Ajay
Angdembe
IT professional with 5+ years of hands-on experience across healthcare, education, and managed service environments backed by nearly a decade of technical foundation. Progressed from break/fix and network troubleshooting to university desktop support, MSP network operations, and healthcare infrastructure management. I build secure, scalable systems for HIPAA-regulated clinics, multi-site school districts, and enterprise environments. Skilled in documentation, zero-trust architecture, and designing infrastructure that survives beyond any single administrator.
System Administration
Sole System Administrator for a 24/7 healthcare organization managing 80 staff, 4 locations, and 300+ endpoints. Administered Active Directory, Exchange Online, and VMware environments while enforcing HIPAA-aligned security controls based on NIST frameworks. Migrated 4-site file servers to SharePoint in 4 months with zero data loss. Built enterprise-grade home lab with VLAN segmentation and VPN failover—maintained since 2017.
Completed migrations and deployments that sat untouched for years. Reduced M365 costs through strategic licensing redesign. Executed infrastructure upgrades with zero downtime. Every project balanced technical requirements with budget reality.
NIST and HIPAA-aligned security controls including MFA, conditional access, and zero-trust network segmentation. Exchange transport rules for email encryption. VLAN design with firewall rule enforcement following DoD baseline practices. Backup operations with regular recovery testing. PowerShell automation to reduce manual overhead.
Healthcare: Sole IT at Project Turnabout managing servers, cloud admin, and executive advising. MSP: Supported 120+ clients with 45-minute SLA at Mankato Computer Technology. Education: Tier 1-2 support and imaging at Minnesota State University.
Projects completed. Costs reduced. Systems documented. Infrastructure stable. Next admin starts ahead, not from zero.
What I Delivered
HIPAA License Optimization
Audited Microsoft 365 licensing across 4 healthcare sites and redesigned tier assignments — basic licenses for nurses and HSTs, E3/E5 for managers with external email access. Reduced licensing costs while tightening HIPAA compliance by aligning access controls to actual role requirements.
Solo SharePoint Migration | 4 Sites
Migrated all 4 clinic locations from legacy mapped drives to SharePoint Online in 4 months with zero data loss and no clinical disruption. Completed a project previously untouched for years, working independently through planning, execution, and user transition.
Procurement and Budget Analysis
Led hardware and software procurement research including EOL specs, vendor negotiation, ISP carrier comparisons, and licensing alternatives. Identified cost-saving options that aligned technical requirements with business goals and consistently passed executive-level budget review.
AP Deployment | Mankato Vine Faith
Planned and executed wireless infrastructure overhaul across 3 floors, replacing end-of-life Aruba and Cisco access points with new Aruba hardware. Coordinated directly with Aruba engineers for configuration validation and signal coverage optimization with zero service interruption.
Home Lab | Active Since 2017
Designed and maintained enterprise-grade home lab with 6-segment VLAN architecture, dual WireGuard VPN failover, pfSense firewall, Suricata IDS, and 802.1Q trunking. Continuously updated to mirror current enterprise security practices including zero-trust segmentation and kill-switch enforcement.
What I Do
IT Support and Troubleshooting
- Managed Tier 1–3 support across 300+ endpoints in healthcare, education, and MSP environments with strict SLA adherence
- Resolved Windows Server, Active Directory, and M365 incidents while maintaining asset inventory
- Created SOPs and staff-facing documentation to reduce repeat tickets and improve handoff quality
Identity and Access Management
- Administered Active Directory, Azure AD, and Entra ID across hybrid environments
- Enforced MFA, conditional access, and RBAC policies for HIPAA-regulated clinical staff
- Managed Azure AD Connect synchronization and automated user provisioning workflows using PowerShell
Endpoint Deployment and Imaging
- Executed mass Windows deployments using Autopilot, SCCM, and Intune across 300+ devices
- Standardized PXE imaging workflows for lab and classroom environments
- Managed remote patching cycles through RMM tooling and coordinated device refresh projects from procurement through secure decommissioning
Microsoft 365 Ecosystem Admin
- Administered full M365 tenant operations across 4 healthcare sites including E3/E5 licensing optimization
- Configured ZixEncrypt email encryption and enforced Microsoft Defender policies
- Migrated file servers to SharePoint Online and managed Teams governance for clinical collaboration
Infrastructure Monitoring and Server Ops
- Monitored Defender alerts, Azure AD sign-in activity, and ConnectWise logs in real time to flag risks before escalation
- Administered DNS, DHCP, and file share operations on Windows Server
- Scheduled patching cycles to maintain uptime and correlated Event Viewer logs for root-cause analysis
Backup, Recovery, and Automation
- Configured Veeam, Acronis, and Dropsuite backup operations with regular recoverability testing
- Developed DR playbooks for business continuity and wrote PowerShell scripts for user provisioning and cleanup tasks
- Built RMM automation modules to enforce compliance and reduce manual overhead
Documentation and Process Standards
- Created SOPs for onboarding, patching, MFA rollout, and device imaging workflows
- Built internal knowledge bases and user guides accessible to all staff levels
- Developed handoff packets and team checklists to capture tribal knowledge for seamless transitions
Network and Wireless Engineering
- Designed 6-segment VLAN architecture with 802.1Q trunking and pfSense firewall rule management
- Deployed Aruba and Cisco access points coordinated with vendor engineers for optimal coverage
- Configured WireGuard and OpenVPN tunnels with failover groups and conducted site surveys for wireless infrastructure planning
System Architecture
Secure VPN Tunnel
Mullvad WireGuard with automatic gateway failover. Zero WAN exposure when tunnels drop — kill switch enforced.
Lateral Movement Blocking
Firewall rules enforce hard isolation between IoT peripherals and production segments — no cross-VLAN traffic without explicit permit.
Defense-in-Depth
5-layer kill switch: Zero WAN NAT, DoH/DoT blocking, IPv6 block, DNS enforcement, RFC1918 inter-VLAN isolation.
Remote Management
Tailscale subnet routing for secure remote access to the management VLAN from any location.
- Evaluating Protectli FW6 upgrade to 2.5GbE mini PC with more RAM.
- Planning centralized logging via rsyslog or Graylog for firewall, IDS, and DNS logs.
- Grafana + InfluxDB dashboards for traffic visualization.
- Automated pfSense config backups with encrypted storage.
- SIEM-lite correlated alerting across Suricata, pfBlockerNG, and firewall.
- Automated Suricata rule updates via cron.
- Quarterly firewall rule audit cadence.
- Evaluating 802.1X with freeRADIUS for identity-based VLAN assignment.
- Added Tailscale for remote network management.
- Replaced generic Wi-Fi router with dedicated AP mode.
- Updated outbound NAT and VLAN firewall rules.
- Zero exposed management ports to the internet.
- WireGuard-based identity auth eliminates VPN credential leaks.
- AP mode removes redundant NAT layer and reduces attack surface.
- Added Suricata IDS with ET Open ruleset across 5 interfaces.
- Installed pfBlockerNG-devel for geo-blocking and Nmap for network scanning.
- Expanded firewall rules across all VLANs.
- Tuned Suricata alerts and suppressed false positives.
- Internal scan baseline documented with known services mapped.
- Configured dual Mullvad WireGuard tunnels with automatic gateway failover groups.
- Updated all VLAN firewall rules.
- Added temporary MGMT rule (disabled by default).
- Full firewall rule audit removed stale rules.
- Rule naming convention standardized for audit trail.
- Implemented DNS leak prevention.
- Blocked DoH/DoT bypass, enforced DNS through pfSense.
- Zero DNS leakage verified.
- Devices attempting DNS bypass logged and flagged.
- DNS filtering layers: Unbound to pfBlockerNG to upstream Mullvad/Quad9.
- Added Mullvad WireGuard VPN tunnels for encrypted outbound traffic.
- Configured NAT rules for VPN-only routing.
- Policy-based routing sends selected VLANs through VPN.
- Kill switch via firewall denies traffic if VPN drops.
- WireGuard chosen over OpenVPN for lower overhead and modern crypto.
- Initial network build.
- Established segmented VLAN architecture with pfSense firewall on Protectli hardware and Netgear managed switching.
- Added VLAN 50 for isolated lab experimentation.
- UPS added for power resilience.
- Port forwarding tightened.
- Firewall rule documentation started with descriptions on every rule.
- Configured pfSense DNS Resolver (Unbound) as network-wide DNS.
- All VLANs forced to use pfSense for DNS via DHCP and firewall redirect.
- Installed pfBlockerNG for ad blocking and malware domain filtering.
- Blocked DoH/DoT bypass on port 853 and known provider IPs.
- Expanded firewall logging for denied traffic analysis.
- Finalized VLAN architecture: VLAN 10 Management, VLAN 20 Trusted, VLAN 30 IoT, VLAN 40 Guest.
- Static DHCP reservations for critical devices.
- Alias-based firewall rules for maintainability.
- Guest network fully isolated to internet only.
- IoT VLAN restricted to outbound only with no lateral movement.
- Management VLAN locked to admin endpoints.
- Deployed Protectli Vault FW6 with 6x Intel NICs and AES-NI.
- Installed pfSense CE as full UTM firewall.
- Added Netgear managed switch with 802.1Q VLAN trunking.
- Set ISP modem to bridge mode.
- Designed initial VLAN architecture for management, trusted, IoT, and guest segments.
- Stateful firewall replaced consumer NAT with inter-VLAN traffic denied by default.
- ISP modem/router combo with consumer Wi-Fi router.
- No managed switching, single broadcast domain.
- Flat topology with all devices on one subnet.
- DHCP from ISP router with no static assignments.
- No VLANs, no segmentation, no firewall rules.
- WPA2-PSK as the only defense.
- ISP DNS with no filtering or encryption.
- No logging, monitoring, or IDS.
How I Operate
Document Everything
Every fix, every decision, every process gets written down. SOPs, KBs, and handoff packets are not optional — they are how knowledge survives beyond any single person and how teams scale without chaos.
Security is Not an Add-On
HIPAA compliance, zero-trust segmentation, and least-privilege access are built in from day one — not bolted on after a breach. I design systems where security and usability coexist, not compete.
Budget Is a Tool, Not a Limit
I read vendor contracts, research alternatives, and challenge default licensing assumptions. Whether it is tiering M365 licenses or sourcing EOL hardware replacements, I find solutions that match both technical and business goals.
Build It Like You Will Not Be There
Runbooks, escalation paths, and automation scripts exist so that the next person — or the next incident at 2am — does not start from zero. Systems should outlast the people who build them.
Let's Work Together
Looking for a System Administrator, Network Engineer, or Sr Desktop Engineer who builds systems that last.
Based in Marshall, MN. Open to local, remote, and hybrid roles. Available for immediate conversation.
Open to System Administrator, Network Engineer, and Sr Desktop Engineer roles. 12 years of experience across Healthcare, Education, and MSP environments. Brings both technical depth and budget-conscious thinking to every role.
7 Cisco Networking Academy badges earned. CCNA and CompTIA Security+ actively in progress. Home lab running since 2017.