Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise (NEW) - 13 files
- cascades-tucson - 47 files merged (existing had only reports/)
- dataforth - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa (NEW) - 22 files, multi-site (camden, river)
- kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/ - clean_printer_ports, win11_upgrade,
  screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
123 lines
6.8 KiB
Markdown
# Cascades Network Migration — Revised Operational Plan

## Context

Cascades senior living facility (236 rooms, 6 floors). New MSP takeover from previous company that left environment non-compliant. **Core mission: HIPAA remediation and compliance.** Synology NAS stores PHI, nurses/medtechs access clinical records via ALIS (cloud), and email may contain resident data. See `security/hipaa.md` for full gap analysis.

Single 16-year-old server (CS-SERVER, 192.168.2.254) on LAN (192.168.0.0/22) running all roles. Staff PCs currently on WiFi (INTERNAL VLAN 20, 10.0.20.0/24). Printers on LAN. No backups, no GPOs, wide-open firewall, 4 PCs not domain-joined.

**Revised approach:** Network first. Move all devices to INTERNAL VLAN 20, then lock down. Server and printers move to INTERNAL **last** — no disruption during transition.

**Transitional state:** Machines on INTERNAL (10.0.20.0/24) → pfSense firewall bridges → CS-SERVER + printers on LAN (192.168.0.0/22). Everything works cross-subnet until we move the server.

**HIPAA drives every phase:** Backup (Phase 0) → network isolation (Phase 1) → access control + encryption (Phase 2) → centralized management (Phase 3) → PHI migration with audit trails (Phase 4) → shared account elimination (Phase 5).

---

## Schedule

| Session | Steps | Est. Time | Impact |
|---------|-------|-----------|--------|
| Session 1 (evening) | 1 + 2 | ~3-4 hours | Backup + firewall changes during low usage |
| Session 2 (coordinated) | 3 | ~2-3 hours | Brief disruption per machine during port change |
| Session 3 (business hours) | 4 | ~4-6 hours | No user impact — server-side only |
| Session 4 (coordinated) | 5 | ~4-6 hours | Brief disruption per machine during domain join |
| Session 5 (business hours) | 6 + 8 | ~4-5 hours | Synology cutover + hardening |
| Session 6 (TBD) | 7 | ~3-4 hours | Server/printer IP changes — schedule when stable |

**Total: ~20-28 hours across 6 sessions**

---

## Steps

| Step | Description | Runbook | Scripts |
|------|-------------|---------|---------|
| 1 | Emergency Backup | [phase0-safety-net.md](phase0-safety-net.md) | [phase0-export-configs.ps1](scripts/phase0-export-configs.ps1), [phase0-remote-checks.ps1](scripts/phase0-remote-checks.ps1) |
| 2 | Firewall & VLAN Setup | [phase1-network.md](phase1-network.md) | Manual (pfSense/UniFi web UI) |
| 3 | Identify & Move Switch Ports | [step3-switch-ports.md](step3-switch-ports.md) | Manual (UniFi web UI + on-site) |
| 4 | Server Preparation — AD & Shares | [phase2-server-prep.md](phase2-server-prep.md) | [phase2-dns-cleanup.ps1](scripts/phase2-dns-cleanup.ps1), [phase2-ad-setup.ps1](scripts/phase2-ad-setup.ps1), [phase2-sync-synology.ps1](scripts/phase2-sync-synology.ps1), [phase2-file-shares.ps1](scripts/phase2-file-shares.ps1), [phase2-print-server.ps1](scripts/phase2-print-server.ps1) |
| 5 | Domain Join | [phase3-domain-join.md](phase3-domain-join.md) | [phase3-pre-join-verify.ps1](scripts/phase3-pre-join-verify.ps1), [phase3-join-domain.ps1](scripts/phase3-join-domain.ps1), [phase3-post-join-verify.ps1](scripts/phase3-post-join-verify.ps1) |
| 6 | Synology Transition | [phase4-synology.md](phase4-synology.md) | [phase4-archive-synology.ps1](scripts/phase4-archive-synology.ps1) |
| 7 | Move Server & Printers to INTERNAL | [step7-server-move.md](step7-server-move.md) | Manual |
| 8 | Hardening & Cleanup | [phase5-hardening.md](phase5-hardening.md) | Manual + documentation updates |

---

## Session Log

| Session | Date | Focus | Status |
|---------|------|-------|--------|
| 1 | 2026-03-06 | Initial audit, data gathering, documentation buildout | Done |
| 2 | 2026-03-06 | Guest WiFi isolation, DNS fixes, firewall aliases | Done |
| 3 | 2026-03-07 | Backup setup, config exports, quick fixes | [session3-2026-03-07.md](session3-2026-03-07.md) |
| 4 | TBD | Firewall aliases, INTERNAL rules, floating rule #4 | Planned |
| 5 | TBD (onsite) | Test isolation, gather device info, Pro upgrade | Planned |

---

## On-Site Tasks (separate trip)

| Task | Why |
|------|-----|
| Fix 9 offline APs | Physical access to check PoE, cables, re-adopt |
| Wire 206 printer (ethernet) | Cable run |
| Locate Bizhub C368 | Physical walkthrough |
| Get printer MAC addresses | If not in pfSense ARP/DHCP table |
| Verify switch port assignments | Physical trace if UniFi doesn't show clearly |

---

## Information Still Needed

1. **Switch port mappings** — Which switch port is each hardwired workstation plugged into? Check UniFi → Clients or trace physically. Only CHEF-PC (USW Lite 8 Port 7) is known.
2. **DESKTOP-1ISF081 IP and location** — What IP does it have and where is it physically?
3. **MDIRECTOR-PC** — Confirm it should move to INTERNAL or stay on LAN (MemCare Director's machine, currently at 192.168.3.20)
4. **Printer MAC addresses** — Need for DHCP reservations if not already in pfSense ARP table
5. **Step 7 decision** — Move CS-SERVER to INTERNAL, dual-home it, or leave on LAN permanently?

---

## Rollback Procedures

Each step has a rollback section. Key rollbacks:

- **Step 2:** Re-enable floating rule #4, revert Guest SSID, restore pfSense XML backup
- **Step 3 (per machine):** Revert switch port to native VLAN
- **Step 4:** Unlink GPOs from GPMC. DNS records exported in Step 1.
- **Step 5 (per machine):** Log in with MSPAdmin local account, `Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart`
- **Step 6:** Rename archive folder back to SynologyDrive
- **Step 7:** Revert printer/server IPs, restore firewall rules

---

## Verification

After each step, confirm:

- **Step 2:** INTERNAL machines can reach server + printers through firewall
- **Step 3:** Hardwired machines on INTERNAL get correct IPs, reach server + printers
- **Step 4:** All shares/groups/GPOs created correctly on CS-SERVER
- **Step 5:** Domain-joined machines get GPOs, drive mappings, printers automatically
- **Step 6:** Users can access all files via mapped drives (no more Synology Drive Client)
- **Step 7:** Server/printers accessible on new IPs from all machines
- **Step 8:** Endpoint security deployed, old accounts/shares cleaned up
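The workstation-side checks above (transitional-state reachability through pfSense for Steps 2, 3 and 7, and the domain-join results for Step 5) can be scripted so the same verification is run on every machine and the failures are listed in one table. The script below is an added example written for this page; it is not one of the plan's runbook scripts (`phase3-post-join-verify.ps1` is not reproduced here). CS-SERVER's address (192.168.2.254) and the INTERNAL prefix (10.0.20.) come from the plan; the printer IPs and expected drive letters in the parameter block are placeholders to replace with the site's values.

```powershell
<#
  Added example, not part of the Cascades runbooks. Run on a workstation after it
  has been moved to INTERNAL (Steps 2/3), domain-joined (Step 5) or re-pointed at
  the server's new IP (Step 7). Run from an elevated window as the logged-in user:
  gpresult /scope computer needs elevation.
  From the plan: CS-SERVER = 192.168.2.254, INTERNAL = 10.0.20.0/24.
  Placeholders: printer IPs, expected drive letters.
#>
[CmdletBinding()]
param(
    [string]   $ServerName     = 'CS-SERVER',
    [string]   $ServerIp       = '192.168.2.254',
    [string[]] $PrinterIps     = @('192.168.0.201', '192.168.0.202'),  # placeholders
    [string]   $InternalPrefix = '10.0.20.',
    [string[]] $ExpectedDrives = @('S:', 'H:')                         # placeholders
)

$results = New-Object System.Collections.Generic.List[object]

function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail = '')
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Step 3: the NIC picked up an INTERNAL (10.0.20.x) address, not a LAN one.
$ip = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
      Where-Object { $_.IPAddress -like "$InternalPrefix*" } |
      Select-Object -First 1 -ExpandProperty IPAddress
Add-Check 'On INTERNAL subnet' ([bool]$ip) $(if ($ip) { $ip } else { 'no 10.0.20.x address' })

# Steps 2 and 7: pfSense must pass the AD/SMB ports from INTERNAL to the server.
# 53 DNS, 88 Kerberos, 389 LDAP, 445 SMB.
foreach ($port in 53, 88, 389, 445) {
    $t = Test-NetConnection -ComputerName $ServerIp -Port $port -WarningAction SilentlyContinue
    Add-Check "Server $ServerIp TCP/$port" $t.TcpTestSucceeded ''
}

# Printers: TCP 9100 (RAW) is what the print server and direct-IP ports use.
foreach ($p in $PrinterIps) {
    $t = Test-NetConnection -ComputerName $p -Port 9100 -WarningAction SilentlyContinue
    Add-Check "Printer $p TCP/9100" $t.TcpTestSucceeded ''
}

# The server name must resolve through the domain DNS, not a stale hosts entry.
$dns = Resolve-DnsName -Name $ServerName -Type A -ErrorAction SilentlyContinue
Add-Check 'Server name resolves' ([bool]$dns) ($dns.IPAddress -join ',')

# Step 5: domain membership.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain

# Step 5: computer GPOs actually applied. gpresult prints the names under
# "Applied Group Policy Objects"; "N/A" means joined but no policy received.
$applied = @()
$inBlock = $false
foreach ($line in (gpresult /r /scope computer 2>$null)) {
    if ($line -match 'Applied Group Policy Objects') { $inBlock = $true; continue }
    if (-not $inBlock) { continue }
    if ($line -match '^\s*-+\s*$' -or $line -match '^\s*$') { continue }  # separator/blank
    if ($line -match 'The following GPOs') { break }                     # end of list
    $applied += $line.Trim()
}
$applied = @($applied | Where-Object { $_ -and $_ -ne 'N/A' })
Add-Check 'Computer GPOs applied' ($applied.Count -gt 0) ($applied -join '; ')

# Steps 5/6: drive mappings and printer connections delivered by GPO.
$maps = Get-SmbMapping -ErrorAction SilentlyContinue
foreach ($d in $ExpectedDrives) {
    $m = $maps | Where-Object LocalPath -eq $d
    Add-Check "Drive $d mapped" ([bool]$m) $(if ($m) { $m.RemotePath } else { 'missing' })
}
$printers = Get-Printer -ErrorAction SilentlyContinue | Where-Object Type -eq 'Connection'
Add-Check 'Shared printers connected' ([bool]$printers) ($printers.Name -join '; ')

# Report: one row per check, non-zero exit if anything failed so the result can
# be collected per machine (e.g. from a ScreenConnect command).
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
if ($failed -gt 0) { Write-Warning "$failed check(s) failed"; exit 1 }
```

One caveat when reading the drive and printer rows: GPO drive mappings are per user logon session, and with UAC's split token an elevated window may not see the mappings of the same user's unelevated session. If only the `Drive ... mapped` rows fail in an elevated run, re-run unelevated for those two checks before treating them as a Step 5 failure.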

---

## Issues Resolved

| Issue | Resolution |
|-------|-----------|
| Floating rule #4 passes all IPv4 | Replaced with scoped rules |
| Guest WiFi on server LAN | Isolated to VLAN 50 |
| No GPOs configured | Security baseline, drives, printers, updates, folder redirection |
| 4 PCs not domain-joined | All joined |
| No backup | Synology ABB + offsite |
| Shared/generic AD accounts | Replaced with individual accounts |
| Stale DNS records | Cleaned up, scavenging enabled |
| Room 218 DHCP (single IP) | Range end fixed |
| Timezone mismatch | Both set to America/Phoenix |
| Room 130 dead firewall rule | Deleted |
| VLAN 10 mismatch | Deleted from UniFi |
| 5 stale disabled AD accounts | Deleted |
| Synology Sync VM | Deleted from Hyper-V |