Real projects. Real infrastructure. Built right.

The practice had grown from 4 to 14 staff over three years. Their original network was never designed for that scale. The ISP router was overloaded, Wi-Fi coverage was failing in the examination rooms, and there was zero network segmentation — meaning every device had unrestricted access to every other device.

• —Full network redesign from scratch, including a topology diagram and IP address plan delivered before any hardware was ordered
• —Installation of a Fortinet FortiGate firewall replacing the ISP router as the network gateway
• —Deployment of a managed Cisco switch stack with 4 VLANs: Staff workstations, Medical devices, Guest Wi-Fi, and IP cameras
• —Ubiquiti UniFi access point deployment — 4 APs positioned via RF coverage survey covering all exam rooms, waiting area, and back office
• —Structured Cat6A cabling throughout the practice with labeled patch panel and organized rack
• —Full network documentation package delivered: topology diagram, IP address plan, device inventory, VLAN table, and all credentials in a secure vault

Network instability eliminated. Staff reported immediate improvement in connectivity reliability. Medical devices isolated from guest traffic. Full documentation on file.

The firm had no dedicated IT support. Their 'firewall' was a $80 consumer device purchased at a retail store. The management interface was reachable from the public internet on the default admin password. Remote desktop was open to the world. Three former paralegals still had active VPN credentials.

• —Replaced consumer device with a properly sized Fortinet FortiGate for the environment
• —Configured inbound rules: closed all unnecessary ports, blocked management interface from internet access, restricted RDP to VPN-only
• —Configured outbound filtering: blocked known malicious domains, enabled DNS filtering, configured application control
• —Removed all 5 stale VPN accounts, implemented individual named accounts with certificate-based authentication
• —Enabled IPS (Intrusion Prevention System) with appropriate signature sets for the environment
• —Enabled firewall logging to a local syslog server for 90-day retention
• —Configured site-to-site VPN to connect the firm's two office locations
• —Delivered full firewall documentation: rule set export, VPN config, account inventory, and administrator guide

Attack surface reduced from critical to acceptable. Management interface closed. All remote access now requires VPN authentication with named accounts.

The venue had three distinct connectivity needs: reliable POS terminals for the dining room and bar, staff tablets for order management, and guest Wi-Fi for a capacity crowd on summer weekends. Consumer extenders were causing POS timeouts during peak hours. There was no network separation between a guest's phone and the payment processing system.

• —RF site survey of the full 4,000 sq ft footprint including outdoor deck and basement kitchen
• —Designed 3-SSID, 3-VLAN architecture: POS & payment terminals (isolated, QoS priority), Staff operations, Guest Wi-Fi
• —Deployed 6 Ubiquiti UniFi access points — ceiling mounted with PoE switches, covering all areas with -65dBm or better signal throughout
• —Configured bandwidth limiting on guest SSID (10 Mbps per device) to prevent any single guest from saturating the uplink
• —POS VLAN hardened: no internet browsing, only payment processor IPs allowed outbound
• —Seasonal configuration documented — off-season mode reduces power consumption while maintaining core functionality
• —Full AP placement diagram and config backup delivered

Zero POS timeouts in the first full summer season. Guest Wi-Fi consistently rated in reviews. Payment terminals isolated from guest traffic.

The agency's entire operation — transaction files, contracts, client records, and MLS database exports — lived on a single aging server with no redundancy. The last backup was a manual copy to an external drive that had not been verified in 18 months. Windows Server 2012 had reached end of extended support, meaning no security patches were being issued.

• —Procured and deployed new server hardware with Windows Server 2022, sized for 5-year growth
• —Migrated all data with integrity verification — file count and hash comparison pre and post migration
• —Configured Active Directory with individual user accounts and role-based folder permissions — replaced the shared password that everyone had been using
• —Implemented automated backup: nightly local backup to NAS + daily cloud backup to Azure Blob Storage with 30-day retention
• —Configured backup monitoring with email alerts on failure — first time the agency would know immediately if a backup failed
• —Tested full restore from backup before decommissioning the old server — took 23 minutes for a full restore
• —Deployed UPS with network management card — server shuts down safely on power loss
• —Delivered server documentation: hardware specs, role configuration, backup schedule, restore procedure, and administrator credentials in secure vault

Agency migrated from a single point of failure to a redundant, monitored, documented environment. Backup restore tested and confirmed at 23 minutes.

The group had grown through acquisition — the second location had different hardware, different ISP, and different Wi-Fi equipment from the original location. No one had a complete picture of what was running where. Firmware updates had not been applied at either location in over a year.

• —Full inventory and documentation of both locations — every device, IP, firmware version, and role
• —Deployed monitoring agents on all network infrastructure at both locations via Atera RMM
• —24/7 automated alerts: network device offline, high CPU/memory, connectivity failure
• —Monthly firmware update cycle: all routers, switches, and access points updated and rebooted in maintenance window
• —Firewall log review monthly: unusual traffic patterns flagged and investigated
• —Monthly health report: one-page plain-language summary delivered to practice manager on the 1st of each month — covers uptime, events, maintenance completed, and anything planned for next month
• —Priority remote support: response within 2 hours for any issue at either location
• —Quarterly on-site visit to both locations

Practice manager has full visibility for the first time. Both locations standardized on consistent firmware versions. Zero unplanned downtime in first 6 months of engagement.

Project managers were using a consumer VPN app to access the office file server from job sites — sharing a single set of credentials across the team. The storage yard 8 miles away had its own internet connection with no link to the main office, requiring staff to physically drive files between locations on a USB drive.

• —Designed and deployed FortiClient site-to-site VPN between the main office and storage yard — both locations now on the same private network
• —Deployed client-to-site VPN for project managers using named individual FortiClient accounts with certificate authentication
• —Removed all shared credentials — each of the 8 project managers has an individual VPN account tied to their email
• —Configured split tunneling: only office-bound traffic goes through the VPN, keeping job site internet traffic local
• —MFA configured on all VPN accounts via email-based one-time code
• —Documented full VPN configuration, account inventory, and onboarding procedure for new hires
• —Trained office administrator on how to add/remove VPN accounts — no longer requires a technician for routine user changes

Storage yard connected to main office network. All remote access authenticated individually. USB drive transport eliminated. Admin can manage user accounts independently.

The firm was moving from a home-office and co-working setup to their first dedicated office. The space was raw — no data cabling, no server room, and the landlord's electrician had not yet run any CAT cable. The firm's requirements meant the network could not have any guest or unauthorized devices on the same segment as workstations.

• —Network design produced before any cabling began: full topology, IP plan, VLAN architecture, rack layout
• —24 data drops installed in Cat6A throughout the office — workstations, printer alcove, conference room, and server room
• —Rack assembly: patch panel, UPS, firewall, managed switch, and NAS — all labeled and organized to professional standards
• —Fortinet FortiGate configured as gateway with 3 VLANs: Corporate workstations, Conference room AV, Guest Wi-Fi
• —3 Ubiquiti access points — open office, conference room, and lobby — all managed from single UniFi controller
• —NAS configured with RAID 1 + scheduled cloud backup for business-critical files
• —All configuration documented and provided to the firm before opening day
• —Full walkthrough with office manager: how to add devices, what to do if internet goes down, who to call

Firm opened on schedule. Network fully operational on day one. Full documentation in hand before the first employee sat down.

The POS outage that triggered the assessment turned out to be a symptom — not the root cause. The root cause was a consumer router running at 98% CPU during peak hours because it was also acting as the Wi-Fi AP for 40+ guest devices simultaneously. The assessment of the other two locations revealed similar problems plus factory-default firewall credentials at one site.

• —On-site network assessment at all 3 locations: device inventory, firewall audit, Wi-Fi performance test, cabling inspection
• —Written assessment report for each location: findings ranked Critical / High / Medium / Low with plain-language explanations
• —Remediation executed over 3 weeks across all locations during off-hours to avoid business disruption
• —Location 1: Replaced consumer router with business-grade firewall + dedicated Wi-Fi AP — separated POS from guest traffic
• —Location 2: Changed all default credentials, closed management interface from internet, updated firmware
• —Location 3: Full switch replacement — existing unmanaged switch replaced with managed unit supporting VLANs
• —POS network isolated at all 3 locations — payment terminals on dedicated VLAN with outbound restrictions
• —Standardized Wi-Fi across all locations: same SSID naming, same password rotation schedule
• —Delivered consolidated multi-site documentation package covering all 3 locations

Zero POS-related outages following remediation across all locations. All sites documented for the first time. Factory-default credentials eliminated.