Overview
The various forms of network communication in SiteManager Platform have some built-in security; this page describes the options for configuring them further.
Access Restriction
This section controls general access settings to SiteManager Platform including which network interfaces the SiteManager Platform user interface is available on and whether user login is required. More granular access control is provided under the 'User Permissions' section.
Option | Description |
---|---|
Allow Access to Site Manager without login | If enabled, any new connections to SiteManager Platform will allow direct access without a login. This may allow unauthenticated users access to the configuration and contents of backups and should only be used in a secure environment. |
Session will expire after X minutes | Session expiry time can be set so that if the SiteManager Platform interface is left open in a web browser, it will automatically log out after a specified number of minutes being idle. |
Network Access | Setting this to 'Site Manager accessible only from localhost' will make the SiteManager Platform interface only accessible from a web browser running on the server itself. Otherwise the interface is available from any IP address. |
Connection Settings
If the interface is exposed to a potentially insecure network or the internet, we recommend using HTTPS. When HTTPS is first enabled, a default self-signed certificate is used. This certificate is not recommended for use outside secure networks as it is shipped with every SiteManager Platform installation. Any certificate in OpenSSL .PEM file format can be used in place of the built-in certificate. If you have keys in a different format, the OpenSSL command line utility can convert a variety of formats. See https://www.openssl.org for details.
This section allows you to configure HTTP/HTTPS connection settings for the management console. The defaults should be acceptable for most installations but you may wish to provide your own SSL credentials and possibly alter the ports if they conflict with other applications on your server.
The keys supplied must be in OpenSSL .PEM format.
Different certificate management systems and providers use different names and file extensions to identify certificate files. The SiteManager Platform requires files using PEM format, under any file extension. These files can be identified by opening them in a text editor:
Valid certificate files will contain a Base64 encoded certificate in a section denoted by:
-----BEGIN CERTIFICATE-----
Valid private key files will contain a Base64 encoded key in a section denoted by:
-----BEGIN PRIVATE KEY-----
If both the certificate and key are in the same file, the same file should be specified for both fields in the SiteManager Platform configuration.
Option | Description |
---|---|
Port | The port used by the SiteManager Platform HTTP and HTTPS servers. |
Certificate path | The public certificate to be used by the internal SiteManager Platform HTTPS server. |
Private key path | The private key that matches the certificate specified in the 'Certificate Path' field. |
Private key passphrase | If the private key file requires a passphrase to use, it can be set here. |
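The text-editor check described above can be scripted before the paths are entered. The following is an added example, not SiteManager Platform code: it scans the files chosen for the certificate and private key fields for PEM blocks and reports a missing block, a non-Base64 body, or an encrypted key with no passphrase configured. Treating any label ending in `PRIVATE KEY` (for example `RSA PRIVATE KEY` or `ENCRYPTED PRIVATE KEY`) as a key block is an assumption, and the function names and sample data are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(data: bytes):
    """Return (label, encrypted, body_ok) for every PEM block in a file."""
    text = data.decode("ascii", errors="replace")
    found = []
    for label, body in PEM_BLOCK.findall(text):
        # PKCS#8 marks encryption in the label, legacy keys in a header line.
        encrypted = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
        # Header lines contain ':'; everything else must be Base64.
        b64 = "".join(l for l in body.splitlines() if l and ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
            body_ok = bool(b64)
        except ValueError:
            body_ok = False
        found.append((label, encrypted, body_ok))
    return found

def check_pair(cert_data: bytes, key_data: bytes, passphrase_set: bool):
    """List problems with the files chosen for the certificate and key paths."""
    certs = [b for b in pem_blocks(cert_data) if b[0] == "CERTIFICATE"]
    # Assumption: any "... PRIVATE KEY" label counts as a key block.
    keys = [b for b in pem_blocks(key_data) if b[0].endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("certificate file has no BEGIN CERTIFICATE block")
    if not keys:
        problems.append("key file has no PRIVATE KEY block")
    if any(not ok for _, _, ok in certs + keys):
        problems.append("a PEM block body is not valid Base64")
    if any(enc for _, enc, _ in keys) and not passphrase_set:
        problems.append("private key is encrypted but no passphrase is set")
    return problems

def _pem(label, headers=""):
    # Constructed sample: placeholder bytes, not real certificate or key data.
    body = base64.b64encode(b"constructed placeholder bytes").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n".encode()

SAMPLE_CERT = _pem("CERTIFICATE")
SAMPLE_KEY = _pem("PRIVATE KEY")
SAMPLE_ENC_KEY = _pem("ENCRYPTED PRIVATE KEY")
SAMPLE_LEGACY_ENC = _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
```

The check is structural only: it does not parse the certificate or confirm that the key matches it. A file with no PEM blocks at all is usually in a binary format and needs converting with the OpenSSL command line utility first.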
Agent Security
Communications between an agent and the SiteBackup server are always encrypted using 256-bit AES encryption. This happens automatically: key generation, negotiation, and encryption are all done without any additional configuration.
Additionally, a passphrase can be set in the SiteManager Platform settings. This passphrase is set on any successfully connected agent and prevents any other SiteBackup server from taking over that agent unless the new SiteBackup server has the same passphrase set.
This passphrase is intended for high integrity or untrusted environments that require a guarantee that only the SiteBackup server configured for an agent can access that agent.
If a passphrase has been set on an agent, it will fail to connect to a SiteBackup server that does not have the matching passphrase set. Reinstalling the agent will reset the passphrase.
If a computer is added after previously having a passphrase set, the computer will be listed as unauthorized in the computers list. To manage the computer, one of the following is required: the SiteBackup server must have the correct passphrase, the passphrase on the agent must be changed (this requires local administrator access to the computer), or a passphrase must be entered on the Site Manager server to allow one-off access.