Source:Blocky4sesam Configuration

From SEPsesam
Revision as of 09:55, 17 November 2022 by Jus (talk | contribs) (Marked this version for translation)
Other languages:

Copyright © SEP AG 1999-2024. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.


Draft.png WORK IN PROGRESS
This article is in the initial stage and may be updated, replaced or deleted at any time. It is inappropriate to use this document as reference material as it is a work in progress and should be treated as such.
Docs latest icon.png Welcome to the latest SEP sesam documentation version 4.4.3 Beefalo/5.0.0 Jaglion. For previous documentation version(s), check Documentation archive.

Overview

Backup is a key area in enterprise ransomware protection, as cyber attacks usually aim to destroy backup data. With Blocky4sesam you choose reliable protection of your SEP sesam backups against Ransomware - secure, fully integrated and without excessive administration effort for your Windows RDS systems.

The ransomware protection is based on GRAU DATA's proven application whitelisting technologies (as recommended by the BSI). It is tailored specially for integration into SEP sesam backup solutions and prevents any modification of the data without explicit authorization. To identify authorized processes, Blocky uses the application fingerprint. Unauthorized access is also logged and reported to the administrator.

Prerequisites

  • For the minimum Si3 hardware requirements that apply to SEP sesam Si3 deduplication server, see Hardware requirements.
  • When estimating the maximum size of a deduplication store, you have to ensure that there is enough space available for dedup trash, otherwise the deduplication store will run out of space. You should calculate the required disk space based on a representative sample of your full backup and add the additional storage space equal to approximately 50% of the representative full backup.
  • Blocky4Backup requires the Windows GUI component installed on the Windows Server.

Supported operating systems and filesystems

Blocky4sesam supports the NTFS and ReFS filesystems.

The supported operating systems are:

  • MS Windows Server 2012 R2 Standard & Enterprise Edition
  • MS Windows Server 2016
  • MS Windows Server 2019

Configuration procedure

The configuration procedure of Blocky4sesam consists of the following general steps:

  1. Install Blocky4sesam.
  2. Prepare the RDS system.
  3. Set up the SEP Si3-NG deduplication store on the Blocky-controlled volume.

Security considerations

Sufficient protection can only be achieved by meeting the following security recommendations:

  • Disable remote access to the RDS system after setup. RDS should only be accessible over a local console.
  • Close all irrelevant ports on the RDS system. Consider using advanced network security.
  • The RDS system should not be a domain member.
  • Open the Blocky GUI only when performing administrative tasks (for example, licensing or setup). Close the GUI immediately after your work is done.

For more information and additional recommendations see Ransomware Protection Best Practices.

Installing Blocky4sesam

Install and configure your SEP sesam RDS. Download the Blocky4sesam extension module from SEP Download Center, unpack the installation package and install Blocky4sesam.

Information sign.png Note
The Blocky4BackupAdminGuide.pdfdocument is part of the installation package. You can check the Blocky4Backup Administration Guide for more details on installation procedure.

When the installation is complete, launch the Blocky GUI and set up the password.

Preparing the RDS system

To ensure the full functionality of the sesam Si3-NG deduplication store, the Java interpreter used by sesam's sds service needs to be whitelisted for Blocky.

Because other components might be using the Java interpreter, a dedicated Java interpreter should be created only for SEP sesam use. To enhance security on the RDS system, access to the dedicated Java interpreter must be restricted.

To prepare the SEP sesam RDS and configure the Java interpreter:

  1. Run the <SESAM_VAR>\ini\sm_prof.ps1 as Administrator to launch the PowerShell terminal with sesam profile.
  2. Run the following commands:
    >ini
    >$interpreter=(Get-Content sm.ini | findstr java_interpreter ).SubString(17) 
    >$path_only=($interpreter.TrimEnd('\java.exe')) 
    >copy $interpreter $path_only\sdsj.exe 
    >echo $path_only
    
  3. In the File Explorer go to the folder printed out by the echo $path_only command.
  4. Right-click the file sdsj.exe and click Properties.
  5. In the Security tab click Advanced and then click Change permissions.
  6. Click Disable inheritance and then select the option Convert inherited permissions into explicit permissions on this object.
  7. Make sure the user SYSTEM has file ownership and then remove all permission entries except the one dedicated to the user SYSTEM. Click OK.
    Blocky4sesam file ownership.jpg Blocky4sesam removing permissions.jpg
  8. Log into Blocky GUI and in the menu bar click Whitelisting and then Whitelist Programs. Browse to the location of the sdsj.exe file and add it to the whitelist.
    Blocky4sesam file whitelisting.jpg
  9. Open the config file <SESAM_VAR>\ini\sm.ini using a text editor and change the java_interpreter parameter in section [JAVA] from <JAVA_HOME>\java.exe to <JAVA_HOME>\sdsj.exe. For example:
    Before:
    	[JAVA]
    	java_interpreter=C:\Program Files\ojdkbuild\java-11-openjdk-11.0.15-1\bin\java.exe
    

    After:

    	[JAVA]
    	java_interpreter=C:\Program Files\ojdkbuild\java-11-openjdk-11.0.15-1\bin\sdsj.exe
    
  10. Restart the SEP sesam service on the RDS server.

Setting up the SEP Si3-NG deduplication store on the Blocky-controlled volume

To set up the Blocky data store in SEP sesam GUI first create a new SEP Si3 NG deduplication store and then create a dedicated media pool with required retention period:

  1. In the Main Selection -> Components, click Data Stores to display the data store contents frame.
  2. From the Data Stores menu, select New Data Store. A New Data Store dialog opens:
    • From the Store Type drop-down list, select SEP Si3 NG Deduplication Store.
    • From the Device Server drop-down list, select the Blocky4sesam RDS for your data store.
    • In the Path field, enter the location of your Blocky4sesam data store or use the Browse button to select it. Click OK.
    Blocky4sesam datastore.jpg
  3. From Main Selection -> Media Pools, click New Media Pool. The New Media Pool dialog opens.
  4. Specify the name, drive group and retention period of the media pool, and other fields as required.
    Blocky4sesam media pool.jpg
  5. In the data store contents frame, right-click your Blocky data store and click Properties.
  6. In the Drives list, double-click the first drive to open the Drive Properties window.
  7. In the Options field, enter -o use_blocky. This drive option enables the deduplication store to run in a Blocky compatible mode and ensures correct behavior during drive configuration. Click OK.
    Blocky4sesam drive options.jpg
  8. Run a test backup on your newly created deduplication store. For more details, refer to Run a test backup on Si3 NG.
  9. Log in to Blocky GUI and enable Access Control for the volume where your newly created SEP Si3_NG deduplication store resides. For more detailed instructions refer to the Blocky4Backup Administration Guide.
    Blocky4sesam access control.jpg

Licensing

To activate your license for the Blocky-controlled volume where your deduplication store is running, you should have received a Capacity-ID. If you purchased Blocky4Sesam for multiple RDS servers, you should have received a Capacity-ID for each instance purchased. In this case repeat the following procedure for every server and corresponding Capacity-ID.

  1. Launch Blocky GUI on Blocky RDS and type in your password.
  2. In the upper menu bar click License and then Request License.
    Blocky4sesam request license.jpg
  3. In the popup window select the volume for which you want to activate your license and click OK.
  4. Enter your Capacity-ID and click OK.
  5. Follow the wizard to complete the licensing procedure. For more details refer to the Blocky4Backup Administration Guide.

See also

Standard Backup ProcedureBackup to S3 Cloud StorageBackup to Azure StorageStandard Restore ProcedureRestore Assistant