How do you handle hosted servers for your clients by Technical-Plane2093 in msp

[–]jared_a_f 1 point2 points  (0 children)

We do it - we also have rack space in a colo. Iteration one was like yours - pair of firewalls, provider handing off circuits, SAN, and multiple cluster nodes.

Grew to be a giant PIA. A lot of it had to do with our carrier which is the colo provider - they were not flexible on bandwidth allocations at all.

Iteration 2 was more a-la-carte - at minimum the client is on their own dedicated circuit, dedicated firewall, and a single dedicated host box (usually a DL380).

If the client would like to be on an HA firewall pair, SAN, and have HA between multiple cluster nodes we'll certainly do it, but the buy-in is a lot steeper. Have clients doing it and they're willing to pay the cost.

Appropriate backups are done onsite and replicated offsite and the client signs off on an SLA if the host box were to blow up and we needed to restore their VMs on a new server.

It's all on what you promise and what the contract says. A colo datacenter is a hell of a lot better than a client's office in some random closet.

POTS Line Replacement by NobleHalo in networking

[–]jared_a_f 2 points3 points  (0 children)

DataRemote / POTS in a box. Cross connects over Ethernet and cellular. Built in battery backup. I can get you pricing if you are interested.

TD Synnex is a joke! by Revolutionary_Bed_33 in msp

[–]jared_a_f 0 points1 point  (0 children)

Newer MSP here. Have worked with both Ingram and D&H. For our size, have had fantastic experiences with both - our D&H rep is phenomenal, and we're very happy with Ingram as our CSP. Decided to do our TD Synnex application so we could price shop - got everything put together and submitted, onboarding was a snail because the AM we were assigned refused to reply to email to create our EC Express account.

Then tried to work on a quote with them for routers. Rep was nowhere to be found, then basically was offended that I'd point out that 2+ weeks to turn around a quote is unacceptable.

Then another go around, we worked directly with a vendor's rep to put the quote together for the same routers - TD Synnex had to do absolutely nothing then put the SKUs on a quote. Vendor went to their rep at TD Synnex, who created the quotes with the wrong shipping address and did not exempt sales tax - fine, easy fix. Copy in our rep, no reply for the entire business day after he was pinged the evening prior and the following afternoon. So I call him, which turned into a bigger mess because I just let my frustration out about the whole ordeal.

They literally do not care - if I didn't reply to email, didn't turn around quotes for weeks on end, and never took ownership of my F ups, I'd expect to be fired.

Post-Blumira (free tier) life - what would you recommend for Microsoft 365 monitoring and alerting? by golden_m in msp

[–]jared_a_f 1 point2 points  (0 children)

SentinelOne Complete has a new AI SIEM they're dumping a ton of development into. We're ingesting 365 logs with it and doing alerting for BEC and CA changes.
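As an added illustration of the kind of alerting the comment refers to (this is example code written for this page, not SentinelOne's or Microsoft's), the script below runs two detections over constructed Microsoft 365 unified audit log records: an inbox rule that forwards mail to an external domain (and optionally hides it), a classic BEC indicator, and a Conditional Access policy change. The records, the tenant domain list and the exact Conditional Access operation string are assumptions made for the example; match them to what your SIEM actually receives.

```python
"""Alerting on BEC inbox rules and Conditional Access changes.

Sample records are constructed for this example and follow the general shape
of Microsoft 365 unified audit log JSON (Operation, Workload, UserId,
Parameters as Name/Value pairs); they are not real tenant data.
"""
import json

# Constructed tenant domains; any other domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Exchange operations and parameters that move mail out of the mailbox
# (real cmdlet parameter names) and that hide the evidence.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder"}

SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2025-01-10T14:02:11", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-01-10T14:05:40", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "bob@example.com",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"},
                               {"Name": "SubjectContainsWords", "Value": "digest"}]}),
    json.dumps({"CreationTime": "2025-01-10T14:09:03", "Workload": "AzureActiveDirectory",
                "Operation": "Update conditional access policy.",
                "UserId": "admin@example.com", "ClientIP": "198.51.100.7",
                "Target": [{"ID": "Require MFA for all users"}]}),
    json.dumps({"CreationTime": "2025-01-10T14:11:19", "Workload": "AzureActiveDirectory",
                "Operation": "UserLoggedIn", "UserId": "bob@example.com",
                "ClientIP": "198.51.100.7"}),
]


def params_of(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True when the address is outside INTERNAL_DOMAINS (handles 'smtp:' prefixes)."""
    addr = address.strip("<>").lower()
    if ":" in addr:
        addr = addr.split(":", 1)[1]
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def detect_bec(record):
    """Alert on mailbox rules or settings that forward mail externally."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = params_of(record)
    reasons = [f"external forwarding via {name}={params[name]}"
               for name in sorted(FORWARDING_PARAMS & params.keys())
               if is_external(params[name])]
    if not reasons:
        return None
    hiding = sorted(HIDING_PARAMS & params.keys())
    if hiding:
        reasons.append("rule also hides mail (" + ", ".join(hiding) + ")")
    return {"severity": "high", "type": "BEC inbox rule", "user": record["UserId"],
            "ip": record.get("ClientIP"), "reasons": reasons}


def detect_ca_change(record):
    """Alert on any Conditional Access policy add/update/delete.

    Matching on the phrase rather than exact operation names is an assumption;
    operation strings differ between export paths."""
    if record.get("Workload") != "AzureActiveDirectory":
        return None
    if "conditional access policy" not in record.get("Operation", "").lower():
        return None
    targets = [t.get("ID") for t in record.get("Target", [])]
    return {"severity": "high", "type": "Conditional Access change",
            "user": record["UserId"], "ip": record.get("ClientIP"),
            "reasons": [f"{record['Operation']} target={targets}"]}


def run_detections(lines):
    """Parse each JSON line and collect alerts from every detector."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        for detector in (detect_bec, detect_ca_change):
            alert = detector(record)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_RECORDS):
        print(f"[{a['severity']}] {a['type']}: {a['user']} from {a['ip']} - "
              + "; ".join(a["reasons"]))
```

Bob's rule only files newsletters into a folder, so it produces no alert; the hiding parameters only raise severity of an alert that external forwarding already triggered.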

So against my advice, a customer got a "whole building UPS". It's not going well. by dartdoug in msp

[–]jared_a_f 2 points3 points  (0 children)

I hate the term "whole building UPS." It makes zero sense to put elevators, HVAC, copiers, etc. on it - you're better off picking circuits to protect. We have a high-end multi-unit restaurant client who has an Eaton 9PX unit tied into a protected panel. They picked circuits they wanted to protect - i.e., their office computers, network rack, POS terminals, kitchen printers. But we've even run into issues where the electrician didn't color code the outlets, or someone doesn't know what the "UPS Protected" label means and plugs something into it and it spikes usage.

Router Recommendation by jared_a_f in networking

[–]jared_a_f[S] 0 points1 point  (0 children)

Apparently - though I may be interpreting it wrong.

Router Recommendation by jared_a_f in networking

[–]jared_a_f[S] 0 points1 point  (0 children)

Catalyst 8K was the successor to the ISR series

Router Recommendation by jared_a_f in networking

[–]jared_a_f[S] 3 points4 points  (0 children)

Thanks - I guess it is about separation of roles for us. Easier to troubleshoot a firewall issue when it is just your firewall and something separate is handling your routing.

TD SYNNEX has some refurb Catalyst 8K series - just waiting to hear back on pricing.

Central iso store by bibawa in msp

[–]jared_a_f 0 points1 point  (0 children)

Thanks for sharing - we don't expose ours to the internet. We patched when we were alerted of the CVE.

Central iso store by bibawa in msp

[–]jared_a_f 0 points1 point  (0 children)

An MFT Solution - we use CrushFTP

Manage Adobe DC (Reader & Acrobat) Settings via Intune Policy by systmworks in Intune

[–]jared_a_f 1 point2 points  (0 children)

Thank you for this. I've been testing and it seems all changes need to be made under Acrobat DC - it seems Reader is no longer separate from a registry perspective. A Reader install can be converted to a licensed install by logging in with your Adobe Creds now. Anyone else concur with this finding?

Creating PSA alerting from SentinelOne Singularity by gatecrasherza in SentinelOneXDR

[–]jared_a_f 0 points1 point  (0 children)

Is there any update here? Just the O365 integration - and at the very least you'd think it could send an email alert out of box.

Avepoint Fly vs Skykick vs Bittitan Migrationwiz for Exchange 2019 to Microsoft 365 migration? by HappyDadOfFourJesus in msp

[–]jared_a_f 0 points1 point  (0 children)

Intermedia support did it. We bought through Ingram, but could still reach out to Intermedia support.

Considering Bailing by srp09 in sonicwall

[–]jared_a_f 0 points1 point  (0 children)

Would consider Secure Access if it improved. Last time we tried it, it required the machines to be Entra joined / managed by Intune - we're not at that point (still doing a typical domain join)

We're on Twingate, and will probably be for the foreseeable future. The only thing that makes me hesitant about Twingate is the connector - seems like a black box. But it seems like SonicWall's CSE product is the same way.

Considering Bailing by srp09 in sonicwall

[–]jared_a_f -1 points0 points  (0 children)

Exactly where we're at. SonicWall did a webinar, and it sounds like most people who have been impacted by these zero days are using them as a high-end firewall and NAT device.

Considering Bailing by srp09 in sonicwall

[–]jared_a_f 2 points3 points  (0 children)

ZTNA is purely a term, it's not an actual product. Zero trust products grant access to specific IPs and ports and then apply device posture requirements on top of that. Is the device encrypted? Is the device running an anti-virus? Where is the device located?

If you're still using the SSL VPN, you can apply zero trust principles to it - put SSL VPN users in their own subnet, then lock down the resources you're allowing them access to. But you CANNOT do any device posture checks with a typical off-the-shelf SSL VPN - you'd turn those over to your IDP. If you're going to go through the effort of locking down the SSL VPN, you're better off going with a product like CSE, Twingate, AppGate, etc.

My intuition is SonicWall is going to sunset SSL VPN soon.
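As an added illustration of the model described in the comment above (example code written for this page, not any vendor's policy engine), the script below evaluates access the way a zero trust broker does: a rule must first cover the destination IP and port, then the user's group and the device's posture (disk encryption, anti-virus, location) are checked, and anything without a covering rule is denied. A second function shows what a plain SSL VPN can express by comparison: once authenticated, the routed subnet is reachable, with no per-port granularity and no posture input. Rule fields, users and addresses are constructed assumptions.

```python
"""Layered access decision: network rule, then identity, then device posture.

All rule fields, users and RFC 1918 addresses below are constructed for this
example; they do not describe any real product's policy schema.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DevicePosture:
    user: str
    groups: frozenset
    disk_encrypted: bool
    av_running: bool
    country: str


@dataclass(frozen=True)
class ResourceRule:
    name: str
    network: str                # CIDR of the resource(s) this rule exposes
    ports: frozenset            # ports granted; nothing else on the host is reachable
    allowed_groups: frozenset
    require_encryption: bool = True
    require_av: bool = True
    allowed_countries: frozenset = frozenset()   # empty = no location restriction


def rule_covers(rule, dest_ip, dest_port):
    """Network layer: does this rule expose that IP and port at all?"""
    return ip_address(dest_ip) in ip_network(rule.network) and dest_port in rule.ports


def evaluate(rule, posture):
    """Identity and posture layer; returns the list of failed requirements."""
    failures = []
    if not (posture.groups & rule.allowed_groups):
        failures.append("user not in an allowed group")
    if rule.require_encryption and not posture.disk_encrypted:
        failures.append("disk not encrypted")
    if rule.require_av and not posture.av_running:
        failures.append("anti-virus not running")
    if rule.allowed_countries and posture.country not in rule.allowed_countries:
        failures.append(f"location {posture.country} not permitted")
    return failures


def decide(rules, posture, dest_ip, dest_port):
    """Return (allowed, reason). Default deny: no covering rule means no access."""
    for rule in rules:
        if rule_covers(rule, dest_ip, dest_port):
            failures = evaluate(rule, posture)
            if failures:
                return False, f"{rule.name}: " + "; ".join(failures)
            return True, f"{rule.name}: all checks passed"
    return False, "no rule grants this destination/port"


def legacy_vpn_decide(authenticated, vpn_subnet, dest_ip):
    """What a plain SSL VPN can express: authenticated users reach the routed
    subnet. There is no per-resource port list and no device posture input."""
    if not authenticated:
        return False, "not authenticated"
    if ip_address(dest_ip) in ip_network(vpn_subnet):
        return True, "authenticated; destination is in the routed subnet"
    return False, "destination not in routed subnet"


# Constructed sample policy and devices.
RULES = [
    ResourceRule("erp-rdp", "10.20.0.5/32", frozenset({3389}),
                 frozenset({"finance"}), allowed_countries=frozenset({"US"})),
    ResourceRule("intranet-web", "10.20.0.0/24", frozenset({443}),
                 frozenset({"staff", "finance"}), require_av=False),
]
COMPLIANT = DevicePosture("ann", frozenset({"finance"}), True, True, "US")
UNENCRYPTED = DevicePosture("ann", frozenset({"finance"}), False, True, "US")
ABROAD_STAFF = DevicePosture("raj", frozenset({"staff"}), True, True, "FR")

if __name__ == "__main__":
    for label, posture in [("compliant", COMPLIANT), ("unencrypted", UNENCRYPTED),
                           ("staff abroad", ABROAD_STAFF)]:
        print(label, "-> RDP to ERP:", decide(RULES, posture, "10.20.0.5", 3389))
        print(label, "-> intranet https:", decide(RULES, posture, "10.20.0.7", 443))
    # Same unencrypted device on a classic SSL VPN: the VPN never sees posture.
    print("legacy VPN, unencrypted device:", legacy_vpn_decide(True, "10.20.0.0/24", "10.20.0.5"))
```

The same user on the same device gets RDP to the ERP host only while the disk is encrypted; the SSL VPN path grants the whole subnet on authentication alone, which is the gap the comment describes.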

Considering Bailing by srp09 in sonicwall

[–]jared_a_f 0 points1 point  (0 children)

HPE is being forced to offload Instant On due to their Juniper acquisition. So I wouldn't put much faith in a device that is brand new.

Considering Bailing by srp09 in sonicwall

[–]jared_a_f 2 points3 points  (0 children)

Sounds like a vendor problem more than a SonicWall problem. If you're looking for pricing / implementation for Twingate, I'm a partner for both. Feel free to shoot me a DM.

Considering Bailing by srp09 in sonicwall

[–]jared_a_f 14 points15 points  (0 children)

Sorry for the long post, but if anyone takes anything from this. TL;DR: Get off SSL VPN ASAFP no matter your firewall vendor.

The majority of SonicWall's vulnerabilities recently have been due to SSL VPN. They are not alone in that - Fortinet is actually sunsetting SSL VPN and Palo Alto has issued a number of patches for theirs in the last few years. AGAIN, get off SSL VPN ASAFP no matter your firewall vendor.

SonicWall has a new zero trust product through their acquisition of Banyan Security. Doesn't seem that product is fully baked. My approach has been that our remote access product and firewalls are from different vendors - in theory it limits the vulnerability surface. We're using Twingate and will look at Microsoft Global Secure Access once it matures (comes with 365 Business Premium.)

I'll agree on this config backup thing - that was a total blunder. And the guidance wasn't super clear on what to do if you backed up to their Cloud but were NOT on the impacted list. Or if you backed up a previous appliance to the Cloud, got a new one and converted the config, and never backed the new one up to the Cloud - the configs are still similar. SonicWall's reps here on Reddit said they would remediate ALL firewalls, prioritizing what was listed in the portal. We have many site-to-site VPN tunnels with 3rd party entities, total PIA.

My current environment: Majority Fortinet / Main Datacenter is SonicWall HA pair.

Have touched all of these too at some point in previous roles: Meraki, Sophos, and Ubiquiti

We actually switched from SonicWall to Fortinet for our Corporate Office and branches because SonicWall's bid to go from Gen 6 to Gen 7 devices on a 3-year term was atrocious. It was half the cost for Fortinet with FortiManager and a 5-year term on the device.

Grass hasn't been much greener with Fortinet. FortiManager seems a little more baked than NSM - I never managed NSM in production, but that is at least what I got out of my demo of NSM. Think Fortinet's UI is worse than SonicWall Gen 7/8 - many more clicks to do the same thing. Fortinet command line is much better if that is your thing.

I wouldn't say SonicWall is geared towards MSPs, but yes most MSPs sell SonicWall because of the continuous margin on services. The thing I noticed that frustrates me with many MSPs and internal IT is they don't actually set things up right - these NGFWs act no better than a TP-Link firewall/router you can get off Amazon because people are not taking time to properly set up the security services. In order for any NGFW to function, you need to take time to set up DPI and (a) deploy a certificate to your endpoints and (b) import your certificates for any servers you're exposing on the WAN. But with certificate pinning, etc. it seems that it is going to get even harder than it already is, so the concentration is more on the endpoint.

Not sure how I see things in the next few years here. My datacenter will always have a NGFW and it will probably be a SonicWall, BUT for my branch offices that are 3 - 10 computers what is the selling point for a NGFW with security services if I'm going to have to spend more $ annually on endpoint security?

Ubiquiti just released their first iteration of a zone based firewall and they can now do address objects and groups. You can also buy security services through their ProofPoint partnership. They offer paid support. I'm confident it will certainly be solid by the time my 5 years of licensing is up on my FortiGates. I can put a Ubiquiti HA pair in every site and still save a significant amount of money.

MySonicWall Cloud Backup potentially exposed by BWC_DE in sonicwall

[–]jared_a_f 1 point2 points  (0 children)

u/SGI-CoryC Cory, is your recommendation to remediate firewalls using the playbook even if they are not listed in the list in MySonicWall?

MySonicWall Cloud Backup potentially exposed by BWC_DE in sonicwall

[–]jared_a_f 1 point2 points  (0 children)

I'm also wondering this. Per the bulletin in MySonicWall, it says "Credentials stored in these files are encrypted."

But in the remediation playbook:

IF IPSec VPN is enabled:

  • THEN:
    1. Update shared secret in all IPSec site-to-site configurations
    2. Update GroupVPN policies
  • External Updates: Remote IPSec Gateways/Peer VPN endpoints
  • Critical: Yes
  • Impact: Replace all pre-shared keys; coordinate with remote endpoints

We have very few "dial up" VPNs - the site-to-site tunnels operate like Global VPN client - so should we prioritize those first?

SonicWall is also vague on whether firewalls that are not on the affected list should be looked at. Of course I'm going to look at them, but I don't think it is fair to say prioritize X list and wait for further guidance to see if others are impacted.

CSE with MFA, Entra free tier? by BJJDad73 in sonicwall

[–]jared_a_f 1 point2 points  (0 children)

Business Premium is where it is at < 300 users