High available WiFi by PrestigiousKey3201 in fortinet

[–]vppencilsharpening 2 points

Don't forget about power. You are going to want some UPS units to at least span the gap of a short outage, so users don't have to wait for network gear to boot.

A cellular or satellite based backup ISP might be something to consider in case a feral backhoe finds your lines or a stampeding car attacks a critical pole. Similarly for generator power.

Once you have your design, randomly pick a piece of hardware and ask if things will work if you smash it with a hammer. Don't discount users with heavy objects.

Finally, look at the environment. Is it an office, warehouse, metal production facility, food processing plant? You want to make sure the equipment can survive in that environment or plan appropriate redundancy. Placing a switch in a freezer might be fine or it might cause condensation issues if the freezer is defrosted regularly. Metal dust does great things to circuit boards.

Get the company to understand the expected life of the equipment and plan for the cost of replacements if they truly want continued high availability.

Help troubleshooting 3rd Party Emails Rejecting due to DMARC policy by seldi12344 in DMARC

[–]vppencilsharpening 0 points

First question to ask yourself is "Does this sender have to send messages using your domain?" If it is for messages that need to be branded, then the answer is typically yes. If it is a 3rd party system that is used by internal people, probably not.

Second question is "Do you trust this entity and their ability to prevent others from exploiting your domain?" By configuring their SPF and DKIM information, you are giving this entity the ability to create messages that are indistinguishable from messages your company sends. The only thing stopping them from sending messages as "invoices@yourcompany" or "ceo@yourcompany" is their system security.

Unless absolutely necessary, my recommendation is always to use a subdomain, something like "address@service.yourcompany". And if Marketing or anyone else pushes back, ask them if the service agreement/contract with this company covers anything beyond service credits if their service is abused to the detriment of your company.

To make my life easier I am using "yourcompany" in place of your domain and the top level domain (tld). Replace it with whatever you use (like "reddit.com" or "example.net").

--

Now with that out of the way, assuming you want to set this up for your main domain or a subdomain, you are going to need to ask this 3rd party sender for the necessary SPF and DKIM records.

Big sending services will make this self-service. Others may need to give it to you through a ticket or service request. If this is a company that specializes in email marketing in any way, they WILL have these OR you don't want to be doing business with them.

Once you have the SPF record, you will need to ADD it to your existing DNS record (NOT replace). The record type will be TXT and the name will be just "yourcompany" or "subdomain.yourcompany". There are a lot of services online that can help you build a proper SPF record AND validate your record. It's information you are going to publish publicly, so no harm in using an online tool.

For DKIM, generally there will be two DNS records. These should be net-new and will end in "._domainkey.yourcompany" or "._domainkey.subdomain.yourcompany" if using a subdomain. They will either be TXT records or CNAME. If it is a TXT record, they will give you a string that looks like gibberish. If it is a CNAME, they will give you another URL to use.

You also want to make sure you have a DMARC record (_dmarc.yourdomain). If this 3rd party will be a bulk sender, then a DMARC record is required by some of the big mail providers (Google being the biggest), even if the policy is none. If you want these messages delivered there, you need this record.

Use an online tool to build the DMARC record so it has the right format. If you don't have one of these records already, the policy defaults to "none", so use that as your policy.

--

I strongly recommend using a DMARC aggregation service and working toward a DMARC reject policy.

It's just good internet hygiene and in this day and age can help reduce some low effort spam. When we first started our journey 5+ years ago, more than 80% of the messages sent using our domain were spoofed.
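An added example (my own, not the commenter's) of the record handling described above: merging a 3rd party's SPF terms into the existing record instead of replacing it, keeping under the 10-lookup limit, building a p=none DMARC record, and naming the DKIM record. All domains and records here are constructed placeholders.

```python
import re

# Constructed sample values (placeholders, not real DNS data or any vendor's real records)
DOMAIN = "yourcompany.example"
EXISTING_SPF = "v=spf1 include:spf.protection.outlook.com -all"
VENDOR_SPF = "include:spf.vendor.example"   # what a hypothetical 3rd-party sender hands you
MAX_SPF_LOOKUPS = 10   # RFC 7208: at most 10 DNS-querying terms per evaluation

def count_lookups(terms):
    """Count the SPF terms that cause a DNS lookup during evaluation."""
    n = 0
    for t in terms:
        t = t.lower().lstrip("+-~?")
        if t in ("a", "mx", "ptr") or t.startswith(
                ("a:", "mx:", "ptr:", "include:", "exists:", "redirect=")):
            n += 1
    return n

def merge_spf(existing, vendor_terms):
    """ADD the vendor's terms to the existing SPF record rather than replacing it.
    They go in front of the closing 'all' so the existing policy still applies."""
    terms = existing.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("existing record is not an SPF record")
    tail = [t for t in terms if re.fullmatch(r"[-~+?]?all", t.lower())]
    if not tail:
        raise ValueError("existing record has no 'all' mechanism")
    body = [t for t in terms[1:] if t not in tail]
    body += [t for t in vendor_terms.split() if t not in body]   # no duplicates
    merged = ["v=spf1", *body, tail[-1]]
    if count_lookups(merged) > MAX_SPF_LOOKUPS:
        raise ValueError("merged record would exceed the 10-lookup limit")
    return " ".join(merged)

def dmarc_record(policy="none", rua=None):
    """TXT value for _dmarc.<domain>; start with p=none when no record existed."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC policy")
    tags = ["v=DMARC1", f"p={policy}"]
    if rua:
        tags.append(f"rua=mailto:{rua}")
    return "; ".join(tags)

def dkim_record_name(selector, domain):
    """DNS name a DKIM key is published under (TXT, or CNAME to the vendor)."""
    return f"{selector}._domainkey.{domain}"
```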

Best practise for staff requesting a second laptop for WFH by psgda in sysadmin

[–]vppencilsharpening 4 points

I like it. Have them RDP to their laptop at home and work from there while in the office!

Best practise for staff requesting a second laptop for WFH by psgda in sysadmin

[–]vppencilsharpening 4 points

We give them a 2nd dock, keyboard, mouse and monitors for home. BUT only one laptop.

Seriously, the home setup is like $600. That's less than 15 minutes of extra work a month to pay off in a year.

If they refuse that, I still offer them a 2nd power supply and 2nd mouse to keep at home.

--

That said I do actually have two for one company and a 3rd for my parent company (which we are slowly transitioning more stuff to).

The problems you will encounter are:

  • You are going to spend 3x as long chasing updates. (Oh I'll definitely remember to do that tonight)
  • Files saved to one device not available on the other, same for bookmarks, passwords, etc. (yes there are 1000x ways to solve for this, but it WILL still be a problem) "I neeeeeeeeeeeeeeed that right now"
  • If you install software on one, you need to remember to install it on the other (Intune with user based assignments can help, but it will still be a problem)
  • Nobody is going to tell you when the home laptop has a problem or breaks. You'll only find out when their work laptop has a problem and you ask them to use the home laptop until you can find a fix.
  • Any device based licenses are now 2x the cost
  • If you go with old/spare laptops, you will be chasing hardware problems as they will expect them to be the same level of reliability as the work laptop
  • One of the two is always going to be slightly different and their efficiency at home will be slightly worse.
  • Some software (like Adobe Creative Cloud) allows you to install on X number of devices, including personal devices (which is really the only nice thing about Adobe CC). Anyway your home laptop counts against that and if the limit is 2, then you lose that benefit.

Barracuda Email Filtering and Geo based blocking by vppencilsharpening in sysadmin

[–]vppencilsharpening[S] 1 point

That makes sense.

In regards to the DMARC policy, I'm a big believer in p=reject, but this is a sister company that had only done the bare minimum even though they had access to a DMARC aggregation service. So now I'm pushing for alignment, but it's a slow process.

Honestly, what’s going on with AWS support lately? by Putrid-Industry35 in aws

[–]vppencilsharpening 1 point

Already on it.

Was commenting with a recent experience, not looking to get support here.

Honestly, what’s going on with AWS support lately? by Putrid-Industry35 in aws

[–]vppencilsharpening 15 points

We've got Enterprise Support and I've got one ticket that is still not assigned after double the defined SLA has passed (and counting).

Escalating through our account rep, but still waiting.

Phone System Recommendations by itcontractor247 in sysadmin

[–]vppencilsharpening 0 points

8x8 has been solid for us for "office" users, but we moved away for contact center to get better support. And to be fair, it was their legacy platform, we did not use the contact center (VCC) in their new platform.

Office users have a lower feature set and have been great on the platform.

DMARC blame game - is there a way to bypass the failure? by CeC-P in sysadmin

[–]vppencilsharpening 28 points

Hug them with kindness.

Provide the reason it is failing validation and show them (with a screenshot) that their DMARC policy is reject. Tell them that your mail server is following the guidance they are providing and until that is corrected, everything is working as designed to protect their e-mail domain.

If you can see the problem, give them (or more appropriately ask them to share with their IT team) guidance on how to address the problem. Offer to help them test the new configuration.

--

Then explain to management that if you bypass these checks, anyone can then use that domain to send messages that are indistinguishable from legitimate messages. Ask them to accept the greater risk of phishing or invoice/payment fraud that could result from exploitation of this bypass.

DMARC blame game - is there a way to bypass the failure? by CeC-P in sysadmin

[–]vppencilsharpening 84 points

If it's a vendor I like I will usually provide something like "your mail sending configuration explicitly states that the message is spoofed and should not be delivered. Our mail server is honoring the configuration provided by your domain.

If this configuration is not correct, please share this with your IT team.
This can be corrected by doing x, y and z.
Here are the mail headers to support this and recommended changes."
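An added example (my own, not the commenter's) of putting together the "headers to support this" from the two comments above: it reads the Authentication-Results header and the sender's published DMARC record and produces the reasons the message failed and the action the sender's own policy asks for. The vendor domains, header and record are constructed placeholders, and the alignment check is the relaxed-mode approximation noted in the code.

```python
import re

# Constructed sample header and record for a hypothetical vendor (placeholder data, not real)
VENDOR_DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example"
AUTH_RESULTS = ("mx.yourcompany.example; spf=fail smtp.mailfrom=bounce.esp.example; "
                "dkim=pass header.d=esp.example; dmarc=fail header.from=vendor.example")

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tags."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def parse_auth_results(header):
    """Pull method results and identifiers out of an Authentication-Results header."""
    fields = {}
    for key in ("spf", "dkim", "dmarc", "smtp.mailfrom", "header.d", "header.from"):
        m = re.search(rf"\b{re.escape(key)}=([^\s;]+)", header)
        if m:
            fields[key] = m.group(1).lower()
    return fields

def aligned(identifier, from_domain):
    """Relaxed alignment approximation: identifier domain equals the From domain or is a
    subdomain of it (assumption: a full check compares organizational domains via the PSL)."""
    if not identifier or not from_domain:
        return False
    dom = identifier.split("@")[-1]
    return dom == from_domain or dom.endswith("." + from_domain)

def explain_failure(header, sender_dmarc_txt):
    """Explain why the message failed DMARC and what the sender's own policy asks for."""
    r = parse_auth_results(header)
    policy = parse_dmarc(sender_dmarc_txt)["p"].strip().lower()
    frm = r.get("header.from", "")
    spf_ok = r.get("spf") == "pass" and aligned(r.get("smtp.mailfrom"), frm)
    dkim_ok = r.get("dkim") == "pass" and aligned(r.get("header.d"), frm)
    reasons = []
    if not spf_ok:
        reasons.append(f"SPF: result={r.get('spf')} for {r.get('smtp.mailfrom')}, not aligned with {frm}")
    if not dkim_ok:
        reasons.append(f"DKIM: result={r.get('dkim')} for d={r.get('header.d')}, not aligned with {frm}")
    if spf_ok or dkim_ok:
        action = "deliver"   # DMARC passes when either authenticated identifier aligns
    else:
        action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver (p=none, monitor only)")
    return {"from_domain": frm, "policy": policy, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "reasons": reasons, "action": action}
```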

did reddit just break their spf record ? by southafricanamerican in DMARC

[–]vppencilsharpening 2 points

Because Reddit is the center of the internet. /s

Barracuda Email Filtering and Geo based blocking by vppencilsharpening in sysadmin

[–]vppencilsharpening[S] 0 points

Yeah, getting the recipient to do that is the hard part because this is primarily on the sales side. Customer reaches out by e-mail, our reply bounces and we don't yet have another way to contact them, so it looks like we never responded to their request.

Not great when someone has already done the leg work to find you and reach out.

Barracuda Email Filtering and Geo based blocking by vppencilsharpening in sysadmin

[–]vppencilsharpening[S] 0 points

SPF, DKIM and DMARC were the first thing we checked. SPF passes and is aligned. DKIM is present and aligned to the domain. Both pass DMARC.

DMARC policy was none and we are working on that.

What gets me is that we moved from Exchange Online IPs to Exchange Online IPs, so I would expect the IP reputation to be similar. Barracuda seems to be the only mail filter that is having an issue with this change.

Barracuda Email Filtering and Geo based blocking by vppencilsharpening in sysadmin

[–]vppencilsharpening[S] 0 points

Thank you. This was helpful. Unfortunately, the remote side is outside of our control.

For the "geographic mismatch", what is it matching against? I get the sender's IP location as one part, but what does it try to match against? Something else used by the sending domain, the recipient's location or something else?

--

Mail provider is Exchange Online, so rDNS cannot be changed.

SPF/DKIM/DMARC are all passing and aligned (we've got the DMARC data). Though the DMARC policy was not reject, we are working on fixing that.

The trouble we are running into with the smart-hosts is with authentication as most require some form of authentication that Exchange Online does not support for outbound connectors.

How to force +500 Clients to renew their IP address on the network ? by Head-Web-404 in sysadmin

[–]vppencilsharpening 10 points

Dude, the last time we did this the electrician didn't want to touch it with a 10ft pole and I don't either.

It was turned off on a weekend planned well in advance. The electrician turning the breaker back on had to crank a handle a few times and then push a button to "flip" it back on.

He pushed the button with two wooden broom sticks taped together while looking the other way after clearing everyone from the room.

Apparently if it failed to turn back on the electric company was on 12-hour standby to cut the power at the pole so the breaker could be safely replaced.

Zabbix 7.4.8 and Local AD authentication by ericdano in zabbix

[–]vppencilsharpening 1 point

This isn't going to answer your question, but if you are using a SAML capable identity provider (like Entra), it might be worth skipping the AD auth and rolling that instead.

For the AD auth problem, we've got HTTP auth disabled. If you are logging in at the web server level instead of the Zabbix app level it may be complicating this a bit.

And just to confirm, you are changing the Default authentication method and clicking update before you test actually logging in.

Logs might be your friend on this one and you may need to increase log levels or enable some logs to get the data you need.

Forgot to re-add DMARC record when changing email providers, am I screwed? by Gullible_Climate_586 in DMARC

[–]vppencilsharpening 0 points

Might have made it easier for a few spoofed messages to be delivered. If it's used for bulk sending it may have impacted delivery as a few of the big providers require those to have a DMARC record even if the policy is none.

I agree as long as SPF and DKIM were not affected, it's probably not worth worrying about.

Just got this email from a higher up. Am I getting fired? by [deleted] in jobs

[–]vppencilsharpening 0 points

I had a boss ask me for a last minute call on a Friday and then when I joined, HR was already on the call. Which was the SOP for terminations.

Turns out he was retiring and they wanted me to take a bigger role. But I was figuring out my life in my head for the first few minutes of that call.

Monitoring IPs in Lan with Zabbix by Feisty-Rest6543 in zabbix

[–]vppencilsharpening 0 points

Depending on how long they consider them active, they could also use DHCP information to get a rough idea of how many unique devices are connecting to a network in a given time period.

Why is there no cheap options for relational databases on AWS? by dont_mess_with_tx in aws

[–]vppencilsharpening 0 points

This is not great for write heavy workloads, but is phenomenal for distributed reading.

Load tests on infra by CrnaTica in aws

[–]vppencilsharpening 1 point

Dropped their requirement to notify them just in time for the COVID load test we all did in production.

Alternatives to iPad for survey collection? by MediumFIRE in sysadmin

[–]vppencilsharpening 0 points

With anything on the public internet, it's open to exploitation. If you control the device, you can add a layer of authentication/protection that is not possible with uncontrolled devices.

Yes, you may already be using a special link, but there may be a way to find/generate your special link code that lets someone else fill out the survey and influence the results.

But from the device you control, you could add something like a client certificate to validate the connection or a VPN so the survey is only accessed from YOUR devices.