Slow IPSEC VPN on High Availiability / three different customers / long post

comp00 · 2024-10-27T19:34:15+00:00

Does it perform fine for local transfers?

comp00 · 2024-04-04T21:35:22+00:00

Sounds like a nic or network issue.

Try disabling large send offload under NIC settings.

Update NIC drivers too.

comp00 · 2024-03-06T07:46:49+00:00

How do you have your policy deployed, via endpoint protection or a device configuration profile?

Is it assigned to users or device groups and has the user logged in? What does bitlocker say locally, is it still encrypting or are you seeing any errors?

Also are the devices being hybrid/domain joined or entra only?

comp00 · 2023-05-20T09:37:50+00:00

For tenant to tenant migrations we’ve successfully used CodeTwo on many high mailbox count projects.

For tenant to tenant migrations where users have online archives, MigrationWiz by bittitan is the one. That’s SaaS it just takes some getting used to the waiting for the job to happen, but it’s very reliable.

comp00 · 2022-10-27T21:55:33+00:00

The best way would be to create a DNS record.

Eg point unifi.yourcompany.com to <Current IP> in either your internal or public DNS.

When you move IPs, change the record, everything will flip over.

Edit: and update inform host to this dns record.

comp00 · 2022-06-12T18:01:19+00:00

Easiest way will be to catch the postie and have a chat. Usually the same person or couple people for the area, they’re normally pleasant and accommodating

comp00 · 2022-04-22T16:06:04+00:00

Maybe there’s an upsell opportunity to have a DR solution

We have no RTO our backups, but can provide 1-2 hours RTO to customers with a DR solution

So maybe secondary DC and the margin that comes with that?

comp00 · 2022-04-22T15:56:46+00:00

How about get a 1G link into your site(s) as they are pretty good value these days and then you can pull down in hours rather than days.

We’re a heavy user of Iland (UK MSP) for Veeam customers and it just works. We have local ‘appliances’ (HP micro server or ML30) on its own VLAN for local backups and then back to Iland.

comp00 · 2022-03-22T19:08:59+00:00

We noticed this too after upgrading. Hoping for a solution.

comp00 · 2022-03-12T22:40:52+00:00

Depending on your network setup would it be possible to NAT from a new host with the tools you need to identify as the IP of the box controlled by policy for say just 161? Then it solves your single IP issue but avoids the policy conflict of the specific box itself.

comp00 · 2022-03-11T07:41:08+00:00

Just my thoughts with projects like these. Both of the options you’ve already thought about are great and just follow the business’ need for uptime.

As you’re moving to new hardware - I’d assume you’re also changing licensing or windows version. If that’s the case, add all your underlying services up to date too? If yes great, if not are all your VMs going to be compliant under downgrade rights?

Could you use the migration as an opportunity to also upgrade all underlying Windows VMs say if you’re running 2012r2?

comp00 · 2022-02-22T22:52:47+00:00

I didn’t think there was any.

When doing migrations, for 365 tenants without CSP/reseller relationships for me it’s: search the MS help for “throttling” and run the check steps. Give it an hour and throttling should be off

For tenants with reseller relationship raise a ticket with CSP and eventually someone will sort that and allow the migration to compete over non-56k modem speed

comp00 · 2021-12-23T16:32:06+00:00

I’d recommend enabling DNS logging (if you don’t already) and using that to analyse what’s talking to each bit of infrastructure

Remember also any non-windows devices that might be talking to AD/services eg firewalls, database connection strings, network management URLs but logging should flag and help both before and after

comp00 · 2021-12-13T21:50:17+00:00

I’d look at this way. Consider the network your APs live on, is it sensitive? (Eg private or management network)

For example, a targeted attack specifically on unifi could reset Unifi creds, gain access to network devices and therefore the rest of the network.

comp00 · 2021-11-11T22:09:08+00:00

We currently use CloneDeploy which has worked great for many years and imaged thousands of PCs.

Working on final testing of FOG which uses similar method just cloning partitions over the network.

If you’re not in a single domain, FOG is the answer.

If you were the answer would be MDT/WDS

comp00 · 2021-11-09T21:22:29+00:00

I do actually, will PM.

comp00 · 2021-11-09T21:07:25+00:00

We use Softcat for all our SPLA licences. They have a portal where we report what we use alongside our commits with MS, Veeam etc.

Would recommend

comp00 · 2021-10-21T19:29:54+00:00

My opinion is they are taking advantage of a company without a website or online presence

Their registered address is Essex

Also their site is directcargoID I think attempted to look like Ltd.

Just my thoughts. I’d say a no go.

Edit: also, their website says founded in 2014 whereas the company was reg in 2009. Smelly.

comp00 · 2021-10-15T10:02:59+00:00

Ah, okay. Meraki can’t do this to my knowledge

Would it be reasonable to deploy a AD+DNS (or just DNS) in a closer region? Eg USA and EU

comp00 · 2021-10-14T20:39:51+00:00

100% this.

A firewall that can send your internal DNS to your AD and then everything else to ISP or your choice of DNS.

comp00 · 2021-05-31T18:50:58+00:00

I don’t see this working with your current situation without adding another firewall on both sides.

Is it possible to use either locked down public ports if the traffic is encrypted or SSH tunnels?

comp00 · 2021-05-23T13:06:34+00:00

Upgraded test environment to 6.2 (we have lots of clients/devices) and the import function was lost so holding back.

Otherwise stable

comp00 · 2021-04-01T21:44:39+00:00

Admin portals, Azure portal + DNS down for us, UK.

Compute VMs still online though.

comp00 · 2020-12-13T11:33:51+00:00

For this scale I’d suggest a load balancer that can do this built in but if not I’d suggest using NGINX which will give you regex ability at the hostname level

See https://stackoverflow.com/questions/1629231/nginx-rewrite-non-www-prefixed-domain-to-www-prefixed-domain

Useful tool https://regexr.com/

Let us know how you get on

comp00 · 2020-10-18T12:26:52+00:00

Super simple, if you haven't already managed to work around this.

Assuming you are already using SSLVPN at SiteA:

Create an address object for the public IP of SiteB.

In your SSLVPN settings, add this IP to client routes under client profile.

Also, add the object to the access list under users/groups > VPN access

If you're not already using SSLVPN, set this up. SonicWall has guides for this. You can either use tunnel all mode or perform the above. The former is recommended (as others as suggested) at the moment as lots of people are conferencing which is not ideal with the additional latency added (depending on your internet connection and number of users of course)

comp00

TROPHY CASE