The Nasuni Management Console provides extensive information that enables you to monitor the status of your data from a single application. In addition, you can use the Nasuni Management Console to configure volumes, SMB (CIFS) shares, NFS exports, and FTP/SFTP directories from a single application, regardless of which Nasuni Edge Appliance they reside on. This makes it simpler and faster for you to perform multiple, near-simultaneous configurations, while maintaining consistent settings.
There can be only one Nasuni Management Console for your account.
Using the Nasuni Management Console, you can manage Nasuni Edge Appliances even if they are not presently connected. Any configuration changes made will propagate to the Nasuni Edge Appliance when it becomes connected.
Note: Notifications and changes on Nasuni Edge Appliances can take up to 10 minutes to appear in the Nasuni Management Console.
Without the Nasuni Management Console, data management tasks require configuring volumes, SMB (CIFS) shares, NFS exports, and FTP/SFTP directories separately on each Nasuni Edge Appliance, which is time-consuming and can lead to inconsistent settings.
This chapter presents an overview of some of the tasks that you can perform with the Nasuni Management Console, along with links to further information.
Starting with the Nasuni Management Console
Installing the Nasuni Management Console
Installing and configuring the Nasuni Management Console on your virtual platform is a simple and straightforward process.
The Nasuni Management Console runs on your virtual platform. First, download and install the software on your virtual platform. See “Installing the Nasuni Management Console Software” on page 41.
Run the Install Wizard, entering the serial number and authorization code found under the Account section of www.nasuni.com. See “Installing the Nasuni Management Console” on page 39.
Important: Authorization codes (also called “Auth codes”) are intended for a single use, and are not permanent. Authorization codes change if the associated serial number is used successfully, if the authorization code is refreshed via the NMC (Account Status --> Serial Numbers, then click Refresh), and if the authorization code is regenerated via the NOC (visit https://account.nasuni.com/account/serial_numbers/, then click show, then click regen).
After you install and configure the Nasuni Management Console, you can place Nasuni Edge Appliances under the control of the Nasuni Management Console. See “Nasuni Edge Appliance and Nasuni Management Console” on page 23.
Creating new volumes
You use volumes to manage data. There are two types of volumes: local volumes that are “owned” by the local Nasuni Edge Appliance, and remote volumes that belong to other Nasuni Edge Appliances. If you do not already have a volume set up, you can create a new "owned" local volume.
Important: The Edge Appliance that “owns” a volume (which is the Edge Appliance that created the volume) is called the “owning Appliance” or the “volume owner”. The volume owner has certain special features with respect to its owned volume. In particular, the following functions are not available if the volume owning Appliance is offline:
Creating volume.
Global File Acceleration: enabling or disabling.
Global File Lock: enabling or disabling.
Health check for volume.
Protocol: changing or adding.
Remote Access: enabling and disabling settings.
Safe Delete: enabling or disabling.
Shared volume: connecting and disconnecting.
Snapshot Directory Access: enabling or disabling.
Snapshot Retention: enabling, disabling, or changing.
Volume Quota and Volume Quota Rules.
Cloud I/O.
Before creating a new "owned" local volume, ensure that you have the encryption keys you would like to use. Nasuni recommends creating and uploading your own OpenPGP-compatible encryption keys (“Adding (importing or uploading) encryption keys to Nasuni Edge Appliances” on page 334). All uploaded encryption keys must be at least 2048 bits long.
For security reasons, encryption keys that you upload cannot be downloaded from the system.
Warning: Do NOT save encryption key files to a volume on a Nasuni Edge Appliance. You will NOT be able to use these to recover data. This is NOT how to upload encryption keys to a Nasuni Edge Appliance.
Otherwise, you can specify generating a new encryption key when you create the new volume. Nasuni also recommends safeguarding your encryption keys yourself. You can download generated keys for safeguarding (using the Nasuni Edge Appliance user interface). Alternatively, you can escrow encryption keys with Nasuni (“Escrowing Encryption Keys with Nasuni” on page 337).
Note: If you use the Nasuni Management Console to create a volume on a Nasuni Edge Appliance, and specify generating a new encryption key for that volume, that new encryption key is generated on the Nasuni Edge Appliance, not on the Nasuni Management Console. The only way to download a Nasuni Edge Appliance encryption key is by using the Nasuni Edge Appliance user interface.
Important: The time to generate an encryption key can vary widely, depending on the hardware (real or virtual) that the Nasuni Edge Appliance is executing on. Encryption keys are generated in the background, so as to not block use of the Nasuni Edge Appliance during generation.
To create a new "owned" local volume on a Nasuni Edge Appliance, see “Create Volume” on page 110.
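The 2048-bit minimum for uploaded keys stated above can be checked before upload. The following Python sketch is an added example, not Nasuni code: it reads the key listing that GnuPG prints with `--with-colons`. The sample listings and key IDs are constructed, and the encryption-capability check is an assumption made for illustration.

```python
"""Added example: check OpenPGP key sizes in a GnuPG colon listing before upload."""
import subprocess
import sys
from dataclasses import dataclass

MIN_BITS = 2048  # minimum length this page states for uploaded keys

# Record types that describe a key (public/secret primary keys and subkeys).
KEY_RECORDS = {"pub", "sec", "sub", "ssb"}
# OpenPGP public-key algorithm IDs as printed in field 4 of the listing.
ALGO_NAMES = {"1": "RSA", "16": "Elgamal", "17": "DSA",
              "18": "ECDH", "19": "ECDSA", "22": "EdDSA"}

# Constructed sample listings (not real keys): field 3 is the key length in
# bits, field 4 the algorithm, field 5 the key ID, field 12 the capabilities.
SAMPLE_OK = """
sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:
uid:u::::1700000000::0000::Volume Key (constructed) <keys@example.invalid>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e:
"""
SAMPLE_WEAK = """
sec:u:2048:1:CCCCCCCCCCCCCCCC:1700000000:::u:::scESC:
ssb:u:1024:1:DDDDDDDDDDDDDDDD:1700000000::::::e:
"""


@dataclass(frozen=True)
class KeyInfo:
    record: str        # pub, sec, sub or ssb
    key_id: str
    algo: str
    bits: int
    capabilities: str  # lower-case letters are this key's own capabilities

    @property
    def meets_minimum(self) -> bool:
        return self.bits >= MIN_BITS


def parse_colon_listing(text: str) -> list[KeyInfo]:
    """Extract every primary key and subkey record from a colon listing."""
    keys = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if fields[0] not in KEY_RECORDS or len(fields) < 12:
            continue
        try:
            bits = int(fields[2])
        except ValueError:
            bits = 0  # an unreadable length is treated as failing the check
        algo = ALGO_NAMES.get(fields[3], f"algorithm {fields[3]}")
        keys.append(KeyInfo(fields[0], fields[4], algo, bits, fields[11]))
    return keys


def check(text: str) -> list[str]:
    """Return a list of problems; an empty list means the listing passes."""
    keys = parse_colon_listing(text)
    if not keys:
        return ["no key records found"]
    problems = [
        f"{k.record} {k.key_id}: {k.algo} {k.bits} bits is below {MIN_BITS}"
        for k in keys if not k.meets_minimum
    ]
    # Assumption for this example: a key intended for data encryption should
    # contain at least one key or subkey with the "e" (encrypt) capability.
    if not any("e" in k.capabilities for k in keys):
        problems.append("no key or subkey with encryption capability")
    return problems


def list_key_file(path: str) -> str:
    """Ask GnuPG (2.2 or later assumed) to list a key file without importing it."""
    result = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--show-keys", path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # With a path argument, inspect that key file; otherwise use the weak sample.
    listing = list_key_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK
    issues = check(listing)
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

The check applies the minimum to subkeys as well as the primary key, so a 2048-bit primary key with a shorter encryption subkey is reported.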
You can create SMB (CIFS) shares (“Creating shares” on page 182), NFS exports (“Creating exports” on page 156), and FTP/SFTP directories (“Creating FTP directories” on page 169) for users to access. You can check and edit the settings for SMB (CIFS) shares (“Editing shares” on page 201), NFS exports (“Editing exports” on page 161), and FTP/SFTP directories (“Editing FTP directories” on page 176).
Managing the Nasuni Management Console
You have many options for configuring the Nasuni Management Console.
You can configure the Nasuni Management Console to automatically download and install software updates. To prevent automatic software updates from occurring at inconvenient times, you can specify the days and times for automatic software updates to occur, or prevent automatic software updates entirely. See “Automatic Software Updates for NMC” on page 433.
Alternatively, you can manually update the Nasuni Management Console software. See “Software Update for NMC” on page 529.
You can view the status and expiration date of your subscription. See “Viewing account status” on page 417. You can also refresh your subscription license. See “Refreshing license” on page 418.
The Notifications page lets you view and acknowledge Nasuni Management Console notifications. See “Notifications” on page 564.
You can configure email alerts, which are sent to your email account from the Nasuni Management Console. You can select various types of alerts to receive. See “Email Settings” on page 436.
You can perform the disaster recovery procedure for a genuine emergency, or when moving the Nasuni Management Console to another location. See “Recovery” on page 569.
Managing data
Providing data access to users
You can define which users can access which data.
You can define an SMB (CIFS) share, an NFS export, or an FTP/SFTP directory for each directory tree (the directory itself and any files and directories it contains) in a volume. You can create many shares, exports, or FTP/SFTP directories on a volume. See “Creating shares” on page 182, “Creating exports” on page 156, and “Creating FTP directories” on page 169. You can check and edit the settings for SMB (CIFS) shares (“Editing shares” on page 201), NFS exports (“Editing exports” on page 161), and FTP/SFTP directories (“Editing FTP directories” on page 176).
For each share, export, or FTP/SFTP directory, you can define which volume and which directory tree within the volume to share or export. You can specify Read-Only access. You can limit which hosts can access the share, export, or directory.
For SMB (CIFS) shares, you can use Windows Explorer to define user and group access to folders.
You can map network drives to SMB (CIFS) shares in Windows, and mount SMB (CIFS) shares or NFS exports in Linux or UNIX. See the “Managing Data” chapter in the Nasuni Edge Appliance Administration Guide.
You can access FTP/SFTP directories using the FTP/SFTP protocol.
Tip: By default, dot files are not displayed. If you want dot files to be displayed, contact Nasuni Support.
You can establish Web Access to SMB (CIFS) shares. This enables users to access data using any supported Web browser. See “Editing shares” on page 201.
Note: Web Access is not available with LDAP Directory Services security.
Restoring, and bringing data into cache
You can select specific volumes, folders, and files. You can then restore or bring the selected data into the local cache of the Nasuni Edge Appliance.
You can browse to volumes, folders, and files (“Browsing a Volume” on page 125).
You can also search for data by folder or file name and date (“Searching for a Folder or File by Name and Date” on page 131).
You can bring folders and files into the local cache of a Nasuni Edge Appliance (“Bringing Data into Cache of the Nasuni Edge Appliance” on page 136). To view unprotected files in the cache, see “Unprotected Files” on page 153.
You can restore folders and files (“Restoring Files or a Folder from a Snapshot” on page 150).
Setting quotas on folders and volumes
You can set quotas on the size of folders and volumes (“Setting Quota or Rule” on page 148).
Sharing data between Nasuni Edge Appliances
You share data between Nasuni Edge Appliances by using volumes. There are two types of volumes: local volumes that are “owned” by the local Nasuni Edge Appliance, and remote volumes that belong to other Nasuni Edge Appliances. If you do not already have a volume set up on the source Nasuni Edge Appliance, you can create a new "owned" local volume (“Create Volume” on page 110).
Tip: Before adding data to a Nasuni Edge Appliance, it is a Best Practice to clean up historical and orphaned SIDs. This can help prevent later difficulties with permissions. For more details, see Permissions Best Practices.
Caution: If a file or directory is renamed (and its data and permissions remain unchanged) on two different Edge Appliances that share the item’s volume, and both renames occur before the snapshots on the two Edge Appliances, then only one of the renames is effective, namely, the one with the latest snapshot.
This is not considered a merge conflict.
Before creating a new "owned" local volume, ensure that you have the encryption keys you would like to use. Nasuni recommends creating and uploading your own OpenPGP-compatible encryption keys (“Adding (importing or uploading) encryption keys to Nasuni Edge Appliances” on page 334). Otherwise, you can specify generating a new encryption key when you create the new volume. Nasuni also recommends safeguarding your encryption keys yourself. You can download generated keys for safeguarding (using the Nasuni Edge Appliance user interface). Alternatively, you can escrow encryption keys with Nasuni (“Escrowing Encryption Keys with Nasuni” on page 337).
Note: If you use the Nasuni Management Console to create a volume on a Nasuni Edge Appliance, and specify generating a new encryption key for that volume, that new encryption key is generated on the Nasuni Edge Appliance, not on the Nasuni Management Console. The only way to download a Nasuni Edge Appliance encryption key is by using the Nasuni Edge Appliance user interface.
Important: The time to generate an encryption key can vary widely, depending on the hardware (real or virtual) that the Nasuni Edge Appliance is executing on. Encryption keys are generated in the background, so as to not block use of the Nasuni Edge Appliance during generation.
To create a new "owned" local volume on the Nasuni Edge Appliance, see “Create Volume” on page 110.
Volumes are not shared by default. First, you need to enable Remote Access for the volume that is sharing data. You can specify Read/Write or Read-Only access for the Nasuni Edge Appliances that are receiving data. See “Setting or editing remote access settings” on page 237.
After the volume that is sharing data has Remote Access enabled, you connect the Nasuni Edge Appliances that are receiving data to the volume that is sharing data. See “Connect to (and Disconnect from) a Remote Volume” on page 120.
End users access the data through SMB (CIFS) shares, NFS exports, or FTP/SFTP directories of the destination volume. You define SMB (CIFS) shares (“Creating shares” on page 182), NFS exports (“Creating exports” on page 156), or FTP/SFTP directories (“Creating FTP directories” on page 169) on the destination volume for users to access. If you created an SMB (CIFS) share, NFS export, or FTP/SFTP directory automatically when you created a new volume, you can check and edit the settings for SMB (CIFS) shares (“Editing shares” on page 201), NFS exports (“Editing exports” on page 161), or FTP/SFTP directories (“Editing FTP directories” on page 176).
Adding data to volumes
There are several ways to add data to volumes.
Tip: Before adding data to a Nasuni Edge Appliance, it is a Best Practice to clean up historical and orphaned SIDs. This can help prevent later difficulties with permissions. For more details, see Permissions Best Practices.
Tip: PST files: Microsoft Outlook Personal Storage (.pst) files are used to store information for Microsoft Outlook email systems. These files contain a large quantity of different types of information, and can grow very large: multi-GB .pst files are common.
Nasuni recommends that customers NOT store active Outlook .pst files with the Nasuni Edge Appliance, for a number of reasons:
Whenever a new email arrives, the entire .pst file is marked as unprotected, and the entire very large file must then be uploaded to the cloud again with the next snapshot. This can interfere with the handling of other files, and with data propagation.
The multiple versions of .pst files can increase the cloud usage of such files for a volume.
Microsoft also recommends NOT storing .pst files on networks: https://docs.microsoft.com/en-US/outlook/troubleshoot/data-files/limits-using-pst-files-over-lan-wan
To help ensure that .pst files are not stored with the Nasuni Edge Appliance, Nasuni recommends that customers enable the File Alert Service and include patterns such as *.pst.
You can access FTP/SFTP directories using the FTP/SFTP protocol.
You can access SMB (CIFS) shares from Windows, OS X, and Linux. You can mount NFS exports in Linux or OS X. This enables users to add data to volumes using the file management capabilities of Windows, Linux, and OS X operating systems.
You can share data from other Nasuni Edge Appliances as described in “Sharing data between Nasuni Edge Appliances” on page 31.
You can define Web Access to SMB (CIFS) shares. This enables users to add data to volumes using any supported Web browser. See “Editing shares” on page 201.
Note: Web Access is not available with LDAP Directory Services security.
Protecting data
A snapshot is a complete picture of your volume at a specific point in time. Snapshots offer data protection by enabling you to recover past versions of a file or to restore an entire file system. You can select when and how frequently to perform snapshots. For example, you can configure snapshots to occur only at night when network usage is low.
You can schedule snapshots for whenever suits your system best. See “Editing Snapshot Schedules” on page 255.
You can also take snapshots manually at any time. See “Take Snapshot” on page 108.
For compliance purposes or your own best practices, you can have older snapshots deleted from cloud object storage, based on a configured snapshot retention policy for a specific volume. See “Setting or editing snapshot retention settings” on page 249.
Note: With each Nasuni snapshot, configuration information is included, in case it is necessary to recover the Edge Appliance. The configuration information includes volume name, volume GUID, share type, software version, last pushed version, retention type, and permissions policy. The configuration bundle is encrypted in the same way that all the customer data is encrypted.
If you receive an alert that such backup configurations have failed, this might be due to intermittent network issues, or possibly due to DNS issues. If you see notifications that the Edge Appliance has successfully completed a snapshot after the backup alert, then you can safely ignore the alert.
Managing volumes
The Nasuni Management Console offers many options for managing volumes. See “Volumes Page” on page 80.
Volumes should have names that describe what data they contain and that users recognize. You can change the name of a volume. See “Changing volume name” on page 214.
You can monitor file statistics. See “Data Growth chart” on page 74.
For SMB (CIFS) and NFS volumes and FTP/SFTP directories, the volume quota (maximum capacity) enables you to limit the amount of storage space for a volume, including snapshots, which helps you to control your storage costs. You can change the volume quota. See “Quota” on page 226.
You can delete volumes that are no longer needed. See “Deleting a local volume” on page 100.
Security
Tip: In the Nasuni model, customers provide their own cloud accounts for the storage of their data. Customers should leverage their cloud provider's role-based access and identity access management features as part of their overall security strategy. Such features can be used to limit or prohibit administrative access to the cloud account, based on customer policies.
Handling encryption keys
Encryption keys are used to encrypt your data in cloud object storage. You can use the Nasuni Management Console to manage encryption keys in several ways.
You can view encryption keys and their settings by volume (“Viewing encryption keys” on page 209), by Nasuni Edge Appliance (“Viewing encryption keys on Nasuni Edge Appliances” on page 333), and on the Nasuni Management Console (“Viewing encryption keys on the Nasuni Management Console” on page 469).
Nasuni recommends creating and uploading your own OpenPGP-compatible encryption keys. You can upload encryption keys to the Nasuni Management Console. For security reasons, encryption keys that you upload cannot be downloaded from the system. See “Uploading (importing or adding) encryption keys to the NMC” on page 471.
You can also upload encryption keys to specific Nasuni Edge Appliances. For security reasons, encryption keys that you upload cannot be downloaded from the system. See “Adding (importing or uploading) encryption keys to Nasuni Edge Appliances” on page 334.
Note: If an uploaded encryption key has an associated passphrase, that passphrase is removed from the encryption key when it is uploaded. The Edge Appliance does not need the passphrase in order to use the encryption key. However, if you do not escrow this encryption key, if you ever perform a recovery procedure on the Edge Appliance, you must provide that passphrase when you upload that encryption key during the recovery procedure.
Tip: You can also upload encryption keys using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.
Alternatively, you can specify generating a new encryption key when you create a new volume.
You can use specific uploaded encryption keys with specific volumes. As a first step, you can send encryption keys that you uploaded on the NMC to the Nasuni Edge Appliances where those volumes reside. See “Sending encryption keys to Nasuni Edge Appliances” on page 336.
The next step is to add specific encryption keys to specific volumes. See “Adding encryption keys to a volume” on page 210.
The next step is to enable (or disable) specific encryption keys for specific volumes. See “Enabling encryption keys for a volume” on page 211 or “Disabling encryption keys for a volume” on page 212.
Nasuni recommends safeguarding your encryption keys yourself. You can download generated keys for safeguarding (using the Nasuni Edge Appliance user interface). See “Downloading the NMC’s generated encryption key” on page 473.
Note: You cannot download any Nasuni Edge Appliance encryption key from a Nasuni Management Console, because the Nasuni Edge Appliance never transmits any encryption keys to a Nasuni Management Console. The Nasuni Management Console is never in possession of any encryption key generated by a Nasuni Edge Appliance. In particular, if you use the Nasuni Management Console to create a volume on a Nasuni Edge Appliance, and specify generating a new encryption key for that volume, that new encryption key is generated on the Nasuni Edge Appliance, not on the Nasuni Management Console. The only way to download a Nasuni Edge Appliance encryption key is by using the Nasuni Edge Appliance user interface.
Warning: Do NOT save encryption key files to a volume on a Nasuni Edge Appliance. You will NOT be able to use these to recover data. This is NOT how to upload encryption keys to a Nasuni Edge Appliance.
Alternatively, you can escrow uploaded encryption keys with Nasuni. See “Escrowing encryption keys with Nasuni” on page 474.
Note: All automatically-generated encryption keys are automatically escrowed with Nasuni.
You can delete encryption keys that are not necessary for disaster recovery purposes. See “Deleting Encryption Keys” on page 475.
Role-based access control
Rather than managing the permissions for performing tasks individually for each person, it is simpler to create groups that have specific combinations of permissions, then assign users to the appropriate groups. You can define users and groups of users, then assign specific permissions to each group. You can define up to 500 users and 500 groups.
To control who can manage the Nasuni Management Console, you can assign users to either the NMC Administrators group or to a new group that you create with the “Manage all aspects of NMC (super user)” permission. See “Console Users and Groups” on page 504.
To control who can perform actions on the Nasuni Management Console, you can define users and groups of users, then assign specific permissions. See “Console Users and Groups” on page 504.
To control who can access specific Nasuni Edge Appliances, you can assign users to a new group that you create for those Nasuni Edge Appliances. See “Console Users and Groups” on page 504.
To control who can access SMB (CIFS) shares that have Active Directory or LDAP Directory Services security, you can define users and groups of users, then assign specific permissions. See “Editing shares” on page 201.
SSL certificates
The user interface of the Nasuni Management Console and the user interface of Nasuni Edge Appliances are Web-based. In order to secure these Web sites, SSL certificates or self-signed certificates are used.
You can view or add SSL certificates or a self-signed certificate that you can use when accessing the Nasuni Management Console user interface. See “SSL Certificates” on page 480.
You can view the SSL certificates or self-signed certificate that you use when accessing Nasuni Edge Appliances. See “SSL Certificates” on page 415.
Antivirus Service
Nasuni offers the option of protecting data with antivirus scanning, and review of files flagged for violations. Nasuni Edge Appliance Antivirus Protection uses the Clam AntiVirus (ClamAV®) open-source antivirus engine and updates the antivirus definition files multiple times daily. Synchronization with the ClamAV virus database occurs within four hours of an update to that database. If you encounter a false positive, you can report the false positive on Clam AntiVirus’s Report False Positive page.
You can enable or disable Antivirus Service. See “Antivirus Services Page” on page 558.
You can review antivirus violations. See “Antivirus Violations Page” on page 561.
Ransomware Detection
Nasuni offers protection against ransomware by identifying known ransomware patterns, and notifying administrators of their presence. Nasuni can also automatically disconnect from apparent sources of ransomware attacks, and then restore files affected by ransomware attacks.
You can enable or disable Ransomware Detection. See “Ransomware: Detection & Mitigation Page” on page 537.
Firewall protection
You can limit which network hosts connect to the Nasuni Management Console user interface and the Nasuni Support SSH port, which provides firewall protection. See “Firewall” on page 522.
Changing performance
There are a number of settings that can affect the performance of the system.
Quality of Service (QoS) settings specify the outbound bandwidth for moving snapshots from the Nasuni Edge Appliance to cloud object storage.
Tip: Nasuni recommends setting the Quality of Service to the limit of the total bandwidth, or slightly higher (so that bandwidth is not being limited). If the Quality of Service is too low, it can cause delays in propagation and snapshots.
Nasuni does not recommend setting the Quality of Service to Unlimited, because a setting of Unlimited disables traffic shaping, which prioritizes and allocates bandwidth to different types of traffic (such as user activity, snapshots, and merges), so that no traffic is denied bandwidth.
Snapshots are slower during periods of lower bandwidth. Local user read/write operations are not affected. Limiting the bandwidth of outbound data between specific hours can help decrease network congestion. See “Quality of Service (Bandwidth) Settings” on page 346.
On virtual platforms, you can change resources such as the number of processors applied to the virtual machine as well as the contention for resources. See the installation guide for your virtual machine platform: Installing on Google Cloud, Installing on Hyper-V, Installing on Nutanix, Installing on Scale HyperCore, Installing on VMware, Installing on Microsoft Azure, or Installing on Amazon EC2.
The cache is the local storage of the Nasuni Edge Appliance. All data and metadata that are accessed regularly are kept locally in the cache. By default, the amount of local cache space reserved for new writes is managed automatically, using an advanced algorithm to optimize cache usage. However, you can override the amount of local cache space reserved for new writes in order to suit your company’s workload. Reserving a large portion of the cache for new writes allows snapshots to complete more rapidly, but reduces the amount of data that is kept locally. Reserving a small portion of the cache for new writes allows keeping more data locally, but increases the time for completing snapshots. See “Cache Settings” on page 316. To view unprotected files in the cache, see “Unprotected Files” on page 153.
On virtual platforms, you can also increase the size of the cache. See the installation guide for your virtual machine platform: Installing on Google Cloud, Installing on Hyper-V, Installing on Nutanix, Installing on Scale HyperCore, Installing on VMware, Installing on Microsoft Azure, or Installing on Amazon EC2.
Frequent snapshots increase the system load significantly. You can change when and how frequently snapshots occur. See “Editing Snapshot Schedules” on page 255.
Pinning a folder means retaining a folder in the local cache at all times. This can improve performance and reduce the time necessary to return accessed data to clients. See “Pinned Folders” on page 215. To view unprotected files in the cache, see “Unprotected Files” on page 153.
Important: The NMC API can be used to pin metadata in the cache, or to enable Auto Cache for metadata.
Pinning metadata in the cache and enabling Auto Cache for metadata can affect the amount of data in the cache, and the display of data in the cache. Also, bringing all metadata into the cache adds time to the sync process and might affect user performance. With no users on a dedicated appliance (for example, to change permissions or perform searches), the effect on sync times due to syncing the entire metadata tree would not affect any user-related snapshot or sync changes.
The NMC API can also be used to verify that these features have been configured for a directory.
Because metadata-only pinning and Auto Cache pinning are currently possible only with the NMC API, directories with such pinning enabled are not displayed in the File Browser of the NMC and the Edge Appliance, nor on the NMC Pinned Folders and NMC Auto Cached Folders pages.
Actions only available on the Nasuni Edge Appliance
There are certain actions that cannot be performed from within the Nasuni Management Console. You must perform these actions using the specific Nasuni Edge Appliance’s user interface.
Affected item | On Nasuni Edge Appliance Action: Menu |
---|---|
Place Edge Appliance in NMC control | Enable: Services → Nasuni Management Console |
Active Directory domain | Join, Leave, Edit, View: Configuration → Directory Services |
LDAP Directory Services domain | Join, Leave, Edit, View: Configuration → Directory Services |
Administrative Users | Set Administrative Users, Allocation Roundup Size, Support for POSIX clients, Protocol Level: Configuration → General Settings |
Network | Edit: Configuration → Network Configuration; Charts, Status: Status → Network Status |
Firewall | Edit: Configuration → Firewall |
SSL certificates | Add, Delete, Set: Configuration → SSL Certificates |
HTTPS proxy | Edit: Configuration → HTTPS Proxy |