
    Posts

    • RE: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange

      @DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:

      At a prior position they went full tilt "O365/SSO everything" and while it all worked with a LOT of effort the monthly cost was insane per user, something like $42/U/Month for just our 1 location of 160 people.
      Globally they had over 9000, that's a huge burden.

      Except it's not.

      1. It's opex not capex, so it's not dragging down ROIC ratios for Wall Street. (big in Mfg and some industries).
      2. It's just dumped into the fully burdened cost of an employee. If your average employee is paid 50K they probably cost another 20K in benefits, training, taxes, office space, utilities and other overhead a year. Paying $42 a user per month at that scale gets you out of:
      3. "owning" versions of Office Suite is great until you end up with 4 different versions of office in the office. Then it becomes a nightmare.
      4. Managing Exchange and SharePoint etc at scale is a full-time job. Paying someone else to manage it wins vs. hiring people to do that.
      5. Again it's $42 per user per month. We were spending more than that per employee on drinks and snacks before COVID hit. Stocking 14 flavors of LaCroix, and the thousands of pounds of M&M's and "the good nuts" adds up. For a company with 9000 users, something that people are spending hours a day in, that's just cheap.
      posted in News
      StorageNinja
    • RE: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange

      @DustinB3403 said in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Exchange:

      I generally agree with that statement @IRJ except that the long term cost of hosting isn't cost effective as the vendor can price jack the rates any time that they want.

      They can't for us. We signed an EA and have fixed price terms for the length of the contract.

      posted in News
      StorageNinja
    • RE: Obtaining hardware from terminated remote employee

      @JaredBusch said in Obtaining hardware from terminated remote employee:

      Hardware is not worth the fucking time to get back.

      If the company thinks wasting man hours on that is a good idea the company is insane

      While I largely agree, our R&D laptops are ~2-3K a pop. (fully max spec'd MBP or XPS with onsite repair agreements).

      I did hear we have started on the Macs using DEP, so the device will auto-enroll in MDM even if the device is wiped.
      https://support.apple.com/en-us/HT204142

      posted in IT Discussion
      StorageNinja
    • RE: Obtaining hardware from terminated remote employee

      @scottalanmiller said in Obtaining hardware from terminated remote employee:

      Can't do that legally for US employees though, in most cases.

      I worked a place that kept your first week's wages as a deposit against hardware (yes, this is weirdly legal at least in Texas).
      Eventually, it got silly as more and more of the office switched to BYOD (The rule dated back to when they issued $600 smartphones and laptops that cost 2K).
      This was technically in the signed work contract but many people angrily found out about it after their first paycheck was kinda "light".

      posted in IT Discussion
      StorageNinja
    • RE: MPLS alternative

      @Dashrender said in MPLS alternative:

      Nice - sadly not the case with Cox, their gig product has the typical 1 TB cap, which really, if you think about it - if you need the 1 gig, that cap is ridiculous!

      When we move to 5G and we just put a 5G Modem in EVERYTHING eventually it will just be "buy a bucket of xxx TB" and stop paying per device, or per peering connection.

      posted in IT Discussion
      StorageNinja
    • RE: MPLS alternative

      @Dashrender said in MPLS alternative:

      In that case, the home user upgrades to no cap or to a business connection, at least with Cox that solves the cap problem. On Cox it's about $50/m to go no cap.

      He moved to AT&T Fiber. No caps on their gigabit product.

      posted in IT Discussion
      StorageNinja
    • RE: MPLS alternative

      @Dashrender said in MPLS alternative:

      you meant that they somehow exposed those AD servers directly to the Internet - which is just crazy. But leaving them in the background behind the RDS/ICA servers should be pretty secure?

      Normally the RDS/ICA don't sit on the internet at all either and they hide behind reverse proxies (Netscaler/F5/AVI etc. for Citrix as they deprecated CSG). At the scale you'll want something that can do the load balancing and have some awareness of server load (more than just session count).

      posted in IT Discussion
      StorageNinja
    • RE: MPLS alternative

      @scottalanmiller said in MPLS alternative:

      Right, those would be the options. Obviously the colo approach is cheap and easy and going to AWS/Azure would require the gift of a firstborn child, but technically both work.

      You put VDI in public cloud for a few reasons:

      1. You have some shitty DB2 based app that requires 1ms of latency from the app to the DB and the dataset is in that cloud (and for political/gravity reasons you can't move it)

      2. At a certain scale being able to spin up a Desktop pool for 8 hours then shut it down (and not pay for it) for 16 a day (and roll through regions and follow employees) you can do some wacky things to cut costs.

      3. Microsoft licensing being punitive as hell for some things that are not in Azure, or Oracle kinda forcing people to put things in Oracle Cloud and you want desktops that are "close" to other applications.

      posted in IT Discussion
      StorageNinja
    • RE: MPLS alternative

      @scottalanmiller said in MPLS alternative:

      Exactly. And once LANless, there is no need for XenApp to sit on your LAN at all. You can move it to colo or cloud whenever you want. Ours is in colo and uses zero LAN resources.

      XenApp can be thirsty on bandwidth to the home site with certain apps. I've seen someone hit their data transfer allowance with Comcast entirely using XenApp (Geologist looking at 3D models all day though).

      posted in IT Discussion
      StorageNinja
    • RE: MPLS alternative

      @scottalanmiller said in MPLS alternative:

      MPLS is the alternative here. MPLS acts identically to a VPN aggregator in a mesh edge VPN gateway design. So on the very, very rare case that you want to replicate MPLS, you simply use the VPN design that MPLS is modeled on.

      So there is one "difference". MPLS as a private line WILL honor your DSCP (QoS Tagging at layer 3) tags over the WAN. Historically for latency-sensitive apps (Voice) you could do stuff like tag SIP control traffic to EF (Expedited Forwarding) and tag AF31 (priority) to RTP (the voice payload) and the CoS to DSCP mappings at your MPLS router would make sure that if anything was going to drop or have issues with buffering the Voice traffic would "ride through" with priority. When your alternative was a T1 for 500, paying 800 for an MPLS T1 was "worth it" because to get the equivalent experience you'd probably need a 10Mbps Fiber handoff that back in 200x was going to cost you 8K a month or something insane.

      Now a TON of people who buy MPLS don't realize:

      1. You gotta tag your traffic.
      2. You need to CALL YOUR PROVIDER and find out what the priority queues and tags they support and profile look like (or apply one). By default they often just ignore tags.
      3. In most of the world these days it's cheaper to just buy more bandwidth, and aggregate links from multiple providers, and do dynamic traffic shaping with VPN meshes across them. You can also do stuff like inject parity into streams that have packet loss on bulk traffic, and for skinny flows that you need 100% delivery on (Voice) do things like double deliver the packets (If I've got a 64Kbps voice call, sending that down both the Cable Modem and the 5G connection isn't really a big deal).

      What does all these magical things? SD-WAN. SD-WAN is a marketing term for next-generation magic bandwidth massaging router/mesh systems that generally have a really nice central control. Could you do similar things with ISRs and Performance-based routing and DMVPN meshes? (ehhhh, maybe 1/2 of it, but it would cost a fortune and require a damn CCIE to manage)

      My employer is a player in this space (NSX SD-WAN, formerly VeloCloud). There's also Cisco Viptela and a ton of other players (RiverBed, F5 networks, HPE bought someone I'm forgetting).

      A thing to note on SD-WAN is you can "buy it" yourself, but also a lot of Telcos and bandwidth aggregators will sell it to you (Then you just get a CPE box, and they handle the billing and sourcing of backup providers). There are pros and cons to how much ownership you want of this (PacketPushers has had some strong opinions on why you want to own, but given the savings vs. MPLS if you need to get out of a contract now even an MSP managed one is going to be 1000x better than renewing an MPLS line).

      The general trend I'm seeing is people get Fiber if they can, COAX if they can't and then they bolt 2-3 different wireless dongles onto the box and they prioritize the circuits they don't pay per packet on, but have options if things go sideways. 5G having 4 major network operators is going to make wireless be an even player against Fiber and Coax soon enough (AT&T/T-Mobile/Verizon/Dish/cable company in a 5 way bidding war will get fun).

      posted in IT Discussion
      StorageNinja
    • RE: Apple Officially Releases their ARM M1 Powered Lineup

      @scottalanmiller said in Apple Officially Releases their ARM M1 Powered Lineup:

      USB4 is TB3 compatible.

      Intel removed licensing for TB3 as part of agreement to make part of USB4 spec.

      posted in IT Discussion
      StorageNinja
    • RE: vSAS - Value Serial Attached SCSI

      @Dashrender said in vSAS - Value Serial Attached SCSI:

      I'd ask the same about SAS vs NVMe chips... I mean, of course they might not cost different, but then again, they would be wildly apart.

      100% of the time a SAS drive needs a SAS HBA or RAID Controller to speak to a CPU (and possibly a SAS expander). In 90% of the NVMe configs you see, an NVMe drive talks straight to the PCI-E bus and the CPU so this is apples/oranges.

      posted in IT Discussion
      StorageNinja
    • RE: vSAS - Value Serial Attached SCSI

      @Dashrender said in vSAS - Value Serial Attached SCSI:

      Can you hot swap NVMe?

      Yes. There's basically 2 ways. Intel VMD, and the NVMe spec for hotswap. It's a work in progress but yes, it's not impossible. Our HCL lists which NVMe drives we support it with.

      Is there a backplane solution for NVMe?

      There are backplanes that can take EITHER NVMe or SAS drives (HPE has them). Note, U.2 generally just plug straight NVMe to PCI-E bus, but there are crossbar solutions (They were a few hundred bucks last I saw, but they exist).

      These might be reasons... plus cost is still a reason assuming NVMe's are noticeably more expensive.

      There are cheaper QLC NVMe drives, and there are high endurance eMLC SAS drives that will outperform them on writes. Don't confuse an interface for a drive speed.

      posted in IT Discussion
      StorageNinja
    • RE: Apple Officially Releases their ARM M1 Powered Lineup

      @Pete-S said in Apple Officially Releases their ARM M1 Powered Lineup:

      For instance, Ubuntu has had one or several mobile OS working on some devices. It's all ARM CPUs. Have any of these ever worked on any Apple tablet or phone or watch or...?

      Apple has APIs for bhyve. Technically I think we use them for some of our container run time stuff so we can call metal etc. You may never see Linux run bare metal on MacBooks but if it runs in a Virtual Machine that abstracts the hardware (IE in Fusion) do you really care?

      posted in IT Discussion
      StorageNinja
    • RE: Apple Officially Releases their ARM M1 Powered Lineup

      @scottalanmiller said in Apple Officially Releases their ARM M1 Powered Lineup:

      And on PowerPC before that.

      and Motorola before that!

      posted in IT Discussion
      StorageNinja
    • RE: Apple Officially Releases their ARM M1 Powered Lineup

      @marcinozga said in Apple Officially Releases their ARM M1 Powered Lineup:

      That 16GB RAM limit though.... Previous gen Mac Mini went up to 64GB. And no 10Gbit ethernet

      Ehhh USB4 we'll have adapters in no time.

      posted in IT Discussion
      StorageNinja
    • RE: How Many HCI Nodes for the SMB

      @Pete-S said in How Many HCI Nodes for the SMB:

      But if you run a generic benchmark that is not designed to give inflated numbers, the situation is different.

      I don't run generic benchmarks in production for a living thankfully 🙂
      The reality is most CPU intensive stuff takes advantage of at least some of the new offload extensions and libraries. Also memory throughput is often the limiting factor for databases and other intensive IO applications.

      posted in IT Discussion
      StorageNinja
    • RE: How Many HCI Nodes for the SMB

      @travisdh1 said in How Many HCI Nodes for the SMB:

      How many SMBs actually use Oracle RAC or SAP HANA? Can't be many.

      I know people with 20 employees and 400 Oracle databases FWIW. There's a lot of smaller application providers who do niche SaaS stuff.

      SAP is pulling Oracle support, and making everyone move to HANA going forward for their apps.

      posted in IT Discussion
      StorageNinja
    • RE: How Many HCI Nodes for the SMB

      @scottalanmiller said in How Many HCI Nodes for the SMB:

      The implication of two nodes is that it is still N+1. You just buy bigger nodes if necessary to keep it to two nodes.

      If you're licensing Oracle RAC for 40K per core (list, I know you'll pay less but still) or SAP HANA (where you pay per TB of RAM) then scaling out to a larger cluster has some advantages on N+1 math where 50% vs. 25% on 4 smaller nodes for HA protection comes into play.

      posted in IT Discussion
      StorageNinja
    • RE: Proxmox install for use with a ceph cluster

      @scottalanmiller said in Proxmox install for use with a ceph cluster:

      Yes, but it blocks SMART so you never want to do it, it undermines the stability of the JBOD. There's always a standard controller on the MOBO for the JBOD connections.

      Also blocks TRIM commands (not that I trust the Linux TRIM driver to ATA drives given how many one-off exceptions to disable they've had to write).
      Operationally it's messy because on a drive failure you have to go in with PERCLI etc, and rebuild the RAID 0s. We used to run this but it was just a royal pain in the ass.

      posted in IT Discussion
      StorageNinja