Connected Small Business Deployment Guide

Introduction

This guide is for those customers of Connected Small-Business Service who have received an email containing download, registration and support information. This instructional guide outlines the options available to you – and provides instructions for – deploying the DataProtector Agent on each machine that will be using the Service. If you have not subscribed to the Connected Small Business Service, please do so before continuing with the instructions below.

What You Received

The following items will be electronically forwarded to you from Connected fulfillment upon successful validation of your company’s credit card. Please refer to the FAQ section of Connected’s web site if you have questions on the following:

  • Community Registration Codes, password and technician ID
  • Welcome letter email containing:
    • Technician Login and password
    • Web address for Connected Help
    • How to get technical support (free web help and email) information
    • Portal account number – for billing reference
    • Location of FAQs
    • Support Center Information

The Setup executable you will download is a self-executing program that will install the DataProtector Agent on a user’s machine and walk the user through the process of installation and their first backup*.
 

*Note: Not intended for servers or multimedia. The ability to deselect files is enabled with this service plan. Improper use of this function could result in users deselecting files required for Heal.

Deployment Options

The DataProtector Agent can be deployed to your user (individual accounts) in any of the following ways:

  • Email – (Connected’s recommended method) The Setup/DataProtector Agent is light enough to be attached to an email and broadcast throughout your company. Average size of the Agent is 3MB. The Setup should be copied/saved from the email to the local PC and executed locally. For companies with strict email security, we recommend using WinZip to zip up and forward the executable.
  • CD – Save the Setup/Agent to CD. The CD can be used for on-the-spot deployments to PCs. Simply copy the Setup from the CD to the target PC and run the setup locally.
  • Shared Drive – Save the Setup/Agent to a shared drive to which your company members have access. The Setup should be copied to the local PC and executed from the user’s PC.

DataProtector Agent Installation Instructions

The follow instructions should be followed closely by those who wish to install the Connected DataProtector Agent successfully.

1. Double click to open the Setup.
2. Click “Install.”
“Registering Agent” will appear.
3. Choose “Run.”
4. View the ReadMe file
5. Follow the default settings:

  • Choose “Registering New Account.”
  • Note your registration number and your registration password (you may print screen).
  • Fill in your name and corporate information.
  • *IMPORTANT* – Enter a data Encryption key, as this is your password to unlocking your data. It is critical not to lose/forget your encryption keys.
  • Choose the appropriate firewall protection – Connected operates on port 16384. This port must be open to communicate with the Data Center. (Please refer to the section on firewalls).
    • The software will test the connection to make sure that the Agent can contact the Data Center Server.
    • See “Overview” section below for firewall details***.
  • Click “Finish” - Connected will register the account on the Data Center Server.
  • Print out Account Information.
  • For maximum backup efficiency, leave the backup “Scheduler” default setting as is.
  • Click “Next.”
  • The Agent defaults to backing up your entire disk. This process time varies depending on your connection to the Internet.

You are now ready to complete your initial backup. It is not unusual for an initial backup to take several hours. We recommend you initiate this backup in the evening to run overnight. Each backup thereafter will generally take a few minutes.

  • The Agent will initiate. Click “Backup Now” at the bottom of the window.

Configuring the Connected Service with an Internet Firewall

Overview
A Connected DataProtector Agent communicates with the Connected Secure Operations Center using the standard TCP/IP protocol.

Connections are initiated from the backup clients inside the firewall. Connections are NEVER initiated from the outside.

The program can work with all types of firewalls, including packet-filtering, circuit-filtering, SOCKS-compliant Proxy or Mapped Proxy firewalls. For most firewalls, some configuration of the firewall by the firewall administrator is needed. If your network requires explicit connection to the firewall to initiate outgoing connections, the backup software must be configured for your firewall

The requirements for running Connected Small-Business Service are consistent with security best-practices. They do not create an opening for incoming connections, and outgoing connections can be limited to specific ports at specific known IP addresses. As an added security measure, all data is 128-bit or DES-encrypted before leaving the PC; it remains encrypted though transmission, and is stored encrypted at the Connected Secure Data Centers.

The following additional information is useful to a firewall administrator for configuring a firewall to permit outgoing connections to the Backup servers.

Protocols
TCP/IP is used. There is no use of UDP or ICMP.

Server Subnets
Each user's DataProtector Agent software connects to a primary and an alternate server in order to provide high availability. Currently, all servers reside in the subnet 12.159.133.0-63 (also expressed as 12.159.133.0/26) and in the subnet 66.151.228.0-255 (also expressed as 66.151.228.0/24). The DataProtector software must have access to both of these subnets. Should these addresses change in the future, notice will be given to allow firewall changes and the DataProtector software can be automatically updated with the new addresses.

Port Numbers
All Connected servers listen for client requests on a well-known port number: 16384. An Agent always establishes a TCP/IP session with port 16384 on the server.

DNS
The Connected DataProtector Agent connects to a server using the server's IP address, not its name. Therefore, name resolution and access to a name server are not required.

Registration vs. Subsequent Connections
The Connected DataProtector Agent is configured to connect to one of a pair of registration server addresses (primary and alternate) when it is used for the first time. The registration process assigns a server address pair (primary and alternate) for all subsequent uses.

SOCKS-Compliant Proxy Servers
The Connected DataProtector Agent software can be configured to connect out through a SOCKS proxy server. The IP address (or the DNS) of the proxy server and the port number on which it listens for connections must be known in order to configure the backup software. SOCKS is designed to allow outgoing connections and responses back to those connections, but to prevent other incoming packets. This is consistent with Connected Service. If your SOCKS proxy server has been set up with additional restrictions on outgoing connections, it is necessary to include Connected subnets in the permitted destinations.

When prompted by the Agent setup program to select a Firewall option, select the, "Use SOCKS proxy firewall" radio button and enter your proxy server information. (Note: The default setting for SOCKS TCP Port is 1080.)

Other Proxy Firewalls
In order for the Connected Agent software to be used with an application-based proxy firewall server, the firewall must be set to permit outbound TCP connections for a generic application. Mapped firewalls require a separate port on the firewall for each different destination address.

The IP addresses that must be mapped will appear when you attempt to run the client software, or can be seen by selecting Options/Connection.../Firewall in the client software. The destination port number is always 16384. The firewall administrator may choose any available port numbers on the firewall. Finally, the Agent must be configured with the IP address or the DNS of the firewall and the firewall port numbers that were chosen.

When prompted by the DataProtector Agent to select a Firewall option, select the, "Use proxy firewall server(s)" radio button. Then enter the firewall mapping that was configured on your firewall: Enter the IP Address or DNS of your firewall into the "Firewall IP address" field for both Secure Data Centers. Enter the port numbers chosen by the firewall administrator.

Packet filtering firewalls
The following is a summary of 'rules' that must be applied to the firewall software or hardware in order to enable Connected's client-server protocol. (All the rules are described from the 'firewall's point of view.')

1. Permit TCP/IP outbound to port 16384 to subnets 12.159.133.0-63 (12.159.133.0/26) and 66.151.228.0-255 (66.151.228.0/24).

2. If your firewall requires you to explicitly permit the response packets to come back, do so by permitting TCP/IP inbound to ports 1024-5000 from the subnets listed above, for an already-established connection. It is NOT necessary to permit a connection originating from outside the firewall.

3. We do not utilize UDP or ICMP.

IMPORTANT: If your question is not answered in the FAQs, please complete a Support Request.
If you have questions about our services or solutions call us at 800-899-IRON.
Copyright © Iron Mountain 2001 - 2008. All rights reserved.