Cryptolocker Prevention Script Available
Posted by Third Tier on 28 January 2015 01:30 PM

Reader Mitchell Milligan has created a script to automate the deployment of the Cryptolocker Prevention group policies. Do note that Mitchell’s script puts the policies at the root of the domain rather than at the OU level, which means they will be applied to ALL machines in the domain. Often this will be fine, but if not you might want to deploy the policies individually to the OUs you want.

Mitchell says:

I built a PowerShell script to create/import/link to domain root for these policies. This automates the process of having to manually create and import these policies. We have decided to just place these restrictions on the entire domain, rather than a specific OU, so this script serves that purpose.

Mitchell requests: The terms I request with the script are that anyone who uses it may do so for free; however, they may not modify the contents of the package and then sell it to others. Some info about the script: the script requires PowerShell v3 in its current state and contains a Readme file with specifics on what the script does.

Click here to download the script.

Be sure to read everything that we’ve published about these Crypto viruses. Read all about it: they are very common and devastating. Test this script and our policies yourself in a test environment before you deploy to your clients. Be safe!


Not a Third Tier customer yet? Let me introduce:  We’re Third Tier. We provide advanced Third Tier support for IT Professionals and MicroStaffing for IT consulting firms. Come on over, create an account (no charge) and follow our social media locations.


Microsoft Raises Support Costs in a Big Way
Posted by Third Tier on 03 December 2014 01:46 PM

Beginning December 1st, 2014, Microsoft raised its support cost for partners from $249 to $499, pretty much double. They also offer a pack of 5 calls for $1999.

At Third Tier we’ve never thought of ourselves as competing with Microsoft because we see ourselves as providing a much more personal level of support – IT Pro to IT Pro. We want YOU to be great and to be a better IT firm than your competition. Microsoft wants to get you off the phone.

Let’s be clear about one thing though: we aren’t emergency support. If you have a down server right now you might get a faster response from Microsoft and should probably call them. But if you can schedule the issue you’d like to have worked on, then you might want to open a ticket with us instead. If you open the ticket during business hours then someone will pick up your ticket within about 2 hours. Our one-off Helpdesk tickets are $175 per hour worked. Our average ticket time is less than 1 hour billed.

My own small business MSP uses Third Tier. We use Third Tier because they work the way we do. We open a ticket with an issue. Someone gets back with us and then we schedule a time that works for both of us to tackle the problem or project. My staff likes it because they aren’t left wondering when “the call” is going to come in nor do they have to plan to be on the phone for the next 8 hours after that call comes in. They are in control of when the issue is going to be worked on and how much Third Tier is going to do and how much they are going to do. Third Tier fits in with our normal work flow.

So you see I’m a customer as well as the owner of Third Tier. This helps me keep Third Tier focused on being great at supporting small IT firms. Besides Helpdesk we do other things too, like MicroStaffing, Tech Your Books, Project Management, and Small Business Solutions.

Learn about us:

Learn about our Service offerings:

Open a ticket:



As Your Career Turns 1
Posted by Third Tier on 03 December 2014 12:53 PM

There are those moments in your career where you either make the right move or you don’t. Back in 2000, you needed to move from Novell into Microsoft and you needed to know DNS and AD. If you did those things then you found yourself in the right place at the right time and your career went into high gear while the old guard largely faded away.

Between then and now IT Professionals have enjoyed a time of stability where you could build off those early skills. It’s been relatively easy to keep up. But now, RIGHT NOW, we are reaching another career watershed moment. This time it’s about knowing Azure.

Microsoft is turning networking on its head. Foundational concepts like Server and Domain Controller are fading into the past. Things that you understood as interwoven and inseparable are being componentized. DNS will come to rule the land, so you’ve got that, but it becomes even more critical to truly understand it, as even your disks now have FQDN names in Azure.

If you don’t get started on your Azure skills now, then real soon it’s going to be too late for you to catch up. This train is picking up speed. Last year I wrote an article for the SMBKitchen Project on why you should care about Azure. It’s so out of date already! But it is still relevant, so I’ve copied it for you below. I hope to see you in Azure.

Now that a year has passed, Third Tier is beginning to release the original SMBKitchen documents. Our members got this information a year ago but now is your chance to catch up. If you’d like this information along with webinars and chats as it’s created, be sure to sign up for our SMBKitchen ASP. You can purchase yours at



Azure: Who cares?


Azure is the basis of Microsoft’s cloud. Taking a look at the direction that Azure is taking is a glimpse into the future of networking. If you want to be part of the future of IT, then you’d better learn about Azure.

What is Azure?

Recently we did a survey of the SMBKitchen membership to refine the content for the second half of the project and we asked a question about Azure. There was little interest in Azure. Because of that this may be the only article on Azure published in the project, unless the sentiment changes.


On the What is Azure page at you’ll find the above graphic. It’s very clever. The definition of what Azure is changes as you move from tile to tile. The wording is still pretty application development and provisioning centric but look at the categories and drill down into them and you’ll find a solution for building an entire IT infrastructure in the cloud for any size business. Azure has morphed away from competing with Amazon Web Services and now plays on Microsoft’s strength of providing IT infrastructure. Microsoft has put the writing on the wall, in the near future the networks that you manage will reside within Azure.

What does Azure offer the IT Pro?

Let’s be blunt. As IT Pros we are the dinosaurs that the Cloud is attempting to make extinct. It is the rise of the Developer and the fall of the IT Pro. I don’t think for a minute that IT will become extinct, but I do believe that it will change significantly and there will be a significant change in the IT Pro community as a result. In fact, Microsoft and others are counting on it. They believe that the current crop of IT Pros is part of the problem, not part of the solution anymore. The problem they are trying to solve is to eliminate piracy and support costs while increasing user adoption of their product line. To solve this problem they are pulling everything “in-house” where they can retain more control over sales and, they hope, reduce support costs by controlling the hardware end of things too. In order to not be in the “die off” we need to adapt, and in this case it will mean learning Azure because this is how Microsoft intends to deliver products in the future.

The picture on the right is the Azure menu. As you can see, Azure isn’t just a place for developers to host their web applications. That was just phase one. Now Azure can be your entire infrastructure or part of it. It can host your website, your Active Directory, your SQL server, your file server, your DNS server, your RDS server, etc. You can set up a site-to-site VPN between your on-premises network infrastructure and your Azure infrastructure and have a single sign-on experience between them. Or you can have the entire infrastructure exist in the cloud and have the end users open an RDP session to access it. Let’s think about this for a moment. We work remotely. We remote into our clients’ servers to perform our tasks. Does it really matter to us whether it’s in an Azure datacenter, a local datacenter or sitting in an office somewhere? No, our work remains the same.

What does Azure offer SMB Businesses?

Honestly it’s hard to say exactly because we aren’t in the future yet. Applications are moving into the Cloud and are available for subscription. Office 365 is a good example. It provides Office, Exchange, SharePoint, Lync and SkyDrive Pro. For many SMBs this is all they have on-premises now. So they go to the Cloud eventually unless they have a legal restriction not to. Microsoft will do everything in their power to make it financially advantageous to do so. This gives them the benefit of eliminating servers in their office and the flexibility to work from anywhere, anytime, on any device. If you add in Intune (another Azure application) to manage their BYOD devices then you have a nice simple network. If there are other applications needed, those vendors might make them available in Azure or they might offer them as web applications hosted elsewhere. If storage is required outside of SharePoint, well, Azure offers that too. The benefits to small business then are one stop shopping, flexible predictable spending, and they don’t have to make any big purchases or figure out where to put the servers. The benefits will only go up from where they are today.

Let’s imagine the future for businesses for a moment. I can imagine as applications become cloud hosted and my clients become used to the idea that when they invest in a new application that it generates a new monthly fee and they access it through the browser or an RDP client. This will eventually become the norm. Now suppose that they find an application that isn’t available in the Cloud. They will need a server. Often when you add a new application to a server it results in the addition of a server or the need for a new server. At this moment your client is probably going to hesitate because purchasing hardware has become out of the norm. When we get to this point in time, Azure is yet again probably where you will turn to add another hosted server for this new application and keep your client from having to buy hardware.

Many of you are already asking for ways to have better control over smaller clients that really don’t want a server locally. Imagine if you could stand up a domain controller in Azure, connect it securely back to local clients. Imagine if you could even provide a remote web access ability, even remote desktops all hosted in Azure. I’m sure that you’re thinking yes but this is going to be a long time away or my clients aren’t going to go to the Cloud. To that I would suggest that it’s going to happen faster than we think and even if your existing clients aren’t going to the Cloud your potential new clients are. As IT Pros we should be ready to deploy this new infrastructure.


In the picture above you are seeing a virtual machine running Server 2012 R2 with the Essentials Experience role and RWA on a server that is hosted in Azure. After the virtual machine is installed, you merely RDP into the Azure hosted server to complete the configuration. The future is rapidly approaching.

What should you be doing today?

You’ve got time before your clients all go to the Cloud. But the Cloud is like a snowball gathering snow as it rolls downhill. As it gathers more snow it gets heavier which makes it roll faster down the hill. Meanwhile as the snowball gets bigger it becomes more difficult for you, the IT Pro, to get your arms around. You need to start your training now. Learn it as Microsoft is releasing it and be on the forefront of this new way to deliver technology to your clients.

· Open an Azure 90 day Trial. It’s free and Microsoft doesn’t start charging you automatically when it expires.

· Use your trial to build a lab in the cloud.

· Go through the Azure online training program at It’s free too. You just need to be sure to set aside enough time to get through it in 90 days. Commit to it.

· Think about moving your business into Azure. You need to know what it’s like and gain experience managing it. There’s no better way. Think about your market advantage 2 or 5 years from now when you can say to a potential client, “I’ve had my business in Azure for X years now. ”

· Run a server instance up there for a month. See what the expected price tag will be to run a server in Azure so you get a feel for costs and uses. Remember that these costs may change. At this point web services have been trending dramatically down in price as services mature.

· Look for more cloud Azure offerings to be included in the Microsoft Action Pack in the November time frame and take advantage of those.

I firmly believe that learning Azure will give you a market advantage somewhere down the line and when you start early you have the opportunity to know the offering in more depth than those that start later.


Configuring Access Enforcer
Posted by Third Tier on 19 November 2014 07:21 PM

Now that a year has passed, Third Tier is beginning to release the original SMBKitchen documents. Our members got this information a year ago but now is your chance to catch up. Amy Babinchak wrote this article on configuring an Access Enforcer UTM after you’ve run through the setup wizard. You might want to read it even if you use another UTM device because the concepts will be very similar. If you’d like this information along with webinars and chats as it’s created, be sure to sign up for our SMBKitchen ASP. You can purchase yours at



By Amy Babinchak

Abstract

Running through the basic setup of a UTM firewall like the Calyptix Access Enforcer is not enough to enable proper security. This article picks up where the setup wizard leaves off. It provides a suggested configuration; however, individual situations may vary and different settings may need to be applied to different clients. The presentation here works well for most clients that have anti-spam services hosted offsite and have one or more servers, wireless and devices to protect. The Access Enforcer contains many settings that you may wish to add following

First Things First

The Calyptix Access Enforcer (AE) is classified as a Unified Threat Management (UTM) device. It is built by Calyptix ( and is based on OpenBSD. OpenBSD is generally considered to be one of the most secure operating systems. It has an active community supporting it and tightly controlled development of the kernel and core. Lawrence Teo is the principal developer of the AE and is very active and well respected in the OpenBSD community. In addition to OpenBSD, Calyptix makes use of other open source products to create the AE. However, while doing so they still accept full responsibility for supporting the product as a whole and the elements within it. When I was shopping for a new firewall the ability to support all of the open source components was a critical part of the discussion. Calyptix has an interesting security blog that can be found at Contributors are members of the development staff at Calyptix. The other piece that was very important to me was dedication to the SMB market space. Calyptix and I both consider this to be the only market that we are interested in. I didn’t want to work with a company that would treat my clients as second best after their enterprise clients or that didn’t treat small IT firms like mine with respect. Calyptix has exceeded my expectations on all fronts. The quality of the product, dedication to the market space and interaction with partners have been superb.

Setting the Stage

The AE is housed in a metal casing and comes in several sizes. Each unit contains the same features; the difference between units is form factor, number of network ports and throughput capacity. As you move up in models the processing power increases. It has a unique multiple-network feature. As you can see in Figure 1, there is a WAN port and a number of other Ethernet ports. The Ethernet ports represent different networks. The AE does not contain a switch as many consumer class firewalls do. Instead each Ethernet port is a discrete network that can be used for an additional WAN, guest wireless, LAN wireless, or any other network purpose. The USB ports are used for backup and recovery.


Figure 1: The Ethernet ports on an AE represent different networks

Once you have unpacked the Calyptix you should first notice that you’ve been given a unique password for each unit. Calyptix does not ship units with a standard password. You can change the password later; however, you should document the original passwords in case you need to perform a restore. Once powered on you’ll walk through the setup wizard, which takes you through the simple one LAN, one WAN configuration. (TIP: Be sure to use the same DNS forwarders in your AE that you have configured in your internal DNS server. For example, if you are using Google DNS then use it all the way through.) Complete this task and you have a working unit. At this point most people look for the Port Forwarding configuration and poke some holes to publish server features such as email. This is where most people stop the configuration. For this paper, it is the point at which we are going to begin our configuration.

Before we begin our configuration you’ll want to take notice of two portals that Calyptix offers. is what they call the single pane of glass portal. This portal provides a central location where you will find all of the units that you have purchased for your clients, alerts and the option to remotely access them. Calyptix offers advanced alerting and other services for additional fees. The second is This is the portal where online documentation is kept. This includes both support and marketing materials. This portal is also where you’ll be taken if you press the Help button inside the AE menu. Throughout this paper reference will be made to support documents in this portal. Calyptix provides very nice configuration documents.

Best Practice Analyzer

Calyptix has followed Microsoft’s lead and built in a Best Practice Analyzer (BPA). IT pros should already be familiar with how these work. Launch the BPA and it will run through a series of checks to verify that you’ve performed the basic setup. When you have all Green checks (see Figure 2) you are ready to proceed to customizing the Access Enforcer to meet your client’s security needs.


Figure 2: The Best Practice Analyzer runs through a series of basic configuration checks.

Configuring Active Directory Integration

Active Directory (AD) integration is a feature that plays a role in several other features, so it is nice to have it set up early in the configuration process. Below is a list of features that make use of the AD integration function.

• Reporting. With AD integration, reports show you and the business owner user names rather than IP addresses. This makes it easier to identify people’s website viewing habits.

• Live Connections. Connections will be identified by username as well as IP address. When troubleshooting traffic problems it makes identification quicker.

• Spam. Although we aren’t going to be configuring the spam features in this paper, the AD integration provides the AE with the list of email addresses in use.

• Time Periods and Web Policies. These features allow you to control when an individual is allowed access to the Internet and to which locations no matter which PC they might log into. These rules could also be applied to AD security group or PC Local Groups.

Setting up AD integration requires creating a user account that the AE will use for LDAP queries and reporting. This user needs no special privileges. Create the user account and place it in the Managed Services container of your Active Directory. Set the password to never expire. Then begin your AD configuration following this document found in the Calyptix portal:

Gotchas: The server and PCs must have their Windows Firewall ON and be in the correct firewall domain for the exception rules to work. You also must be able to push Group Policies to the workstations.

Securing Port Forwarding

Like any NAT device, the AE does port forwarding. However it takes it a further step by providing port security and redirection options.

While setting up your port forwarding rules (these are the services that you want to publish to the outside world) you will want to secure some of them at this level. In particular we always secure any RDP access. Notice the highlighted Lock in Figure 3. This lock indicates that the rule is restricted for access to only the IP addresses listed within it.


Figure 3: You can secure port forwarding rules by only allowing access from a list of known IP addresses

Calyptix reference documents: and

Notice that you can also easily modify ports. So, for example, if you wanted to publish two different RDP services then you could specify a different Public IP:Port for each.

Configuring Outbound Filtering

Most people tend to think of firewalls as preventing bad traffic from getting in, but it is just as important that the bad guys have trouble getting traffic out. Knowing where your data is going is just as important. Calyptix and the SANS Security Institute recommend that you block the range of ports shown in Figure 4 at a minimum. Setting things up this way will give you a Default Allow policy but will block commonly used data ports from gaining access to the Internet. Use this article to set them up:


Figure 4: Calyptix and SANS Security suggest blocking these ports as the minimum configuration level.

You have another option, which is to enable a default deny policy on outbound traffic and then create rules to allow only the outbound traffic that the business requires. This is a more secure stance but also requires a close eye on traffic for a while to make sure that you’ve enabled the required ports. Your basic outbound filter would then have these ports open: DNS – UDP port 53, HTTP – TCP port 80, HTTPS – TCP port 443, SMTP – TCP port 25, NTP – UDP port 123, plus any additional ones that the business needs.

Using either outbound filtering method you can also choose to create more fine grained rules. For example you may want everyone to have Internet access except for the computers that are attached to CNC or other manufacturing equipment. To create this type of rule you will need to specify the IP address of the computer so be sure to set a DHCP reservation on that PC before you configure this rule. Calyptix provides instructions for creating the rules in the document referenced above.
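To make the locked port forwards from the Securing Port Forwarding section and the default-deny outbound filter above concrete, here is an added example (my own rule evaluator, not Calyptix code or anything taken from the AE interface) that decides a source-restricted RDP forward with a public-port redirect and a default-deny outbound policy with the CNC-workstation exception; the admin range 198.51.100.0/24, the internal hosts and the CNC address are constructed sample values.

```python
"""Rule evaluator modelling two Access Enforcer settings from the article:
locked (source-restricted) port forwards and a default-deny outbound filter
with a per-host exception.  Constructed example, not Calyptix code; all
addresses and ports below are sample values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Flow:
    """One connection attempt as seen at the firewall."""
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dport: int   # destination port


@dataclass
class PortForward:
    """Inbound rule: public port -> internal host:port.  A non-empty
    allowed_sources list is the 'lock' from Figure 3: only those networks
    may reach the forwarded service; everyone else is dropped."""
    proto: str
    public_port: int
    internal_host: str
    internal_port: int
    allowed_sources: List[str] = field(default_factory=list)

    def decide(self, flow: Flow) -> Optional[Tuple[str, str]]:
        if flow.proto != self.proto or flow.dport != self.public_port:
            return None  # rule does not apply to this flow
        if self.allowed_sources and not any(
                ip_address(flow.src) in ip_network(n) for n in self.allowed_sources):
            return ("drop", "source not in lock list")
        return ("forward", f"{self.internal_host}:{self.internal_port}")


def inbound_decision(rules: List[PortForward], flow: Flow) -> Tuple[str, str]:
    """First forward whose protocol and public port match decides; with no
    forward the NAT device has nowhere to send the packet and drops it."""
    for rule in rules:
        decision = rule.decide(flow)
        if decision is not None:
            return decision
    return ("drop", "no port forward matches")


@dataclass
class OutboundRule:
    """Outbound filter rule; None in a field means 'any'."""
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None    # source network, e.g. "192.168.1.50/32"

    def matches(self, flow: Flow) -> bool:
        return ((self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport)
                and (self.src is None or ip_address(flow.src) in ip_network(self.src)))


def outbound_decision(rules: List[OutboundRule], flow: Flow,
                      default: str = "deny") -> str:
    """First matching rule wins; otherwise the policy default applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed: the consultant's public range used to lock the RDP forwards.
KNOWN_ADMIN_NETS = ["198.51.100.0/24"]
PORT_FORWARDS = [
    # RDP to two hosts on different public ports, both locked to known sources.
    PortForward("tcp", 3389, "192.168.1.10", 3389, KNOWN_ADMIN_NETS),
    PortForward("tcp", 3390, "192.168.1.11", 3389, KNOWN_ADMIN_NETS),
    # SMTP left open here; it could equally be locked to the offsite
    # anti-spam provider's delivery ranges.
    PortForward("tcp", 25, "192.168.1.10", 25),
]

# Default-deny outbound filter with the services the article lists.
BASELINE_ALLOW = [
    OutboundRule("allow", "udp", 53),   # DNS
    OutboundRule("allow", "tcp", 80),   # HTTP
    OutboundRule("allow", "tcp", 443),  # HTTPS
    OutboundRule("allow", "tcp", 25),   # SMTP
    OutboundRule("allow", "udp", 123),  # NTP
]
# Constructed: the CNC workstation, pinned by a DHCP reservation so the rule
# keeps matching it.  The deny must sit before the allows (first match wins).
CNC_PC = "192.168.1.50/32"
OUTBOUND_RULES = [OutboundRule("deny", src=CNC_PC)] + BASELINE_ALLOW


if __name__ == "__main__":
    for f in (Flow("tcp", "198.51.100.7", 3389), Flow("tcp", "203.0.113.77", 3389)):
        print("in ", f, inbound_decision(PORT_FORWARDS, f))
    for f in (Flow("tcp", "192.168.1.20", 443), Flow("tcp", "192.168.1.50", 443)):
        print("out", f, outbound_decision(OUTBOUND_RULES, f))
```

Swapping the CNC deny rule to the end of OUTBOUND_RULES makes the allow rules match first and the exception silently disappears, which is the ordering mistake to watch for when adding fine-grained rules.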

If you have more than one WAN (and more and more businesses do these days) then you will need to prioritize your rules for WAN 1 and WAN 2. The AE offers the option to have some traffic go over one WAN and other traffic over the other, as is often the case with VOIP systems. For example, with VOIP you will want the VOIP traffic to travel over the T1 line but the rest of your Internet traffic to travel over the less expensive, higher-bandwidth cable line. Failover is also an option, as is hybrid. You can configure all of your rules to choose WAN 1 if it can and WAN 2 if necessary; this is failover. In hybrid you set up some of your rules to fail over and others not to. You may choose this route due to bandwidth concerns should the higher bandwidth line be the one to fail. Allowing too much traffic on the lower bandwidth connection could cause more problems than it creates in benefits.

TIP: It does take time for the AE to fail over. Calyptix says about 20 seconds. It also takes time for it to fail back, another 20 seconds or so depending on how busy it is. If you have a WAN link that is going up and down this can result in a mess, and it may be better to unplug that WAN connection until it has stabilized.

TIP: In the case of failover, be sure to have the proper public DNS entries in place. Otherwise, if the WAN link that your MX record points to is down and the AE fails over but there’s no MX record for the secondary location, your mail will still fail to deliver.

Finally, you can also configure load balancing. Calyptix provides an example of load balancing in this article: Load balancing is a somewhat manual process whereby you specify which traffic you want to go over which lines. In this way it is similar to the hybrid approach; the main difference is the reason why you are implementing it. I have a client that has a significantly sized CAD department. The CAD department demands most of the bandwidth. A cable line was installed to provide them the best possible throughput. This line is used by the rest of the company as failover only, thus providing the CAD department unfettered access to the best bandwidth except in the case of an emergency.

Figure 5 shows a couple of rules created specifically for CAD computers.


Figure 5: Rules created to provide the higher bandwidth WAN connection to CAD PCs.

Configure Remote Management

Limiting the remote management of your firewall is just as critical as limiting the remote management of your servers or securing RDP access. Figure 6 shows the available options. Two of the options that you should definitely implement are to choose Allow only these hosts to manage the AccessEnforcer and Use a blank login page.

The AE allows you to restrict remote management down to only IP addresses that are known to you. In this box you should enter the IP addresses from which you want to allow administration. Calyptix also offers the option of using a blank login page. The trick to thwarting hackers is to provide them with as little information as possible. When you use a blank login page you make it just that much more difficult for the bad guys to determine what they are trying to break into. Anytime you can make it more difficult you’ve increased the likelihood significantly that they will go elsewhere and bother someone less secure.


Figure 6: The remote management access settings. Choosing the right settings here reduces the chance of unauthorized management of your firewall.

Firewall and Intrusion Protection

The Access Enforcer contains an excellent intrusion detection and prevention system. Under the hood it uses Snort. Calyptix has made the configuration and management simple to introduce and maintain. The first step in the process is to ensure that your firewall is configured. It ships pre-configured, but you should verify against Figure 7 that everything is enabled. Under the Block Policy setting is an option to notify the source that you blocked them. While this might seem like a neighborly thing to do, in practice it is just poking the bear: a reject response confirms to whoever is scanning that something is there and filtering, and because the reply goes to whatever source address the packet claimed, it can be turned against you. Poke the wrong bear and you could end up with a denial of service attack against you or worse. Leave the default setting of Drop silently in place. Likewise, leave Filtering Optimization set to Normal unless Calyptix support instructs you to change it. Under Filtering Options, all of them should be selected.


Figure 7: The firewall settings shown here come configured out of the box and should be left in place.

The Access Enforcer offers a staged implementation of Intrusion Prevention. Calyptix recommends that you start with the least protective setting and work your way up, whitelisting the URLs and IPs that the client requires as you go along. As a busy IT consultant I find this difficult to do. While the staged process prevents a lot of blocking from occurring at once, it also drags out the final implementation, potentially annoying the end user each time you increase the protection level, and leaves the possibility that you will get distracted and leave the configuration in a less protected state than desired.

My recommendation is to take a two-stage approach instead. Stage 1 is to enable Intrusion Detection with Dynamic Blacklisting. Once you have finished tweaking the rules and whitelisting the websites that your client needs, implement Stage 2, which is to enable Intrusion Protection with Dynamic Blacklisting as in Figure 8. When you move to Stage 2 you should not need to make any further configuration changes.


Figure 8: Intrusion Prevention isn’t enabled by default. Configure to the highest level as quickly as possible to reduce end user pain.

The trickiest part of configuring intrusion protection is knowing what it looks like to your clients, so that when they call you immediately know what to do. From the user's perspective it looks like the website is having a problem: they were able to get to it before, now they can't, and later they can again. This is an indication that the site's IP address has been placed on the Dynamic Blacklist and you need to whitelist it (Figure 9). Or they were on the home page, but as soon as they attempt to log in they get page not found. In this case you'll need to add the domain to the URL whitelist (Figure 10). These are typical of what the end user is going to report to you. It's best to let them know beforehand that you are about to implement some new security on the firewall and that they should report any issue with reaching or using a website to you immediately. You'll want to catch the site while it is still listed on the Dynamic Blacklist, because an IP address only stays on the dynamic blacklist for a short while.


Figure 9: Adding IPs to the static whitelist is needed when the IP address lands in Network Alerts.


Figure 10: Whitelisting a domain is needed when parts of a webpage work but others don't.

If you find that certain Intrusion Rules are creating a problem for the users, then the rules themselves can be disabled. We have rarely had to do this, but it has happened. Initially we had some issues with mobile phones triggering the NMAP rules and so we had to whitelist those; however, recently this has not been necessary. If I suspected a rule was causing a problem, I would first call Calyptix support and verify that disabling the rule is the best thing to do. The rules are there to protect your network, so disabling them should not be done except in extreme circumstances (Figure 11).


Figure 11: Intrusion Rules can be disabled but do it as a last resort.
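To make the blacklist behaviour in this section concrete, here is an added example in Python. It is my own illustration, not Calyptix code and not a description of how the AccessEnforcer is built internally. It parses constructed Snort alert_fast-style lines, blocks the offending source for a fixed time-to-live, lets a static whitelist override the block, and ignores alerts from rule SIDs that have been disabled. The alert lines, the addresses, the SIDs (local-rule range, not real VRT rules) and the 600-second TTL are all assumptions; the AE's actual blacklist timer is not stated on this page.

```python
"""Added example: a dynamic blacklist with TTL, static whitelist and disabled SIDs.

Illustrative Python, not Calyptix code. The alert lines below are constructed
in Snort's alert_fast format; the SIDs sit in the local-rule range (1000000 and
up) and do not correspond to real VRT signatures.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample alerts (documentation IP ranges, made-up SIDs).
SAMPLE_ALERTS = [
    "09/17-10:00:01.000000 [**] [1:1000001:1] LOCAL scan detected [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40001 -> 192.0.2.10:22",
    "09/17-10:00:05.000000 [**] [1:1000002:1] LOCAL web exploit attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:51234 -> 192.0.2.10:80",
    "09/17-10:00:09.000000 [**] [1:1000003:1] LOCAL noisy rule tripped by phones [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.77:6100 -> 192.0.2.10:443",
]

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r".*?\{(?P<proto>[A-Z]+)\} (?P<src>[0-9.]+)(?::\d+)? -> (?P<dst>[0-9.]+)(?::\d+)?$"
)


@dataclass
class DynamicBlacklist:
    ttl: float = 600.0                               # seconds an offender stays blocked (assumed value)
    whitelist: list = field(default_factory=list)    # static whitelist: ip_network objects
    disabled_sids: set = field(default_factory=set)  # rules the admin switched off (last resort)
    blocked: dict = field(default_factory=dict)      # source ip -> expiry timestamp

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def process_alert(self, line: str, now: float) -> str:
        """Return what happened to the alert: blocked, whitelisted, rule-disabled or unparsed."""
        m = ALERT_RE.match(line)
        if not m:
            return "unparsed"
        if int(m["sid"]) in self.disabled_sids:
            return "rule-disabled"             # rule is off, so it never reaches the blacklist
        src = m["src"]
        if self.is_whitelisted(src):
            return "whitelisted"               # static whitelist wins over dynamic blocking
        self.blocked[src] = now + self.ttl     # (re)arm the timer for this source
        return "blocked"

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while the entry is live; expired entries are dropped, as a short-lived blacklist does."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True


def run_demo() -> dict:
    policy = DynamicBlacklist(
        ttl=600.0,
        whitelist=[ipaddress.ip_network("198.51.100.0/24")],  # assumed: a vendor site the client needs
        disabled_sids={1000003},                              # assumed: the one rule support agreed to disable
    )
    outcomes = [policy.process_alert(line, now=0.0) for line in SAMPLE_ALERTS]
    return {
        "outcomes": outcomes,
        "scanner_blocked_at_10s": policy.is_blocked("203.0.113.5", now=10.0),
        "scanner_blocked_at_601s": policy.is_blocked("203.0.113.5", now=601.0),
        "vendor_blocked": policy.is_blocked("198.51.100.9", now=10.0),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the file prints the outcome of each alert. The order of the checks is the point: a disabled rule never produces a block, a whitelist entry wins over the dynamic list, and a dynamic entry silently ages out, which is exactly why a user reporting "it works now" cannot be taken as the problem having gone away.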

Signature Sources

One of my favorite features of the Access Enforcer is its ability to protect unpatched systems. It does this through Snort rules from the Sourcefire Vulnerability Research Team (VRT). These rules contain prevention signatures based upon published information on vulnerabilities, so they can block a known exploit pattern before it reaches a PC that has missed patches. Treat this as a safety net rather than a substitute for patching: a signature only catches what it was written for, and a laptop that leaves the office is not behind the AE at all. Calyptix provides a default set of rules, but you will need to subscribe and get your own Oinkcode in order to keep them updated. Calyptix has done all of the programming work; all you need is the code.

To get your Oinkcode visit and create an account. Once you are a registered user you can generate an Oinkcode and subscribe. To generate an Oinkcode go to My Account, Subscription and Oinkcodes. From there you can sign up for a subscription that, for a fee, provides continuous updates, or you can generate an Oinkcode as a registered user only and get updates on a 30-day delay. Once you have your Oinkcode, enter it into the Access Enforcer on the Signature Sources page, as shown in Figure 12.


Figure 12: Once you enter your Oinkcode you'll see the Sourcefire VRT Rule entry under Current Sources.

I have found that for most small businesses the 30-day delay code is sufficient, but in higher security environments you should subscribe. The subscription runs $499 per year for each Access Enforcer.

Protecting Mail Servers

The Access Enforcer offers a full suite of anti-spam features, all of which are detailed and explained very well in These documents will walk you through configuring the spam filter, setting up user quarantine pages and managing the system. It is a very complete system and will even hold mail for you should your mail server be unreachable.

The settings that I'd like to point out are applicable to those that will not be using the Access Enforcer for anti-spam services but rather will be hosting those services off-site. These are found on the Setup/General/Advanced page. This page contains settings that don't apply to everyone and that Calyptix has not yet built into the other configuration pages. In the SMTP section there are a couple of options that you'll want to configure. In the box Only set these comma-separated IP addresses make outbound SMTP connections: list the internal IP address of your mail server(s). This tells the Access Enforcer to allow only those machines to send mail and no others, so an infected PC that suddenly starts sending spam out of your network is stopped at the firewall instead of getting your client's public address blacklisted. Blocked outbound SMTP attempts from anything other than the mail server are worth watching for, since they usually mean a machine inside needs attention (see Figure 13 for an example).


Figure 13: SMTP security settings let you tell the AE which servers mail comes from.

In the box Allow these CIDRs and IP addresses to entirely bypass the SMTP proxy, enter the IP address ranges used by your external spam filtering service. Then check the Accept mail only from the above networks box. These settings tell the Access Enforcer to accept mail only from your spam filtering service. Two checks before you rely on this: confirm that the domain's MX records point only at the filtering service, since anything that still delivers directly to your public address will now be refused, and take the filtering service's currently published address ranges rather than copying whatever IPs you last saw in the logs, because those ranges change.
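As an added example (my own Python, not Calyptix code), here are the two SMTP settings above expressed as a policy check over a constructed flow log, plus a detector for the infected-PC case that the outbound setting is meant to stop. The mail server address 192.168.1.10, the filtering service range 203.0.113.0/24, the flow records and the three-attempt threshold are assumptions. I also apply the outbound rule to ports 465 and 587 as well as 25, which is a choice for the example rather than a documented AE behaviour.

```python
"""Added example: the two SMTP controls from the Setup/General/Advanced page as a
policy check over constructed flow records. Illustrative Python, not Calyptix
code; the addresses, networks, ports and threshold are assumptions.
"""
import ipaddress
from collections import Counter

# Assumed values for the example (documentation ranges, not taken from the article).
INTERNAL_MAIL_SERVERS = {"192.168.1.10"}                          # hosts allowed to open outbound SMTP
SPAM_FILTER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # CIDRs that bypass the SMTP proxy
ACCEPT_MAIL_ONLY_FROM_FILTER = True                               # "Accept mail only from the above networks"
SMTP_PORTS = {25, 465, 587}                                       # assumption: submission ports count too

# Constructed flow log: (direction, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("out", "192.168.1.10", "198.51.100.20", 25),    # mail server relaying out: fine
    ("out", "192.168.1.55", "198.51.100.21", 25),    # workstation talking SMTP directly: suspicious
    ("out", "192.168.1.55", "198.51.100.22", 25),
    ("out", "192.168.1.55", "198.51.100.23", 25),
    ("out", "192.168.1.55", "198.51.100.24", 587),
    ("out", "192.168.1.55", "198.51.100.30", 443),   # ordinary web traffic, not SMTP
    ("in",  "203.0.113.7",  "192.168.1.10", 25),     # inbound from the filtering service
    ("in",  "198.51.100.99", "192.168.1.10", 25),    # inbound direct from the internet, skipping the filter
]


def evaluate(direction, src_ip, dst_ip, dst_port,
             mail_servers=INTERNAL_MAIL_SERVERS,
             filter_nets=SPAM_FILTER_NETWORKS,
             only_from_filter=ACCEPT_MAIL_ONLY_FROM_FILTER):
    """Return (allowed, reason) for one connection under the two SMTP settings."""
    if dst_port not in SMTP_PORTS:
        return True, "not smtp"
    if direction == "out":
        if src_ip in mail_servers:
            return True, "listed mail server"
        return False, "outbound smtp from unlisted host"
    # Inbound: the filtering service bypasses the proxy; everyone else is refused
    # when the "only from the above networks" box is ticked.
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in filter_nets):
        return True, "from spam filter, bypasses proxy"
    if only_from_filter:
        return False, "inbound smtp not from spam filter"
    return True, "handled by smtp proxy"


def suspected_spam_bots(flows, threshold=3):
    """Internal hosts denied outbound SMTP at least `threshold` times: the infected-PC case."""
    denied = Counter()
    for direction, src, dst, port in flows:
        allowed, _reason = evaluate(direction, src, dst, port)
        if direction == "out" and not allowed:
            denied[src] += 1
    return {ip for ip, n in denied.items() if n >= threshold}


def run_demo():
    verdicts = [(src, port, evaluate(d, src, dst, port)) for d, src, dst, port in SAMPLE_FLOWS]
    return verdicts, suspected_spam_bots(SAMPLE_FLOWS)


if __name__ == "__main__":
    verdicts, bots = run_demo()
    for src, port, (allowed, reason) in verdicts:
        print(f"{src}:{port} -> {'allow' if allowed else 'deny'} ({reason})")
    print("suspected spam bots:", bots)
```

The detector is the part the firewall setting alone does not give you: a workstation that repeatedly hits the outbound SMTP block is almost always something to clean up, and counting those denials per source is a cheap way to find it before the client's public address lands on a blocklist anyway.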

Reports and Web Filtering

As with most products, the default report settings are not going to be interesting to your clients. You need to create a customized report for your client. But before you start customizing the report you need to tell the AE to gather website data. In the Web Filter Settings box select the Monitor: radio button as in Figure 14.


Figure 14: Setting your AE to log web requests enables reports to show websites visited by user.

Notice that this option says that it will log web requests while proxying. The AE is a proxy. As such it caches frequently requested content. I have never had to use it, but Calyptix supplies a button on this page that will clear the cache for you should the need arise (Figure 15).


Figure 15: The AE is also a proxy. If you need to clear the proxy cache there’s a button available in the Web Filtering section.

If you have not implemented Active Directory integration then your reports will be recorded only by IP address. If you have implemented it then you'll get the logged-on user's name along with the website data. The AE contains many advanced features for broad and fine-grained web filtering. Great documents already exist for implementing those features here: so we aren't going to dig deep into that topic.

Calyptix calls creating a new report setting a report schedule. On the Reports tab, click Add a Report Schedule from the menu on the left side of the screen. Then give your report a name. Next select the data that you'd like the report to contain. To create a report that will allow management to review the website activity of employees, select Web Traffic Downloaded by Website, Web Traffic Downloaded by User/IP and Blocked Web Traffic by User/IP. Finally choose a time period, decide whether you want to generate individual reports or just a group report, and choose who you want to send the reports to. In the PDF settings choose to include Graphs and Show all of the data if you want a list of all websites.

This generates an individual report with at-a-glance graphs (Figure 16) and web details (Figure 17) for each user and IP address in the company. You might be tempted to generate reports only for usernames, but generating a report for IPs too will capture data from non-domain-joined machines, BYOD, mobile phones and guests, giving you a full picture.


Figure 16: At-a-glance graphics of an individual user's activity for the reporting week


Figure 17: Website details for an individual user

Configuring Additional Networks

Another of my favorite features of the AE is its ability to segregate traffic into different networks. In the not too distant past very few of our clients had the need for more than one network in their small businesses. But now with the advent of BYOD all of them require trusted and untrusted LANs. Included in BYOD are guest wireless connections and employee-owned smartphones, so if for a moment there you thought that your clients aren't involved in the BYOD revolution because they are still purchasing PCs and laptops for office users, you might need to rethink. Every business is getting requests for Internet access by untrusted devices.


A very common example of a guest wireless setup: plugged into the NIC2 port of the AE is a wireless router that is used for guest BYOD users. In this case the guests include employees with smartphones and guests of the business. The AE provides DHCP and DNS for this LAN and prevents devices on this untrusted LAN from accessing the trusted LAN. Test that isolation from the guest side once it is set up, for example by trying to reach a trusted-LAN server by IP address from a phone on the guest wireless, rather than assuming it.

Each of these LANs can have its own reports, web filtering policy restrictions, etc. You may find that you need additional LANs, and you can make as many as the AE you've purchased has available ports.

As we’ve seen the AE has many different security settings. What we’ve gone through in this document is what I consider to be the baseline setup. Individual clients may have needs for more find grained control but the items in this paper provide a good foundation upon which you can configure those additional controls.


Heads Up Everyone! Our Helpdesk URL is about to change
Posted by Third Tier on 17 September 2014 04:32 PM

On Friday at 8am GMT our current helpdesk will go offline for a migration to a new host and new URL. The new URL for our helpdesk will be Please make a note of the change and update any bookmarks that you may have.

Why the change? Well, we're growing and I wanted to separate the helpdesk onto a different host from the website and mail system, thus protecting us from multiple service failures and supporting future growth. Previously everything resided on a single server host. Now we have two completely different hosts, one in the Eastern USA and the other in the UK. We'll have better performance too, as each system is larger and more powerful than the previous shared system.

So make that note, on Friday you’ll need to start using the new URL


Are you not a member of SMBKitchen ASP? Join up. $300 for new members. Just register for an account, then proceed to payments, click buy more support and add the ASP to your cart. Our goal is to help IT firms be more aware, be better consultants and survive in the new era.


Know an IT Guru?
Posted by Third Tier on 10 September 2014 05:45 PM

Third Tier is hiring independent consultants with extreme top end general IT knowledge. If you are the guru that other IT professionals look to when they can’t resolve an issue, then you might be Third Tier. If others work on problems for hours and you can look at it and resolve it in minutes, then you might be Third Tier.

We have over 1,000 IT firms servicing small and medium businesses that look to us to provide help to their staff when they get stuck or have a backlog of work. It could be anything from a DNS issue to a failed cluster, Hyper-V performance or AD recovery, SharePoint permissions to a failed server migration. Our clients are IT professionals with some smarts.

If you are looking to add a couple of billable hours to your day, we can pay you $131.25 per hour of collected revenue for your work. Send your resume to

