WGNHS (Wisconsin Geological and Natural History Society) - Customer Profile

This is the contract information for the Wisconsin Geological and Natural History Society (WGNHS).

WGNHS Overview

Part of the Division of Extension at the University of Wisconsin–Madison, WGNHS provides objective scientific information about the geology, mineral resources, and water resources of Wisconsin.

Organizational Information

Location

Primary

3817 Mineral Point Road

Customer Contacts

Purchasing

Peter Schoephoester, peter.schoephoester@wisc.edu

Organizational Information

Dept Code

WGNHS

UDDS

N/A

DoIT #

None, you must bill out via their UDDS number. Directions are in LastPass.

Contract Information

Contract Name

WGNHS
Primary Document Owner
Support Owner  Mike Juszczyk

Type

T&M

Active Directory Information

As of fall 2021 WGNHS is on CAD under the DDS->WGNHS.

Network Information

Subnet(s) VLANs Building Hardware FW Wireless
144.92.125.0/25 1440-CSSC  3817mp PANORAMA Internal Wireless in KeePass
10.128.219.128/25 743-CSSC 3817mp PANORAMA NA
192.168.100.0/24 n/a Mt.Horeb PFsense 216.246.176.77 WGNHS_MH-Departmental

Hosts at WGNHS (min point office) are split between the 144. and 10. subnets. Ideally we want workstations on 10. and servers on the 144. network, but we have not completed this migration. We do not clearly define a static and a DHCP range - you'll see reservations made throughout the whole DHCP pool on the 144.92 network. The 10.128 network shouldn't have any static reservations or host records. When decommissioning a server with a static IP, it is important to remove its old firewall rules so the next device with that IP starts from a clean slate.

VPN access

WGNHS has a manifest group that allows access to RDP on the local subnets.  Users log into the Wisc VPN dynamic pool, but if they are part of the group they will be allowed access.  The manifest group is at https://manifest.services.wisc.edu/Group/Index/e183e7f6096a42808a5dde33e914fc6b. (uw:org:rads:wgnhs:WGNHS_VPN)

DoIT technicians can access the WGNHS networks via DS internal network (144.92.55.1/24)

Unifi Network Hardware

We have 2 unifi sites, MoHo and MinPoint. Devices at both sites report to our controller (unifi.wgnhs.wisc.edu).

MoHo Site: 3 Access points.  Set to auto-update on 1st of the month.

MinPoint Site: 2 switches - both located in min point server rack.  Upgrades for these switches should be completed during quarterly server maintenance windows to avoid downtime.

Site-to-site VPN 

  • We have a site to site wireguard VPN link between a PFsense VM at mineral point and a PFSense hardware firewall at Mount Horeb.  Static routes are configured on the MOHO side to route traffic from the MOHO_LAN to select resources on the WGNHS internal network, as well as the campus DC's. 
    • see attached photo for static routes
  • Both pfSense machines automatically back up their configuration via netgate.  Configs can be recovered with hardware ID's and keys in the keepass. 
  • The MoHo pfsense web interface (192.168.100.1) can be reached from the WGNHS internal network provided the workstation has a static route configured for 192.168.100.1/24 via 144.92.125.8.  A route also needs to be added on the MoHo side to enable traffic to the workstation.  The IT workstation WGS-CUTBANK is already configured and is the easiest way to access that firewall. 
  • The moho pfsense firewall is also accessible via SSH.  Information on connecting and SSH keys are in the keepass.

Mount Horeb LAN

  • MoHo LAN is DHCP with the pool at 192.168.100.10-200
  • There is a ToughSwitch POE near the router that powers the 3 access points in the building.
    • NOT controlled via unifi. Login to the switch from WGS-CUTBANK at 192.168.100.5.  Creds in keepass.
    • Check for firmware periodically

Mount Horeb pfSense static routes for wireguard

[Image: static routes for campus DC's and select WGNHS resources]

Printer Information

<WGNHS Printers>

Shared Drive Information

WGNHS data is stored primarily on M-S-STORAGE02. GeoBase is stored on WGS-GISDATA.  We utilize a DFS namespace and map network drives from \\ad.wisc.edu\wgnhs.  See the GPO for the current drive mapping.

Project Drives

The P: drive is heavily used by WGNHS.  By default every user has Read-Only access to all project folders.  Each project folder has a corresponding security group that will grant Write permissions to its respective folder.  When handling a P: drive folder creation request you will need to create both a new folder, and a new security group, and assign that group modify permissions on the folder. 
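
The folder-plus-group procedure described above, as an added PowerShell example (not a script from this page or from WGNHS). The project name, group naming pattern, group scope and OU placeholder are assumptions; only the Projects path comes from the drive table.

```powershell
#Requires -Modules ActiveDirectory
# Added example: create a P: project folder with its own write group.
# Values marked ASSUMPTION are illustrative and do not come from the page.

$ProjectsRoot = '\\ad.wisc.edu\wgnhs\Projects'             # P: drive path (from the drive table)
$ProjectName  = 'ExampleProject'                           # ASSUMPTION: sample folder name
$GroupName    = "WGNHS-Projects-$ProjectName-Write"        # ASSUMPTION: hypothetical naming pattern
$GroupOU      = '<DN of the OU that holds WGNHS groups>'   # placeholder, fill in before running

$folderPath = Join-Path $ProjectsRoot $ProjectName
if (Test-Path -LiteralPath $folderPath) {
    throw "Folder already exists, refusing to touch its ACL: $folderPath"
}

# 1. One security group per project folder.
#    ASSUMPTION: DomainLocal scope; use whatever scope the existing groups use.
$group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
    -GroupCategory Security -GroupScope DomainLocal -Path $GroupOU `
    -Description "Write access to $folderPath" -PassThru

# 2. Create the folder. It inherits the default read-only access from the
#    Projects root, so inheritance is left enabled.
New-Item -Path $folderPath -ItemType Directory | Out-Null

# 3. Grant the new group Modify (not FullControl) on the folder, subfolders
#    and files. The rule is built from the group's SID so it does not depend
#    on the new name resolving on the file server yet.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $group.SID, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $folderPath
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $folderPath -AclObject $acl

# 4. Verify: the only explicit (non-inherited) entry should be the new group.
$explicit = @((Get-Acl -LiteralPath $folderPath).Access |
    Where-Object { -not $_.IsInherited })
$explicit | Format-Table IdentityReference, FileSystemRights, AccessControlType
if ($explicit.Count -ne 1) {
    Write-Warning "Expected 1 explicit ACL entry on $folderPath, found $($explicit.Count)"
}
```

Write access is then granted by adding users to the new group rather than by editing the folder ACL again.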

Wisconsin Geological and Natural History Survey (WGNHS)

Drive Letter Description Path
J: Geobase \\ad.wisc.edu\wgnhs\Geobase
K: AdminServices \\ad.wisc.edu\wgnhs\Admin
L: Library \\ad.wisc.edu\wgnhs\Library
O: Hydro \\ad.wisc.edu\wgnhs\Hydro
P: Projects \\ad.wisc.edu\wgnhs\Projects
Q: GIS \\ad.wisc.edu\wgnhs\GIS
R: Pubs \\ad.wisc.edu\wgnhs\Publications
S: Geology \\ad.wisc.edu\wgnhs\Geology
T: GISLib \\ad.wisc.edu\wgnhs\GIS_Library
U: Everyone \\ad.wisc.edu\wgnhs\Everyone
V: DigProd \\ad.wisc.edu\wgnhs\DigitalProducts
W: WCR \\ad.wisc.edu\wgnhs\WCR
X: Annex \\ad.wisc.edu\wgnhs\Annex
Z: Scanner \\ad.wisc.edu\wgnhs\Scanner
A: WCR_PDF_IDL_WORKING \\ad.wisc.edu\wgnhs\WCR_PDF_IDL_Working
Y: Deep Storage \\ad.wisc.edu\wgnhs\DeepStorage

Server Infrastructure

 

WGNHS runs the majority of their own infrastructure on-site. 

Server Network Hardware

We have 2 ubiquiti switches in the server rack at Mineral Point to enable 10GB networking between hypervisors and the backup appliance.  These switches are owned and managed by us. The campus network equipment at the survey building on mineral point is in a cabinet in the basement.

ESXi Infrastructure

We use a VMware essentials license that covers 3 hosts w/ 6 sockets. We do NOT have the capability to do High Availability, Powered-On V-Motion, or other more advanced features. vCenter is not domain joined; credentials are in the WGNHS keepass file. We are running VMware v7 on all hosts. The networking is straightforward - all VM's and iDRAC's live on the 144.92.125.0/25 network and are secured w/ the campus firewall.

ESXi Host IP Info iDRAC
COPPER 144.92.125.94 R750 https://144.92.125.49/restgui/start.html
GABBRO 144.92.125.11 R730 https://144.92.125.111/login.html
FELDSPAR 144.92.125.18 R740 https://feldspar-idrac.wgnhs.wisc.edu/

vCenter 8 144.92.125.20 vCenter appliance (lives on GABBRO) https://vc8.wgnhs.wisc.edu/

ProxMox Infrastructure

We have 1 proxmox host running M-S-UNIFI, WGS-Petrel and PBS (ProxMox Backup Service)

Host IP Info iDRAC
PEDIMENT.wgnhs.wisc.edu 144.92.125.41 ProxMox 8.x running on R730 https://144.92.125.34/login.html
pbs.wgnhs.wisc.edu 144.92.125.90 PBS is a VM on PEDIMENT.  Backs up via NFS to greenland
WGS-PETREL 144.92.125.108 This is a Windows 11 instance with a fancy USB key dongle passed through via USB.  Petrel license is on 27000 (27000@wgs-petrel.ad.wisc.edu)
M-S-UNIFI 144.92.125.9 This machine hosts a unifi controller to control the network equipment at MoHo.  You can access the controller at https://unifi.wgnhs.wisc.edu:8443 from the WGNHS internal network.  I use the unifi scripts at https://glennr.nl/ for installing, updating, fail2ban, letsencrypt.  Credentials and more information in KeePass. Utilizes unattended-upgrades package with default config enabled.  Should be updated/rebooted manually periodically as well. https://unifi.wgnhs.wisc.edu:8443

vmWare VMs

All VM's are in vSphere with the exception of M-S-UNIFI, WGS-Petrel and PBS which run on PEDIMENT.  See vCenter for a full list.  Not all of these machines are domain joined - reference the KeePass for credentials if AD creds do not work.

Server Name OS IP Server Info
M-S-Storage02 Windows Server 2019 144.92.125.68 Primary File Share
Basalt Centos 6.8 144.92.125.36 Production web server for wgnhs.wisc.edu.  There are also a number of basalt based clones for development purposes.  All password info stored in KeePass.  DO NOT TRY TO UPDATE THIS SERVER - TRUST ME.  This one is a top priority for retirement.
Cyclone Windows Server 2012 144.92.125.42 Production IIS server containing an Arc web adapter.   We use LetsEncrypt for TLS - see C:\win-acme\letsencrypt.exe (Use A to renew all)
M-S-VPN2 pfSense (BSD based router) 144.92.125.8 This machine keeps a point to point VPN open between the Madison office and the Mount Horeb site.  We have a GPO to add a static route to the MOHO network (192.168.100.0/24).  There is another nearly identical PFSense installation on netgate hardware at the MoHo site.  The configuration files for both pfsense installs are stored in the WGNHS KeePass.  ALWAYS SAVE A CONFIG AND UPLOAD TO KEEPASS AFTER ANY CHANGE
M-S-UNIFI Ubuntu 22.04 144.92.125.9 This machine hosts a unifi controller to control the network equipment at MoHo.  You can access the controller at https://unifi.wgnhs.wisc.edu:8443 from the WGNHS internal network.  I use the unifi scripts at https://glennr.nl/ for installing, updating, fail2ban, letsencrypt.  Credentials and more information in KeePass. Utilizes unattended-upgrades package with default config enabled.  Should be updated/rebooted manually periodically as well.
Cirrus Windows Server 2012 R2 144.92.125.104 Microsoft SQL Server 2014 that houses databases used by the Arc line of products and has databases named after the following: Data Catalog/Pubs/Geobase/GISLib/Springs.
Cumulus Windows Server 2012 R2 144.92.125.24 SSD file storage for GISLib share
M-S-GIS03 Windows Server 2019 144.92.125.12 ArcGIS Server
M-S-Licensing01 Windows Server 2016 144.92.125.74 Global mapper on tcp/27000. ArcGIS licensing (campus license files) on tcp/27001.  WellCAD on tcp/27002.  (Wellcad needs to be installed w/ FLEX installer and use "27002@m-s-licensing01.ad.wgnhs.uwex.edu" for license server)
M-S-UTIL Windows Server 2019 144.92.125.30 Server was created to host namespace shares.
M-S-BACKUP03 Windows Server 2016 144.92.125.58 This server has been decommissioned but is being retained in backups on the off chance we ever have to recover something from a tape backup.  This Veeam server was decommissioned around July 2024.
int-geologic-map boot2docker 144.92.125.51  This does things that Dave Sibley knows about
dev-gateway boot2docker 144.92.125.56 website docker machine
dev-manager1 boot2docker 144.92.125.69 website docker machine
dev-worker1 boot2docker 144.92.125.94 website docker machine
prod-gateway boot2docker 144.92.125.73 website docker machine
prod-manager1 boot2docker 144.92.125.109 website docker machine
prod-worker1 boot2docker 144.92.125.84 website docker machine
Aqueduct Windows Server 2012R2 144.92.125.39 Middleman for processing web-facing content. 
WGNHS_NUT Ubuntu 24.04 144.92.125.112 Runs Network UPS Tools.  Connects to UPS batteries via USB and coordinates safe vmware shutdown on power failure.  Web interface available from WGNHS internal network and ds internal network at nut.wgnhs.wisc.edu.  Local authentication, password in keepass. Utilizes unattended-upgrades package with default config enabled.  Should be updated/rebooted manually periodically as well.
WGSS-GISDATA Server 2019 144.92.125.64 Storage for GIS
M-S-GIS04 Server 2019 144.92.125.60 Built to facilitate upgrade and migration from M-S-GIS03. 
M-S-MSSQL Server 2019 144.92.125.75 Eventual successor to CIRRUS
M-S-IIS Server 2019 144.92.125.121 Eventual successor to CYCLONE
 

Server Backups (Synology Active Backup for Business)

 

Notes

  • Windows client agents can be pushed via bigfix "DS - Deploy - Synology Active Backup for Business Windows Client 2.7.0 (WGNHS ONLY)"
    • Currently we have windows agent backups for WGS-CUTBANK 
    • ABB agent updates can be initiated from console on GREENLAND
  • Web interfaces for greenland and iceland are accessible from DS internal network and WGNHS local network.
  • All vmware VM's and a few windows client backups are backed up with synology backup for business.  Backups are taken daily on greenland and replicated daily to iceland via snapshot replication.  Snapshots on iceland have an immutability period of 12 days.
  • ProxMox Backup server datastore uses PBS directory via NFS and is replicated to Iceland daily.
  • vCenter saves config backups in the vCenterConfig directory and is replicated to Iceland daily.
  • Server Role Hardware Location Authentication
    greenland.wgnhs.wisc.edu Primary backup Synology RS2423+ WGNHS server room local creds in wgnhs keepass
    iceland.wgnhs.wisc.edu Replication target Synology RS2423+ Colo (doit datacenter team) local creds in wgnhs keepass

    Whenever VM's are moved, created, removed, etc you should make sure to adjust backup jobs on GREENLAND accordingly.  Orphaned VM's in ABB will be removed per retention policy, no need to delete them manually.

Active Backup VM Tasks

  • BACKUP_ARCHIVE
    • This is a backup of the previous veeam server.  Schedule is set to "manual" for archival purposes.  Being retained in case we need to get into a veeam backup for some reason.
  • CIRRUS - 90 Days
    • daily CIRRUS (MSSQL server) backups retained for 90 days
  • COPPER - 30 Days
    • daily backups of all COPPER vm's.  retained 30 days.
  • FELDSPAR - 30 Days
    • Daily backup of FELDSPAR VM's (with exception of M-S-STORAGE02).  Retained 30 days
  • GABBRO - 30 Days
    • Daily backup of GABBRO VM's (with exception of CIRRUS).  Retained 30 days
  • STORAGE
    • Daily backup of primary storage M-S-STORAGE02. 
      • Advanced retention settings:
        • Keep all versions for 1 day
        • Keep latest version of day for 60 days
        • Keep latest version of the week for 52 weeks
        • Keep latest version of the month for 24 months
        • Keep latest version of the year for 5 years
 

Support Information

 
Contract Scope

CLIENT MANAGEMENT
MANAGED SECURITY LAYER
SERVER MANAGEMENT
END USER SUPPORT
DS OWNED HARDWARE

Notes: None

General Support Information

CAMPUS ACTIVE DIRECTORY
BOMGAR BUTTON
DOIT SHARED DRIVE
EAST SUPPORTED (Minority of calls)
RESTRICTED USERS (Minority of Users, <10%)

Notes:

Mike J is primary support.  HDL2 group should have admin using OU creds.

Pete and Dave at  WGNHS both have domain admin as well.

Managed Security Layer

CAMPUS ACTIVE DIRECTORY
IBM ENDPOINT MANAGER
SECUNIA CSI (No scans scheduled)

Primary Support Contact

Mike J for infrastructure

GDS Contract Queue for endpoint support

Physical Access

Open M-F 8am to 4:30pm. Building is not alarmed and we do have keys for checkout if needed after hours.

Server room is located in back of hallway Rm 118, Pete has keys for server room.

IT Workstation

WGS-CUTBANK is the IT workstation at the Mineral Point office. 

It is configured to reach the network at Mount Horeb for maintenance purposes.

 

Department-Specific Software

  • ArcGIS Pro Named User License
  • MS SQL ODBC Driver v13

Potentially Legacy Info:

WellCad - if you run into "Sentinel Key Not Found" Restart computer

KeePass should have relevant license and installation info for the majority of software.  There are many software titles that are only used by a small subset of users and may have cumbersome individual licensing to figure out.  When in doubt call the vendor for clarification.

Other WGNHS Information



Keywords:
doit departmental support wgnhs (wisconsin geological and natural history society) 
Doc ID:
140399
Owned by:
Departmental Support in DoIT Departmental Support
Created:
2024-08-13
Updated:
2025-08-13
Sites:
DoIT SEO SIMS-internal, DoITDepartmentalSupport-internal