👋 I’m Alfred
Systems Engineer & Infrastructure Specialist
I focus on the intersection of automation, security, and system reliability. My work involves designing resilient Linux environments and building the tooling that keeps infrastructure manageable at scale. I believe that infrastructure should be treated as software—versioned, tested, and repeatable.
Core Focus
- Automation: Developing robust workflows using Bash and PowerShell to eliminate manual intervention, reduce human error, and ensure configuration consistency across hybrid environments.
- Security: Hardening systems from the kernel up, implementing strict network perimeters, and ensuring all deployments adhere to the principle of least privilege.
- Infrastructure: Managing high-performance web stacks (Nginx, Cloudflare) and production-ready Linux environments that prioritize uptime and low-latency delivery.
The Production Environment
This site is more than a portfolio; it is a live demonstration of my engineering philosophy. It is served from a hardened VPS, protected by Cloudflare’s edge security, and managed entirely through version-controlled deployment pipelines. By utilizing a “code-first” approach to hosting, I ensure that this environment is as secure and performant as the enterprise systems I manage.
Professional Philosophy
I advocate for the “Documentation as Code” movement and the elimination of “shadow IT.” In my view, a system that isn’t documented and automated is a system that doesn’t truly exist. My goal is to build transparent, self-healing infrastructure that allows developers to move fast without breaking the underlying stability of the network.
Recent Insights
Overview
Delivering remote applications seamlessly requires more than just opening an RDP port. In a modern Managed Service Provider (MSP) landscape, exposing internal servers directly to the internet is a critical security failure.
This guide breaks down the architecture required to build a highly available, secure TS Plus environment that guarantees uptime while strictly controlling access via a centralized gateway and external MFA.
The Architecture
A resilient TS Plus deployment separates the access layer from the execution layer. This ensures that a spike in user traffic or a targeted attack on the gateway does not crash the underlying application servers.
...
Overview
Managing Apple devices in a predominantly Windows-centric MSP environment is often treated as an afterthought. However, relying on basic MDM profiles is no longer sufficient. To achieve true Zero-Trust, macOS fleets require the same stringent Endpoint Detection and Response (EDR) and identity controls as their Windows counterparts.
This guide details the architectural implementation of enforcing Zero-Trust on macOS using Jamf Pro for orchestration, SentinelOne for threat hunting, and Keeper for MFA-backed identity management.
...
Overview
In a Managed Service Provider (MSP) environment, manual offboarding is a massive liability. Missing a step when revoking access can lead to data breaches, compliance violations, and wasted licensing costs.
This guide outlines an architectural approach to “Zero-Touch” offboarding, leveraging a self-hosted n8n instance running in Docker to trigger a robust PowerShell workflow that interacts directly with the Microsoft Graph API.
The Architecture
Relying on technicians to manually run scripts on their local machines creates bottlenecks. By containerizing the automation engine, we achieve predictable, auditable execution.
...
A strategic diagnostic approach to cut through the noise of L2 escalations by distinguishing between User Identity and System Platform domains.
The Scenario
A Tier 1 technician spends 45 minutes “trying things” to fix a recurring application crash or a VPN disconnect without success. In an MSP environment, time is the most expensive resource. To resolve L2 escalations effectively, you have to stop guessing and start looking for the “smoking gun” in the logs.
As an escalation engineer, I use a targeted triage map to cut through the noise and identify root causes in seconds, not hours.
...
The Scenario
A client reports that their new VoIP system has “one-way audio,” or perhaps a remote worker is unable to establish a stable VPN tunnel. In the MSP world, these tickets often land on the escalation desk when standard troubleshooting fails.
The culprit is frequently a misunderstanding of how Network Address Translation (NAT) is handling traffic between the private LAN and the public internet.
The Technical Deep-Dive
NAT was designed as a temporary solution to IPv4 address exhaustion, but it has become a permanent pillar of networking. It allows thousands of internal devices with private IPs to communicate with the world using a single Public IP address.
...
The Scenario
A remote user connects to the VPN and the client status shows “Connected.” Curiously, while the user can successfully ping an internal file server at 192.168.1.50, they are unable to map network drives, DNS resolution fails, and internal web applications refuse to load.
In an MSP environment, this “Ping Paradox” often leads Tier 1 technicians to believe the tunnel is healthy. However, as an escalation engineer, I recognize these as the classic symptoms of an IP Subnet Collision.
...
You can have the most expensive, lightning-fast immutable backup array in the world, but if your lead engineer is panicking and your documentation is trapped inside the server that just went down, your architecture has failed.
In my experience as an L2 Escalation specialist, I’ve seen that the “Human Element” is the most unpredictable variable in any Disaster Recovery (DR) plan.
1. The Paradox of Digital Documentation
Many teams store their “How-to-Recover” guides on the very infrastructure they are trying to recover. If the SAN is dead, your recovery PDF is dead too.
The Fix: I advocate for “Out-of-Band” documentation—secure, offline, or cloud-native copies (like an encrypted Git repository or a physical “Break-Glass” binder) that are accessible even when the primary network is dark.
...
In modern infrastructure, “Backup” is not a task—it is a foundational pillar of security. For an MSP managing hundreds of endpoints, a simple file-copy isn’t enough. Here is how I architect systems to survive ransomware and site-wide disasters.
1. The 3-2-1-1 Framework
I advocate for an evolved version of the classic 3-2-1 rule, specifically designed for remote-first workforces:
- 3 Copies of Data: Primary, local secondary, and offsite tertiary.
- 2 Different Media: Utilizing localized NAS storage for fast LAN recovery and cloud-native repositories.
- 1 Offsite Location: Ensuring data is physically separated from the primary site.
- 1 Immutable Copy: Utilizing S3 Object Lock or Air-gapping to ensure backups cannot be deleted by compromised credentials.
2. The Infrastructure Stack
My preferred approach utilizes a unified management plane to reduce “Shadow Data”:
...
Most portfolios live on shared hosting—cheap, easy, but restricted. For my infrastructure, I chose a Virtual Private Server (VPS). Here’s why a Systems Engineer treats their “home on the web” like a production environment.
1. The Isolation Advantage
On shared hosting, you are at the mercy of your “neighbors.” If another site on the same IP gets hit with a DDoS or runs a malicious script, your site slows down or goes dark. On my VPS, my vCPU and RAM are mine alone.
...