Chapter 4: Configuration
To configure BlockyforVeeam®, run the program Blocky GUI.exe by clicking on its desktop icon.
Administrative rights are required to run the Blocky GUI. You must be logged in as Administrator or use the context menu option "Run as administrator" (right-click the BlockyforVeeam® icon) to run the program. In the case of missing privileges, see Chapter Diagnostics for details.
To protect the software against unauthorized configuration changes, a password has to be supplied for the GUI to launch. When starting the GUI for the first time, you need to set this password. Please note that single quote (') and double quote (") characters are not allowed. This local GUI password also represents the password for the local core components.
The password can be changed via the menu item "Configuration >> Change password".
To set the new password, both the old and new ones must be given and confirmed. The change will be completed after clicking "OK."
Access control can be enabled on a volume or on folders on the 1st directory level of a volume. Volumes are shown with their assigned drive letter. Volumes mounted in folders of a parent volume are shown as separate entries in the volume tree.
On access controlled volumes and folders, only whitelisted applications have unrestricted file access. Untrusted programs may only read file objects; all other file operations are denied.
To enable access control, right-click on the root or 1st level folder of the volume in the left pane and select “Switch On Access Control”.
To turn off access control, right-click on the controlled folder and choose "Switch Off Access Control."
AccessControl for a folder-mounted volume and AccessControl for its parent volume are mutually exclusive. Once AccessControl is turned on for a folder-mounted volume, you can't turn it on for any folder on the parent volume, and the same is true for folders on the parent volume.
It is not recommended to assign both a drive letter and a folder-mount to a volume. While the volume is mounted in a folder, enabling AccessControl via drive letter may result in unsupported configurations and unexpected behavior.
There are several options to whitelist trusted applications.
Caution:
When Automatic Whitelisting is used, ALL program requests are granted and added to the Whitelist. This is potentially hazardous because it does not protect against viruses, worms, ransomware, or human error. This feature should only be temporarily used to configure systems rated as "clean" and "secure."
The Automatic Whitelisting feature can be accessed by selecting the menu item “Whitelisting >> Automatic Whitelisting”. At the Automatic Whitelisting Time Limit dialog, use the drop-down list and choose between 1 and 24 hours. After the countdown has ended, automatic whitelisting is turned off automatically.
To manually turn off automatic whitelisting, select the menu item “Whitelisting >> Automatic Whitelisting” again.
After Automatic Whitelisting has been turned off, please check the list of trusted apps and remove any unwanted apps. Only keep applications that are absolutely necessary!
Do not close the GUI while automatic whitelisting is running. Closing the GUI as well as connections from another GUI will terminate automatic whitelisting in the background.
Select "Whitelisting >> Whitelist Programs" from the main menu of Blocky GUI. Then, in the FileBrowserDialog, select the program to which you want full file access. If the whitelisting process was successful, the application will be shown in the "List of Trusted Applications" table.
It is possible to whitelist an application via the request table that pops up in the GUI when a non-whitelisted application tries to modify a file under Access Control. See the Request Table.
When a whitelisted application has been modified, e.g., by updating the application or its DLLs or via malicious manipulation, the fingerprint will change and the corresponding whitelist entry will become invalid. BlockyGUI will show this whitelist entry marked in red. If the modification of the application is known to be harmless, the whitelist entry may be updated to recalculate the fingerprint. To update, right-click on the invalid entry and select "Update." Updating a whitelist entry is also possible via BlockyCLI. See Chapter BlockyCLI.
When a whitelist entry is invalid, all write access attempts for that application will be denied. You have to update this entry to grant access.
Do not update an invalid whitelist entry if you are not aware of any expected changes to the system as the system may be compromised.
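The fingerprint behaviour described above, modelled as an added example (not BlockyforVeeam® code). It assumes a SHA-256 digest over the executable and its dependent DLLs, since the page does not document the actual fingerprint algorithm. The class, function and file names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(exe, dlls):
    """SHA-256 over the executable and its dependent DLLs (assumed scheme)."""
    h = hashlib.sha256()
    for path in [Path(exe)] + sorted(Path(d) for d in dlls):
        data = path.read_bytes()
        # Bind file name and length so bytes cannot shift between files unnoticed.
        h.update(path.name.encode() + b"\0" + len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


class Whitelist:
    """Hypothetical model of the List of Trusted Applications."""

    def __init__(self):
        self.entries = {}  # exe path -> (dll paths, stored fingerprint)

    def add(self, exe, dlls=()):
        self.entries[str(exe)] = (tuple(dlls), fingerprint(exe, dlls))

    def update(self, exe):
        # "Update" recalculates the fingerprint of an existing entry.
        dlls, _ = self.entries[str(exe)]
        self.add(exe, dlls)

    def is_valid(self, exe):
        dlls, stored = self.entries[str(exe)]
        return fingerprint(exe, dlls) == stored

    def may_write(self, exe):
        # Unlisted programs and invalid entries are both denied write access.
        return str(exe) in self.entries and self.is_valid(exe)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp, "backup_agent.exe")      # constructed sample files
        dll = Path(tmp, "helper.dll")
        exe.write_bytes(b"MZ original program")
        dll.write_bytes(b"MZ original library")

        wl = Whitelist()
        wl.add(exe, [dll])
        states = [wl.may_write(exe)]             # fingerprint matches

        dll.write_bytes(b"MZ replaced library")  # software update or tampering
        states.append(wl.may_write(exe))         # entry is now invalid

        wl.update(exe)                           # only after confirming the change
        states.append(wl.may_write(exe))
        return states


if __name__ == "__main__":
    print(demo())
```

The model cannot tell a legitimate update from tampering. Both change the digest, which is why the decision to update an entry rests on knowing that a change was expected.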
BlockyforVeeam® can send alert notifications to the Windows application event log, to configured email recipients, and to the Status Area of the Blocky GUI, depending on certain rules. When sending email notifications, multiple recipients can be specified and separated by semicolons. To configure notification delivery select the menu item “Configuration >> Notifications” from the main menu.
The following stateful event types are available:
no license valid
license will expire soon
licensed capacity exceeded
invalid whitelist entry
filter unloaded
The following stateless event types are available:
unauthorized access (m)
internal error (m)
service started (o)
service stopped (o)
Note: Stateless events may occur only once (o) or multiple (m) times.
Check for invalid whitelist entries is performed on:
file access via whitelisted app
start of Blocky service
The whitelist check investigates whether the entries in the whitelist are still valid or whether the binary's fingerprint on disk or its dependent DLLs has changed.
Rules (threshold settings Count / TimeInterval):
Count: <n> / TimeInterval: 0. Stateless event: notification is sent after <n> occurrences.
Count: <n> / TimeInterval: <m>. Stateless event: notification is sent when the event has occurred <n> times within <m> minutes.
Count: n/a / TimeInterval: n/a. Stateless event: event occurs only once and a notification is sent once the event has occurred.
Count: n/a / TimeInterval: <i>. Stateful event: notification is sent every <i> minutes when the event has occurred. When <i> is set to 0 the notification is sent only once.
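The threshold rules above, modelled as an added example (not BlockyforVeeam® code) to show how the Count and TimeInterval settings change the number of notifications for the same events. It assumes that counting restarts after each notification and that a stateful event keeps notifying until its state clears, neither of which the page states. All names and the sample event times are constructed.

```python
from collections import deque


class StatelessRule:
    """Count / TimeInterval threshold for a stateless event (hypothetical model)."""

    def __init__(self, count, interval_min=0):
        self.count = count
        self.window = interval_min * 60      # seconds; 0 means no time window
        self.times = deque()

    def occur(self, t):
        """Record one event at time t (seconds); True means a notification is sent."""
        self.times.append(t)
        if self.window:
            # Drop occurrences older than <m> minutes.
            while t - self.times[0] > self.window:
                self.times.popleft()
        if len(self.times) >= self.count:
            self.times.clear()               # assumption: counting restarts
            return True
        return False


def count_notifications(rule, times):
    return sum(rule.occur(t) for t in times)


def stateful_notifications(start_min, end_min, interval_min):
    """Minutes at which a stateful event notifies while its state lasts."""
    if interval_min == 0:
        return [start_min]                   # <i> = 0: sent only once
    return list(range(start_min, end_min + 1, interval_min))


# Constructed sample data: event times in seconds.
BURST = [2 * k for k in range(25)]           # 25 denied writes within 48 s
TRICKLE = [600 * k for k in range(12)]       # 12 denied writes, 10 min apart

if __name__ == "__main__":
    for name, times in (("burst", BURST), ("trickle", TRICKLE)):
        for count, interval in ((1, 0), (10, 0), (10, 5)):
            sent = count_notifications(StatelessRule(count, interval), times)
            print(f"{name}: Count {count} / TimeInterval {interval} -> {sent} mails")
    print(stateful_notifications(0, 180, 60))
```

With Count 10 / TimeInterval 5, the widely spaced events never reach the threshold, so a windowed rule on unauthorized access is best paired with a regular review of the request table or the application event log.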
Example: (email notification)
<Unauthorized Access> event occurred 1 time. (threshold settings: Count: 1 / TimeInterval:0 min) additional information:
PID: 2188, App: C:\Program Files\Windows NT\Accessories\wordpad.exe, File: \\?\E:\t1\230_49_e.log, User: WIN-DC65PAE604F\Administrator
Example: (GUI status area)
In order to send notifications to email recipients, an outgoing SMTP mail server must be configured. Several connection security options and authentication methods are available. Supply SMTP authentication data if required. Select “Configuration >> SMTP Server” to open the following configuration dialog:
Your settings can be tested by sending a test email to your user account via "Configuration >> Test Email".
The current configuration can be stored for a later restore. The SMTP Server configuration and other notification and whitelisting settings will be saved in the file C:\ProgramData\GrauData\Blocky\server\localSystem\BlockyforVeeam®_localSystem_cfg.zip
To save all configuration settings, select the menu item “File >> Save Configuration”.
To restore configuration settings, use “File >> Load Configuration”. This reloads a previously saved configuration from the file C:\ProgramData\GrauData\Blocky\server\localSystem\BlockyforVeeam®_localSystem_cfg.zip
When you save the configuration in Central GUI Mode, the configuration from the currently connected server is saved to a subfolder in the path C:\ProgramData\GrauData\Blocky\server. When you load the configuration, the configuration is restored from this location.
After installing Blocky with Core and GUI components, the GUI is in local mode. For GUI only installations (without local Core components), the GUI is already in central mode. The operation mode of the GUI is shown in the heading of the GUI. By adding a server to a local GUI, the GUI has to change its mode from local mode to central mode. Accept the warning with "Yes" to continue.
The heading of the GUI changes.
When first adding a new server, a new password for the central GUI has to be set. For GUI only installations, the initially defined password is already set for central GUI mode.
By changing the operation mode from local GUI mode to central GUI mode, the newly defined password is valid for the central GUI only. The previously used password from local GUI mode is still valid for the local core components.
In central GUI mode, you always have to select a server for managing and configuring. Any configuration changes (e.g. whitelisting, notifications, licensing, etc.) will be applied to the selected server only.
Revert to Local GUI:
To revert from a central GUI to a local one, you first have to remove all configured servers and groups. Then a new menu item will show up. Select the menu item “Configuration >> Revert to Local GUI”. The item is only visible when the GUI is in central mode with an empty server list.
To recreate the entry for the local system, the GUI needs to be restarted.
By adding a server to the GUI, you can change the mode of operation from local GUI to central GUI.
To add a server, right-click on "Servers" under the "File System View" and select "Add Server."
For successful connections from the central GUI to remote servers, the system running the central GUI must be able to ping the remote server (i.e. send ICMP echo requests) and the remote server must allow incoming connections on the Blocky service port (default port 7880/tcp). Please adjust your firewall settings accordingly. When using a built-in Windows firewall, you must enable the existing inbound rule for File and Printer Sharing (Echo Request) and also add a new inbound rule for default port 7880/tcp.
Please make sure the initial password on the remote server has been set. Either via the local GUI if installed, via BlockyCLI, or via BlockyforVeeam® setup parameter. See Chapters BlockyCLI and Setup Command-Line Parameters.
Please make sure the system clock of the remote server is in sync with the system running the central GUI. If service authentication fails, check the system clock.
Fill out the following dialog with your server's data. Use the "Check Connection" button to check whether your server can be reached, and when connected, click "OK."
For configuration and monitoring, the localSystem is selected by default. The configurable and monitorable server is shown in a yellow color with a dark blue background, and your list of Trusted Applications shows the one on the selected server.
To change servers, right-click on the server you want to configure and select "Select Server for Configuration and Monitoring." This will change the context within the GUI for configuration and monitoring on the selected server.
When the connection is established, the highlight color changes, and the selected server appears in a yellow color with a dark blue background, and the list shows the Trusted Applications on the server.
When a server has an active connection from the central GUI and the local GUI is started and connected to that server, the connection from the central GUI will detach.
When a server has an active connection from the local GUI and the central GUI opens a connection to that server, the connection from the local GUI will detach, and the local GUI will be closed.
Each server can handle only one active connection at a given time, either from the local or a central GUI.
If you have multiple servers that share a common configuration of Trusted Applications, notification settings, and mail settings, or controlled folders, you can collect those servers in groups and define a master configuration of these parameters that can be applied to all group members.
To define a new group, right-click on "Servers" under the "File System View" and select "Define New Group."
Name your group and fill out the description box. After clicking "OK," your group will be added.
The group will be listed under "Servers" in the "File System View".
To assign a server to a Group right-click on the server you want to assign and select "Assign Server to Group".
Then select the group the server should be assigned to.
In the "File System View" this server is now listed under the selected group.
By defining a master configuration for a group, you can apply the configuration from a specific server to all servers in the group. Master configuration includes whitelist, controlled folders, and notification/SMTP settings.
Select a server for Configuration and Monitoring.
Configure the desired settings on this server. For example, switch on access control on a volume.
Define the group master configuration by selecting "Define Server Configuration as Master Group Configuration."
The configuration can now be published by right-clicking on the group and selecting "Apply Master Group Configuration."
Select the servers where the Master Configuration shall be applied.
Select "Copy Volume Settings" to transfer the access control settings for the volumes from the Master Configuration too.
Caution:
On the target systems, the access control of other already access-controlled volumes, which are not part of the Master Configuration, is switched off if "Copy Volume Settings" is enabled.
This configuration is now applied to the selected servers in the group.
If the configuration rollout fails because some servers are not connected in the Central GUI, you must decide whether to reconnect these servers or only roll out to connected servers. If you choose to reconnect, any connected local GUI will terminate and the Central GUI will take over. You then have to initiate the configuration rollout again.
To compare the server configuration with the server group configuration, right-click on the server you want to compare and select "Compare Server Configuration to Group Configuration."
BlockyforVeeam® allows the use of a freshly activated Blocky volume for 60 days. The trial license has neither a capacity limit nor a limit on the number of Blocky volumes. Every volume receives this trial license when Access Control is turned on for the first time. If you want to keep a Blocky volume past the trial period, you need to register the volume while the trial license is still valid to obtain a key for a registered license.
When using the GUI in central mode, licensing is done for the currently selected server. Licensing is also possible via BlockyCLI. See Chapter BlockyCLI for available CLI commands.
If the Access Control feature is turned on for a volume, a 60-day trial license will be installed on that volume automatically. Licensing is always volume-based, which means that a license must be ordered for each volume, which should be protected by BlockyforVeeam®.
You can see your current status in the "Monitoring" window.
Each Blocky volume is registered separately and therefore has its own BlockyforVeeam®-generated Capacity-ID, which is needed when requesting a registered license key for a Blocky volume.
Select the menu item “License >> Request License” from the main menu.
Use the drop-down list and choose the volume for which you want to request a license key.
Enter the Capacity-ID that your BlockyforVeeam® sales team provided you. Characters are automatically converted to upper case when entering lower case.
After pressing the “OK” button, BlockyforVeeam® will generate the license request key, which must be sent to the licensing service by using either the on-line WEB-PORTAL or sending the information via email.
When selecting "WEB-PORTAL" to request the license key, please ensure that your server is connected to the internet. You must log in to the web portal to use the licensing service. If you do not yet have login credentials, please register and provide a valid email address, which is used by the licensing service to respond back to you.
If you decide to send the license key request via email, you may either use the menu item “EMAIL...”, which launches your email client and automatically generates an email with the necessary information, or you may copy the license request key to a text file and send it as an email attachment to support@graudata.com.
After getting the file with the registered license key for the volume, go to the main menu and choose "License >> Install License."
Check the license status on the right-side pane of the Blocky GUI. It may take up to 4 minutes until the license status is updated.
When using the GUI in central mode, you can concatenate several license files into a single combined file, one license per line. The central GUI will install the licenses on all servers with the corresponding volumes.
After you have installed the registered license, you can still update your license key file to add more capacity to a Blocky volume or extend the license time limit. The updated license key file must be requested through "License >> Request License" and installed through "License >> Install License." The previously entered Capacity-ID is not required anymore. You can ask for a new license key file at any time. The new file will show the licenses you've bought. To receive a license file with additional capacity or an extended timeframe, you must purchase an additional license from GRAU DATA at https://blockyforveeam.com/pricing/ or your local reseller before requesting an updated license.
BlockyforVeeam® checks the total physical capacity of each Blocky volume and the license time limit. If a Blocky volume goes over the licensed capacity or time limit, a warning message is shown in the application event log. If either the capacity limit or the time limit is reached, the license is no longer valid. Access protection also stops whitelisted applications from making changes until a new license key is installed for the volume to cover the total capacity or extend the time limit. As a workaround to gain write access to a Blocky volume with an invalid license, an administrator may disable access protection for that Blocky volume manually. Access protection must be enabled again before installing a valid license. The BlockyforVeeam® user interface provides an overview of the installed license types, status, and licensed capacity. It is recommended to request and install a new license before the installed license expires or the volume’s physical capacity is extended.
During the upgrade from Blocky for Veeam® version 2.4 to version 2.5 or later, all valid licenses will be migrated automatically. To update or renew such migrated licenses at a later time, you must first send a service report to GRAU DATA support (support@graudata.com) before updating the license key file.
Invalid or expired licenses will not migrate during the upgrade. To obtain a valid license, you must follow the initial licensing workflow, which requires a valid Capacity-ID.
Summary:
Each license is volume based.
The trial license is valid for 60 days after activation.
The trial license has no capacity limit.
The registered license has a time and capacity limit (depending on the purchase).
Capacity is the volume provisioned size, not the used space.
An invalid license denies any modification on existing files (on the affected volume).