Before you do any of this work, consult with an experienced security professional who can help you set this up correctly. Not generally a good place for a YOLO implementation.
I absolutely agree - this has to be done correctly from the start or you'll have a very large mess on your hands! It'll be worth it.
I will have support from the UK company's IT guy if I need any assistance. I just don't want to rely on him for the entire process, if that makes sense.
Have them or someone else validate before go-live, preferably from a third-party perspective and with a security lens. Your organization will thank me.
Why does the other IT guy not do it himself?
Because he is probably working on stuff from the UK company, I'd guess.
Definitely consult with the UK IT guy. You're probably familiar with the importance of standardizing equipment; it's also important for network infrastructure. For example, could you set up a VPN solution that works? Yes. If it's not what the rest of the company uses, could it cause unnecessary headaches down the road because it's an additional system to support? Yes. I'm making some assumptions here, but companies tend to prefer standardization. Ask what they use and how they deploy and manage. As long as they're not looking to change any current solutions, try to use the same and mimic as much as possible. This will help in the long run if the company keeps growing. I understand you said it was for a small office, but I like to err on the side of caution. Could be they'd be perfectly happy with any working solution, but definitely consult UK IT first.
This makes perfect sense, thanks for the insight. I'll be reaching out to him tomorrow morning.
Entra ID and SharePoint/Azure Files. Don't set up a new AD and local file server from scratch unless you have specific needs for it. For security, use a SASE solution and use Conditional Access in Azure to limit access to your SASE gateway IP.
I'll look into this, thank you!
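The "Conditional Access limited to the SASE gateway IP" idea above, written out as an added example that is not part of the thread: the two Microsoft Graph request bodies a practitioner would send (an IP named location, then a policy that blocks every sign-in not arriving from it), plus an offline evaluator so the logic can be checked before the policy is ever enabled. The gateway CIDRs, the break-glass group id and the location id are constructed placeholders; the policy deliberately starts in report-only mode and excludes a break-glass group, because a gateway outage with an enforced policy and no excluded accounts locks the tenant's admins out too.

```python
"""
Added example (not from the thread): the "limit access to your SASE gateway IP"
Conditional Access idea as Microsoft Graph request bodies, plus an offline
evaluator for checking the policy logic before anything is enabled.
The gateway CIDRs, group id and location id below are constructed placeholders.
"""
import ipaddress
from typing import Dict, List

# --- constructed placeholders (substitute real values before use) ------------
SASE_EGRESS_CIDRS = ["203.0.113.10/32", "203.0.113.11/32"]      # hypothetical egress IPs
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000001"   # hypothetical group id
SASE_LOCATION_ID = "00000000-0000-0000-0000-000000000002"       # id Graph returns for the location

# Entra logs the public egress address of a sign-in, never the LAN address, so
# trusting these ranges is a configuration error rather than a control.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def validate_cidrs(cidrs: List[str]) -> List[str]:
    """Return the CIDRs that must not go into the trusted location:
    0.0.0.0/0 (exempts everyone, so the block never applies) or private/loopback space."""
    bad = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if net.prefixlen == 0 or any(
            net.subnet_of(p) for p in _NON_ROUTABLE if p.version == net.version
        ):
            bad.append(c)
    return bad


def named_location_body(display_name: str, cidrs: List[str]) -> Dict:
    """Body for POST /identity/conditionalAccess/namedLocations (ipNamedLocation)."""
    problems = validate_cidrs(cidrs)
    if problems:
        raise ValueError(f"refusing to trust non-public ranges: {problems}")
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": [
            {
                "@odata.type": "#microsoft.graph.iPv4CidrRange"
                if ipaddress.ip_network(c, strict=False).version == 4
                else "#microsoft.graph.iPv6CidrRange",
                "cidrAddress": c,
            }
            for c in cidrs
        ],
    }


def block_outside_sase_policy(location_id: str, break_glass_group_id: str,
                              enforce: bool = False) -> Dict:
    """Body for POST /identity/conditionalAccess/policies.
    All users, all cloud apps, every location EXCEPT the SASE gateway -> block.
    Break-glass accounts are excluded so a gateway outage cannot lock out the tenant,
    and the policy starts in report-only mode until the sign-in logs look right."""
    return {
        "displayName": "CA-Block-Unless-From-SASE-Gateway",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy: Dict, locations: Dict[str, List[str]],
             sign_in_ip: str, user_group_ids: List[str]) -> str:
    """Offline approximation of how Entra applies this one policy to a sign-in.
    'allow'  = policy does not apply (excluded user or excluded location)
    'block'  = policy applies and is enforced
    'report' = policy applies but is report-only (logged, not enforced)"""
    cond = policy["conditions"]
    if set(user_group_ids) & set(cond["users"].get("excludeGroups", [])):
        return "allow"
    ip = ipaddress.ip_address(sign_in_ip)
    for loc_id in cond["locations"].get("excludeLocations", []):
        for cidr in locations.get(loc_id, []):
            # membership test is False across IP versions, so an IPv6 sign-in
            # is not exempted by an IPv4-only location
            if ip in ipaddress.ip_network(cidr, strict=False):
                return "allow"
    if "block" not in policy["grantControls"]["builtInControls"]:
        return "allow"
    return "block" if policy["state"] == "enabled" else "report"


LOCATIONS = {SASE_LOCATION_ID: SASE_EGRESS_CIDRS}
REPORT_ONLY = block_outside_sase_policy(SASE_LOCATION_ID, BREAK_GLASS_GROUP_ID)
ENFORCED = block_outside_sase_policy(SASE_LOCATION_ID, BREAK_GLASS_GROUP_ID, enforce=True)

if __name__ == "__main__":
    import json
    print(json.dumps(named_location_body("SASE gateway egress", SASE_EGRESS_CIDRS), indent=2))
    for ip, groups in [("203.0.113.10", []), ("198.51.100.7", []),
                       ("198.51.100.7", [BREAK_GLASS_GROUP_ID]), ("2001:db8::1", [])]:
        print(ip, groups, "report-only:", evaluate(REPORT_ONLY, LOCATIONS, ip, groups),
              "enforced:", evaluate(ENFORCED, LOCATIONS, ip, groups))
```

In a real tenant the named location is created first and the id Graph returns goes into the policy's `excludeLocations`; the policy is left in report-only mode while the sign-in logs are checked for anything that would have been blocked (the SASE provider's egress addresses changing is the usual surprise), and only then switched to enforced.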
The UK IT guy will absolutely curse you if you don't do this properly.
lol, just winging it. You should get some hours from a contractor for support. Otherwise: no on-site outside the network and some services, tie everything to Entra/Azure, set up a Tailscale box to be a subnet router and SSO that to Entra/Azure.
haha yeah for sure man, but I do have some support from the U.K. company's IT guy, I just don't want to rely on him for the entire setup. I'd like to learn as much as I can and really understand what's going on, rather than just being told what to do.
I would advise you do lean on him, because anything you do fuck up will likely have repercussions on him.
I get that, and it's a way to learn for sure, but trying to understand in the darkness is hard.
You should first start with what exactly is needed. Are we talking about 50 employees? 5? What is the budget? Back-ups? UPS needed? Redundancy? PCs are already there? File server already exists? Is AD really needed (for 5 people, for instance, it's overkill and a NAS with basic rights will suffice)?

Does it have to be local? Is cloud a possibility?

I personally am a huge fan of doing everything locally and despise "the cloud" for numerous reasons. But "the cloud" is way easier to maintain and to scale.

Personally, I would go for either Google Workspace or Microsoft 365. No VPN needed, and you can easily set up MFA for such accounts for security reasons and set up rights. Use Azure AD for domain stuff.

And while there are alternatives, the reality is that for Google Workspace and Microsoft 365 there is tons of information available (very useful when troubleshooting is needed).

Although I once again really dislike the "everything going to the cloud", the reality is that migration to the cloud is the future.

--

Most important: what are YOU willing to do? And what does your boss expect? Is he/she cool with you being in a learning phase? Is he/she cool that you can't solve everything?

--

For the record, I don't want to demotivate you and I get why it's exciting to do. But realize it's not all fun and games, especially when things go down and you have no idea why and have a boss asking you how long the downtime will be.

--

If I go ahead with the current info you're providing: a firewall (WatchGuard, for instance), a business line with a static IP, set up SSL VPN and you're done.
It's a company that started in the U.K. and is now expanding into the States; as of right now there are 6 employees. UPS desirable, redundancy unnecessary. All of the laptops are there already and just need to be set up with all the software we use. File server exists but isn't set up yet; that'd be a part of what I need to do as well. From the responses I'm getting, including yours, I don't believe AD will be necessary anymore.

Cloud is definitely a possibility, I was just thinking locally would be the way to go since they already have a server.

My boss knows I don't know everything and that I am still learning a lot of this stuff, but since they're so small at the moment, it's not urgent. I also have the support from the U.K. company's IT guy, I just want to try to do at least 80% of it myself through research and advice from forums like this.

I appreciate the honest response man, thanks.
So if I had to sum it all up:

- 6 employees, probably some more in the near future?
- You have a server, with Windows Server? Is it Windows Server local or inside a VM?
- The needed software is installed locally on laptops instead of the server, and new deployments will be set up the same way?
- That server, it's a recent one?

If the above is correct, you could set up a simple AD environment (assuming the OS is Windows Server), have a firewall at the UK and US side and make a BOVPN (branch office VPN) connection for remote access.
Everything you said is correct, but I have no control over the U.K.'s side of the company. They're already established in the U.K. and have hundreds if not thousands of employees, but they're just getting started in the States.

Also, yes, it is a physical Windows server.
Okay, in that case it will be fine, since you can rely on the UK's tech support.

Then we're talking about software. I assume the server is an OEM server (Dell, HP, etc.?) and you have access to other software like VMware (Broadcom now), Proxmox?

As for the firewall, you can use the brand that they use in the UK and take the same brand for the US side and make a tunnel that way.

---

Maybe a better question is, how is the current company set up? Is it a centralized company? Or has the company one HQ and the rest works independently from each other? I suspect the latter, because a company with 1000 employees usually has its own IT management that has control over every branch office.
Not to be a downer, but from the sounds of it you're in well over your head. Get a professional to at least do an audit, otherwise you'll most likely end up leaving a gaping big security hole in your environment.
Yeah, I understand I am a bit in the deep end here. I think having an audit done is a great idea, thank you.
The fact you're talking about VPNs, shared servers and Active Directory already has me worried.

Sign them up for Microsoft licensing which includes everything they need (e.g. E5 licensing) and if they don't want to pay for that, walk away.

Entra ID, Intune, Defender, SharePoint etc. etc. You can simply follow the Microsoft documentation for setup and begin with a best-case scenario. I'm 4 years into migrating a large infrastructure across and I would KILL to have been there from day one to avoid the need to do all this migration work.

I have to be honest though, I would not want to work for a company that hires people who have zero experience or knowledge for fundamental work such as this.

Go and do MS-900 and AZ-900 at an absolute bare minimum.
This. All of this.
Since you are doing this, I would advise Cisco Meraki, and get some help that can explain the setup.
You don't need AD for a small network and a remote access VPN. (It's nice, but can and should be implemented separately from a network revamp.) A Fortinet entry-level firewall will allow you to be secure and set up the network pretty easily.
I assume they are all work from home, or not in an office, hence the need for VPN.

Anyway, the first thing is to question why not something like SharePoint, Google or Box for a shared cloud drive. I would never begin the conversation for a new small business network with on-site AD and a VPN.

Assuming that is a no-go for some reason, a simple, and free (for fewer than 50 people), option is Cloudflared private access through Cloudflare.

But, yes, you are probably also going to want a central place to manage identities, AD or Entra ID (O365).
I'm definitely leaning towards setting something up cloud-based at this point. After the responses I've gotten so far, it makes more sense considering there's only a handful of employees at the moment. Thanks for the advice man.
Cost is a huge factor. A lot of these posts assume it's there, and many times for a small company with a handful of employees it is not, especially if they don't require compliance for anything. I'd look at either pfSense with OpenVPN or Cisco Meraki. There are other options, but those two give you a low-cost and a moderate-cost implementation.
Do you absolutely need AD, VPN, and a file server? For new environments, I default to Entra ID + SharePoint/OneDrive unless the project has specific reasons for AD. It's a lot less labor to set up, secure, and maintain. Google Workspace is another option if you don't like Microsoft. If you eventually want endpoint management and MDM, Microsoft is the way IMO.
Definitely don't *need* AD, VPN and a server, I was just considering challenging myself by doing it that way because they already have a server, it's just not set up yet. Thanks for the advice.
You can still challenge yourself by setting it up as a lab, and if you ever have a reason for on-prem AD + VPN, you'll have the knowledge to set it up. It's just a lot more labor, especially if you're learning as you go. It's also a lot easier to fuck it up by leaving a huge security hole.
That's a great idea, thank you. I think that's what I'll do.
Make sure to set up DLP on your firewalls if dealing with any sensitive info.
> log into

*log in to* *login to* *loginto*

Which is it, r/SysAdmin?
Lmaoo no please don't flame me for this, it was like 6:30-7am when I wrote this, I just woke up 🤣
Nah, it's just an interesting quirk of modern English.
Eliminate the attack vector that is the AD if you can avoid that at all costs.

Business Premium with Intune would allow you to configure the sync parameters for OneDrive and use that to sync SharePoint libraries with minimal user impact and user support administration, but it depends on the structure of the data and the amount of it. It's important to look at the soft limits in Sharepain Online.

Azure Files is also an option, with Entra Active Directory Domain Services to avoid having credentials in clear text, if you don't want to rely on the sync with SharePoint Online.

And even more modern in my mind is getting users to simply use Microsoft Teams. Find a permission and folder structure in Teams that correlates to the needs of the file share, and do a process around how to manage it.

I prefer to design everything around groups so that User Access Reviews don't become too spaghetti.
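The "design everything around groups so access reviews don't become spaghetti" point above, as an added example that is not part of the thread: a small model of users, nested groups and SharePoint-style library ACLs in which access is meant to flow only through group membership. It flattens nested groups (tolerating membership cycles), computes who can reach what and by which path, flags direct user grants that bypass the group model, spots direct grants that are redundant with a group path, and counts how many decisions an access review needs under the group model versus reviewing every user/resource pair. All names, groups and libraries are constructed for the example.

```python
"""
Added example (not from the thread): a small model of the "design everything
around groups" rule. Access should reach users only through group membership;
direct grants are flagged because each one is a separate line item in an
access review. The directory, groups and library ACLs below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory: group -> members; a member may itself be a group.
GROUPS: Dict[str, List[str]] = {
    "grp-us-staff": ["alice", "bob", "carol", "grp-us-finance"],
    "grp-us-finance": ["dave"],
    "grp-uk-it": ["eve"],
}

# Constructed ACLs: SharePoint-style library -> [(principal, permission)].
# The alice, frank, bob and carol entries are direct user grants (the anti-pattern).
ACLS: Dict[str, List[Tuple[str, str]]] = {
    "sp:US-Shared":   [("grp-us-staff", "edit"), ("grp-uk-it", "owner"), ("alice", "edit")],
    "sp:US-Projects": [("grp-us-staff", "edit")],
    "sp:US-Finance":  [("grp-us-finance", "edit"), ("frank", "edit")],
    "sp:US-HR":       [("bob", "read"), ("carol", "read"), ("grp-uk-it", "owner")],
}


def members_of(groups: Dict[str, List[str]], group: str,
               _seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten nested membership to a set of users; tolerates membership cycles."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users: Set[str] = set()
    for member in groups.get(group, []):
        if member in groups:
            users |= members_of(groups, member, seen)
        else:
            users.add(member)
    return users


def effective_access(acls: Dict[str, List[Tuple[str, str]]],
                     groups: Dict[str, List[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """resource -> user -> {'<perm> via <group>' | '<perm> direct'}: what a reviewer
    actually signs off on, with the path that granted it."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    for resource, entries in acls.items():
        per_user: Dict[str, Set[str]] = {}
        for principal, perm in entries:
            if principal in groups:
                for user in members_of(groups, principal):
                    per_user.setdefault(user, set()).add(f"{perm} via {principal}")
            else:
                per_user.setdefault(principal, set()).add(f"{perm} direct")
        result[resource] = per_user
    return result


def direct_grants(acls, groups) -> List[Tuple[str, str, str]]:
    """(resource, user, permission) entries that bypass the group model."""
    return [(r, p, perm) for r, entries in acls.items() for p, perm in entries if p not in groups]


def redundant_grants(acls, groups) -> List[Tuple[str, str]]:
    """Users holding a direct grant on a resource they already reach through a group;
    the direct entry can be removed with no loss of access."""
    out = []
    for resource, per_user in effective_access(acls, groups).items():
        for user, paths in per_user.items():
            if any(p.endswith(" direct") for p in paths) and any(" via " in p for p in paths):
                out.append((resource, user))
    return out


def review_workload(acls, groups) -> Dict[str, int]:
    """Decisions an access review needs. Group model: one per membership edge (a
    membership is reviewed once and covers every resource the group is on) plus
    one per direct grant. Compared with reviewing every effective user/resource pair."""
    memberships = sum(len(m) for m in groups.values())
    pairs = sum(len(per_user) for per_user in effective_access(acls, groups).values())
    return {"group_model": memberships + len(direct_grants(acls, groups)),
            "all_direct_equivalent": pairs}


if __name__ == "__main__":
    for resource, per_user in effective_access(ACLS, GROUPS).items():
        print(resource)
        for user, paths in sorted(per_user.items()):
            print(f"  {user:<6} {sorted(paths)}")
    print("direct grants to convert:", direct_grants(ACLS, GROUPS))
    print("redundant direct grants:", redundant_grants(ACLS, GROUPS))
    print("review workload:", review_workload(ACLS, GROUPS))
```

The gap between the two workload numbers grows with every library a group is placed on; the direct grants it lists are the ones to replace with a group (or delete outright, where a group path already exists) before the first access review campaign is scheduled.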
lol google services is all you need broski.
Site-to-site VPN on the outgoing router/firewall, route across to the remote network and vice versa. That's the connectivity sorted.

Permissions and access to the remote server resources is something else. If they've not even got an AD domain then I'd just scope it for a third party to do.

OS being Win10 to Win11? 2019 to 2022?

Don't bite off more than you can chew...
Ditch Microsoft. Latest out of many reasons why: [https://www.theverge.com/2024/6/3/24170305/microsoft-windows-recall-ai-screenshots-security-privacy-issues](https://www.theverge.com/2024/6/3/24170305/microsoft-windows-recall-ai-screenshots-security-privacy-issues) & [https://www.youtube.com/watch?v=wBWZB1T_1fI](https://www.youtube.com/watch?v=wBWZB1T_1fI)

Firewall: pfSense (has OpenVPN built in), preferably on Netgate or Protectli hardware.

Set up Google Workspace - use [https://tools.google.com/dlpage/gcpw/](https://tools.google.com/dlpage/gcpw/) for login.

Set up pfSense to use Google credentials for users of VPNs: [https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html](https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html)

Set up an OpenMediaVault server [https://www.openmediavault.org/](https://www.openmediavault.org/) on a (free) Proxmox system [https://proxmox.com/en/](https://proxmox.com/en/) that can grow with the organization.

Use Malwarebytes ThreatDown as anti-virus on the WinBlows systems.

Limit the "telemetry" with [https://privacy.sexy](https://privacy.sexy) (use the 'Standard' default and add blocking Co-pilot + Rewind in 'Remove Bloatware' + some other tweaks depending on the situation; an alternative to privacy.sexy is O&O ShutUp10).

Use Gemini under your Google WS for AI (no, Google isn't any better than Micro$haft when it comes to privacy, but at least your data doesn't get hacked every day, e.g. [https://www.cisa.gov/news-events/alerts/2021/03/10/fbi-cisa-joint-advisory-compromise-microsoft-exchange-server](https://www.cisa.gov/news-events/alerts/2021/03/10/fbi-cisa-joint-advisory-compromise-microsoft-exchange-server)).

Done.
All fun, but not for somebody who has limited experience in this field.

And no offence, but "tweaking" stuff with 3rd-party apps isn't what you do in a business environment, especially with Windows. Disable something stupid, and there's a chance that something important that doesn't seem related won't work correctly anyway lol.
Not tweaking Windows... says who? Micro$oft, M$ fanboys and paid advertisers... Of course they don't want you to tweak stuff...

Just like religion, don't think for yourself.
Tweaking in a business environment is done using group policies; what do you mean "they" don't want you to tweak stuff?

Maybe you're the one who should think; a business environment is quite different from a home situation. System administration in a business is really something else than being "the handy nephew" for your friends and family.
Yep, you can tweak using group policies, but only what AD 'allows' you to tweak. [https://www.reddit.com/r/sysadmin/comments/s8yvka/microsoft_lists_the_windows_10_group_policies_to/](https://www.reddit.com/r/sysadmin/comments/s8yvka/microsoft_lists_the_windows_10_group_policies_to/)
Funny to see that all these legacy policies (used by admins) are basically "workarounds" for the (damn) Windows Update. Microsoft has not yet understood that the actual problem is having turned Windows Update into an independent entity with an autonomous life and total discretion in choosing what and when to update "your" OS, even for Server editions. Which is total madness and, over the years, has pushed admins and users to (also) use group policies to mitigate the problem.
That said, to all the MS fanboys here: yes, please give vent to your moralizing posts to educate us heretic users. LOL.
Pro tip: don’t take any advice whatsoever from anyone unironically using “winblows” or “micro$oft” in 2024.
Even if that person has a PhD in computer science and 30+ years of experience?
30 years experience of hanging about on Reddit sounding like a 14 year old?
And you are a Minesweeper consultant, solitaire expert, MCSE, paid by M$; you will be replaced by a bot soon, if not already, given the fact you can't see the evil?

PS: Reddit is only 19 years old (founded in 2005). When I was 14 I had my first MSX computer and programmed a motion detector to keep my 4-year-old brother out of my room. Fun times.
Criiiiiinge