azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8d975c1b44648c88f397a8b67ed63049ac8c2b61
claudetools/clients/cascades-tucson/docs/migration/README.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients 
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00

6.8 KiB
Raw Blame History

Cascades Network Migration — Revised Operational Plan

Context

Cascades senior living facility (236 rooms, 6 floors). New MSP takeover from previous company that left environment non-compliant. Core mission: HIPAA remediation and compliance. Synology NAS stores PHI, nurses/medtechs access clinical records via ALIS (cloud), and email may contain resident data. See security/hipaa.md for full gap analysis.

Single 16-year-old server (CS-SERVER, 192.168.2.254) on LAN (192.168.0.0/22) running all roles. Staff PCs currently on WiFi (INTERNAL VLAN 20, 10.0.20.0/24). Printers on LAN. No backups, no GPOs, wide-open firewall, 4 PCs not domain-joined.

Revised approach: Network first. Move all devices to INTERNAL VLAN 20, then lock down. Server and printers move to INTERNAL last — no disruption during transition.

Transitional state: Machines on INTERNAL (10.0.20.0/24) → pfSense firewall bridges → CS-SERVER + printers on LAN (192.168.0.0/22). Everything works cross-subnet until we move the server.

HIPAA drives every phase: Backup (Phase 0) → network isolation (Phase 1) → access control + encryption (Phase 2) → centralized management (Phase 3) → PHI migration with audit trails (Phase 4) → shared account elimination (Phase 5).

Schedule

Session Steps Est. Time Impact
Session 1 (evening) 1 + 2 ~3-4 hours Backup + firewall changes during low usage
Session 2 (coordinated) 3 ~2-3 hours Brief disruption per machine during port change
Session 3 (business hours) 4 ~4-6 hours No user impact — server-side only
Session 4 (coordinated) 5 ~4-6 hours Brief disruption per machine during domain join
Session 5 (business hours) 6 + 8 ~4-5 hours Synology cutover + hardening
Session 6 (TBD) 7 ~3-4 hours Server/printer IP changes — schedule when stable

Total: ~20-28 hours across 6 sessions

Steps

Step Description Runbook Scripts
1 Emergency Backup phase0-safety-net.md phase0-export-configs.ps1, phase0-remote-checks.ps1
2 Firewall & VLAN Setup phase1-network.md Manual (pfSense/UniFi web UI)
3 Identify & Move Switch Ports step3-switch-ports.md Manual (UniFi web UI + on-site)
4 Server Preparation — AD & Shares phase2-server-prep.md phase2-dns-cleanup.ps1, phase2-ad-setup.ps1, phase2-sync-synology.ps1, phase2-file-shares.ps1, phase2-print-server.ps1
5 Domain Join phase3-domain-join.md phase3-pre-join-verify.ps1, phase3-join-domain.ps1, phase3-post-join-verify.ps1
6 Synology Transition phase4-synology.md phase4-archive-synology.ps1
7 Move Server & Printers to INTERNAL step7-server-move.md Manual
8 Hardening & Cleanup phase5-hardening.md Manual + documentation updates

Session Log

Session Date Focus Status
1 2026-03-06 Initial audit, data gathering, documentation buildout Done
2 2026-03-06 Guest WiFi isolation, DNS fixes, firewall aliases Done
3 2026-03-07 Backup setup, config exports, quick fixes session3-2026-03-07.md
4 TBD Firewall aliases, INTERNAL rules, floating rule #4 Planned
5 TBD (onsite) Test isolation, gather device info, Pro upgrade Planned

On-Site Tasks (separate trip)

Task Why
Fix 9 offline APs Physical access to check PoE, cables, re-adopt
Wire 206 printer (ethernet) Cable run
Locate Bizhub C368 Physical walkthrough
Get printer MAC addresses If not in pfSense ARP/DHCP table
Verify switch port assignments Physical trace if UniFi doesn't show clearly

Information Still Needed

  1. Switch port mappings — Which switch port is each hardwired workstation plugged into? Check UniFi → Clients or trace physically. Only CHEF-PC (USW Lite 8 Port 7) is known.
  2. DESKTOP-1ISF081 IP and location — What IP does it have and where is it physically?
  3. MDIRECTOR-PC — Confirm it should move to INTERNAL or stay on LAN (MemCare Director's machine, currently at 192.168.3.20)
  4. Printer MAC addresses — Need for DHCP reservations if not already in pfSense ARP table
  5. Step 7 decision — Move CS-SERVER to INTERNAL, dual-home it, or leave on LAN permanently?

Rollback Procedures

Each step has a rollback section. Key rollbacks:

  • Step 2: Re-enable floating rule #4, revert Guest SSID, restore pfSense XML backup
  • Step 3 (per machine): Revert switch port to native VLAN
  • Step 4: Unlink GPOs from GPMC. DNS records exported in Step 1.
  • Step 5 (per machine): Log in with MSPAdmin local account, Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart
  • Step 6: Rename archive folder back to SynologyDrive
  • Step 7: Revert printer/server IPs, restore firewall rules

Verification

After each step, confirm:

  • Step 2: INTERNAL machines can reach server + printers through firewall
  • Step 3: Hardwired machines on INTERNAL get correct IPs, reach server + printers
  • Step 4: All shares/groups/GPOs created correctly on CS-SERVER
  • Step 5: Domain-joined machines get GPOs, drive mappings, printers automatically
  • Step 6: Users can access all files via mapped drives (no more Synology Drive Client)
  • Step 7: Server/printers accessible on new IPs from all machines
  • Step 8: Endpoint security deployed, old accounts/shares cleaned up

Issues Resolved

Issue Resolution
Floating rule #4 passes all IPv4 Replaced with scoped rules
Guest WiFi on server LAN Isolated to VLAN 50
No GPOs configured Security baseline, drives, printers, updates, folder redirection
4 PCs not domain-joined All joined
No backup Synology ABB + offsite
Shared/generic AD accounts Replaced with individual accounts
Stale DNS records Cleaned up, scavenging enabled
Room 218 DHCP (single IP) Range end fixed
Timezone mismatch Both set to America/Phoenix
Room 130 dead firewall rule Deleted
VLAN 10 mismatch Deleted from UniFi
5 stale disabled AD accounts Deleted
Synology Sync VM Deleted from Hyper-V
Reference in New Issue View Git Blame Copy Permalink