This section discusses the security features of Site Manager and shows how these and other features can be configured through the Site Manager interface.


Security

The various forms of network communication in Site Manager have some built-in security, with options for configuring them further.

Agent Communications

Communications between agent and Site Manager server are always encrypted using 256-bit AES encryption. This happens automatically: key generation, negotiation and encryption are all done without any additional configuration. In addition, a passphrase can be set in the Site Manager. This passphrase is set on any successfully connected agent and prevents any other Site Manager from taking over that agent unless the new Site Manager has the same passphrase set.

The passphrase is intended for high-integrity or untrusted environments that require a guarantee that only the Site Manager server configured for an agent can access that agent.

If a passphrase has been set on an agent, it will fail to connect to a Site Manager which does not have the matching passphrase set. Reinstalling the agent will reset the passphrase.

The agent passphrase can be set in the Agent Security section of the Security settings below.

Web Interface Access

The web interface used to access the Site Manager interface can use HTTP or HTTPS. By default the Site Manager uses HTTP access but is only accessible from the computer it is installed on. This restriction can be removed in the Connection Settings section of the Settings page. 

If the interface is exposed to a potentially insecure network or the internet, we recommend using HTTPS. When HTTPS is first enabled, a default self-signed certificate is used. This certificate is not recommended for use outside secure networks as it is shipped with every Site Manager installation. Any certificate in OpenSSL .PEM file format can be used in place of the built-in certificate. If you have keys in a different format, the OpenSSL command line utility can convert a variety of formats. See https://www.openssl.org for details.

Configuration

To configure the settings for Site Manager, access the Settings page from the main menu:

The Settings page is divided into a number of sections, which are explained in more detail below.

Email

The Email section is divided into two subsections - SMTP Configuration for setting up server details and Backup Summary for configuring which emails are sent automatically.

SMTP Configuration 

This section allows Email server settings to be configured, including security settings.


Option: Description
Recipients' Email Addresses: A semicolon separated list of email addresses which status emails will be sent to.
Sender's Email Address: The email address the summary emails will be sent from.
Subject: Text which should be added to the subject line of each email - this can be used to help differentiate emails from multiple Site Manager installations.
SMTP Server: The address (DNS or IP) of the SMTP server to use for sending.
Connection Type and Port: The type of connection used by the SMTP server. Supported options are:

  • Plain Text
  • Secure Sockets (SSL/TLS)
  • Transport Layer Security (STARTTLS)

Authentication: The authentication method used by the SMTP server. Supported options are:

  • None
  • Auto-Detect
  • Challenge/Response Authentication (CRAM-MD5)
  • Secure Username/Password login (AUTH LOGIN)
  • Username/Password login (AUTH PLAIN)
  • Microsoft NT LAN Manager (NTLM)

Username and Password: The username and password for the SMTP server. If left blank, no username will be used.
Test Email: Sends a test message to the recipients entered in the test box. If there are errors in the send, they will be reported back.

Backup Summary

The summary section allows configuration of daily backup summary emails as below:

The options available are: 

Option: Description
Enable: This toggle can be used to turn summary emails on or off.
Email Subject: Subject of the email.
Send Time: The time when the daily email will be sent.
Select Columns: Which columns should appear in the summary email. Changes to this section are reflected in the email preview underneath.


A preview of the daily email with the selected columns is shown below the 



Slack

The Management Console supports sending notifications to Slack. Once configured, the types of notifications can be configured in the Notifications section, below.


Option: Description
Enable: Toggle this to enable/disable Slack notifications.
Slack Incoming Webhook URL: Webhook to use to post Slack messages. This can be configured in Slack management by creating a private app. See Slack Webhooks for more information.
Channel: Here you can specify which channel you wish to post to in Slack. You may wish to create a new channel in Slack for your notifications.
Test Notification: This button sends a test message to the Slack channel configured above.



Security

Here you can customize the various security options for the Management Console.


Access Restriction

This section controls how permissive Site Manager is with respect to who can access the dashboard and from where. Finer control is provided under the User Permissions section.

Option: Description
Authentication: Here you have the option to enable/disable the login prompt for new sessions connecting to the Management Console.

Session expiry time can also be set to ensure that if the Site Manager interface is left open in a web browser, it will automatically log out after a specified number of minutes being idle.

Network Access: Here you can restrict network access to the Site Manager web UI to the server computer only or allow other computers to connect.

User Permissions

Dialogs to manage login providers and Site Manager access permissions can be accessed here. The provider manager is used to create, configure and delete login providers and the permissions manager is used to set permissions for each provider. For more information see: Access Control

Connection Settings

This section allows you to configure HTTP/HTTPS connection settings for the Management Console. The defaults should be fine for most installations but you may wish to provide your own SSL credentials and possibly alter the ports if they conflict with other applications on your server.

The main choice here is whether you wish to use HTTPS or plain HTTP.

By default, Site Manager supplies a self-signed certificate for HTTPS operation. As this key is shared between all Site Manager installations, it should not be considered secure if the Site Manager server is exposed to the internet or in any sensitive deployment. In these cases, we recommend an alternate key is used.

The keys supplied must be in OpenSSL .PEM format.

Option: Description
Port: You can change the communication port for both HTTP & HTTPS independently.
Certificate path: You may wish to use your company SSL certificate to prevent browser warnings when using HTTPS.
Private key path: If you change the SSL certificate you will need to provide the matching Private Key file.
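
The certificate preparation described under Web Interface Access and in the Connection Settings above, as an added example that is not part of the Site Manager documentation: it converts a PKCS#12 bundle to PEM with the OpenSSL command line utility, checks that the private key matches the certificate, and flags a self-signed certificate. The function names, file names and the PFX_PASS environment variable are assumptions, and writing the key unencrypted assumes the server cannot prompt for a key passphrase.

```sh
#!/bin/sh
# Added example: convert a PKCS#12 bundle to the PEM files used for the
# Certificate path and Private key path settings, then sanity-check them.
# Function names, file names and PFX_PASS are assumptions for illustration.

# Split bundle $1 into PEM certificate $2 and PEM private key $3.
# The bundle password is read from the PFX_PASS environment variable.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys |
        openssl x509 -out "$2" || return 1
    # The key is written unencrypted, so create it readable by the owner only.
    ( umask 077
      openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes |
          openssl pkey -out "$3" )
}

# Return 0 if private key $2 belongs to certificate $1, 1 if it does not,
# 2 if either file cannot be parsed as PEM.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if subject and issuer are identical, as they are for a
# self-signed certificate such as the built-in default.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# SHA-256 fingerprint, for comparison with what a browser shows for the site.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: PFX_PASS=... sh prepare_cert.sh bundle.pfx cert.pem key.pem
if [ "$#" -eq 3 ]; then
    pfx_to_pem "$1" "$2" "$3" || { echo "conversion failed" >&2; exit 1; }
    cert_matches_key "$2" "$3" || { echo "key does not match certificate" >&2; exit 1; }
    if is_self_issued "$2"; then echo "warning: certificate is self-signed" >&2; fi
    echo "SHA-256 fingerprint: $(cert_fingerprint "$2")"
fi
```

Two Site Manager servers that report the same fingerprint are serving the same certificate, which is what happens when both still use the built-in default.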

Agent Security

This section contains additional security settings for Agent communications. It allows an additional passphrase to be set - using a passphrase means that once communication has been established with an agent on a remote computer, the remote computer will only communicate with Site Manager servers which have the same passphrase set. This is intended to prevent any rogue processes emulating a Site Manager server and gaining access to the agent on a remote computer. 

If a computer is added after previously having a passphrase set, the computer will be listed as Unauthorized in the computers list. To manage the computer, either the Site Manager server must have the correct passphrase, the passphrase on the agent must be changed (requires local administrator access to the computer), or a passphrase can be entered on the Site Manager server to allow one-off access.



Notifications

Here you can select which notifications appear in the User Interface, the Windows Event Log, over Slack or email (if configured). 

The options available are:

  • Update available - sent when a software update to the Management Console is available. 
  • Backup Start - sent when a backup has started to run on a managed computer
  • Backup Success - sent when a backup has completed successfully on a managed computer
  • Backup Fail - sent when a backup has completed unsuccessfully on a managed computer
  • Restore Start - sent when a restore has started to run on a managed computer
  • Restore Success - sent when a restore has completed successfully on a managed computer
  • Restore Fail - sent when a restore has completed unsuccessfully on a managed computer
  • Remote Sync Start - sent when a repository starts remote synchronization with another server
  • Remote Sync Success - sent when remote synchronization with another server succeeds
  • Remote Sync Fail - sent when remote synchronization with another server fails

Additionally, there are options to set whether relevant backup logs should be attached to emails and how many days without a backup should be allowed before the daily summary email warns that a computer is unprotected.

Warnings

The number of days a computer can go without backups before being added to the dashboard and daily status email as a computer with a warning is configurable here via the Backup expiry period setting.


System

The system section contains options for modifying the behavior of the overall system. The options available are as follows:

Server Name


Option: Description
Server Name: Allows a custom server name to be set. This server name will be shown in the title/tab bar of the browser, at the top of the CMC interface and in email subject lines.

This allows organisations with multiple CMC installs to easily tell them apart. The naming options are:

  • Do not display a name - this is the default setting
  • Display the server Computer name - uses the NetBIOS name of the server
  • Display a custom name - the name entered in the Custom Name field will be used

Configuration Transfer

This section has options for backing up, downloading and restoring the Site Manager configuration:

Option: Description
Archive: Update the configuration archive on the Site Manager server with the current Site Manager configuration. Once complete, the timestamp shown by the Download configuration option will be updated.
Import settings: Upload a previously created Site Manager configuration backup and apply the settings to this Site Manager server. The current Site Manager configuration will be overwritten.
Download configuration: Download the latest created archive in the browser. This can be used to provide a backup of Site Manager settings in case of server hardware error.

Log Retention

This section allows logs (both backup logs and event logs) to be automatically deleted after a number of days. This will only happen if the Keep Logs Forever option is unselected. 



Remote Management

The Remote Management section controls integration with Macrium MultiSite. If remote access is enabled and the HTTPS port configured in the Security section is exposed to the internet, the Site Manager can be managed by Macrium MultiSite.

The options in the Remote Management section are as follows:

Option: Description
Enable: Enables the remote management interface for Macrium MultiSite on the same port used for HTTPS access. This does not affect HTTPS access.
API Key: This key is required to authorize MultiSite to access the Site Manager.
Copy: Copies the API key to the clipboard to make transferring it easier.
Generate New Key: Generates a new API key, replacing the old key. Note that if this Site Manager is managed by Macrium MultiSite, the key must be updated in MultiSite for continued access.


The MultiSite Connection Status section will only appear if Remote Management is enabled. This section will show the current status of the Site Manager's connection to MultiSite. The Refresh button retries the MultiSite connection if there are issues. 


User Profiles

This section controls the per-user configuration of the Site Manager Dashboard and interface.

Option: Description
Reset dashboard layout: This option will restore the dashboard to the default layout, removing all widget layout and notification tile customization. This only applies to the currently logged in user.
Reset table layouts: This option will remove any changes to the table layouts on all Site Manager pages. This includes moving, hiding or sorting columns. This only applies to the currently logged in user.
Reset all layouts: Removes all customization for all users and resets Site Manager to default layout settings.



Agent

This section controls how Site Manager agents and remote agent installation work.

Option: Description
Install Settings - Quiet Agent Install: Setting this option will change the default install options for the remote agent install to install the agent without creating desktop or start menu shortcuts. Quiet install settings will only be updated on an agent when the remote install feature is used or the agent is upgraded through Site Manager.
Install Settings - Auto Update: If this option is set, the server will automatically update the agents when a new version is available.
Maximum Simultaneous Updates: This option specifies the number of updates that will be performed simultaneously.
Install Credentials: This option allows you to set credentials which will be used to install remote agents. This is useful if the majority of computers you wish to install agents on are on a domain which is not the same one used to log in to the Site Manager server.
Server Connection Details: Changing these fields while agents are connected causes the server to send the new details to the connected agents. When an agent receives the new details, it will drop the connection and try to reconnect to the server. If the agent is not able to reconnect, or if it wasn't connected when the details were changed, the details must be set manually on the agent via the Agent Config tool or remote install.
Server Connection Details - Server IP: Additional IP addresses the Agent should use to communicate with the Site Manager. Any IP addresses here will be tried before DNS name resolution or NetBIOS name resolution is attempted.
Server Connection Details - Server DNS: Additional DNS names the Agent should use to look up the Site Manager server IP address. Any DNS addresses here will be tried before NetBIOS name resolution is attempted.
Server Connection Details - TCP Port: The TCP/IP port used by Site Manager to communicate with Agents. If this is changed, the Site Manager server will update all connected Agents and restart.

Agent Server Connection

When installed via the Remote Install feature, Agents will automatically be configured with the NetBIOS name of the Site Manager server. The Agent will attempt to resolve the NetBIOS name to an IP address and connect to the Site Manager server.

Additional IP addresses or DNS names may be configured to allow Agents to connect. The Agent will try all IPs and names to connect to Site Manager until it finds one which works.


Network

This section contains options controlling how the Site Manager server accesses the internet.

Proxy Settings

A proxy server may be configured here. Site Manager will use this for all HTTP/HTTPS requests to the internet.

Option: Description
No Proxy: Site Manager will access the internet directly.
Manual Proxy Setup - Proxy Address: This is the address and type of the proxy server to use. The proxy type is selected from a dropdown (HTTP, HTTPS and SOCKS options).
Manual Proxy Setup - Proxy Port: Port of the proxy server.
Manual Proxy Setup - Proxy Username: Username used to authenticate with the proxy server.
Manual Proxy Setup - Proxy Password: Password used to authenticate with the proxy server.
Get Proxy Settings From Specific User: If account details for an account on the local domain or computer are entered here, the Site Manager server will attempt to read Internet Explorer proxy information from this user's profile on the Site Manager server.

Rescue Media

This section contains options controlling how Site Manager builds rescue media.

Working Directory

The Working Directory is the folder on the Site Manager server which is used as temporary space for Rescue Media building and to store the Rescue Media ISO images.

Option: Description
Working Directory: The path on the server to use for the Rescue Media working directory. This must be a local filesystem running NTFS.

If this directory is changed, the old directory will be left intact and must be deleted manually.

Test: Tests that the Rescue Media working directory is accessible and writable.

Export Drivers

Site Manager collects drivers needed to build Rescue Media from connected Agents. These drivers may be exported for use in disaster recovery by using the Export all Drivers or Export Selected Drivers options. This will copy all the drivers to the drivers\export folder in the Rescue Media working directory.

The Group extracted drivers by Agent Rescue Media configuration option places the exported drivers into subfolders based on the relevant Windows PE version for that computer - e.g. all computers which require Rescue Media based on Windows PE 10 64-bit will have their drivers exported to the drivers\export\PE10x64 folder. 

This can be useful when extracting drivers to create custom rescue media.
