This section discusses the security features of Site Manager and shows how these and other features can be configured through the Site Manager interface.
The various forms of network communication in Site Manager have some built-in security, with options for configuring them further.
Communications between agent and Site Manager server are always encrypted using 256-bit AES encryption. This happens automatically: key generation, negotiation and encryption are all done without any additional configuration. In addition, a passphrase can be set in the Site Manager. This passphrase is set on any successfully connected agent and prevents any other Site Manager taking over that agent unless the new Site Manager has the same passphrase set.
The passphrase is intended for high-integrity or untrusted environments that require a guarantee that only the Site Manager server configured for an agent can access that agent.
If a passphrase has been set on an agent, it will fail to connect to a Site Manager which does not have the matching passphrase set. Reinstalling the agent will reset the passphrase.
The agent passphrase can be set in the Agent Security section of the Security settings below.
Web Interface Access
The web interface used to access the Site Manager interface can use HTTP or HTTPS. By default the Site Manager uses HTTP access but is only accessible from the computer it is installed on. This restriction can be removed in the Connection Settings section of the Settings page.
If the interface is exposed to a potentially insecure network or the internet, we recommend using HTTPS. When HTTPS is first enabled, a default self-signed certificate is used. This certificate is not recommended for use outside secure networks as it is shipped with every Site Manager installation. Any certificate in OpenSSL .PEM file format can be used in place of the built-in certificate. If you have keys in a different format, the OpenSSL command line utility can convert a variety of formats. See https://www.openssl.org for details.
To configure the settings for Site Manager, access the Settings page from the main menu:
This is divided into a number of sections, which are explained in more detail below.
The Email section is divided into two subsections - SMTP Configuration for setting up server details and Backup Summary for configuring which emails are sent automatically.
This section allows Email server settings to be configured, including security settings.
|Recipients' Email Addresses||A semicolon separated list of email addresses which status emails will be sent to.|
|Sender's Email Address||The email address the summary emails will be sent from.|
|Subject||Text which should be added to the subject line of each email - this can be used to help differentiate emails from multiple Site Manager installations|
|SMTP Server||The address (DNS or IP) of the SMTP server to use for sending.|
|Connection Type and Port|
The type of connection used by the SMTP server. Supported options are:
The authentication method used by the SMTP server. Supported options are:
|Username and Password||The username and password for the SMTP server. If left blank, no username will be used.|
|Test Email||Sends a test message to the recipients entered in the test box. If there are errors in the send, they will be reported back.|
The summary section allows configuration of daily backup summary emails as below:
The options available are:
|Enable||This toggle can be used to turn summary emails on or off|
|Email Subject||Subject of the email|
|Send Time||The time when the daily email will be sent|
|Select Columns||Which columns should appear in the summary email. Changes to this section are reflected in the email preview underneath|
A preview of the daily email with the selected columns is shown below the
The Management Console supports sending notifications to Slack. Once configured, the types of notifications can be configured in the Notifications section, below.
|Enable||Toggle this to enable/disable Slack notifications.|
|Slack Incoming Webhook URL||Webhook to use to post Slack messages. This can be configured in Slack management by creating a private app. See Slack Webhooks for more information|
|Channel||Here you can specify which channel you wish to post to in Slack. You may wish to create a new channel in Slack for your notifications.|
|Test Notification||This button sends a test message to the Slack channel configured above.|
Here you can customize the various security options for the Management Console.
This section controls how permissive Site Manager is with respect to who can access the dashboard and from where. Finer control is provided under the User Permissions section.
Here you have the option to enable/disable the login prompt for new sessions connecting to the Management Console.
Session expiry time can also be set to ensure that if the Site Manager interface is left open in a web browser, it will automatically log out after being idle for a specified number of minutes.
|Network Access||Here you can restrict network access to the Site Manager web UI to the server computer only or allow other computers to connect.|
Dialogs to manage login providers and Site Manager access permissions can be accessed here. The provider manager is used to create, configure and delete login providers and the permissions manager is used to set permissions for each provider. For more information see: Access Control.
This section allows you to configure HTTP/HTTPS connection settings for the Management Console. The defaults should be fine for most installations but you may wish to provide your own SSL credentials and possibly alter the ports if they conflict with other applications on your server.
The main choice here is whether you wish to use HTTPS or plain HTTP.
By default, Site Manager supplies a self-signed certificate for HTTPS operation. As this key is shared between all Site Manager installations, it should not be considered secure if the Site Manager server is exposed to the internet or in any sensitive deployment. In these cases, we recommend an alternate key is used.
The keys supplied must be in OpenSSL .PEM format.
|Port||You can change the communication port for both HTTP & HTTPS independently.|
|Certificate path||You may wish to use your company SSL certificate to prevent browser warnings when using HTTPS.|
|Private key path||If you change the SSL certificate you will need to provide the matching Private Key file.|
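Before entering a Certificate path and Private key path, the pair can be checked with the OpenSSL command line utility: that the certificate is PEM, that the private key matches it, and that it has not expired. This is an added example, not part of the product documentation; it assumes a POSIX shell with `openssl` on the PATH and an unencrypted key, and the function names, file names and sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code; function and file names are hypothetical.

# Succeeds if FILE is a PEM-encoded X.509 certificate (text armor + parses).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Converts a binary DER certificate ($1) to a PEM file ($2).
der_cert_to_pem() {
    openssl x509 -in "$1" -inform DER -outform PEM -out "$2" 2>/dev/null
}

# Succeeds if private key $2 belongs to certificate $1: the public key in the
# certificate must equal the one derived from the key. Assumes an unencrypted
# key; "-passin pass:" only stops openssl prompting if the key is encrypted.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -inform PEM -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if certificate $1 is still valid $2 seconds from now.
valid_for() {
    openssl x509 -in "$1" -inform PEM -noout -checkend "$2" >/dev/null 2>&1
}

# Full pre-flight check for a certificate path / private key path pair.
preflight() {
    is_pem_cert "$1" && key_matches_cert "$1" "$2" && valid_for "$1" 0
}

# Constructed sample data in directory $1: a 30-day self-signed pair,
# an unrelated key, and a DER copy of the certificate.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=sitemanager.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other-key.pem" 2048 2>/dev/null &&
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
}

dir=$(mktemp -d) && make_samples "$dir"
preflight "$dir/cert.pem" "$dir/key.pem" && echo "matching pair: accepted"
preflight "$dir/cert.pem" "$dir/other-key.pem" || echo "wrong key: rejected"
preflight "$dir/cert.der" "$dir/key.pem" || echo "DER certificate: rejected"
der_cert_to_pem "$dir/cert.der" "$dir/conv.pem" &&
    preflight "$dir/conv.pem" "$dir/key.pem" && echo "converted DER: accepted"
rm -rf "$dir"
```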
This section contains additional security settings for Agent communications. It allows an additional passphrase to be set - using a passphrase means that once communication has been established with an agent on a remote computer, the remote computer will only communicate with Site Manager servers which have the same passphrase set. This is intended to prevent any rogue processes emulating a Site Manager server and gaining access to the agent on a remote computer.
If a computer is added after previously having a passphrase set, the computer will be listed as Unauthorized in the computers list. To manage the computer, the Site Manager server must have the correct passphrase, the passphrase on the agent must be changed (requires local administrator access to the computer), or a passphrase can be entered on the Site Manager server to allow one-off access.
Here you can select which notifications appear in the User Interface, the Windows Event Log, over Slack or email (if configured).
The options available are:
- Update available - sent when a software update to the Management Console is available.
- Backup Start - sent when a backup has started to run on a managed computer
- Backup Success - sent when a backup has completed successfully on a managed computer
- Backup Fail - sent when a backup has completed unsuccessfully on a managed computer
- Restore Start - sent when a restore has started to run on a managed computer
- Restore Success - sent when a restore has completed successfully on a managed computer
- Restore Fail - sent when a restore has completed unsuccessfully on a managed computer
- Remote Sync Start - sent when a repository starts remote synchronization with another server
- Remote Sync Success - sent when remote synchronization with another server succeeds
- Remote Sync Fail - sent when remote synchronization with another server fails
Additionally, there are options to set whether relevant backup logs should be attached to emails and how many days without a backup should be allowed before the daily summary email warns that a computer is unprotected.
The number of days a computer can go without backups before being added to the dashboard and daily status email as a computer with a warning is configurable here via the Backup expiry period setting.
The system section contains options for modifying the behavior of the overall system. The options available are as follows:
Allows a custom server name to be set. This server name will be shown in the title/tab bar of the browser, at the top of the CMC interface and in email subject lines.
This allows organisations with multiple CMC installs to easily tell them apart. The naming options are:
This section has options for backing up, downloading and restoring the Site Manager configuration:
|Archive||Update the configuration archive on the Site Manager server with the current Site Manager configuration. Once complete, the timestamp shown by the Download configuration option will be updated|
|Import settings||Upload a previously created Site Manager configuration backup and apply the settings to this Site Manager server. The current Site Manager configuration will be overwritten|
|Download configuration||Download the latest created archive in the browser. This can be used to provide a backup of Site Manager settings in case of server hardware error|
This section allows logs (both backup logs and event logs) to be automatically deleted after a number of days. This will only happen if the Keep Logs Forever option is unselected.
The Remote Management section controls integration with Macrium MultiSite. If remote access is enabled and the HTTPS port configured in the Security section is exposed to the internet, the Site Manager can be managed by Macrium MultiSite.
The options in the Remote Management section are as follows:
|Enable||Enables the remote management interface for Macrium MultiSite on the same port used for HTTPS access. This does not affect HTTPS access.|
|API Key||This key is required to authorize MultiSite to access the Site Manager.|
|Copy||Copies the API key to the clipboard to make transferring it easier.|
|Generate New Key||Generates a new API key, replacing the old key. Note that if this Site Manager is managed by Macrium MultiSite, the key must be updated in MultiSite for continued access.|
The MultiSite Connection Status section will only appear if Remote Management is enabled. This section will show the current status of the Site Manager's connection to MultiSite. The Refresh button retries the MultiSite connection if there are issues.
This section controls the per-user configuration of the Site Manager Dashboard and interface.
|Reset dashboard layout||This option will restore the dashboard to the default layout, removing all widget layout and notification tile customization. This only applies to the currently logged in user|
|Reset table layouts||This option will remove any changes to the table layouts on all Site Manager pages. This includes moving, hiding or sorting columns. This only applies to the currently logged in user|
|Reset all layouts||Removes all customization for all users and resets Site Manager to default layout settings|
This section controls how Site Manager agents and remote agent installation work.
|Install Settings - Quiet Agent Install||Setting this option will change the default install options for the remote agent install to install the agent without creating desktop or start menu shortcuts. Quiet install settings will only be updated on an agent when the remote install feature is used or the agent is upgraded through Site Manager|
|Install Settings - Auto Update||If this option is set, the server will automatically update the agents when a new version is available|
|Maximum Simultaneous Updates||This option specifies the number of updates that will be performed simultaneously|
This option allows you to set credentials which will be used to install remote agents. This is useful if the majority of computers you wish to install agents on are on a domain which is not the same one used to log in to the Site Manager server.
|Server Connection Details||Changing these fields while agents are connected will cause the server to send the new details to the connected agents. When an agent receives the new details, it will drop the connection and try to reconnect to the server. If the agent is not able to reconnect, or if it wasn't connected when the details were changed, the details must be manually set on the agent via the Agent Config tool or remote install|
|Server Connection Details - Server IP|
Additional IP addresses the Agent should use to communicate with the Site Manager. Any IP addresses here will be tried before DNS name resolution or NetBIOS name resolution is attempted.
|Server Connection Details - Server DNS||Additional DNS names the Agent should use to look up the Site Manager server IP address. Any DNS addresses here will be tried before NetBIOS name resolution is attempted.|
|Server Connection Details - TCP Port||The TCP/IP port used by Site Manager to communicate with Agents. If this is changed, the Site Manager server will update all connected Agents and restart.|
Agent Server Connection
When installed via the Remote Install feature, Agents will automatically be configured with the NetBIOS name of the Site Manager server. The Agent will attempt to resolve the NetBIOS to an IP address and connect to the Site Manager server.
Additional IP addresses or DNS names may be configured to allow Agents to connect. The Agent will try all IPs and names to connect to Site Manager until it finds one which works.
This section contains options controlling how the Site Manager server accesses the internet.
A proxy server may be configured here. Site Manager will use this for all HTTP/HTTPS requests to the internet.
|No Proxy||Site Manager will access the internet directly|
|Manual Proxy Setup - Proxy Address||This is the address and type of the proxy server to use. The proxy type is selected from a dropdown (HTTP, HTTPS and SOCKS options)|
|Manual Proxy Setup - Proxy Port||Port of the proxy server|
|Manual Proxy Setup - Proxy Username||Username used to authenticate with the proxy server|
|Manual Proxy Setup - Proxy Password||Password used to authenticate with the proxy server|
|Get Proxy Settings From Specific User||If account details for an account on the local domain or computer are entered here, the Site Manager server will attempt to read Internet Explorer proxy information from this user's profile on the Site Manager server.|
This section contains options controlling how Site Manager builds rescue media.
The Working Directory is the folder on the Site Manager server which is used as temporary space for Rescue Media building and to store the Rescue Media ISO images.
The path on the server to use for the Rescue Media working directory. This must be a local filesystem running NTFS.
If this directory is changed, the old directory will be left intact and must be deleted manually.
|Test||Tests that the Rescue Media working directory is accessible and writable.|
Site Manager collects drivers needed to build Rescue Media from connected Agents. These drivers may be exported for use in disaster recovery by using the Export all Drivers or Export Selected Drivers options. This will copy all the drivers to the drivers\export folder in the Rescue Media working directory.
The Group extracted drivers by Agent Rescue Media configuration option places the exported drivers into subfolders based on the relevant Windows PE version for that computer - e.g. all computers which require Rescue Media based on Windows PE 10 64-bit will have their drivers exported to the drivers\export\PE10x64 folder.
This can be useful when extracting drivers to create custom rescue media.