# Cascades Network Migration — Revised Operational Plan

## Context

Cascades senior living facility (236 rooms, 6 floors). New MSP takeover from previous company that left environment non-compliant.

**Core mission: HIPAA remediation and compliance.** Synology NAS stores PHI, nurses/medtechs access clinical records via ALIS (cloud), and email may contain resident data. See `security/hipaa.md` for full gap analysis.

Single 16-year-old server (CS-SERVER, 192.168.2.254) on LAN (192.168.0.0/22) running all roles. Staff PCs currently on WiFi (INTERNAL VLAN 20, 10.0.20.0/24). Printers on LAN. No backups, no GPOs, wide-open firewall, 4 PCs not domain-joined.

**Revised approach:** Network first. Move all devices to INTERNAL VLAN 20, then lock down. Server and printers move to INTERNAL **last** — no disruption during transition.

**Transitional state:** Machines on INTERNAL (10.0.20.0/24) → pfSense firewall bridges → CS-SERVER + printers on LAN (192.168.0.0/22). Everything works cross-subnet until we move the server.

**HIPAA drives every phase:** Backup (Phase 0) → network isolation (Phase 1) → access control + encryption (Phase 2) → centralized management (Phase 3) → PHI migration with audit trails (Phase 4) → shared account elimination (Phase 5).

---

## Schedule

| Session | Steps | Est. Time | Impact |
|---------|-------|-----------|--------|
| Session 1 (evening) | 1 + 2 | ~3-4 hours | Backup + firewall changes during low usage |
| Session 2 (coordinated) | 3 | ~2-3 hours | Brief disruption per machine during port change |
| Session 3 (business hours) | 4 | ~4-6 hours | No user impact — server-side only |
| Session 4 (coordinated) | 5 | ~4-6 hours | Brief disruption per machine during domain join |
| Session 5 (business hours) | 6 + 8 | ~4-5 hours | Synology cutover + hardening |
| Session 6 (TBD) | 7 | ~3-4 hours | Server/printer IP changes — schedule when stable |

**Total: ~20-28 hours across 6 sessions**

---

## Steps

| Step | Description | Runbook | Scripts |
|------|-------------|---------|---------|
| 1 | Emergency Backup | [phase0-safety-net.md](phase0-safety-net.md) | [phase0-export-configs.ps1](scripts/phase0-export-configs.ps1), [phase0-remote-checks.ps1](scripts/phase0-remote-checks.ps1) |
| 2 | Firewall & VLAN Setup | [phase1-network.md](phase1-network.md) | Manual (pfSense/UniFi web UI) |
| 3 | Identify & Move Switch Ports | [step3-switch-ports.md](step3-switch-ports.md) | Manual (UniFi web UI + on-site) |
| 4 | Server Preparation — AD & Shares | [phase2-server-prep.md](phase2-server-prep.md) | [phase2-dns-cleanup.ps1](scripts/phase2-dns-cleanup.ps1), [phase2-ad-setup.ps1](scripts/phase2-ad-setup.ps1), [phase2-sync-synology.ps1](scripts/phase2-sync-synology.ps1), [phase2-file-shares.ps1](scripts/phase2-file-shares.ps1), [phase2-print-server.ps1](scripts/phase2-print-server.ps1) |
| 5 | Domain Join | [phase3-domain-join.md](phase3-domain-join.md) | [phase3-pre-join-verify.ps1](scripts/phase3-pre-join-verify.ps1), [phase3-join-domain.ps1](scripts/phase3-join-domain.ps1), [phase3-post-join-verify.ps1](scripts/phase3-post-join-verify.ps1) |
| 6 | Synology Transition | [phase4-synology.md](phase4-synology.md) | [phase4-archive-synology.ps1](scripts/phase4-archive-synology.ps1) |
| 7 | Move Server & Printers to INTERNAL | [step7-server-move.md](step7-server-move.md) | Manual |
| 8 | Hardening & Cleanup | [phase5-hardening.md](phase5-hardening.md) | Manual + documentation updates |

---

## Session Log

| Session | Date | Focus | Status |
|---------|------|-------|--------|
| 1 | 2026-03-06 | Initial audit, data gathering, documentation buildout | Done |
| 2 | 2026-03-06 | Guest WiFi isolation, DNS fixes, firewall aliases | Done |
| 3 | 2026-03-07 | Backup setup, config exports, quick fixes | [session3-2026-03-07.md](session3-2026-03-07.md) |
| 4 | TBD | Firewall aliases, INTERNAL rules, floating rule #4 | Planned |
| 5 | TBD (onsite) | Test isolation, gather device info, Pro upgrade | Planned |

---

## On-Site Tasks (separate trip)

| Task | Why |
|------|-----|
| Fix 9 offline APs | Physical access to check PoE, cables, re-adopt |
| Wire 206 printer (ethernet) | Cable run |
| Locate Bizhub C368 | Physical walkthrough |
| Get printer MAC addresses | If not in pfSense ARP/DHCP table |
| Verify switch port assignments | Physical trace if UniFi doesn't show clearly |

---

## Information Still Needed

1. **Switch port mappings** — Which switch port is each hardwired workstation plugged into? Check UniFi → Clients or trace physically. Only CHEF-PC (USW Lite 8 Port 7) is known.
2. **DESKTOP-1ISF081 IP and location** — What IP does it have and where is it physically?
3. **MDIRECTOR-PC** — Confirm it should move to INTERNAL or stay on LAN (MemCare Director's machine, currently at 192.168.3.20).
4. **Printer MAC addresses** — Needed for DHCP reservations if not already in pfSense ARP table.
5. **Step 7 decision** — Move CS-SERVER to INTERNAL, dual-home it, or leave on LAN permanently?

---

## Rollback Procedures

Each step has a rollback section. Key rollbacks:

- **Step 2:** Re-enable floating rule #4, revert Guest SSID, restore pfSense XML backup
- **Step 3 (per machine):** Revert switch port to native VLAN
- **Step 4:** Unlink GPOs from GPMC. DNS records exported in Step 1.
- **Step 5 (per machine):** Log in with MSPAdmin local account, `Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart`
- **Step 6:** Rename archive folder back to SynologyDrive
- **Step 7:** Revert printer/server IPs, restore firewall rules

---

## Verification

After each step, confirm:

- **Step 2:** INTERNAL machines can reach server + printers through firewall
- **Step 3:** Hardwired machines on INTERNAL get correct IPs, reach server + printers
- **Step 4:** All shares/groups/GPOs created correctly on CS-SERVER
- **Step 5:** Domain-joined machines get GPOs, drive mappings, printers automatically
- **Step 6:** Users can access all files via mapped drives (no more Synology Drive Client)
- **Step 7:** Server/printers accessible on new IPs from all machines
- **Step 8:** Endpoint security deployed, old accounts/shares cleaned up

---

## Issues Resolved

| Issue | Resolution |
|-------|-----------|
| Floating rule #4 passes all IPv4 | Replaced with scoped rules |
| Guest WiFi on server LAN | Isolated to VLAN 50 |
| No GPOs configured | Security baseline, drives, printers, updates, folder redirection |
| 4 PCs not domain-joined | All joined |
| No backup | Synology ABB + offsite |
| Shared/generic AD accounts | Replaced with individual accounts |
| Stale DNS records | Cleaned up, scavenging enabled |
| Room 218 DHCP (single IP) | Range end fixed |
| Timezone mismatch | Both set to America/Phoenix |
| Room 130 dead firewall rule | Deleted |
| VLAN 10 mismatch | Deleted from UniFi |
| 5 stale disabled AD accounts | Deleted |
| Synology Sync VM | Deleted from Hyper-V |
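As a companion to the Step 2 and Step 3 verification checks, here is an added PowerShell check (example code, not one of the plan's phase scripts) that a workstation moved to INTERNAL can run to confirm the transitional state: it landed on 10.0.20.0/24, its gateway is pfSense on INTERNAL, and CS-SERVER and the printers are still reachable across the firewall on LAN. It assumes CS-SERVER remains at 192.168.2.254 and that the printer IPs are filled in from the pfSense DHCP/ARP table; the ports are the standard SMB, LDAP, DNS and RAW-print ports.

```powershell
# Added example (not one of the plan's phase scripts): run on a workstation that
# has been moved to INTERNAL VLAN 20 to confirm the transitional state works.
# Assumptions: CS-SERVER still at 192.168.2.254 (AD/DNS/file/print roles);
# printer IPs are placeholders to be replaced from the pfSense DHCP/ARP table.
function Test-InternalTransition {
    param(
        [string]   $ServerIP    = '192.168.2.254',
        [string]   $ServerName  = 'CS-SERVER',
        [string]   $SubnetRegex = '^10\.0\.20\.',       # INTERNAL VLAN 20
        [string[]] $PrinterIPs  = @('192.168.x.x')      # placeholder: fill from pfSense
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Ok; Detail = $Detail }) }

    # 1. This machine actually landed on INTERNAL (Step 3: "get correct IPs")
    $ip = (Get-NetIPAddress -AddressFamily IPv4 |
           Where-Object { $_.IPAddress -notlike '169.254.*' -and $_.IPAddress -ne '127.0.0.1' } |
           Select-Object -First 1).IPAddress
    & $add 'IP on INTERNAL 10.0.20.0/24' ($ip -match $SubnetRegex) $ip

    # 2. Default gateway should be pfSense on the INTERNAL interface, not a LAN address
    $gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
           Sort-Object RouteMetric | Select-Object -First 1).NextHop
    & $add 'Gateway on INTERNAL' ($gw -match $SubnetRegex) $gw

    # 3. Cross-subnet reachability to the server roles the workstations depend on
    #    (standard ports: SMB 445 for shares, LDAP 389 for AD, 53 for DNS)
    foreach ($p in 445, 389, 53) {
        $t = Test-NetConnection -ComputerName $ServerIP -Port $p -WarningAction SilentlyContinue
        & $add "Server TCP/$p" $t.TcpTestSucceeded "$ServerIP`:$p"
    }

    # 4. Name resolution still points at the server while it stays on LAN
    try {
        $a = (Resolve-DnsName -Name $ServerName -Type A -Server $ServerIP -ErrorAction Stop).IPAddress
        & $add 'DNS resolves CS-SERVER' ($a -contains $ServerIP) ($a -join ',')
    } catch { & $add 'DNS resolves CS-SERVER' $false $_.Exception.Message }

    # 5. Printers across the firewall (RAW/JetDirect port 9100)
    foreach ($pr in $PrinterIPs) {
        $t = Test-NetConnection -ComputerName $pr -Port 9100 -WarningAction SilentlyContinue
        & $add "Printer $pr TCP/9100" $t.TcpTestSucceeded $pr
    }
    return $results
}

Test-InternalTransition | Format-Table -AutoSize
```

Any row with `Pass = False` points at either the switch port (checks 1 and 2) or the INTERNAL → LAN firewall rules (checks 3 to 5), which matches the Step 2 and Step 3 rollbacks above.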