
This section discusses the security features of Site Manager and shows how these and other features can be configured through the Site Manager interface.


The various forms of network communication in Site Manager have some built-in security, with options for configuring them further.

Agent Communications

Communications between the agent and the Site Manager server are always encrypted using 256-bit AES encryption. This happens automatically: key generation, negotiation and encryption are all done without any additional configuration. In addition, a passphrase can be set in the Site Manager. This passphrase is set on any successfully connected agent and prevents any other Site Manager from taking over that agent unless the new Site Manager has the same passphrase set.

The passphrase is intended for high integrity or untrusted environments that require a guarantee that only the Site Manager server configured for an agent can access that agent.

If a passphrase has been set on an agent, it will fail to connect to a Site Manager which does not have the matching passphrase set. Reinstalling the agent will reset the passphrase.

The agent passphrase can be set in the Agent Security section of the Security settings below.

Web Interface Access

The web interface used to access the Site Manager interface can use HTTP or HTTPS. By default the Site Manager uses HTTP access but is only accessible from the computer it is installed on. This restriction can be removed in the Connection Settings section of the Settings page. 

If the interface is exposed to a potentially insecure network or the internet, we recommend using HTTPS. When HTTPS is first enabled, a default self-signed certificate is used. This certificate is not recommended for use outside secure networks as it is shipped with every Site Manager installation. Any certificate in OpenSSL .PEM file format can be used in place of the built in certificate. If you have keys in a different format, the OpenSSL command line utility can convert a variety of formats. See for details.


To configure the settings for Site Manager, access the Settings page from the main menu:

This is divided into a number of sections which are explained in more detail below.

User Settings - User Interface

This section controls the logged-in user's configuration of the Site Manager Dashboard and interface.

Reset dashboard layout: This option will restore the dashboard to the default layout, removing all widget layout and notification tile customization. This only applies to the currently logged in user.
Reset table layouts: This option will remove any changes to the table layouts on all Site Manager pages. This includes moving, hiding or sorting columns. This only applies to the currently logged in user.

Systems Settings - User Interface

This section controls the configuration of the Site Manager Dashboard and interface for all users.

Reset all layouts: Removes all customization for all users and resets Site Manager to default layout settings.


The Email section is divided into three subsections - SMTP Configuration for setting up server details, Notification Email for configuring where notifications (Backup start, end and others) are sent to and Backup Summary for configuring daily status emails.

SMTP Configuration 

This section allows Email server settings to be configured, including security settings.

Sender's Email Address: The email address the summary emails will be sent from.
SMTP Server: The address (DNS or IP) of the SMTP server to use for sending.
Connection Type and Port

The type of connection used by the SMTP server. Supported options are:

  • Plain Text
  • Secure Sockets (SSL/TLS)
  • Transport Layer Security (STARTTLS)

The authentication method used by the SMTP server. Supported options are:

  • None
  • Auto-Detect
  • Challenge/Response Authentication (CRAM-MD5)
  • Secure Username/Password login (AUTH LOGIN)
  • Username/Password login (AUTH PLAIN)
  • Microsoft NT LAN Manager (NTLM)
Username and Password: The username and password for the SMTP server. If left blank, no username will be used.
Test Email: Sends a test message to the recipients entered in the test box. If there are errors in the send, they will be reported back.

Notification Email

This section allows the recipients and subject to be specified for notification emails. These settings are applied to any notification emails sent according to the Settings Notifications section.

Recipients' Email Addresses: Email addresses to send notification emails - may be a semicolon separated list.
Email Subject: Subject to be set on notification emails with optional variable input.

The Email Subject can be specified using replaceable parameters.

Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:

{$servername}: Name of the Site Manager server as specified in Settings System
{$date}: The date in YYYYMMDD format
{$isodate}: ISO 8601 timestamp of the date - YYYY-MM-DD

The type of notification. Possible types are:

  • Backup Successful
  • Backup Failed
  • Backup Started
  • Intra-daily Backup Successful
  • Update Found
  • Testing Slack
  • Testing Email
  • Remote Synchronization Started
  • Remote Synchronization Successful
  • Remote Synchronization Failed
  • Restore Started
  • Restore Successful
  • Restore Failed
  • Disk Space Low
  • Repository Uncontactable

Name of the Agent that triggered the notification.

{$definitionname}: Name of the backup definition which triggered the notification.
{$schedulename}: Name of the schedule which triggered the notification.
{$reponame}: Name of the repository being used.

The backup level. Can be one of the following:

  • Full
  • Differential
  • Incremental

The type of operation being performed. Can be:

  • Image
  • Image Restore
  • File and Folder Backup
  • File and Folder Restore
  • Exchange Backup
  • Exchange Restore
  • SQL Backup
  • SQL Restore
  • Clone

If a variable doesn't expand to anything and it's in a curly brace section, the whole curly brace section will be omitted. This can be used to hide extra spacing and text. For example, if the variable string

Notification - $notificationtype{ on computer $agent}

is used, it will expand to "Notification - Backup Started on computer MYCOMPUTER" for a backup start notification and "Notification - Disk Space Low" for a disk space low notification.
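The expansion rule described above, as an added example (not Macrium's code) that previews a subject template and flags parameter names that are not documented here. The `expand` and `unknown_parameters` helpers are hypothetical, and the handling of unset bare variables and of brace sections is an assumption based on the description above.

```python
import re

# Parameter names shown on this page for notification email subjects. The page
# describes two more (backup level, operation type) whose names are not shown.
KNOWN = {"servername", "date", "isodate", "notificationtype", "agent",
         "definitionname", "schedulename", "reponame"}

VAR = re.compile(r"\$([a-z]+)")
# One token is either a curly-brace section or a bare $variable.
TOKEN = re.compile(r"\{([^{}]*)\}|\$([a-z]+)")


def expand(template: str, values: dict) -> str:
    """Expand a subject template in a single pass.

    Assumed semantics: a bare variable with no value becomes "", and a
    curly-brace section is dropped if any variable inside it has no value.
    """
    def token(match):
        if match.group(2) is not None:           # bare $variable
            return values.get(match.group(2), "")
        section = match.group(1)                 # text between { and }
        if any(not values.get(name) for name in VAR.findall(section)):
            return ""
        return VAR.sub(lambda m: values[m.group(1)], section)

    # re.sub never rescans replacement text, so a "$" inside a value
    # (an agent name, say) is kept literally and not expanded again.
    return TOKEN.sub(token, template)


def unknown_parameters(template: str, known=KNOWN) -> list:
    """Return variable names used in the template that are not in `known`."""
    return sorted(set(VAR.findall(template)) - set(known))


SUBJECT = "Notification - $notificationtype{ on computer $agent}"  # from the page

if __name__ == "__main__":
    print(expand(SUBJECT, {"notificationtype": "Backup Started",
                           "agent": "MYCOMPUTER"}))
    print(expand(SUBJECT, {"notificationtype": "Disk Space Low"}))
    # Constructed template with a misspelt parameter name.
    print(unknown_parameters("{$servername}: $notifcationtype"))
```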

Backup Summary

The summary section allows configuration of daily backup summary emails as below:

The options available are: 

Enable: This toggle can be used to turn summary emails on or off.
Recipients' Email Addresses: Email addresses to send notification emails - may be a semicolon separated list.
Send Time: The time when the daily email will be sent.
Email Subject: Subject of the email with optional variable input.
Days To Send: The days when an email will be sent.
Select Columns: Which columns should appear in the summary email. Changes to this section are reflected in the email preview underneath.
Select Options: Additional options to appear in the summary email. Changes to this section are reflected in the email preview underneath.
Update Available: The email will state whether a Site Manager server update is available or not.
Remote Sync: Inserts an additional section and table summarising Remote Sync activity.
Unsuccessful Backup Details Only: The backup details table will only show information for failed backups. Successful backups are briefly summarised instead.
Computer Warnings: Additional section detailing all computer warning information available.

A preview of the daily email with the selected columns is shown below the settings.

The Email Subject can be specified using replaceable parameters.

Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:

{$servername}: Name of the Site Manager server as specified in Settings System
{$date}: The date in YYYYMMDD format
{$isodate}: ISO 8601 timestamp of the date - YYYY-MM-DD
{$notificationtype}: This will be Backup Summary


The Management Console supports sending notifications to Slack. Once configured, the types of notifications can be configured in the Notifications section, below.

Enable: Toggle this to enable/disable Slack notifications.
Slack Incoming Webhook URL: Webhook to use to post Slack messages. This can be configured in Slack management by creating a private app. See Slack Webhooks for more information.
Channel: Here you can specify which channel you wish to post to in Slack. You may wish to create a new channel in Slack for your notifications.
Test Notification: This button sends a test message to the Slack channel configured above.


Here you can customize the various security options for the Management Console.

Access Restriction

This section controls general access settings to Site Manager - which network interfaces the Site Manager UI is available on and whether user login is required. Finer control is provided under the User Permissions section.

Allow Access to Site Manager without login

If enabled, any new connections to Site Manager will allow direct access without a login. This may allow unauthenticated users access to configuration and contents of backups and should only be used in a secure environment.

Session will expire after X minutes: Session expiry time can be set so that if the Site Manager interface is left open in a web browser, it will automatically log out after a specified number of minutes being idle.
Network Access: Setting this to Site Manager accessible only from localhost will make the Site Manager interface only accessible from a web browser running on the server itself. Otherwise the interface is available from any IP address.

User Permissions

Dialogs to manage login providers and Site Manager access permissions can be accessed here. The provider manager is used to create, configure and delete login providers and the permissions manager is used to set role based user and group permissions for each provider. For more information see: Access Control

Connection Settings

This section allows you to configure HTTP/HTTPS connection settings for the Management Console. The defaults should be fine for most installations but you may wish to provide your own SSL credentials and possibly alter the ports if they conflict with other applications on your server.

By default, Site Manager supplies a self-signed certificate for HTTPS operation. As this key is shared between all Site Manager installations, it should not be considered secure if the Site Manager server is exposed to the internet or in any sensitive deployment. In these cases, we recommend an alternate key is used.

The keys supplied must be in OpenSSL .PEM format.

Different certificate management systems and providers use different names and file extensions to identify certificate files. The Site Manager server requires files using PEM format, under any file extension. These files can be identified by opening them in a text editor:

  • Valid certificate files will contain a Base64 encoded certificate in a section denoted by -----BEGIN CERTIFICATE-----
  • Valid private key files will contain a Base64 encoded key in a section denoted by -----BEGIN PRIVATE KEY-----
  • If both the certificate and key are in the same file, the same file should be specified for both fields in Site Manager configuration
Port: The port used by the Site Manager HTTP and HTTPS servers.
Certificate path: The public certificate to be used by the internal Site Manager HTTPS server.
Private key path: The private key which matches the certificate specified in the Certificate path.
Private key passphrase: If the private key file requires a passphrase to use, it can be set here.
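The text-editor check described above can also be done programmatically. The following is an added example, not part of Site Manager: it classifies the blocks in a candidate file and reports what the Certificate path, Private key path and Private key passphrase fields would need. The function names and the sample data are constructed for illustration, and accepting the traditional RSA/EC and encrypted key labels is an assumption.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)
# "PRIVATE KEY" is the marker the page names. The other two are traditional
# OpenSSL labels; treating them as usable keys is an assumption of this example.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def classify_pem(data: bytes) -> dict:
    """Count the certificate and key blocks in a candidate file."""
    found = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0,
             "other": [], "problems": []}
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER, not PEM
        found["problems"].append("binary DER file; convert it to PEM")
        return found
    try:
        text = data.decode("ascii").replace("\r\n", "\n")
    except UnicodeDecodeError:
        found["problems"].append("not ASCII text, so not PEM")
        return found
    for label, body in PEM_BLOCK.findall(text):
        # Traditional encrypted keys carry headers, a blank line, then Base64.
        legacy_encrypted = body.startswith("Proc-Type: 4,ENCRYPTED")
        payload = body.split("\n\n", 1)[-1] if legacy_encrypted else body
        try:
            der = base64.b64decode("".join(payload.split()), validate=True)
        except binascii.Error:
            found["problems"].append(f"{label}: body is not valid Base64")
            continue
        if label == "ENCRYPTED PRIVATE KEY" or (legacy_encrypted and label in KEY_LABELS):
            found["encrypted_keys"] += 1
        elif not der.startswith(b"\x30"):
            found["problems"].append(f"{label}: body is not a DER structure")
        elif label == "CERTIFICATE":
            found["certificates"] += 1
        elif label in KEY_LABELS:
            found["private_keys"] += 1
        else:
            found["other"].append(label)
    return found


def check_settings(cert_data: bytes, key_data: bytes, passphrase_set: bool) -> list:
    """Findings for the Certificate path / Private key path pair (empty = OK)."""
    cert, key = classify_pem(cert_data), classify_pem(key_data)
    findings = [f"certificate file: {p}" for p in cert["problems"]]
    if key_data != cert_data:  # same file given for both fields: report once
        findings += [f"key file: {p}" for p in key["problems"]]
    if cert["certificates"] == 0:
        findings.append("certificate file: no CERTIFICATE block")
    if key["private_keys"] + key["encrypted_keys"] == 0:
        findings.append("key file: no private key block")
    if key["encrypted_keys"] and not passphrase_set:
        findings.append("key file: key is encrypted; set the private key passphrase")
    return findings


def make_pem(label: str, payload: bytes) -> bytes:
    """Wrap placeholder bytes in a PEM block (constructed, not real key material)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()


PLACEHOLDER_DER = b"\x30\x03\x02\x01\x00"  # constructed: SEQUENCE { INTEGER 0 }
SAMPLE_CERT = make_pem("CERTIFICATE", PLACEHOLDER_DER)
SAMPLE_KEY = make_pem("PRIVATE KEY", PLACEHOLDER_DER)
SAMPLE_ENCRYPTED_KEY = make_pem("ENCRYPTED PRIVATE KEY", PLACEHOLDER_DER)
SAMPLE_COMBINED = SAMPLE_CERT + SAMPLE_KEY  # one file used for both fields

if __name__ == "__main__":
    print(check_settings(SAMPLE_COMBINED, SAMPLE_COMBINED, False))
    print(check_settings(SAMPLE_CERT, SAMPLE_ENCRYPTED_KEY, False))
    print(check_settings(PLACEHOLDER_DER, SAMPLE_KEY, False))
```

The check is structural only: it does not confirm that the private key belongs to the certificate, which needs OpenSSL or a cryptography library.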

Agent Security

This section contains additional security settings for Agent communications. It allows an additional passphrase to be set - using a passphrase means that once communication has been established with an agent on a remote computer, the remote computer will only communicate with Site Manager servers which have the same passphrase set. This is intended to prevent any rogue processes emulating a Site Manager server and gaining access to the agent on a remote computer. 

If a computer is added after previously having a passphrase set, the computer will be listed as Unauthorized in the computers list. To manage the computer, either the Site Manager server must have the correct passphrase, the passphrase on the agent must be changed (requires local administrator access to the computer), or a passphrase can be entered on the Site Manager server to allow one-off access.


Here you can select which notifications appear in the User Interface, the Windows Event Log, over Slack or email (if configured). 

Notification types

Update Available: Sent when a software update to the Management Console is available.
Backup Start: Sent when a backup has started to run on a managed computer.
Backup Success: Sent when a backup has completed successfully on a managed computer.
Include Stealth Intra-daily backups: This controls whether backup success emails should include intra-daily backups with the stealth option set. These backups do not create normal log files unless an error is encountered.
Backup Fail: Sent when a backup has completed unsuccessfully on a managed computer.
Restore Start: Sent when a restore has started to run on a managed computer.
Restore Success: Sent when a restore has completed successfully on a managed computer.
Restore Fail: Sent when a restore has completed unsuccessfully on a managed computer.
Remote Sync
Remote Sync Start: Sent when a repository starts remote synchronization with another server.
Remote Sync Success: Sent when remote synchronization with another server succeeds.
Remote Sync Fail: Sent when remote synchronization with another server fails.
Low Repository Disk Space: Sent when a repository has reached a low disk space.
Repository Uncontactable: Sent when a repository isn't available to Site Manager.

Additionally, there are options to set whether relevant backup logs should be attached to emails and how many days without a backup should be allowed before the daily summary email warns that a computer is unprotected.


The number of days a computer can go without backups before being flagged as having an error in the dashboard, computers page and daily status email is configurable here via the Backup expiry period setting.


The system section contains options for modifying the behavior of the overall system. The options available are as follows:

Server Name


Allows a custom server name to be set. This server name will be shown in the title/tab bar of the browser, at the top of the Site Manager interface and in email subject lines.

This allows organizations with multiple Site Manager installs to easily tell them apart. The naming options are:

  • Do not display a name - this is the default setting
  • Display the server Computer name - uses the NetBIOS name of the server
  • Display a custom name - the name entered in the Custom Name field will be used

Configuration Transfer

This section has options for backing up, downloading and restoring the Site Manager configuration:

Archive: Update the configuration archive on the Site Manager server with the current Site Manager configuration. Once complete, the timestamp shown by the Download configuration option will be updated.
Import settings: Upload a previously created Site Manager configuration backup and apply the settings to this Site Manager server. The current Site Manager configuration will be overwritten.
Download configuration: Download the latest created archive in the browser. This can be used to provide a backup of Site Manager settings in case of server hardware error.

Log Retention

This section allows logs (both backup logs and event logs) to be automatically deleted after a number of days. This will only happen if the Keep Logs Forever option is unselected. This option will affect both the backup logs and event logs. An agent computer's copy of the backup logs will also be permanently deleted.

Any permanent deletion action on the agent backup logs will occur either at midnight (local time) or on Site Manager service restart. This is to reduce accidental changes applying instantly.

Support Information

This section allows gathering of support information and upload to Macrium servers or download as a zip file. It should only be used under the direction of Macrium Support.

Macrium Image Guardian 

This section provides convenient access to the Macrium Image Guardian installers. The installers can be used to install Macrium Image Guardian on Windows computers that host repositories separately to the Site Manager server.


The MultiSite section controls integration with Macrium MultiSite for remote management of Site Manager. If MultiSite is enabled and the HTTPS port configured in the Security section is exposed to the internet, Site Manager can be managed by Macrium MultiSite.

The options in the MultiSite section are as follows:

Enable: Enables the interface for Macrium MultiSite on the same port used for HTTPS access. This does not affect HTTPS access.
API Key: This key is required to authorize MultiSite to access Site Manager.
Copy: Copies the API key to the clipboard to make transferring it easier.
Generate New Key: Generates a new API key, replacing the old key. Note that if this Site Manager is managed by Macrium MultiSite, the key must be updated in MultiSite for continued access.

The MultiSite Connection Status section will only appear if MultiSite is enabled. This section will show the current status of the Site Manager's connection to MultiSite. The Refresh button retries the MultiSite connection if there are issues. 


This section controls how Site Manager agents and remote agent installation work.


Install Settings - Quiet Agent Install: Setting this option will change the default install options for the remote agent install to install the agent without creating desktop or start menu shortcuts. Quiet install settings will only be updated on an agent when the remote install feature is used or the agent is upgraded through Site Manager.
Install Settings - Auto Add Agents: Site Manager will automatically add agents to the computers table (Site Configuration -> Computers) on an agent's first established connection to Site Manager. Previously removed agents will not be auto added.
Install Settings - Auto Update: If this option is set, the server will automatically update the agents when a new version is available.
Maximum Simultaneous Updates: This option specifies the number of updates that will be performed simultaneously.
Install Credentials: This option allows you to set credentials which will be used to install remote agents. This is useful if the majority of computers you wish to install agents on are on a domain which is not the same one used to log in to the Site Manager server.
Server Connection Details: Changing these fields while agents are connected will cause the server to send the new details to the connected agents. When an agent receives the new details, it will drop the connection and try to reconnect to the server. If the agent is not able to reconnect, or if it wasn't connected when the details were changed, the details must be manually set on the agent via the Agent Config tool or remote install.
Server Connection Details - Server IP: Additional IP addresses the Agent should use to communicate with the Site Manager. Any IP addresses here will be tried before DNS name resolution or NetBIOS name resolution is attempted.
Server Connection Details - Server DNS: Additional DNS names the Agent should use to look up the Site Manager server IP address. Any DNS addresses here will be tried before NetBIOS name resolution is attempted.
Server Connection Details - TCP Port: The TCP/IP port used by Site Manager to communicate with Agents. If this is changed, the Site Manager server will update all connected Agents and restart.
Migrate Agents: This section allows Agents to be moved from one Site Manager server to another - the selected Agents will attempt to connect to the server using the NetBIOS, DNS or IP addresses specified and if successful, the Agent will connect to the new server and drop into the disconnected status on the current server. If the Agent cannot contact a Site Manager server using the entered network details, they will remain connected to the current Site Manager server.

Agent Server Connection

When installed via the Remote Install feature, Agents will automatically be configured with the NetBIOS name of the Site Manager server, plus any details configured here. The Agent will try all connection details to connect to a Site Manager server.


This section contains options controlling how the Site Manager server accesses the internet.

Proxy Settings

A proxy server may be configured here. Site Manager will use this for all HTTP/HTTPS requests to the internet.

No Proxy: Site Manager will access the internet directly.
Manual Proxy Setup - Proxy Address: This is the address and type of the proxy server to use. The proxy type is selected from a dropdown (HTTP, HTTPS and SOCKS options).
Manual Proxy Setup - Proxy Port: Port of the proxy server.
Manual Proxy Setup - Proxy Username: Username used to authenticate with the proxy server.
Manual Proxy Setup - Proxy Password: Password used to authenticate with the proxy server.
Get Proxy Settings From Specific User: If account details for an account on the local domain or computer are entered here, the Site Manager server will attempt to read Internet Explorer proxy information from this user's profile on the Site Manager server.

Rescue Media

This section contains options controlling how Site Manager builds rescue media.

Working Directory

The Working Directory is the folder on the Site Manager server which is used as temporary space for Rescue Media building and to store the Rescue Media ISO images.

Working Directory: The path on the server to use for the Rescue Media working directory. This must be a local filesystem running NTFS. If this directory is changed, the old directory will be left intact and must be deleted manually.
Test: Tests that the Rescue Media working directory is accessible and writable.

Export Drivers

Site Manager collects drivers needed to build Rescue Media from connected Agents. These drivers may be exported for use in disaster recovery by using the Export all Drivers or Export Selected Drivers options. This will copy all the drivers to the drivers\export folder in the Rescue Media working directory.

The Group extracted drivers by Agent Rescue Media configuration option places the exported drivers into subfolders based on the relevant Windows PE version for that computer - e.g. all computers which require Rescue Media based on Windows PE 10 64-bit will have their drivers exported to the drivers\export\PE10x64 folder. 

This can be useful when extracting drivers to create custom rescue media.

Daily Data Export

This section controls Site Manager's creation of a number of CSV files that can be exported on a daily basis to assist in auditing, third-party integration or custom scripting.

The initial options allow the types of export to be selected and the export time. The export types are:

Export Type: Description
Repository Contents: A list of backup images stored in each repository, along with type, path and size information.
Repository Usage: This generates two files - one with an overview of each repository, including status, path, free space and space used by backups. The other file contains a breakdown of space used on each repository broken down by computer, including number of backups and disk space usage changes since last export.
Computers: A list of agent computers, along with status, last backup time and other information from the Computers page.
Backup Data: A list of backups attempted in the last 24 hours, including success or failure.
Event Log: The last 24 hours of the event log.

This section configures the file and folder information for the export. The credentials used to write the files can be controlled by specifying a username, password and domain for the account. If left blank, the SYSTEM account on the Site Manager server is used.

The folder and file paths can be specified here using replaceable parameters - this allows a number of configurations, including creating each day's exports in the same place (overwriting old files), giving each day's export file a name based on the date, or placing each day's exports into a different subfolder.

Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:

{$date}: The date in YYYYMMDD format
{$time}: The time in hhmm format
{$isodate}: ISO 8601 timestamp of the export time - YYYY-MM-DDThhmmss
{$servername}: Name of the Site Manager server as specified in Settings System

Type of export. When exporting multiple export types, this should be used to prevent each export type overwriting the other. Possible values are:

  • Repository Contents
  • Repository Status
  • Repository Changes
  • Computers
  • Backup Data
  • Event Log

If a file already exists with the name generated, the export will overwrite the old file with the new one unless increment is used. Increment is a simple number that is incremented to create a unique file name for the export. 

For example, if the filename field is set to filename.csv, the old file will be overwritten each day. If the field is set to filename-{$increment}.csv, the first day's export will create the file export-1.csv, the second day will create export-2.csv, etc.
