- July 5th, 2018
Fortinet FortiGates are stateful firewalls that permit or deny access based on firewall policies. A firewall policy defines what to do with traffic that matches specified criteria; those criteria are drawn from the traffic flow itself (interfaces, addresses, services) and from other objects such as schedules and users.
Firewall policies are processed top down, and the first matching policy is applied to the traffic. Actions include accept, deny, NAT and authentication, among other options. There is an implicit deny at the bottom of the list that drops any traffic not matched by a policy higher in the list. Enable logging on your firewall policies for monitoring and troubleshooting, for both allowed and denied traffic; note that the implicit deny policy does not log until you enable logging on it explicitly.
Policies use various objects such as schedules, NAT rules, service definitions, interfaces, addresses, devices and users as matching criteria. You can match on schedule (recurring or one-time), ingress/egress interface, source IP, originating user, device ID, destination IP or service, etc. Policies require the source and destination interfaces to be specified, but "any" is an acceptable choice for one or both fields. A flow must match both the source and destination criteria to be considered a match.
Sources can be specified as a subnet, a fully qualified domain name (requires DNS), an IP address or range, an Internet Service Database (ISDB) object, or a geographic location. You can also specify a user or device as a source in addition to at least one of those address types. Users can come from the local FortiGate database, a remote authentication server (e.g. RADIUS or LDAP), a certificate, or Fortinet Single Sign-On. A source user criterion can also be used to force authentication before network access is permitted.
The FortiClient application is an agent-based option for device identification; various traffic types (TCP fingerprinting, LLDP, SSDP, DHCP, etc.) can be used for agentless identification. You cannot use an address object in the source field if an ISDB object is set as the source. The ISDB is updated at periodic intervals to keep its objects accurate.
Policies can also match on destination information: a fully qualified domain name (requires DNS), ISDB objects, a geographic location, an IP address or range, or a subnet. Users and devices cannot be used as destinations, since they are identified on the ingress interface. ISDB objects consist of the IP addresses, port numbers and protocols used by well-known Internet services.
Policies come in several types, such as traffic shaping (rate limiting), multicast, local-in (traffic where the FortiGate itself is the source or destination), IPv4 and IPv6.
The deny action drops the packet and stops further processing. Accept passes the traffic on to further actions such as NAT and, if configured, deeper inspection by security profiles such as antivirus scanning or web filtering.
There is a Learning mode for firewall policies that lets you deploy the FortiGate in an essentially monitor-only mode: all traffic is permitted and logged, so you can see the data gathered about every flow traversing the device. The Learning Reports page summarizes those logs to help you build your firewall policies.
Please be mindful that policy/object deletions and changes are applied immediately. This can cause outages if not properly tested and implemented during a maintenance window. All of your modifications should be carefully planned and tested before implementation.
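The top-down, first-match semantics and the implicit deny described above are easy to get wrong when a broad accept is placed above a narrower deny. The following Python model is an added illustration, not Fortinet code: the object model, the interface names, addresses and policy table are constructed for the example, and the log line format is a simplified imitation of a traffic log rather than the real one. It evaluates a flow against an ordered policy list, logs both accepted and denied traffic, and includes a small check for policies that sample flows never reach.

```python
"""First-match policy evaluation with an implicit deny, modelled on the
FortiGate behaviour described above. Added illustration, not Fortinet code:
interfaces, addresses, policies and the log format are all constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"
IMPLICIT_DENY_ID = 0  # FortiGate reports the implicit deny as policy ID 0


@dataclass(frozen=True)
class Flow:
    src_intf: str
    dst_intf: str
    src_ip: str
    dst_ip: str
    proto: str                    # "tcp" or "udp"
    dport: int
    user: Optional[str] = None    # authenticated user, if any


@dataclass(frozen=True)
class Policy:
    policy_id: int
    name: str
    src_intf: str                          # interface name or ANY
    dst_intf: str
    src_nets: Tuple[str, ...]              # address objects as CIDR strings
    dst_nets: Tuple[str, ...]              # "0.0.0.0/0" plays the role of "all"
    services: Tuple[Tuple[str, int], ...]  # (proto, port); (ANY, 0) matches all
    action: str                            # "accept" or "deny"
    users: Optional[Tuple[str, ...]] = None  # extra user criterion, if set
    nat: bool = False

    def matches(self, f: Flow) -> bool:
        """Every configured criterion must match; interfaces honour ANY."""
        if self.src_intf not in (ANY, f.src_intf) or self.dst_intf not in (ANY, f.dst_intf):
            return False
        if not any(ip_address(f.src_ip) in ip_network(n) for n in self.src_nets):
            return False
        if not any(ip_address(f.dst_ip) in ip_network(n) for n in self.dst_nets):
            return False
        if not any(p == ANY or (p == f.proto and port == f.dport) for p, port in self.services):
            return False
        if self.users is not None and f.user not in self.users:
            return False
        return True


def evaluate(policies: List[Policy], f: Flow, log: List[str]) -> Tuple[int, str]:
    """Walk the list top down; the first match decides, otherwise implicit deny.
    Both outcomes are logged, as the post recommends."""
    detail = (f"srcintf={f.src_intf} dstintf={f.dst_intf} srcip={f.src_ip} "
              f"dstip={f.dst_ip} proto={f.proto} dstport={f.dport}")
    for p in policies:
        if p.matches(f):
            log.append(f"policyid={p.policy_id} policyname={p.name!r} action={p.action} "
                       f"{detail}" + (" nat=yes" if p.nat else ""))
            return p.policy_id, p.action
    log.append(f"policyid={IMPLICIT_DENY_ID} policyname='Implicit Deny' action=deny {detail}")
    return IMPLICIT_DENY_ID, "deny"


# Constructed sample policy table (interface names and addresses are made up).
POLICIES = [
    Policy(1, "Guest-to-Corp-Deny", "guest", "lan", ("192.168.50.0/24",),
           ("10.0.0.0/8",), ((ANY, 0),), "deny"),
    Policy(2, "LAN-SMB-Out-Deny", "lan", "wan1", ("10.0.0.0/8",),
           ("0.0.0.0/0",), (("tcp", 445),), "deny"),
    # Broad outbound accept: anything placed below it for the same
    # interfaces and addresses can never be reached.
    Policy(3, "LAN-to-Internet", "lan", "wan1", ("10.0.0.0/8",),
           ("0.0.0.0/0",), ((ANY, 0),), "accept", nat=True),
]


def shadowed_policies(policies: List[Policy], samples: List[Flow]) -> List[int]:
    """IDs of policies that no sample flow ever reaches: a cheap ordering check."""
    hit = {evaluate(policies, f, [])[0] for f in samples}
    return [p.policy_id for p in policies if p.policy_id not in hit]


if __name__ == "__main__":
    log: List[str] = []
    for flow in (Flow("lan", "wan1", "10.1.1.5", "93.184.216.34", "tcp", 443),
                 Flow("guest", "lan", "192.168.50.7", "10.0.0.10", "tcp", 445),
                 Flow("wan1", "lan", "203.0.113.9", "10.0.0.10", "tcp", 22),
                 Flow("lan", "wan1", "10.1.1.5", "203.0.113.50", "tcp", 445)):
        print(evaluate(POLICIES, flow, log))
    print("\n".join(log))
```

Swapping policies 2 and 3 makes the SMB deny unreachable: the broad accept matches first, and `shadowed_policies` reports ID 2 as never hit. The same ordering mistake on a real FortiGate is silent unless you log accepted traffic and look for the policy ID you expected to see.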
FortiGate devices are powerful firewalls that offer traditional as well as next generation features that can help secure your network.
- July 5th, 2018
As interest in the benefits of Software-Defined Wide-Area Networks (SD-WAN) has grown in the past 18 months, we at H.A. see more and more questions from customers about the best way to consume SD-WAN. In this post, I will discuss some of the decision points that may help businesses determine where they fall on the SD-WAN “Buy” vs. “Build” spectrum.
If you need a primer on SD-WAN technology, H.A.’s Jason Bishop wrote a great SD-WAN 101 article previously on this blog.
Early in the emergence of SD-WAN, most people thought of SD-WAN as a thing an enterprise would own: the enterprise's architects would research and select an SD-WAN platform and then procure and deploy the components internally (possibly with the help of a VAR). This means the enterprise moves away from service provider lock-in; it gains the ability to build its own WAN over any network transport. In fact, that's the exact story most SD-WAN solutions tell. Some even explicitly point out that SD-WAN becomes a good way to strong-arm your existing Service Providers (SPs) into lower service rates by reminding them of your ability to ditch them completely and roll your own WAN with whatever low-cost circuits you can get.
As SD-WAN started to come into the marketplace, most traditional WAN providers immediately identified it as a potential threat to their value-add WAN offerings. After all, if SD-WAN provides enterprises the ability to swap underlays (WAN circuits) out at will without impacting the overlays that the business’ data runs over, this puts WAN SPs into a position where their services become a pure race-to-the-bottom to avoid being swapped out at any time.
In response, most SPs have begun offering a managed SD-WAN solution, providing customer-premises equipment that delivers the SD-WAN functionality over circuits the SP supplies (either directly or through its own agreement with a third-party provider).
This got me thinking about the pros and cons of a managed SD-WAN approach versus running your own SD-WAN from an end-user enterprise’s perspective, particularly through the lens of whether managing a WAN (whether traditional or software-defined) is really a “core competency” of any enterprise.
Managed SD-WAN Pros:
- One throat to choke – It’s on the SP to own, manage, and maintain all the transports they may be using for your SD-WAN.
- Speed of deployment – SD-WAN is hot and everyone wants to know how to get there. Taking the “Buy” path and letting someone else own/operate/manage the solution will certainly be one of the fastest ways to leverage SD-WAN benefits with limited retraining of operations staff.
- Insulation from market consolidations – If an enterprise selects a service provider for a managed SD-WANaaS solution and the SD-WAN technology vendor the SP chooses does not survive the inevitable market consolidation, that is the SP’s problem, not the enterprise’s.
- For enterprises with strong strategic partnerships with an SP that previously had difficulty getting circuits into some locales, an SD-WANaaS model may make it easier to keep remote sites “on net” even with no SP-owned/leased transport.
Managed SD-WAN Cons:
- If you are concerned about locking-in with an SP and letting them get more ingrained in your environment, managed SD-WAN is clearly not for you.
- Data Privacy concerns come to mind – recently we’ve seen much less trust in the SP, with many enterprises choosing to encrypt data even over a “private” WAN. Managed SD-WAN and the application-level traffic routing and advanced analytics puts a lot of information into the SP’s hands, and potentially the hands of any actor or agency with hooks into them.
- Pricing – Clearly, service providers' interest in managed SD-WAN offerings stems from concerns about their existing profits eroding in an age of SD-WANs built out of low-cost broadband connections. Will an SP-managed service hold the same pricing advantages as a self-managed one? I would have my doubts.
On the other hand, a self-managed SD-WAN solution purchased and operated by the enterprise may be a better fit in some cases.
Self-Deployed SD-WAN Pros:
- Flexibility to select exactly the right product for your needs. Each SD-WAN vendor has some unique features and value propositions, and choosing your own SD-WAN vendor allows you to prioritize those features differently than an SP may have.
- Aggressive feature deployment: If a solution has new features in software that matter for your business, you can probably get them deployed quicker if you run your own SD-WAN solution. SPs may be less aggressive with rolling out new features.
- Control: The topology, underlays, and security are completely under control of your business and can be configured however needed.
- Freedom from service providers – much like “cutting the cord” with your home cable, keeping the circuit providers as a commodity service with no value-add makes it easier to swap them out or go in a different direction if a situation or site requires it.
Self-Deployed SD-WAN Cons:
- Product selection: You must select a vendor for your solution. Few, if any, are interoperable, so mixing vendors isn't really a feasible option at this stage. A couple of years ago this was a riskier proposition, but in recent months some market consolidation of the most notable startups (such as Viptela and VeloCloud) has occurred as they are acquired by incumbent IT vendors (such as Cisco and VMware).
- Training: SD-WAN uses newer, sometimes proprietary, encapsulations and routing methods, new terminology, and underlay/overlay concepts. You will need to be comfortable with these topics to reliably manage your own SD-WAN. This may require engineers to be trained or have access to lab environments.
Whether you are interested in building your own SD-WAN or purchasing SD-WAN services from a service provider, the benefits of the technology make it very compelling in today’s IT environment. High Availability works with several vendors of SD-WAN solutions, so contact your account manager today to discuss options and let us help find the solution that best fits your organization.
High Availability, Inc. Named NetApp East "Emerging" Partner of the Year at Second Annual Channel Connect Conference
- June 29th, 2018
High Availability, Inc. receives NetApp accolade for outstanding achievements in supporting NetApp products in 2018.
Audubon, PA, June 29th, 2018 - High Availability, Inc. has been named the NetApp East “Emerging” Partner of the Year for its overall FY18 revenue, year over year growth, key account wins and participation in regional partnership activities.
Over the last decade, High Availability, Inc. has built a strong relationship with every facet of NetApp. As a NetApp Platinum Partner, a NetApp Professional Services Certified Partner, a NetApp FlexPod Premium Partner, a NetApp Cloud Service Provider, and a member of the NetApp Partner CTO Advisory Board, the team at High Availability, Inc. puts a great deal of focus and time into their ever-growing partnership with NetApp.
"The Channel Partners recognized today have gone above and beyond to support our joint customers in digital transformation,” said Jeff McCullough, vice president, Channel Sales, NetApp. “It’s my honor to congratulate High Availability, Inc. on being named as our East “Emerging” Partner of the Year. NetApp looks forward to continuing to work with you to support our joint customers in their digital transformation.”
“We are honored to be recognized by NetApp and we are excited about our growing partnership,” said Randy Kirsch, High Availability, Inc. Executive Vice President. “This award reflects our strong partnership with NetApp and their channel team to deliver innovative solutions and leverage emerging technologies to our mutual clients.”
The 2018 Americas Partner Awards were announced on stage at NetApp’s inaugural Channel Connect Conference (C3) where strategic partner executives from across the Americas region gathered to hear about NetApp’s strategic vision and engage with NetApp executives.
- June 19th, 2018
High Availability, Inc. Named NetApp Overall Partner of the Year
High Availability, Inc. receives NetApp accolade for outstanding commitment and partnership.
Audubon, PA, June 19th, 2018 - High Availability, Inc. announced today that NetApp, one of our most strategic technology partners, has named High Availability, Inc. as the NetApp Overall Partner of the Year – PA/DE District for FY18. The award was given for outstanding services, partnering, and commitment. This is High Availability, Inc.'s sixth consecutive year receiving this accolade from NetApp.
“Another year, another top recognition for an awesome partner and team at High Availability Inc., a NetApp partner since their inception in 2000,” said Dan Repka, Channel Development Manager for NetApp. “Over the past years, the team at High Availability has built a strong, growing and well-regarded data management practice and expanded into all areas of the data center helping customers implement varied integrated solutions. This partner is all in with NetApp as a Platinum partner, a Professional Services Certified partner, a FlexPod Premium partner, a NetApp Cloud Service Provider and a member of our Partner CTO Advisory Board. While the company overall continues to grow at double digits for the past 8 years, their NetApp business has followed that trend by driving transformative solutions within their installed base and new accounts in the commercial, enterprise, SLED and healthcare market segments. The team are experts at implementing NetApp data driven solutions leveraging our entire portfolio of flash, converged, hyperconverged, and cloud integrated solutions to empower our mutual customers to change the world with data. Congratulations!” added Repka.
- June 18th, 2018
Audubon, PA, June 11th, 2018 - High Availability, Inc. announced today that COSTARS, Pennsylvania's cooperative purchasing program for eligible public procurement units and state-affiliated entities, has officially named High Availability, Inc. as an official vendor. The COSTARS program offers members the chance to obtain more competitive pricing for professional services.
COSTARS was created in 2004 by the Department of General Services (DGS) to increase the cooperative purchasing options for local public procurement units (LPPUs) and state-affiliated entities. Initially, the DGS limited the LPPUs to only certain statewide contracts, but this quickly changed so members could obtain the best and most beneficial contracts for their organizations. In fact, DGS estimates that more than 10,000 entities within the Commonwealth of Pennsylvania are eligible to become COSTARS members. Several thousand of these have already registered as COSTARS members, and the list of registered members continues to grow.
“We are thrilled to be given the opportunity to serve even more state affiliated entities through our newly acquired COSTARS contracts,” said Randy Kirsch, Executive Vice President of High Availability, Inc. “This allows us to vastly expand our network in the state of Pennsylvania!” Kirsch added.
To learn more about the COSTARS program please visit http://www.dgs.pa.gov
- June 8th, 2018
High Availability, Inc. Named to CRN’s 2018 Solution Provider 500 List
CRN's 2018 Solution Provider 500 list ranks the top integrators, service providers and IT consultants in North America by services revenue.
Audubon, PA, June 4th, 2018 - High Availability, Inc. announced today that CRN®, a brand of The Channel Company, has named High Availability, Inc. to its 2018 Solution Provider 500 list. The Solution Provider 500 is CRN’s annual ranking of the largest technology integrators, solution providers and IT consultants in North America by revenue.
The Solution Provider 500 is CRN’s predominant channel partner award list, serving as the industry standard for recognition of the most successful solution provider companies in the channel since 1995. The complete list will be published on CRN.com, making it readily available to vendors seeking out top solution providers to partner with.
CRN has also released its 2018 Solution Provider 500: Newcomers list, recognizing 26 companies making their debut in the Solution Provider 500 ranking this year.
“We could not be more excited to be recognized on CRN’s Solution Provider 500 for the 6th year in a row,” said Steve Eisenhart, Chief Executive Officer of High Availability, Inc. "We exceeded our own expectations by jumping 49 spots to #239. This achievement is a tribute to our dedicated and talented employees, loyal customers and supportive business partners. We will continue to make investments in the right people, the right partners and the right technologies to advance as an organization and improve our position on this list in the future." Eisenhart added.
“CRN’s Solution Provider 500 list spotlights the North American IT channel partner organizations that have earned the highest revenue over the past year, providing a valuable resource to vendors looking for top solution providers to partner with,” said Bob Skelley, CEO of The Channel Company. “The companies on this year’s list represent an incredible, combined revenue of $320 billion, a sum that attests to their success in staying ahead of rapidly changing market demands. We extend our sincerest congratulations to each of these top-performing solution providers and look forward to their future pursuits and successes.”
The complete 2018 Solution Provider 500 list will be available online at www.crn.com/sp500 and a sample from the list will be featured in the June issue of CRN Magazine.
- May 31st, 2018
Being the superhero of IT is not an easy job. Fighting crime, helping citizens, keeping peace, all in a day's work. Avoiding disaster is one of the IT superhero's duties that can be quiet, and behind the scenes. It can also be costly and risky, hard to budget and hard to plan.
Two of DR's arch enemies - Cost and Risk!
Fortunately, moving your DR into the cloud can fight cost and fight risk. Let's look at some of the top reasons a cloud-based DR solution can help save money and leap tall pitfalls.
Managing a DR Location
Cost: Buying or leasing a secondary IT location can be a huge infrastructure undertaking. Moving to the cloud often requires little infrastructure purchasing, as space, power, cooling and connectivity can all be rolled up into a single lower expense.
Risk: Cloud data centers are designed with risk avoidance in mind. Redundant power and multiple carrier connections into the data center give availability that a single self-managed secondary site rarely matches.
Cost: Purchasing DR equipment can be a costly and shocking endeavor. Replicating production equipment, with its own maintenance and software licensing costs, is often difficult to justify as a large capital expenditure. Cloud capacity, with co-location and virtualized hardware, can make economic sense: entire DR solutions can be leased month to month as an operational expense that is easier to justify.
Risk: Due to budget, space, internet speed or other constraints, legacy DR solutions often take shortcuts to avoid those challenges. Every shortcut introduces a risk. An operational-expense cloud design allows a complete solution to be designed and implemented without cutting corners.
Cost: Hiring additional staff to manage DR equipment and connectivity can be pricey. Having a cloud provider manage the DR solution can remove the need to hire staff or send staff on frequent trips to a legacy DR location.
Risk: Having dedicated DR professionals at the ready reduces the risk of relying on internal staff who may not be comfortable with designing, implementing and maintaining a true DR solution.
Cost: Designing a legacy DR solution means creating, deploying and maintaining a replica of the full production environment. Staff must coordinate with multiple hardware vendors, software vendors and internet providers to maintain it, and running a DR test plan can be a coordination nightmare. Having a single cloud service provider design, implement and maintain the full DR environment means one vendor can be tasked with disaster testing and plan validation.
Risk: Relying on many partners during a disaster creates challenges in recovery timing, tasks and ownership. A single provider that can "flip the DR switch" and fail production over to the DR location removes much of that ambiguity.
Being a superhero can be as simple as making a call and finding a partner up in the clouds.
- May 23rd, 2018
There are various options when it comes to installing Cisco Unified Communications (UC) applications. I have summarized these options with the pros and cons of each:
Business Edition (BE) 7000- BE7K or Business Edition (BE) 6000- BE6K
- What is it?
- The Cisco BE6K/BE7K is built on a virtualized UCS server that ships ready for use with a pre-installed virtualization hypervisor and application installation files. The BE6K/BE7K is a UCS Tested Reference Configuration (TRC): the UC applications have been explicitly tested on its specific UCS configuration.
- Easy to order: one SKU that includes everything, including the VMware license
- All OVA templates and ISO images are preloaded on the server
- No flexibility in choosing hardware or software components
UC on Cisco Tested Reference Configuration (TRC) servers
- What is it?
- UCS TRCs are specific hardware configurations of UCS server components. These components include CPU, memory, hard disks (in the case of local storage), RAID controllers, and power supplies
- Ordering involves more than the BE7K but is simpler than a spec-based solution: check the TRC specification against the actual hardware (CPU, memory, hard drives, VMware, etc.)
- Provides more flexibility than the BE6K and BE7K in choosing hardware/software
- Still fewer hardware/software options to choose from than spec-based
- The client or partner must still manually obtain and upload the OVA template and ISO image for each UC application
- Requires ordering a VMware Foundation or VMware Standard license
UC on Spec Based servers
- What is it?
- Specifications-based UCS hardware configurations are not explicitly validated with UC applications, so no prediction or assurance of UC application virtual machine performance is made when the applications run on spec-based hardware. Cisco provides guidance only; assuring that the pre-sales hardware design delivers the performance required by the UC applications is the customer's responsibility.
- Can leverage existing compute infrastructure, including 3rd party hardware
- Provides the most flexibility in hardware/software options
- Ordering spec-based equipment requires more upfront planning, validation and potentially pre-testing
- Requires VMware vCenter
UC on Cisco HyperFlex
- What is it?
- UC on Cisco HyperFlex is available as a TRC
- Otherwise the same as the TRC servers above
- Provides a more robust and scalable solution
- Can be an expensive solution unless it is part of a larger HyperFlex deployment
- Requires VMware vCenter
Who should be looking for UC on HCI (HyperFlex)?
- Server team with incumbent 3rd-party compute looking for alternative storage
- Voice/video team seeking HCI alternative to BE6K or BE7K appliance for UC
- UCS that is not BExK, one team in charge of everything, wants HCI instead of other approaches
- UCS that is not BExK, separation of duties where server team owns VMware/compute/storage, server team looking for HCI
High Level Solution
The HyperFlex bundle comes with four (4) HX240C nodes and a pair of Cisco 6248 Fabric Interconnects. UCS Manager on the Fabric Interconnects manages the hardware, and the HyperFlex (HX) Data Platform software runs on the nodes themselves.
The following applications are supported by TRC (Tested Reference Configuration) on HyperFlex:
- (CUCM) Unified Communications Manager
- (IMP) Unified Communications Manager – IM & Presence
- Expressway C & Expressway E
- (CER) Emergency Responder
- (PCP) Prime Collaboration Provisioning
- (PCA) Prime Collaboration Assurance
- (PCD) Prime Collaboration Deployment
- (PLM) Prime License Manager (standalone)
- (CUC) Unity Connection
- (UCCX) Unified Contact Center Express
- (TMS) Telepresence Management Suite
- Minimum system using HX240c M4SX TRC#1, HX 1.8.1.
- 4x HX nodes, each with VMware vSphere ESXi 6.0
- 2x 6200 series Fabric Interconnects
- VMware vCenter 6.0 for management
SAN/NAS Best Practices
- Adapters for storage access must follow supported hardware rules
- Cisco sizes UC application storage bandwidth assuming a 4-kilobyte block size
- Design your deployment in accordance with the UCS High Availability guidelines
- 10GbE networks used for NFS, FCoE or iSCSI storage access should be configured with the Cisco Platinum class of service (QoS) for the storage traffic
- Ethernet ports for LAN access and ethernet ports for storage access may be separate or shared. Separate ports may be desired for redundancy purposes. It is the customer's responsibility to ensure external LAN and storage access networks meet UC app latency, performance and capacity requirements
- In absence of UCS 6100/6200, normal QoS (L3 and L2 marking) can be used starting from the first upstream switch to the storage array.
- With UCS 6100/6200
- FC or FCoE: no additional requirements; handled automatically by the Fabric Interconnect
- iSCSI or NFS: Follow these best practices:
- Use a L2 CoS between the chassis and the upstream switch.
- For the storage traffic, a Platinum class QoS is recommended: CoS=5, no drop (the Fibre Channel equivalent)
- L3 DSCP is optional between the chassis and the first upstream switch.
- From the first upstream switch to the storage array, use the normal QoS (L3 and L2 marking). Note that iSCSI or NFS traffic is typically assigned a separate VLAN.
- iSCSI or NFS: Ensure that the traffic is prioritized to provide the right IOPS. For a configuration example, see the FlexPod Secure Multi-Tenant (SMT) documentation (http://www.imaginevirtuallyanything.com/us/).
- The storage array vendor may have additional best practices as well.
- If disk oversubscription or storage thin provisioning is used, note that UC apps are designed to use 100% of their allocated vDisk, either for UC features (such as the Unity Connection message store or Contact Center reporting databases) or for critical operations (such as spikes during upgrades, backups or statistics writes). Thin provisioning itself carries no performance penalty, but not having physical disk space available when the app needs it can:
- degrade UC app performance, crash the UC app and/or corrupt the vDisk contents
- lock up all UC VMs on the same LUN in a SAN
Link Provisioning and High Availability
Consider the following example to determine the number of physical Fibre Channel (FC) or 10 Gigabit Ethernet links required between your storage array (such as the EMC CLARiiON CX4 series or NetApp FAS3000 series) and SAN switch (for example, Nexus or MDS series SAN switches), and between your SAN switch and the UCS Fabric Interconnect. The example is intended to give a general idea of the design considerations involved; contact your storage vendor to determine the exact requirement.
Assume that the storage array has a total capacity of 28,000 Input/Output Operations Per Second (IOPS). Enterprise-grade SAN storage arrays have at least two service processors (SPs) or controllers for redundancy and load balancing, so that is 14,000 IOPS per controller. With a 4 KB (4,096-byte) block size, the throughput per controller is:
- 14,000 I/O per second × 4,096 bytes × 8 bits per byte = 458,752,000 bits per second
- 458,752,000 / 1,000,000 ≈ 459 Mbit/s (437.5 Mibit/s if you divide by 1,024 twice; be consistent about which convention you use)
Allowing for protocol overhead and bursts, one controller needs roughly 600 Mbit/s. A single 4 Gbit/s FC interface therefore has ample headroom for one controller, and even for the whole two-controller array. Cisco nevertheless recommends four FC interfaces between the storage array and the storage switch (as shown in the original post's diagram) to provide high availability: the extra links are there for redundancy, not bandwidth.
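To make the sizing repeatable (and to keep the decimal and binary unit conventions straight), here is the calculation above carried through to a link count, for the 4 KB block size the best-practice list assumes as well as the 28,000 IOPS worked example. This is an added example, not Cisco's code or a Cisco tool: the 30% overhead allowance and the one-link-per-SAN-fabric redundancy factor are assumptions chosen so that the results line up with the post's "roughly 600 Mbps" and "four FC interfaces" figures.

```python
"""Storage link sizing from IOPS and block size. Added example, not Cisco's
code. Assumptions: 30 % overhead headroom and one link per SAN fabric
(two fabrics) per controller for redundancy."""
import math

BITS_PER_BYTE = 8


def payload_bps(iops: int, block_bytes: int = 4096) -> int:
    """Raw payload bit rate for a given IOPS at a fixed block size."""
    return iops * block_bytes * BITS_PER_BYTE


def per_controller_bps(array_iops: int, controllers: int = 2, block_bytes: int = 4096) -> int:
    """Split the array's IOPS evenly across its service processors/controllers."""
    return payload_bps(array_iops // controllers, block_bytes)


def with_overhead(bps: int, overhead_pct: int = 30) -> int:
    """Add headroom for protocol framing and bursts (integer math, no float drift).
    The 30 % figure is an assumption, not a Cisco number."""
    return bps * (100 + overhead_pct) // 100


def to_mbit(bps: int, binary: bool = False) -> float:
    """Mbit/s (decimal) or Mibit/s (divide by 1024 twice): sizing docs mix the two."""
    return bps / (1024 * 1024) if binary else bps / 1_000_000


def links_per_controller(required_bps: int, link_gbps: float, fabrics: int = 2) -> int:
    """Links needed for bandwidth alone, multiplied by the number of SAN fabrics
    so that losing one fabric still leaves enough bandwidth (assumed design rule)."""
    link_bps = int(link_gbps * 1_000_000_000)
    return max(1, math.ceil(required_bps / link_bps)) * fabrics


def array_links(array_iops: int, link_gbps: float, controllers: int = 2,
                block_bytes: int = 4096, overhead_pct: int = 30, fabrics: int = 2) -> int:
    """Total array-to-switch links: per-controller requirement times controllers."""
    need = with_overhead(per_controller_bps(array_iops, controllers, block_bytes), overhead_pct)
    return controllers * links_per_controller(need, link_gbps, fabrics)


if __name__ == "__main__":
    raw = per_controller_bps(28_000)
    print(f"per controller: {to_mbit(raw):.1f} Mbit/s ({to_mbit(raw, binary=True):.1f} Mibit/s)")
    print(f"with overhead:  {to_mbit(with_overhead(raw)):.0f} Mbit/s")
    print(f"4 Gbit/s FC links for the whole array: {array_links(28_000, 4)}")
```

For the post's array this yields about 459 Mbit/s raw and 596 Mbit/s with headroom per controller, one 4 Gbit/s link for bandwidth, doubled for the second fabric, and four links for the two-controller array. Run it with a larger array (for example 200,000 IOPS) and the bandwidth term, not the redundancy term, starts to drive the link count, which is the point at which the 4 KB block assumption and the overhead factor deserve a second look with your storage vendor.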
Note: Cisco provides storage networking and switching products that are based on industry standards and that work with storage array providers such as EMC, NetApp, and so forth. Virtualized Unified Communications is supported on any storage access and storage array products that are supported by Cisco UCS and VMware. For more details on storage networking, see http://www.cisco.com/en/US/netsol/ns747/networking_solutions_sub_program_home.html.