Session log: multi-user setup, audit + gap fixes, Howard onboarding package

Two session logs:
- session-logs/2026-04-16-session.md: cross-cutting (multi-user, audit, infrastructure)
- guru-rmm session log appended: MSI installer, Len's Auto Brokerage, Uranus, migration drift

Gap fixes: GrepAI initialized + MCP server added, Ollama models pulling,
settings.json created (bypassPermissions), MCP_SERVERS.md written.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 18:55:28 -07:00
parent 749f429734
commit 1c7df5018e
20 changed files with 1617 additions and 3 deletions


@@ -45,8 +45,41 @@ RDWeb (`https://VWP-QBS/RDWeb/Pages/login.aspx`) was exposed to the public inter
- Consider 2FA / Conditional Access on any externally-reachable Windows service
- Rotate `scanner` AD account password (last set 2024-10-17) as hygiene
## 2026-04-16: RemoteApp over VPN (post-gateway) + RDS licensing fix
After the 2026-04-13 public RDWeb port-forward removal, users launching the QuickBooks RemoteApp via VPN hit `0x3000008` (RD Gateway unreachable) because the RDP manifest still routed through the gateway at the (now-firewalled) public IP.
### Changes made
1. **RDS Deployment** (on VWP-QBS, via Server Manager -> RDS -> Edit Deployment Properties -> RD Gateway) set to **"Do not use an RD Gateway server"**. New RDP manifests now write `gatewayusagemethod:i:0` and `full address:s:VWP-QBS.VWP.US` — direct connect, no gateway.
2. **UDM static DNS record** fixed typo `qwp-qbs.vwp.us` -> `vwp-qbs.vwp.us` (UniFi UI: Settings -> Routing -> DNS -> Static DNS Records), still pointing to `172.16.9.169`. Required because `vwp.us` is a real registered domain (resolves publicly to the website) but `vwp-qbs.vwp.us` is only valid internally. VPN clients receive DNS=192.168.4.1 (the UDM) via OpenVPN push, so this override is what lets them find the session host.
3. **RDS licensing configuration** (on VWP-QBS, via `Win32_TerminalServiceSetting` WMI):
- Mode: Per User (LicensingType=4)
- Specified license server: `vwp-qbs.vwp.us` (the same box — RDS-Licensing role was installed and activated but the RDSH was never pointed at it, so users hit "no license servers available")
### Rationale
- **No RD Gateway needed**: VWP users are either on-LAN or VPN-connected. OpenVPN pushes routes for 172.16.9.0/24, 192.168.0.0/24, 192.168.3.0/24. VPN -> LAN firewall policy is ACCEPT-all (`UBIOS_VPN_LAN_USER`). Gateway was only serving the public-access use case which is now intentionally closed.
- **DNS override avoids split-horizon complexity**: rather than pushing internal AD DNS (172.16.9.2) to VPN clients, we use the UDM's dnsmasq for both public and internal names, with overrides for the handful of internal FQDNs clients actually need.
### Current VPN / DNS topology
- OpenVPN server on UDM: pushes `192.168.4.0/24` to clients, routes for the three LAN subnets, DNS=192.168.4.1 (UDM)
- Site-to-site WireGuard peers visible on UDM (`wgsts1001`, `wgsts1003`, `wgsts1005`) — likely UniFi SiteMagic to ACG / other sites
- Static DNS records on UDM (as of 2026-04-16): `vwp-qbs.vwp.us` -> `172.16.9.169`
## RDS CAL purchase (outstanding)
VWP-QBS's RDS License Server is activated and running, but **has no real CALs installed** — only the Windows 2000-era `Built-in TS Per Device CAL` placeholder pack. Once grace period expires (or after the 2026-04-16 pointer fix re-triggers licensing logic), users will either get a fresh grace window or start seeing "license server has no licenses" errors.
**Action item:** purchase a pack of **Windows Server 2022 RDS Per User CALs** sized to the active user count (check VWP-QBS for distinct interactive logon count last 30d to size accurately). Install via `licmgr.msc` on VWP-QBS. Current licensing mode is Per User, matching this purchase path.
## Open items
- Confirm UPnP state on UDM
- Document intended RDWeb access pattern (who connects from where)
- Add Valleywide entry to SOPS vault
- Confirm UPnP state on UDM (2026-04-13 recommendation — still not verified)
- Document intended RDWeb access pattern (who connects from where) — superseded partially by 2026-04-16 VPN-only decision, but formalize
- Add Valleywide entry to SOPS vault (SOPS vault now has `clients/vwp/*` entries: adsrvr, dc1, udm, xenserver, quickbooks-server-idrac — superseded)
- RDS CALs purchase (see above)
- Rotate `scanner` AD account password (carried from 2026-04-13)
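Review bot: the "## Open items" list now carries each of the three pre-existing items twice: the plain entries "Confirm UPnP state on UDM", "Document intended RDWeb access pattern (who connects from where)" and "Add Valleywide entry to SOPS vault" are immediately followed by annotated versions of the same three (one of which is itself marked "superseded"); keep only the annotated trio and drop the closed "Add Valleywide entry to SOPS vault" item entirely rather than leaving it listed as open. Separately, the "No RD Gateway needed" rationale rests on the VPN -> LAN policy being ACCEPT-all (`UBIOS_VPN_LAN_USER`), which means the OpenVPN endpoint on the UDM is now the externally reachable path to the session host; the retained line "Consider 2FA / Conditional Access on any externally-reachable Windows service" should say whether that consideration now applies to the VPN, and the ACCEPT-all rule should be recorded as intentional (or scoped to the three pushed subnets and the RDP port) so the next reader does not have to infer it from this entry.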