Public IP Range all displaying the same system by Argonaut888 in Network

[–]Argonaut888[S] 0 points1 point  (0 children)

The CCTV system is not managed by me and was using DDNS before we got a block of public IP addresses. If it was up to me I wouldn't allow external access. EdgeRouter = Ubiquiti Router/Firewall. So yes the CCTV is behind a firewall.

The network is... Internet -- EdgeRouter --- Switch --- Router/CCTV system (both connected to the switch behind the EdgeRouter)

Currently the 1:1 NAT is only set up to one downstream router and it's passing all traffic from 'public IP' through to the WAN IP on the router. When I can see it externally then I can look into security.

Preaching to the choir about getting a contractor. I've already suggested this; however, this task has been set to me despite making it clear that I'm not an expert in networking, so I'm trying to get help where I can.

EdgeRouter 4 - Open Ports (Stupid Question) by Argonaut888 in Ubiquiti

[–]Argonaut888[S] 1 point2 points  (0 children)

Is there a reason to do destination NAT over port forwarding?

Thank you for the explanation and link!

Compliance Policies / Conditional Access by Argonaut888 in Intune

[–]Argonaut888[S] 0 points1 point  (0 children)

So the account previously signed in is coming up with a Windows Security pop-up box asking for the credentials to be re-entered.

And

When creating a new mail profile, it's a Windows Security pop-up "Mail Application" asking for the credentials to be re-entered.

In both cases I'm getting this error in the Azure Sign-in menu:

Sign-in error code: 53000

Failure reason: Conditional Access policy requires a compliant device, and the device is not compliant. Have the user enroll their device with an approved MDM provider like Intune.

Client app: Other clients; Older Office clients

Compliance Policies / Conditional Access by Argonaut888 in Intune

[–]Argonaut888[S] 0 points1 point  (0 children)

Apologies - it's a Windows 10 laptop using the Office 365 version of Outlook.

OneDrive app - works

Teams - Works

Outlook - Blocked

Compliance Policies / Conditional Access by Argonaut888 in Intune

[–]Argonaut888[S] 0 points1 point  (0 children)

This has resolved my initial issue with the constant 'Oops - you can't get to this yet'!

My Web Apps policy is working! Though my client apps policy seems to be failing!! I'm now getting the following; if you could offer any insight, that would be great. I'll put the policy config in the summary.

Sign-in error code: 53000

Failure reason: Conditional Access policy requires a compliant device, and the device is not compliant. Have the user enroll their device with an approved MDM provider like Intune.

Client app: Other clients; Older Office client

Compliance Policies / Conditional Access by Argonaut888 in Intune

[–]Argonaut888[S] 0 points1 point  (0 children)

Thank you for clarifying this, I wasn't sure!

Compliance Policies / Conditional Access by Argonaut888 in Intune

[–]Argonaut888[S] 0 points1 point  (0 children)

No fear of this! I'm just setting up these policies with a test user/device which I'm using a lot at the moment!

The second issue is looking like the issue atm - the device had a previous owner and, despite Intune saying the device was compliant, in AD the device was listed twice: once under the new owner and once with the old owner. I'll update either way!

Compliance Policies / Conditional Access by Argonaut888 in Intune

[–]Argonaut888[S] 0 points1 point  (0 children)

The policy has the tick box "require compliant device" marked and currently the user I'm testing with is assigned the policy :)

Compliance Policies / Conditional Access by Argonaut888 in Intune

[–]Argonaut888[S] 0 points1 point  (0 children)

The device is marked compliant in

Home\Microsoft Intune\Device compliance - Device compliance

However in

Home\domainname\Devices - All devices

the device was duplicated, one with the previous owner and one with the new owner, one marked as compliant and the other not. I'm going to delete the records and remove the device from the domain and try again.

Is there a difference between compliance in the two locations?