Be sure to review this entire section before starting an N2WS installation (section ‎2.1) or an upgrade (section ‎2.2).

The primary differences between an installation and an upgrade are:·

• In an upgrade, you use an existing CPM data volume, rather than creating a new volume.

• In an upgrade, for each version you are upgrading from, there are specific steps to follow before performing the actual upgrade.

The N2WS management console is accessed via a web browser over HTTPS.

• When a new N2WS Server is launched, the server will automatically generate a new self-signed SSL certificate. This certificate will be used for the web application in the configuration step.-

• If no other SSL certificate is uploaded to the N2WS Server, the same certificate will be used also for the main N2WS application.

• Every N2WS Server will get its own certificate.

• Since the certificate is not signed by an external Certificate Authority, you will need to approve an exception in your browser to start using N2WS.

When configuring the N2WS server, define the following settings:

• AWS Credentials for the N2WS root user.

• Time zone for the server.

• Whether to create a new CPM data volume or attach an existing one from a previous N2WS server.

• Whether to create an additional N2WS server from an existing data volume during Force Recovery Mode.

• Proxy settings. Configure proxy settings in case the N2WS server needs to connect to the Internet via a proxy. These settings will also apply to the main application.

• The port the web server will listen on. The default is 443. See section 2.1.4.2.

• Whether to upload an SSL certificate and a private key for the N2WS server to use. If you provide a certificate, you will also need to provide a key, which must not be protected by a passphrase.

• Register the AWS account with N2W Software. This is mandatory only for free trials but is recommended for all users. It will allow N2WS to provide quicker and enhanced support. Registration information is not shared.

For the configuration process to work, as well as for normal N2WS operations, N2WS needs to have outbound connectivity to the Internet, for the HTTPS protocol. Assuming the N2WS server was launched in a VPC, it needs to have:

• A public IP, or

• An Elastic IP attached to it, or

• Connectivity via a NAT setup, Internet Gateway, or HTTP proxy.

If an access issue occurs, verify that the:

• Instance has Internet connectivity.

• DNS is configured properly.

• Security groups allow outbound connections for port 443 (HTTPS) or other (if you chose to use a different port).

Following are the configuration steps:

1. Approve the end-user license agreement.

2. Define the root username, email, and password.

3. Define the time zone of the N2WS Server and usage of data volumes.

4. Fill in the rest of the information needed to complete the configuration process.

2.1 Installing New N2WS Server

2.1.1 Instance ID

To initially be identified as the owner of this instance, you are required to type or paste the N2WS server instance ID. This is just a security precaution.

In the next step of the configuration process, you will also be required to approve the end-user license agreement.

2.1.2 License Agreement and Root User

The License field is presented. Select I’m starting a free trial for a free trial. Otherwise, select the appropriate license option in the list, such as Bring Your Own License (BYOL) Edition. Alternatively, if your organization purchased a license directly from N2W Software, additional instructions are shown.

The AWS root user (IAM User) is no longer allowed to control the operation of the N2WS server. A user with the Authentication credentials for N2WS Instance IAM Role is the only user allowed to install N2WS, log on to the system server, and operate it. As shown below, you need to define the root username, email, and password. This is the third step in the configuration process. The email may be used when defining Amazon Simple Notification Service (SNS) based alerts. Once created, choose to automatically add this email to the SNS topic recipients.

2.1.3 Defining Time Zone, Data Volume, Force Recovery Mode, Web Proxy

In the fourth step of the configuration process, you can:

• Set the time zone of the N2WS Server.

• If using a paid license, choose whether to create a new data volume or to use an existing one. Your AWS credentials will be used for the data volume setup process.

• Create an additional N2WS server in recovery mode only, by choosing an existing data volume and set Force Recovery Mode.

• Configure proxy settings for the N2WS server. See section 2.1.3.2.

As you will see in section 4.1.3, all scheduling of backup is performed according to the local time of the N2WS Server. You will see all time fields displayed by local time; however, all time fields are stored in the N2WS database in UTC. This means that if you wish to change the time zone later, all scheduling will still work as before.

As you can see below, the choice of new or existing data volume is made here. Actual configuration of the volume will be accomplished at the next step.

AWS credentials are required to create a new Elastic Block Storage (EBS) data volume if needed and to attach the volume to the N2WS Server instance.

• If you are using AWS Identity and Access Management (IAM) credentials that have limited permissions, these credentials need to have permissions to view EBS volumes in your account, to create new EBS volumes, and to attach volumes to instances. See section 16.3. These credentials are kept for file-level recovery later and are used only for these purposes.

• If you assigned an IAM Role to the N2WS Server instance, and this role includes the needed permissions, select Use Instance’s IAM Role, and then you will not be required to enter credentials.

2.1.3.1 New Data Volume

When creating a new data volume, the only thing you need to define is the capacity of the created volume. You also have the option to encrypt the volume, as described in section 2.1.4.1.

The volume is going to contain the database of N2WS’s data, plus any backup scripts or special configuration you choose to create for the backup of your servers. The backup itself is stored by AWS, so normally the data volume will not contain a large amount of data.

The default size of the data volume is 5 GiB.

• This is large enough to manage roughly 50 instances and about 3 times as many EBS volumes.

• If your environment is larger than 50 instances, increase the volume at about the ratio of 1 GiB per 10 backed-up instances.

The new volume will be automatically created in the same AZ as the N2WS instance It will be named N2WS Data Volume. During the configuration process, the volume will be created and attached to the instance. The N2WS database will be created on it.

2.1.3.2 Proxy Settings

2.1.4 Complete Remaining Fields in N2WS Configuration

In the fifth step, you will fill in the rest of the information needed for the configuration of the data volume for the N2WS Server.

If you chose to create a new volume, you can choose the volume capacity, type, and whether to encrypt.

2.1.4.1 Encrypting a New Data Volume

If you choose a new data volume, you have an option to encrypt CPM user data. You also have the option to encrypt a new data volume if using the silent configuration mode. See section 2.3.1 for AWS, section 2.3.2 for AWS with Secrets Manager, and section 2.3.3 for Azure.

Select Encrypted in the Encrypt Volume drop-down list and choose a key in the Encryption Key list. You have the option to use a custom ARN.

2.1.4.2 Web Server Settings

Port 443 is the default port for the HTTPS protocol, which is used by the N2WS manager. If you wish, you can configure a different port for the web server. But, keep in mind that the specified port will need to be open in the instance’s security groups for the management console to work, and for any Thin Backup Agents that will need to access it.

The final detail you can configure is an SSL certificate and private key.

• If you leave them empty, the main application will continue to use the self-signed certificate that was used so far.

• If you choose to upload a new certificate, you need to upload a private key as well. The key cannot be protected by a passphrase, or the application will not work.

2.1.4.3 Anonymous Reports Setting

Leaving the Anonymous Usage Reports value as Allow permits N2WS to send anonymous usage data to N2W Software. This data does not contain any identifying information:

• No AWS account numbers or credentials.

• No AWS objects or IDs like instances or volumes.

• No N2WS names of objects names, such as policy and schedule.

It contains only details like:

• How many policies run on an N2WS server

• How many instances per policy

• How many volumes

• What the scheduling is, etc.

2.1.5 Registering and Finalizing the Configuration

After filling in the details in the last step, you are prompted to register. This is mandatory for free trials and optional for paid products.

Select Configure System to finalize the configuration. The configuration will take between 30 seconds and 3 minutes for new volumes, and usually less for attaching existing volumes. After the configuration is complete, a ‘Configuration Successful – Starting Server …’ message appears. It will take a few seconds until you are redirected to the login screen of the N2WS application.

If you are not redirected, refresh the browser manually. If you are still not redirected, reboot the N2WS server via AWS Management Console, and it will come back up, configured, and running.

2.1.6 Configuration Troubleshooting

Most inputs you have in the configuration steps are validated when you select Next. You will get an informative message indicating what went wrong.

A less obvious problem you may encounter is if you reach the third step and get the existing volume select box with only one value in it: No Volumes found. This can arise:

• If you chose to use an existing volume and there are no available EBS volumes in the N2WS Server’s AZ, you will get this response. In this case, you probably did not have your existing data volume in the same AZ. To correct this:

  • Terminate and relaunch the N2WS server instance in the correct zone and start over the configuration process, or

  • Take a snapshot of the data volume, and create a volume from it in the zone the server is in.

• If there is a problem with the credentials you typed in, the “No Instances found” message may appear, even if you chose to create a new data volume. This usually happens if you are using invalid credentials, or if you mistyped them. To fix, go back and enter the credentials correctly.

In rare cases, you may encounter a more difficult error after you configured the server. In this case, you will usually get a clear message regarding the nature of the problem. This type of problem can occur for several reasons:

• If there is a connectivity problem between the instance and the Internet (low probability).

• If the AWS credentials you entered are correct, but lack the permissions to do what is needed, particularly if they were created using IAM.

• If you chose an incorrect port, e.g., the SSH port which is already in use.

• If you specified an invalid SSL certificate and/or private key file.

If the error occurred after completing the last configuration stage, N2WS recommends that you:

1. Terminate the N2WS server instance.

2. Delete the new data volume (if one was already created).

3. Try again with a fresh instance.

If the configuration still fails, the following message will display. If configuring a new instance does not solve the problem, contact the N2W Software Support Team. To access configuration error details, select Download Configuration Logs.

2.1.7 Using AWS Key Management Service

The AWS Key Management Service (KMS) allows you to securely share custom encryption keys between accounts. For details on enabling shared custom keys, see https://aws.amazon.com/blogs/security/share-custom-encryption-keys-more-securely-between-accounts-by-using-aws-key-management-service/.

The use of custom keys is required in the following cases:

• Authentication of cpmuser to N2WS server using a non-default certificate with a private key.

• Encrypting new volumes.

• Associating an account for File Level Recovery.

• Authentication of IAM User.

• Running scripts.

• Performing Recoveries, DR, and Cross-Account activities for RDS, EC2, and EFS resources.

2.1.8 Securing Default Certificates on N2WS Server

See Appendix G – Securing Default Certificates on N2WS Server.

2.2 Upgrading N2WS

The following diagram shows the major steps and considerations in an N2WS upgrade. The upgrade flow is the same as the installation flow with the addition of using an existing CPM data volume (section ‎2.2.2).

‌The upgrade process consists of the following phases:

1. Before starting the upgrade, refer to instructions specific to your current version in section ‎2.2.

2. Stop the current CPM instance.

3. Select the existing data volume from the snapshot to be used in the upgrade.

4. Configure the new version instance according to instructions in section ‎2.2.3.

5. Terminate the old version instance, and launch the new version as described in section ‎‎2.2.4.

6. After the upgrade, there are still a few steps to ensure a complete transition. See section ‎‎2.2.5.

If you have any questions or encounter issues, visit the N2WS Support Center where you will find helpful resources in a variety of formats or can open a Support Ticket.

2.2.1 Before Upgrading to the Latest N2WS Version

The following sections outline the steps required to upgrade to the latest N2WS Backup & Recovery version.

‌Permissions

Due to new functionality in v3.x, you may need to update your permission policies. If you have more than one AWS Account added to the N2WS console, you will have to update the IAM Policies for each account. See the JSON templates at https://support.n2ws.com/portal/kb/articles/what-are-the-required-minimal-aws-permissions-roles-for-cpm-operation

Collecting Information Before Starting Upgrade

Following is the important information you must have ready before starting:

1. Verify that there are no backups, DRs, or Cleanups running or scheduled to run within the next 15-30 minutes.

   If the only thing processing is an S3 archive, you are able to abort it if you want.

2. Have the username and password for the root/admin user ready.

3. If you are using a proxy in the N2WS settings, write down the details.

4. Take a screenshot of the N2WS EC2 instance network settings: IP, VPC, Subnet, Security Groups, and IAM Role and Keypair name.

5. Take a screenshot of the Tags if you have more than a few.

6. Terminate the N2WS EC2 instance.

   1. Terminating is only necessary BEFORE launching the new AMI if it is a Marketplace Subscription.

   2. If you are using BYOL, you can keep the old server until the new upgrade is complete and tested for an easy rollback if necessary.

7. Take a snapshot of the N2WS Data Volume. Only the Data Volume is important, as it contains all your settings, backup entries, etc.

8. Download the latest IAM permissions and update the IAM Policies from your role.

9. If you are using a custom SSL certificate, make sure you have the .CRT and .KEY files available in a place where you can easily add them during the configuration process.

2.2.2 Existing Data Volume

The Existing data volume option is used if:

• You have already run N2WS and terminated the old N2WS server, but now wish to continue where you stopped.

• You are upgrading to new N2WS releases.

• You are changing some of the configuration details.

• You want to configure an additional N2WS server in recovery mode only. See section 2.2.6.

The select box for choosing the volumes will show all available EBS volumes in the same AZ as the N2WS Server instance. When choosing the volumes, consider the following:

• It is important to create the instance in the AZ your volume was created in the first place.

• Another option is to create a snapshot from the original volume, and then create a volume from it in the AZ you require.

2.2.3 Configurating the New N2WS Server

‌To upgrade/redeploy the N2WS Server Instance:

1. About 1 minute after launching the new instance, it should in the running state. Connect to the user interface (UI) with a browser using https://[ip-of-your-new-instance].

2. Confirm the Instance ID of your newly launched instance.

3. Accept the Terms and Conditions.

4. Enter the username and password of the admin/root user.

5. Approve the exception to the SSL certificate.

6. Choose the time zone and select Use Existing Data Volume in step #4, “Data Volume and Proxy”.

7. Select your old data volume in the Existing CPM Data Volume list in step #5, “Server Configuration”.

8. Select Configure System in step #6, “Register Your Account”. N2WS will automatically resume operations. Wait until the login mask appears.

2.2.4 Terminating the Old Instance and Launching the New Instance

1. Terminate the existing CPM instance.

2. Launch a new N2WS Server instance in the same region and AZ as the old one. You can launch the instance using the Your Marketplace Software page on the AWS web site.

3. To determine the AZ of the new instance, launch the instance using the EC2 console rather than using the 1-click option.

4. Wait until the old CPM instance is in the terminated state.

5. Confirm Perform Failover prompt.

6. Wait 5 minutes for the ‘Operation Succeeded’ message.

7. Reboot.

2.2.5 Completing the Upgrade

2.2.6 Force Recovery Mode

You can configure an additional N2WS server, in recovery mode only, by choosing an existing data volume:

• In step 4, choose to use an existing volume and in the Force Recovery Mode, select Yes.

• In step 5, in the Existing CPM Data Volume list, select the volume that holds your backup records.

2.3 Automate Configuration with Silent Mode Installation

Configuring N2WS in silent mode is available using AWS user data, using AWS Secrets Manager, and for Azure.

2.3.1 AWS Configuration

Launching an EC2 instance in AWS can optionally be set with User Data. See the description of how such user data can be utilized at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html.

The N2WS instance can also use this user data when launching.

• If the string CPMCONFIG exists in the user data text, then the text following it is used for the CPM configuration.

• The extraction is until the string CPMCONFIGEND or the end of the data.

• The extracted text is assumed to be in .ini file format.

• The extracted configuration text of the new N2WS instance should start with a [SERVER] section, followed by the configuration details.

• For the relevant time_zone parameter value, see Appendix C.

Following is an example of the whole script:

[any-script-before-cpmconfig]
CPMCONFIG
[SERVER]
user=<username for the N2WS user>
password=<password>
volume_option=<new or existing>
volume_size=<in GB, used only for the new volume option>
volume_id=<Volume ID for the data volume, used only in the existing volume option>
volume_type=<set your storage performance and cost.
   The default is “gp3”. It can be set to “io1”, "io2", “gp2” or "gp3">
snapshot_id=<snapshot ID to create the data volume from, used only with the existing volume option, and only if volume_id is not present>
encryption_key=<encrypt user-data volume by setting the ARN of the 
   KMS key. used only for the new volume option>
time_zone=<set N2WS server’s local time.
   The default timezone is GMT. See Appendix C for available time zones.> 
allow_anonymous_reports=<send anonymous usage data to N2W Software. 
   The default is “False”>
force_recovery_mode=<allow additional N2WS server to perform recovery
   operations only. The default is “False”. If it set to “True” - it
   requires volume_option=existing>
activation_key=<Activation Key>
CPMCONFIGEND
[any-script-after-cpmconfig]

To use AWS Secrets Manager in Silent Mode for AWS, also see 2.3.2.

Additionally, if you need the N2WS server to connect to the Internet via an HTTP proxy, add a [PROXY] section:

[PROXY]
proxy_server=<address of the proxy server>
proxy_port=<proxy port>
proxy_user=<user to authenticate, if needed>
proxy_password=<password to authenticate, if needed>

The snapshot option does not exist in the UI. It can be used for the automation of a Disaster Recovery (DR) server recovery. Additionally, if you state a volume ID from another AZ, N2WS will attempt to create a snapshot of that volume and migrate it to the AZ of the new N2WS server. This option is for DR only.

After executing the configuration, on the AWS Instances page, select the Tags tab. If the CPM_Silent_Configuration key value equals ‘succeeded’, then the CPM instance was successfully launched with the user data configured in silent mode.

To verify configuration user data:

1. In AWS, select the CPM instance.

2. In the right-click menu, select Instance Settings, and then select View/Change User Data.

2.3.2 Silent Mode Using AWS Secrets Manager

You can keep Silent Configuration values, such as username and password, on AWS Secrets Manager. Secrets Manager can be used on any textual (not numeric or Boolean) field value in the configuration file. Secrets Manager is:

• Not available for proxy settings

• Available only for AWS.

The format is <silent config key>=@<Secret name>#<key in secret>@

CPMCONFIG
[SERVER]
user=@<secret_name>#<secret_name_user_key>@
password=@<secret_name>#<secret_name_pw_key>@
volume_option=existing
volume_id=@<secret_name>#<secret_name_vol_key>@
volume_type=gp2
time_zone=Europe/Berlin
CPMCONFIGEND

Different secrets may be used within a configuration file, such as a user's password from another secret.

user=@CPMCredentials#N2WS_User2@
password=@CPMAlternativeCredentials#N2WS_Password@

2.3.3 Configuring in Silent Mode for Azure

Silent configuration for Azure can only be executed programmatically using the Azure CLI, not through the Azure Portal.

• The Azure Portal has a limitation whereby a User Managed Identity is not associated with a Virtual Machine until after its creation.

• An existing Managed Identity with predefined permissions must be assigned to the Virtual Machine immediately upon its creation in order to perform various operations.

To deploy N2WS using the Azure CLI:

1. In the Azure Portal, accept the license terms for N2WS Backup & Recovery for Azure one time.

2. Select the Get Started link.

3. In the Configure Programmatic Deployment screen, Enable the Subscription for the image you are deploying.

4. Create a text file containing the following configuration parameters, including the Managed Identity Client ID, in the indented format shown:

 [SERVER]
  user=root
  password=rootroot
  disk_size=30
  disk_option=new
  time_zone = Asia/Jerusalem
  allow_anonymous_reports=True
  managed_identity_client_id=66d64e6d-e735-47e0-a3a5-f6b5fbbdbd26
  path: /etc/cpm/cpm_silent_config.cfg

5. Pass the file to the Azure CLI VM creation command as follows:

az vm create --resource-group my-resource-group --name my-n2ws-backup-and-recovery-vm --image n2wsoftwareinc1657117813969:n2ws_backup_and_recovery:byol_edition_and_free_trial:4.1.2 --ssh-key-name my-ssh-key --admin-username cpmuser --assign-identity /subscriptions/<my-subscription-id>/resourceGroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-n2ws-vm-identity --nsg my-n2ws-nsg --public-ip-sku <basic|standard> --custom-data cloud-init.txt

2.4 Patch Installation

To keep your N2WS running at its highest efficiency, N2WS will occasionally send you notification of the existence of a patch through an Announcement or an email. Download the patch according to the notification instructions.

To install patches:

2. Select Choose file to select the patch file.

3. Select Upload and Install.