This section is intended to discuss the security involved in Site Manager and show how these features and other features can be configured through the Site Manager interface.
Security
The various forms of network communication in Site Manager have some built in security with options for further configuring them.
Agent Communications
Communications between agent and Site Manager server are always encrypted using 256-bit AES encryption. This happens automatically, key generation, negotiation and encryption are all done without any additional configuration. In addition, a passphrase can be set in the Site Manager. This passphrase is set on any successfully connected agent and prevents any other Site Manager taking over that agent unless the new Site Manager has the same passphrase set.
The purpose of this passphrase is for use in high integrity or untrusted environments where a guarantee that only the Site Manager server that has been configured for that agent can access that agent is required.
If a passphrase has been set on an agent, it will fail to connect to a Site Manager which does not have the matching passphrase set. Reinstalling the agent will reset the passphrase.
The agent passphrase can be set in the Agent Security section of the Security settings below.
Web Interface Access
The web interface used to access the Site Manager interface can use HTTP or HTTPS. By default the Site Manager uses HTTP access but is only accessible from the computer it is installed on. This restriction can be removed in the Connection Settings section of the Settings page.
If the interface is exposed to a potentially insecure network or the internet, we recommend using HTTPS. When HTTPS is first enabled, a default self-signed certificate is used. This certificate is not recommended for use outside secure networks as it is shipped with every Site Manager installation. Any certificate in OpenSSL .PEM file format can be used in place of the built in certificate. If you have keys in a different format, the OpenSSL command line utility can convert a variety of formats. See https://www.openssl.org for details.
Configuration
To configure the settings for Site Manager, access the Settings page from the main menu:
This is divided into a number of sections which are explained in more detail below.
User Settings - User Interface
This section controls the logged in users configuration of the Site Manager Dashboard and interface.
| Option | Description |
|---|---|
| Reset dashboard layout | This option will restore the dashboard to the default layout, removing all widget layout and notification tile customization. This only applies to the currently logged in user |
| Reset table layouts | This option will remove any changes to the table layouts on all Site Manager pages. This includes moving, hiding or sorting columns. This only applies to the currently logged in user |
Systems Settings - User Interface
This section controls the configuration of the Site Manager Dashboard and interface for all users.
| Option | Description |
|---|---|
| Reset all layouts | Removes all customization for all users and resets Site Manager to default layout settings |
The Email section is divided into three subsections - SMTP Configuration for setting up server details, Notification Email for configuring where notifications (Backup start, end and others) are sent to and Backup Summary for configuring daily status emails.
SMTP Configuration
This section allows Email server settings to be configured, including security settings.
| Option | Description |
|---|---|
| Sender's Email Address | The email address the summary emails will be sent from. |
| SMTP Server | The address (DNS or IP) of the SMTP server to use for sending. |
| Connection Type and Port | The type of connection used by the SMTP server. Supported options are:
|
| Authentication | The authentication method used by the SMTP server. Supported options are:
|
| Username and Password | The username and password for the SMTP server. If left blank, no username will be used. |
| Test Email | Sends a test message to the recipients entered in the test box. If there are errors in the send, they will be reported back. |
Notification Email
This section allows the recipients and subject to be specified for notification emails. These setting are applied to any notification emails sent according to the Settings → Notifications section.
| Option | Description |
|---|---|
| Recipients' Email Addresses | Email addresses to send notification emails - may be a semicolon separated list |
| Email Subject | Subject to be set on notification emails with optional variable input |
The Email Subject can be specified using replaceable parameters.
Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:
| Parameter | Description |
|---|---|
{$servername} | Name of the Site Manager server as specified in Settings → System |
{$date} | The date in YYYYMMDD format |
{$isodate} | ISO 8601 timestamp of the date - YYYY-MM-DD |
{$notificationtype} | The type of notification. Possible types are:
|
{$agent} | Name of the Agent that triggered the notification. |
{$definitionname} | Name of the backup definition which triggered the notification. |
{$schedulename} | Name of the schedule which triggered the notification. |
{$reponame} | Name of the repository being used. |
{$backuplevel} | The backup level. Can be one of the following:
|
{$backuptype} | The type of operating being performed. Can be:
|
If a variable doesn't expand to anything and it's in a curly brace section, the whole curly brace section will be omitted. This can be used to hide extra spacing and text. For example, if the variable string
Notification - $notificationtype{ on computer $agent}
is used, it will expand to "Notification - Backup Started on computer MYCOMPUTER" for a backup start notification and "Notification - Disk Space Low" for a disk space low notification.
Backup Summary
The summary section allows configuration of daily backup summary emails as below:
The options available are:
| Option | Description | |
|---|---|---|
| Enable | This toggle can be used to turn summary emails on or off | |
| Recipients' Email Addresses | Email addresses to send notification emails - may be a semicolon separated list | |
| Send Time | The time when the daily email will be sent | |
| Email Subject | Subject of the email with optional variable input | |
| Days To Send | The days when an email will be sent | |
| Select Columns | Which columns should appear in the summary email. Changes to this section are reflected in the email preview underneath | |
| Select Options | Additional options to appear in the summary email. Changes to this section are reflected in the email preview underneath | |
| Update Available | The email will state whether a Site Manager server update is available or not | |
| Remote Sync | Inserts an additional section and table summarising Remote Sync activity | |
| Unsuccessful Backup Details Only | The backup details table will only show information for failed backups. Successful backups are briefly summarised instead | |
| Computer Warnings | Additional section detailing all computer warning information available. | |
A preview of the daily email with the selected columns is shown below the settings.
The Email Subject can be specified using replaceable parameters.
Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:
| Parameter | Description |
|---|---|
{$servername} | Name of the Site Manager server as specified in Settings → System |
{$date} | The date in YYYYMMDD format |
{$isodate} | ISO 8601 timestamp of the date - YYYY-MM-DD |
{$notificationtype} | This will be Backup Summary |
Slack
The Management Console supports sending notifications to Slack. Once configured, the types of notifications can be configured in the Notifications section, below.
| Option | Description |
|---|---|
| Enable | Toggle this to enable/disable Slack notifications. |
| Slack Incoming Webhook URL | Webhook to use to post Slack messages. This can be configured in Slack management by creating a private app. See Slack Webhooks for more information |
| Channel | Here you can specify which channel you wish to post to in Slack. You may wish to create a new channel in Slack for your notifications. |
| Test Notification | This button sends a test message the the slack channel configured above. |
Security
Here you can customize the various security options for the Management Console.
Access Restriction
This section controls general access settings to Site Manager - which network interfaces the Site Manager UI is available on and whether user login is required.. Finer control is provider under the User Permissions section.
| Option | Description |
|---|---|
| Allow Access to Site Manager without login | If enabled, any new connections to Site Manager will allow direct access without a login. This may allow unauthenticated users access to configuration and contents of backups and should only be used in a secure environment. |
| Session will expire after X minutes | Session expiry time can be set so that if the Site Manager interface is left open in a web browser, it will automatically log out after a specified number of minutes being idle. |
| Network Access | Setting this to Site Manager accessible only from localhost will make the Site Manager interface only accessible from a web browser running on the server itself. Otherwise the interface is available from any IP address. |
User Permissions
Dialogs to manage login providers and Site Manager access permissions can be accessed here. The provider manager is used to create, configure and delete login providers and the permissions manager is used to set role based user and group permissions for each provider. For more information see: Access Control.
Connection Settings
This section allows you to configure HTTP/HTTPS connection settings for the Management Console. The defaults should be fine for most installations but you may wish to provide your own SSL credentials and possibly alter the ports if they conflict with other applications on your server.
By default, Site Manager supplies a self-signed certificate for HTTPS operation. As this key is shared between all Site Manager installations, it should not be considered secure if the Site Manager server is exposed to the internet or in any sensitive deployment. In these cases, we recommend an alternate key is used.
The keys supplied must be in OpenSSL .PEM format.
Different certificate management systems and providers use different names and file extensions to identify certificate files. The Site Manager server requires files using PEM format, under any file extension. These files can be identified by opening them in a text editor:
- Valid certificate files will contain a Base64 encoded certificate in a section denoted by
-----BEGIN CERTIFICATE----- - Valid private key files will contain a Base64 encoded key in a section denoted by
-----BEGIN PRIVATE KEY----- - If both the certificate and key are in the same file, the same file should be specified for both fields in Site Manager configuration
| Option | Description |
|---|---|
| Port | The port used by the Site Manager HTTP and HTTPS servers |
| Certificate path | The public certificate to be used by the internal Site Manager HTTPS server |
| Private key path | The private key which matches the certificate specified in the Certificate path |
| Private key passphrase | If the private key file requires a passphrase to use, it can be set here |
Agent Security
This section contains additional security settings for Agent communications. It allows an additional passphrase to be set - using a passphrase means that once communication has been established with an agent on a remote computer, the remote computer will only communicate with Site Manager servers which have the same passphrase set. This is intended to prevent any rogue processes emulating a Site Manager server and gaining access to the agent on a remote computer.
If a computer is added after previously having a passphrase set, the computer will be listed as Unauthorized in the computers list. To manage the computer, either the Site Manager server must have the correct passphrase, the passphrase on the agent must be changed (Requires local administrator access to the computer) or a passphrase can be entered on the Site Manager server to allow one-off access.
Notifications
Here you can select which notifications appear in the User Interface, the Windows Event Log, over Slack or email (if configured).
Notification types
| Event | |
|---|---|
| Update Available | Sent when a software update to the Management Console is available |
| Backup | |
| Backup Start | Sent when a backup has started to run on a managed computer |
| Backup Success | Sent when a backup has completed successfully on a managed computer |
| Include Stealth Intra-daily backups | This controls whether backup success emails should include intra-daily backups with the stealth option set. These backups do not create normal log files unless an error is encountered |
Backup Fail | Sent when a backup has completed unsuccessfully on a managed computer |
| Restore | |
| Restore Start | Sent when a restore has started to run on a managed computer |
| Restore Success | Sent when a restore has completed successfully on a managed computer |
| Restore Fail | Sent when a restore has completed unsuccessfully on a managed computer |
| Remote Sync | |
| Remote Sync Start | Sent when a repository starts remote synchronization with another server |
| Remote Sync Success | Sent when remote synchronization with another server succeeds |
| Remote Sync Fail | Sent when remote synchronization with another server fails |
| Repository | |
| Low Repository Disk Space | Sent when a repository has reached a low disk space |
| Repository Uncontactable | Sent when a repository isn't available to Site Manager |
Additionally, there are options to set whether relevant backup logs should be attached to emails and how many days without a backup should be allowed before the daily summary email warns that a computer is unprotected.
Warnings
The number of days a computer can go without backups before being flagged as having an error in the dashboard, computers page and daily status email is configurable here via the Backup expiry period setting.
System
The system section contains options for modifying the behavior of the overall system. The options available are as follows:
Server Name
| Option | Description |
|---|---|
| Server Name | Allows a custom server name to be set. This server name will be shown in the title/tab bar of the browser, at the top of the Site Manager interface and in email subject lines. This allows organizations with multiple Site Manager installs to easily tell them apart. The naming options are:
|
Configuration Transfer
This section has options for backup up, downloading and restoring the Site Manager configuration:
| Option | Description |
|---|---|
| Archive | Update the configuration archive on the Site Manager server with the current Site Manager configuration. Once complete, the timestamp shown by the Download configuration option will be updated |
| Import settings | Upload a previously create Site Manager configuration backup and apply the settings to this Site Manager server. The current Site Manager configuration will be overwritten |
| Download configuration | Download the latest created archive in the browser. This can be used to provide a backup of Site Manager settings in case of server hardware error |
Log Retention
This section allows logs (both backup logs and event logs) to be automatically deleted after a number of days. This will only happen if the Keep Logs Forever option is unselected. This option will affect both the backup logs and event logs. An agent computer's copy of the backup logs will also be permanently deleted.
Any permanent deletion action on the agent back logs will occur either at mid-night (local time) or on Site Manager service restart. This is to reduce accidental changes applying instantly.
Support Information
This section allows gathering of support information and upload to Macrium servers or download as a zip file. It should only be used under the direction of Macrium Support.
Macrium Image Guardian
This section provides convenient access to the Macrium Image Guardian installers. The installers can be used to install Macrium Image Guardian on Windows computers that host repositories separately to the Site Manager server.
MultiSite
The MultiSite section controls integration with Macrium MultiSite for remote management of Site Manager. If MultiSite is enabled and the HTTPS port configured in the Security section is exposed to the internet, Site Manager can be managed by Macrium MultiSite.
The options in the MultiSite section are as follows:
| Option | Description |
|---|---|
| Enable | Enables the interface for Macrium MultiSite on the same port used for HTTPS access. This does not affect HTTPS access. |
| API Key | This key is required to authorize MultiSite to access Site Manager. |
| Copy | Copies the API key to the clipboard to make transferring it easier. |
| Generate New Key | Generates a new API key, replacing the old key. Note that if this Site Manager is managed by Macrium MultiSite, the key must be updated in MultiSite for continued access. |
The MultiSite Connection Status section will only appear if MultiSite is enabled. This section will show the current status of the Site Manager's connection to MultiSite. The Refresh button retries the MultiSite connection if there are issues.
Agent
This section controls how Site Manager agents and remote agent installation work.
Option | Description |
|---|---|
| Install Settings - Quiet Agent Install | Setting this option will change the default install options for the remote agent install to install the agent without creating desktop or start menu shortcuts. Quiet install settings will only be updated on an agent when the remote install feature is used or the agent is upgraded through Site Manager |
| Install Settings - Auto Add Agents | Site Manager will automatically add agents to the computers table (Site Configuration -> Computers) on an agents first established connection to Site Manager. Previously removed agents will not be auto added. |
| Install Settings - Auto Update | If this option is set, the server will automatically update the agents when a new version is available |
| Maximum Simultaneous Updates | This option specifies the number of updates that will be performed simultaneously |
| Install Credentials | This option allows you to set credentials which will be used to install remote agents. This is useful if the majority of computers you wish to install agents on are on a domain which is not the same one used to log in to the Site Manager server |
| Server Connection Details | To change these fields while agents are connected will cause the server to send the new details to the connected agents. When an agent receives the new details, it will drop the connection and try to reconnect to the server. If the agent is not able to reconnect or if it wasn't connected when the details were changed the details must be manually set on the agent via Agent Config tool or remote install |
| Server Connection Details - Server IP | Additional IP addresses the Agent should use to communicate with the Site Manager. Any IP addresses here will be tried before DNS name resolution or NetBIOS name resolution is attempted. |
| Server Connection Details - Server DNS | Additional DNS names the Agent should use to look up the Site Manager server IP address. Any DNS addresses here will be tried before NetBIOS name resolution is attempted. |
| Server Connection Details - TCP Port | The TCP/IP port used by Site Manager to communicate with Agents. If this is changed, the Site Manager server will update all connected Agents and restart. |
| Migrate Agents | This section allows Agents to be moved from one Site Manager server to another - the selected Agents will attempt to connect to the server using the NetBIOS, DNS or IP addresses specified and if successful, the Agent will connect to the new server and drop into the disconnected status on the current server. If the Agent cannot contact a Site Manager server using the entered network details, they will remain connected to the current Site Manager server. |
Agent Server Connection
When installed via the Remote Install feature, Agents will automatically be configured with the NetBIOS name of the Site Manager server, plus any details configured here. The Agent will try all connection details to connect to a Site Manager server.
Network
This section contains options controlling how the Site Manager server access the internet.
Proxy Settings
A proxy server may be configured here. Site Manager will use this for all HTTP/HTTPS requests to the internet.
| Option | Description |
|---|---|
| No Proxy | Site Manager will access the internet directly |
| Manual Proxy Setup - Proxy Address | This is the address and type of the proxy server to use. The proxy type is selected from a dropdown (HTTP, HTTPS and SOCKS options) |
| Manual Proxy Setup - Proxy Port | Port of the proxy server |
| Manual Proxy Setup - Proxy Username | Username used to authenticate with the proxy server |
| Manual Proxy Setup - Proxy Password | Password used to authenticate with the proxy server |
| Get Proxy Settings From Specific User | If account details for an account on the local domain or computer are entered here, the Site Manager server will attempt to read Internet Explorer proxy information from this user's profile on the Site Manager server. |
Rescue Media
This section contains options controlling how Site Manager builds rescue media.
Working Directory
The Working Directory is the folder on the Site Manager server which is used as temporary space for Rescue Media building and to store the Rescue Media ISO images.
| Option | Description |
|---|---|
| Working Directory | The path on the server to use for the Rescue Media working directory. This must be a local filesystem running NTFS. If this directory is changed, the old directory will be left intact and must be deleted manually. |
| Test | Tests that the Rescue Media working directory is accessible and writable. |
Export Drivers
Site Manager collects drivers needed to build Rescue Media from connected Agents. These drivers may be exported for use in disaster recovery by using the Export all Drivers or Export Selected Drivers options. This will copy all the drivers to the drivers\export folder in the Rescue Media working directory,
The Group extracted drivers by Agent Rescue Media configuration option places the exported drivers into subfolders based on the relevant Windows PE version for that computer - e.g. all computers which require Rescue Media based on Windows PE 10 64-bit will have their drivers exported to the drivers\export\PE10x64 folder.
This can be useful when extracting drivers to create custom rescue media.
Daily Data Export
This section controls Site Manager's creation of a number of CSV files that can be exported on a daily basis to assist in auditing, third-party integration or custom scripting.
The initial options allow the types of export to be selected and the export time. The export types are:
| Export Type | Description |
|---|---|
| Repository Contents | A list of backup images stored in each repository, along with type, path and size information |
| Repository Usage | This generates two files - one with an overview of each repository, including status, path, free space and space used by backups. The other file contains a breakdown of space used on each repository broken down by computer, including number of backups and disk space usage changes since last export. |
| Computers | A list of agent computers, along with status, last backup time and other information from the Computers page. |
| Backup Data | A list of backups attempted in the last 24-hours, including success or failure |
| Event Log | The last 24 hours of the event log |
This section configures the file and folder information for the export. The credentials used to write the files can be controlled by specifying a username, password and domain for the account. If left blank, the SYSTEM account on the Site Manager server is used.
The folder and file paths can be specified here using replaceable parameters - this allows a number of configurations, including creating each day's exports in the same place (overwriting old files), giving each day's export file a name based on the date, or placing each day's exports into a different subfolder.
Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:
| Parameter | Description |
|---|---|
{$date} | The date in YYYYMMDD format |
{$time} | The time in hhmm format |
{$isodate} | ISO 8601 timestamp of the export time - YYYY-MM-DDThhmmss |
{$servername} | Name of the Site Manager server as specified in Settings → System |
{$exporttype} | Type of export. When exporting multiple export types, this should be used to prevent each export type overwriting the other. Possible values are:
|
{$increment} | If a file already exists with the name generated, the export will overwrite the old file with the new one unless increment is used. Increment is a simple number that is incremented to create a unique file name for the export. For example, if the filename field is set to |