---
type: client
name: dataforth
display_name: Dataforth Corporation
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  - clients/dataforth/docs/overview.md
  - clients/dataforth/docs/active-directory.md
  - clients/dataforth/docs/workstations.md
  - clients/dataforth/docs/manufacturing.md
  - clients/dataforth/docs/billing-log.md
  - clients/dataforth/docs/SYNC_SCRIPT_UPDATE_SUMMARY.md
  - clients/dataforth/docs/incident-2026-03-27-abuse-report-virtuo.md
  - clients/dataforth/docs/incident-2026-03-27-abuse-report-connectwise.md
  - clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md
  - clients/dataforth/session-logs/2026-03-27-security-incident-mfa-datasheets.md
  - clients/dataforth/session-logs/SESSION-SUMMARY.md
  - clients/dataforth/session-logs/MEMORY.md
  - clients/dataforth/session-logs/2026-04-12-session.md
  - clients/dataforth/session-logs/2026-04-13-session.md
  - clients/dataforth/session-logs/2026-04-14-session.md
  - clients/dataforth/session-logs/2026-04-23-session.md
  - clients/dataforth/session-logs/2026-05-03-session.md
  - clients/dataforth/session-logs/2026-05-04-lobby-phone-vlan-fix.md
  - clients/dataforth/session-logs/2026-05-06-session.md
  - clients/dataforth/session-logs/2026-05-12-session.md
  - clients/dataforth/session-logs/project_ad2_context.md
  - clients/dataforth/session-logs/project_pipeline_rebuilt.md
  - clients/dataforth/session-logs/project_test_datasheet_pipeline.md
  - clients/dataforth/session-logs/project_new_product_lines.md
  - projects/dataforth-dos/CONTEXT.md
  - .claude/memory/project_dataforth_incident_2026-03-27.md
  - .claude/memory/project_datasheet_pipeline.md
  - .claude/memory/project_neptune_sbr_email_routing.md
  - .claude/memory/reference_dataforth_contact.md
  - .claude/memory/reference_neptune_access_d2testnas.md
  - .claude/memory/feedback_d2testnas_ssh.md
  - .claude/memory/infra_office_network.md
backlinks:
  - projects/dataforth-dos
  - systems/jupiter
---

# Dataforth Corporation

Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing ACG client. Active managed relationship — monthly prepaid block. Notable for 64 MS-DOS 6.22 test stations, a major security incident in March 2026, and an ongoing test datasheet pipeline modernization project.

---

## Profile

- **Contract type:** Prepaid hour block (monthly replenishment invoice $2,098.87)
- **Key contacts:**

| Name | Username | Role | Email |
|---|---|---|---|
| Dan Center | dcenter | Operations (primary IT contact) | dcenter@dataforth.com |
| John Lehman | jlehman | Engineering, QB code, test specs | jlehman@dataforth.com |
| Peter Iliya | pIliya | Applications Engineer | pIliya@dataforth.com |
| Georg Haubner | ghaubner | Engineering; D: drive on HGHAUBNER has pre-ransomware-attack backup | ghaubner@dataforth.com |
| Kevin Wackerly | kwackerly | IT/Admin, handles calibration@ account | kwackerly@dataforth.com |
| Logan Tobey | ltobey | Support/Sales | ltobey@dataforth.com |
| Ben Wadzinski | bwadzinski | Engineering | — |
| Lee Payne | lpayne | Engineering | — |
| Theresa Dean | tdean | Admin | tdean@dataforth.com |
| Joel Lohr | jlohr | **RETIRED 2026-03-31** — account intentionally kept enabled; inbox rule forwards ntirety.com notifications to mike@azcomputerguru.com | jlohr@dataforth.com |
| Ken Hoffman | khoffman / oemdata | TestDataSheetUploader author, external; also owns Dataforth product API | — |

- **External distributor:** Ginger (gy@quatronix-cn.com) — Quatronix China; receives datasheets
- **Billing rate:** Prepaid block; all invoices show $0.00 — hours drawn from block
- **Hours remaining:** 46.5 hrs as of 2026-05-03 (after 1 hr billed that session). Always live-check Syncro before billing — `GET /customers/578095`.
- **Syncro customer ID:** 578095

---

## Infrastructure

### Servers & Services

| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| AD1 | 192.168.0.27 | Primary DC, DNS, FSMO roles, Engineering share | Windows Server 2016 | C:\ at **90%** capacity (C:\Engineering = 787 GB) — critical risk. FSMO roles (assumed all). |
| AD2 | 192.168.0.6 | Secondary DC, TestDataDB service host, NAS mirror, WebShare | Windows Server 2022 | Hosts testdatadb Node.js service on :3000. Wiped by crypto attack 2025 — rebuilt. Windows Firewall disabled (all profiles). |
| FILES-D1 | — | File server | — | Sales docs (W:), archive (Y:) |
| SAGE-SQL | 192.168.0.153 | Sage ERP (S:), RDS Session Host/Connection Broker/Web Access | Windows Server | RDS licensing grace period had expired (reset 2026-05-06). TSGateway disabled (server not externally exposed). New self-signed RDS cert installed. Bitdefender GravityZone managed AV. |
| 3CX | 192.168.0.125 | Phone system | — | Last logon Oct 2025 — possibly inactive |
| DF-HYPERV-B | — | Hyper-V hypervisor | — | — |
| D2TESTNAS | 192.168.0.9 | SMB1 bridge for DOS test stations; Neptune Exchange physically colocated | Linux (CachyOS) | Runs rsync daemon on port 873 (module: `test`, user: `rsync`). SMB1 only — required for DOS 6.22 stations (legacy protocol with no signing or encryption, reachable from the flat LAN). SSH: `root@192.168.0.9`. Also provides Tailscale route for 172.16.0.0/22 to reach ACG office LAN. |
| ESXi hosts | 192.168.0.122, 192.168.0.124 | VMware ESXi hypervisors | ESXi | — |
| UDM Firewall | 192.168.0.254 | Perimeter firewall/router | UniFi OS | MAC d0:21:f9:6c:11:02. Also responds on 192.168.0.1. SSH key: `~/.ssh/id_ed25519_udm`. C2 IPs blocked via iptables (NOT permanent — need to add to UniFi UI). |
| PBX (3CX/Sangoma) | 192.168.100.2 (also .196) | VoIP PBX — production phones on 192.168.100.0/24 | — | TFTP provisioning for Cisco SPA502G phones. Access via SSH: `sangoma@192.168.100.2`. Vault: `clients/dataforth/pbx.sops.yaml` |

**Neptune Exchange (ACG infrastructure, physically at Dataforth D2):**

- `neptune.acghosting.com` | internal `172.16.3.11` | external inbound `67.206.163.124` / outbound `67.206.163.122` (unless the SNAT rule below is active)
- Exchange Server 2016, active ACG-hosted mail server for multiple clients
- Physically colocated at Dataforth's D2 facility — NOT on ACG office LAN despite 172.16.x.x IP
- Access requires routing through D2TESTNAS (192.168.0.9): Dataforth UDM has a 172.16.x.x subnet that overlaps ACG office LAN, making direct routing ambiguous
- SNAT rule on Dataforth UDM at `/data/on_boot.d/10-neptune-snat.sh` should force Neptune outbound to use `.124` (not always active — verify with `iptables -t nat -S` on the UDM)
- Vault: `clients/dataforth/neptune-exchange.sops.yaml`
- [WARNING] TODO: Resubnet Dataforth UDM to a non-overlapping range to permanently fix Neptune routing

### Workstations (summary)

| Category | Count | OS | Notable |
|---|---|---|---|
| Engineering | ~12 | Win 10/11 Pro | HGHAUBNER (192.168.0.148) has pre-attack D: backup. D1-PWRM for PWRM10 test. |
| Manufacturing/Assembly | ~14 | Win 10/11 Pro | AS24, AS26 + various assembly/hi-pot stations |
| Office/Admin | ~12 | Win 10/11 Pro | DF-GAGETRAK (192.168.0.102) — GAGEtrak calibration host. DF-JOEL2 (192.168.0.174) — compromised 2026-03-27, remediated. |
| End-of-Life (Win 7) | 3 | Windows 7 Pro | LABELPC (192.168.0.100), LABELPC2 (192.168.0.98), D2-RCVG-003 (192.168.0.47) — EOL, on network |
| DOS Test Stations | 64 | MS-DOS 6.22 | TS-1 through TS-30 + variants. Not domain-joined. SMB1 via D2TESTNAS. |

### Email & Identity

- **M365 tenant:** dataforth.com | Tenant ID: `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
- **Entra ID Sync:** Yes — Azure AD Connect from OU=SyncedUsers only
- **M365 licenses:** 50x Business Premium (39 used), 19x Exchange Online Plan 1 (5 used), 5x SPB (4 used)
- **SMTP settings:** smtp.office365.com, port 587, STARTTLS — use `sysadmin@dataforth.com` (SMTP AUTH for this mailbox is currently blocked, see next bullet; `calibration@` is the mailbox with SMTP AUTH enabled)
- **SMTP AUTH status:** Tenant-level not disabled; per-mailbox varies. `calibration@dataforth.com` had SmtpClientAuthentication=true re-enabled 2026-04-23. `sysadmin@dataforth.com` SMTP AUTH is blocked by Exchange Online default — testdatadb uses Graph API for email (Mail.Send permission granted to Claude-Code-M365 app 2026-05-12).
- **DKIM:** Both selector1 and selector2 published. Rotated 2026-05-12; cutover to selector2 on 2026-05-16.
  - `selector1._domainkey.dataforth.com` → selector1-dataforth-com._domainkey.dataforthcom.onmicrosoft.com
  - `selector2._domainkey.dataforth.com` → selector2-dataforth-com._domainkey.dataforthcom.onmicrosoft.com
- **DNS Host:** ntirety.com — Dataforth's public DNS zone managed through ntirety's portal (not a standard registrar). DNS change requests go to ntirety, not a domain control panel. Joel Lohr's account retained to receive ntirety.com infrastructure notifications (inbox rule → mike@azcomputerguru.com).
- **INKY PhishFence:** Active transport rule `B859327F-3FBD-4BE7-A47A-97D02F1558A7` fires first and sets StopProcessingRules=true — blocks all subsequent custom transport rules. Use inbox rules for per-user mail routing.
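The Exchange Online checks that go with the items above, as an added example (not from this note and not ACG's own tooling): list transport rules in evaluation order and flag everything shadowed by the first enabled StopRuleProcessing rule, read tenant versus per-mailbox SMTP AUTH state, read the DKIM rotation schedule and resolve the selector2 CNAME, and, for per-user routing, build an inbox rule with a sender-scoped outbound spam policy instead of a transport rule. It assumes the ExchangeOnlineManagement module 3.x and an Exchange Admin sign-in; the `ntirety.com` sender match, the policy name and the mailbox/forward target are placeholders modelled on the jlohr case.

```powershell
# Added example (not from this note or from ACG tooling): Exchange Online checks for the
# mail-flow items in this section. Assumes the ExchangeOnlineManagement module (3.x) and an
# Exchange Admin sign-in. The inbox-rule sender match, policy name, mailbox and forward
# target are placeholders modelled on the jlohr/ntirety case.
Connect-ExchangeOnline -UserPrincipalName sysadmin@dataforth.com

# 1. Transport rules run in ascending Priority. The first enabled rule with
#    StopRuleProcessing=$true ends evaluation for every message it matches; the note says
#    INKY's rule matches all inbound mail, so every later rule is effectively dead.
$inkyGuid = 'B859327F-3FBD-4BE7-A47A-97D02F1558A7'
$rules    = Get-TransportRule | Sort-Object Priority
$stopRule = $rules | Where-Object { $_.State -eq 'Enabled' -and $_.StopRuleProcessing } |
            Select-Object -First 1
$rules | Select-Object Priority, Name, State, StopRuleProcessing,
    @{ n = 'IsINKY';   e = { $_.Guid -eq $inkyGuid } },
    @{ n = 'Shadowed'; e = { $null -ne $stopRule -and $_.State -eq 'Enabled' -and
                             $_.Priority -gt $stopRule.Priority } } |
    Format-Table -AutoSize

# 2. SMTP AUTH: tenant default, then the per-mailbox override ($null = inherit tenant).
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
'calibration@dataforth.com', 'sysadmin@dataforth.com' | ForEach-Object {
    Get-CASMailbox -Identity $_ | Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
}

# 3. DKIM rotation: after RotateOnDate, outbound mail is signed with SelectorAfterRotateOnDate
#    (selector2 here), so that selector's CNAME must still resolve to the onmicrosoft host.
Get-DkimSigningConfig -Identity dataforth.com |
    Select-Object Enabled, RotateOnDate, SelectorBeforeRotateOnDate, SelectorAfterRotateOnDate,
                  Selector1CNAME, Selector2CNAME
Resolve-DnsName -Name selector2._domainkey.dataforth.com -Type CNAME | Select-Object Name, NameHost

# 4. Per-user routing without a transport rule: an inbox rule on the mailbox plus a
#    sender-scoped outbound spam policy, because external auto-forward is Off in the default
#    policy (leave the default alone; widen only for this sender).
$mbx = 'jlohr@dataforth.com'          # placeholder mailbox
$to  = 'mike@azcomputerguru.com'      # placeholder forward target
$pol = 'ACG-AllowForward-jlohr'       # placeholder policy name
New-HostedOutboundSpamFilterPolicy -Name $pol -AutoForwardingMode On
New-HostedOutboundSpamFilterRule   -Name $pol -HostedOutboundSpamFilterPolicy $pol -From $mbx
# Caution: managing inbox rules from PowerShell removes any Outlook client-only rules on the
# mailbox (the cmdlet prompts before doing so).
New-InboxRule -Mailbox $mbx -Name 'ntirety notifications to ACG' `
    -FromAddressContainsWords 'ntirety.com' -ForwardTo $to   # assumed sender-domain match

# 5. Prove delivery with the V2 trace cmdlets (Get-MessageTrace is superseded).
Get-MessageTraceV2 -RecipientAddress $to -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, Subject, Status
```

The `Shadowed` column is per-message in reality: a later rule is only skipped for messages the stop rule actually matched. Because INKY's rule matches everything inbound here, the column is a faithful picture of this tenant; in a tenant with a narrower stop rule, read it as "shadowed for matching mail".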
### MFA / Conditional Access

- **MFA:** 3 Conditional Access policies created 2026-03-27 (initially report-only; enforced 2026-04-04):
  - "ACG - Require MFA for All Users" — skip from office IP 67.206.163.122
  - "ACG - Block Foreign Sign-Ins" — US-only; MFA-Travel-Bypass group for exceptions
  - "ACG - Block Legacy Authentication"
- **Named locations:** Dataforth Office - Tucson (67.206.163.122/32, trusted), Allowed Countries - US Only
- **MFA-Excluded-BreakGlass group:** Brian Faires, Dataforth Calibration, Dataforth Notifications, Endcap, Tablet 01. These accounts are MFA-exempt; Brian Faires's mailbox was converted to shared 2026-03-31, so confirm that account's sign-in is blocked.
- **MFA enrollment (as of 2026-03-27):** 19/38 ready, 19 needed setup — deadline April 4, 2026

### Network

- **Domain:** intranet.dataforth.com | Forest/Domain Level: Windows Server 2016
- **ISP:** fdtnet.net | Public IP: 67.206.163.122 (outbound), 67.206.163.124 (Neptune inbound)
- **Firewall/Router:** UniFi Dream Machine at 192.168.0.254 (also 192.168.0.1)
- **Network:** Flat (no VLANs on main LAN — 192.168.0.0/24). Voice/PBX VLAN: 192.168.100.0/24 — production phones live here. UDM default voice VLAN (192.168.1.0/24) not wired to PBX.
- **VPN:** FortiClient required for remote access to 192.168.0.x. VPN can drop mid-session — save work frequently.
- **Drive mappings (GPO):** B: (\\ad1\itsvc), Q: (\\ad2\c-drive), S: (\\SAGE-SQL\sage), T: (\\ad2\e-drive), W: (\\files-d1\sales), X: (\\ad2\webshare), Y: (\\files-d1\archive). DOS test stations: T: (\\D2TESTNAS\test), X: (\\D2TESTNAS\datasheets)

### GuruRMM Enrollment

- **Site name:** Dataforth D1 | Site ID: `3a2f6866-26cd-452c-9806-a8df21475c3c`
- **Site API key:** vault `clients/dataforth/...` [check vault for current entry]
- **DF-GAGETRAK enrolled:** Agent ID `7626d82c-0736-47a6-8bc6-68e39859caed`, device ID `win-901ce38b-fb6e-44b8-a577-7c0bdf269a9a` — enrolled 2026-04-23
- **[WARNING] GuruRMM enrollment workaround:** WebSocket auth in `ws/mod.rs` does not validate `enrolled_agents.agent_key_hash`. New agent installs must overwrite registry AgentKey with the site API key (not the enrollment AgentKey) and restart service. See Gitea issue #8. Until that is fixed the site API key is effectively the per-agent credential, so keep it in the vault only.

### Key Applications

| Application | Host | URL/Port | Notes |
|---|---|---|---|
| TestDataDB | AD2 | http://192.168.0.6:3000 | Node.js + Express, PostgreSQL 18, 469K records. Internal LAN only. |
| Sage ERP | SAGE-SQL | \\SAGE-SQL\sage (S:) | RDS-served RemoteApp |
| GageTrak | DF-GAGETRAK (192.168.0.102) | — | Calibration tracking. Sends email via calibration@dataforth.com (SMTP). GuruRMM enrolled. |
| Dataforth Product API | Hoffman's servers | https://www.dataforth.com/api/v1/TestReportDataFiles | OAuth2 client_credentials. Vault: `clients/dataforth/api-oauth.sops.yaml` |
| QuickBASIC 4.5 ATE | 64 DOS stations | T:\ (\\D2TESTNAS\test) | Automated test equipment programs. 1,470+ product model specs. |

---

## Access

### Domain / Server Access

- **AD2 SSH:** `ssh sysadmin@192.168.0.6` (port 22) — vault: `clients/dataforth/ad2.sops.yaml` → `credentials.password` — NOTE: stale backslash escape in vault entry; strip with `sed 's/\\//g'`
- **AD1 SSH:** `ssh sysadmin@192.168.0.27` — vault: `clients/dataforth/ad1.sops.yaml`
- **D2TESTNAS SSH:** `ssh root@192.168.0.9` — vault: `clients/dataforth/d2testnas.sops.yaml`. Use root, NOT sysadmin (sysadmin SSH fails on D2TESTNAS). SSH key from acg-guru-5070 authorized.
- **UDM SSH:** `ssh root@192.168.0.254` — SSH key `~/.ssh/id_ed25519_udm` (generated 2026-03-27)
- **SAGE-SQL SSH:** `ssh sysadmin@192.168.0.153` — SSH key (`C:\ProgramData\ssh\administrators_authorized_keys` on SAGE-SQL)
- **All server passwords:** `Paper123!@#` (domain admin sysadmin account — stored in individual vault entries per server). This is one shared domain-admin credential on every server; rotate it and keep it only in the vault.
- **WinRM (AD2/AD1):** port 5985 — pywinrm with NTLM, user `INTRANET\sysadmin`

### M365 / Entra

- **M365 admin:** sysadmin@dataforth.com — vault: `clients/dataforth/m365.sops.yaml`
- **Tenant ID:** `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
- **Claude-Code-M365 Entra App:** App ID `7a8c0b2e-57fb-4d79-9b5a-4b88d21b1f29`, secret expires 2027-12-22 — vault: `clients/dataforth/m365.sops.yaml → credentials.entra-app`
- **MSP Multi-Tenant App (Claude-MSP-Access):** MSP tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d`, App ID `fabb3421-8b34-484b-bc17-e46de9703418` — vault: msp-tools SOPS file
- **ComputerGuru tiered apps:** All 5 apps consented 2026-04-23. Exchange Operator SP (b43e7342) had Exchange Admin role added manually (gap in onboard-tenant.sh — not auto-assigned for Exch Operator).

### Dataforth Product API (Hoffman)

- **Vault:** `clients/dataforth/api-oauth.sops.yaml`
- Token URL: `https://login.dataforth.com/connect/token`
- Grant: `client_credentials`, Client ID: `dataforth.onprem.sync`, Scope: `dataforth.web`
- Token TTL: 1 hour
- Swagger: `https://www.dataforth.com/swagger/index.html`

### ESXi / Hypervisors

- ESXi-122: 192.168.0.122 — vault: `clients/dataforth/esxi-122.sops.yaml`
- ESXi-124: 192.168.0.124 — vault: `clients/dataforth/esxi-124.sops.yaml`

### PBX

- Vault: `clients/dataforth/pbx.sops.yaml`

---

## Patterns & Known Issues

### Active Directory

- **No custom security groups** — only default Windows groups. Service accounts in OU=ServiceAccounts.
- **ClaudeTools-ReadOnly AD account** — purpose unclear. Investigate.
- **Ken Hoffman has two accounts** (khoffman + oemdata) — not consolidated.
- **jlohr account retained** — post-retirement (2026-03-31), kept enabled specifically to receive ntirety.com infrastructure notifications. Inbox rule forwards to mike@azcomputerguru.com. Do NOT disable.
- **Entra sync scope:** Only OU=SyncedUsers syncs to Entra. CompanyUsers OU does NOT sync. 38 stale TS-* test station accounts were cleaned from Entra 2026-03-27.

### RDS / SAGE-SQL

- **RDS licensing:** Grace period reset 2026-05-06 by deleting the GracePeriod registry key, which restarts the 120-day RDS licensing grace period; it will expire again without proper CALs. Purchase RDS CALs (Per User mode, LicensingType=4).
- **TSGateway:** Disabled on SAGE-SQL (server not externally exposed at firewall). Do NOT re-enable without reason.
- **SSL cert:** Self-signed, subject `CN=sage-sql.intranet.dataforth.com`. Non-domain machines must manually import to Trusted Root + Trusted Publishers.
- **GPO cert distribution:** Not completed (AD2 SYSVOL write blocked from non-domain workstation). Pending.
- **Bitdefender GravityZone:** Managed AV on SAGE-SQL. Can block PowerShell execution — may need temporary disable for admin work.

### Voice / Phones

- **Production phones VLAN:** 192.168.100.0/24. PBX at .196 / .2. All production phones live here.
- **UniFi default voice VLAN (192.168.1.0/24):** NOT used for production — phones landing here cannot reach PBX. Switch port misconfiguration symptom: phone shows wrong date/time (NTP failure) and no dial tone.
- **D1-Server-Room port 1:** Controls lobby drop → must stay on VLAN 100. Reverted to default once before (2026-05-04 incident).

### Exchange Online / Email

- **INKY PhishFence StopProcessingRules:** Kills all subsequent transport rules. Use inbox rules for per-mailbox forwarding, NOT transport rules.
- **AutoForwarding blocked by default** (tenant outbound spam policy). If per-user forwarding is needed, create a scoped HostedOutboundSpamFilterPolicy for that sender with AutoForwardingMode=On rather than changing the default policy.
- **Get-MessageTrace deprecated Sept 2025:** Use Get-MessageTraceV2 and Get-MessageTraceDetailV2 in Exchange PowerShell.

### GuruRMM Agent Deployment

- **WebSocket auth bug (Issue #8):** enrolled_agents.agent_key_hash is never checked by ws/mod.rs. Workaround: after MSI install, overwrite registry `HKLM:\SOFTWARE\GuruRMM\AgentKey` with the site API key (not the enrollment AgentKey), then restart the service.
- **rmm-api.azcomputerguru.com must be grey-clouded** (DNS-only, not proxied) — Cloudflare proxy blocks WebSocket. Do NOT re-enable orange cloud. Gitea Issue #9.

### Security

- **C2 IP blocks are iptables only** — do not survive UDM reboot. Must add to permanent UniFi block list via UI. C2 IPs: 80.76.49.18, 45.88.91.99 (AS399486 Virtuo, Montreal).
- **AD1 disk 90% full** — C:\Engineering = 787 GB of 1023 GB. Risk of replication failures.
- **Windows Firewall disabled on AD2** (all profiles) — known risk, not yet remediated.
- **3 Windows 7 machines on network** (LABELPC, LABELPC2, D2-RCVG-003) — EOL, unpatched.
- **AD1/AD2 on Windows Server 2016** — mainstream support ended January 2022; extended support ends January 2027. Plan upgrade. (The Servers table lists AD2 as Windows Server 2022 after its rebuild — reconcile which DCs this applies to.)
- **Entra ID P2 not licensed** — IdentityRiskyUser risk check returns 403 even with scope consented. Would need P2 upgrade to enable Identity Protection.
- **IdentityRiskyUser.Read.All scope:** Consented to Security Investigator app but unusable (no P2 license).

---

## Active Work

As of 2026-05-12:

- **Test Datasheet Pipeline:** Production pipeline healthy. 469K records, 458.5K live on website. Daily task runs 02:30 AM. Email notification delivered via Graph API (Mail.Send granted to the Claude-Code-M365 app 2026-05-12) because sysadmin SMTP AUTH is blocked in Exchange Online. See `projects/dataforth-dos/CONTEXT.md`.
- **GAGEtrak email (ticket #32142):** calibration@ SMTP re-enabled 2026-04-23. GAGEtrak configured (smtp.office365.com:587, calibration@dataforth.com). Kevin Wackerly verifying schedule on DF-GAGETRAK — expected Monday run appears to run Tuesday.
- **DKIM rotation:** Automatic cutover to selector2 on 2026-05-16 — no action needed; verify signing after that date.
- **jlohr forwarding:** ntirety.com inbox rule active as of 2026-05-12; confirmed delivering to mike@azcomputerguru.com. Defunct transport rule pending cleanup.
- **RDS / SAGE-SQL:** RDS grace period reset. GPO cert distribution pending. RDS CALs purchase needed long-term.
- **28 offline machines** (at time of 2026-03-27 incident) — rescanned status unknown. These should be verified when available.
- **MFA enforcement ongoing** — 19 users were still not enrolled as of April 4 enforcement date; current count unverified.

---

## History Highlights

| Date | Event |
|---|---|
| 2025 | Crypto/ransomware attack — AD2 wiped and rebuilt, many files lost. Test datasheet pipeline broken. |
| 2026-01-19 | DOS Update System built and deployed — NWTOC/CTONW/UPDATE/DEPLOY BAT files, 39 deployments. Sync-FromNAS updated (DEPLOY.BAT). |
| 2026-03-20 | Galactic Advisors security assessment — AD1 C: at 90%, legacy SQL 2008 R2 client noted, 3 computers scanned. |
| 2026-03-23 | Galactic Advisors assessment analyzed by ACG. |
| 2026-03-27 | **Major security incident:** DF-JOEL2 compromised via social engineering/ScreenConnect (attacker "Angel Raya", C2 on Virtuo hosting). M365 sign-in from Turkey. Full remediation. 3 CA policies deployed. MFA notice sent. IC3 filed (1c32ade367084be9acd548f23705736f). |
| 2026-03-27–29 | Test datasheet pipeline rebuilt — 72/73 Quatronix datasheets generated, new Node.js pipeline replaces VB6 DFWDS + VB.NET uploader. |
| 2026-03-31 | Joel Lohr retirement. Brian Faires mailbox converted to shared (5,711 messages preserved). 38 stale Entra TS-* accounts deleted. |
| 2026-04-04 | MFA CA policies enforced (switched from report-only). |
| 2026-04-11–12 | SCMVAS/SCMHVAS pipeline extension — 27,503 records backfilled, 434 Engineering-Tested .txt files imported. |
| 2026-04-12 | TestDataDB PostgreSQL migration verified (2.89M records). Hoffman API discovered (Swagger). |
| 2026-04-13 | API architecture discussion with Hoffman — client_credentials grant confirmed for dataforth.onprem.sync client. |
| 2026-04-14 | DFWDS logic ported to Node.js (dfwds-process.js). 897 staged datasheets drained. 803 new records created on Hoffman API. |
| 2026-04-15 | Major release — DB dedup (2.89M→469K rows), FAIL→PASS retest rule, For_Web filesystem dependency eliminated, 170,984 records bulk-pushed to Hoffman. Dashboard UI upgrades. |
| 2026-04-23 | Full Dataforth tenant onboarded to all 5 ComputerGuru tiered apps. calibration@ SMTP AUTH fixed. DF-GAGETRAK GuruRMM agent enrolled (with auth workaround). Syncro ticket #32142 billed. |
| 2026-05-03 | jantar@dataforth.com darkweb breach check — no indicators of compromise. eM Client OAuth grant and SP revoked/disabled. 1 hr billed. |
| 2026-05-04 | Howard onsite — lobby phone offline (VLAN misconfiguration on D1-Server-Room port 1 → fixed to VLAN 100). |
| 2026-05-06 | SAGE-SQL RDS issues resolved — grace period reset, SSL cert replaced, TSGateway disabled, RemoteApp permission prompts fixed. |
| 2026-05-12 | Pipeline audit + email notifications implemented (Graph API). jlohr forwarding configured (ntirety.com → mike@). DKIM keys rotated. |

---

## Backlinks

- [[projects/dataforth-dos]] — Active test datasheet pipeline project on AD2
- [[systems/jupiter]] — Neptune Exchange physically colocated at Dataforth D2 facility; D2TESTNAS provides Tailscale routing
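The MFA item under Active Work leaves the enrollment count unverified, and the Conditional Access policies are recorded by name only. As an added example (not from this note and not ACG's own tooling), these Microsoft Graph PowerShell checks confirm the three ACG policies are enforced rather than report-only, show the named-location ranges and countries, list users still not MFA-registered and the break-glass exclusions, and pull successful non-US sign-ins from the last 30 days. It assumes the Microsoft.Graph module 2.x and a delegated sign-in with at least Security Reader; the scope set is an assumption, while policy, group and location names and the tenant ID are the note's own.

```powershell
# Added example (not from this note or from ACG tooling): verify the Conditional Access and
# MFA state recorded in this note with Microsoft Graph PowerShell. Assumes the Microsoft.Graph
# module (2.x) and a delegated sign-in with at least Security Reader; the scope set below is
# an assumption. Policy, group and location names and the tenant ID are the note's own.
Connect-MgGraph -TenantId '7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584' `
    -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Group.Read.All'

# 1. The three ACG policies must be 'enabled', not 'enabledForReportingButNotEnforced'.
$expected = 'ACG - Require MFA for All Users', 'ACG - Block Foreign Sign-Ins',
            'ACG - Block Legacy Authentication'
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($name in $expected) {
    $p = $policies | Where-Object DisplayName -eq $name
    if (-not $p)                    { Write-Warning "MISSING: $name" }
    elseif ($p.State -ne 'enabled') { Write-Warning "NOT ENFORCED ($($p.State)): $name" }
    else                            { Write-Host    "OK: $name" }
}

# 2. Named locations: the trusted office location should be exactly 67.206.163.122/32 and the
#    country location US only. Type-specific fields are exposed via AdditionalProperties.
Get-MgIdentityConditionalAccessNamedLocation -All | Select-Object DisplayName,
    @{ n = 'Trusted';   e = { $_.AdditionalProperties.isTrusted } },
    @{ n = 'IpRanges';  e = { ($_.AdditionalProperties.ipRanges | ForEach-Object { $_.cidrAddress }) -join ',' } },
    @{ n = 'Countries'; e = { $_.AdditionalProperties.countriesAndRegions -join ',' } }

# 3. Who is still not MFA-registered (the Active Work count is unverified) and who is exempt.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All `
    -Filter 'isMfaRegistered eq false' | Select-Object UserPrincipalName, IsMfaCapable, IsAdmin
"$(@($notRegistered).Count) user(s) not MFA-registered"
$notRegistered | Format-Table -AutoSize
$bg = Get-MgGroup -Filter "displayName eq 'MFA-Excluded-BreakGlass'"
Get-MgGroupMember -GroupId $bg.Id -All | ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# 4. Successful sign-ins from outside the US in the last 30 days. With the block policy
#    enforced this should be empty apart from MFA-Travel-Bypass members. Sign-in logs are kept
#    30 days on Entra ID P1 (included in Business Premium); filter server-side to keep it small.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0" |
    Where-Object { $_.Location.CountryOrRegion -and $_.Location.CountryOrRegion -ne 'US' } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, ConditionalAccessStatus |
    Format-Table -AutoSize
```

Anything non-US with `ConditionalAccessStatus` of `success` or `notApplied` deserves a look: either the user sits in MFA-Travel-Bypass or one of the break-glass exclusions, or the policy assignment has a gap. Risk-based checks (IdentityRiskyUser) are deliberately left out because the tenant has no P2 license and those calls return 403 here.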