A WINS Server is Required



  • At Inedo, our "server stuff" has been handled by me and the other devs; in the interest of finding someone who actually knows how to do "server stuff", as well as to free up dev resources, we decided to hire a managed IT services firm. There are a lot of companies out there, and after interviewing six of the top companies (with all the certifications, of a reasonable size, competent initial conversations, etc), we finally selected one.

    They seemed to set up a few workstations and help transition our email to Office365, so I thought it was time to have them help in our actual internal network.

    First... they immediately recommended we switch from a consumer-grade DD-WRT router to a Cisco Meraki. Good advice, that's exactly the sort of thing I was hoping to hear. Of course, changing routers means changing VPN configuration, and that means we need to carefully time and prepare for it, as to not cause outages for our remote staff. They understood that, and assured me they know how to do this... it's pretty easy, so I trusted them and delegated.

    It didn't go so well. Maybe I should have CANCELED ORDER after the first failed switchover attempt, but after the third failed switchover, I sent a rather pointed email trying to understand why something so simple caused such disruption and hassle for everyone (not to mention billable hours).

    As The Experts, they were quite defensive and said it was all Inedo's fault. This is what they wrote about failed attempt #2:

    We assumed the user was having trouble accessing server resources via the short name or netbios name when I saw a WINS server was not configured in the Meraki VPN settings. To access server resources via short name over a Meraki VPN, WINS needs to be installed on the server and referenced in the VPN configuration. We added WINS to the domain controller and configured it in the Meraki VPN settings. WINS has a very small footprint and I don't foresee any issues with WINS running on the server even with limited hardware resources. The user stated they still could not access network resources and they reverted back to the old firewall again.

    As you can see we've had to repair items not properly set up by your team.

    :wtf: :facepalm:

    I pointed him to the Windows 2000 docs, where they talked about how WINS is now deprecated in favor of DNS, as well as how to configure a Meraki router to use DNS suffixes for "short names". I haven't heard back yet... but I don't suspect they're going to be our IT vendor any longer.

    The first failed attempt, by the way, was a result of users being unable to authenticate. Meraki requires an SSL certificate to authenticate with our domain controller. Usually not a big deal, except they decided to install IIS on our domain controller to generate a cert. That didn't work so well, since our DC is a five-year-old rubbish server that we were hoping some IT person could replace for us.

    And yes, the real WTF here is me. If only there was some site that warned me that finding competent IT people wasn't so easy...


  • Impossible Mission Players - A

    @apapadimoulis said in A WINS Server is Required:

    some site that warned me that finding competent IT people wasn't so easy...

    StackOverflow.com ?


  • Winner of the 2016 Presidential Election

    @tsaukpaetra said in A WINS Server is Required:

    @apapadimoulis said in A WINS Server is Required:

    some site that warned me that finding competent IT people wasn't so easy...

    StackOverflow.com ?

    Eh, I think a daily reminder would be better. It would need to be something that makes you go WTF!? too...


  • Winner of the 2016 Presidential Election

    @apapadimoulis said in A WINS Server is Required:

    We assumed the user was having trouble accessing server resources via the short name or netbios name

    @apapadimoulis said in A WINS Server is Required:

    The user stated they still could not access network resources and they reverted back to the old firewall again.

    So they assumed something, installed something on the crappy DC server, didn't fix anything, and blame the client? Classy!



  • WINS? That will go great with their planned upgrade of your network transport to IPX/SPX :trollface:

    We looked at Cisco Meraki stuff but the ongoing subscription costs were extremely high, plus there was some grumblings about performance from the community. The Meraki AP I tested was fine though, performance wasn't outstanding but more than acceptable and seemed stable.

    Edit: The fact that you lose all access to the devices, even locally, if you stop paying the subscription fee rubbed me the wrong way as well.



  • Well since apparently this will be my job again, any suggestions to replace a consumer grade DDWRT router? It's worked amazingly well thus far...


  • Impossible Mission Players - A

    @apapadimoulis said in A WINS Server is Required:

    Well since apparently this will be my job again, any suggestions to replace a consumer grade DDWRT router? It's worked amazingly well thus far...

    Get a business grade ddwrt router?

    Unless you want to build yourself a Tomato, but that's usually not worth the effort...



  • @apapadimoulis said in A WINS Server is Required:

    Well since apparently this will be my job again, any suggestions to replace a consumer grade DDWRT router? It's worked amazingly well thus far...

    I really love our pfSense box.

    It's pretty much plug-and-go if you only want basic stuff (NAT to an internet connection and firewall features). If you want to start getting a bit more involved with intersubnet /interVLAN routing, multiple public IPs, IDS, web caching, filtering etc... then there is a bit of a learning curve but it's fairly well designed and sensible.
    It has been rock-solid stable too, which is nice. Especially as I have it doing pretty much everything it's capable of on an FTTP connection.

    I use the free community edition on an IBM X3850 but there are pre-built servers available with commercial software support from Netgate if you want.

    You could install it on a desktop machine and it would probably work acceptably for a quick try-out. Our install does exercise the X3850 though so it needs some decent hardware for deployment.


  • Discourse touched me in a no-no place

    @apapadimoulis said in A WINS Server is Required:

    any suggestions to replace a consumer grade DDWRT router? It's worked amazingly well thus far...

    Beyond the questionable (in light of their apparent abilities) advice - is there any pressing need to actually replace it?



  • @cursorkeys said in A WINS Server is Required:

    WINS? That will go great with their planned upgrade of your network transport to ~~IPX/SPX~~ NetBEUI over token ring :trollface:



  • @pjh said in A WINS Server is Required:

    @apapadimoulis said in A WINS Server is Required:

    any suggestions to replace a consumer grade DDWRT router? It's worked amazingly well thus far...

    Beyond the questionable (in light of their apparent abilities) advice - is there any pressing need to actually replace it?

    I don't think DDWRT supports any kind of IDS/IPS, I'd say this is pretty essential for a business these days. Snort has saved our bacon a few times by blocking all sorts of things, including ransomware second-stage payloads.
    Plus our SIP lines get hammered 24/7. It should be secure but it's nice to see the attacks just get safely eaten rather than get as far as the PABX.

    Of course you can just add a NIPS box to your existing network but it might make sense to upgrade to a more powerful complete solution instead.


  • Grade A Premium Asshole

    Off topic, but since OP mentioned Cisco Meraki and I don't know shit about networking, I googled it to see what it was. Found the website... and found this quote on it:

    0_1502105263994_cisco-meraki-retard.png

    WHY THE FUCK WOULD YOU EVER DO THAT?! AAAAHHHHHHH!


  • sockdevs

    @blek said in A WINS Server is Required:

    WHY THE FUCK WOULD YOU EVER DO THAT?!

    i'm going to go with "because they're a public location, probably a coffee bar or similar, that wants to attract customers by providing "free" wifi, and that they'll use the facebook login information to mine their customers for as much saleable data as possible, data they will then sell as many times as possible before it becomes worthless, at which point they'll add some data that they had collected that wasn't saleable because it was private, and they'll sell that data set on the dark web. Then they'll repeat the whole dance next month, and the next month, and the next month....."


  • I survived the hour long Uno hand

    @blek said in A WINS Server is Required:

    Off topic, but since OP mentioned Cisco Meraki and I don't know shit about networking, I googled it to see what it was. Found the website... and found this quote on it:

    0_1502105263994_cisco-meraki-retard.png

    WHY THE FUCK WOULD YOU EVER DO THAT?! AAAAHHHHHHH!

    So you can find the fucker who keeps stealing your bandwidth and murder him.


  • Winner of the 2016 Presidential Election

    @yamikuronue said in A WINS Server is Required:

    So you can find the fucker who keeps stealing your bandwidth and murder him.

    Did you, by any chance, have lunch with @Lorne-Kates in the last few hours?


  • I survived the hour long Uno hand

    @asdf Why would I do that? Better if we're not seen together. There's no link that way.






  • I survived the hour long Uno hand

    @timebandit
    Having had to go in and clean up the pieces from several Untangle installations, I would recommend avoiding that solution.

    @apapadimoulis
    If you're interested in looking for a different MSP, let me know - that's my day job, and we have about a third of our staff working remotely, so I like to think we do a pretty good job of supporting "remote work" setups. Of course, it could be our remote staff don't work, and just don't tell me so they don't ruin a good thing, but.... :shrug:


  • Grade A Premium Asshole

    @apapadimoulis said in A WINS Server is Required:

    Well since apparently this will be my job again, any suggestions to replace a consumer grade DDWRT router? It's worked amazingly well thus far...

    First off, why are you wanting to replace it? Also, what is your budget to do so? Are you wanting another roll-your-own solution? What features do you need? What do you need out of your firewall?

    I own a managed IT services firm. If I were closer to you I would want to throw my hat in the ring. Given the distance that is an impossibility. I would be happy to help you choose a service in any way that I can though.



  • @apapadimoulis said in A WINS Server is Required:

    They seemed to set up a few workstations and help transition our email to Office365,

    You should have verified that they actually did it instead of just seeming to do it.

    @apapadimoulis said in A WINS Server is Required:

    First... they immediately recommended we switch from a consumer-grade DD-WRT router to a Cisco Meraki. Good advice,

    ... no it's not. Cisco stuff is garbage. Maybe if you're AT&T you're operating at the scale where you'd require Cisco expertise, but if you're anything smaller Cisco's crappy configuration is going to be more of a burden than a help. (Basically, if you're going Cisco, you need a guy who full-time does nothing but Cisco. Because their shit is so awful to learn and use.)

    @apapadimoulis said in A WINS Server is Required:

    The first failed attempt, by the way, was a result of users being unable to authenticate. Meraki requires an SSL certificate to authenticate with our domain controller. Usually not a big deal, except they decided to install IIS on our domain controller to generate a cert. That didn't work so well, since our DC is a five-year-old rubbish server that we were hoping some IT person could replace for us.

    Not sure why the age or rubbish-ness of the server is relevant to generating certificates...?


  • Grade A Premium Asshole

    Also, Meraki is total shit. Our SOP is to ditch it as soon as possible when we take on new clients that run any of their equipment. Return it while the window is still open. Ditch it. If you need good, affordable, firewall software that is suitable for the SMB space we prefer to build our own using Nethserver. We have been using it for ~2 years without any major hiccups.



  • @blakeyrat I haven't done any of this type of work in like 8 years, but I can recommend the Barracuda brand, and they have a small business VPN product they're willing to give you a free trial of: https://www.barracuda.com/landing/pages/firewall/secure-vpn-access


  • Grade A Premium Asshole

    @blakeyrat said in A WINS Server is Required:

    I haven't done any of this type of work in like 8 years, but I can recommend the Barracuda brand

    I can't. It is slightly less shit than Cisco.

    Also, as he is a huge Windows guy and dislikes Linux I would suggest he upgrade the aged server, move to Server 2016 and have that handle the VPN duties.



  • @polygeekery said in A WINS Server is Required:

    I would suggest he upgrade the aged server, move to Server 2016 and have that handle the VPN duties.

    Wouldn't you still want something between it and the 'nets, though? I'd think you would.



  • @polygeekery said in A WINS Server is Required:

    @blakeyrat said in A WINS Server is Required:

    I haven't done any of this type of work in like 8 years, but I can recommend the Barracuda brand

    I can't. It is slightly less shit than Cisco.

    Also, they bought their competitor in the email filtering space and then declared 80% of my paid-up-front yearly subscription had vanished into the ether as they were immediately dropping all the competitor's product lines. No refunds either, which was apparently still somehow legal.
    They offered me a deal on transferring my license to one of their appliances for, no joke, about 10x more than I was paying.

    Fuck Barracuda.


  • Grade A Premium Asshole

    @blakeyrat said in A WINS Server is Required:

    @polygeekery said in A WINS Server is Required:

    I would suggest he upgrade the aged server, move to Server 2016 and have that handle the VPN duties.

    Wouldn't you still want something between it and the 'nets, though? I'd think you would.

    You would. A Nethserver box to handle firewall and other duties, forward VPN ports to the Server 2016 box.



  • @cursorkeys Ok, lesson learned. Like I said, I haven't done this shit in a long time.



  • @blakeyrat said in A WINS Server is Required:

    Wouldn't you still want something between it and the 'nets, though? I'd think you would.

    Of course, since connecting a Windows box directly to the Internet is asking for trouble.

    You need a crappy-open-source™ Linux box in front of it, even if it's not supposed to be more secure.


  • Fake News

    What, Banyan VINES over Token Ring doesn't work for you either?


  • Grade A Premium Asshole

    @izzion said in A WINS Server is Required:

    Having had to go in and clean up the pieces from several Untangle installations, I would recommend avoiding that solution.

    Untangle used to be a good solution. It was what we used before Nethserver.

    In the open source firewall software sphere there seems to be a timeline of evolution for them.

    They start out free and open source and are pretty good at what they do and are good solutions for advanced home power users and small businesses who really have to watch the bottom line.

    Then they move on to offering paid add-ons and the money they bring in is used to improve the products and they get a little better.

    Then they start taking functionality that used to be in the free tier and making people pay for it. This is usually the start of their decline. Meanwhile, other software that is up and coming and in the first stage of evolution is offering this functionality for free.

    After that point, they turn completely to shit. Some go out of business at this point, others get bought out and some start their own "enterprise" offerings.



  • @lolwhat said in A WINS Server is Required:

    What, Banyan VINES over Token Ring doesn't work for you either?

    Hard to connect that to the AppleTalk network you need for file sharing.


    What I don't get is companies like this, have they ever successfully completed setting up a VPN? Or is it like the company was founded by one guy who did but since then he's hired on incompetent "help", and also doesn't bother to train or even talk to them? It's hard to imagine how such companies even exist.

    Or since they're charging by the hour apparently, do they just expect to fail but hope to drag out the charging as long as possible before the client realizes they're useless? Hm.



  • @blakeyrat said in A WINS Server is Required:

    Not sure why the age or rubbish-ness of the server is relevant to generating certificates...?

    Certificate requests from OSes of that vintage default to SHA-1, which Windows private CAs will honor and issue, even though no current browser, OS, or public CA will accept them.

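A defender-side check for the point made above, added here as an example and not code from the thread or from any vendor mentioned in it: it walks the outer DER framing of an X.509 certificate with the Python standard library only, reads the signatureAlgorithm OID, and flags SHA-1 or MD5 signatures. The sample certificates are constructed stand-ins with placeholder bodies; only the outer Certificate framing is real, and the helper names are mine.

```python
"""Flag certificates whose signature uses a deprecated hash (SHA-1 / MD5)."""
import base64
import re

# Signature-algorithm OIDs from RFC 3279, RFC 4055 and RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_HASHES = ("md5", "sha1")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def to_der(data):
    """Accept PEM or DER bytes; return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm(cert):
    """Return (dotted OID, name) of the certificate's outer signatureAlgorithm."""
    der = to_der(cert)
    tag, cert_body, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)          # tbsCertificate (not interpreted here)
    tag, alg_body, _ = _read_tlv(cert_body, pos)    # signatureAlgorithm ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_raw, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_raw)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def uses_weak_hash(cert):
    """True when the signature hash is MD5 or SHA-1, which a legacy CSR defaults to."""
    _, name = signature_algorithm(cert)
    return any(h in name.lower() for h in WEAK_HASHES)


def _der(tag, body):
    """Minimal DER encoder used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _sample_cert(sig_oid_bytes):
    """CONSTRUCTED stand-in: real outer framing, placeholder tbsCertificate and signature."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                        # placeholder body
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + b"\x05\x00")    # AlgorithmIdentifier + NULL
    sig = _der(0x03, b"\x00" * 9)                                # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)


SHA1_RSA_CERT = _sample_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = _sample_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11


def sample_pem():
    """The SHA-256 sample wrapped as PEM, to exercise the PEM path."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SHA256_RSA_CERT)
            + b"\n-----END CERTIFICATE-----\n")
```

Point `signature_algorithm()` at the DER or PEM of any certificate a private CA has issued to spot the SHA-1 ones before a client refuses them.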

  • I survived the hour long Uno hand

    @polygeekery
    Yeah, ultimately all firewalls (like anti-viruses) have their realms of shit. Since, after all, the raison d'être of a firewall is to prevent your computer from doing stuff so that it doesn't get harmed. Personally, as much as I don't spend the extra $$$$$$$$ for Cisco/Meraki on my home stuff, I recommend it over ${OPENSOURCESOLUTION} for the businesses I support, because ultimately I want to sell something to someone that they can find a different provider to support if they need to move on without me for whatever reason. Well, that and no one got fired for buying IBM.

    I've worked with SonicWALL in the past, and it's serviceable as long as you maintain the support subscription and actually install the software updates... as long as you aren't trying to maintain a SIP phone system with remote endpoints. For whatever reason, SonicWALL is just 100% non-functional when it's passing more than one or two SIP connections through the firewall. Current versions have helped with SIP support some, but it's still not something I would recommend.

    I haven't really worked with other major firewall/VPN endpoint solutions in much detail. I've worked a little with a Pulse Secure box, and I'm not really impressed with the administrator configuration side of it, but I haven't done enough of the client side support with it to provide an opinion on overall usefulness of the Pulse Secure solution.

    So, of the ones I've worked with, Cisco ASA or Meraki are the least bad of the "major manufacturer" solutions that allow for a wide selection of potential partners who can support them in the future.



  • Huh, well... guess I should have just asked here first.

    This was the goal:

    • have IT Services handle workstation tech support (i.e. "my printer doesn't work")
    • work with internal point of contact that's not technical/dev
    • replace consumer-grade network hardware with commercial-grade if needed
    • eventually assist with managing our domain, improving our practices, etc.
    • develop IT policies, etc

    Basically going from a setup a bunch of devs hacked together over the years to something that we (devs) don't have to own, maintain, or worry about. I don't think hiring "a single ops engineer" is a good idea, I'd rather have access to a part-time (especially for tech support).

    @izzion @Polygeekery always open to advice, help -- feel free to email me directly. I really can't figure out how I went wrong here in finding a firm. I don't want to repeat the process, because at this point, I could have just done everything myself. Obviously that's not scalable.



  • @blakeyrat said in A WINS Server is Required:

    ... no it's not. Cisco stuff is garbage. Maybe if you're AT&T you're operating at the scale where you'd require Cisco expertise, but if you're anything smaller Cisco's crappy configuration is going to be more of a burden than a help.

    This was my original opinion, but they assured me Meraki was easy to set-up and is why Cisco bought them. Obviously I question everything from this firm now.

    Not sure why the age or rubbish-ness of the server is relevant to generating certificates...?

    Old, underpowered domain controllers don't like having IIS installed on them. And without the "IIS Certificate Wizard" how else could you possibly generate a certificate!


  • I survived the hour long Uno hand

    @apapadimoulis said in A WINS Server is Required:

    Meraki was easy to ~~set-up~~ configured via a web interface that doesn't require seven certifications to understand and is why Cisco bought them

    They were at least not completely wrong as far as that statement. I would guess they're just more used to greenfield deployments (or deployments where they're allowed to rip out so much that it might as well be greenfield), and just blame any problems with brownfield deploys on the customer's old/remaining equipment until they get to rip everything out and "do it right" (read as: their way).


  • Grade A Premium Asshole

    @izzion said in A WINS Server is Required:

    I've worked with SonicWALL in the past, and it's serviceable as long as you maintain the support subscription and actually install the software updates... as long as you aren't trying to maintain a SIP phone system with remote endpoints. For whatever reason, SonicWALL is just 100% non-functional when it's passing more than one or two SIP connections through the firewall. Current versions have helped with SIP support some, but it's still not something I would recommend.

    I positively hate Sonicwall. Their user interface and workflows are entirely unintuitive. One thing that drives me batshit crazy about Sonicwall is that if you want to forward a port you have to forward the port and open the port at multiple locations in the UI. If I forward it, I want to open it also. A forwarded port that is not open is useless.

    Their entire interface for port forwarding is messed up and a :wtf: all on its own. I have a half dozen of them on the shelf that we have pulled from client locations. They are all shit.


  • I survived the hour long Uno hand

    @polygeekery said in A WINS Server is Required:

    One thing that drives me batshit crazy about Sonicwall is that if you want to forward a port you have to forward the port and open the port at multiple locations in the UI. If I forward it, I want to open it also. A forwarded port that is not open is useless.

    Uh, unless they changed things in the past 2 years, their Wizard works really really well for (simple) port forwards. And once you've gotten the simple one done, you can just add extra ports to the service groups it created and then you send the bill.


  • Grade A Premium Asshole

    @izzion said in A WINS Server is Required:

    @polygeekery said in A WINS Server is Required:

    One thing that drives me batshit crazy about Sonicwall is that if you want to forward a port you have to forward the port and open the port at multiple locations in the UI. If I forward it, I want to open it also. A forwarded port that is not open is useless.

    Uh, unless they changed things in the past 2 years, their Wizard works really really well for (simple) port forwards. And once you've gotten the simple one done, you can just add extra ports to the service groups it created and then you send the bill.

    If I want to forward a port why is it more complicated than forwarding port X to IP address Y? Why would one need a wizard for such a simple operation? It is hardly magic.


  • I survived the hour long Uno hand

    @polygeekery
    Because (and this is one thing that SW does much better than Cisco ASAs) the SW wizard is going through and setting up the hairpin NAT rule so that you don't have to fuck around with split-brain DNS, or remembering to set up the hairpin NAT as well, or wondering why mywebsite.cooldomain.net doesn't work from inside the office firewall.

    Edit: Also, the SW (and ASA) is set up for situations where a company has several different Public IPs that can be forwarded to the inside, so the wizard is accommodating that IP A Port X could go to Address Y, but IP B Port X needs to go to Address Z.



  • @apapadimoulis said in A WINS Server is Required:

    This was my original opinion, but they assured me Meraki was easy to set-up and is why Cisco bought them.

    Well like I said, I'm out of date, but when I was doing networking stuff the thought that Cisco would make anything "easy to set-up" was simply laughable. They didn't have "easy" in their DNA.

    (That was, however, before they bought Linksys.)



  • @blakeyrat said in A WINS Server is Required:

    Well like I said, I'm out of date, but when I was doing networking stuff the thought that Cisco would make anything "easy to set-up" was simply laughable. They didn't have "easy" in their DNA.

    (That was, however, before they bought Linksys.)

    Fully agree, I remember following a tutorial for a "PIX Firewall" once, and it was absurd. But, anyway, it's a difficult position to be in... do you trust someone who claims to know more than you do about the topic, especially given your knowledge is so outdated?

    I'm starting to think no. They need to really make a strong and convincing case to me for why I need to change my mind. Not that I'm unwilling to change my mind, I just don't trust that they're competent.

    Puts good perspective on devs trying to sell their boss on "the right way".



  • @apapadimoulis No, you should not trust anything I say, the responses to my posts about Barracuda demonstrate that.

    Also do not trust my taste in movies or TV shows, unless you love watching Canadians wander around in front of blue screens. Which is amazing. Especially when Walter Koenig guest stars.


  • Grade A Premium Asshole

    @izzion said in A WINS Server is Required:

    Because (and this is one thing that SW does much better than Cisco ASAs) the SW wizard is going through and setting up the hairpin NAT rule so that you don't have to fuck around with split-brain DNS, or remembering to set up the hairpin NAT as well, or wondering why mywebsite.cooldomain.net doesn't work from inside the office firewall.

    Meh, not really a big concern for our clients. None of them are running enough public facing servers from their location to worry about it. Split brain DNS is not that difficult to manage at that scale.

    @izzion said in A WINS Server is Required:

    Edit: Also, the SW (and ASA) is set up for situations where a company has several different Public IPs that can be forwarded to the inside, so the wizard is accommodating that IP A Port X could go to Address Y, but IP B Port X needs to go to Address Z.

    Nethserver handles that without any more difficulty than managing a single public IP. You can set it up to have multiple virtualized interfaces and then choose which interface the forward applies to when you set it. Nothing difficult about it. No confusion. Easy to manage.

    I would rather manage iptables rules with vim than to manage a Sonicwall. To each their own though. Perhaps it all makes perfect sense to some people. I am not one of those people.


  • Fake News

    Apropos:



  • @apapadimoulis said in A WINS Server is Required:

    domain controllers ~~don't like having~~ should never have IIS installed

    If you're installing IIS and/or a CA on a DC then you're totally :doing_it_wrong:


  • Impossible Mission Players - A

    @no_1 said in A WINS Server is Required:

    @apapadimoulis said in A WINS Server is Required:

    domain controllers ~~don't like having~~ should never have IIS installed

    If you're installing IIS and/or a CA on a DC then you're totally :doing_it_wrong:

    Easier than paying another grand plus for licensing...



  • @cursorkeys said in A WINS Server is Required:

    WINS? That will go great with their planned upgrade of your network transport to IPX/SPX :trollface:

    Btw, if their "reason" provided is they need to enable NetBIOS over TCP/IP, I'd somehow be impressed because that's needed if there is no DNS server on the network and all peers are merely sharing folders without joining a domain. And I remember some routers' built-in firewalls have a default configuration that blocks it from routing past the VPN.



  • @no_1 said in A WINS Server is Required:

    @apapadimoulis said in A WINS Server is Required:

    domain controllers ~~don't like having~~ should never have IIS installed

    If you're installing IIS and/or a CA on a DC then you're totally :doing_it_wrong:

    SBS, and you get Exchange and SQL Server thrown in too!

    I liked SBS, it's a shame they killed it. Worked well enough at what it was supposed to do.

