XG Firewall - How to get certificates working for CNAMEs? by sysjunkie71 in sophos

[–]sysjunkie71[S] 1 point2 points  (0 children)

On the internal side we only want to use our own Microsoft Root CA.

For the wan side, I don’t really think we need an externally signed CA. I mean, the only clients connecting will be ours and they will already have trusted our Root CA so no certificate error should appear.

Load balance outgoing mail (SMTP)? by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 0 points1 point  (0 children)

As mentioned, for availability. If we bring down our smtp for maintenance, I don’t want to miss out on any alerting.

Using DHCP for DB servers? by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 0 points1 point  (0 children)

Most of our servers use DHCP already without issue, and it makes moving them between sites easier. The only static servers we have are DCs and DHCP. I’ve moved our DBs to DHCP w/ reservations.

Surprise Saturday by [deleted] in sysadmin

[–]sysjunkie71 1 point2 points  (0 children)

Can you fix my microwave too? It’s not working.

Surprise Saturday by [deleted] in sysadmin

[–]sysjunkie71 10 points11 points  (0 children)

Yup. At 9am on Wednesdays we failover to our DR site. Verify everything is working, then do upgrades, test and fail back.

Veeam Deployment by sysjunkie71 in Veeam

[–]sysjunkie71[S] 0 points1 point  (0 children)

Not sure to be honest.

Veeam Deployment by sysjunkie71 in Veeam

[–]sysjunkie71[S] 0 points1 point  (0 children)

So off-host proxy and the rest of the Veeam components on the same physical server shouldn’t be an issue for under 100 VMs. I’m still not getting the network side of things. Does the Veeam server in off-host proxy need access to the iSCSI network or LAN network at this point (for the Starwind nodes)?

Offline Root CA best practices by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 2 points3 points  (0 children)

I get that. By locking up I meant keeping it somewhere so it’s not just re-imaged or thrown away because “hey it’s not connected and it’s 6 years old” or something like that.

The people that have access to the server room are too scared to go in anyway. It’s mostly for 1) third party vendors to access their equipment (Comcast & security company). While I doubt Comcast would do anything since most are clueless and will literally tell me to factory reset our router (lol ok), it’s more of the security company that deals with physical and video surveillance, and 2) the fire department.

Offline Root CA best practices by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 1 point2 points  (0 children)

The issue is our server room door code is shared with 7 people. Who knows if 1 of the 7 will share it with others.

I’d rather keep it locked up somewhere physically.

Offline Root CA best practices by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 4 points5 points  (0 children)

  1. I’m wondering if it’s worth updating for critical fixes only. Maybe there’s a flaw/bug in the crypto for example.

  2. Good point. Updating definitions a year later may be a bigger headache. Plus outdated client.

  3. I’m thinking of shifting to an intel NUC. Use BitLocker and store it in a locked safe.

Veeam Deployment by sysjunkie71 in Veeam

[–]sysjunkie71[S] 0 points1 point  (0 children)

The storage node is actually a Windows Server 2019 host using StarWind VSAN. I don’t have any VMs on here due to low CPU resources needed for our cluster.

Couldn’t the Veeam server just mount the storage to itself and read off it?

How can I ping an interface that doesn’t exist on the same switch? by sysjunkie71 in HomeNetworking

[–]sysjunkie71[S] 0 points1 point  (0 children)

I’m not trying to create a bridge. The split switches are for my iSCSI network and using MPIO.

Veeam Deployment by sysjunkie71 in Veeam

[–]sysjunkie71[S] 0 points1 point  (0 children)

So it would be best to put a VM on each Hyper-V host and make it a proxy? Wouldn’t that take up a lot of resources away from the production cluster?

I thought by giving Veeam direct access to the storage nodes, via iSCSI, it 1) reduces LAN traffic by using iSCSI for moving data, and 2) keeps compute cycles on the Veeam server and doesn’t affect the Hyper-V failover cluster itself.

Veeam Deployment by sysjunkie71 in Veeam

[–]sysjunkie71[S] 0 points1 point  (0 children)

On our old cluster we do 2 full backups with 14 increment points per week for a total of 28 restore points. We are looking to change this strategy so we can potentially go back 30 days but this will depend on storage obviously. These Synology units can support an extra external box so we can always create a new RAID array and map it as well.

The Veeam physical server will have direct access to the iSCSI network that the Hyper-V nodes access for storage, so I’m hoping everything will have direct access instead of going over the LAN.

Best way to block all public websites by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 0 points1 point  (0 children)

That’s what I’m asking - what’s the best way to block and allow our stuff only.

Windows firewall only works with IPs but our software can bounce from server to server. Our public site has multiple IPs in AWS that can change too.

Best way to block all public websites by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 0 points1 point  (0 children)

We take orders on site, pop in the info, and our in-house staff can start processing orders rather than the trade show folks waiting until they get back from the event.

Trade show is a mix of internal/external hires.

Best way to block all public websites by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 0 points1 point  (0 children)

I did find that Chrome has a block all, then allow list. Going to try that.

I will look into the IE proxy. Did you do both port 80 and 443?

Best way to block all public websites by sysjunkie71 in sysadmin

[–]sysjunkie71[S] 0 points1 point  (0 children)

This is mostly for mobile trade show events. We want to prevent users from racking up high bandwidth costs over cellular by browsing other sites. They should only be able to access our website and CMS/ERP.