claudetools/wiki/clients/dataforth.md
Mike Swanson 63109d9033 wiki: seed Dataforth client + dataforth-dos project articles
wiki/clients/dataforth.md — 278 lines: prepaid block contract, all
servers/IPs, full contact table, M365/CA policy details, GuruRMM
enrollment, patterns (RDS/SAGE-SQL quirks, AD anomalies, C2 iptables
not persistent, Win7 EOL), security incident history table.

wiki/projects/dataforth-dos.md — 474 lines: DOS update system +
TestDataDB pipeline, PostgreSQL schema, FAIL→PASS retest rule,
H-prefix decode table, security incident (DF-JOEL2/MFA/IC3), D2TESTNAS
role, Neptune SBR email routing, Hoffman API, all anti-patterns.

wiki/index.md — Dataforth added to Clients + Projects tables and
Cross-Reference; d2testnas added to compilation queue.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 17:56:35 -07:00


type: client
name: dataforth
display_name: Dataforth Corporation
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  • clients/dataforth/docs/overview.md
  • clients/dataforth/docs/active-directory.md
  • clients/dataforth/docs/workstations.md
  • clients/dataforth/docs/manufacturing.md
  • clients/dataforth/docs/billing-log.md
  • clients/dataforth/docs/SYNC_SCRIPT_UPDATE_SUMMARY.md
  • clients/dataforth/docs/incident-2026-03-27-abuse-report-virtuo.md
  • clients/dataforth/docs/incident-2026-03-27-abuse-report-connectwise.md
  • clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md
  • clients/dataforth/session-logs/2026-03-27-security-incident-mfa-datasheets.md
  • clients/dataforth/session-logs/SESSION-SUMMARY.md
  • clients/dataforth/session-logs/MEMORY.md
  • clients/dataforth/session-logs/2026-04-12-session.md
  • clients/dataforth/session-logs/2026-04-13-session.md
  • clients/dataforth/session-logs/2026-04-14-session.md
  • clients/dataforth/session-logs/2026-04-23-session.md
  • clients/dataforth/session-logs/2026-05-03-session.md
  • clients/dataforth/session-logs/2026-05-04-lobby-phone-vlan-fix.md
  • clients/dataforth/session-logs/2026-05-06-session.md
  • clients/dataforth/session-logs/2026-05-12-session.md
  • clients/dataforth/session-logs/project_ad2_context.md
  • clients/dataforth/session-logs/project_pipeline_rebuilt.md
  • clients/dataforth/session-logs/project_test_datasheet_pipeline.md
  • clients/dataforth/session-logs/project_new_product_lines.md
  • projects/dataforth-dos/CONTEXT.md
  • .claude/memory/project_dataforth_incident_2026-03-27.md
  • .claude/memory/project_datasheet_pipeline.md
  • .claude/memory/project_neptune_sbr_email_routing.md
  • .claude/memory/reference_dataforth_contact.md
  • .claude/memory/reference_neptune_access_d2testnas.md
  • .claude/memory/feedback_d2testnas_ssh.md
  • .claude/memory/infra_office_network.md
backlinks:
  • projects/dataforth-dos
  • systems/jupiter

Dataforth Corporation

Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing ACG client. Active managed relationship — monthly prepaid block. Notable for 64 MS-DOS 6.22 test stations, a major security incident in March 2026, and an ongoing test datasheet pipeline modernization project.


Profile

  • Contract type: Prepaid hour block (monthly replenishment invoice $2,098.87)
  • Key contacts:
| Name | Username | Role | Email |
|---|---|---|---|
| Dan Center | dcenter | Operations (primary IT contact) | dcenter@dataforth.com |
| John Lehman | jlehman | Engineering, QB code, test specs | jlehman@dataforth.com |
| Peter Iliya | pIliya | Applications Engineer | pIliya@dataforth.com |
| Georg Haubner | ghaubner | Engineering; D: drive on HGHAUBNER has pre-ransomware-attack backup | ghaubner@dataforth.com |
| Kevin Wackerly | kwackerly | IT/Admin, handles calibration@ account | kwackerly@dataforth.com |
| Logan Tobey | ltobey | Support/Sales | ltobey@dataforth.com |
| Ben Wadzinski | bwadzinski | Engineering | |
| Lee Payne | lpayne | Engineering | |
| Theresa Dean | tdean | Admin | tdean@dataforth.com |
| Joel Lohr | jlohr | RETIRED 2026-03-31 — account intentionally kept enabled; inbox rule forwards ntirety.com notifications to mike@azcomputerguru.com | jlohr@dataforth.com |
| Ken Hoffman | khoffman / oemdata | TestDataSheetUploader author, external; also owns Dataforth product API | |
  • External distributor: Ginger (gy@quatronix-cn.com) — Quatronix China; receives datasheets
  • Billing rate: Prepaid block; all invoices show $0.00 — hours drawn from block
  • Hours remaining: 46.5 hrs as of 2026-05-03 (after 1 hr billed that session). Always live-check Syncro before billing — GET /customers/578095.
  • Syncro customer ID: 578095

Infrastructure

Servers & Services

| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| AD1 | 192.168.0.27 | Primary DC, DNS, FSMO roles, Engineering share | Windows Server 2016 | C:\ at 90% capacity (C:\Engineering = 787 GB) — critical risk. FSMO roles (assumed all). |
| AD2 | 192.168.0.6 | Secondary DC, TestDataDB service host, NAS mirror, WebShare | Windows Server 2022 | Hosts testdatadb Node.js service on :3000. Wiped by crypto attack 2025 — rebuilt. Windows Firewall disabled (all profiles). |
| FILES-D1 | | File server | | Sales docs (W:), archive (Y:) |
| SAGE-SQL | 192.168.0.153 | Sage ERP (S:), RDS Session Host/Connection Broker/Web Access | Windows Server | RDS licensing grace period was expired (reset 2026-05-06). TSGateway disabled (server not externally exposed). New self-signed RDS cert installed. Bitdefender GravityZone managed AV. |
| 3CX | 192.168.0.125 | Phone system | | Last logon Oct 2025 — possibly inactive |
| DF-HYPERV-B | | Hyper-V hypervisor | | |
| D2TESTNAS | 192.168.0.9 | SMB1 bridge for DOS test stations; Neptune Exchange physically colocated | Linux (CachyOS) | Runs rsync daemon on port 873 (module: test, user: rsync). SMB1 only — required for DOS 6.22 stations. SSH: root@192.168.0.9. Also provides Tailscale route for 172.16.0.0/22 to reach ACG office LAN. |
| ESXi hosts | 192.168.0.122, 192.168.0.124 | VMware ESXi hypervisors | ESXi | |
| UDM Firewall | 192.168.0.254 | Perimeter firewall/router | UniFi OS | MAC d0:21:f9:6c:11:02. Also responds on 192.168.0.1. SSH key: ~/.ssh/id_ed25519_udm. C2 IPs blocked via iptables (NOT permanent — need to add to UniFi UI). |
| PBX (3CX/Sangoma) | 192.168.100.2 (also .196) | VoIP PBX — production phones on 192.168.100.0/24 | | TFTP provisioning for Cisco SPA502G phones. Access via SSH: sangoma@192.168.100.2. Vault: clients/dataforth/pbx.sops.yaml |

Neptune Exchange (ACG infrastructure, physically at Dataforth D2):

  • neptune.acghosting.com | internal 172.16.3.11 | external inbound 67.206.163.124 / outbound 67.206.163.122
  • Exchange Server 2016, active ACG-hosted mail server for multiple clients
  • Physically colocated at Dataforth's D2 facility — NOT on ACG office LAN despite 172.16.x.x IP
  • Access requires routing through D2TESTNAS (192.168.0.9): Dataforth UDM has a 172.16.x.x subnet that overlaps ACG office LAN, making direct routing ambiguous
  • SNAT rule on Dataforth UDM at /data/on_boot.d/10-neptune-snat.sh should force Neptune outbound to use .124 (not always active — verify)
  • Vault: clients/dataforth/neptune-exchange.sops.yaml
  • [WARNING] TODO: Resubnet Dataforth UDM to a non-overlapping range to permanently fix Neptune routing

Workstations (summary)

| Category | Count | OS | Notable |
|---|---|---|---|
| Engineering | ~12 | Win 10/11 Pro | HGHAUBNER (192.168.0.148) has pre-attack D: backup. D1-PWRM for PWRM10 test. |
| Manufacturing/Assembly | ~14 | Win 10/11 Pro | AS24, AS26 + various assembly/hi-pot stations |
| Office/Admin | ~12 | Win 10/11 Pro | DF-GAGETRAK (192.168.0.102) — GAGEtrak calibration host. DF-JOEL2 (192.168.0.174) — compromised 2026-03-27, remediated. |
| End-of-Life (Win 7) | 3 | Windows 7 Pro | LABELPC (192.168.0.100), LABELPC2 (192.168.0.98), D2-RCVG-003 (192.168.0.47) — EOL, on network |
| DOS Test Stations | 64 | MS-DOS 6.22 | TS-1 through TS-30 + variants. Not domain-joined. SMB1 via D2TESTNAS. |

Email & Identity

  • M365 tenant: dataforth.com | Tenant ID: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
  • Entra ID Sync: Yes — Azure AD Connect from OU=SyncedUsers only
  • M365 licenses: 50x Business Premium (39 used), 19x Exchange Online Plan 1 (5 used), 5x SPB (4 used)
  • SMTP settings: smtp.office365.com, port 587, STARTTLS — use sysadmin@dataforth.com
  • SMTP AUTH status: Tenant-level not disabled; per-mailbox varies. calibration@dataforth.com had SmtpClientAuthentication=true re-enabled 2026-04-23. sysadmin@dataforth.com SMTP AUTH is blocked by Exchange Online default — testdatadb uses Graph API for email (Mail.Send permission granted to Claude-Code-M365 app 2026-05-12).
  • DKIM: Both selector1 and selector2 published. Rotated 2026-05-12; cutover to selector2 on 2026-05-16.
    • selector1._domainkey.dataforth.com → selector1-dataforth-com._domainkey.dataforthcom.onmicrosoft.com
    • selector2._domainkey.dataforth.com → selector2-dataforth-com._domainkey.dataforthcom.onmicrosoft.com
  • DNS Host: ntirety.com — Dataforth's public DNS zone managed through ntirety's portal (not a standard registrar). DNS change requests go to ntirety, not a domain control panel. Joel Lohr's account retained to receive ntirety.com infrastructure notifications (inbox rule → mike@azcomputerguru.com).
  • INKY PhishFence: Active transport rule B859327F-3FBD-4BE7-A47A-97D02F1558A7 is evaluated first (lowest priority number) and has StopRuleProcessing set, so no later custom transport rule runs for the messages it matches. Use inbox rules for per-user mail routing.
  • MFA: 3 Conditional Access policies created 2026-03-27 (initially report-only; enforced 2026-04-04):
    • "ACG - Require MFA for All Users" — skip from office IP 67.206.163.122
    • "ACG - Block Foreign Sign-Ins" — US-only; MFA-Travel-Bypass group for exceptions
    • "ACG - Block Legacy Authentication"
  • Named locations: Dataforth Office - Tucson (67.206.163.122/32, trusted), Allowed Countries - US Only
  • MFA-Excluded-BreakGlass group: Brian Faires, Dataforth Calibration, Dataforth Notifications, Endcap, Tablet 01
  • MFA enrollment (as of 2026-03-27): 19/38 ready, 19 needed setup — deadline April 4, 2026
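The three Conditional Access policies above expressed as Microsoft Graph request bodies, added here as a worked example; this is not ACG's own tooling and not an export of the objects in the tenant. The named-location and group object IDs are placeholders (look them up with `Get-MgIdentityConditionalAccessNamedLocation` / `Get-MgGroup` first); the names, exclusions and the report-only-then-enforce sequence follow what is documented above.

```python
"""Graph bodies for the three "ACG - ..." Conditional Access policies.

Added example, not Dataforth/ACG tooling. All object IDs are placeholders
(assumed); everything else mirrors the policy descriptions in this article.
POST each body to /v1.0/identity/conditionalAccess/policies in report-only
state, review sign-in logs, then PATCH the state produced by enforce().
"""
import copy
import json

# Placeholder object IDs, NOT real tenant values.
OFFICE_LOCATION_ID = "00000000-0000-0000-0000-00000000aaaa"    # Dataforth Office - Tucson (67.206.163.122/32)
US_ONLY_LOCATION_ID = "00000000-0000-0000-0000-00000000bbbb"   # Allowed Countries - US Only
BREAKGLASS_GROUP_ID = "00000000-0000-0000-0000-00000000cccc"   # MFA-Excluded-BreakGlass
TRAVEL_BYPASS_GROUP_ID = "00000000-0000-0000-0000-00000000dddd"  # MFA-Travel-Bypass

REPORT_ONLY = "enabledForReportingButNotEnforced"


def _base(display_name, exclude_groups):
    """Common skeleton: all users, all cloud apps, break-glass group excluded."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def require_mfa_policy():
    """MFA everywhere except from the trusted office egress IP."""
    p = _base("ACG - Require MFA for All Users", [BREAKGLASS_GROUP_ID])
    p["conditions"]["locations"] = {
        "includeLocations": ["All"],
        "excludeLocations": [OFFICE_LOCATION_ID],
    }
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def block_foreign_policy():
    """Block sign-ins from outside the US named location; travel group exempt."""
    p = _base("ACG - Block Foreign Sign-Ins", [BREAKGLASS_GROUP_ID, TRAVEL_BYPASS_GROUP_ID])
    p["conditions"]["locations"] = {
        "includeLocations": ["All"],
        "excludeLocations": [US_ONLY_LOCATION_ID],
    }
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def block_legacy_auth_policy():
    """Block clients that cannot perform MFA (basic-auth protocols, EAS)."""
    p = _base("ACG - Block Legacy Authentication", [BREAKGLASS_GROUP_ID])
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def all_policies():
    return [require_mfa_policy(), block_foreign_policy(), block_legacy_auth_policy()]


def enforce(policy):
    """Copy of a policy switched from report-only to enforced (PATCH body)."""
    p = copy.deepcopy(policy)
    p["state"] = "enabled"
    return p


def check_policy(policy):
    """Guardrails before POST: every policy keeps the break-glass exclusion, and
    a block policy must be narrowed by location or client app type so it can
    never lock out the whole tenant."""
    users = policy["conditions"]["users"]
    if BREAKGLASS_GROUP_ID not in users.get("excludeGroups", []):
        return False
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "block" in controls:
        loc = policy["conditions"].get("locations")
        apps = policy["conditions"]["clientAppTypes"]
        if not (loc and loc.get("excludeLocations")) and apps == ["all"]:
            return False
    return True


if __name__ == "__main__":
    for pol in all_policies():
        assert check_policy(pol), pol["displayName"]
        print(json.dumps(pol, indent=2))
```

The token used for the POST needs `Policy.ReadWrite.ConditionalAccess`; keep the break-glass accounts signed in on a separate session while flipping the state to `enabled`, since a mistake in the location exclusions blocks every interactive sign-in at once.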

Network

  • Domain: intranet.dataforth.com | Forest/Domain Level: Windows Server 2016
  • ISP: fdtnet.net | Public IP: 67.206.163.122 (outbound), 67.206.163.124 (Neptune inbound)
  • Firewall/Router: UniFi Dream Machine at 192.168.0.254 (also 192.168.0.1)
  • Network: Flat (no VLANs on main LAN — 192.168.0.0/24). Voice/PBX VLAN: 192.168.100.0/24 — production phones live here. UDM default voice VLAN (192.168.1.0/24) not wired to PBX.
  • VPN: FortiClient required for remote access to 192.168.0.x. VPN can drop mid-session — save work frequently.
  • Drive mappings (GPO): B: (\\ad1\itsvc), Q: (\\ad2\c-drive), S: (\\SAGE-SQL\sage), T: (\\ad2\e-drive), W: (\\files-d1\sales), X: (\\ad2\webshare), Y: (\\files-d1\archive). DOS test stations: T: (\\D2TESTNAS\test), X: (\\D2TESTNAS\datasheets)

GuruRMM Enrollment

  • Site name: Dataforth D1 | Site ID: 3a2f6866-26cd-452c-9806-a8df21475c3c
  • Site API key: vault clients/dataforth/... [check vault for current entry]
  • DF-GAGETRAK enrolled: Agent ID 7626d82c-0736-47a6-8bc6-68e39859caed, device ID win-901ce38b-fb6e-44b8-a577-7c0bdf269a9a — enrolled 2026-04-23
  • [WARNING] GuruRMM enrollment workaround: WebSocket auth in ws/mod.rs does not validate enrolled_agents.agent_key_hash. New agent installs must overwrite registry AgentKey with the site API key (not the enrollment AgentKey) and restart service. See Gitea issue #8.

Key Applications

| Application | Host | URL/Port | Notes |
|---|---|---|---|
| TestDataDB | AD2 | http://192.168.0.6:3000 | Node.js + Express, PostgreSQL 18, 469K records. Internal LAN only. |
| Sage ERP | SAGE-SQL | \\SAGE-SQL\sage (S:) | RDS-served RemoteApp |
| GageTrak | DF-GAGETRAK (192.168.0.102) | | Calibration tracking. Sends email via calibration@dataforth.com (SMTP). GuruRMM enrolled. |
| Dataforth Product API | Hoffman's servers | https://www.dataforth.com/api/v1/TestReportDataFiles | OAuth2 client_credentials. Vault: clients/dataforth/api-oauth.sops.yaml |
| QuickBASIC 4.5 ATE | 64 DOS stations | T:\ (\\D2TESTNAS\test) | Automated test equipment programs. 1,470+ product model specs. |

Access

Domain / Server Access

  • AD2 SSH: ssh sysadmin@192.168.0.6 (port 22) — vault: clients/dataforth/ad2.sops.yaml → credentials.password. NOTE: the vault entry carries a stale backslash escape; strip it with sed 's/\\//g'
  • AD1 SSH: ssh sysadmin@192.168.0.27 — vault: clients/dataforth/ad1.sops.yaml
  • D2TESTNAS SSH: ssh root@192.168.0.9 — vault: clients/dataforth/d2testnas.sops.yaml. Use root, NOT sysadmin (sysadmin SSH fails on D2TESTNAS). SSH key from acg-guru-5070 authorized.
  • UDM SSH: ssh root@192.168.0.254 — SSH key ~/.ssh/id_ed25519_udm (generated 2026-03-27)
  • SAGE-SQL SSH: ssh sysadmin@192.168.0.153 — SSH key (C:\ProgramData\ssh\administrators_authorized_keys on SAGE-SQL)
  • All servers use the same domain admin account (sysadmin) with one shared password. Take it from the per-server vault entries listed above; it is deliberately not written on this page.
  • WinRM (AD2/AD1): port 5985 — pywinrm with NTLM, user INTRANET\sysadmin
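A small audit over the WinRM access path described above, added as a worked example (not ACG tooling): it runs `Get-NetFirewallProfile` on a DC with pywinrm over NTLM and reports which profiles are off, so the AD2 "Windows Firewall disabled (all profiles)" finding can be re-checked after remediation. The host list, the `WINRM_PASSWORD` environment variable and the JSON sample are assumptions; the sample is constructed to look like AD2 today.

```python
"""Check Windows Firewall profile state on AD1/AD2 via WinRM (5985, NTLM).

Added example, not ACG tooling. The password is read from $WINRM_PASSWORD
(assumed) rather than embedded; SAMPLE_OUTPUT is constructed, not captured.
Enabled is cast to [string] in the query because the GpoBoolean enum would
otherwise serialise as an integer (0/1/2) and be misread.
"""
import json
import os

PS_QUERY = (
    "Get-NetFirewallProfile | "
    "Select-Object Name, @{Name='Enabled';Expression={[string]$_.Enabled}} | "
    "ConvertTo-Json -Compress"
)

# Constructed to mirror the AD2 finding: every profile switched off.
SAMPLE_OUTPUT = (
    '[{"Name":"Domain","Enabled":"False"},'
    '{"Name":"Private","Enabled":"False"},'
    '{"Name":"Public","Enabled":"False"}]'
)


def parse_profiles(stdout: str) -> dict:
    """Map profile name -> enabled (bool). ConvertTo-Json emits a bare object
    instead of a list when only one profile comes back, so normalise that."""
    data = json.loads(stdout)
    if isinstance(data, dict):
        data = [data]
    return {p["Name"]: str(p["Enabled"]).lower() == "true" for p in data}


def disabled_profiles(stdout: str) -> list:
    """Sorted names of profiles that are off; an empty list is the healthy state.
    'NotConfigured' is treated as not enabled so it gets a human look."""
    return sorted(name for name, on in parse_profiles(stdout).items() if not on)


def query_host(host: str, user: str = "INTRANET\\sysadmin") -> list:
    """Run PS_QUERY on `host` and return its disabled profiles. Needs pywinrm."""
    import winrm  # pip install pywinrm
    session = winrm.Session(
        f"http://{host}:5985/wsman",
        auth=(user, os.environ["WINRM_PASSWORD"]),
        transport="ntlm",
    )
    result = session.run_ps(PS_QUERY)
    if result.status_code != 0:
        raise RuntimeError(result.std_err.decode(errors="replace"))
    return disabled_profiles(result.std_out.decode())


if __name__ == "__main__":
    for host in ("192.168.0.27", "192.168.0.6"):  # AD1, AD2
        off = query_host(host)
        print(host, "OK" if not off else "FIREWALL OFF: " + ", ".join(off))
```

Plain HTTP on 5985 is what the page documents; NTLM protects the credential exchange but the session payload is only encrypted when pywinrm's message encryption is in effect, so run this from the LAN or over the VPN, not across an untrusted path.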

M365 / Entra

  • M365 admin: sysadmin@dataforth.com — vault: clients/dataforth/m365.sops.yaml
  • Tenant ID: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
  • Claude-Code-M365 Entra App: App ID 7a8c0b2e-57fb-4d79-9b5a-4b88d21b1f29, secret expires 2027-12-22 — vault: clients/dataforth/m365.sops.yaml → credentials.entra-app
  • MSP Multi-Tenant App (Claude-MSP-Access): MSP tenant ce61461e-81a0-4c84-bb4a-7b354a9a356d, App ID fabb3421-8b34-484b-bc17-e46de9703418 — vault: msp-tools SOPS file
  • ComputerGuru tiered apps: All 5 apps consented 2026-04-23. Exchange Operator SP (b43e7342) had Exchange Admin role added manually (gap in onboard-tenant.sh — not auto-assigned for Exch Operator).

Dataforth Product API (Hoffman)

  • Vault: clients/dataforth/api-oauth.sops.yaml
  • Token URL: https://login.dataforth.com/connect/token
  • Grant: client_credentials, Client ID: dataforth.onprem.sync, Scope: dataforth.web
  • Token TTL: 1 hour
  • Swagger: https://www.dataforth.com/swagger/index.html

ESXi / Hypervisors

  • ESXi-122: 192.168.0.122 — vault: clients/dataforth/esxi-122.sops.yaml
  • ESXi-124: 192.168.0.124 — vault: clients/dataforth/esxi-124.sops.yaml

PBX

  • Vault: clients/dataforth/pbx.sops.yaml

Patterns & Known Issues

Active Directory

  • No custom security groups — only default Windows groups. Service accounts in OU=ServiceAccounts.
  • ClaudeTools-ReadOnly AD account — purpose unclear. Investigate.
  • Ken Hoffman has two accounts (khoffman + oemdata) — not consolidated.
  • jlohr account retained — post-retirement (2026-03-31), kept enabled specifically to receive ntirety.com infrastructure notifications. Inbox rule forwards to mike@azcomputerguru.com. Do NOT disable.
  • Entra sync scope: Only OU=SyncedUsers syncs to Entra. CompanyUsers OU does NOT sync. 38 stale TS-* test station accounts were cleaned from Entra 2026-03-27.

RDS / SAGE-SQL

  • RDS licensing: Grace period reset 2026-05-06 by deleting GracePeriod registry key. Grace period expires again without proper CALs. Purchase RDS CALs (Per User mode, LicensingType=4).
  • TSGateway: Disabled on SAGE-SQL (server not externally exposed at firewall). Do NOT re-enable without reason.
  • SSL cert: Self-signed, subject CN=sage-sql.intranet.dataforth.com. Non-domain machines must manually import to Trusted Root + Trusted Publishers.
  • GPO cert distribution: Not completed (AD2 SYSVOL write blocked from non-domain workstation). Pending.
  • Bitdefender GravityZone: Managed AV on SAGE-SQL. Can block PowerShell execution — may need temporary disable for admin work.

Voice / Phones

  • Production phones VLAN: 192.168.100.0/24. PBX at .196 / .2. All production phones live here.
  • Unifi default voice VLAN (192.168.1.0/24): NOT used for production — phones landing here cannot reach PBX. Switch port misconfiguration symptom: phone shows wrong date/time (NTP failure) and no dial tone.
  • D1-Server-Room port 1: Controls lobby drop → must stay on VLAN 100. Reverted to default once before (2026-05-04 incident).

Exchange Online / Email

  • INKY PhishFence and StopRuleProcessing: the INKY rule runs first and sets StopRuleProcessing, so every transport rule after it is skipped for the mail it matches. Use inbox rules for per-mailbox forwarding, NOT transport rules.
  • AutoForwarding blocked by default (tenant outbound spam policy). If per-user forwarding needed, create scoped HostedOutboundSpamFilterPolicy for that sender with AutoForwardingMode=On.
  • Get-MessageTrace deprecated Sept 2025: Use Get-MessageTraceV2 and Get-MessageTraceDetailV2 in Exchange PowerShell.
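The transport-rule pitfall above, turned into a check you can run against an export of the tenant's rules. This is an added example, not ACG tooling: feed it the JSON from `Get-TransportRule | Select-Object Name, Guid, Priority, StopRuleProcessing, @{Name='State';Expression={[string]$_.State}} | ConvertTo-Json -Compress` and it names the first enabled rule that stops processing and every enabled rule ordered after it. The sample data is constructed; only the INKY rule GUID comes from this page, and its display name and the other rule names are assumptions.

```python
"""Report Exchange Online transport rules shadowed by a StopRuleProcessing rule.

Added example, not ACG tooling. SAMPLE is constructed; the INKY GUID is the
one recorded in this article, the rule names are placeholders. State is cast
to [string] in the suggested command so the RuleState enum does not serialise
as an integer.
"""
import json

SAMPLE = json.dumps([
    {"Name": "INKY PhishFence", "Guid": "b859327f-3fbd-4be7-a47a-97d02f1558a7",
     "Priority": 0, "State": "Enabled", "StopRuleProcessing": True},
    {"Name": "Forward ntirety notices", "Guid": "00000000-0000-0000-0000-000000000001",
     "Priority": 1, "State": "Enabled", "StopRuleProcessing": False},
    {"Name": "Legacy disclaimer", "Guid": "00000000-0000-0000-0000-000000000002",
     "Priority": 2, "State": "Disabled", "StopRuleProcessing": False},
])


def _enabled(rule):
    # "Enabled"/"Disabled" when cast to string; tolerate a raw boolean too.
    state = rule.get("State", "Enabled")
    return state is True or str(state).lower() == "enabled"


def load_rules(text):
    """Parse ConvertTo-Json output (a bare object when only one rule exists)
    and return the enabled rules in evaluation order, Priority 0 first."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]
    return sorted((r for r in data if _enabled(r)), key=lambda r: r["Priority"])


def shadowed_rules(text):
    """Return (stopper_name, [names of enabled rules after it]).

    Exchange evaluates transport rules by ascending Priority; once an enabled
    rule whose conditions match has StopRuleProcessing set, no later rule is
    evaluated for that message. This is the conservative view: it lists every
    rule that is skipped whenever the stopper matches, which for a catch-all
    rule such as INKY's is every inbound message."""
    rules = load_rules(text)
    for i, rule in enumerate(rules):
        if rule.get("StopRuleProcessing"):
            return rule["Name"], [r["Name"] for r in rules[i + 1:]]
    return None, []


if __name__ == "__main__":
    stopper, hidden = shadowed_rules(SAMPLE)
    if stopper:
        print(f"'{stopper}' stops rule processing; shadowed: {hidden}")
        print("Move per-mailbox routing to inbox rules or reorder priorities.")
    else:
        print("No StopRuleProcessing rule found; all transport rules evaluate.")
```

Disabled rules are dropped before the scan, so a rule that appears "missing" from the shadowed list may simply be off; re-enabling it puts it straight back behind the stopper.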

GuruRMM Agent Deployment

  • WebSocket auth bug (Issue #8): enrolled_agents.agent_key_hash is never checked by ws/mod.rs. Workaround: after MSI install, overwrite registry HKLM:\SOFTWARE\GuruRMM\AgentKey with the site API key (not enrollment AgentKey), then restart service.
  • rmm-api.azcomputerguru.com must be grey-clouded (DNS-only, not proxied) — Cloudflare proxy blocks WebSocket. Do NOT re-enable orange cloud. Gitea Issue #9.

Security

  • C2 IP blocks are iptables only — do not survive UDM reboot. Must add to permanent UniFi block list via UI. C2 IPs: 80.76.49.18, 45.88.91.99 (AS399486 Virtuo, Montreal).
  • AD1 disk 90% full — C:\Engineering = 787 GB of 1023 GB. Risk of replication failures.
  • Windows Firewall disabled on AD2 (all profiles) — known risk, not yet remediated.
  • 3 Windows 7 machines on network (LABELPC, LABELPC2, D2-RCVG-003) — EOL, unpatched.
  • AD1/AD2 on Windows Server 2016 — end of mainstream support. Plan upgrade.
  • Entra ID P2 not licensed — IdentityRiskyUser.Read.All is consented to the Security Investigator app, but IdentityRiskyUser calls return 403 regardless; Identity Protection needs a P2 upgrade.
  • One shared domain admin password (sysadmin) is used on every server (see Access). Theft of that single credential is full domain compromise; the password lives only in the vault entries.

Active Work

As of 2026-05-12:

  • Test Datasheet Pipeline: Production pipeline healthy. 469K records, 458.5K live on website. Daily task runs 02:30 AM. Email notification sends via Graph API (Mail.Send granted to the Claude-Code-M365 app 2026-05-12) because sysadmin SMTP AUTH is disabled in Exchange Online. See projects/dataforth-dos/CONTEXT.md.
  • GAGEtrak email (ticket #32142): calibration@ SMTP re-enabled 2026-04-23. GAGEtrak configured (smtp.office365.com:587, calibration@dataforth.com). Kevin Wackerly verifying schedule on DF-GAGETRAK — expected Monday run appears to run Tuesday.
  • DKIM rotation: Automatic cutover to selector2 on 2026-05-16 — no action needed; verify signing after that date.
  • jlohr forwarding: ntirety.com inbox rule active as of 2026-05-12; confirmed delivering to mike@azcomputerguru.com. Defunct transport rule pending cleanup.
  • RDS / SAGE-SQL: RDS grace period reset. GPO cert distribution pending. RDS CALs purchase needed long-term.
  • 28 offline machines (at time of 2026-03-27 incident) — rescanned status unknown. These should be verified when available.
  • MFA enforcement ongoing — 19 users were still not enrolled as of April 4 enforcement date; current count unverified.

History Highlights

| Date | Event |
|---|---|
| 2025 | Crypto/ransomware attack — AD2 wiped and rebuilt, many files lost. Test datasheet pipeline broken. |
| 2026-01-19 | DOS Update System built and deployed — NWTOC/CTONW/UPDATE/DEPLOY BAT files, 39 deployments. Sync-FromNAS updated (DEPLOY.BAT). |
| 2026-03-20 | Galactic Advisors security assessment — AD1 C: at 90%, legacy SQL 2008 R2 client noted, 3 computers scanned. |
| 2026-03-23 | Galactic Advisors assessment analyzed by ACG. |
| 2026-03-27 | Major security incident: DF-JOEL2 compromised via social engineering/ScreenConnect (attacker "Angel Raya", C2 on Virtuo hosting). M365 sign-in from Turkey. Full remediation. 3 CA policies deployed. MFA notice sent. IC3 filed (1c32ade367084be9acd548f23705736f). |
| 2026-03-27 to 2026-03-29 | Test datasheet pipeline rebuilt — 72/73 Quatronix datasheets generated, new Node.js pipeline replaces VB6 DFWDS + VB.NET uploader. |
| 2026-03-31 | Joel Lohr retirement. Brian Faires mailbox converted to shared (5,711 messages preserved). 38 stale Entra TS-* accounts deleted. |
| 2026-04-04 | MFA CA policies enforced (switched from report-only). |
| 2026-04-11 to 2026-04-12 | SCMVAS/SCMHVAS pipeline extension — 27,503 records backfilled, 434 Engineering-Tested .txt files imported. |
| 2026-04-12 | TestDataDB PostgreSQL migration verified (2.89M records). Hoffman API discovered (Swagger). |
| 2026-04-13 | API architecture discussion with Hoffman — client_credentials grant confirmed for dataforth.onprem.sync client. |
| 2026-04-14 | DFWDS logic ported to Node.js (dfwds-process.js). 897 staged datasheets drained. 803 new records created on Hoffman API. |
| 2026-04-15 | Major release — DB dedup (2.89M→469K rows), FAIL→PASS retest rule, For_Web filesystem dependency eliminated, 170,984 records bulk-pushed to Hoffman. Dashboard UI upgrades. |
| 2026-04-23 | Full Dataforth tenant onboarded to all 5 ComputerGuru tiered apps. calibration@ SMTP AUTH fixed. DF-GAGETRAK GuruRMM agent enrolled (with auth workaround). Syncro ticket #32142 billed. |
| 2026-05-03 | jantar@dataforth.com darkweb breach check — no indicators of compromise. eM Client OAuth grant and SP revoked/disabled. 1 hr billed. |
| 2026-05-04 | Howard onsite — lobby phone offline (VLAN misconfiguration on D1-Server-Room port 1 → fixed to VLAN 100). |
| 2026-05-06 | SAGE-SQL RDS issues resolved — grace period reset, SSL cert replaced, TSGateway disabled, RemoteApp permission prompts fixed. |
| 2026-05-12 | Pipeline audit + email notifications implemented (Graph API). jlohr forwarding configured (ntirety.com → mike@). DKIM keys rotated. |

  • projects/dataforth-dos — Active test datasheet pipeline project on AD2
  • systems/jupiter — Neptune Exchange physically colocated at Dataforth D2 facility; D2TESTNAS provides Tailscale routing