

A solution for all those problems would be that I could create local users on the Sonicwall and have NetExtender connect using a super long password that doesn’t expire and without TOPT, but at that point I’m worried I’d be getting a little over-complex and less secure with the solution.

I have also considered VMware Horizon and Citrix Cloud to simply deliver users to their on-prem computers but that would mean an even more complex setup and having two computers for each remote user, their main PC and a laptop acting as a “thin client”.

I think there are other options like Remote Desktop Services / Terminal Services, Always on VPN or per-App VPN but looking on the surface seems like it might be a ton more infrastructure to add. That would be fine if it ended up being necessary, but at the end of the day, I’m just trying to make it so remote users can seamlessly run about only 6 locally installed AD integrated applications along with several Windows file server shares on their computers as if they were on-prem.

@obsolesce said in Any good recommendations for web content filtering and reporting?:

I set up Squid Proxy in the past for a company and it worked really well.

Cool. I've always wanted to try that out. I will have to set up in my lab and check it out.

I'm not happy with our current products. I just need something that is stable and does a good job of reporting on user's web activities. Looking for some suggestions/direction.

@gjacobse you could use Notepad++ with the search and replace function. You might have to do a couple of passes but that is how I've stripped things off of multiple lines of text in the past. You'd just replace whatever text you want to remove with whitespace.

@dbeato said in I've been asked to set up MFA on internal computers and servers:

@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

@dave247 said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

@dbeato said in I've been asked to set up MFA on internal computers and servers:

@dave247 said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

It's also per-user perpetual licensing

oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.

Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/

Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.

OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.

I guess "knowing to unplug the cable" is the second factor?

Also you can disable that setting and it won't let you login at all in Duo.

My main problem with this is that we lose internet connectivity a few times per year and people won't be happy if they can't get into their computers. We have limited providers in our small and rural area. I would do offline codes but apparently that is per/pc and we have quite a bit of computer sharing, which would essentially mean people would have to deal with the offline registration pop-up on every pc and/or have an offline MFA added to the app for multiple computers. If I find a good way around this in time, I will disable MFA bypass when offline.

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

@dave247 said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

@dbeato said in I've been asked to set up MFA on internal computers and servers:

@dave247 said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

It's also per-user perpetual licensing

oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.

Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/

Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.

OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.

Pretty much lol.

Currently it's more of a audit/exam item check box for us. That said, this is just phase 1 of rollout. I'll gradually tweak and tighten things after deployment. Also, the back of our computers are locked so employees can't really get at the network cable.

Additionally, this is just one of many security layers. I have stuff locked down in other places that I feel matter quite a bit more. This is just going to help prevent unauthorized local and RDP logins for internal computers and servers only (users can't even get at servers currently).