Did you hear?

Metallic™ solutions are now available across the EMEA region. Learn how Metallic can help customers support data sovereignty, GDPR compliance efforts and more.

Documentation

Metallic Documentation

No matter where your data is or where you want to store it, Metallic has a solution.


Going to the Hub

Go to the Hub for an overall picture of the health of your Metallic environment. The Hub is also the place to configure new data sources to back up.

Procedure

  1. Go to login.metallic.io and log in. The Hub appears.
  2. To determine the health of the environment, select from the following tabs, and then review the information in the tiles:
    • Metallic Core
    • Office 365
    • Endpoints
  3. To back up a new data source, in the upper-right corner of the page, from the New Configuration list, click the type of data that you want to back up, and then follow the instructions in the guided setup.

Use cases

Data sourceData source locationBackup storage location
File servers SQL serversCloudCloud
File servers Endpoints SQL servers Virtual machinesOn-premisesCloud On-premises On-premises and cloud
Office 365: Exchange OneDrive SharePointCloudCloud

To learn more about choosing a storage option, see All about storage.


Creating an administrator

You can create additional administrators for Metallic. When you set up Metallic, one administrator account is automatically created. If you use the Endpoint application and need to authenticate laptop and desktop users, see Endpoint tasks.

Procedure

  1. From the navigation pane, go to Security > Users.The Users page appears.
  2. In the upper right corner of the page, click Add user. The Add user dialog box appears.
  3. Next to User type, click Local user, and then provide the user information.
  4. From the User group list, select Tenant Admin.
  5. Decide how to create the password for the user:
    • To auto-generate a password for local users, select the Use system generated password check box.
    • To manually set a password for the user, in the Password box and the Confirm password box, type a password.
  6. Click Save.

Configuring identity provider

To authenticate users with SAML, configure an identity provider. Common SAML identity providers include AD FS, Azure, and Okta.

Note: The direct access method for Active Directory is not supported.


Using Azure Active Directory as Your Identity Provider

Azure Active Directory (Azure AD) is a third-party identity provider (IdP) that can act as the IdP when your users log on to Metallic. Metallic is the service provider (SP).

To integrate with Azure AD, add a SAML application in your Azure AD account and in Command Center. Metadata from the Azure application (IdP) and the Command Center application (SP) are shared during this process.

Before You Begin

You must have the Azure Active Directory Premium P1 or Premium P2 edition. For information, go to the Microsoft Azure Active Directory documentation.

Step 1: Creating an Application in the Azure Portal

  1. Go to the Microsoft Azure portal.
  2. From the navigation pane, go to Azure Active Directory > Enterprise applications, and then click New application ( ).
  3. Under Add an application, click the Non-gallery application tile.
  4. Enter a name for the application, and then click Add.
  5. Review the overview, and complete the following steps required by Microsoft: Assign a user for testing and Create your test user in test.
  6. From the navigation pane, click Single sign-on, and then click the SAML tile. The SAML-based Sign-on page appears.
  7. In the SAML Signing Certificate section, next to Federation Metadata XML, click the Download link. The federated metadata file that you download is the IdP metadata file that you will upload to Metallic.
Screenshot of where the Federation Metadata XML download appears in the SAML Signing Certificate section
  1. Remain on the SAML-based Sign-on page. The SP metadata file that you will create in Metallic must be uploaded to your Azure application from the SAML-based Sign-on page.

Step 2: Adding a SAML Application in Metallic

  1. From the navigation pane, go to Manage > Security > Identity server. The Identity servers page appears.
  2. In the upper-right corner of the page, click Add. The Add domain dialog box appears.
  3. Click SAML.
  4. In the Domain name box, enter an application name.
  5. In the SMTP address box, enter the SMTP address.
  6. Upload the IdP metadata:
    1. Next to the Upload IDP metadata box, click Browse.
    2. Browse to the location of the XML file that contains the IdP metadata, select the file, and then click Open.
  7. Review the value in the Webconsole url box. This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.
  8. To digitally sign the SAML message, move the Auto generate key for digital signing of SAML messages toggle key to the right.
  9. Click Save. The SP metadata file is generated and the IdP metadata is saved, and the Identity servers page appears.
  10. In the Name column, click the identity server. The identity server properties page appears.
  11. In the upper-right of the page, click Download SP metadata. The name of the file that is downloaded begins with SPMetadata. The SP metadata file must be uploaded to the Azure application.
  12. In the General section, copy the value in the SP Entity ID box and the Single sign on url box. These values are required in the Azure application.

Step 3: Uploading the Metadata to the Azure Portal

  1. In the Microsoft Azure portal, on the SAML-based Sign-on page, click Upload metadata file.
  2. Upload the SP metadata file created in Command Center.
  3. In the Basic SAML Configuration section, click Edit.
  4. In the Identifier (Entity ID) box, paste the entity ID that you copied from the SAML app in Command Center. This is the value from the SP Entity ID box.
  5. In the Reply URL (Assertion Consumer Service URL) box, paste the single sign-on URL that you copied from Command Center. This is the value from the Single sign on url box.
  6. Click Save.
  7. Under User Attributes & Claims, in unique User Identifier box, select user.userprincipalname.

Using Okta as Your Identity Provider

Okta is a third-party identity provider (IdP) that can act as the IdP when your users log on to Metallic. Metallic is the service provider (SP).

To integrate with Okta, add a SAML application in your Okta account and in Command Center. Metadata from the Okta application (IdP) is shared with the Command Center application (SP) during this process.

Step 1: Creating an Application in Okta

  1. Log on to your Okta account. You will create a new application using SAML 2.0 as the sign on method.
  2. Follow the wizard for the general settings.
  3. Under Configure SAML > SAML Settings, in the Single sign on URL box and the Audience URI (SP Entity ID) box, enter the URL for the Web Console using the following format: https://mycompany:443/webconsole.
Screenshot of the Single sign on & Audience boxes on the Okta configuration screen
  1. From the Name ID format list, select Email Address.
  2. Continue to follow the wizard and accept the default values.
  3. Click Finish.
  4. Open the application, and then click Sign On.
Sign on Methods screen
  1. Under the View Setup Instructions button, click Identity Provider metadata, and then save the IdP metadata file as an XML file.

    The identity provider metadata file that you save is the IdP metadata file that you will upload to Metallic.
  2. Keep your Okta account open.

    The value in the Single sign on URL box in Okta must be updated after a new URL is created in Metallic.

Step 2: Adding a SAML Application in Metallic

  1. In the upper-right corner of the page, click Add. The Add domain dialog box appears.
  2. Click SAML.
  3. In the Domain name box, enter an application name.
  4. In the SMTP address box, enter the SMTP address.
  5. Upload the IdP metadata:
    1. Next to the Upload IDP metadata box, click Browse.
    2. Browse to the location of the XML file that contains the IdP metadata, select the file, and then click Open.
  6. Review the value in the Webconsole url box. This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.
  7. To digitally sign the SAML message, move the Auto generate key for digital signing of SAML messages toggle key to the right.
  8. Click Save. The Identity servers page appears.
  9. In the Name column, click the identity server. The identity server properties page appears.
  10. In the General section, copy the value in the Single sign on url box. This value must be updated in Okta.

Step 3: Update the Single Sign-on URL in Okta

  • In your Okta account, under Configure SAML > SAML Settings, in the Single sign on URL box, paste the URL that you copied from Command Center. This is the value from the Single sign on url box.

Step 4: Optional Okta Configurations

  1. To configure single logout in Okta, complete the following steps:
    1. From the generated SP metadata XML file, copy the following information:
      • SP EntityId
      • SingleLogoutService location with POST binding
    2. To download the signature certificate, log on to Command Center, and then in your web browser, type the SAML App URL in the following format: https://webconsole_hostname/adminconsole/downloadSPCertificate.do?appName=URL encoded SAML app name Example: https://company.com/adminconsole/downloadSPCertificate.do?appName=app%20Name
    3. Press Enter.
    4. In your Okta account, under General > Advanced Settings, select the Enable Single Logout box.
    5. In the Single Logout URL box, type the SingleLogoutService location that you copied from the SP metadata XML file.
    6. In the SPIssuer box, type the entityID that you copied from the SP metadata XML file.
    7. In the Signature Certificate box, upload the certificate that you downloaded from the SAML app URL.
  2. To assign other Okta users access to your Okta account, complete the following steps:
    1. In your Okta account, under Assignments, click Assign, and then select one of the following options:
      • To assign individual Okta users, click Assign to People.
      • To assign a user group, click Assign to Groups.
    2. Select the user or group that you want to assign, and then click Add.
  3. To assign domain users based on Okta’s user groups SAML attribute, complete the following steps:
    1. In your Okta account, under Group Attribute Statements, click Add.
    2. In the Name box, type user_groups.
    3. In the Filter box, assign filters as required. For example, to assign users from a user group name that starts with “domain users”, select Starts With, and then type domain users.
    4. Preview the SAML assertion and verify that your IdP response XML includes the user group attribute. For example: <saml2:Attribute Name=”user_groups” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified”>
        <saml2:AttributeValue
      xmlns:xs=”http://www.w3.org/2001/XMLSchema”
      xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:type=”xs:string”>GroupName Match Starts with “domain users” (ignores case)
      </saml2:AttributeValue>
      </saml2:Attribute>
    5. In Command Center, map Okta’s user_group SAML attribute with the user group user attribute.

Security and compliance

Metallic is committed to ensuring the security of your data at every level. Metallic is built on Microsoft Azure, the cloud platform leading the industry in compliance with over 90 certifications.

Commvault Systems, Inc. is also an ISO.IEC 27001:2013 certified provider whose Information Security Management System (ISMS) has received third-party accreditation from the International Standards Organization. The scope of our ISO/IEC 27001:2013 certification includes the Commvault offering Metallic.

A-lign, an independent, third-party auditor, found Metallic to have technical controls in place and formalized IT Security policies and procedures. A-lign is an ISO / IEC 27001 certification body accredited by the ANSI-ASQ National Accreditation Board (ANAB) to perform ISMS 27001 certifications.


GDPR

Metallic supports our customers’ compliance with the General Data Protection Regulation (GDPR). For information about Metallic and GDPR compliance, see GDPR readiness with Metallic.

Core

To store data in a cloud, use your own cloud or use the Metallic cloud. To store data on-premises, configure a backup gateway. Data can be stored directly on the backup gateway, or you can access other resources by using a UNC path.

Data flow

Data flow diagram

All about storage

Deciding where to store your data doesn’t have to be hard. You can choose to back up to an on-premises server, to the cloud, or to a combination of both.

Let’s look at the benefits and considerations for all of the options.

On-premises storage

Restoring data from an on-premises server is as fast as your own network.

Benefits of on-premises storage:

  • Fast recovery
  • No charge for moving data
  • You know exactly where your data is

Considerations for on-premises storage:

  • You must manage your storage infrastructure
  • Adding or upgrading storage requires planning and money

Cloud storage

Storing data in the cloud gives you the flexibility to scale up or down depending on your storage needs.

Benefits of cloud storage:

  • Easy to scale
  • No infrastructure management

Considerations for cloud storage:

  • Slower recovery
  • Depending on the agreement with the cloud provider, there could be charges associated with restoring data

Related topics

Backup gateway requirements

Cloud storage requirements


Backup gateway requirements

The on-premises backup gateway functions as a gateway between the on-premises data source and the cloud backup service. If you want to use on-premises backup storage, you can store a copy of your data on the on-premises backup gateway.

Important: The on-premises backup gateway must be able to connect to the Metallic Backup Service and must be able to access the servers that need to be backed up.

Data flow

Data flow diagram for on-prem servers

Hardware requirements

Install the backup gateway package on a server that meets the following minimum requirements.

Requirements1TB/10VMs3TB/30VMs10TB/100VMs30TB/300VMs
CPU2 vCPUs2 vCPUs2 vCPUs4 vCPUs
RAM8 GB16 GB16 GB32 GB
Disk: Operating system and program files (SSD recommended)300 GB, 200 IOPS500 GB, 250 IOPS1 TB, 250 IOPS3 TB, 500 IOPS
Disk: On-premises copy (30 days retention maximum)2 TB, any IOPS6 TB, any IOPS20 TB, any IOPS60 TB, any IOPS

Network requirements

  • TCP 443 outbound must be open for network access to backup service hosts and storage services (*.metallic.io).
  • To back up VMware servers, the backup gateway must be able to access the VMware environment and components:
    • vCenter: Port for web service (default: 443) must be opened. If vCenter is configured to use non-default ports, the non-default ports must also be opened.
    • ESX Server: Ports for web service (default: 443) and TCP/IP (default: 902) must be opened for the vStorage APIs for data protection.
  • To back up Hyper-V virtual machines (VMs), the Metallic VM proxy must be able to access the backup gateway on the port for the web service (default: 443).

Sizing

Requirements1TB/10VMs3TB/30VMs10TB/100VMs30TB/300VMs
Network interface card1 Gbps NIC1 Gbps NIC10 Gbps NIC2 10 Gbps NIC
Available internet bandwidth requirements30 Mbps100 Mbps1 Gbps3 Gbps

Supported operating systems

The following operating systems are supported:

  • Microsoft Windows Server 2019 Editions
  • Microsoft Windows Server 2012 R2 Editions
  • Microsoft Windows Server 2012 Editions
  • Microsoft Windows Server 2016 Editions
  • Microsoft Windows Client 10 Editions

Cloud storage requirements

To store data in a cloud, use your own cloud or use the Metallic cloud.

Data flow

Data flow diagram for cloud servers

Supported providers

The following clouds are supported:

  • AWS
  • Azure

Requirements for backing up Hyper-V servers

Review the following requirements if you want to back up on-premises Hyper-V servers.

To backup on-premises data, a backup gateway is required. To review the requirements for the backup gateway, see Backup gateway requirements.

Hyper-V deployment model

To back up Hyper-V virtual machines (VMs), Metallic VM proxy for Hyper-V must be installed on each Hyper-V host in the cluster. The Metallic VM proxy for Hyper-V communicates on TCP port 443 with the Metallic backup services hosted in the cloud and with the Metallic backup gateway.

Best Practice: Install the Metallic VM proxy for Hyper-V and the Metallic backup gateway on the same local network for the best backup and recovery performance. Using this configuration, options for both local and cloud backup copies are available.

Authenticating to Hyper-V

  • Obtain the user credentials to access the Hyper-V server from your Hyper-V administrator. The user must be part of the following administrator groups on the Hyper-V host:
    • Local Administrators group (for Hyper-V Server 2008 R2 and Hyper-V Server 2016)
    • Any user that are part of Hyper-V Administrators group (for Hyper-V Server 2012 and 2012 R2)
    For a Hyper-V cluster, the user account must have full Cluster Permissions (Read and Full Control).

Physical machine operating systems

  • Microsoft Windows Server 2019 (including Core Edition)
  • Microsoft Hyper-V Server 2019 (including Core Edition)
  • Microsoft Windows Server, version 1709 (including Core Edition)
  • Microsoft Hyper-V Server, version 1709 (including Core Edition)
  • Microsoft Windows Server 2016 (including Core Edition)
  • Microsoft Hyper-V Server 2016 (including Core Edition)
  • Microsoft Windows Server 2012 R2 (including Core Edition)
  • Microsoft Hyper-V Server 2012 R2 (including Core Edition)
  • Microsoft Windows Server 2012 (including Core Edition)
  • Microsoft Hyper-V Server 2012 (including Core Edition)
  • Microsoft Windows Server 2008 R2 SP1

Virtual machine operating systems

All guest operating systems supported by Microsoft Hyper-V.

Hyper-V integration services

To back up the virtual machines on a Hyper-V server or cluster, Hyper-V integration services must be installed and updated on the virtual machine.

Hard drive

100 GB is recommended.

Allocation unit size of the NTFS volumes

The cluster size or the allocation unit size of an NTFS volume in a virtual machine must be multiple of 1024 bytes. You can set the cluster size before formatting a volume. The default cluster size is 4096 bytes.

Microsoft Visual C++

The following Redistributable Package is installed automatically. The Redistributable Package can co-exist with other versions of this software.

  • Microsoft Visual C++ 2010 Redistributable Package
  • Microsoft Visual C++ 2013 Redistributable Package
  • Microsoft Visual C++ 2017 Redistributable Package

Disclaimer

Third-party maintenance (minor) releases or service packs that are supported by the Commvault software may not be listed in our System Requirements. When possible, Commvault provides information on any known issues related to these minor releases or service packs. In some cases, these minor releases or service packs affect how the Commvault software works. Commvault software may experience changes in functionality as the result of the third-party minor release or service pack. These changes are beyond the control of Commvault. Platforms that are supported in the current version of Commvault software may not be supported in earlier versions of the software. Contact your software provider to ensure that third-party minor releases or service packs are compatible with the Commvault software.

Additional considerations regarding minimum requirements and End-of-Life policies from third-party vendors also apply.


Requirements for backing up VMware servers

Review the following requirements if you want to back up on-premises VMware servers.

To backup on-premises data, a backup gateway is required. To review the requirements for the backup gateway, see Backup gateway requirements.

VMware vCenter Server Support

The following versions are supported for vCenter Server and vCenter Server Appliance. vCenter Server support includes support for vSphere, Virtual Disk Development Kit (VDDK), ESX or ESXi, and file system versions as provided by the vCenter version.

For more information, see Correlating build numbers and versions of VMware products (1014508).

As a general rule of thumb, each version of the VDDK supports vCenter Server for the two previous major versions and for the next minor version. For example, VDDK 6.0.0 can be used with vCenter Server 5.5, 5.1, or 6.0 Update 1.

When VMware issues new versions or updates, Metallic tests against the current service pack before announcing support. For new VMware versions or updates released between Metallic service packs, and for earlier supported versions or service packs, Metallic provides continuing support, including Hot Fixes as needed to address VMware changes to functions that affect backup and recovery.

vCenter Server Version

  • 6.7 Update 3 (all minor updates)
  • 6.7 Update 2 (all minor updates)
  • 6.7 Update 1 (all minor updates)
  • 6.7 (all minor updates)
  • 6.5 Update 3 (all minor updates)
  • 6.5 Update 2 (all minor updates)
  • 6.5 Update 1 (all minor updates)
  • 6.5 GA (all minor updates)
  • 6.0 Update 3 (all minor updates)
  • 6.0 Update 2 (all minor updates)
  • 6.0 Update 1 (all minor updates)
  • 6.0 GA (all minor updates)
  • 5.5 Update 3 (all minor updates)
  • 5.5 Update 2 (all minor updates)
  • 5.5 Update 1 (all minor updates)
  • 5.5 GA (all minor updates)
  • 5.1 (all updates)
  • 5.0 (all updates)
  • 4.1 (all updates)

Note: If VMs are part of ESX 4.1, then streaming and IntelliSnap backups are supported only through the vCenter. You cannot use a standalone ESX 4.1 server.

ESX Host Support

Before configuring backup of any ESXi servers, ensure that you are using Essentials licensing level or higher. The vStorage APIs for Data Protection (VADP) are not provided with the free version of ESXi.

VDDK Support

Metallic includes the latest supported VDDK. Multiple versions of the VDDK are included, and the appropriate VDDK for the vSphere version is loaded automatically when required.

vCenter Server Versions Required for Specific Features

Some features are supported only for more recent versions of vCenter Server. The following table shows the required versions for features that are dependent on the version of vCenter Server and associated software. Support includes all updates for each major version unless an update is specifically excluded.

FeatureRequired Version of vCenterServer
Agentless file restores5.1, 5.5, 6.0, 6.5, 6.7
File Recovery Enabler for Linux4.1, 5.1, 5.5, 6.0, 6.5, 6.7

Virtual Machine Hardware

Version 4.0, 7.0, 8.0, 9.0, 10.0, 11.0, 13.0, 14.0, 15.0

Virtual Machine Operating Systems

All Guest Operating Systems supported by VADP.

Datastore Support

  • Network File System (NFS)
  • Virtual Machine File System (VMFS)
  • Virtual storage area network (vSAN)
  • VMware Virtual Volume (VVol)

VMware Tools on Virtual Machines

The latest version of VMware Tools supported by the host should be installed on each virtual machine. At a minimum, the version of VMware tools on virtual machines must be supported on the host; unsupported versions must be upgraded. For more information about VMware Tools support for Windows and Linux guest VMs, see the VMware Compatibility Guide.

open-vm-tools

For UNIX guest VMs running the following operating system releases, open-vm-tools can be used:

  • Fedora 19 and later
  • Debian 7.x and later
  • openSUSE 11.x and later
  • Recent Ubuntu (12.04 LTS, 13.10 and later)
  • Red Hat Enterprise Linux 7.0 and later
  • CentOS 7.0 and later
  • Oracle Linux 7.0 and later
  • SUSE Linux Enterprise 12 and later

For more information, see VMware support for open-vm-tools (2073803).

Allocation Unit Size of NTFS Volumes

The cluster size or the allocation unit size of an NTFS volume in a virtual machine must be multiple of 1024 bytes per cluster. You can set the cluster size before formatting a volume. The default cluster size is 4096 bytes per cluster.

Disclaimer

Third-party maintenance (minor) releases or service packs that are supported by the Commvault software may not be listed in our System Requirements. When possible, Commvault provides information on any known issues related to these minor releases or service packs. In some cases, these minor releases or service packs affect how the Commvault software works. Commvault software may experience changes in functionality as the result of the third-party minor release or service pack. These changes are beyond the control of Commvault. Platforms that are supported in the current version of Commvault software may not be supported in earlier versions of the software. Contact your software provider to ensure that third-party minor releases or service packs are compatible with the Commvault software.

Additional considerations regarding minimum requirements and End-of-Life policies from third-party vendors also apply.


Transport Modes for VMware

By default, the transport mode is selected automatically for backups and restores, based on the gateway used and the virtual machines being backed up or restored. You can force a specific transport mode by configuring it.

The following transport modes are available in VMware. Advanced transport methods (HotAdd) replace the proxy-based VMware Consolidated Backup (VCB) solution.

  • SAN (storage area network) – SAN mode is supported for directly connected storage using Fibre Channel (FC) or Internet SCSI (iSCSI) protocols. With automatic transport mode selection, SAN mode is selected if SAN storage is connected to the ESX host. The Virtual Server Agent must have access to the datastore LUNs (logical drives) that provide storage for virtual machine disks. Data is read directly from the storage where virtual machines reside, without going through the ESX host or transferring data over the local area network (LAN). The ESX host is contacted only to coordinate access to the LUN.
  • HotAdd – In HotAdd mode, software is installed on a virtual machine residing on an ESX Server. The term HotAdd refers to the way the backups are completed. In HotAdd mode, virtual disks from the virtual machines being backed up are automatically mounted to the gateway, so they can be accessed by the gateway as local disks. The ESX host the gateway is running on must have access to all datastores for the virtual machine. If the virtual machine and the gateway are not on the same host, all datastores must be shared between the hosts. In vSphere 5.0, the SCSI HotAdd feature is enabled only for vSphere editions Enterprise and higher, which have Hot Add licensing enabled. No separate Hot Add license is available for purchase as an add-on. In vSphere 4.1, Hot Add was also enabled in the Advanced edition. Customers with vSphere Essentials or Standard editions are not able to perform proxy-based backup, which relies on SCSI HotAdd. Those customers must use alternate transport modes.
  • Local Area Network (NBD and NBDSSL) – NBD (network block device) and NBDSSL (encrypted NBD) transmit data over the TCP/IP connection between the ESX server and the gateway computer. NBD serves as a fallback when other transport modes are not available. The local area network (LAN) can be the production network or a dedicated backup network. NBDSSL is similar to NBD mode, but data transfer between the gateway computer and the ESX server is encrypted. Encryption should be used for sensitive information, even within a private network.

SAN and HotAdd transport can enable LAN-free backups and restores. In most scenarios, backups and restores using SAN and HotAdd transport are faster than local area network (LAN) operations using network block device (NBD) or secure NBD (NBDSSL).

SAN restores using thin disk provisioning can be slower than LAN restores; performance can be improved by using NBD or by setting the transport mode to SAN and forcing the disk type to thick, which uses eager zero provisioning.

The following table summarizes the configurations based on the storage type.

ModeDatastore Storage TypeVM Data Protected by Single NodeAdditional Comments
LAN Free SAN modeVMFS using Fibre Channel or iSCSIUp to 40 TBSoftware installed on the same physical computer with direct connection to datastore.

Eliminates data transfer over network during backup and restore. Provides best backup and restore performance.
LAN Free HotAdd modeVMFS, NFS, vSAN, VVolUp to 30 TBSoftware installed on virtual machine running on host with access to datastore.

Eliminates data transfer over network during backup and restore.
Network based (NBD, HotAdd, NAS)VMFS, NFS, vSAN, VVol, direct attached storageSoftware installed on different computers. The software writes over the network to a remote computer.

Depends on infrastructure.

Connectivity

Configure DNS on the backup gateway, ESX hosts, and vCenter Server. For any transport mode, missing or incorrect DNS configuration produces nslookup errors during fully qualified domain name (FQDN) resolution.


Push installations

Applies to: Core installations for Windows, Linux, and Microsoft SQL Server

To install software on the server that you want to back up, you can push the software from the backup gateway to the server. To perform a push installation, you need the name of the server that you want to back up and the user credentials for the server.

To successfully perform a push installation, do the following:

  • Verify that the backup gateway has network access to the server.
  • Obtain system administrator (sysadmin) user credentials for the server.
  • Windows computers: The Remote Registry service must be enabled and configured to automatically start during the computer startup.

Firewall and Network Port Requirements

Turn off the firewall services on the server, and temporarily open the following inbound network ports before performing the push installation:

  • For UNIX, Linux, and Macintosh computers, enable SSH (Secure Shell), and then open port 22.
  • For Windows computers, do the following:
    • Open Port 135 for DCOM (Distributed Component Model).
    • Open Port 139 for NetBIOS Session Service (if you are using legacy Windows computers, such as Windows NT or earlier versions).
    • Open Port 445 for SMB (Server Message Block) file sharing.
    • Open the Windows Management Instrumentation (WMI) port. For instructions on setting up a fixed port for WMI, see Setting Up a Fixed Port for WMI on the Microsoft website.
    • Important: If Windows Firewall is enabled on the computer, do one of the following:
      • Temporarily open the following ports in Windows Firewall: – Port 135 for DCOM-In (COM + Network Access) – Port 445 for SMB – WMI port
      • Set up a remote cache in the network where the computer resides.

Customizing the Backup Content for a Server

You can customize the backup content for a file server.

The backup content originally comes from the plan associated with the file server. If you customize the backup content for the file server, the backup content on the plan is not affected.

The following tabs are available to add customized content:

  • On the Content tab, you specify the content that you want to back up.
  • On the Exceptions tab, you specify the content that you do not want to back up.
  • On the Exclusions tab, you specify exclusions to the content that you specified in the exceptions list.

Procedure

  1. From the navigation pane, go to Protect > File servers. The File servers page appears.
  2. In the Actions column for the server, click the action button, and then click Edit plan association. The Edit plan dialog box appears. The plan associated with the file server and the backup content defined in the plan are displayed.
  3. Move the Define your own backup content toggle key to the right.
  4. Complete the following steps to add customized content:
OptionOn tabsSteps
Enter custom pathContent Exclusions ExceptionsType a path, and then click the add button.The path is added to the Files and folders table.
BrowseContent Exclusions ExceptionsClick Browse. The Select a path dialog box appears. Select a file or folder. Click Save. The path is added to the Files and folders table.
Content LibraryContent ExclusionsUse the Content Library to select well known folders, such as Desktop, and file types. Click Content Library. The Add content dialog box appears. Select content. Click Save. The path is added to the Files and folders table.
Impersonate userContentUse Impersonate user to use a saved user credential to access the file system. Click Impersonate user. The Impersonate user dialog box appears. From the Credential list, select the user credential. Click OK.
Files and foldersContent Exclusions ExceptionsSelect the check boxes. Important: If you do not select a check box, then that content is not included, excluded, or excepted from the exclusions.
Include global exclusion filtersExclusionsFrom the list, select one of the following options: Use cell level policy (default): Enables or disables the global exceptions for the default subclient depending on whether the Use global filters on all subclients option is enabled for the environment. On: Enables the global exceptions for the default subclient. Off: Disables the global exceptions for the default subclient.
  1. Click Save.

Microsoft Azure

You can configure your Azure blobs and files to back up directly to Metallic Azure storage without installing additional hardware or software. You can also back up Azure blobs and files to your own Azure storage.

Avoid Egress Charges

To avoid paying Azure egress charges, the Azure region the storage is located in must be the same Azure region that you back up to. For example, if you are backing up a blob located in Central US, the backup storage must also be located in Central US.

Supported Azure Regions

  • Central US
  • East US
  • East US 2
  • North Central US
  • South Central US
  • West Central US
  • West US
  • West US 2
  • Canada Central
  • Canada East
  • Australia Central (Canberra)
  • Australia Central 2 (Canberra)
  • Australia East (New South Wales)
  • Australia Southeast (Victoria)
  • UK South
  • UK West
  • West Europe
  • North Europe
  • Norway East


Accessing the object storage overview

To perform operations on your Azure blob, open the object storage overview page.

Procedure
  1. Go to the Hub.
  2. On the Core tab, in the Manage Data Sources tile, above Object Storage, click the number.
    The Object storage page appears.
  3. In the Name column, click the object storage that you want to open.

Azure Blob

You can configure your Azure blob to back up directly to Metallic Azure storage without installing additional hardware or software. You can also back up your Azure blob to your own Azure storage.

To back up multiple storage accounts, configure each storage account individually.

Data Flow


Restoring an Azure Blob in Place

To restore an Azure blob backup to its original location, use the in-place restore operation.

Procedure

  1. From the navigation pane, go to Protect > Object storage.The Object storage page appears.
  2. In the Object storage table, right-click the object storage repository that you want to restore, and then click Restore.
    The Backup content page appears.
  3. In the backup content list, select the backups to restore, and then click Restore.
    The Restore options dialog box appears.
  4. On the In place tab, specify the following information:
    • No of streams: Enter the number of streams to use for the restore operation.
    • Select one of the following:
      • Overwrite files unconditionally
      • Overwrite files only if the backed up file is newer
  5. Click Submit.

Restoring an Azure Blob Out of Place

To restore an Azure blob backup to a different blob (not the original blob), use the restore out-of-place operation.

Procedure
  1. From the navigation pane, go to Protect > Object storage.
    The Object storage page appears.
  2. In the Object storage table, right-click the object storage repository that you want to restore, and then click Restore.
    The Backup content page appears.
  3. In the backup content list, select the backups to restore, and then click Restore.
    The Restore options dialog box appears.
  4. On the Out of place tab, specify the following information:
    • Destination target: Type the path to the target.
    • No of streams: Type the number of streams to use for the restore operation.
    • Destination path: Type the full restore location path.
    • Select one of the following:
      • Overwrite files unconditionally
      • Overwrite files only if the backed up file is newer
  5. Click Submit.

Azure Files

You can configure your Azure files to back up directly to Metallic Azure storage without installing additional hardware or software. You can also back up your Azure files to your own Azure storage.

To back up multiple storage accounts, configure each storage account individually.

Data Flow

Restoring an Azure File in Place

To restore an Azure file backup to its original location, use the in-place restore operation.

Procedure

  1. From the navigation pane, go to Protect > Object storage.
    The Object storage page appears.
  2. In the Object storage table, right-click the object storage repository that you want to restore, and then click Restore.
    The Backup content page appears.
  3. In the backup content list, select the backups to restore, and then click Restore.
    The Restore options dialog box appears.
  4. On the In place tab, specify the following information:
    • No of streams: Enter the number of streams to use for the restore operation.
    • Select one of the following:
      • Overwrite files unconditionally
      • Overwrite files only if the backed up file is newer
  5. Click Submit.

Restoring an Azure File Out of Place

To restore an Azure file backup to a different location (not the original location), use the restore out-of-place operation.

Procedure

  1. From the navigation pane, go to Protect > Object storage.
    The Object storage page appears.
  2. In the Object storage table, right-click the object storage repository that you want to restore, and then click Restore.
    The Backup content page appears.
  3. In the backup content list, select the backups to restore, and then click Restore.
    The Restore options dialog box appears.
  4. On the Out of place tab, specify the following information:
    • Destination target: Type the path to the target.
    • No of streams: Type the number of streams to use for the restore operation.
    • Destination path: Type the full restore location path.
    • Select one of the following:
      • Overwrite files unconditionally
      • Overwrite files only if the backed up file is newer
  5. Click Submit.

Microsoft Azure VM

You can use Metallic to back up and to restore Azure virtual machines (VMs) residing in Azure public cloud datacenters. Metallic backups leverage Azure snapshots and Metallic streaming backups.

To allow Metallic backup services to connect to and to back up your Azure VMs, you must set up an application and tenant in the Azure portal.

Data Flow


Setting Up an Application and Tenant for Azure Resource Manager

To create an Azure virtualization client in the Metallic software, you need to set up an application and tenant for the Azure Resource Manager.

An application is a specific cloud service associated with your Azure account, and the tenant is a client or organization that manages an instance of the cloud service. The application and tenant are associated with your subscription through Azure Active Directory, which provides identity and access management for the Azure cloud.

To complete the setup of the Azure virtualization client in the Metallic software, you need the following:

  • Application name
  • Application ID
  • Subscription ID
  • Tenant ID (Directory ID)
  • Application key
Before You Begin

Collect the following information for your Azure account:

  • Subscription ID for the Azure account
  • User credentials with Service Administrator capabilities, for logging in to your Azure account
Procedure
  1. Log on to the public Azure portal with service administrator credentials.
  2. From the All services menu, select the App registrations tab, and then click on New registration.
  3. Enter the appropriate values for the following:
    • Name: Name of the application to be created on Azure Active Directory.
    • Account type: Select one from the following:
      • Accounts in this organizational directory only
      • Accounts in any organizational directory
      • Accounts in any organizational directory and personal Microsoft accounts.
    • Redirect URI: Optional. https://app_name (URL including the application name you specify). For example: MyWebApp and https://MyWebApp.
  4. Click Register.
    The application will be listed on the App Registration tab. Note down the Application ID.
  5. Go to the API permissions blade.
  6. Click Add a permission to add the required API permissions:
    1. Select the Microsoft API: Azure Service Management.
    2. Select the option to provide delegated permissions to Access Azure Service Management as organization users.
    3. Click Add permissions.
      Note: If you are configuring a Linux proxy, you must also request API permissions for the Microsoft API: Azure Storage.
  7. Go to the Certificates & secrets blade.
  8. Click on New client secret, and then provide the key description and expiration date.
  9. Click Save.
    A unique secret key is generated for the application.
    Important: Save the key value. The key value will be your application password. You will not be able to retrieve the key after you leave the Certificate & secrets tab/blade.
  10. From the All services menu, click the Subscriptions tab, and then select the subscription ID for which the virtualization client needs to be created.
  11. To define a custom role instead of using the predefined Contributor role, do the following:
    Define a custom role to specify more limited permissions that can be used for backup and restore operations, either for a specific resource group or for the subscription as a whole.
    1. Download the CVBackupRole.json file, which contains the minimum permissions needed for Azure backup and restore operations.
    2. Use a JSON editor to modify the following entry and change #SubscriptionID# to your subscription ID: “AssignableScopes” : [“/subscriptions/#SubscriptionID#“]
    3. To create a custom role, refer to Custom roles for Azure resources.
  12. On the Access Control (IAM) tab, click Add to add a service principal user.
  13. On the Add Permissions blade, select the Contributor role or the custom role that you created.
  14. Select Azure AD user, group, or application.
  15. In the Select field, type the application name, and then select the application created in previous step.
  16. You can obtain the Tenant ID from the public Azure cloud by selecting Azure Active Directory > Properties > Directory ID.
    The Directory ID is also the Tenant ID.
What to do next

In the Metallic software, create the Azure virtualization client using the Subscription ID, Tenant ID, Application ID, and Application Key.


Office 365

You can configure Office 365 applications to back up directly to the Metallic cloud without installing additional hardware or software. Protect data in the following Office 365 applications from accidental deletions, ransomware scenarios, and data corruption:

  • Exchange Online
  • SharePoint Online
  • OneDrive

When it is time to recover data, you can find and recover as many files as you need, or you can restore an entire folder or mailbox to a point in time. Metallic eliminates “dumpster diving” or rummaging through the Office 365 recycle bin.

Data flow

Office 365 Data Flow

Accessing Office 365 apps

To perform operations, such as restore operations, on an Office 365 application, you must open the application.

  1. Go to the Hub.
  2. On the Office 365 tab, in the Manage Data Sources tile, click the number of mailboxes, users, or sites that you are managing. The Office 365 apps page appears.
  3. In the App name column, click the app that you want to open. Tip: The Service type column displays the app type: Exchange Online, OneDrive for Business, or SharePoint.

Exchange Online

You can use Metallic to back up and to restore Exchange Online data.

To set up Exchange Online, you can use the express configuration option or the custom configuration option. With the express configuration option, you use the Office 365 global administrator account. You can use the custom configuration option instead, for either of the following reasons:

  • You do not want to use the global administrator account.
  • You have MFA enabled for global administrator account which is not supported in the express configuration.

Retention

The index server is scanned every 24 hours. Messages that are eligible for data aging based on their received time and the rules defined in the plans are pruned.


Express configuration for Office 365

Before you begin the automated setup and configuration of Office 365 with Metallic, check the following configurations in the Office 365 applications:

  • You must have an Azure global administrator account.Using the global administrator account, Metallic automatically creates the Metallic backup app and registers with Azure AD. The credentials from the global administrator account are used to create the service accounts that are required to discover user mailboxes and group mailboxes. In Teams, when new channels are created, the global administrator credentials are used to assign service accounts to the group mailboxes that are created in the background. After the Metallic app is configured, you can replace the global administrator role with the Exchange administrator role. However, new Teams group mailboxes will not be protected because only global administrator credentials can assign service accounts to group mailboxes.
  • Multi-factor Factor Authentication (MFA) must be turned off.
  • Service accounts:
    • Auto-generated service accounts must be excluded from any Modern Authentication policy and from any automatic password reset policy.
    • Service accounts with the Exchange administrator role must be excluded from any automatic password reset policy.

Add an App for Exchange Online Using the Express Configuration Option

Use the express configuration option to create an Exchange Online app. After you create the Azure app that is needed for the Exchange Online app, the Metallic software automatically creates an Exchange Online service account for the Azure app, syncs the app with Azure, and authorizes the Azure app.

Procedure

  1. Go to the Hub.
  2. On the Office 365 tab, from the New Configuration list, select Configure Exchange.
    The Exchange Online page appears.
  3. In the Name box, type a name for the app.
  4. From the Office 365 cloud region list, select the region that hosts Exchange Online:
    • If Exchange Online is not hosted in a national cloud, select Default (Global Service).
    • If Exchange Online is hosted in a national cloud, select the region.
  5. In the Connection settings section, enter the following information:
    1. Select Express configuration (Recommended).
    2. Enter the Office 365 global administrator account user name and password.
    3. Click Create Azure app.
      A Microsoft window displays all the permissions that are required to access the Azure app.
    4. Click Accept.
      If the pop-up blocker appears in the browser, allow access to the Microsoft window so that you can accept the required permissions without interference.
  6. Click Save.

Custom configuration for Office 365

If the automated configuration method cannot be used for your organization, manually configure the connection details in your Azure tenant. Use the connections details to configure the Metallic backup application in the Metallic environment.

The Metallic backup application is a logical container created per tenant that holds the connection details to the tenant Office 365 subscription. The Metallic backup application is registered with Microsoft Azure Active Directory (Azure AD) in order to authenticate all connections to the Office 365 applications such as Exchange Online and OneDrive.


Adding an App for Exchange Online Using the Custom Configuration Option

You can create the Exchange Online client manually by providing the Azure app details and Exchange Online service account login details.

Before You Begin

Complete the setup for either basic authentication or modern authentication:

  • The setup for Basic Authentication includes the following:
    • Registering the application in the Azure portal to obtain the application ID, the Azure directory ID, and the application key value.
    • Configuring the Exchange Online service account, and then using the Exchange Online service account login details to add the app. The password for basic authentication must be the app password that you created when you configured the Exchange Online service account.
  • The setup for Modern Authentication includes the following:
    • Registering the application in the Azure portal to obtain the application ID, the Azure directory ID, and the application key value.
    • Configuring the Exchange Online service account, and then using the Exchange Online service account login details to add the app.

Procedure

  1. Go to the Hub.
  2. On the Office 365 tab, from the New Configuration list, select Configure Exchange.
    The Exchange Online page appears.
  3. In the Name box, type a name for the app.
  4. From the Office 365 cloud region list, select the region that hosts Exchange Online:
    • If Exchange Online is not hosted in a national cloud, select Default (Global Service).
    • If Exchange Online is hosted in a national cloud, select the region.
  5. In the Connection settings section, enter the following information:
    1. Select Custom configuration (Advanced).
    2. To enable modern authentication during a backup operation and a restore operation, move the Use modern authentication toggle key to the right.
    3. Click Add an Azure app.
      The Azure application dialog box appears.
      1. In the Application ID box, type the application ID.
      2. In the Application secret box, type the key value.
      3. In the Azure directory ID box, type the directory ID.
      4. Click Add.
    4. Click Add a service account.
      The Exchange Online Service account dialog box appears.
      1. In the Email address box, type the service account email ID.
      2. Type the associated password.
      3. Click Add.
  6. Click Save.

Basic Authentication

Basic authentication is also called legacy authentication.

Registering the Azure App for Exchange Online

Register the Exchange Online app with Microsoft Azure Active Directory (AD).

When you finish registering the app, record the Application ID and Directory ID. When you finish creating the client secret, record it. You will need to enter these values when you add an Exchange Online app.

To improve performance and to minimize throttling, you can register multiple apps. For example, for an Exchange Online app that has 2,500 mailboxes, register 5 apps. Every time an additional 1,000 mailboxes are added, register 1 additional app.

Disclaimer: You perform these steps in the Microsoft Azure Active Directory web application, which is subject to change without notice.

Log On to the Azure Portal as the Global Administrator

  1. Log on to the Azure portal (https://portal.azure.com/) using your global administrator account.
  2. Go to Azure Active Directory.

Register the Azure App

  1. In the navigation pane, click App registrations.
  2. Click New registration.
  3. In the Name box, enter a name for the app.
  4. Under Supported account types, select the accounts that you want to give access to the app.
  5. If you want to verify the status of the app and to authorize the app from the Command Center, under Redirect URI, enter the Command Center URL.
    For example, enter https://Command_Center_name.domainname.com/adminconsole.
  6. Click Register.
  7. Copy and paste the following values in a file or other document that you can access later:
    • Application ID
    • Directory ID

    You will enter these values in the Command Center when you create the Exchange Online app.

Request and Grant Permissions for Azure APIs

  1. In the navigation pane, click API permissions.
  2. Click Add a permission.
  3. Click Microsoft Graph.
  4. Click Application permissions.
  5. Select the following permissions:
    • Directory: Directory.Read.All
    • Group: Group.ReadWrite.All
  6. Click Add permissions.
  7. Click Add a permission.
  8. At the bottom of the page, under Supported legacy APIs, click Exchange.
  9. Click Application permissions.
  10. Select full_access_as_app.
  11. Click Add permissions.
  12. Click Grant admin consent for tenant_name.

Create a Client Secret

  1. In the navigation pane, click Certificates & secrets.
  2. Click New client secret.
  3. Enter a description, and then select when you want the secret to expire.
  4. Click Add.
  5. Copy and paste the client secret value in a file or other document that you can access later.
    You will enter this value in the Command Center when you create the Exchange Online app.

Providing Service Accounts Access to Mailboxes in Exchange Online (Through Azure Active Directory)

Applies to: Office 365 with Exchange, User Mailbox

In an Office 365 with Exchange environment, you must configure the Exchange Online service account to discover, archive, clean up, and restore data for user mailboxes, group mailboxes, and all public folders.

Before You Begin

The Office 365 with Exchange (Exchange Online) administrator account must have the following service accounts configured:

  • Exchange Online service account, which must meet the following requirements:
    • Must be an online mailbox or a shared mailbox.
    • Must have multi-factor authentication enabled. You must provide the service account email address and the app password, which must be created so that the app can connect to Office 365. For more information, see Set up multi-factor authentication in the Office 365 admin center and Create an app password for Office 365 on the Microsoft documentation website. If MFA is enabled using the conditional access policy, then the app password cannot be configured.
    • Must have either the Exchange administrator role or the global administrator role assigned so that the Exchange administrator or the global administrator can discover and back up Office365 group mailboxes. For more information, see Assign admin roles in Office 365 on the Microsoft documentation website.
    • If you use more than one access node, the service account must have local logon rights.
    • For public folders, you must have owner permissions at the root level and the sub-folder level. Convert the shared mailbox to a user mailbox, assign assign the owner permissions, and then convert the mailbox back to a shared mailbox.
    • For the Exchange Online service account, a license is not required. Convert the user mailbox to a shared mailbox, and remove the Office 365 license for the Exchange Online service account.
  • Local system account (Windows user), which must meet the following requirements:
    • Must be a member of the local administrator group.
    • Must be a domain user.

Procedure

  1. Open Windows PowerShell and create a remote PowerShell session to Office 365 with Exchange.
  2. To assign impersonation and view-only recipient permissions, type the following command:New-RoleGroup -Name “ExchangeOnlineBackupRoleGroup” -Roles “ApplicationImpersonation”, “View-Only Recipients” -Members serviceaccount1,serviceaccount2 where:
    • ExchangeOnlineBackupRoleGroup is a unique name for the new role group.
    • serviceaccount1 and serviceaccount2 are Exchange Online service accounts.

Modern Authentication

Modern authentication is a method of identity management that offers more secure user authentication and authorization.

Registering the Azure App for Exchange Online

Register the Exchange Online app with Microsoft Azure Active Directory (AD).

When you finish registering the app, record the Application ID and Directory ID. When you finish creating the client secret, record it. You will need to enter these values when you add an Exchange Online app.

To improve performance and to minimize throttling, you can register multiple apps. For example, for an Exchange Online app that has 2,500 mailboxes, register 5 apps. Every time an additional 1,000 mailboxes are added, register 1 additional app.

Disclaimer: You perform these steps in the Microsoft Azure Active Directory web application, which is subject to change without notice.

Log On to the Azure Portal as the Global Administrator

  1. Log on to the Azure portal (https://portal.azure.com) using your global administrator account.
  2. Go to Azure Active Directory.

Register the Azure App

  1. In the navigation pane, click App registrations.
  2. Click New registration.
  3. In the Name box, enter a name for the app.
  4. Under Supported account types, select the accounts that you want to give access to the app.
  5. If you want to verify the status of the app and to authorize the app from the Command Center, under Redirect URI, enter the Command Center URL.For example, enter https://Command_Center_name.domainname.com/adminconsole.
  6. Click Register.
  7. Copy and paste the following values in a file or other document that you can access later:
    • Application ID
    • Directory ID
    You will enter these values in the Command Center when you create the Exchange Online app.

Request and Grant Permissions for Azure APIs

  1. In the navigation pane, click API permissions.
  2. Click Add a permission.
  3. Click Microsoft Graph.
  4. Click Application permissions.
  5. Select the following permissions:
    • Directory: Directory.Read.All
    • Group: Group.ReadWrite.All
  6. Click Add permissions.
  7. Click Add a permission.
  8. At the bottom of the page, under Supported legacy APIs, click Exchange.
  9. Click Application permissions.
  10. Select full_access_as_app.
  11. Click Add permissions.
  12. Click Grant admin consent for tenant_name.

Create a Client Secret

  1. In the navigation pane, click Certificates & secrets.
  2. Click New client secret.
  3. Enter a description, and then select when you want the secret to expire.
  4. Click Add.
  5. Copy and paste the client secret value in a file or other document that you can access later.
    You will enter this value in the Command Center when you create the Exchange Online app.

Providing Service Accounts Access to Mailboxes Exchange Online

You must configure the Exchange Online service account to discover, archive, clean up, and restore data for user mailboxes, group mailboxes, and all public folders.

Before You Begin

  • Exchange Online service account, must meet the following requirements:
    • Must be an online mailbox or a shared mailbox.
    • Exchange administrator rights are required for running application check readiness.
    • MFA must be disabled for the service account.
  • Local system account (Windows user), which is required when more than one access node is used, must meet the following requirements:
    • Must be a member of the local administrator group.
    • Must be a domain user.

Procedure

  1. Open Windows PowerShell and create a remote PowerShell session to Office 365 with Exchange.
  2. To assign impersonation and view-only recipient permissions, type the following command:New-RoleGroup -Name “ExchangeOnlineBackupRoleGroup” -Roles “ApplicationImpersonation”, “View-Only Recipients” -Members serviceaccount1,serviceaccount2 where:
    • ExchangeOnlineBackupRoleGroup is a unique name for the new role group.
    • serviceaccount1 and serviceaccount2 are Exchange Online service accounts.

Restores for Exchange Online

You can restore an individual mailbox item (such as folders, messages, and calendar appointments) or an entire mailbox.


Restoring an Individual Mailbox Item to Its Original Location

You can restore an individual Exchange Online mailbox item to the location that it was backed up from.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365.
    The Office 365 apps page appears.
  2. In the App name column, click the app that contains the item that you want to restore.
    The app page appears.
  3. On the Mailboxes tab, select the mailbox that contains the item that you want to restore, click Restore, and then click Restore messages.
    The mailbox contents appear.
  4. Select the item that you want to restore.
  5. Click Restore, and then click Selected items.
    The Restore options dialog box appears, with options for restoring to the original location already selected.
  6. For When message exists, specify what to do with existing items:
    • To overwrite existing items, select Overwrite unconditionally.
    • To not overwrite existing items, select Skip.
  7. Click Submit.

Restoring a Mailbox to Its Original Location

You can restore an entire mailbox to the location that it was backed up from.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365.
    The Office 365 apps page appears.
  2. In the App name column, click the app that contains the mailbox that you want to restore.
    The app page appears.
  3. On the Mailboxes tab, select the mailbox that you want to restore, click Restore, and then click Restore mailbox.
    The Restore options dialog box appears, with options for restoring to the original location already selected.
  4. For When message exists, specify what to do with existing items:
    • To overwrite existing items, select Overwrite unconditionally.
    • To not overwrite existing items, select Skip.
  5. Click Submit.

Downloading Exchange Online Folders or Messages

You can export folders or messages to an export set, change the format of the items to fit your needs, and download the exported PST or CAB file directly to your browser. When you export, an export set is automatically created.

The following file formats are supported when you export:

  • PST (Portable Storage Table)
  • CAB (cabinet file)

The default maximum size of export to PST or CAB is 25 GB. The size limitation applies to the total size of emails exported from the Office 365 client.

Note:

  • When the export size exceeds 25GB, the export job does not start and an error message occurs. You can use the restore option or create multiple, smaller export sets.
  • When multiple mailboxes are exported to a PST file, all the emails are exported from all the mailboxes into a single PST file.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365.
    The Office 365 apps page appears.
  2. Right-click the Office 365 app that contains what you want to export, and then click Restore.
    The user mailbox appears in the folder view.
  3. You can export a folder or messages:
    Note: To include deleted items in the export file, click the action button , and then select Include deleted items.
    • To export a folder or a sub-folder, do the following:
      1. In the left pane, expand the mailbox, and then click the folder or the sub-folder.
      2. From the Export selected folder to list, select the file format.
    • To export messages, do the following:
      1. Either expand folders to navigate to the messages, or in the Search box, enter search terms in the search filter list.
        For example, enter inbox for the Folder filter.
      2. Select the check boxes for the messages.
      3. From the Export selected items to list, select the file format.
        The Export to dialog box appears.
  4. In the Name box, type a name for the export set.
  5. If messages are selected, next to Selection Range, select the email messages to include in the export set:
    • To select the selected email messages, click Selected.
    • To select all the emails in the search results, select All.
  6. Click Submit.
    A job runs to create the export set.
  7. In the upper-right corner of the page, click View exports.
    The View exports dialog box appears. The export sets that are ready to be downloaded and the export sets that are being created are listed.
  8. To download the export set, click the download button download button.
    Note: When mailboxes are exported, the folder hierarchy is maintained in the export set.
  9. To delete an export set, select the check box for the export set, and then click Delete.
    The message Selected exports deleted successfully confirms the deletion.

Automated setup for Office 365

Before you begin the automated setup and configuration of Office 365 with Metallic, check the following configurations in the Office 365 applications:

  • You must have an Azure global administrator account.
    • Using the global administrator account, Metallic automatically creates the Metallic backup app and registers with Azure AD.
    • The credentials from the global administrator account are used to create the service accounts that are required to discover user mailboxes and group mailboxes. In Teams, when new channels are created, the global administrator credentials are used to assign service accounts to the group mailboxes that are created in the background.
    • After the Metallic app is configured, you can replace the global administrator role with the Exchange administrator role. However, new Teams group mailboxes will not be protected because only global administrator credentials can assign service accounts to group mailboxes.
  • Basic authentication must be enabled for the global administrator account.
  • Multi-factor Factor Authentication (MFA) must be turned off.
  • Service accounts:
    • Auto Generated Service Accounts must be excluded from any Modern Authentication policy and from any automatic password reset policy.
    • Service accounts with the Exchange administrator role must be excluded from any automatic password reset policy.

Manually configuring connection details for Exchange

If the automated configuration method cannot be used for your organization, manually configure the connection details in your Azure tenant.

In an Office 365 with Exchange environment, you must configure the Exchange Online service account to discover, archive, clean up, and restore data for user mailboxes, group mailboxes, and all public folders.

Important: Metallic software supports Microsoft Azure for public clouds only. Sovereign clouds, such as in Germany or China, are not supported. For more information, consult Microsoft documentation. For example, “App Service Regional Details”, azure.microsoft.com/en-us/pricing/details/app-service/regional-details/.

When you perform this procedure, record the following values for the Exchange Online application. You will use these values when you configure your Metallic environment.

  • Exchange Online service account username and password
  • Application ID
  • Key value
  • Directory ID

Before You Begin

The Office 365 with Exchange (Exchange Online) Administrator Account must have the Exchange Online Service Account configured. The account does not need a mailbox.

Procedure

  1. Open Windows PowerShell and create a remote PowerShell session to Office 365 with Exchange.
  2. To assign impersonation and view-only recipient permissions, type the following command:New-RoleGroup -Name “ExchangeOnlineBackupRoleGroup” -Roles “ApplicationImpersonation”, “View-Only Recipients” -Members serviceaccount1,serviceaccount2 where:
    • ExchangeOnlineBackupRoleGroup is a unique name for the new role group.
    • serviceaccount1 and serviceaccount2 are Exchange Online service accounts.
  3. Access the Azure portal (https://portal.azure.com/) using your global admin user account.
  4. In the Microsoft Azure dashboard, in the left navigation pane, go to Azure Active Directory > App registrations, and then click New Registration.
  5. On the Register an application blade, do the following:
    1. In the Name box, type a name for your application.
    2. Under Supported account types, select the accounts that you want to give access to this application API.
    3. The Redirect URI (optional) box, enter the URL.For most authentication scenarios, you need to enter this value. However, in some cases, you do not need to enter a value. Also, you can change this value later.
    4. Click Register.The Overview screen appears.
  6. On the Overview tab, go to View API Permissions > Add a permission > Microsoft Graph, and then click Application Permissions. The permissions screen appears.
  7. Expand Directory, and then select the Directory.Read.All permission.
  8. Click Add Permission.
  9. On the API Permissions tab, under Grant consent, click Grant admin consent for tenant name. A confirmation dialog box appears.
  10. Click Yes.A message states that admin consent is granted for the requested permissions.
  11. On the preview screen, click Overview, and then record the application ID and the directory ID.
  12. Click Certificates and secrets, and then complete the following steps:
    1. Click New client secret.
    2. To add an application key value, type a description, and then select Never Expires.
    3. Click Add.
    4. Record the client secret key value.

Restoring Mailboxes, Mailbox Items, or Messages for Exchange Online

You can restore a mailbox, a mailbox item (such as a folder, a contact, or a calendar entry), or a message.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365. The list of all Exchange clients appears.
  2. Click the Exchange client that contains the mailbox that you want to restore. The mailboxes page appears.
  3. Select the mailbox that you want to restore, and then click Restore. The page with the mailbox display name appears in the folder view.
  4. Do one of the following:
    • To restore a mailbox, select a mailbox in the left pane.
    • To restore a folder, expand the mailbox, and then select the folder.
    • To restore a message, in the right pane, select the appropriate message.
  5. Click Selected items. The Restore Options dialog box appears.
  6. From the Restore to list, select Mailbox.
  7. From the Destination host list, select the name of the Exchange server computer.
  8. To restore the data to the same path from which it was backed up, select the Restore to original folder check box.
  9. In the When message exists area, do either of the following:
    • To overwrite any existing messages, select Overwrite unconditionally.
    • To prevent an item that already exists from being overwritten, select Skip.
  10. Click Submit.

Restoring Mailboxes, Mailbox Items, or Messages to a Different Place for Exchange Online

You can restore a mailbox, a mailbox item (such as a folder, a contact, or a calendar entry), or a message to different folder on the same client or to a different Exchange client.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365. The list of all Exchange clients appears.
  2. Click the Exchange client that contains the mailbox that you want to restore. The mailboxes page appears.
  3. Select the mailbox that you want to restore, and then click Restore. The page with the mailbox display name appears in the folder view.
  4. Do one of the following:
    • To restore a mailbox, select a mailbox in the left pane.
    • To restore a folder, expand the mailbox, and then select the folder.
    • To restore a message, in the right pane, select the appropriate message.
  5. Click Selected items. The Restore Options dialog box appears.
  6. From the Restore to list, select Mailbox.
  7. Define where the messages are restored by doing one of the following:
    • If you want to restore to a different folder on the same client, clear the Restore to Original Folder check box, and then type the destination path.
    • If you want to restore to a different Exchange client, from the Destination client list, select the name of the appropriate client.
  8. Click Submit.

OneDrive for Business

You can use Metallic to back up and to restore Microsoft OneDrive for Business data.


Automated setup for OneDrive

Before you begin the automated setup and configuration of Office 365 with Metallic, check the following configurations in the Office 365 applications:

  • You must have an Azure global administrator account. Using the global administrator account, Metallic automatically creates the Metallic backup app and registers with Azure AD. After the Metallic app is configured, you can remove the global administrator role.
  • Basic authentication must be enabled for the global administrator account.
  • Auto Generated Service Accounts must be excluded from any Modern Authentication policy and from any automatic password reset  policy.
  • Multi-factor Factor Authentication (MFA) must be turned off.

Manually configuring connection details for OneDrive

If the automated configuration method cannot be used for your organization, manually configure the connection details in your Azure tenant.

You must register the OneDrive for Business application with Microsoft Azure Active Directory (Azure AD). Azure AD manages the connection between the OneDrive for Business application and the Metallic software.

Important: To complete this procedure, you must have a thorough understanding of Microsoft Azure Active Directory. Consult Microsoft documentation, such as “Azure Active Directory Documentation” (docs.microsoft.com/en-us/azure/active-directory/)

Disclaimer

This procedure is performed using the Microsoft Azure Active Directory (Azure AD) Web application. The Azure AD application is subject to change without notice. Consult Microsoft documentation, such as “Azure Active Directory Documentation”: docs.microsoft.com/en-us/azure/active-directory/

Before you begin

To complete this procedure, you need the following information:

  • Your tenant name and ID
  • The global admin user account information

When you perform this procedure, record the following values for the OneDrive for Business application. You will use these values when you configure your Metallic environment.

  • Application ID
  • Key value
  • Directory ID

Note: If you do not record the information, return to your OneDrive account to retrieve the Application ID and the Azure Directory ID and to regenerate the client secret key.

Procedure

  1. Access the Azure portal (portal.azure.com/) using your global admin user account.
  2. In the Azure dashboard, in the left navigation pane, click Azure Active Directory.
  3. On the preview screen, click App registrations.
  4. To create a new application, click New registration.The Register an application page appears.
  5. In the Name box, type a name for the application.
  6. Depending on the target audience using the application or API, under Supported account types, select an option.
  7. Optional: In the Redirect URI box, type the homepage URL http://localhost:1234.
  8. Click Register.
  9. On the preview screen, click API permissions.
  10. Click Add a permission.The Request API permissions pane appears.
  11. Click Microsoft Graph tile.
  12. Click Application permissions, and then select the following permissions:
    1. Under Directory, select the Directory.Read.All check box.
    2. Under Sites, select the Sites.ReadWrite.All check box.
    3. Under User, select the User.Read.All check box.
    4. Under Notes, select the Notes.ReadWrite.All check box.
  13. Click Add permissions.
  14. Click Grant admin consent for CommVault. A confirmation dialog box appears.
  15. Click Yes.A message states that admin consent is granted for the requested permissions.
  16. On the preview screen, click Overview, and then record the application ID and the directory ID.
  17. On the preview screen, click Certificates and secrets, and then complete the following steps:
    1. Click New client secret.
    2. To add an application key value, type a description, and select the expiry for the key.
    3. Click Add.
    4. Record the client secret key value.

Add the user accounts to back up

To back up OneDrive user accounts, configure user groups to automatically discover user accounts. The user accounts that are discovered are added to user groups in the OneDrive app.

You can use regular expressions or Azure affinity groups to discover user accounts. If you use regular expressions, you can chose to automatically create user groups that alphabetically organize user accounts, or you can manually create user groups and then define your own regular expressions to discover user accounts.

To perform a test backup operation, you can manually create a user group and then manually add a small number of user accounts to your user group.


Enabling Autodiscovery of User Accounts for OneDrive for Business

To discover user accounts automatically, enable autodiscovery on the OneDrive for Business app, and then select the autodiscovery method. You can select either regular expressions or Azure affinity groups as the autodiscovery method.

After you enable autodiscovery and define the regular expressions or the Azure affinity groups in the user groups, when a backup operation runs for a user group, user accounts are autodiscovered and included in the backup operation.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365.
    The Office 365 apps page appears.
  2. Click the OneDrive for Business app.
    The app page appears.
  3. Click Settings.The app settings page appears.
  4. In the Infrastructure settings section, click Edit.
    The Auto discovery settings dialog box appears.
  5. Select the Enable check box.
  6. To select the method that you want to use for autodiscovery, complete one of the following steps:
    • To use regular expressions, select Regex patterns.
      • To automatically create user groups that discover user accounts based on alphabetical order, select the Create subclients check box, and then click 10 or 20.
        Note: If you have a large number of user accounts, click 20 to create 20 user groups. Creating a larger number of user groups helps to minimize Microsoft throttling.
    • To use Azure affinity groups, select Azure AD groups.
  7. Click Save.

What to Do Next

Add regular expressions or Azure affinity groups to user groups. If you automatically created user groups based on alphabetical order, you can update the regular expressions to suit your business needs.


Autodiscovering User Accounts for OneDrive for Business Using Regular Expressions or Wildcards

You can use regular expressions or wildcards to autodiscover user accounts by display name. For example, you can use regular expressions to discover all user accounts that contain “sales” in their display names. The regular expressions that you use are case sensitive.

When you use regular expressions or wildcards to autodiscover user accounts, user accounts that match the regular expressions or the wildcard pattern are automatically assigned to the user-defined user group for which you enter the regular expressions or wildcards. If a user account does not match the expressions, then it is automatically assigned to the default user group.

Regular expressionWhat the regular expression matchesExamples of display names that match the regular expression
Sales*Display names that begin with “sales” followed by any number of any charactersSalesA
SalesOffice
[JT]imDisplay names that begin with “J” or “T” and end with “im”Jim
Tim
[a-k]LeeDisplay names that begin with any character in the range of “a” through “k” inclusive and that end with “Lee”aLee
bLee
[A-Z]*[ ][A-E][A-Z]*To skip the entire first name, find the first space and then discover users with last name beginning with the letters “A” through “E”. 

Before You Begin

Enable autodiscovery of user accounts, and then select Regex patterns. For more information, see Enabling Autodiscovery of User Accounts.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365.
    The Office 365 apps page appears.
  2. Click the OneDrive for Business app.
    The app page appears.
  3. On the User groups tab, update an existing user group or create a user group:
    • To add regular expressions to an existing user group, right-click the user group, and then select Manage.
      The user group page appears.
    • To add regular expressions to a new user group, in the upper-right corner of the page, click Add user group.
      The Add user group page appears.
  4. On the Regex patterns tab, click Add pattern.
    The Add new content dialog box appears.
  5. In the Regular expression box, type a regular expression or wildcard pattern, and then click Add.
    You can enter multiple regular expressions or wildcard patterns.
  6. Click Save.

What to Do Next

Run a backup operation on this user-defined user group to back up all the user accounts that have display names that match the regular expressions or the wildcard patterns that you entered.


Autodiscovering User Accounts for OneDrive for Business Using Azure Affinity Groups

You can use Azure affinity groups to autodiscover user accounts.

Before You Begin

Enable autodiscovery of user accounts, and then select Azure AD groups. For more information, see Enabling Autodiscovery of User Accounts.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365.
    The Office 365 apps page appears.
  2. Click the OneDrive for Business app.
    The app page appears.
  3. On the User groups tab, update an existing user group or create a user group:
    • To add Azure AD groups to an existing user group, right-click the user group, and then select Manage.
      The user group page appears.
    • To add Azure AD groups to a new user group, in the upper-right corner of the page, click Add user group.
      The Add user group page appears.
  4. In the Content section, go to Add > Add group.
    The Add new content dialog box appears.
  5. Select the Azure affinity groups that you want to use to autodiscover user accounts, and then click Add.
  6. Click Save.

What to Do Next

Run a backup operation on this user-defined user group to back up all the user accounts that belong to the Azure affinity groups that you selected.


Creating a User Group for Testing

To perform a test backup operation, manually create a user group and then manually add a small number of user accounts to the user group.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365.
    The Office 365 apps page appears.
  2. Click the OneDrive for Business app.
    The app page appears.
  3. On the User groups tab, click Add user group.
    The Add user group dialog box appears.
  4. In the User group name box, type a name for the user group.
  5. From the Server plan list, select a plan.
  6. On the Users tab, click Add user.The Add new content dialog box appears.
  7. In the Name column, select the user accounts that you want to add.
  8. Click Add, and then click Save.

What to Do Next

After testing is complete, enable autodiscovery to automatically discover user accounts to back up.


Restoring OneDrive for Business Data

You can restore Microsoft OneDrive for Business data.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365. The Office 365 apps page appears.
  2. On the Apps page, click the OneDrive for Business app. The app page appears.
  3. On the User groups tab, select the the user groups that you want to restore, and then click Restore. The Backup content page appears.
  4. From the upper-right of the page, select the backups to restore:
    • To restore the most recent backup, click Show latest backups.
    • To restore a backup from a specific date, click Show backups as of a specific date, select a date, and then select the backup.
    • To restore a backup from a date range, click Show backups for a date range, select a date range, and then select the backup.
  5. Select the user groups you want to restore, and then click Restore. The Restore options dialog box appears.
  6. From the Restore to list, select OneDrive.
  7. To restore the data, follow one of the methods in the table below:
    • Restore to original folder: Select this check box to restore data to the folder from which the data was backed up.
    • Destination server: The data is restored to the server.
    • Unconditionally overwrite if it already exists: To overwrite files and folders that are in the destination and have the same names as files and folders that you are restoring, select this check box.
  8. Click Submit.

SharePoint

You can use Metallic to back up and to restore SharePoint sites.


Automated setup for SharePoint

Before you begin the automated setup and configuration of Office 365 with Metallic, check the following configurations in the Office 365 applications:

  • You must have a SharePoint service account with the SharePoint administrator role.
  • The SharePoint service account must be excluded from any automatic password reset policy.
  • You must have a SharePoint administrator site URL.

Restoring Office 365 SharePoint Sites

You can restore Office 365 SharePoint sites to the same site collection or to a different site collection.

Before You Begin

If you are restoring a deleted site, you must manually create the destination top-level site before performing the restore operation. Deleted subsites are automatically created under the destination top-level site during the restore operation.

Procedure

  1. From the navigation pane, go to Protect > Applications > Office 365. The Office 365 apps page appears.
  2. Click a SharePoint server. The selected SharePoint server page appears.
  3. In the Contents section, click the Office 365 backup set. The Office 365 backup set properties page appears.
  4. In the Subclient section, click the subclient that you want to restore. The subclient properties page appears.
  5. In the Subclients table, in the subclient row, in the Restore column, click Restore. The Backup content page appears.
  6. In the upper-right corner of the page, select a backup to restore:
    • To use the most recent backup, click Show latest backups.
    • To use a backup from a specific date, click Show backups as of a specific date, select a date, and then select the backup.
  7. Select the sites that you want to restore, and then click Restore.

Note: If you select multiple, related sites, the top-most selected site in the source hierarchy is restored to the destination site. The subsites are restored in the same hierarchical order as seen in the source.

The Restore options dialog box appears.

  1. Clear the Restore to original folder check box.
  2. Next to Destination path, click Browse.

Important: Do not copy and paste the URL from a web browser into the Destination path box.

The Browse destination dialog box appears.

  1. Next to the destination site, click the check box, and then click OK.
  2. Click Submit.

Microsoft Teams

You can use the Metallic software to protect data in Microsoft Teams. This data includes the Office 365 Group mailbox and the SharePoint team site that are automatically created when you create a team.

Data That Is Protected

Data residing in a team can be backed up using the Metallic Exchange Mailbox and the SharePoint applications.

Microsoft Teams dataMetallic application that backs up the dataData that is protected
Office 365 Group mailboxExchange OnlineEmails
Conversations
Calendar

Note: Team conversations are stored in the Office 365 Group Mailbox, in a hidden folder called Conversation History\Team Chat. Private chats are stored in the posting user’s mailbox, in a hidden folder called Conversation History\Team Chat. In-place restores are not supported for team conversations. Teams conversations can be restored to PST, disk or out of place restore to user or shared mailboxes.
Office 365 Group SharePoint team siteSharePoint OnlineSharePoint Online Office 365 Group site files, which includes the document library.
Wiki page library containing the Team data.

Note: Third party Apps are not supported. Files shared in a team channel conversation are stored in a SharePoint Online site.

Important:

  • The tabs and the channels for a team are not protected and cannot be restored. Tabs and channels have to be added back manually.
  • Chat messages and links to the files shared cannot be restored back to Teams, at this time.

Endpoint

If you are using the Endpoint solution to back up user laptops and desktops, you can manage your endpoints by using the Hub.

Setup considerations

Add an antivirus exclusion for the installation path: Metallic_installation_directory\Metallic\Contentstore. For example, add c:\Program Files\Metallic\ContentStore.

If outbound traffic to TCP 80/443 is restricted, add these entries to your whitelist:

  • p000002ue2v.eastus2.cloudapp.azure.com IP: 52.252.15.17 (TCP port 443)

Note: If you connect through a VPN, access to p000002ue2v.eastus2.cloudapp.azure.com 52.252.15.17 (TCP port 443) must be allowed through the VPN and on the application access layer for the VPN.

  • e000002ue2v.eastus2.cloudapp.azure.com IP: 52.251.7.76 (TCP 80,443)
  • e010002ue2v.eastus2.cloudapp.azure.com IP: 40.70.200.213 (TCP 80,443)

Endpoint hub

Endpoint hub tab screenshot

Install software and authenticate users

To backup and monitor endpoint data, the Endpoint package must be installed on your users’ laptops and desktops. You can ask your users to download and to install the laptop package, or you can perform a silent installation of the laptop package. To decide which method to use in your environment, review the details of each method.

Interactive installations

User authenticationTenant administrator actionUser action
Active DirectoryConfigure an Active Directory identity server. Distribute the link for the laptop package and the auth code to users. Users can also use their email addresses to register their laptops.Download and install the laptop package, and then register the laptop or desktop with the auth code provided by the tenant administrator or your email address.
SAMLConfigure an identity provider that supports SAML. Distribute the link for the laptop package and the auth code to users.Download and install the laptop package, and then register the laptop or desktop with the auth code provided by the tenant administrator.
LocalCreate users and automatically send the users email invitations. The email invitation contains a link for the laptop package and user credentials.Download and install the laptop package, and then register the laptop or desktop with the credentials in the invitation email.

Silent Installations

User authenticationTenant administrator actionUser action
Active DirectoryConfigure an Active Directory identity server. Install the laptop package by using a third-party tool and the auth code.None
SAMLConfigure an identity provider that supports SAML. Install the laptop package by using a third-party tool and the auth code.None

Installing software by using a third-party tool

The Endpoint package can be pushed and installed using third-party software such as Microsoft System Center Configuration Manager (SCCM) or Jamf software.

Before you begin

Obtain the authorization code by going to the Hub, and then on the Endpoint tab, click Download Packages.

Procedure

Configure the third-party software to run the following command from the folder containing the laptop package contents.

  • Windows Windows packages use a self-extracting executable that can be launched using a deployment tool with command line. The package must be pushed to the machine locally before running the command line. Running the package remotely over the network is not supported.
    Win32_Client.exe /silent /install /silent /authcode authcode
    WinX64_Client.exe /silent /install /silent /authcode authcode
    Where authcode is the authorization code. The authorization code is required if the package does not contain user credentials for an installation user.
  • Macintosh Operating System (macOS) Silent macOS packages use the macOS pkg framework. These can be directly placed into the Jamf Casper software to run anytime. The package does not take arguments on command line, so you need to create a text file with the arguments, on the local macOS computer. On the local macOS computer, create an “install.ini” file in the global application support directory:
    • Path to the ini file: /Library/Application Support/Commvault/install.ini
    • Parameter inside the ini file: AUTH_CODE=”######” After creating the text file, you can push the macOS.pkg package to the client.
  • UNIX Operating System For silent install on a UNIX machine, use the following:
    ./silent_install –authcode authcode
    Where authcode is the authorization code. The authorization code is required if the package does not contain user credentials for an installation user.
  • For interactive or semi-silent install on a UNIX machine, use the following:
    ./cvpkgadd –authcode authcode
    Where authcode is the authorization code. The authorization code is required if the package does not contain user credentials for an installation user.

Tasks

From the Endpoint Hub, you can perform the following tasks:

  • Download packages for end-user laptops and desktops
  • Manually add users if you do not use an identity provider
  • Configure an identity provider
  • Change what is backed up on user laptops and desktops

Download packages

To backup and monitor endpoint data, the Endpoint package must be installed on your users’ laptops and desktops. You can ask your users to download and to install the laptop package, or you can perform a silent installation of the laptop package. For more information about these methods, see Install software and authenticate users.

The Endpoint package is available for the following operating systems:

Linux
  • Debian 9.x to Debian 10.x
  • Fedora release 29 with glibc 2.28.x to Fedora release 30 with glibc 2.29.x
  • Red Hat Enterprise Linux 7.x to Red Hat Enterprise Linux 8.x
  • Ubuntu 8.04 to Ubuntu 18.10
Macintosh
  • macOS Mojave (v10.14.x)
  • macOS High Sierra (v10.13.x)
  • macOS Sierra (v10.12.x)
Windows
  • Microsoft Windows 7 Editions to Microsoft Windows Client 10 Editions

Add users manually

To authenticate users with credentials stored in the Metallic backup service, manually add users. When you manually add users, you have the option to automatically send the users email invitations to download and install the Endpoint package on their laptops or desktops. The email invitation contains a link for to the Endpoint package and user credentials.

Note: If you configure an identity provider, you do not need to create users local to the Metallic backup service.

Configuring identity provider

To authenticate users with SAML, configure an identity provider. Common SAML identity providers include AD FS, Azure, and Okta.

Managing backup content

You can change what is backed up on user laptops and desktops.

By default, the following content is included or excluded when a laptop or desktop is backed up:

IncludedExcluded
Desktop folder Documents folder Office file extensions Pictures folder Image file extensionsTemporary Files (Windows, Mac, Linux) C:\Program Files C:\Program Files (x86) C:\Windows

Procedure

  1. Go to the Hub.
  2. On the Endpoint tab, click Manage backup content.The Laptop plan page appears.
  3. On the General tab, in the Plan name box, type the name of the plan.
  4. Click Next.
  5. On the Backup content tab, click the Override base setting check box.
  6. Define the content to backup:
    1. On the Windows, Mac, or UNIX tab, beside Content to backup, click Add.
    2. In the Add content dialog box, browse for content to back up, or click Add custom content to type a path or pattern. For example, type *.docx to back up all files with the docx extension.
    3. To exclude some content from the content you are backing up, next to Exclude these files/folders/patterns, click Add.
    4. Click Save.
    5. Repeat these steps until content is added for each operating system that you want the plan to support.
  7. Click Next accepting all default values.
  8. Optional: On the Options tab, clear the check box for any alerts that you do not want to receive.
  9. Click Finish.

Restoring files and folders for a laptop or computer

You can restore backed-up data, including data that was previously deleted, to the same computer or laptop or a different computer or laptop.

Procedure

  1. Go to the Hub.
  2. On the Endpoint tab, in the Manage Data Sources tile, click the number of devices that you are managing.The Laptops page appears.
  3. In the Actions column for the laptop or computer that you want to restore, click the action button , and then click Restore.The Backup content page appears.
  4. Browse for the files and folders that you want to restore. Tip: You can change the backup content you see by using the filter options in the upper-right corner of the page.
  5. To view data that was deleted from the previous backup operations, click the action button , and then click Show deleted items.Any previously deleted backed-up data appears.
  6. Select the check boxes for the files and folders that you want to restore.
  7. Click Restore.The Restore options dialog box appears.
  8. Choose how you want to restore the data:
    • Destination client: Select the computer where you want to restore the data.
    • Restore to original folder: (default) The option to restore data to the folder from where it was backed up. If you want to enter a new path in the Destination path box, clear this check box.
    • Destination path: If you cleared the Restore to original folder check box, click Browse to choose a folder or to create a new folder. The data is restored to the folder that you choose or create.
    • Unconditionally overwrite if it already exists: The option to overwrite files and folders on the destination laptop or computer with the files and folders you are restoring.
    • Impersonate user: Select this option, and then, in the Username and Password boxes, enter the credentials for a user account that has permissions to execute the restore process on the destination computer.
    • When the job completes, notify me via email: Select this option if you want to receive an email when the restore job completes.
  9. Click Submit.

Compliance Search

Use Compliance Search to search for information in structured or unstructured data within your organization. Compliance Search provides an intuitive interface for entering, categorizing and retrieving data securely, in compliance with security and data retention regulation.

Getting Started

After the Commvault team finishes setting up your Compliance Search environment, add compliance officers. Compliance officers perform searches to locate the information that is needed to satisfy regulatory compliance requirements.

Compliance Holds

To hold data for compliance purposes, you can set your user mailboxes to unlimited retention or to the retention term specified by your compliance mandate. Retention settings are on the plan that you associate with your mailboxes.


Creating compliance officers

To give users access to Compliance Search, create compliance officers.

Procedure

  1. Go to the Hub.
  2. In the User Management tile, click Manage > Compliance.
    The eDiscovery user group properties page appears.
  3. In the User section, click Add users.
    The Add users dialog box appears.
  4. You can add an existing user or a new user:
    • To add an existing user, do the following:
      1. Next to the user, select the check box.
      2. Click Add.
    • To add a new user, do the following:
      1. Click Add new user.
        The Add user dialog box appears.
      2. Enter the user information.
      3. Click Save.
        The user properties page appears.
      4. To return to the user group, click the name of the user group.

Accessing Compliance Search from the Hub

To search for email messages or files, you can open the Compliance Search search page from the Commvault Hub.

Note: If you are a Compliance Officer, access Compliance Search through the website address provided by your administrator.

Procedure

  1. Go to the Hub.
  2. On the Office 365 tab or the Endpoint tab, in the upper-right corner, click Compliance Search.
    The Search page appears.
  3. In the search box, type a keyword, and then click Search.
    Search results appear in a tab. In the left pane, under Search Engine, the number of results for each search engine is displayed. Click a search engine to see the search results for that search engine. In the left pane, you can also click predefined filters to quickly filter the search results.

Basic Email Search Options for Compliance Search

Use these options to perform basic email searches from the Compliance Search search bar.

Basic Search OptionsDescription
Search by KeywordType keywords into the search bar to search for messages that contain any of the entered keywords anywhere in the email message. Keyword searches are not case-sensitive. For example, searches that use the keywords monday or Monday will return the same results.
Search by Exact PhraseTo search using an exact phrase, place quotation marks before and after the phrase. For example, enter “today’s meeting notes” in the search bar to view results that contain this exact phrase.
Search by SenderTo search for emails from a particular sender, type from: in lower-case, followed by the sender’s name. For example, enter from: John Doe to search for emails sent from John Doe. You can also add quotation marks around the name to search by exact phrase.
Search by RecipientTo search for emails from a particular recipient, type to: in lower-case, followed by the recipient’s name. For example, enter to: John Doe to search for emails sent to John Doe. You can also add quotation marks around the name to search by exact phrase. Note: When you search for emails for a specific recipient, search results do not include messages sent to a distribution group the recipient belongs to unless you include the distribution group in your query.
Search by SubjectTo search for emails with certain keywords in the subject line, type conv: in lower-case, followed by the keywords. For example, enter conv: monday’s meeting to search for emails that contain these words in the subject line. You can also add quotation marks around the keywords to search by exact phrase.

Basic File Search Options for Compliance Search

Use these options to perform basic file searches from the Compliance Search search bar.

Basic Search OptionsDescription
Search by KeywordType keywords into the search bar to search for files that contain any of the entered keywords anywhere in the text of the document. Keyword searches are not case-sensitive. For example, searches that use the keywords monday or Monday return the same results.
Search by Exact PhraseTo search using an exact phrase, place quotation marks before and after the phrase. For example, enter “today’s meeting notes” in the search bar to view results that contain this exact phrase.
Search by LocationTo search for files within a particular location, type url: in lower-case, followed by the path of the directory. For example, enter url: C\:\\temp to search for files within the Temp folder on the C: drive.
Search by TitleTo search for files within a specific title, type conv: in lower-case, followed by the path of the title. For example, enter conv: agenda to search for files with the title Agenda. You can also add quotation marks around the keywords to search by exact phrase.

Wildcard Search

You can search for data using a wildcard character within a single keyword.

  • To replace a single character with a wildcard, use the question mark ? symbol. For example, to search for best or test,you can search using the keyword ?est.
  • To replace from zero to any number of characters with a wildcard, use the asterisk * symbol. For example, to search for bet, better, betting, you can search using the keyword bet*.
  • You can use wildcard characters in the middle of a keyword. For example, to search for books, you can search using the keyword boo*s.

Considerations

  • The wildcards are not supported within quotation marks ” “.
  • Multiple wildcard characters cannot be included when searching for a phrase.
  • Do not include a space before or after a wildcard character.

Creating Export Sets

You can create export sets in Compliance Search. Export sets are useful for preparing data or converting data to a uniform format such as CAB or PST.

Procedure

  1. In Compliance Search, perform a search.
  2. Click the check box next to the items that you want to add to the export set.
  3. Above the search bar, click Export To.
  4. Select the export format from the list.
  5. In the Export To dialog box, in the Export Set list, click Create New.
  6. Type the name of export set in the Export Set Name box.
    Note: The following characters / \ : * ? " < > | @ ; & ^ () % # + are not allowed in the name of an export set.
  7. Optional: In the Description box, type the description.
  8. Click OK.

Downloading Search Results in Compliance Search

You can download your Compliance Search search results. If multiple files or emails are selected for download, the files or emails are downloaded as a zip file. If the file name contains Unicode characters, the file name changes after download.

Procedure

  1. From the search result window, select the files or emails to be downloaded.
  2. Above the search bar, click Download.
    The files or emails are downloaded on your local disk at the destination folder specified by you.
    The downloaded file name is converted to a hyperlink.

Monitoring the Backup Environment

You can monitor activity in your environment by creating alert definitions, viewing events, and viewing and controlling jobs.


Accessing reports

Use reports to view the most critical information gathered from your Metallic environment.

To get started with Metallic reports, run the following reports:

  • SLA
  • Audit Trail
  • Backup Job Summary
  • Restore Job Summary

Procedure

  1. Log on to the Command Center.
  2. From the navigation pane, click Reports.
    The Reports page appears.
  3. Click a report.

Viewing Triggered Alerts

An alert is triggered when conditions within the entity meet the criterion selected in the alert definition.

Procedure

  1. From the navigation pane, click Alerts. The Triggered alerts page appears.
  2. Review the alerts triggered from the alert definitions.
  3. To see the alert details, in the Alert info column, click the descriptive link.

Deleting Triggered Alerts

You can delete triggered alerts.

Procedure

  1. From the navigation pane, click Alerts. The Triggered alerts page appears.
  2. To delete alerts, do one of the following:
    • To delete individual alerts, select the check box for the alert, and then click Delete.
    • To delete all of the alerts, select the check box in the table header and click Delete.

Note: If there are pinned alerts in the list, they are deleted.


Creating an Alert

You can create alerts to provide automatic notification about operations, such as failed jobs.

Procedure

  1. From the navigation pane, click Alerts. The Triggered alerts page appears.
  2. In the upper-left area of the page, click Alerts definitions. The Alerts definition page appears.
  3. In the upper-right area of the page, click Add alert definition. The Add alerts definition dialog box appears.
  4. In the Alert name box, type a name for the alert.
  5. From the Alert type list, click the type of alert you want to create. For example, select Backup Job Failed.
  6. If the alert type has a variable in it, in the Value for X box, enter a value for the variable.For example, you must define the value for X for the Backup Delay by X Hrs alert type.
  7. Under Entities, select the entities to apply the alert to.
  8. Under Users, for each user to notify, do one of the following:
    • Type the user email address.
    • Type the user or user group name, and from the generated list, select the user or user group.
  9. Click Add.
  10. Click Save.

Viewing Events

The Events page provides information about jobs and other significant events. In some cases, events can trigger alerts to notify users of events (such as job failures).

Procedure

  1. From the navigation pane, click Events. The Events page appears.
  2. To view details for an event, in the Event ID column, click the event ID.

Viewing Jobs

You can view jobs for the entities in your application. For example, you can view jobs for servers or laptops.

All Jobs

Procedure

  1. From the navigation pane, go to Jobs. The Active jobs page appears.

Tip: You can change the jobs you see by using the filter options in the upper-right corner of the page.

  1. To view the job details, in the Job ID column, click the job ID.

For a Specific Entity

Procedure

  1. From the navigation pane, click the entity. For example, select Servers.
  2. In the table of available entities, in the Name column, click the entity. The entity properties page appears.
  3. In the upper right of the entity details page, click Jobs.

Note: Some entities have links to view specific types of jobs. For example, on the laptop details page, click Restore jobs to view the restore jobs for the laptop.


Controlling Jobs

You can control active jobs. For example, you can suspend a job.

Procedure

  1. From the navigation pane, go to Jobs. The Active jobs page appears.

Tip: You can change the jobs you see by using the filter options in the upper-right corner of the page.

  1. In the Actions column for the job, click the action button and choose your action:
  • To kill the job, click Kill.
  • To suspend the job, click Suspend.
  • To resume a suspended job, click Resume.

Network connectivity

You must be able to connect to the proxies and domains associated with your Metallic environment. Network connectivity is needed for data transfer, device registration, and portal access.

To identify your environment, log on to the Metallic hub and look for the environment number in the URL:

  • m1.metallic.io
  • m2.metallic.io
  • m3.metallic.io
  • m4.metallic.io

For example, if your URL is m3.metallic.io, 3 is your environment number.

Proxies and domains

Allow connectivity to the proxies and domains associated with your environment.

Environment Country Address Port
All All *.metallic.io 80/443
*.blob.core.windows.net 443
api.skyhookwireless.com 443
edc.commvault.com 443
1 Global/US 40.123.45.235
40.79.32.105
443
Australia 20.193.2.126
40.82.219.107
443
France 40.66.63.1
40.66.61.40
443
Japan 40.81.189.67
40.81.187.89
443
UK 51.11.28.66
40.81.158.7
443
2 Global/US 52.252.15.17
52.177.30.214
443
Canada 52.228.123.134
52.228.124.35
443
3 Global/US 40.70.227.193
40.70.227.196
443
Canada 52.228.121.30
52.228.121.96
443
France 51.11.224.149
51.11.224.166
443
4 Global/US 52.167.16.74
52.179.169.140
443
India 13.71.58.233
40.81.253.93
443
Australia 20.193.31.161
20.53.69.143
443

Supported platforms and applications

You can back up data sources that meet the following requirements.

Applications

The following applications are supported.

Linux

  • Microsoft SQL Server 2017 Editions up to the latest Service Pack

Windows

  • Microsoft SQL Server 2017 Editions up to the latest Service Pack
  • Microsoft SQL Server 2016 Editions up to the latest Service Pack
  • Microsoft SQL Server 2014 Editions up to the latest Service Pack
  • Microsoft SQL Server 2012 Editions up to the latest Service Pack
  • Microsoft SQL Server 2008 R2 Editions up to the latest Service Pack
  • Microsoft SQL Server 2008 Editions up to the latest Service Pack
  • Microsoft SQL Server 2005 Editions up to the latest Service Pack

Endpoints

The following operating systems are supported for laptops and desktops.

Linux

  • Debian 9.x to Debian 10.x
  • Fedora release 29 with glibc 2.28.x to Fedora release 30 with glibc 2.29.x
  • Red Hat Enterprise Linux 7.x to Red Hat Enterprise Linux 8.x
  • Ubuntu 8.04 to Ubuntu 18.10

Macintosh

  • macOS Mojave (v10.14.x)
  • macOS High Sierra (v10.13.x)
  • macOS Sierra (v10.12.x)

Windows

  • Microsoft Windows 7 Editions to Microsoft Windows Client 10

File Servers

The following operating systems are supported.

Linux

  • Debian 9.x
  • Fedora release 29 with glibc 2.28.x
  • Red Hat Enterprise Linux/CentOS 7.x with glibc 2.17.x and Red Hat Enterprise Linux/CentOS 8.x with glibc 2.28.x
  • SuSE Linux (SLES) 11 to 15
  • Ubuntu 8.04 to Ubuntu 18.10

Windows

  • Microsoft Windows Server 2003 Editions to Microsoft Windows Server 2019 Editions: All editions except Nano Server

Hypervisors

The following hypervisors are supported.

VMware

  • Streaming backups using vCenter Server versions 4.1 – 6.7 Update 2

Hyper-V

  • Streaming backups using a Microsoft Windows Server or a Microsoft Hyper-V Server