WordPress security is important to think about. When you install wordpress on your site, it comes with a built-in firewall that helps protect against malicious attacks, but usually, that’s not enough so you’d probably install a tool such as our Shield Security Free or Pro plugin. However, any unused themes or plugins will make your wordpress vulnerable. This blog post is going to go over 10 different ways to clean up and secure your wordpress site!
10 Tips and Tricks to Reduce Overload and Secure Your WordPress Website:
Delete any unused themes or plugins from your wordpress site in order to clean it up and reduce vulnerabilities from attacks on your site’s security.
Deactivate all unused themes and plugins instead of just deleting them so they’re still available if you ever need them again.
Remove spam comments that are clogging up your site and taking up valuable server space.
If you have any inactive users, delete their accounts to clean up your wordpress site.
Review the wordpress security settings on your website and make sure they’re as tight as possible.
Update wordpress, themes, and plugins regularly so that you’re using the latest versions which come with security enhancements.
Use a caching plugin to help speed up your website – this will not only improve user experience but also SEO performance.
Minimize the use of third-party scripts (such as social media sharing buttons) on your wordpress site as these can slow it down and make it more vulnerable to hacking.
Optimize your wordpress site for web performance by compressing images, minifying CSS and JavaScript files, enabling browser caching, etc. so that your website loads faster which is great for SEO purposes – install a wordpress backup plugin such as BackWPup (all plans) or VaultPress (paid plan).
It’s also important to review wordpress setup and make sure there isn’t any room for improvement
There’s a lot in this list, we know. That’s why we’ve included a checklist in our Free or Pro version with links to the settings you need to have for securing your site and applying most of the optimization listed above.
If you’re an admin of an account, then you should probably stop using admin as your username. It turns out that this is one of 3 big security mistakes that users make when it comes to WordPress security. In today’s post, we’ll go over why admin usernames are not a good idea and the best practices for choosing a new username in order to keep your site safe from hackers!
Why is choosing the admin username bad for my WordPress website’s security?
If you are the admin of an account, then you might think that using admin as your username is a great idea. However, this isn’t exactly true! When it comes to security on WordPress websites and choosing usernames for admin accounts, there are quite a few things that can go wrong if you use admin as your username.
The first reason why having the admin username is bad for security purposes has to do with brute force attacks. Brute force attacks are when hackers try different combinations in order to gain access to passwords or private information about users on any given website. Because so many people choose admin as their password due to its simple structure (admin), these kinds of hacker attacks tend to be very successful because they essentially have everything they need to gain access to a site right from the start.
In addition to being vulnerable to brute force attacks, admin usernames are also very susceptible to social engineering scams. Social engineering scams are when hackers try to get unsuspecting users to give away personal information like passwords or log-in credentials by posing as someone that the user trusts. For example, if you receive an email from your bank asking for updated login information, and you’re not sure whether the email is legitimate or not, it’s best to call customer service and ask them about the message before taking any further action.
Since admin is such an easily guessed username, it makes it much easier for scammers to try and scam people into giving away their personal log-in details. So, if you’re using admin as your username, it’s not only bad for security reasons but also makes you more susceptible to scams.
Tips For Choosing A Secure Username
If you want to be extra careful with how you choose usernames moving forward, there are two things that we would recommend doing. The first thing is to check if any other accounts have been made on your website or blog with similar names (e.g., administrator, support, helpdesk ). If you find any, change them to something more unique, like a special term, a department name, a person’s name. That way, even if someone tries to hack into your account, they’ll be met with a login error.
The second thing you can do is use a password manager to create and store strong passwords for all of your accounts (including admin ). This will help make sure that no one ever gains access to your site by guessing or cracking your password. If you’re not familiar with password managers, I’d recommend checking out LastPass or Dashlane. They both offer free and paid versions, so you can choose the one that’s best for you.
What are some safer alternatives to using admin as my WordPress website username?
If you’re looking for a more secure alternative to the admin username, then there are quite a few options that you can choose from. Here are some of our favorites:
– Username: YourFirstName + YourLastName – This is a great option because it’s unique and easy to remember.
– Username: CompanyName_UserName – This is another good option if you want to use your company name as your login credentials.
– Username: Password123! – This might not be the most secure option, but it’s definitely better than using admin as your username.
– Username: randomword123 – This is a good option if you want to create a unique username that isn’t easily guessed by hackers.
Whatever username you choose, be sure to make it something that you can remember and that isn’t easily guessed by hackers. And, most importantly, never use admin as your login credentials! Choosing a more secure alternative will help keep your WordPress website safe from unwanted intrusions.
The holidays are a time for sharing, giving, and family. However, cybersecurity experts warn that cybercriminals also take advantage of this special time to spread malicious software or steal credit card information. In order to reduce the risk of becoming a victim during the holiday season, we’ve compiled cybersecurity tips you can follow to stay safe online.
P.S. This is not just any blog post on cybersecurity; it’s our top 10 list!
Tip #1: Be Cautious of Phishing Emails
One of the most common ways cyber criminals attempt to steal your personal information is by sending phishing emails. These emails often look like they’re from a legitimate company or organization, but in reality, they’re from cybercriminals trying to trick you into giving up your personal information. To protect yourself, be cautious of any email that asks for sensitive information such as your credit card number or password, and never click on links or open attachments in suspicious emails.
Tip #2: Use Strong Passwords
Another way cybercriminals can gain access to your personal information is by stealing your passwords. In order to protect yourself, use strong passwords that are difficult to guess. You can create strong passwords by using a combination of letters, numbers, and symbols. Also, be sure to never use the same password for multiple accounts.
Tip #3: Keep Your Devices Protected
One of the best ways to protect your devices from cybercriminals is by keeping them protected with antivirus software. Antivirus software can help protect your devices from malware and other types of malicious software. In addition, it’s important to keep your operating system and applications up-to-date as this can also help protect you from cybersecurity threats.
Tip #4: Be Cautious When Using Public Wi-Fi Networks
Public Wi-Fi networks are a convenient way to stay connected when you’re out and about, but they can also be a hotspot for cybercriminals. These networks are often unsecured, which means your data is vulnerable to being stolen by hackers. To protect yourself when using public Wi-Fi networks, make sure you use a VPN and be careful not to enter any sensitive information such as your credit card number or passwords.
Tip #5: Avoid Shopping Online on Unsecured Websites
When shopping online, it’s important to only visit websites that are secure. Secure websites have a web address that starts with “HTTPS” instead of “HTTP” and they will usually have a lock symbol next to their web address. Cybercriminals often create fraudulent websites that look identical to secure websites in order to trick you into entering your personal information. When shopping online, always make sure the website is secure before entering any sensitive information.
Tip #6: Use a Password Manager App
Using strong passwords can be difficult when trying to remember them all. To help protect yourself, use password manager apps that are designed for this purpose. These apps create complex and unique passwords for every account on your devices so you don’t have to worry about it! Plus they automatically log you in with these saved passwords whenever needed, making it even easier too!
Tip #7: Turn On Two-Factor Authentication Whenever Possible
Two-factor authentication provides an extra layer of security by requiring two different forms of authentication before you can log in to your account. This could be something as simple as a code sent to your phone or a one-time password that is generated by an app. By turning on two-factor authentication, you can help protect yourself from cybercriminals who may try to steal your login credentials.
Tip #8: Check Your Credit Report Regularly
One way to help protect yourself from identity theft is by checking your credit report regularly. You can get a free copy of your credit report once a year from each of the three major credit reporting agencies. Checking your credit report can help you identify any suspicious activity and take action if necessary.
Tip #9: Be Wary of Social Media Scams
Social media scams are a common way for cybercriminals to steal your personal information. These scams often involve fake posts or messages from friends asking you to click on links or download files. Always be wary of any posts or messages that seem suspicious and never click on any links or download any files without verifying the source first.
Tip #10: Back Up Your Data
One of the best ways to protect your data from being lost or stolen is by backing it up regularly. By backing up your data, you can ensure that if your device is ever lost or stolen, you will still have a copy of all your important files. There are many different ways to back up your data, so find one that works best for you and stick with it!
These are just a few of the many cybersecurity tips that you can use to help protect yourself during the holiday season. Even though there are real risks out there, we wish you all the best during this festive time! Stay safe and enjoy your time with family and friends! 🙂
DNS tunneling is a technique that encodes data of other programs and protocols in DNS queries, including data payloads that can be used to control a remote server and applications. Because of this, DNS tunneling – and DNS exfiltration associated with it by threat actors – is of great concern to many IT and SecOps teams. Fortunately, new developments in the Cisco Umbrella DNS cache system allow for faster and more reliable detection of DNS tunneling and exfiltration events.
How Does DNS Tunneling Work?
DNS tunneling revolves around the transfer of data. So, if we have:
Input Data data – Name: Alice, Age: 25, SSN: 123-45-678
Using DNS exfiltration, we can encode and send this data placed in several subdomains of the domain under our control as a single entry:
Or, we can use multiple entries using multiple queries to large numbers of domains:
jzqw2.zj2if.my.tunnel.com
wgsy3.ffraw.my.tunnel.com
ozj2g.i2syu.my.tunnel.com
2tjy5.dcmrt.my.tunnel.com
Users can abuse this technique – as seen in Fig. 1 below – by installing a free DNS tunneling tool to bypass IT policies and/or monitoring. They can also use this technique to bypass network authorization to obtain free internet access in hotels and airports.
Fig. 1
Attackers can use outbound DNS requests to send encoded exfiltrated data to their infrastructure – as seen in Fig. 2 below – or use DNS responses to send commands to compromised systems and manage infected devices remotely.
Fig. 2
Improvements to DNS Tunneling Realtime Detection
Today, we’re thrilled to announce that organizations have a powerful new ally to protect against data exfiltration and unauthorized DNS tunnels in their networks. Cisco Umbrella has developed a new proprietary cache within our DNS resolvers to work alongside our machine learning modules. Our newest machine learning module is tuned to detect data exfiltration and DNS tunneling events.
This new module monitors DNS traffic for behavioral patterns and traffic exfiltrating data, efficiently building enough information to detect and block data exfiltration. And, in the event circumstances and domain reputations change, this module will correct itself and let traffic through.
We made this update because, over the past couple of years, we’ve seen organizations more productive and more connected amidst the new reality of working digitally during the pandemic. The explosion of logins and bandwidth, though, has at times come with reductions in digital security. Data exfiltration has become a new reality, and one hole attackers punch is in the DNS.
Powering Improvements With a Revolutionary DNS Cache
The technology stack powering Cisco Umbrella’s DNS resolvers handles blistering loads of DNS traffic from ISPs, global organizations, municipalities, schools, and homes. Building on this, we’ve hacked the heart of the DNS resolver – the cache. And while we dig into the details of this new functionality in our DNS tunneling solution brief, we also want to provide you with an overview here.
The cache of a DNS resolver enables serving the swell of global traffic without fault, outage, and ease. It also insulates the backbone of the internet from being overwhelmed with identical queries. Caches store data locally so that it can be served quicker.
Tunneling Cache
The tunneling cache enables us to glue together a sequence of queries that are otherwise distinct atomic events. With proprietary key and data fields, we seamlessly incorporate rapid cache updates unbeknownst to web surfers. We maintain lightning speed throughout by merging incoming data fields using tricks found in probabilistic algorithms. Gluing together each individual’s DNS queries provides access to a rich amount of information, otherwise hidden. Organizations can now get personalized DNS tunneling monitoring, detection, and enforcement in real time.
Encryption Payloads
We pair the new DNS cache with a lexical engine highly trained at identifying encrypted messages. Our researchers dug into various encryption protocols and created a stateful algorithm capable of churning through every character transition in a domain name and identifying encryption payloads with high fidelity.
Take DNS-Layer Security to the Next Level
Cisco Umbrella analyzes internet activity to uncover known and emergent threats in order to protect users anywhere they go. Together, these capabilities power Umbrella to predict and prevent DNS tunneling attacks before they happen. Enabling this security category reduces the risk of DNS tunneling and potential data loss. Organizations can choose to block users from using DNS tunneling VPN services, or they can monitor the results in reports, providing flexibility to determine what is suitable given their risk tolerance.
Address your DNS blind spot by enforcing security over port 53 both on and off the corporate network. Request a personalized demo of Cisco Umbrella today to explore how this exciting new feature can help protect your enterprise.
Last year threw a lot at cybersecurity teams, from the emergence of several high-profile cyberattacks to the revelation of widespread vulnerabilities. As we all move into 2022, odds are your team is re-thinking your cybersecurity strategy to help make your organization more resilient and flexible. This should involve an evaluation of your cybersecurity solutions, as they impact the implementation and effectiveness of any strategies your team creates.
In our ebook 7 ways to strengthen your security in 2022 and beyond, we discuss the different ways you can amplify and extend your cybersecurity stack this year using Cisco Umbrella. But if you’re looking for some tips to get you started, here are three things to keep in mind as you plot out your cybersecurity strategy:
1. Make Sure Your Cybersecurity Solutions Don’t Impact Network Speeds
The use of internet resources and cloud services was on the rise before the COVID-19 pandemic. Now that employees have spread out – collaborating with coworkers and performing business-critical tasks from anywhere they have internet access – cloud-based tools have become more critical than ever.
This means that an effective cybersecurity strategy needs to balance the implementation of strong protections against the need for minimal latency on the company network. From a business perspective, cyber safety can’t come at the expense of speed.
In order to maintain this balance, take a look at your cybersecurity solutions and evaluate the following:
Routing Algorithms – Frequently, having fast and secure internet access comes down to a cybersecurity vendor’s data center network and routing algorithms. Make sure your cybersecurity solutions come backed by a robust global data center network and transparent routing protocols with automated failover to the fastest available servers. This minimizes latency, regardless of where users on your network are located.
Peering Relationships – Peering relationships allow cybersecurity vendors to minimize latency without compromising on security. As you reevaluate your cybersecurity strategy in the coming year, make sure your vendors have peering relationships with large cloud service providers your organization relies on. This allows employees to easily access the tools they need without introducing added latency.
Keeping network speeds in mind while you refine your cybersecurity strategy for the upcoming year can improve employee satisfaction, affect executive buy-in, and have an impact on your organization’s bottom line.
2. Strengthen Cybersecurity Infrastructure to Reduce Disruptions
Last year, we all experienced more than our fair share of network disruptions, outages, and downtime. Several of these events were impactful enough to make it into the news cycle. And while an outage isn’t the same thing as a cyberattack, your cybersecurity strategy should include finding solutions that are designed to reduce downtime instead of causing it.
Take some time to review the track record of your vendors. For example, do they have a proven record of resiliency and uptime? Better yet, can they handle infrastructure disruptions without passing those disruptions onto your users? For example, the unique DNS logging features included in Cisco Umbrella DNS-layer security can be used during certain events – like the 2021 Akamai outage – to keep users connected to business-critical cloud tools despite provider outages.
3. Make Sure Your Cybersecurity Strategy Includes Guest WiFi Considerations
Between the move to a hybrid work model and the gradual reopening of public spaces, odds are you’ll find more employees and clients using your guest WiFi in the coming year. So, it’s essential to make sure that both your private and guest WiFi networks have the speed users desire and the protection you need.
Does your suite of cybersecurity solutions provide your team with the ability to filter content and enforce security protocols over your guest WiFi network? Does your security stack allow you to maintain a single IP address for your entire enterprise, streamlining the management of guest WiFi security policies? Finally, can your cybersecurity solutions handle the uptick in user traffic that guest WiFi causes without increasing latency? If the answer to any of these questions is “no,” it may be time to think about adjusting your security stack.
Looking for More Ways to Strengthen Your Cybersecurity Strategy?
Outlook for Microsoft 365 Outlook for Microsoft 365 for Mac Microsoft 365 for home More…
Most email apps like Outlook are able to automatically configure email server settings. If you need server settings or help finding your server settings, click on one of the links below:
If you’re connecting to an Exchange mailbox and not using Microsoft 365 email, or if you aren’t sure if you’re using Microsoft 365 email, do the following to look up your settings:
In Outlook Web App, on the toolbar, select Settings > Mail > POP and IMAP.
The POP3, IMAP4, and SMTP server name and other settings you may need to enter are listed on the POP and IMAP settings page.
What server settings do I need from my email provider?
To help you get the info you need, we’ve put together a handy chart of the email server settings you should ask for. You will most likely have to set up your email as an IMAP or POP account as well. What are POP and IMAP? Check with your provider if you’re not sure which to use.
Note: When you use an IMAP or POP account, only your email will sync to your device. Any calendar or contacts associated with that account will be stored only on your local computer.
Follow these instructions to get your email settings:
Print out this page and keep it within reach.
Call your email provider and ask them about the settings in the chart below.
Write down the corresponding email server settings in the empty column.
Return to your email app and enter the information to complete your email setup.
Note: You may only need some of the settings on this list. Find out from your email provider what you will need to access your email on your mobile device.
General Email Settings
Setting
Description
Write Your Setting Here
Example
Email Address
The email address you want to set up.
yourname@contoso.com
Password
The password associated with your email account.
——–
Display Name
The name you want your email recipients to see.
Mike Rosoft
Description
Add a description of your email account.
Personal, work, etc.
Incoming Mail Server Settings
These settings are for sending email to your email provider’s mail server.
Setting
Description
Write Your Setting Here
Example
Host Name
Your incoming mail server name.
outlook.office365.com
Username
The email address you want to set up.
yourname@contoso.com
Port
The port number your incoming mail server uses.
Most use 143 or 993 for IMAP, or 110 or 995 for POP.
Server or Domain
This is your email provider.
yourprovider.com, gmail.com, etc.
SSL?
Is your email encrypted using SSL?(SSL is enabled by default in the Outlook mobile app)
SSL Enabled
Outgoing Mail Server Settings (SMTP)
These settings are for sending email to your email provider’s mail server.
Setting
Description
Write Your Setting Here
Example
SMTP Host Name
Outgoing mail server name. Most often smtp.yourprovider.com
smtp.office365.com
SMTP Username
The email address you want to set up.
yourname@contoso.com
SMTP Password
The password associated with your email account.
——–
SSL?
Is your email encrypted using SSL?(SSL is enabled by default in the Outlook mobile app)
If you have a work or school account that uses Microsoft 365 for business or Exchange-based accounts, talk to your Microsoft 365 admin or technical support.
If you value your security and privacy, then a VPN is an absolute necessity. A VPN, or virtual private network, stops others (even your internet service provider) from snooping on your online activity by routing all your internet traffic through a secure, encrypted tunnel. VPNs work especially well for guaranteeing that you’re protected even when using unsecured public Wi-Fi networks, too.
And nowadays, with all of us using our mobile devices more than ever before to get online, it is essential that our cell phones are equipped with a VPN so we can be fully protected on the go.
How can I set up a VPN on my iPhone?
There are two ways to accomplish this. The first method — and the one that will be most suitable for the majority of people — is to choose a VPN provider and then download and install its app from the Apple App Store. In general, the process will be super easy and the installer will guide you through any settings that you may need to configure.
Take VPN Proxy One Pro for example. The setup process simply couldn’t be any easier. Within minutes of downloading the app from the App Store (click here to do this, by the way), your iPhone will be protected by world-leading encryption and you’ll be free to connect to the internet safely, even on public Wi-Fi networks.
The second method, which is outlined below, is only recommended for those who are a little more tech-savvy. This option is perfect for people who want more control over their VPN experience and don’t mind putting in the extra time and effort to get it. This method allows you to choose which protocol you use as well as customize other settings, but it does require some additional knowledge.
But before we explain the second method, we need to quickly talk about VPN protocols…
What are the VPN protocols natively supported by iOS?
Before you can manually set up a VPN on your iPhone, you’ll need to select which VPN protocol you wish to use. Here are the ones that natively work with iOS:
L2TP
L2TP (Layer 2 Tunneling Protocol) is a type of tunneling protocol. Because L2TP does not offer any encryption on its own, it is normally paired with IPSec (see below). The two technologies form an excellent partnership and together provide great security. It is not as fast as some other options, however.
IKEv2
Just like L2TP, IKEv2 (Internet Key Exchange version 2) also doesn’t offer any encryption of its own, so must also be paired with IPSec. It is faster than L2TP and works particularly well with mobile devices because it can easily move between connection types (Wi-Fi to a cellular network, for example). Although it was jointly developed by Microsoft and Cisco, it is still natively supported by iOS.
IPSec
IPSec (Internet Protocol Security) is also natively supported by iOS and can be used on its own as a VPN protocol.
How to manually set up a VPN on iPhone
Once you’ve decided on which protocol to use, to manually configure a VPN on iOS, go to Settings > General > VPN > Add VPN Configuration > Type. From here, you can select either IKEv2, IPSec, or L2TP (which actually comes with IPSec, even though it isn’t made clear).
After selecting the VPN protocol type, you will need to fill out the other details. Most of the additional information should be available on the VPN provider’s website, either in your account settings or in the online documentation, but if you are unsure of where to find anything, it is best to contact them directly.
Once you’ve filled in all the required information, click Done in the right-hand corner and you’re good to go!
Stay connected, stay secure
If you, like most of us, rely on your mobile device to stay connected, then the value that a VPN offers simply cannot be understated. With everyone using their mobile devices for so much these days — email, social media, online shopping, etc. —when it comes to protecting our sensitive data and safeguarding our privacy, VPNs are effectively essential.
Regardless of how you go about setting up your VPN on your iPhone — whether you choose to just quickly download and install the app or configure each of the settings individually, VPN Proxy One Pro is a truly excellent choice. Click the button below to read more about it.
Blue and White status LEDs apply to all our UniFi access points, routers, switches and the UDM (base model) with the exception of the legacy devices: UAP, UAP-LR, UAP-Outdoor5.
Legacy UAPs have Amber and Green LED on the front of the unit. See this section for legacy AP LED patterns.
The animations are for illustrative purposes – the speed of the flashing or strobing patterns below might differ slightly with that of the device.
While the LED patterns below are shown for Access Points, the rest of the UniFi device LED patterns have the same meaning.
Flashing White / Off every 1/2s
The device is initializing and booting up
Steady White
The device is awaiting Adoption
Slow flashing Blue (UDM only)
A client device is connected to the UDM via Bluetooth
Steady Blue
The device is adopted and is in normal operating mode
The device firmware is currently being upgraded – do not interrupt the process!
(UDM will flash only white during an upgrade)
Blue and flashing Off every 5s
Access Point has lost network connectivity and is searching for wireless uplink
Rapid flashing Blue / Off
The device “Locate” feature was activated in the UniFi Network application
Flashing White-Blue-Off
The device is in TFTP mode.
To enable this mode:
Hold the reset button before applying power
Continue to hold the reset button until this LED sequence appears
If this wasn’t intentional, please check if the device’s reset button isn’t jammed (it should click when pushed).
LED Off
The device is offline.
Verify the Power, POE, and Ethernet cables to troubleshoot.
UniFi Bridge to Bridge (UBB)
Aside from the statuses described above, the UBB has two additional ones:
Red with Circulating Blue LED
The 60 GHz link cannot be established or has dropped due to bad weather. If the UBB fails over to 5 GHz, the LED will remain red. When the 60 GHz link is re-established, the LED will turn blue or the custom color you selected in the UniFi Network application.
Note: If the other bridge device is within range and the UBB LED is red, we recommend adjusting the UBB’s position to enhance the signal strength.
Green
If the Alignment Tool enabled in the UniFi Network application, a green LED means the UBB devices are properly aligned.
Note: If the other bridge device is within range and the UBB LED is green and red, we recommend adjusting the UBB’s position until the LED is green.
Legacy Amber and Green LED patterns
Applies to: UAP, UAP-LR, UAP-Outdoor5.
Flashing Amber / Off every 1/2s: The AP is initializing and booting up
Steady Amber: The AP is awaiting adoption
Steady Green: The AP is adopted and is in normal operating mode (AP is broadcasting SSIDs)
Strobing Amber / Off: If this happens, power cycle the AP and reach out to our support team if it doesn’t change the LED pattern
Quickly flashing Amber / Green: The AP firmware is currently being upgraded – do not interrupt the process!
Green and flashing Off every 5s: AP has lost network connectivity and is searching for wireless uplink
Rapid flashing Green / Off: The device “Locate” feature was activated in the UniFi Network application
Flashing Amber-Green-Off: The device is in TFTP mode. To enable this mode, hold the reset button before applying the power and continue to hold it until this LED sequence appears. If this wasn’t intentional, please check if the device’s reset button isn’t jammed (it should click when pushed).
LED Off: The device is offline. Verify the Power, PoE, and Ethernet cables to troubleshoot.
LED patterns for ports
The ports of UniFi Security Gateways and UniFi Switches have a different type, number, and location.
Please make sure to reference your specific device model’s Quick Start Guide (QSG) for the exact location and description of its ports.
Console Port’s right LED (in the applicable devices):
LED Off: Power Off
LED Green: Power On
Speed/Link/Act (right LED ports other than Console):
LED Off: No Link
LED Amber: Link Established at 10/100 Mbps
LED Flashing Amber: Link Activity at 10/100 Mbps
LED Green: Link Established at 1000 Mbps
LED Flashing Green: Link Activity at 1000 Mbps
PoE (left LED on ports of applicable devices):
LED Off: No PoE
LED Amber: IEEE 802.3af/802.3at
LED Green: 24V Passive
SFP (in the applicable devices):
LED Off: No Link
LED Green: Link Established at 1 Gbps
LED Flashing Green: Link activity at 1 Gbps
See specific port LED information in the Hardware Overview section (between pages 5 and 6) of the Quick Start Guides (QSG). You can find the QSGs in the Documentation section of our UniFi Downloads page, by searching for the device in question in the left hand menu.
LED patterns for PoE Adapters
LED is Off: PoE is Off.
LED is On and steady: PoE is functioning as it should.
LED is blinking: this is not a configured state, this may indicate that the device is not connected properly, or that something is wrong with the cable.
How to disable device LEDs
The device status LEDs can be disabled for all the site, or only for specific UniFi devices.
To enable/disable status LEDs throughout a site, go to to Settings > Site on the UniFi Network application and edit the LED feature in the Services section.
To configure specific devices individually:
Go to the Devices section and click on the device you wish to edit to bring up the Properties panel
Go to Config > General > LED and switch the Site Settings to On or Off.
This article describes how to access the emergency recovery user interface (UI) and recover a UniFi Cloud Key or a UniFi Cloud Key Gen 2 (UCK-G2-PLUS and UCK-G2 models). From this recovery UI you can reset it to factory defaults, reboot it, power it off and upgrade the firmware.NOTES & REQUIREMENTS:
To upgrade the firmware, you will need to download a firmware file (.bin) for the Cloud Key found in our Downloads page. Use the left hand menu to select the correct Cloud Key model and find the newest firmware available.
To access this interface you will need to know the IP address of the Cloud Key (visible in the device screen).
For second generation Cloud Keys (UCK-G2 and UCK-G2-PLUS) follow these steps to access the Emergency Recovery UI:
Power off the system.
Press and hold the reset button and then power on the Cloud Key by connecting it to the power source.
Cloudkey G2:
CloudKey G2 Plus
Keep the reset button pressed for about 10 seconds, or until you see the recovery LED pattern in a loop (blue – off – white). The LCD screen on the front panel will also read “RECOVERY MODE.”
Once the LED is flashing in the recovery mode pattern, open your browser and type the IP address for the Cloud Key, visible on the device’s screen. The IP address comes from your DHCP server, if you can’t access DHCP, the fallback IP will work: 192.168.1.30. However, keep in mind that if your Cloud Key does have a IP address assigned by the DHCP server, the fallback IP will not work.
You should be taken to the Recovery Mode screen. From here you can reset, reboot, power off and most importantly you can upload an updated firmware bin file.
To update the firmware, go to the Downloads page, find the correct Cloud Key model on the left hand menu and then click on the download button, read and accept information, and then download the firmware file to your computer to upload in the Recovery Mode UI. Once it is uploaded you will have to reboot the Cloud Key to complete the firmware upgrade.
The LED will flash white while upgrading and then a steady white when it is ready.
Cloud Key Gen 1 Emergency Recovery
For first generation Cloud Keys follow these steps to access the Emergency Recovery UI:
Power off the system.
Press and hold the reset button and then power on the Cloud Key by connecting it to the power source.
Keep the reset button pressed for about 10 seconds, or until you see the recovery LED pattern in a loop (blue – off – white).
Once the LED is flashing in the recovery mode pattern, open your browser and type the IP address for the Cloud Key. The IP address comes from your DHCP server, if you can’t access DHCP, the fallback IP will work: 192.168.1.30. However, keep in mind that if your Cloud Key does have a IP address assigned by the DHCP server, the fallback IP will not work. If you are using a Gen 2 Cloud Key you will see its IP address on the device screen.User Tip: If you don’t know your Cloud Key’s IP address, you can use thearp -a SSH command or software such as nmap to find the IP address.
You should be taken to the Recovery Mode screen. From here you can reset, reboot, power off and most importantly you can upload an updated firmware bin file.
To update the firmware, go to the Downloads page, find the correct Cloud Key model on the left hand menu and then click on the download button, read and accept information, and then download the firmware file to your computer to upload in the Recovery Mode UI. Once it is uploaded you will have to reboot the Cloud Key to complete the firmware upgrade.
Once it is uploaded you will have to reboot the Cloud Key to complete the firmware upgrade.
The LED will flash white while upgrading and then a steady white when it is ready.
In this article, we’re going to look at Virtual Private Networks in Azure and how you can use them. As you may know, a Virtual Private Network or VPN is an encrypted tunnel over the Internet or other shared networks, for example, a telco provider network.
VPNs use different technologies to encrypt the traffic, the most common ones are IPSec and OpenVPN SSL.
VPNs can connect branches (“sites”), and/or clients devices to a corporate network. Branch and Site VPN connections are most called Site-to-Site or S2S VPNs and are generally permanently connected. User and Device VPN tunnels are called Point-to-Site or P2S VPNs and are normally initiated by the user or automatically by an application but are disconnected after they’re no longer in use.
In Azure, you can have and use both types of VPNs but depending on the solution of choice it can be a different setup.
Let us first explore the VPN Service and Device Options you have in Azure.
VPN Services and Devices
In Azure there are three different options to build VPNs:
Using Virtual Network Gateways
Using Azure Virtual WAN
Using Network Virtual Appliances
All of them are capable of both Point-to-Site and Site-to-Site connections but they have different infrastructures underneath each of them.
Virtual Network Gateway
Virtual Network Gateways are a classic approach, that many network architects are familiar with. You deploy one VPN Virtual Network Gateway Service within a Virtual Network. That service combines Point-to-Site and Site-to-Site Gateways and can be deployed in different sizes.
Here’s a list of different VPN Gateway SKUs:
VPN Gateway Generation
SKU
S2S/VNet-to-VNet Tunnels
P2S SSTP Connections
P2S IKEv2/OpenVPN Connections
Aggregate Throughput Benchmark
BGP
Zone-redundant
Generation1
Basic
Max. 10
Max. 128
Not Supported
100 Mbps
Not Supported
No
Generation1
VpnGw1
Max. 30*
Max. 128
Max. 250
650 Mbps
Supported
No
Generation1
VpnGw2
Max. 30*
Max. 128
Max. 500
1 Gbps
Supported
No
Generation1
VpnGw3
Max. 30*
Max. 128
Max. 1000
1.25 Gbps
Supported
No
Generation1
VpnGw1AZ
Max. 30*
Max. 128
Max. 250
650 Mbps
Supported
Yes
Generation1
VpnGw2AZ
Max. 30*
Max. 128
Max. 500
1 Gbps
Supported
Yes
Generation1
VpnGw3AZ
Max. 30*
Max. 128
Max. 1000
1.25 Gbps
Supported
Yes
Generation2
VpnGw2
Max. 30*
Max. 128
Max. 500
1.25 Gbps
Supported
No
Generation2
VpnGw3
Max. 30*
Max. 128
Max. 1000
2.5 Gbps
Supported
No
Generation2
VpnGw4
Max. 30*
Max. 128
Max. 5000
5 Gbps
Supported
No
Generation2
VpnGw5
Max. 30*
Max. 128
Max. 10000
10 Gbps
Supported
No
Generation2
VpnGw2AZ
Max. 30*
Max. 128
Max. 500
1.25 Gbps
Supported
Yes
Generation2
VpnGw3AZ
Max. 30*
Max. 128
Max. 1000
2.5 Gbps
Supported
Yes
Generation2
VpnGw4AZ
Max. 30*
Max. 128
Max. 5000
5 Gbps
Supported
Yes
Generation2
VpnGw5AZ
Max. 30*
Max. 128
Max. 10000
10 Gbps
Supported
Yes
As you can see, picking the right size depends on several factors, including the expected number of connected users/sites as well as your aggregate bandwidth internet connections.
Depending on the SKU, gateways are deployed with different sets of features. Normally Virtual Network Gateways are deployed in a pair, in an active/standby configuration without using Availability Zones in Azure. To use Availability Zones, you need to use a SKU with AZ at the end. If you want to switch from one SKU to another, that will require a 45-minute downtime. A switch from non-Availability Zone to Availability Zone will require a complete redeployment of the Virtual Network Gateway, which can take up to 2 hours.
Azure Virtual Network Gateway supports the following encryption standards for Site-to-Site tunnels.
If you want to use Point-to-Site it supports OpenVPN (SSL/TLS-based), Secure Sockets Tunneling Protocol (SSTP) or IKEv2 VPN, more information is available here:
Azure Virtual Network Gateways are a traditional and proven way to deploy VPN solutions Azure, but they are not as flexible as other solutions.
Virtual WAN
In comparison to Azure Virtual Network Gateways, Virtual WAN Gateways work differently. The first major difference is that Virtual WAN makes a distinction between Point-to-Site Gateways and Site-to-Site Gateways. While in Azure Virtual Network Gateways both Gateways are one service, in Virtual WAN you have different Gateways for each use case.
Another major difference is that Azure Virtual WAN Gateways are deployed in scale units. These units can be scaled up and down on-demand, without any service interruption.
Another great feature is, that Virtual WAN Network Gateways are always deployed as highly available as possible. These Gateways are deployed in Virtual Machine Scale Sets and are by default deployed in Availability Zones if the Azure Region supports them. If an Azure Region does not yet support Azure Availability Zones, the Virtual Network Gateways are deployed in Availability Sets and as soon as the region supports Availability Zones, the backend is updated automatically.
Azure Virtual WAN Site-to-Site Gateways supports the following IPSec encryption standards.
You can have up to 200 Scale units supporting 100,000 clients. The payment model for Virtual WAN Point-to-Site Clients is by connected users per minute. So, it’s completely paid as you go per connected user plus the amount of Gateway Scale Units.
With Virtual WAN, there is another very important point, routing between Site-to-Site VPN, Point-to-Site VPN and ExpressRoute Gateways is enabled by default without any additional efforts by the customer. You can get more details via the link below.
Network Virtual Appliances are Virtual Machines running in a classical Virtual Network or Azure Virtual WAN. Those Appliances are third party and are available via the Microsoft Azure Marketplace.
Those appliances are harder to integrate and make highly available. The configuration is completely the responsibility of the customer, but for certain scenarios, they can offer major benefits for customers. One major selling point is if your organization has already standardized on a particular vendor/appliance, using the same one in Azure will ensure consistency and lower the learning curve for your network engineers.
Those appliances are mostly supporting additional features like Quality of Service, special encryption protocols or VPN Client tunnel optimization. For example, Barracuda Networks uses its own VPN Tunnel and encryption protocol TINA between their appliances and devices.
Then there are appliance partners who offer great VPN clients with additional features like filtering, split tunnelling by service or traffic optimization. Examples are Palo Alto Global Protect or FortiGate FortiClient.
Those appliances are much harder to integrate into a classic hub and spoke environment, with Virtual WAN the process of deployment is more automated. If you use those NVAs, you also have additional license costs for the appliances, which must be paid to the OEM.
As already mentioned, feature sets of those Network Virtual Appliances are often much richer than with bare Azure Virtual Network Gateways and Virtual WAN Gateways.
How to Deploy a VPN
Let me guide you on how to deploy a VPN Tunnel with the different service offerings. As the nature of the three solutions is completely different, I will split them up into three separate parts.
Virtual Network Gateway
As there is already a lot of deployment documentation out there, I will not create a new one. Let me just point you to the right resources, so that you can start and deploy according to Microsoft best practices.
As an additional option, you can pick a Network Virtual Appliance, if the Appliance of your choice is available in Virtual WAN. I would encourage you to make use of the more PaaS like the approach of Azure Virtual WAN.
The deployment of VPN Connections with Network Virtual Appliances is pretty diverse and depends on the vendor itself. Before I can point you to some example documentation, start with the documentation on how to deploy NVAs.
This documentation describes how to deploy an NVA in Azure.
You should follow that guide to ensure that the NVA is deployed according to supported standards. As there are a lot of partners out there, please contact the vendor of your choice to get additional guidance.
Palo Alto
The first vendor with very good documentation on the deployment is Palo Alto. You can find their guides below.
Barracuda is not that common among enterprise customers in Europe but offers a great portfolio of features including their own tunnelling protocol. Please find their docs below.
Within the Troubleshooting part, I will only concentrate on the troubleshooting guides for Azure Services, as the troubleshooting on NVA is extremely specific to the vendor.
For Azure Virtual Network Gateways, there are two good troubleshooting guides available in Microsoft’s Documentation.
One focuses on connections to Azure Virtual Network Gateways dropping or being unable to connect.
When looking into Azure Virtual WAN is more difficult, as you may not have access to the Monitoring and Troubleshooting logs. So, if you have the need for deeper troubleshooting, it makes sense to engage with Microsoft Support. In any case, you should have good monitoring in place according to documentation.
Sometimes Customers can confuse Azure VPN with other services available. Most commonly customers confuse Virtual Network Peering and Azure ExpressRoute with VPN Solutions.
Virtual Network Peering
Azure Virtual Network Peering is “only” a peering connection via the Microsoft Global Network between two Virtual Networks in Azure. It uses Software Defined Network technologies to connect the two networks and there is no Virtual Gateway necessary to do so. Virtual Network Peering is only used for interconnecting Virtual Networks within Azure and there is no option to use Virtual Network Peering to connect to the world outside of Microsoft Azure.
To learn more about peering, please visit the documentation below.
Microsoft Azure ExpressRoute is like VPN a connection to networks outside of the Microsoft Global Network. Its build to connect Customer Networks with the Microsoft PaaS Network via Peering or the Customer Private IaaS infrastructure using peering and private gateways.
The difference between Azure ExpressRoute and VPN is the fact that ExpressRoute is not leveraging internet connections or shared networks. With ExpressRoute you get a private end to end connection from your on-premises location to the Microsoft Global Network.
Those connections are more expensive but can offer more bandwidth or better Service Level Agreements, depending on your location and network service provider. ExpressRoute is not always better than VPN, always check your use case and your needs.
To be honest, Network Providers like to sell ExpressRoute due to better margins than with premium Internet connections. If you are interested in more information about that topic, you can visit some other articles here on the DOJO.
As is often the case with Microsoft’s service offerings there are several ways to achieve the same goal, here’s a flowchart I use when talking to customers about this.
That chart should help, at least for the initial discussion and understanding, which solution is best for your situation.
Conclusion
The “right” solution depends on what you want to achieve with your architecture. Often, it’s a decision driven by costs and features. Please also take complexity and maybe newer security requirements and approaches into account.
For example, if you’re searching for RADIUS integration, and the only solution might be costly, maybe it’s better to reconsider the requirement and check if you can achieve the same security requirements with Azure Active Directory Authentication instead.
> Mail > POP and IMAP.
