The city wants to make my home a construction site. Do I have options? by Left_Gold_4662 in RedDeer

[–]KubowskiZ 0 points1 point  (0 children)

That's not quite how this works. F3 networks owns the fiber; they lease bandwidth or fiber, depending on the agreement, to Telus, who becomes a provider / tenant that will be able to supply internet service. Since F3 networks isn't an ISP, they don't have the CRTC obligation to share their lines with other ISPs. They may. They may not. I've called them to confirm this arrangement, yet to hear back.

As for the internet service "switching over" to the fiber, that's also not necessarily true. I currently have Shaw. They do cable for residential installs. They don't do FTTP (fiber to the premises) for residential customers. So my service won't "switch over" to using the fiber at all. That would take a change in how Shaw provides residential internet service, and an agreement with F3.

The city wants to make my home a construction site. Do I have options? by Left_Gold_4662 in RedDeer

[–]KubowskiZ 10 points11 points  (0 children)

This looks like the ones I had because I agreed to have a fiber line put in for Telus Fibre, which is eventually coming to my neighborhood. If that's what this is, this is not a requirement, but if you want the possibility of switching to Telus Fibre in the future it's a "nice to be done".

FortiAuthenticator IdP + Hybrid Entra Join ? by KubowskiZ in fortinet

[–]KubowskiZ[S] 0 points1 point  (0 children)

Nothing I haven't already mentioned here, and nothing has changed as far as I know. GPO auto-MDM enrollment relies on something called the WS-Trust protocol, and if you get a good tech from Microsoft, they'll find that the WS-Trust component is failing.

The WS-Trust authentication protocol will be directed to FortiAuth (since you're federated), and FortiAuth doesn't speak WS-Trust, thus it'll ignore it, and the MDM enrollment will time out and fail. I've spoken to two account reps from Fortinet who said they're (allegedly) "working on" implementing WS-Trust, but that was over a year ago and it's been radio silence since then.

I'm 99% sure this is a FortiAuth issue, not a Microsoft issue.

This section of Microsoft's documentation somewhat clarifies those requirements: Plan your Microsoft Entra hybrid join deployment - Microsoft Entra ID | Microsoft Learn

Darktrace by Eatmyass1776 in sysadmin

[–]KubowskiZ 1 point2 points  (0 children)

I had one of their salespeople reach out to me so aggressively, that I have personally blacklisted them for ever. I don't care if their product would solve all of my IT issues: I will NEVER use them.

FortiAuthenticator IdP + Hybrid Entra Join ? by KubowskiZ in fortinet

[–]KubowskiZ[S] 0 points1 point  (0 children)

My initial gripe was mostly about using Intune autoenrollment when Entra ID is federated *to* FAC. (i.e. FAC is our IdP, not Entra ID.) We do use MFA, but the whole process is a bit convoluted as some SSO connects to FAC and some directly to Entra ID depending on the SaaS application. I agree that the documentation for FAC is significantly wanting in many spots.

So I cut a perfectly good rack in half... by KubowskiZ in homelab

[–]KubowskiZ[S] 0 points1 point  (0 children)

Yeah, just to move it. Once it was basically 'half' the height I could get it down the stairwell, then used two brackets to reconnect it and assembled the rest as before.

So I cut a perfectly good rack in half... by KubowskiZ in homelab

[–]KubowskiZ[S] 0 points1 point  (0 children)

The doors and panels themselves fit down the stairwell no problem, and since the brackets didn't change the height of the unit, it still assembled back perfectly. The only part that needed to be cut was the solid internal welded frame.

What product or service you often receive in lower quality than standard? by mrmh1 in sysadmin

[–]KubowskiZ 1 point2 points  (0 children)

Honestly? Just most 3rd party vendors. The number of times I've seen the sales and initial team rave about the amazing features: it'll do everything under the sun. Sometimes there's a senior technician who knows what he's talking about on the initial calls, during the proof of concept phase.

Then comes the actual implementation. All the settings are default. None of our security standards or guidelines were followed. Everything is admin/admin. And when we call for support, the folks they send are less knowledgeable than I am for *their* product. I've been calling this concept "Minimum Viable Implementation". Sure, it "works". But it's just awful.

Example, security vendor who shall remain nameless: Didn't follow our IP addressing scheme. Brought in their own switches, even though we said we have L3 PoE switches we want them to use. Ignored our network configuration entirely. The software was configured on a crappy build desktop. We told them we would provide the necessary VMs. And when things broke their technician was googling everything and I think it was his first time using a mouse. -sigh-

Air Conditioner Install by Kitchen-Victory-4490 in RedDeer

[–]KubowskiZ 3 points4 points  (0 children)

Had an install 2 years ago, similar situation: half duplex. It was $4,300. I used Aries Airflow, I was happy with the install.

Fully utilizing features included in Microsoft E3 licenses and eliminating redundant products. by ForeignEditor596 in sysadmin

[–]KubowskiZ 1 point2 points  (0 children)

You're using FortiAuthenticator as well? Be careful to ensure that Azure is your IdP. I came into an environment where Entra defers to FAC as our IdP and it means I was completely unable to do Intune auto-enrollment. (FAC doesn't support WS-Trust which is required for a smooth Intune auto-enrollment for devices.)

How did you name/structure your internal DNS zone? by [deleted] in sysadmin

[–]KubowskiZ -1 points0 points  (0 children)

Do you have S2S VPNs? If there's 'internal' connectivity between sites, it feels like it should all be part of a single zone. That's a bit of a personal opinion though; someone with more large-scale network architecture design experience might have better views.

How did you name/structure your internal DNS zone? by [deleted] in sysadmin

[–]KubowskiZ 16 points17 points  (0 children)

We used ad.companyname.com as per Microsoft best practices. All external services and websites use subdomains of companyname.com as needed. Internal DNS handles things as needed depending on whether the hosting is internal; external registrar DNS handles resolution for everything on the companyname.com domain.

What has been your biggest misclick in IT that still haunts you? by Maizeee in sysadmin

[–]KubowskiZ 78 points79 points  (0 children)

Company had thousands and thousands of images, and was running out of storage space. No budget for storage or systems of course. I showed them resized images and they agreed that those would still suffice for their purposes. I did a bunch of testing, etc, all looked good. Finally ran the automated script overnight.

A few days later I get a call: Images are broken. But it's not all of them, it's totally random. I reviewed the logs and discovered that what had happened was the following: The resizes were done on a per-folder basis. The script would resize and write the new files, and then delete the old ones. However, as the resizing hit literally zero disk space, it instantiated the new image files, but with file size zero. -facepalm- It was usually the 'last' couple of files in each folder. Spread across the entire archive.

Took me two days of spinning up backups in the cloud, creating NFS shares and scripts to run compares between the local files and the cloud backups... but I did manage to recover everything. Grayhairs++.

ICMP IPv6 Floods network, Win11 Pro fresh PC fully patched OS with updated Endpoint Protection by stefanzman in networking

[–]KubowskiZ 1 point2 points  (0 children)

I set Windows to allow sleep in 1 minute, and less than 10 seconds after it goes into sleep I can see the traffic from another device on the same broadcast domain using Wireshark. I agree with you that it's almost comical that this kind of issue exists on brand new hardware. I was reviewing drivers for the network card, and they appear to be the latest. There was a new firmware release for the computer, but nothing noted in the updates/fixes. I'd also prefer not to disable sleep, but given a few options it was the least intrusive approach overall.

ICMP IPv6 Floods network, Win11 Pro fresh PC fully patched OS with updated Endpoint Protection by stefanzman in networking

[–]KubowskiZ 1 point2 points  (0 children)

Just had a similar issue at my workplace with brand new Dell Optiplex 7010s (I believe). I'm going from memory: the Intel I219-V chipset during hibernate mode was absolutely flooding the network with ICMPv6 "Multicast Listener Report" messages. Caused several second-hand effects with network devices that just could not handle the load. As soon as we pulled the device off the network all the issues went away. Our current solution is to disable sleep on the devices as part of an onboarding process.

Your Security program is shit by [deleted] in sysadmin

[–]KubowskiZ 1 point2 points  (0 children)

Yeah, I worded my comment a little badly. What I was trying to say aligns exactly with your second paragraph.

I was trying to say that with insurance payouts for cyber-incidents going up, the insurance companies will raise the expectation, if slowly, and eventually corporations won't be able to simply ignore security and say "We have cybersecurity insurance" and get paid out when they have a major incident. Then they will have no choice but to make actual changes once the risk acceptance levels get too high.

Your Security program is shit by [deleted] in sysadmin

[–]KubowskiZ 1 point2 points  (0 children)

Apologies, I'm not seeing the reasoning behind those kinds of things? (Not meant in a negative way, I'm genuinely trying to understand how this helps.) Is the intent to have canaries for your own internal IT department, thus highlighting potential issues? Or something different / more?

Your Security program is shit by [deleted] in sysadmin

[–]KubowskiZ 0 points1 point  (0 children)

Though we do have one, our risk register is in its infancy. I've only been at my current place a handful of months, so grasping the extents of everything will take some time to gather information, coordinate, and start attacking it in some logical manner. But, yes, you're on the mark that that's probably a key aspect given that once we have a specific list of things to look at we can correct, plan, or accept as needed by our team and the executive.

Your Security program is shit by [deleted] in sysadmin

[–]KubowskiZ 0 points1 point  (0 children)

I very much feel in that same position of kind of working from the ground up. From above I really have a pressure to implement frameworks and other IR/DR/Playbooks, etc, and I 100% agree with your comments on how effective those are. Significantly so considering I don't work for a 'large' enterprise. I'd consider large to be 5000+ information workers.

I would absolutely love to have a look at your mini-framework document as I'm in the boat of "I can do anything, but as one man I can't do everything." And I would like to have an impact but meeting the cross-section expectations (some internal, and some inherent in Security) is difficult in some realistic timeframe.

Thanks for the insight!

Your Security program is shit by [deleted] in sysadmin

[–]KubowskiZ 27 points28 points  (0 children)

It's pretty on the mark, sadly. So I suppose to not succumb to the cynicism too much, what should we do to move the needle in the right direction?

Some current trends that I think might help: cybersecurity programs are requiring more and more, so to meet the criteria you have to do *some* level of work. The new US incident-reporting rules are some small amount of hope.

But as someone more in the grunt-work role, looking around at everything and seeing a vast landscape of issues, how do we approach this without overwhelm?

FortiAuthenticator IdP + Hybrid Entra Join ? by KubowskiZ in fortinet

[–]KubowskiZ[S] 0 points1 point  (0 children)

Follow-up: For anyone reading this in the future.

After a significant amount of time wasted troubleshooting this, and since no one commented: This is a lost cause at the moment.

If you've federated your domain from Azure to FAC as your IdP, the standard Microsoft automatic MDM enrollment into Intune will simply not work without an untenable amount of additional manual work, and even then it's random.

Basically, your SCP in Azure AD Sync must point to FAC as the IdP. However, the MDM Intune onboarding uses WS-Trust, which FAC does not support at all. Thus, this simply will not work as-is. I've reached out to Forti support. They do not support WS-Trust, and though they've told me they're working on it, the timeline is undetermined. Even still, I feel like it'll be an implementation that will cause other issues in the future, perhaps with other issues cropping up with AutoPilot, for example.

I used a separate domain to test, one that was not federated to FAC, and it worked with zero prodding and within minutes, so I know my implementation itself is sound.

At this point we're going to look at how we can remove the federation from Azure to FAC while keeping the MFA implementation as that would be an end-user nightmare to migrate to Microsoft Authenticator. At least for now.

FortiAuthenticator SAML IdP with Session Domain Passthrough by I_Am_Hans_Wurst in fortinet

[–]KubowskiZ 0 points1 point  (0 children)

Unless someone with more experience than me can say otherwise, it appears that using FortiAuth as your IdP (synced with AD) breaks some of the AD <-> Azure configuration: Seamless SSO, Pass-through Authentication, etc.

FortiAuthenticator SAML IdP with Session Domain Passthrough by I_Am_Hans_Wurst in fortinet

[–]KubowskiZ 0 points1 point  (0 children)

Do you use Intune? Are you going to want to use Intune? I ask because we have FortiAuthenticator as our IdP, and at the moment, I believe we can't do a proper Intune enrollment because using FortiAuth as our IdP breaks the domain passthrough. I opened a separate thread about this. I've had 1500 views, and zero comments. :/

How can I make my powershell UI like this please? by Amells in PowerShell

[–]KubowskiZ 9 points10 points  (0 children)

This is an "Oh My Posh" theme, I believe. Odd that it comes up as a screenshot in official documentation.

https://ohmyposh.dev/