This section is intended to discuss the security involved in Site Manager and show how these features and other features can be configured through the Site Manager interface.
User Settings - User Interface
This section controls the logged-in users' configuration of the Site Manager dashboard and interface.
| Option | Description |
|---|---|
| Reset dashboard layout | This option will restore the dashboard to the default layout, removing all widget layouts and notification tile customization. This only applies to the currently logged-in user |
| Reset table layouts | This option will remove any changes to the table layouts on all Site Manager pages. This includes moving, hiding, or sorting columns. This only applies to the currently logged-in user |
User Management - Roles, Users & Groups, Login Providers
The 'User Management' section of the Site Manager settings controls the users that can access Macrium Site Manager, the domains where these users are located, and the amount of access that these users have with pre-defined and custom role based permissions. For more information about configuring access control in Macrium Site Manager, see here.
System Settings
User Interface
This section controls the configuration of the Site Manager dashboard and interfaces for all users.
| Option | Description |
|---|---|
| Reset all layouts | Removes all customization for all users and resets Site Manager to default layout settings |
Security
The various forms of network communication in Site Manager have some built-in security with options for further configuring them.
Access Restriction
This section controls general access settings to Site Manager including which network interfaces the Site Manager UI is available on and whether user login is required. More granular access control is provided under the 'User Permissions' section.
| Option | Description |
|---|---|
| Allow Access to Site Manager without login | If enabled, any new connections to Site Manager will allow direct access without a login. This may allow unauthenticated users access to the configuration and contents of backups and should only be used in a secure environment. |
| Session will expire after X minutes | Session expiry time can be set so that if the Site Manager interface is left open in a web browser, it will automatically log out after a specified number of minutes being idle. |
| Network Access | Setting this to 'Site Manager accessible only from localhost' will make the Site Manager interface only accessible from a web browser running on the server itself. Otherwise the interface is available from any IP address. |
Connection Settings
If the interface is exposed to a potentially insecure network or the internet, we recommend using HTTPS. When HTTPS is first enabled, a default self-signed certificate is used. This certificate is not recommended for use outside secure networks as it is shipped with every Site Manager installation. Any certificate in OpenSSL .PEM file format can be used in place of the built-in certificate. If you have keys in a different format, the OpenSSL command line utility can convert a variety of formats. See https://www.openssl.org for details.
This section allows you to configure HTTP/HTTPS connection settings for the management console. The defaults should be fine for most installations but you may wish to provide your own SSL credentials and possibly alter the ports if they conflict with other applications on your server.
The keys supplied must be in OpenSSL .PEM format.
Different certificate management systems and providers use different names and file extensions to identify certificate files. The Site Manager server requires files using PEM format, under any file extension. These files can be identified by opening them in a text editor:
Valid certificate files will contain a Base64 encoded certificate in a section denoted by -----BEGIN CERTIFICATE-----
Valid private key files will contain a Base64 encoded key in a section denoted by -----BEGIN PRIVATE KEY-----
If both the certificate and key are in the same file, the same file should be specified for both fields in the Site Manager configuration
| Option | Description |
|---|---|
| Port | The port used by the Site Manager HTTP and HTTPS servers |
| Certificate path | The public certificate to be used by the internal Site Manager HTTPS server |
| Private key path | The private key that matches the certificate specified in the 'Certificate Path' field. |
| Private key passphrase | If the private key file requires a passphrase to use, it can be set here |
Agent Security
Communications between an agent and the Site Manager server are always encrypted using 256-bit AES encryption. This happens automatically, key generation, negotiation, and encryption are all done without any additional configuration. In addition, a passphrase can be set in the Site Manager. This passphrase is set on any successfully connected agent and prevents any other Site Manager from taking over that agent unless the new Site Manager has the same passphrase set.
The purpose of this passphrase is for use in high integrity or untrusted environments where a guarantee that only the Site Manager server that has been configured for that agent can access that agent is required.
If a passphrase has been set on an agent, it will fail to connect to a Site Manager which does not have the matching passphrase set. Reinstalling the agent will reset the passphrase.
If a computer is added after previously having a passphrase set, the computer will be listed as unauthorized in the computers list. To manage the computer, either the Site Manager server must have the correct passphrase, the passphrase on the agent must be changed (this requires local administrator access to the computer) or a passphrase can be entered on the Site Manager server to allow one-off access.
The Email section is divided into three subsections: 'SMTP Configuration' for setting up server details, 'Notification Email' for configuring where notifications (backup start, end, and others) are sent to, and 'Backup Summary' for configuring daily summary emails.
SMTP Configuration
This section allows Email server settings to be configured, including security settings.
| Option | Description |
|---|---|
| Sender's Email Address | The email address the summary emails will be sent from. |
| SMTP Server | The address (DNS or IP) of the SMTP server to use for sending. |
| Connection Type and Port | The type of connection used by the SMTP server. Supported options are: Plain Text Secure Sockets (SSL/TLS) Transport Layer Security (STARTTLS) |
| Authentication | The authentication method used by the SMTP server. Supported options are: None Auto-Detect Challenge/Response Authentication (CRAM-MD5) Secure Username/Password login (AUTH LOGIN) Username/Password login (AUTH PLAIN) Microsoft NT LAN Manager (NTLM) |
| Username and Password | The username and password for the SMTP server. If left blank, no username will be used. |
| Test Email | Sends a test message to the recipients entered in the test box. If there are errors in the send, they will be reported back. |
Notification Email
This section allows the recipients and subject to be specified for notification emails. These settings are applied to any notification emails sent according to the 'Notifications' section of the 'Settings'.
| Option | Description |
|---|---|
| Recipients' Email Addresses | Email addresses to send notification emails - may be a semicolon-separated list |
| Email Subject | Subject to be set on notification emails with optional variable input |
The email subject can be specified using replaceable parameters.
Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:
| Parameter | Description |
|---|---|
{$servername} | Name of the Site Manager server as specified in the 'System' page of the 'Settings'. |
{$date} | The date in YYYYMMDD format |
{$isodate} | ISO 8601 timestamp of the date - YYYY-MM-DD |
{$notificationtype} | The type of notification. Possible types are: Backup Successful Backup Failed Backup Started Intra-daily Backup Successful Update Found Testing Slack Testing Email Remote Synchronization Started Remote Synchronization Successful Remote Synchronization Failed Restore Started Restore Successful Restore Failed Disk Space Low Repository Uncontactable |
{$agent} | Name of the Agent that triggered the notification. |
{$definitionname} | Name of the backup definition that triggered the notification. |
{$schedulename} | Name of the schedule that triggered the notification. |
{$reponame} | Name of the repository being used. |
{$backuplevel} | The backup level. Can be one of the following: Full Differential Incremental |
{$backuptype} | The type of operating being performed. Can be: Image Image Restore File and Folder Backup File and Folder Restore Exchange Backup Exchange Restore SQL Backup SQL Restore Clone |
If a variable doesn't expand to anything and it's in a curly brace section, the whole curly brace section will be omitted. This can be used to hide extra spacing and text. For example, if the variable string below is used:
Notification - $notificationtype{ on computer $agent}
It will expand to "Notification - Backup Started on computer MYCOMPUTER" for a backup start notification and "Notification - Disk Space Low" for a disk space low notification.
Backup Summary
The summary section allows the configuration of daily backup summary emails as below:
The options available are:
| Option | Description | |
|---|---|---|
| Enable | This toggle can be used to turn summary emails on or off | |
| Recipients' Email Addresses | Email addresses to send notification emails - may be a semicolon-separated list | |
| Send Time | The time when the daily email will be sent | |
| Email Subject | Subject of the email with optional variable input | |
| Days To Send | The days when an email will be sent | |
| Select Columns | Which columns will appear in the summary email. Changes to this section are reflected in the email preview underneath | |
| Select Options | Additional options to appear in the summary email. Changes to this section are reflected in the email preview underneath | |
| Update Available | The email will state whether a Site Manager server update is available or not | |
| Remote Sync | Inserts an additional section and table summarising Remote Sync activity | |
| Unsuccessful Backup Details Only | The backup details table will only show information for failed backups. Successful backups are briefly summarised instead | |
| Computer Warnings | Additional section detailing all computer warning information available. | |
A preview of the daily email with the selected columns is shown below the settings.
The email subject can be specified using replaceable parameters. Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:
| Parameter | Description |
|---|---|
{$servername} | Name of the Site Manager server as specified in 'Settings' then 'System' |
{$date} | The date in YYYYMMDD format |
{$isodate} | ISO 8601 timestamp of the date - YYYY-MM-DD |
{$notificationtype} | This will be Backup Summary |
Slack
The management console supports sending notifications to Slack. Once configured, the types of notifications can be configured in the 'Notifications' section described below.
| Option | Description |
|---|---|
| Enable | Toggle this to enable/disable Slack notifications. |
| Slack Incoming Webhook URL | Webhook to use to post Slack messages. This can be configured in Slack management by creating a private app. See Slack Webhooks for more information |
| Channel | Here you can specify which channel you wish to post to in Slack. You may wish to create a new channel in Slack for your notifications. |
| Test Notification | This button sends a test message the the slack channel configured above. |
Notifications
Here you can select which notifications appear in the User Interface, the Windows Event Log, over Slack or email (if configured).
Notification types
| Event | |
|---|---|
| Update Available | Sent when a software update to the Management Console is available |
| Backup | |
| Backup Start | Sent when a backup has started to run on a managed computer |
| Backup Success | Sent when a backup has completed successfully on a managed computer |
| Include Stealth Intra-daily backups | This controls whether backup success emails should include intra-daily backups with the stealth option set. These backups do not create normal log files unless an error is encountered |
Backup Fail | Sent when a backup has completed unsuccessfully on a managed computer |
| Restore | |
| Restore Start | Sent when a restore has started to run on a managed computer |
| Restore Success | Sent when a restore has completed successfully on a managed computer |
| Restore Fail | Sent when a restore has completed unsuccessfully on a managed computer |
| Remote Sync | |
| Remote Sync Start | Sent when a repository starts remote synchronization with another server |
| Remote Sync Success | Sent when remote synchronization with another server succeeds |
| Remote Sync Fail | Sent when remote synchronization with another server fails |
| Repository | |
| Low Repository Disk Space | Sent when a repository has reached a low disk space |
| Repository Uncontactable | Sent when a repository isn't available to Site Manager |
Additionally, there are options to set whether relevant backup logs should be attached to emails and how many days without a backup should be allowed before the daily summary email warns that a computer is unprotected.
Warnings
The number of days a computer can go without backups before being flagged as having an error in the dashboard, computers page, and daily status email is configurable here via the 'Backup expiry period (days)' setting.
System
The system section contains options for modifying the behavior of the overall system. The options available are as follows:
Server Name
| Option | Description |
|---|---|
| Server Name | Allows a custom server name to be set. This server name will be shown in the title/tab bar of the browser, at the top of the Site Manager interface, and in email subject lines. This allows organizations with multiple Site Manager installs to easily tell them apart. The naming options are: Do not display a name - this is the default setting. Display the server Computer name - uses the NetBIOS name of the server. Display a custom name - the name entered in the 'Custom Name' field will be used. |
Support Information
This section allows the gathering of support information and uploading to Macrium servers or downloading as a zip file. It should only be used under the direction of Macrium Support.
Log Retention
This section allows logs (both backup logs and event logs) to be automatically deleted after a number of days. This will only happen if the 'Keep Logs Forever' option is unselected. This option will affect both the backup logs and event logs. An agent computer's copy of the backup logs will also be permanently deleted.
Any permanent deletion action on the agent backup logs will occur either at midnight (local time) or on the Site Manager service restarting. This is to reduce accidental changes applying instantly.
Macrium Image Guardian
This section provides convenient access to the Macrium Image Guardian installers. The installers can be used to install Macrium Image Guardian on Windows computers that host repositories separately to the Site Manager server. This article contains more information about Macrium Image Guardian.
Configuration Transfer
This section has options to backup, download, and restore the Site Manager configuration:
| Option | Description |
|---|---|
| Archive | Update the configuration archive on the Site Manager server with the current Site Manager configuration. Once complete, the timestamp shown by the 'Download configuration' option will be updated |
| Import settings | Upload a previously create Site Manager configuration backup and apply the settings to this Site Manager server. The current Site Manager configuration will be overwritten |
| Download configuration | Download the latest created archive in the browser. This can be used to provide a backup of Site Manager settings in case of server hardware error |
MultiSite
The MultiSite section controls integration with Macrium MultiSite for remote management of Site Manager. If MultiSite is enabled and the HTTPS port configured in the 'Security' section is exposed to the internet, Site Manager can be managed by Macrium MultiSite.
The options in the 'MultiSite' section are as follows:
| Option | Description |
|---|---|
| Enable | Enables the interface for Macrium MultiSite on the same port used for HTTPS access. This does not affect HTTPS access. |
| API Key | This key is required to authorize MultiSite to access Site Manager. |
| Copy | Copies the API key to the clipboard to make transferring it easier. |
| Generate New Key | Generates a new API key, replacing the old key. Note that if this Site Manager is managed by Macrium MultiSite, the key must be updated in MultiSite for continued access. |
The 'MultiSite Connection Status' section will only appear if MultiSite is enabled. This section will show the current status of the Site Manager's connection to MultiSite. The 'Refresh' button retries the MultiSite connection if there are issues.
Agent
This section controls how Site Manager agents and remote agent installation work.
Option | Description |
|---|---|
| Install Settings - Quiet Agent Install | Setting this option will change the default install options for the remote agent install to install the agent without creating a desktop or start menu shortcuts. Quiet install settings will only be updated on an agent when the remote install feature is used or the agent is upgraded through Site Manager |
| Install Settings - Auto Add Agents | Site Manager will automatically add agents to the computers table ('Backups' > 'Computers') on an agent's first established connection to Site Manager. Previously removed agents will not be auto-added. |
| Install Settings - Auto Update | If this option is set, the server will automatically update the agents when a new version is available. |
| Maximum Simultaneous Updates | This option specifies the number of updates that will be performed simultaneously. |
| Install Credentials | This option allows you to set credentials that will be used to install remote agents. This is useful if the majority of computers you wish to install agents on are on a domain that is not the same one used to log in to the Site Manager server |
| Server Connection Details | Changing these fields while agents are connected will cause the server to send the new details to the connected agents. When an agent receives the new details, it will drop the connection and try to reconnect to the server. If the agent is not able to reconnect or if it wasn't connected when the details were changed the details must be manually set on the agent via the AgentConfigTool or remote install |
| Server Connection Details - Server IP | Additional IP addresses the agent should use to communicate with the Site Manager. Any IP addresses here will be tried before DNS name resolution or NetBIOS name resolution is attempted. |
| Server Connection Details - Server DNS | Additional DNS names the agent should use to look up the Site Manager server IP address. Any DNS addresses here will be tried before NetBIOS name resolution is attempted. |
| Server Connection Details - TCP Port | The TCP/IP port that is used by Site Manager to communicate with Agents. If this is changed, the Site Manager server will update all connected Agents and restart. |
| Migrate Agents | This section allows agents to be moved from one Site Manager server to another - the selected agents will attempt to connect to the server using the NetBIOS, DNS, or IP addresses specified and if successful, the agent will connect to the new server and drop into the disconnected status on the current server. If the agent cannot contact a Site Manager server using the entered network details, they will remain connected to the current Site Manager server. |
Agent Server Connection
When installed via the remote install feature, agents will automatically be configured with the NetBIOS name of the Site Manager server, plus any details configured here. The Agent will try all connection details to connect to a Site Manager server.
Network
This section contains options controlling how the Site Manager server accesses the internet.
Proxy Settings
A proxy server may be configured here. Site Manager will use this for all HTTP/HTTPS requests to the internet.
| Option | Description |
|---|---|
| No Proxy | Site Manager will access the internet directly |
| Manual Proxy Setup - Proxy Address | This is the address and type of the proxy server to use. The proxy type is selected from a dropdown (HTTP, HTTPS and SOCKS options) |
| Manual Proxy Setup - Proxy Port | Port of the proxy server |
| Manual Proxy Setup - Proxy Username | Username used to authenticate with the proxy server |
| Manual Proxy Setup - Proxy Password | Password used to authenticate with the proxy server |
| Get Proxy Settings From Specific User | If account details for an account on the local domain or computer are entered here, the Site Manager server will attempt to read Internet Explorer proxy information from this user's profile on the Site Manager server. |
Rescue Media
This section contains the option to change the Site Manager rescue media 'Working Directory'.
The working directory is the folder on the Site Manager server which is used as temporary space for Rescue Media building and to store the rescue media ISO images.
| Option | Description |
|---|---|
| Working Directory | The path on the server to use for the rescue media working directory. This must be a local filesystem running NTFS. If this directory is changed, the old directory will be left intact and must be deleted manually. |
| Test | Tests that the Rescue Media working directory is accessible and writable. |
Daily Data Export
This section controls Site Manager's creation of a number of CSV files that can be exported on a daily basis to assist in auditing, third-party integration, or custom scripting.
The initial options allow the types of export to be selected and the export time. The export types are:
| Export Type | Description |
|---|---|
| Repository Contents | A list of backup images stored in each repository, along with type, path, and size information |
| Repository Usage | This generates two files - one with an overview of each repository, including status, path, free space, and space used by backups. The other file contains a breakdown of space used on each repository broken down by computer, including the number of backups and disk space usage changes since the last export. |
| Computers | A list of agent computers, along with status, last backup time, and other information from the Computers page. |
| Backup Data | A list of backups attempted in the last 24 hours, including success or failure |
| Event Log | The last 24 hours of the event log |
This section configures the file and folder information for the export. The credentials used to write the files can be controlled by specifying a username, password, and domain for the account. If left blank, the SYSTEM account on the Site Manager server is used.
The folder and file paths can be specified here using replaceable parameters - this allows a number of configurations, including creating each day's exports in the same place (overwriting old files), giving each day's export file a name based on the date, or placing each day's exports into a different subfolder.
Replaceable parameters are specified by starting them with a dollar character (and optionally surrounding them in curly braces) - {$example}. Available parameters are:
| Parameter | Description |
|---|---|
{$date} | The date in YYYYMMDD format |
{$time} | The time in hhmm format |
{$isodate} | ISO 8601 timestamp of the export time - YYYY-MM-DDThhmmss |
{$servername} | Name of the Site Manager server as specified in Settings → System |
{$exporttype} | Type of export. When exporting multiple export types, this should be used to prevent each export type from overwriting the other. Possible values are: Repository Contents Repository Status Repository Changes Computers Backup Data Event Log |
{$increment} | If a file already exists with the name generated, the export will overwrite the old file with the new one unless increment is used. Increment is a simple number that is incremented to create a unique file name for the export. For example, if the filename field is set to |