L4ndy

Forum Replies Created

Viewing 30 posts - 1 through 30 (of 2,461 total)
    L4ndy
    Member
    in reply to: Daniel Petri Injured In Motorcycle Accident #277193

    I hope Daniel is feeling better, and I'm glad he’s recovering.

    L4ndy
    Member
    in reply to: Define network connection #277192

    Re: Define network connection

    Windows normally does select this automatically. The LAN adaptor does normally take priority as it has a higher Metric value.

    See if this helps http://www.howtogeek.com/howto/27994/how-to-change-the-priority-of-wiredwireless-network-cards-in-windows/

    ** I have known this not to be very consistent in certain scenarios though.

    L4ndy
    Member
    in reply to: Not able to connect to bl2prd0510.outlook.com server #277191

    Re: Not able to connect to bl2prd0510.outlook.com server

    There doesn’t seem to be an MX record for that.
    Also the IP address you put in there doesn’t correspond to that.
    Check with your service provider.

    L4ndy
    Member
    in reply to: 50/50 DHCP – Load Balance #277190

    Re: 50/50 DHCP – Load Balance

    If you are looking at DHCP failover, it might be worth looking at Windows 2012 and scrapping split scopes altogether.
    Windows 2012 supports failover partners and you can have it in hot standby mode or load sharing mode.
    As MS puts it, “the biggest improvement in DHCP in 15 years”.

    L4ndy
    Member
    in reply to: Private school(6-12) network – malicious kids!! #277189

    Re: Private school(6-12) network – malicious kids!!

    “Malicious kids”? I think not..

    Kids at that age are inquisitive by nature. If you have set up your network the way it should be you should not have any problems.
    Can’t stand it when people offload their shortcomings to others sometimes…

    L4ndy
    Member
    in reply to: Firewall considerations for populating an AD forest #277188

    Re: Firewall considerations for populating an AD forest

    First off, you’ll need to change the port that the RPC Endpoint Mapper service uses from a dynamic to a static one.
    The link below covers how to do that, as well as the additional ports needed for AD replication.
    http://support.microsoft.com/kb/224196

    L4ndy
    Member
    in reply to: Active X for IE #277187

    Re: Active X for IE

    See if this helps: http://technet.microsoft.com/en-us/library/cc721964(v=ws.10).aspx

    L4ndy
    Member
    in reply to: TMG behind Cisco ASA #277186

    Re: TMG behind Cisco ASA

    samir381988;264575 wrote:
    Hello,
    Do I have to create a rule for the internal DNS server on TMG?

    Samir.

    No, providing you have properly configured the internal and external networks and the corresponding network adaptors. Just configure the internal adaptor with the DNS settings.

    samir381988;264577 wrote:
    Furthermore, I don’t want to allow internal DNS requests passing through the Cisco ASA.

    Samir

    If you do the above all the DNS traffic will go through the internal DNS (Which will eventually go through the ASA box but that’s how it already should be configured anyway so it’ll use the existing rules.)

    L4ndy
    Member
    in reply to: TMG behind Cisco ASA #277185

    Re: TMG behind Cisco ASA

    a) Just a static NAT rule to the TMG external interface.
    b) I don’t believe you need to worry about that.
    c) Just configure DNS on the internal interface of TMG and let the DNS queries go through your internal DNS servers.
    d) The previous point answers this query.

    L4ndy
    Member
    in reply to: Web Based AD Search #277184

    Re: Web Based AD Search

    Look into AD Web Services but you’ll need a 2008 r2 DC.
    http://technet.microsoft.com/en-us/library/dd391908(v=ws.10).aspx

    L4ndy
    Member
    in reply to: SID Issue – Not Resolving #277183

    Re: SID Issue – Not Resolving

    Another reason could be broken or no longer existing trusts, or SID history of migrated objects.

    L4ndy
    Member
    in reply to: TMG behind Cisco ASA #277182

    Re: TMG behind Cisco ASA

    cruachan;264529 wrote:
    Completely pointless IMO, if you have spent the money on TMG bin the ASA. The only valid scenario for using 2 devices like this IME is using TMG as a single-NIC reverse proxy, and that is a waste to TMG given how expensive it is.

    Aside from that, you’re looking at 2 layers of NAT between your internal network and the internet, so you can run into VPN issues if you use IPSEC VPNs.

    Well, that’s like saying I have a new front door now so I’ll get rid of the gate..
    There is nothing wrong with having the TMG as a back firewall box whilst doing forward or reverse proxying as well. The ASA box can handle VPNs and NATting as well as being a solid hardware firewall.
    As I said, whilst TMG is more than capable of handling those on its own, why not use the ASA if it’s there?
    There are no two layers of NATting, just two different rules..

    L4ndy
    Member
    in reply to: TMG behind Cisco ASA #277181

    Re: TMG behind Cisco ASA

    TMG is a more than capable firewall on its own, but if you have an ASA box in front it should still be OK. Just create a 1-to-1 NAT rule to the TMG external interface and restrict the traffic to just ports 80 and 443.

    L4ndy
    Member
    in reply to: Blocking specific sites without using any software #277180

    Re: Blocking specific sites without using any software

    I agree that it needs reinforcing from HR, but there are certain expectations that can be achieved technically to ensure compliance.
    With the wide range of open source proxy servers now (Inc Squid) you should be able to restrict that traffic (even if it’s https).
    You could also create a DNS zone and equivalent firewall rules to block it that way, saving you the management headache of the Hosts file.
    IMO a total ban of facebook wouldn’t worry me despite the freedom of internet argument. It’s becoming a bit of a religion which we could do with less if I am honest.

    L4ndy
    Member
    in reply to: Trying to get current logged in "Active Directory" User #277179

    Re: Trying to get current logged in "Active Directory" User

    Can you give us more info, i.e. what the VPN concentrator is and how it is configured to authenticate with AD (i.e. LDAP or RADIUS)?

    Thanks

    L4ndy
    Member
    in reply to: Printing files to printers depending on filename #277178

    Re: Printing files to printers depending on filename

    I haven’t used this in a while to give you any specifics but take a look at PCounter: http://www.pcounter-europe.com/

    There is also a free component it uses called Qcontrol that might be able to help.

    I have dealt with the company in the past and their development team do address any requirements you may have and include them in the next update.
    Worth a look IMO.

    L4ndy
    Member
    in reply to: New Petri member to be #277177

    Re: New Petri member to be

    A little late on this one but Congratulations mate.

    L4ndy
    Member
    in reply to: Weird DNS Issue #277176

    Re: Weird DNS Issue

    Any Events logged?
    See if this helps : http://technet.microsoft.com/en-us/library/cc735852(v=ws.10).aspx

    L4ndy
    Member
    in reply to: Exchange 2010 email monitoring tool #277175

    Re: Exchange 2010 email monitoring tool

    Not sure what the exact requirements and your setup are, but you won’t be able to proactively monitor e-mails once they leave your Exchange server or before they hit it.
    For issues related to your Exchange org you could use the mail flow tools in EMC,
    or you could have an Edge Transport server or an equivalent third-party Exchange gateway such as the Sophos E-mail appliance to further channel and control e-mail traffic.

    L4ndy
    Member
    in reply to: Welcome Ossian – the new forum super mod! #277174

    Re: Welcome Ossian – the new forum super mod!

    Congrats mate. Time to ask for a payrise :)

    L4ndy
    Member
    in reply to: Automatic browser configuration takes too long #277173

    Re: Automatic browser configuration takes too long

    That is normal behaviour, but it’s taking slightly longer than normal. It depends on the PAC file. Can you post the file as suggested?

    L4ndy
    Member
    in reply to: Internal mail security – smtp port #277172

    Re: Internal mail security – smtp port

    You can just restrict relaying in your Exchange server.
    In terms of the Sophos mail appliance, that can just be set up as an upstream mail relay server and route e-mail in and out, amongst other things.

    L4ndy
    Member
    in reply to: Wireless Access points #277171

    Re: Wireless Access points

    It could be either or none of the above.
    It all depends on our needs and requirements.
    I.e., how many clients, what WNICs are used, etc.

    L4ndy
    Member

    Re: How migrate Windows 2000 sp4 files server to windows 2008 R2

    You could use robocopy with the /SEC switch, then re-share and apply share permissions again at the destination server.
    Or use a third party tool like Secure Copy (Scriptlogic) which is quite expensive but it does everything on the fly for you.

    L4ndy
    Member
    in reply to: biggles77 – saying goodbye #277169

    Re: biggles77 – saying goodbye

    A Petri forum without Biggles77 – doesn’t make sense.
    I wish you and the family all the best dude.
    Stay in touch. :beer:

    L4ndy
    Member

    Re: Can you update clients Java, Adobe, Firefox through a GPO

    To centrally manage the Patch deployment, you can use any mentioned deployment methods, or you can have a look at LUP (Local Update Publisher) http://www.localupdatepublisher.com/ an Open Source alternative which uses the WSUS API and mechanism to deploy custom packages inc updates for Flash etc.
    Depending on your setup and applications you use, I’d say it’s a good practice to control the Patch update process rather than let them update themselves.

    L4ndy
    Member

    Re: Configure WebReady and Direct File access from different sources

    Well, a few things.
    TMG can be equally a forward and a proxy.
    UAG hasn’t got any firewall capabilities; TMG handles that on its behalf.
    The TMG firewall rule also determines that UAG only acts as a reverse proxy.
    UAG doesn’t do forward proxying.
    Anyway, as we are sidetracking a bit, my query was really around OWA virtual directories and WebReady policies. TMG and UAG were mentioned to give you a full picture of the setup but bear not much importance.

    L4ndy
    Member

    Re: Configure WebReady and Direct File access from different sources

    cruachan;258166 wrote:
    I think this would probably be easier to do if things were the other way round, as TMG has much better firewalling capabilities than UAG but UAG is better at application publishing.

    Hmm, not sure about that..

    UAG uses TMG as the underlying firewall. Whilst it is fully configurable as a standalone TMG it’s not recommended to be messed with as it is reserved for the rules generated by the UAG request.
    In terms of application publishing, they are both reverse proxies that publish applications slightly differently, with UAG having some extended capabilities such as endpoint checking.. which doesn’t necessarily make it better at publishing .. just different.

    This is the scenario we have in here and that’s not changing. It could have been two TMGs side by side but that’s not the point.

    Quote:
    A sneaky way of doing this might be to send requests for OWA etc from UAG to TMG and use a TMG rule to restrict the traffic. However I think this would only work if WebReady and Direct File Access use different virtual directories in IIS. Come to think of it, I’ve never looked at the feature in IIS7 but IIS6 could be told which IPs were allowed to access which virtual directories, so if they are different from OWA you could just deny access to the UAG IP address.

    I’ll look into the IIS side. Thanks

    L4ndy
    Member
    in reply to: Install Rights #277165

    Re: Install Rights

    That’s a very good question actually but not straight forward to answer imo.

    Because it depends on quite a few factors, the most important of which is how the program is coded:
    Most programs are coded to write to various system folders and maybe even registry keys that non-admin users would not have write permissions on.
    AFAIK there is no such thing as “Install rights”; it is just a combination of permissions on those locations that enables a user to install software.

    Some programs are coded so you don’t even need any specific permissions (Think of Portable apps).

    One way of finding out how a specific program is coded to run would be to use ProcMon from Sysinternals and check out for Access denied for directories and registry keys.

    From a security perspective though, imagine the damage a malware would cause if it can have access to key OS locations..
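
The ProcMon check suggested in the post above, as an added example that is not part of the original post: a short script that lists the folders and registry keys where one process was refused access, read from a Process Monitor CSV export. It assumes the default export columns; the sample rows, `setup.exe` and `ExampleApp` are constructed for illustration.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed sample in the default column layout of a ProcMon CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.101","setup.exe","4120","CreateFile","C:\Program Files\ExampleApp\app.dll","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.140","setup.exe","4120","CreateFile","C:\Program Files\ExampleApp\app.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.200","setup.exe","4120","RegCreateKey","HKLM\SOFTWARE\ExampleApp","ACCESS DENIED","Desired Access: All Access"
"10:01:02.260","setup.exe","4120","CreateFile","C:\Users\alice\AppData\Local\ExampleApp\cache.db","SUCCESS","Desired Access: Generic Write"
"10:01:02.300","explorer.exe","2210","RegOpenKey","HKLM\SOFTWARE\Other","ACCESS DENIED","Desired Access: Read"
'''


def denied_locations(csv_text, process_name):
    """Return sorted (kind, location, hits) for ACCESS DENIED events of one process."""
    hits = Counter()
    # Real exports start with a byte-order mark; strip it so the header parses.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue
        if row["Operation"].startswith("Reg"):
            # Registry operations: report the key itself.
            hits[("registry", row["Path"])] += 1
        else:
            # File operations: group by parent folder, where the ACL is usually set.
            hits[("file", ntpath.dirname(row["Path"]))] += 1
    return sorted((kind, loc, n) for (kind, loc), n in hits.items())


if __name__ == "__main__":
    for kind, loc, n in denied_locations(SAMPLE_CSV, "setup.exe"):
        print(f"{kind:8} {n:3}  {loc}")
```

The output is the list of locations to review before deciding whether to grant a narrowly scoped permission or keep the install an admin-only task.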

    L4ndy
    Member
    in reply to: Suggestions on Centrally Managed AV/Spyware Products #277163

    Re: Suggestions on Centrally Managed AV/Spyware Products

    I would recommend Sophos. They cater for OSX as well.
    The Endpoint agent includes a Web control option which does web filtering for about 16 categories which you could manage centrally.
    But as you may notice you’ll get various responses based on what folks are used to working with.
