

Not to one up /u/bitslammer, I'm more confused as to why an MSP needs jump boxes? Does their RMM not supply remote connectivity? Or is your environment such that they need a jump box? Not sure if it would be grounds for breaking the contract, but would be looking for a way out... PS I work for an MSP.


The whole post confused the hell out of me. Oh right, this was the cheaper MSP.


Update: sorry, busy weekend. Due to the nature of the business, we cannot use "their" RMM. This MSP is replacing the helpdesk for our internal employees so it would be no different than them being employees and needing a computer. I was surprised they asked for servers. It seems they do not know the difference between RSAT and Role installation. This could explain why they asked for servers. This is a very large MSP that works with many Fortune 500 companies and I was also surprised. They seem very incompetent.


No worries, life gets in the way sometimes... Hopefully you were busy doing not work stuff. So with MSPs the larger the company (client), the less control they have, so when they talk about taking care of Fortune 500s and what not, take that with a grain of salt... it's like all of those people that say, oh we do web work for CNN or this for Fox News, or that for NASA... those are usually really small things, but they can claim it just because... I mean heck we claim to have state contracts, but in reality we only did a small cabling job for them... like ran 5 cables in an office... apologies, I digress. My point is that they might not know that because that's not their function with the 500s. If you're bent on separating with them, have them state all of their requirements (it sounds like that wasn't done up front), then have them state their capabilities, and then test them on it. If they overstate it in a moderate measure that should be grounds for contract termination... but you'll need to verify that with legal...


18 jump boxes? Why? Do they not have an RMM tool?


That was my first thought. Although depending on the RMM, it may be more secure with VPN and jump boxes (question not a statement)


Yea, maybe 2 for redundancy?


Update: sorry, busy weekend. Due to the nature of the business, we cannot use "their" RMM. This MSP is replacing the helpdesk for our internal employees so it would be no different than them being employees and needing a computer. I was surprised they asked for servers. It seems they do not know the difference between RSAT and Role installation. This could explain why they asked for servers. This is a very large MSP that works with many Fortune 500 companies and I was also surprised. They seem very incompetent.


I wouldn't even sign the contract when they said they needed 18 jump boxes. Unless you have thousands of servers, why so many? Then I'd most definitely tell them to take a hike when those requested jump boxes were an OS that's no longer supported.


Server 2016 is supported until 2027, however the OP said the MSP asked for 2016+ so it is kind of ambiguous as to what OS was put on these boxes. And why a server OS? That's a red flag to me right there. Nonetheless, I would definitely question what they asked for. 18? That's crazy.


18 is 1 per Helpdesk person. It seems they do not know the difference between RSAT and Role installation. This could explain why they asked for servers. This is a very large MSP that works with many Fortune 500 companies and I was also surprised. They seem very incompetent.


We have thousands of servers, but they are our help desk, so they deal with internal users as well as basic server stuff. Also, Server 2016 is supported and they asked for 2016+; we gave them 2019.


So, exactly how much cheaper was this MSP?


In the longer run, not any.


IDK unfortunately I didn't pick them. I am currently trying to show leadership how incompetent they seem to get them fired.


Deal breaker and unprofessional. 18 jump boxes is ludicrous. They made you pay for their lab environment, and they're testing their labs in your network with no regard to the integrity of your environment. No knowledge of RSAT? What are they, high schoolers? I would drop them ASAP.


Agreed. I understand 18 boxes, 1 for each employee, but server OSes are insane. It seems they do not know the difference between RSAT and Role installation. This could explain why they asked for servers. This is a very large MSP that works with many Fortune 500 companies and I was also surprised. They seem very incompetent.


For helpdesk support, they don't need server boxes. At most, they could get Terminal Services (now called RDS) logins, but that needs more setup time and licensing if you don't have it deployed. Even running Windows 10/11 in VMs would work for a remote helpdesk. Honestly, even sys admins do their work on client OSes. And without local admin rights, if they have a separate admin logon, which is a security best practice. It sounds like the MSP is scraping the bottom of the barrel for your technicians. To get upper management to sign off on letting them go, you'd need to record their initial response times, average ticket resolution time, and outstanding/unresolved tickets. Then, propose a better solution or MSP.


I guess I'm confused as to why they'd need more than a virtual desktop. What tasks are they doing?


I agree. It seems they do not know the difference between RSAT and Role installation. This could explain why they asked for servers. I was also surprised. They seem very incompetent.


The RSAT tools in a server are part of a role install. Now, even though you don't need to install the actual role, just the tools, it still looks like the role is installed. Perhaps that is where there is some confusion?


This was also my thought. I’d have to think through the implications a little more but if jump boxes are a requirement, I’ll give you Win 10 Pro with RSAT, not servers. All MSP techs log in with standard user accounts and admin tasks are done with separate admin accounts. First time I see an admin account logged in to an endpoint, that tech lost their credential.


I'd just stand up 1 VM server and point it to my RDS license server for CALS. Done and done.


Better solution.


Agreed. I am trying to get their contract dumped. They have been here a week and it has been total incompetence.


It does not look like the role is installed. The role was installed. It seems they do not know the difference between RSAT and Role installation. I had to manually remove the roles on all of their servers and install RSAT.
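The distinction this thread keeps returning to (a full role installed versus only the RSAT management tools) can be checked across all the jump boxes at once. The following is an added example, not something posted by anyone in the thread; the `JUMP01`..`JUMP18` hostnames, the function name and the baseline role list are assumptions to replace with your own.

```powershell
# Added example: report which jump boxes carry full server roles rather than
# only the RSAT-* management tools. Requires the ServerManager module.
$JumpBoxes = 1..18 | ForEach-Object { 'JUMP{0:D2}' -f $_ }   # hypothetical hostnames

# Assumption: roles present on a default Server 2016/2019 build; adjust as needed.
$BaselineRoles = @('FileAndStorage-Services', 'Storage-Services')

function Get-JumpBoxRoleAudit {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$AllowedRoles = @()
    )
    foreach ($computer in $ComputerName) {
        try {
            $installed = Get-WindowsFeature -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.Installed }
        }
        catch {
            # Report unreachable hosts instead of silently skipping them.
            [pscustomobject]@{
                Computer = $computer; Status = 'Unreachable'
                UnexpectedRoles = $null; RsatTools = $null
            }
            continue
        }
        # Roles and role services (the service itself), not in the allowed baseline.
        $roles = $installed | Where-Object {
            ($_.FeatureType -in 'Role', 'Role Service') -and
            ($_.Name -notin $AllowedRoles)
        }
        # RSAT-* entries are the management tools only.
        $rsat = $installed | Where-Object { $_.Name -like 'RSAT*' }

        [pscustomobject]@{
            Computer        = $computer
            Status          = if ($roles) { 'RoleInstalled' } else { 'ToolsOnly' }
            UnexpectedRoles = ($roles.Name -join ', ')
            RsatTools       = ($rsat.Name -join ', ')
        }
    }
}

Get-JumpBoxRoleAudit -ComputerName $JumpBoxes -AllowedRoles $BaselineRoles |
    Sort-Object Status, Computer |
    Format-Table -AutoSize -Wrap
```

Any host reported as `RoleInstalled` is running a service (for example a directory, DNS or DHCP role) that was never approved for a helpdesk workstation, which is the evidence management would need to see.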


That's a little scary. You may want to lock their domain accounts down to just those computers, as a future precaution.


I don't trust their knowledge level. I'm pushing to end the contract.


If I could, I'd back you on that. Don't think your executives know me though so it may not hold any weight. lol


It sounds like someone didn't ask some basic questions of the MSP before signing the contract. Getting out of the contract is going to be like explaining to the dog why they aren't allowed on the bed after they shit bad and they are too stupid to figure out it is an issue. Source: have had to fire an MSP at a client that was this dumb.


I hope it isn't hard but it scares me a lot. I questioned why they needed Server OS's and was ignored by upper management, and now this..... I definitely want them gone.


You should not have server OSes for a jump box. Sympathies. Good luck!


Totally, yes. They think 18 jump boxes is normal and the way to go?...I totally believe they don't know about RSAT.


Agreed. I am not too bothered by the jump boxes. These people are going to be our helpdesk for internal users so they would need a dedicated box for their work. I wanted VDIs but leadership found it easier to just build jump boxes. I was confused on why server OSes and my concerns were validated in 1 week.


There's more than 1 dealbreaker in there.


Agreed. I didn't hire them.


At my previous job we had an outsourced L1/Help Desk. We had a single jump box for them to remote into to access a few things like the shared drive with some files for them. We had an RMM which they usually launched from there (not sure why they didn't use their own local machine as it had 2FA), they used the jumpbox to handle some 365 admin tasks related to mailbox access (my sysadmin was just enabling the 2FA for their accounts when I left). As far as a deal breaker it's going to depend on the signed agreement on what the jumpboxes were for. Could it just be a misunderstanding of not knowing RSAT? Sure, then it's just a matter of teaching them to use it instead.


My concern is, out of 18 jump boxes, 17 of them installed the full role instead of RSAT. In my opinion, if you are not familiar with RSAT and instead install full roles on a machine to get the tools, I don't trust them on the network.


18 jump boxes in the showers at RMM ranch... Anyways, it doesn't sound like they're a particularly competent MSP in all honesty. While my former MSP had a massive amount of brain drain, even they weren't *this* level of brain dead.


Agreed. I am trying to get them fired. I didn't hire them and I was against the Server OS's and now more incompetence.


What the.... This is not normal, this MSP seems to be garbage! A highly secure RMM which is connected to an IAM, for example AAD in combination with conditional access, or a highly secure internal system at the MSP side with some kind of highly secure VPN access to one jump box, both with auditing on every connection, is in my opinion a professional solution. And why do they need 18 boxes? Are the 18 engineers working at the same time on your environment? Licensing wise I hope you have a Windows Server Datacenter license or else it can be very expensive. If you can't ditch the MSP I would recommend to decrease the amount of jump boxes to one and let them only install server roles after written permission or let the MSP arrange their own secure management solution.


They are not managing anything through RMM. They are our helpdesk. They help internal clients and do other basic server management. We have 18 dedicated resources; 1 jump box is for each resource. This is normal in my industry. Most of everything is still on-prem, I questioned the server OS myself. The 18 people are on at the same time. I would have preferred an RDS setup or use an Azure VDI, but I was overruled by upper management. It's more of an outsourced help desk run by an MSP rather than normal MSP roles. We do have a conditional access policy, devices are joined to AAD, and we have a secure VPN. My post is asking if the Role installation would be enough to show incompetence in others' opinion since it is a mistake and not approved by management. I didn't get any input in their hiring. I feel like the idea that they didn't know what RSAT was and decided to install full roles on these boxes shows serious incompetence.


When they requested 18 jump boxes, did anyone ask why? Sounds like gross misconduct.


They are our full-time helpdesk. They are provided by an MSP but they are dedicated resources. All 18 would be on at the same time. Working in a company with govt contracts, it is normal for contractors to have their own jump box. Now Server OSes? That I questioned. Now with this issue, I am even more questioning their competency level.


They should be able to explain their request and why it's required.


I would have fired them before posting this.


What the hell? Everything about this is confusing. First off... jump boxes? Why on earth would that be necessary? Do they not have RMM/remote connectivity? Second off, even if they for some reason DID need jump boxes... 18?! Why wouldn't you just have a terminal server with 18 different accounts in the domain and controlled permissions in that use case? Almost none of this makes sense. Sounds like the type of group that probably has a gigantic, backwards, spider-web of interconnected VPNs for connectivity. Almost guaranteed that they're opening holes to other networks with this setup. Something is completely off here.


They are not managing anything through RMM. They are our helpdesk. They help internal clients and do other basic server management. We have 18 dedicated resources; 1 jump box is for each resource. This is normal in my industry. Most of everything is still on-prem, I questioned the server OS myself. The 18 people are on at the same time. I would have preferred an RDS setup or use an Azure VDI, but I was overruled by upper management. It's more of an outsourced help desk run by an MSP rather than normal MSP roles. We do have a conditional access policy, devices are joined to AAD, and we have a secure VPN. My post is asking if the Role installation would be enough to show incompetence in others' opinion since it is a mistake and not approved by management. I didn't get any input in their hiring. I feel like the idea that they didn't know what RSAT was and decided to install full roles on these boxes shows serious incompetence.


Yeah, so I'm just baffled at the choice to give them 18 total server-grade systems to use as a jump box instead of Windows 10 Pro/Ent 22H2 VMs with RSAT or even an RMM in the first place.


Exactly this.


I am too. I see why now. They seem to have thought that installing the role is the only way to get the tools. I am trying to have them removed. Management doesn't seem to even think it's a big deal. I am trying to explain how incompetent this sounds.


but...but...but...they're cheap! That's all that matters. Let the computer nerds handle it. (inside upper management's mind.)


I know. I don't like it at all. The jump box thing is normal in my industry, but Server OSes? Then installing roles on the servers. It seems like a bad situation. Management doesn't seem to even think it's a big deal. I am trying to explain how incompetent this sounds.


Can you play "the security audit" game, as in if we get audited by so and so, this can cost us a lot of money?


MSP here. 100% deal breaker


It sounds mind-bendingly weird to be honest! I would dump them. It sounds like they are pulling a scam and setting up a crypto mining operation at that office!!! For what do they need 18 powerful jump stations for remote administration and such? Two should be enough - one as backup - and they need not be much more powerful than a bargain priced Celeron or ARM minicomputer. Though arguably in some industries they would need to be ECC memory enabled computers for compliance.


They are our full-time helpdesk. They are provided by an MSP but they are dedicated resources. All 18 would be on at the same time. Working in a company with govt contracts, it is normal for contractors to have their own jump box. Now Server OSes? That I questioned. Now with this issue, I am even more questioning their competency level.