Posts Tagged ‘sysadmin’

Talking to your IT admins

21 June 2008 – 16:02 CDT

Looking for thoughts/ideas on how to talk to an IT admin. Started a job a few weeks ago where basically everything outbound except http and https are blocked. This means that ssh tunneling does not work. The traffic is packet inspected by the firewall and the http proxy requires authentication, so just moving ssh to port 443 doesn’t work either. The web traffic is filtered, so many things are blocked including gmail.

I’ve looked into solutions like corkscrew but it looks like it is going to take me a combination of ssh-over-https-proxies to get through it, because some of the tools only support Basic auth and the ISA server only accepts NTLM, Kerberos, and something else. It would be much easier to get to my box at home with its “library of files and tools” if they would just open up port 22.

I’m looking for anyone with ideas on how to talk to the IT admin staff about this. I’ve emailed them several times, and am not getting any response at all. I even included my MAC addresses and suggested they just unblock those. I’ve talked to my supervisor, and so far no luck – they mostly just don’t know what to do about it and the answers provided by the IT team range from the absurd to just dumb. Unfortunately, this is the same IT staff who:

– don’t know that terminal services is running on one of the windows 2003 servers I need access to (or insist that it isn’t running on the system at all)
– apparently when their company bought our company, dismantled the VPN because it was “insecure”
– set up a remote terminal services system exposed to the internet with the entire thing locked down (only one app is available, and the start menu is useless) as a solution for VPN/remote access.
– block gmail because it “has viruses”
– refuse to give the software developers, including those writing drivers, admin rights to their windows box

I don’t know who is responsible for these guys or who made up these “policies” but it seems like they just do whatever they want. My impression is that this team (who work out of the parent company’s office) is led by a guy who only cares that giving local admin rights to anyone would supposedly cause him to have to do more work to fix broken systems. Obviously that means that he is actively interfering with the business process of the org, but since no one seems to know what to do about it I’m throwing it out there to the three readers of this journal 🙂

How would you talk to your IT administrators about opening up port 22? Unblocking gmail? Putting the VPN back up? The only way the developers have admin rights on their own computers is the local VPs have domain admin rights to log in and let us reconfigure our own boxes – but this is not something we discuss with or even talk to the IT people about, which I don’t think is right, but we don’t seem to have much choice because they’re basically uncooperative. The local folks can’t modify the network or add new services like VPN though.

So how would you talk to windows sysadmins and convince them that they’re being unreasonable?


31 May 2006 – 18:26 CDT

Well, remember kids – taking down the physical ethernet interface with

# ifdown eth0

will also take the virtual interfaces such as eth0:1 down with it. And if you don’t have any other network enabled interfaces available – you’ve just taken your server offline 🙂