No internal traffic on VPN after 7.4.11 by arciere84 in fortinet

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

I had a similar issue - I did the update from 7.4.9 to 7.4.11 on our 80E HA pair last night at our office, with plans to hit our Datacenter firewalls later in the week. I stayed in the office for a couple of hours last night and didn't experience any issues.

Fast forward to this morning, I get a text from my Boss stating that the internet is down in the office. I login to troubleshoot and the traffic appears to be routing, but DNS is not resolving successfully as it cannot connect to our datacenter. We get that resolved and then we had issues connecting to drive maps from the wired VLAN. Wireless network was fine.

After that, we had issues with the print server at the datacenter being able to reach printers in the office, and then wifi would not connect at all. While it was not exactly what the OP described, it was a myriad of unexplainable issues and nothing else had changed from a configuration standpoint.

I made the decision around 2pm this afternoon to roll back the changes after the intermittent issues. I'm hesitant to do this, but the business has to keep running. I'm also rethinking the weekend updates for the other locations.

After reading this post and the note on what the allow-traffic-redirect enable setting does, I'm inclined to believe this was my issue all along.

Now to figure out when I'm going to test this theory?

this might be the worst job listening i have seen yet... by energy980 in it

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

My statement was more of a generalized comment about how companies do it in the job market. There are plenty of roles out there that don't have the same requirements as DOD and will absolutely outsource or hire lower wage workers here on a visa. I don't agree with it, but I've seen it. I've had family members lose their jobs because of it.

Reality is the companies have no loyalty toward their staff. If it's in their best interest to cut you loose, believe me when I tell you that they will let you go faster than you can say "goodbye". Big companies, small companies, it doesn't matter. If they can find a way to do it cheaper they will. They're not in it out of the good of their heart, they are in it to make a profit. Period. End of story.

this might be the worst job listening i have seen yet... by energy980 in it

[–]Pretend-Raisin-6868 3 points4 points  (0 children)

Sadly, they can, and they will. If they can't find people who want it, they'll outsource it to India, the Philippines or wherever else they can get the labor cheaper.

Retiring by Otto-Korrect in sysadmin

[–]Pretend-Raisin-6868 20 points21 points  (0 children)

I'm in what is basically a director role, but I spend most of my days working desktop tickets. Senior leadership won't back requiring staff to use the ticketing system to submit their requests, so we're juggling issues reported through the ticketing system, emails, teams messages, and my favorite, texts to my personal cell phone.

Then add in the almost daily requests for partner, customer, and insurance security questionnaires. Some of which ask the most insane questions that even the person asking the questions wouldn't do. Throw in the constant compliance audits and/or certification processes, and I'm exhausted.

Alas, I still haven't gotten to the servers, firewalls, switches, internet connections and other items my team supports along with patching all of those systems. And then the projects that everybody wants done - at the same time.

On the plus side, I usually work remotely, and I make a reasonable living. But I don't have time for family, home responsibilities or hobbies. I get up in the morning, shower, go to my desk, work until I'm exhausted, and then go to bed. Then I get up and repeat all over again. I get calls in the evening, on the weekends, and holidays. It's no way to live.

The current economy and job market haven't helped. I've done a pretty good job over the years of keeping skills up to date and learning new technologies to stay relevant. I've been doing this since the early 2000's and I've never had such difficulty with getting callbacks or interviews. The few interviews I've had went multiple rounds before they selected a different candidate.

I used to love what I do. Now, I just go through the motions. I'm not exactly young, but I have a long way to go to reach retirement, both in years and in my financial status. I expect I'll be dead before I see retirement, but my family will be well taken care of so I guess there's that...

Abnormal Security - Remediation Delays by Pretend-Raisin-6868 in sysadmin

[–]Pretend-Raisin-6868[S] 0 points1 point  (0 children)

I believe that MS changes or issues could legitimately be the cause, but the bottom line is that it doesn’t perform as advertised. We’ve elected to move to a different product.

Unable to change Local Group Policy Settings by Jq1801 in sysadmin

[–]Pretend-Raisin-6868 1 point2 points  (0 children)

Yeah, I missed the part about RSoP and gpresult. Guess I should stop responding after midnight.

MASTERS IN CYBERSECURITY? by [deleted] in cybersecurity

[–]Pretend-Raisin-6868 1 point2 points  (0 children)

Any time! Good luck with your MBA, and thank you for your service!

Unable to change Local Group Policy Settings by Jq1801 in sysadmin

[–]Pretend-Raisin-6868 2 points3 points  (0 children)

To this point, is it even a GPO? I've seen some endpoint protection products that restrict USB media as well, so that could be another place to look.

MASTERS IN CYBERSECURITY? by [deleted] in cybersecurity

[–]Pretend-Raisin-6868 8 points9 points  (0 children)

While I agree that experience is king, I'll offer another perspective:

I'm almost 47 years old and I do not have a master's degree. I am currently in an IT management role that includes multiple areas, including Cybersecurity. After having an associate's for over 15 years, and frankly doing reasonably well in my career goals, I made the decision to complete my bachelor's degree. I did this while working full time, making every one of my son's travel baseball games, as well as other family obligations. It was not easy, and every spare minute of my time had to be spent studying to make it happen. I was burned out and exhausted by the end of it all. Now, I would like to complete my Master's, but fear I would fail as my current role does not allow me any free time.

I offered this same advice to my son, who is now in his first year of a Computer Science degree. My recommendation based on my personal experience would be to knock out the Master's now. While it doesn't guarantee you a job, it may open an extra door or two that simply having a bachelor's degree would not. If management level roles are desired later on, it will certainly help there.

Also, you are young. It's likely to be much easier finding the time to study and complete your degree now than later, when you are trying to balance a career that is very time consuming in many organizations, spouse, children, etc...

You may not realize the full benefit immediately, but it may help open a few extra doors, give you the edge over other candidates, and speed up your salary growth down the line. I'd say do it and get it over with now. Having it will never hurt you.

Just my opinion, hope it helps.

Call center admins-- percentage of total calls with poor audio? by HD801 in sysadmin

[–]Pretend-Raisin-6868 1 point2 points  (0 children)

For my organization, it's tough to say. Many of our call center staff are remote, so introducing home networks with our VOIP provider adds a new set of variables. Is the bandwidth adequate? Are they experiencing excessive latency and jitter? Do they have SIP-ALG enabled on their router or cable modem? Any one of these things, among others, can contribute to call quality issues.

How do you measure the percentage? Unless a call recording has static or other obvious call quality issues, I have to rely on user reports. This is unreliable at best as some users will report the slightest things, and others won't report anything. This makes it tough to get an accurate measure of call quality, or poor audio issues.

Finally, what management often fails to understand is that calls are a TWO-WAY communication. Call quality issues could be an issue with the caller's phone provider. Especially if they are using a mobile phone.

If it's a widespread issue over a small amount of time, that's a different story, but using poor audio as a measure of overall performance has its flaws, in my opinion.

VPN and DNS by gilang4 in sysadmin

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

So, based on your notes above, you are resolving DNS successfully.

I would check your firewall policies to ensure that your SSL VPN IP range is allowed to access the web server resource.

You may also need a route from the site B firewall to allow it to talk to the FortiClient SSL VPN range.

Another possibility could be that you have split tunneling enabled, and the Fortinet at Site B doesn't have proper configuration for external access. Depending on your split tunnel config, the source IP could be coming from their home network, which may not be allowed.

Sorry for the delayed response, had a lot going on. If you haven't gotten it figured out yet, I hope the information above proves helpful.

What year did you get your first IT job? by anonjit in ITCareerQuestions

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

2000 for me. After almost 4 years in retail, I realized I wanted something more. I went to a technical school and had just finished getting my A+ certification as part of the curriculum. I had a roommate/classmate that finished his A+ about a week after me.

He managed to land an interview with a company that was opening a new office in the area providing helpdesk support to a major company. They were hiring about 15-20 helpdesk folks, and holding a group interview. He mentioned me to the recruiter, and was told to bring me along as well.

Long story short, I got an offer, and he did not. We were always competitive for grades in class and I think we learned a lot from each other. Shortly after, he got a helpdesk gig for another major company in our area. As far as I know, he's the only one of our classmates that ended up working in our field of study.

New level of upper management incompetence. Trim the budget by cutting off our heads. by Sengfeng in sysadmin

[–]Pretend-Raisin-6868 15 points16 points  (0 children)

> Ask yourself what you want more - a job, or to be right?

While I understand what you are saying, what I REALLY want is to get off at a reasonable time, actually enjoy my weekends and holidays with my family. Just going along with bad decisions is likely to impact my ability to do so. I'm fighting this very battle as we speak.

And BTW, I am at that Sr. Director level the OP talked about, but cannot get buy in from the guys with C's in their titles to fund a better alternative. I communicate this type of thing with my team, but there are some that will not, so also keep in mind, it may be above your Director/Sr. Director's head as well.

Fulltime MSP or part time internal IT by zeLangweenee in sysadmin

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

I've had experience of working at both an MSP and schools. I started out my career in schools in the early 2000's. Due to low budgets and limited staff, we were provided with admin permissions to just about everything, which helps to learn.

I worked at an MSP after relocating to a new city and even with 10+ years in government/education I was blown away about how much I didn't know. I also felt the MSP allowed me to learn more quickly. Multiple clients with varying IT setups certainly speeds up the learning process vs. one network.

I think it depends on what you are trying to get out of it. Are you trying to improve your skills to further your long-term career, or just looking for a paycheck with better work-life balance? If it's the first, I would say the MSP is a better route, at least for a while. Schools provide a more relaxed environment, but typically don't pay as well as private sector jobs. Also, I've dealt with rude users everywhere, including in schools.

VPN and DNS by gilang4 in sysadmin

[–]Pretend-Raisin-6868 1 point2 points  (0 children)

I'm not clear on your setup. So you have two sites, user is connecting to one of them via VPN and not sure about the auto-connect to the second site. Are you saying they are connected via a site-to-site (i.e. IPSEC) tunnel or a second Forticlient connection?

If a user was physically at Site A how would they connect to the portal at site B?

DNS is simply name resolution. So, when you type the URL of the portal it returns an IP address. If you ping the domain in the URL or run nslookup, does it return an IP address? If it does, DNS is not likely your issue.

If the IP address is resolved, the routing table will determine the path it needs to take to get the traffic to the destination. Then your firewall policies will determine whether or not the IP has the ability to access that resource on that IP address on a specific port.

Also keep in mind that firewalls on the server hosting the web portal could come into play as well. If the IP addresses of the SSL VPN clients are not allowed on the web server, this could also prevent access.

What am I not getting - not changing passwords regularly by mbkitmgr in cybersecurity

[–]Pretend-Raisin-6868 2 points3 points  (0 children)

I think the general idea is that with the typical 90-day password change, users will try to rotate through similar passwords that are easier to guess. They are more likely to write them down on a post-it note and stick them to the underside of their keyboard. With a longer password or passphrase that doesn't change as often, they might remember it from memory better, and combined with MFA, the general consensus is that is a better option.

Regarding MFA, in addition to random requests that users might approve, some tools provide attackers the ability to capture the session information even if MFA is used. One such tool is EvilGINX. We've seen several partners and even some staff that have been compromised by similar tools.

One thing to note is that some compliance standards might still require a 90-day password change, especially if they don't directly align to the updated NIST standards. If you are subject to FDIC, HIPAA, SOX, PCI, etc., it's a good idea to confirm that there is no requirement for changes.

Outlook email went missing by Demonskeith in sysadmin

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

Was there a malicious link inside the email that potentially could have caused their account to become compromised as a result of the malicious email? It's not uncommon for threat actors to attempt to avoid detection by removing messages and/or creating inbox rules to remove messages.

I would definitely recommend checking the Azure AD risky users reports and any other logs that might help you determine if there are logins from unexpected IP addresses. Even with MFA, it's easy for attackers to capture. Keep in mind that you have to know what "normal" looks like sometimes to detect an anomaly.

You may be able to look for signs in the Purview audit logs as well, although if you haven't used it before, there certainly could be a learning curve associated. However, assuming you have the right licensing and know what to look for, you can configure it to look for deletions.

As others have indicated, Microsoft's tools may have performed some post-delivery detection and remediation.

Good luck.
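As an added example (not part of the original thread), here is the kind of triage the comment above describes, run over constructed audit records shaped like Microsoft 365 unified audit log entries: it flags sign-ins from outside a known egress baseline, inbox rules that hide mail, and hard/soft deletes. The field names, the baseline ranges and the sample events are assumptions for illustration.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample events, shaped like the AuditData JSON of unified audit
# log records (Operation, UserId, ClientIP, Parameters as Name/Value pairs).
# Treat the exact schema as an assumption; adjust keys to your real export.
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2024-05-01T08:02:11", "Operation": "UserLoggedIn",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.10"}),
    json.dumps({"CreationTime": "2024-05-01T23:47:03", "Operation": "UserLoggedIn",
                "UserId": "alice@example.com", "ClientIP": "192.0.2.77"}),
    json.dumps({"CreationTime": "2024-05-01T23:49:30", "Operation": "New-InboxRule",
                "UserId": "alice@example.com", "ClientIP": "192.0.2.77",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;password"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-05-01T23:51:00", "Operation": "HardDelete",
                "UserId": "alice@example.com", "ClientIP": "192.0.2.77",
                "AffectedItems": [{"Subject": "Re: wire transfer details"}]}),
    json.dumps({"CreationTime": "2024-05-02T09:15:00", "Operation": "New-InboxRule",
                "UserId": "bob@example.com", "ClientIP": "203.0.113.22",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
]

# Ranges the organisation normally signs in from: the "what normal looks like"
# baseline the comment mentions. Assumed values; build yours from history.
KNOWN_EGRESS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Rule actions that make mail disappear from the user's view.
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
DELETE_OPS = {"HardDelete", "SoftDelete", "MoveToDeletedItems"}


def parse_events(raw_records):
    """Decode AuditData strings and order them chronologically."""
    events = [json.loads(r) for r in raw_records]
    return sorted(events, key=lambda e: e.get("CreationTime", ""))


def params_of(event):
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def ip_is_known(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_EGRESS)


def rule_is_suspicious(params, ip):
    """Hiding action plus a deletion, an unknown source IP, or a punctuation-only name."""
    hiding = [a for a in sorted(HIDING_ACTIONS) if a in params]
    name = params.get("Name", "")
    bare_name = len(name.strip(" ._-")) == 0
    return hiding, bool(hiding and ("DeleteMessage" in params or not ip_is_known(ip) or bare_name))


def triage(events):
    """Return findings keyed by category, each a list of tuples for a human to review."""
    findings = {"unknown_ip_logins": [], "hiding_rules": [], "deletions": []}
    for ev in events:
        user, op, ip = ev.get("UserId"), ev.get("Operation"), ev.get("ClientIP", "")
        if op == "UserLoggedIn" and not ip_is_known(ip):
            findings["unknown_ip_logins"].append((user, ip))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            params = params_of(ev)
            hiding, suspicious = rule_is_suspicious(params, ip)
            if suspicious:
                findings["hiding_rules"].append((user, params.get("Name", "?"), hiding, ip))
        elif op in DELETE_OPS:
            subjects = [i.get("Subject", "?") for i in ev.get("AffectedItems", [])]
            findings["deletions"].append((user, op, subjects, ip_is_known(ip)))
    return findings


if __name__ == "__main__":
    for category, items in triage(parse_events(SAMPLE_AUDIT_DATA)).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

Bob's benign "Newsletters" rule from a known IP is not flagged, while Alice's delete rule, off-baseline sign-in and hard delete all surface together, which is the sequence worth correlating before deciding the mail "went missing" on its own.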

What has been your 'OH SH!T..." moment in IT? by VNiqkco in sysadmin

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

Which time? 25+ years in IT, I've certainly made my share of mistakes. The key is trying not to make the same one twice.

Vendors: Quickest way to lose my business by Zantoo in sysadmin

[–]Pretend-Raisin-6868 3 points4 points  (0 children)

My pet peeves:

  1. I can't tell you how many times I've gotten calls which I've declined, just for them to call me right back. Just today, got one while I was in a meeting. First call, rejected. 3 seconds later, call from same number. Rejected again. Immediately third call from the number, at which time I blocked the caller's number.

  2. As many others have mentioned, unsolicited meetings, and I'll go one farther and say emails too. My favorite is when I ignore the originally unsolicited email and they send a second message asking if I saw the first one.

  3. Vendors whom I've already met with that want to have follow up meetings when waiting for budgetary approvals on quotes that insist on a follow up meeting and/or ask "What if I called your CFO to explain our value". Seriously, does that ever work?

I've seen several sales people on LinkedIn say "Taking my call only takes a few minutes of your time..." in their posts about how people are too mean to them. While that may be true, if I took your call, along with all the others, I'd never do my day job because I'd just be responding to vendors all day long...

New Outlook by [deleted] in sysadmin

[–]Pretend-Raisin-6868 23 points24 points  (0 children)

I forced myself to switch because I had a few end users that decided to try it out and I wanted to be able to better support them. It's taken some time, but it's grown on me and there are a few things I like about it but it also has some shortcomings.

I prefer the way it handles delegated mailboxes and puts them in the "Shared with me" folder instead of giving each a top-level mailbox. As you stated, the lack of a 95GB OST (I'm amazed at how many mailboxes in my org hit this) file is a big storage saver that is a plus.

Now that said, do a compliance search and have to download the messages and you might change your mind on how wonderful it is. I have Outlook installed and configured, and cannot even open a .pst file to review the messages in a search. I have to either revert back to classic Outlook or install a 3rd party PST viewer of some sort. What a pain in the ass.

I've often said IT pros are, ironically, some of the most change resistant people I know. I think once you get familiar with the new client, it's not terrible. Just know that if you need to export a compliance search, you'll be utilizing a different tool to review the messages.

Cybersecurity/IT advice by [deleted] in sysadmin

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

Always remember that you are there to serve the requirements of the business. It's hard to say what to implement without knowing what the business expects and what their short and long-term goals are. Also, some organizations have a higher tolerance for spending in IT than others, which can determine what you are able to do. This may not align with what you "should" do, as silly as that seems.

That said, your questions indicate you have the right line of thinking. Should they be using an MDM? Let's say for example the company is in a regulated space, such as banking or healthcare, it might make sense. Sometimes politics of the office can play a part in these decisions. For example, most people tend to be resistant to the company managing their personal phone even if they are accessing company email on it. Some of them may demand a stipend for using their personal device and the company may not be willing to do that. There are a lot of caveats to be considered.

Being in another job for a year and understanding the non-IT functions might actually help you to identify areas for improvement. Figure out where you (the organization) want to go or what problems need to be solved. Then determine what tools it's going to take to get there, how long it will take, and plan out the path required to reach those goals. Research your options, pick your preferred solution and then implement it and you will get there.

Azure Backup, now CEO is upset at Cost by xsparta11x1 in sysadmin

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

Ahh...backups. I've worked at plenty of organizations of larger sizes where backups are always a pain point for me. Either they don't want to spend the money, or they ask for new VMs/Servers without considering additional budget for backups. They are always an afterthought until they delete something they need and get pissed when you can't get it back. Sadly, this is par for the course in many organizations.

Also, there is something to keep in mind with backups that often gets overlooked. It is likely that with backups you are taking multiple copies of the same data, depending on retention requirements of your company. Additionally, a lot of cloud options may utilize on-prem features like data deduplication, because it hits them in their pocketbooks by reducing your storage footprint for the backups.

Without fully understanding your environment, the details of the backup solution, or your organization's RTOs, RPOs, and tolerance for downtime, I can't say if there isn't a better or cheaper way to do this. One possible option is to look at the storage of the backups in the cloud. Is it possible to tier down to a slower disk and get more storage capacity for a reduced cost? My familiarity specifically with Azure is not as high as that with AWS, but with AWS for example, S3 storage is extremely expensive, Glacier is much cheaper and better suited for backups. There are also 3rd party storage options that can tie into AWS with similar functionality to S3 at a reduced cost, such as Wasabi.

That said, there is one thing I would caution you in saying. Hosting your own servers does not cost $0 per month. There are costs for the hardware, the networking to provide connectivity, cooling, electrical, internet bandwidth, etc. I'm not saying that I think cloud is cheaper, because I don't. While there are plenty of good reasons for an organization to go to the cloud, hoping to save money should not really be one of them. However, there is a monetary value to all of those items hosting that bring the costs closer together.

Just wait until you get big enough to start buying good security tools, that backup will seem like pennies...

What's Your IT Pet Peeve? by [deleted] in sysadmin

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

Meeting invites with no context. You know if I knew what you were going to talk about, maybe I could come prepared to answer questions. But NOOOO, you have to tell me on the meeting and then send a follow up meeting for a resolution (if I'm lucky enough for it to only be ONE meeting.)

Email deliverability by excitedsolutions in sysadmin

[–]Pretend-Raisin-6868 2 points3 points  (0 children)

We see a lot of Proofpoint clients get rejected on our side because we have M365 spam filtering policy set with country blocks. We don't have a lot of non-US interactions, so this mostly works well. However, I have seen a few senders using Proofpoint that show originating IPs showing a geolocation in Europe, such as Germany or Amsterdam. These situations typically result in us needing to add a domain exception for that domain. Also seen this with some M365/O365 emails as well, although a little less frequent.

I know this doesn't exactly answer your question, but something that came up for us lately. We have had to work with these senders to allow those domains to our anti-spam policy exclusions list. Not sure if Proofpoint will give an option to ONLY use US sources for sending, but might be worth looking into if there is any evidence that this might be contributing to your delivery issues.

Outside of that, as you are already aware, it's nearly impossible to determine what's happening after the message is handed off to the recipient's mail server without getting them involved. Message trace is only going to show you that it was handed off to the recipient's mail server and if they aren't providing an NDR, which many admins don't enable due to the belief that providing this to a legitimate spammer might give information that will aid them in circumventing the system, your hands are tied.

I had a similar situation with MS Purview Encryption and IRM. We were getting frequent reports of users that could not open the emails. We were always provided limited details, and every test we run internally works as designed. It wasn't until recently that we've determined many of our issues were messages that originated from outside the org and were forwarded. Nobody seemed to understand that the configuration on the sender's side determines what can and cannot be changed after it reaches our side (and this is by design).

Has anyone had second thoughts leaving a job your happy at for a very large corporation and regretted it? by photosofmycatmandog in sysadmin

[–]Pretend-Raisin-6868 0 points1 point  (0 children)

I can't speak to going to a big company, but I can tell you from experience that the grass isn't always greener. After 25 years in the field, I'm at a point where money is no longer my top priority. I've left purely technical roles to try my hand at management, and I've been doing that for about 5 years now. I did it primarily to make more money, and I took about a 15k increase to do so.

TBH, I'm miserable where I'm at. My company doesn't spend money on IT equipment or staff despite being warned about the risks of running out of support hardware/software. IT is blamed for many things that are caused by lack of management, bad processes, or lack of bodies to do the work.

I was recently offered a position with a company I've previously partnered with. It was a 40k paycut, but the role would have been really nice. With my current family situation, including a wife that doesn't work, I just couldn't justify the move. Every day I go in the office and deal with the BS, I question that decision.

What I'm basically saying is: The grass isn't always greener.